#3551 ipa-client-install fails when /etc/ipa/ is missing
Closed: Fixed None Opened 11 years ago by pviktori.

When /etc/ipa doesn't exist, ipa-client-install fails with a misleading error:

Discovery was successful!
Hostname: vm-059.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-089.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@IDM.LAB.ENG.BRQ.REDHAT.COM:
Cannot obtain CA certificate
'ldap://vm-089.idm.lab.eng.brq.redhat.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

The client installer should create the directory if it doesn't exist.

The freeipa-python RPM has /etc/ipa/ca.crt and /etc/ipa/default.conf ghost entries. It should also own the directory itself.


tbabej just noticed that this error reproduces when user have a clean VM, then installs just freeipa-client + freeipa-python and then runs ipa-client-install.

This makes me think that this error should be fixed sooner than in Pilsner to avoid unpleasant user experience. A fix for this issue should:
1. Make sure that /etc/ipa is owned and created by freeipa-python package
2. Make sure that ipa-client-install reports some meaningful error when it is missing

Reopening - /etc/ipa should not be owned by apache group.

Metadata Update from @pviktori:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)

7 years ago

Log in to comment on this ticket.

Metadata