On 12/01/18 12:32, Alexander Bokovoy wrote:
On Fri, 12 Jan 2018, lejeczek via FreeIPA-users wrote:
>
>
> On 11/01/18 18:55, Florence Blanc-Renaud wrote:
>> then the problem you are seeing is probably BZ 14852017
>> [RFE] If the umask is too restrictive the installation
>> won't work [1]
>>
>> Did you install the master with a umask different from
>> 022? In this case, some configuration files are probably
>> not accessible by non-root user, and the httpd server -
>> running as apache - cannot read files needed to
>> establish the secure connection to dogtag.
>>
>> You can try to change the permissions for
>> /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} on
>> the master:
>> $ chmod 444 /etc/ipa/ca.crt
>> $ chmod 440 /var/lib/ipa/ra-agent.*
>>
>> and re-try the replica installation.
>>
>> HTH,
>> Flo
>
> I'm double posting.. beware
> Jesus freaking Christ.. (this comes after I produced a
> whole litany of bad words in my own language), sorry.
> It almost drove me insane! no, really!
>
> all these problems, all these errors, all because of my
> root's umask 027
> Now having replica installed, I'll see how two servers
> behave in my simple domain.
>
> Guys, make it a very first check in installer code and
> make that installer fail, and.. push out a new release
> with that little fix like... yesterday (do not wait till
> it's properly fixed). You can still save lives!

There is https://pagure.io/freeipa/issue/7193 for that.
Unfortunately, it is not going to get into next RHEL update
due to timing issues. A patch is welcomed.

I'm sure for you guys @devel it won't take more than a blink
of an eye - just fail that installer for "non-regular"
umasks (for now at least) - myself? I'd have to learn Python ;)
I've struggled, I've wasted a week, and would have given in
if it wasn't for Flo's help.
Seriously, I'm sure this will save many lives.
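
A pre-flight check of the kind requested in this thread, as an added example that is not part of any message above and is not FreeIPA's installer code: it shows the file mode that results under umask 022 versus 027 and refuses to continue when the mask would strip group/other read bits. The function names and the `NEEDED` bit set are assumptions made for illustration; the scratch file is a constructed stand-in, not a real IPA file.

```python
import os
import stat
import tempfile

# Assumed set of bits a non-root service account (e.g. apache) needs on
# files and directories created during installation: r-x for group and other.
NEEDED = stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH  # 0o055


def current_umask():
    """os.umask() can only read the mask by setting it, so restore it at once."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def umask_too_restrictive(mask):
    """True when the mask would strip group/other read or search bits."""
    return bool(mask & NEEDED)


def mode_created_under(mask, requested=0o644):
    """Create a scratch file under `mask` and return the mode it ends up with."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "scratch.crt")  # constructed stand-in file
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, requested))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # never leave the process with the test mask


def missing_bits(path, required):
    """Permission bits in `required` that `path` lacks (0 means it is fine)."""
    return required & ~stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for mask in (0o022, 0o027):
        print(f"umask {mask:03o}: file mode {mode_created_under(mask):03o}, "
              f"too restrictive: {umask_too_restrictive(mask)}")
    if umask_too_restrictive(current_umask()):
        raise SystemExit(f"refusing to continue: umask is {current_umask():03o}")
```

On an already-installed master, `missing_bits("/etc/ipa/ca.crt", 0o444)` returns non-zero when the file lacks the mode suggested earlier in the thread.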