FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.

#3551 ipa-client-install fails when /etc/ipa/ is missing

Created 4 years ago by pviktori
Modified 9 months ago

When /etc/ipa doesn't exist, ipa-client-install fails with a misleading error:

Discovery was successful!
DNS Domain:
IPA Server:
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@IDM.LAB.ENG.BRQ.REDHAT.COM:
Cannot obtain CA certificate
'ldap://' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

The client installer should create the directory if it doesn't exist.

The freeipa-python RPM has /etc/ipa/ca.crt and /etc/ipa/default.conf ghost entries. It should also own the directory itself.

tbabej just noticed that this error reproduces when a user has a clean VM, installs just freeipa-client + freeipa-python, and then runs ipa-client-install.

This makes me think that this error should be fixed sooner than in Pilsner to avoid an unpleasant user experience. A fix for this issue should:
1. Make sure that /etc/ipa is owned and created by the freeipa-python package
2. Make sure that ipa-client-install reports some meaningful error when it is missing

Reopening - /etc/ipa should not be owned by apache group.

master: cc3c543
ipa-3-1: 6e443eb

9 months ago

Metadata Update from @pviktori:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)
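
The two requirements listed in the ticket, together with the ownership point raised when it was reopened, sketched as a pre-flight check. This is an added example, not FreeIPA's code or the committed fix; `ensure_config_dir`, `ConfigDirError` and the root:root / 0755 defaults are assumptions.

```python
import os
import stat
import tempfile


class ConfigDirError(Exception):
    """Carries a message naming the directory and the actual problem."""


def ensure_config_dir(path, uid=0, gid=0, mode=0o755):
    """Create `path` if it is missing, then verify type, owner and mode.

    Returns True if the directory was created, False if it already existed.
    uid/gid default to root:root (assumed intended owner of /etc/ipa).
    """
    try:
        os.mkdir(path, mode)
        created = True
    except FileExistsError:
        created = False
    except OSError as e:
        raise ConfigDirError(f"cannot create {path}: {e.strerror}") from e
    if created:
        os.chmod(path, mode)  # the mode passed to mkdir is masked by umask

    st = os.lstat(path)  # lstat so a symlink at `path` is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise ConfigDirError(f"{path} exists but is not a directory")
    if (st.st_uid, st.st_gid) != (uid, gid):
        raise ConfigDirError(
            f"{path} is owned by {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ConfigDirError(f"{path} is writable by group or others")
    return created


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for /etc, so no root needed.
    base = tempfile.mkdtemp()
    target = os.path.join(base, "ipa")
    owner = (os.geteuid(), os.stat(base).st_gid)
    print("created:", ensure_config_dir(target, *owner))
    try:
        ensure_config_dir(target, owner[0], owner[1] + 1)  # wrong group
    except ConfigDirError as e:
        print("error:", e)
```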
