Ticket #3551 (closed defect: fixed)

Opened 13 months ago

Last modified 12 months ago

ipa-client-install fails when /etc/ipa/ is missing

Reported by: pviktori Owned by: akrivoka
Priority: critical Milestone: FreeIPA 3.2 - 2013/04-05 (GA)
Component: IPA Version:
Keywords: Cc: akrivoka, tbabej
Blocked By: Blocking:
Affects Documentation: no Patch posted for review: yes
Red Hat Bugzilla: 952686, 953905 Patch review by:
External tracker: Design link:
Needs UI design: Fedora test page:
Feature: Source:
Expertise:
Release Notes:

Description

When /etc/ipa doesn't exist, ipa-client-install fails with a misleading error:

Discovery was successful!
Hostname: vm-059.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-089.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
 
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@IDM.LAB.ENG.BRQ.REDHAT.COM:
Cannot obtain CA certificate
'ldap://vm-089.idm.lab.eng.brq.redhat.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

The client installer should create the directory if it doesn't exist.

The freeipa-python RPM has /etc/ipa/ca.crt and /etc/ipa/default.conf ghost entries. It should also own the directory itself.

Change History

comment:1 Changed 13 months ago by akrivoka

  • Cc akrivoka added
  • Owner changed from someone to akrivoka

comment:2 Changed 13 months ago by dpal

  • Red Hat Bugzilla set to todo
  • Milestone changed from 0.0 NEEDS_TRIAGE to Pilsner barrel

comment:3 Changed 13 months ago by mkosek

  • Cc tbabej added
  • Milestone changed from Pilsner barrel to 0.0 NEEDS_TRIAGE

tbabej just noticed that this error reproduces when user have a clean VM, then installs just freeipa-client + freeipa-python and then runs ipa-client-install.

This makes me think that this error should be fixed sooner than in Pilsner to avoid unpleasant user experience. A fix for this issue should:

  1. Make sure that /etc/ipa is owned and created by freeipa-python package
  2. Make sure that ipa-client-install reports some meaningful error when it is missing

comment:4 Changed 12 months ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to 2013 Month 04 - April - May (3.2 GA)

comment:5 Changed 12 months ago by dpal

  • Red Hat Bugzilla changed from todo to [https://bugzilla.redhat.com/show_bug.cgi?id=952686 952686]

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=952686

comment:6 Changed 12 months ago by mkosek

  • Priority changed from major to critical

comment:7 Changed 12 months ago by akrivoka

  • Patch posted for review set
  • Status changed from new to assigned

comment:8 Changed 12 months ago by rcritten

  • Status changed from assigned to closed
  • Resolution set to fixed

comment:9 Changed 12 months ago by mkosek

  • Status changed from closed to reopened
  • Resolution fixed deleted

Reopening - /etc/ipa should not be owned by apache group.

comment:10 Changed 12 months ago by mkosek

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=952686 952686] to [https://bugzilla.redhat.com/show_bug.cgi?id=952686 952686], [https://bugzilla.redhat.com/show_bug.cgi?id=953905 953905]

comment:11 Changed 12 months ago by mkosek

  • Status changed from reopened to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.