Re: [Freeipa-users] freeipa-server from copr repo
Ok :) Thank you for the response. 2014-11-21 10:39 GMT+02:00 Martin Kosek mko...@redhat.com: On 11/21/2014 09:30 AM, Genadi Postrilko wrote: Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-) Martin Will it be included as a tech preview or fully supported? You mean if whole IPA will be Tech Preview or Fully Supported? The functionality that was present and supported in RHEL-7.0 of course cannot be suddenly put to Tech Preview. I cannot disclose at this moment which *new* features would be supported and which would be TP, wait and see - but I think this information will be publicly available even in RHEL-7.1 Beta :-) On 11/19/2014 10:24 PM, Tamas Papp wrote: On 11/19/2014 09:29 PM, Martin Kosek wrote: Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket: https://fedorahosted.org/freeipa/ticket/4716 Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770. I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo. Thanks for all. Just a question. My understanding is that 4.x will not hit RH 7 ever. So for IPA 4.x we have to wait until RH8, am I correct? Thanks, tamas Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-) Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] freeipa-server from copr repo
hi All, -- Finished Dependency Resolution Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa) Requires: pki-ca = 10.2.0-3 Available: pki-ca-10.0.5-3.el7.noarch (base) pki-ca = 10.0.5-3.el7 Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa) pki-ca = 10.1.2-3.el7.centos You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest Ho can I fix this? 10x tamas -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 11:37 AM, Tamas Papp wrote: hi All, -- Finished Dependency Resolution Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa) Requires: pki-ca = 10.2.0-3 Available: pki-ca-10.0.5-3.el7.noarch (base) pki-ca = 10.0.5-3.el7 Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa) pki-ca = 10.1.2-3.el7.centos You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest We are working on a fix right now. So hopefully, the fixed CentOS repo would be available during today. Ho can I fix this? Waiting a bit and then trying to install again :-) 10x tamas -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
I am good in waiting;) Thanks for the prompt reply. -- Sent from mobile On November 19, 2014 11:54:40 AM Martin Kosek mko...@redhat.com wrote: On 11/19/2014 11:37 AM, Tamas Papp wrote: hi All, -- Finished Dependency Resolution Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa) Requires: pki-ca = 10.2.0-3 Available: pki-ca-10.0.5-3.el7.noarch (base) pki-ca = 10.0.5-3.el7 Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa) pki-ca = 10.1.2-3.el7.centos You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest We are working on a fix right now. So hopefully, the fixed CentOS repo would be available during today. Ho can I fix this? Waiting a bit and then trying to install again :-) 10x tamas -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 11:57 AM, Tamas Papp wrote: I am good in waiting;) Thanks for the prompt reply. Ok Tamas, I think we *finally* got somewhere. Can you please try the mkosek/freeipa Copr repo now? I was able to install upstream freeipa-server 4.1.1 package on my RHEL-7.0 machine (should be the same for CentOS) and run ipa-server-install: # yum install freeipa-server --enablerepo=mkosek-freeipa ... Resolving Dependencies -- Running transaction check --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed ... Transaction Summary Install 1 Package (+338 Dependent packages) Upgrade ( 11 Dependent packages) Total download size: 146 M ... # rpm -q freeipa-server freeipa-server-4.1.1-1.2.el7.centos.x86_64 # ipa-server-install --setup-dns # kinit admin Password for ad...@example.com: Thanks, Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
Hi Marin,
I was able to install from the copr repo now as well. Thank you!
However I wasn't able to finish the install:
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.
Don't know if you need the command for how I was installing ipa. But here
is the line from my anseible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}
On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
Thanks for the prompt reply.
Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?
I was able to install upstream freeipa-server 4.1.1 package on my
RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:
# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
...
Transaction Summary
Install 1 Package (+338 Dependent packages)
Upgrade ( 11 Dependent packages)
Total download size: 146 M
...
# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64
# ipa-server-install --setup-dns
# kinit admin
Password for ad...@example.com:
Thanks,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
It is highly probable the issue is caused by SELinux (check for AVCs in
/var/log/audit/audit.log).
Can you try with SELinux permissive? We specifically did not build
selinux-policy as we do not think we should be the ones maintaining it for
CentOS.
HTH,
Martin
- Original Message -
From: Bill Peck b...@pecknet.com
To: Martin Kosek mko...@redhat.com
Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
Sent: Wednesday, November 19, 2014 5:34:10 PM
Subject: Re: [Freeipa-users] freeipa-server from copr repo
Hi Marin,
I was able to install from the copr repo now as well. Thank you!
However I wasn't able to finish the install:
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.
Don't know if you need the command for how I was installing ipa. But here
is the line from my anseible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}
On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
Thanks for the prompt reply.
Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?
I was able to install upstream freeipa-server 4.1.1 package on my
RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:
# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
...
Transaction Summary
Install 1 Package (+338 Dependent packages)
Upgrade ( 11 Dependent packages)
Total download size: 146 M
...
# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64
# ipa-server-install --setup-dns
# kinit admin
Password for ad...@example.com:
Thanks,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
Hi Martin,
Yes, setting selinux to permissive allowed me to install and configure IPA
4.1 on CentOS 7.
:-)
On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek mko...@redhat.com wrote:
It is highly probable the issue is caused by SELinux (check for AVCs in
/var/log/audit/audit.log).
Can you try with SELinux permissive? We specifically did not build
selinux-policy as we do not think we should be the ones maintaining it for
CentOS.
HTH,
Martin
- Original Message -
From: Bill Peck b...@pecknet.com
To: Martin Kosek mko...@redhat.com
Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
Sent: Wednesday, November 19, 2014 5:34:10 PM
Subject: Re: [Freeipa-users] freeipa-server from copr repo
Hi Marin,
I was able to install from the copr repo now as well. Thank you!
However I wasn't able to finish the install:
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The
location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.
Don't know if you need the command for how I was installing ipa. But
here
is the line from my anseible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}
On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com
wrote:
On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
Thanks for the prompt reply.
Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?
I was able to install upstream freeipa-server 4.1.1 package on my
RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:
# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be
installed
...
Transaction Summary
Install 1 Package (+338 Dependent packages)
Upgrade ( 11 Dependent packages)
Total download size: 146 M
...
# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64
# ipa-server-install --setup-dns
# kinit admin
Password for ad...@example.com:
Thanks,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
Good news!
To clarify on the selinux-policy side. By not maintaining it for the CentOS I
meant that FreeIPA Copr should not maintain system policy for any system, not
just SELinux.
Ideally, it should have a SELinux policy module that would be compiled for
SELinux only and that would only contain the additional policy required by IPA
on top of 7.0.
But this is not a priority for now we do not have enough capacity for it ATM.
But if anyone wishes to contribute that part, doors are open :-)
Martin
On 11/19/2014 05:56 PM, Bill Peck wrote:
Hi Martin,
Yes, setting selinux to permissive allowed me to install and configure IPA 4.1
on CentOS 7.
:-)
On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:
It is highly probable the issue is caused by SELinux (check for AVCs in
/var/log/audit/audit.log).
Can you try with SELinux permissive? We specifically did not build
selinux-policy as we do not think we should be the ones maintaining it for
CentOS.
HTH,
Martin
- Original Message -
From: Bill Peck b...@pecknet.com mailto:b...@pecknet.com
To: Martin Kosek mko...@redhat.com mailto:mko...@redhat.com
Cc: Tamas Papp tom...@martos.bme.hu mailto:tom...@martos.bme.hu,
freeipa-users@redhat.com mailto:freeipa-users@redhat.com
Sent: Wednesday, November 19, 2014 5:34:10 PM
Subject: Re: [Freeipa-users] freeipa-server from copr repo
Hi Marin,
I was able to install from the copr repo now as well. Thank you!
However I wasn't able to finish the install:
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The
location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.
Don't know if you need the command for how I was installing ipa. But
here
is the line from my anseible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}
On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:
On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
Thanks for the prompt reply.
Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?
I was able to install upstream freeipa-server 4.1.1 package on my
RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:
# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be
installed
...
Transaction Summary
Install 1 Package (+338 Dependent packages)
Upgrade ( 11 Dependent packages)
Total download size: 146 M
...
# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64
# ipa-server-install --setup-dns
# kinit admin
Password for ad...@example.com mailto:ad...@example.com:
Thanks,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
hi Martin,
Much better:)
Unfortunately not perfect yet.
[...]
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa : ERRORNamed service failed to start (Command
''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero
exit status 1)
named service failed to start
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service''
returned non-zero exit status 1
This helped:
chmod 777 /var/named/dyndb-ldap/ipa/
Probably chown or chgrp named would be just enough.
Cheers,
tamas
On 11/19/2014 05:41 PM, Martin Kosek wrote:
It is highly probable the issue is caused by SELinux (check for AVCs in
/var/log/audit/audit.log).
Can you try with SELinux permissive? We specifically did not build
selinux-policy as we do not think we should be the ones maintaining it for
CentOS.
HTH,
Martin
- Original Message -
From: Bill Peck b...@pecknet.com
To: Martin Kosek mko...@redhat.com
Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
Sent: Wednesday, November 19, 2014 5:34:10 PM
Subject: Re: [Freeipa-users] freeipa-server from copr repo
Hi Marin,
I was able to install from the copr repo now as well. Thank you!
However I wasn't able to finish the install:
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.
Don't know if you need the command for how I was installing ipa. But here
is the line from my anseible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}
On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
Thanks for the prompt reply.
Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?
I was able to install upstream freeipa-server 4.1.1 package on my
RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:
# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
...
Transaction Summary
Install 1 Package (+338 Dependent packages)
Upgrade ( 11 Dependent packages)
Total download size: 146 M
...
# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64
# ipa-server-install --setup-dns
# kinit admin
Password for ad...@example.com:
Thanks,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 09:23 PM, Tamas Papp wrote: hi Martin, Much better:) Unfortunately not perfect yet. [...] Done configuring DNS key synchronization service (ipa-dnskeysyncd). Restarting ipa-dnskeysyncd Restarting named ipa : ERRORNamed service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1) named service failed to start Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1 This helped: chmod 777 /var/named/dyndb-ldap/ipa/ Probably chown or chgrp named would be just enough. Cheers, tamas Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket: https://fedorahosted.org/freeipa/ticket/4716 Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770. I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 09:29 PM, Martin Kosek wrote: Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket: https://fedorahosted.org/freeipa/ticket/4716 Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770. I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo. Thanks for all. Just a question. My understanding is that 4.x will not hit RH 7 ever. So for IPA 4.x we have to wait until RH8, am I correct? Thanks, tamas -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 10:24 PM, Tamas Papp wrote: On 11/19/2014 09:29 PM, Martin Kosek wrote: Ah, yes. This one is not a problem with the CentOS port, but rather existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, including Fedora 21 and CentOS. See upstream ticket: https://fedorahosted.org/freeipa/ticket/4716 Until this is fixed, correct workaround is to chown this directory by named:named and chmod rights to 0770. I will with the team when 4.1.2 is about to be released, if it is not soon, I can just add the patch to the 4.1.1 in Copr repo. Thanks for all. Just a question. My understanding is that 4.x will not hit RH 7 ever. So for IPA 4.x we have to wait until RH8, am I correct? Thanks, tamas Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-) Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server from copr repo
On 11/19/2014 10:27 PM, Martin Kosek wrote: Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-) Very good! Then everything is good for testing:) t -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
