When /etc/ipa doesn't exist, ipa-client-install fails with a misleading error:
Discovery was successful!
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-089.idm.lab.eng.brq.redhat.com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@IDM.LAB.ENG.BRQ.REDHAT.COM:
Cannot obtain CA certificate
'ldap://vm-089.idm.lab.eng.brq.redhat.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
The client installer should create the directory if it doesn't exist.
The freeipa-python RPM has /etc/ipa/ca.crt and /etc/ipa/default.conf ghost entries. It should also own the directory itself.
tbabej just noticed that this error reproduces when a user has a clean VM, then installs just freeipa-client + freeipa-python and then runs ipa-client-install.
This makes me think that this error should be fixed sooner than in Pilsner to avoid unpleasant user experience. A fix for this issue should:
1. Make sure that /etc/ipa is owned and created by freeipa-python package
2. Make sure that ipa-client-install reports some meaningful error when it is missing
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=952686
Reopening - /etc/ipa should not be owned by the apache group.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=953905 (Fedora)
Metadata Update from @pviktori:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)