"Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
8:26 p.m.
I'm really at a loss on this one.
I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get
this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't
have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without
--ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SERVICES.example
Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
Valid From: Wed Apr 05 21:11:13 2017 UTC
Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The
old images still work even now, so I don't think it's a DNS issue. I
tried running update-ca-certificates, but that did nothing. I tried
restarting the FreeIPA server, nothing changed.
If I try --forceing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 3099, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 3080, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2727, in install
api.finalize()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656,
in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370,
in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534,
in load_plugins
self.import_plugins(module)
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572,
in import_plugins
module = importlib.import_module(name)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in
import_module
__import__(name)
File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line
29, in <module>
from ipalib import pkcs10
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
class _PrincipalName(univ.Sequence):
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here; does anyone have advice on how to
fix this? Thanks!
4:13 a.m.
New subject: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
I'm really at a loss on this one.
I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get
this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't
have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without
--ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache
url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SERVICES.example
Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
Valid From: Wed Apr 05 21:11:13 2017 UTC
Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The
old images still work even now, so I don't think it's a DNS issue. I
tried running update-ca-certificates, but that did nothing. I tried
restarting the FreeIPA server, nothing changed.
If I try --forceing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 3099, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 3080, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2727, in install
api.finalize()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656,
in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370,
in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534,
in load_plugins
self.import_plugins(module)
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572,
in import_plugins
module = importlib.import_module(name)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in
import_module
__import__(name)
File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line
29, in <module>
from ipalib import pkcs10
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
class _PrincipalName(univ.Sequence):
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here; does anyone have advice on how to
fix this? Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
during client installation, the installer tries to retrieve the CA
certificate:
- either from the provider --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied
The ldap method looks for a certificate in
cn=certificates,cn=ipa,cn=etc,$BASEDN or cn=CAcert,cn=ipa,cn=etc,$BASEDN.
You can check if the CA certificate can be found by the installer. Do
you see matching logs in the directory server access log
(/var/log/dirsrv/slapd-xx/access), like the following:
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2
filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey
cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101
nentries=1 etime=1
If yes, check the return code (err=x) and the number of found entries
(nentries=x).
When you run the installer with --force, the tool manages to retrieve
the cert using http but fails later. Which version of IPA are you using?
Flo.
6:07 a.m.
New subject: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
Hey,
I checked the logs and found this:
conn=3295 op=3 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example"
scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey
cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
So that looks like it's finding an entry, I guess.
All of the lines have err=0 except these:
conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in
progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in
progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
The server is running FreeIPA 4.4:
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0
- greg
On 2017-08-01 05:13, Florence Blanc-Renaud wrote:
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
> I'm really at a loss on this one.
>
> I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get this error (from
the install logs):
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
> DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have
a certificate.
> DEBUG 'ipa.services.example' doesn't have a certificate.
> ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
> You must specify --force to retrieve the CA cert using HTTP
> ERROR Cannot obtain CA certificate
> HTTP certificate download requires --force
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
>
> For comparison, the old images work as expected:
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
> INFO Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.SERVICES.example
> Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
> Valid From: Wed Apr 05 21:11:13 2017 UTC
> Valid Until: Sun Apr 05 21:11:13 2037 UTC
>
> It's literally the same build script, so nothing there has changed. The old
images still work even now, so I don't think it's a DNS issue. I tried running
update-ca-certificates, but that did nothing. I tried restarting the FreeIPA server,
nothing changed.
>
> If I try --forceing the install, this happens:
>
> Enrolled in IPA realm IPA.SERVICES.EXAMPLE
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 3099, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 3080, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 2727, in install
> api.finalize()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in
finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in
__do_if_not_done
> getattr(self, name)()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in
load_plugins
> self.import_plugins(module)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in
import_plugins
> module = importlib.import_module(name)
> File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
> __import__(name)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in
<module>
> from ipalib import pkcs10
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
> class _PrincipalName(univ.Sequence):
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
> namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
>
> Really not sure what's going on here; does anyone have advice on how to fix this?
Thanks!
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
during client installation, the installer tries to retrieve the CA certificate:
- either from the provider --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied
The ldap method looks for a certificate in cn=certificates,cn=ipa,cn=etc,$BASEDN or
cn=CAcert,cn=ipa,cn=etc,$BASEDN.
You can check if the CA certificate can be found by the installer. Do you see matching
logs in the directory server access log (/var/log/dirsrv/slapd-xx/access), like the
following:
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2
filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust
ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1
etime=1
If yes, check the return code (err=x) and the number of found entries (nentries=x).
When you run the installer with --force, the tool manages to retrieve the cert using http
but fails later. Which version of IPA are you using?
Flo.
7:15 a.m.
New subject: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
Slight update: I tried precreating /etc/ipa/ca.crt, and when running the
install, I get the same Python error I did before:
File "/usr/sbin/ipa-client-install", line 3099, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 3080, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2727, in install
api.finalize()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656,
in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370,
in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534,
in load_plugins
self.import_plugins(module)
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572,
in import_plugins
module = importlib.import_module(name)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in
import_module
__import__(name)
File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line
29, in <module>
from ipalib import pkcs10
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
class _PrincipalName(univ.Sequence):
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
On 2017-08-01 07:07, greg(a)greg-gilbert.com wrote:
Hey,
I checked the logs and found this:
conn=3295 op=3 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2
filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust
ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
So that looks like it's finding an entry, I guess.
All of the lines have err=0 except these:
conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
The server is running FreeIPA 4.4:
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0
- greg
On 2017-08-01 05:13, Florence Blanc-Renaud wrote:
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote: I'm really at a loss on this
one.
I have a bunch of old server images (from 2 months ago) that can run ipa-client-install
just fine. When I created a new image, though, I get this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a
certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SERVICES.example
Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
Valid From: Wed Apr 05 21:11:13 2017 UTC
Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The old images
still work even now, so I don't think it's a DNS issue. I tried running
update-ca-certificates, but that did nothing. I tried restarting the FreeIPA server,
nothing changed.
If I try --forceing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 3099, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 3080, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2727, in install
api.finalize()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in
finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in
__do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in
load_plugins
self.import_plugins(module)
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in
import_plugins
module = importlib.import_module(name)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in
<module>
from ipalib import pkcs10
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
class _PrincipalName(univ.Sequence):
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here; does anyone have advice on how to fix this?
Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
during client installation, the installer tries to retrieve the CA certificate:
- either from the provider --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied
The ldap method looks for a certificate in cn=certificates,cn=ipa,cn=etc,$BASEDN or
cn=CAcert,cn=ipa,cn=etc,$BASEDN.
You can check if the CA certificate can be found by the installer. Do you see matching
logs in the directory server access log (/var/log/dirsrv/slapd-xx/access), like the
following:
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2
filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust
ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1
etime=1
If yes, check the return code (err=x) and the number of found entries (nentries=x).
When you run the installer with --force, the tool manages to retrieve the cert using http
but fails later. Which version of IPA are you using?
Flo.
8:22 a.m.
New subject: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
Further update: I'm pretty sure I found out the problem.
Basically, my old server is running pyasn1==0.2.3 and the new one has
pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
isn't compatible with these changes.
I've got a ticket open at https://pagure.io/freeipa/issue/7079 about
this.
- greg
On 2017-08-01 08:15, greg(a)greg-gilbert.com wrote:
Slight update: I tried precreating /etc/ipa/ca.crt, and when running
the install, I get the same Python error I did before:
File "/usr/sbin/ipa-client-install", line 3099, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 3080, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2727, in install
api.finalize()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in
finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in
__do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in
load_plugins
self.import_plugins(module)
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in
import_plugins
module = importlib.import_module(name)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in
<module>
from ipalib import pkcs10
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
class _PrincipalName(univ.Sequence):
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
On 2017-08-01 07:07, greg(a)greg-gilbert.com wrote:
Hey,
I checked the logs and found this:
conn=3295 op=3 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2
filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust
ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
So that looks like it's finding an entry, I guess.
All of the lines have err=0 except these:
conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
The server is running FreeIPA 4.4:
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0
- greg
On 2017-08-01 05:13, Florence Blanc-Renaud wrote:
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote: I'm really at a loss on this
one.
I have a bunch of old server images (from 2 months ago) that can run ipa-client-install
just fine. When I created a new image, though, I get this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a
certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SERVICES.example
Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
Valid From: Wed Apr 05 21:11:13 2017 UTC
Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The old images
still work even now, so I don't think it's a DNS issue. I tried running
update-ca-certificates, but that did nothing. I tried restarting the FreeIPA server,
nothing changed.
If I try --forceing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 3099, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 3080, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 2727, in install
api.finalize()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in
finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in
__do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in
load_plugins
self.import_plugins(module)
File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in
import_plugins
module = importlib.import_module(name)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in
<module>
from ipalib import pkcs10
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in
<module>
class _PrincipalName(univ.Sequence):
File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in
_PrincipalName
namedtype.NamedType('name-string',
univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here; does anyone have advice on how to fix this?
Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
during client installation, the installer tries to retrieve the CA certificate:
- either from the provider --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied
The ldap method looks for a certificate in cn=certificates,cn=ipa,cn=etc,$BASEDN or
cn=CAcert,cn=ipa,cn=etc,$BASEDN.
You can check if the CA certificate can be found by the installer. Do you see matching
logs in the directory server access log (/var/log/dirsrv/slapd-xx/access), like the
following:
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2
filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust
ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1
etime=1
If yes, check the return code (err=x) and the number of found entries (nentries=x).
When you run the installer with --force, the tool manages to retrieve the cert using http
but fails later. Which version of IPA are you using?
Flo.
8:38 a.m.
New subject: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
None via FreeIPA-users wrote:
Further update: I'm pretty sure I found out the problem.
Basically, my old server is running pyasn1==0.2.3 and the new one has
pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
isn't compatible with these changes.
I've got a ticket open at https://pagure.io/freeipa/issue/7079 about this.
Nice catch.
0.3.1 was just released a few days ago and I haven't had a chance to try
packaging it for Fedora yet much less do any compatibility testing.
Given the API changes I'll need to coordinate the update with the other
module users, including freeIPA.
In the meantime it might be a good idea for packagers to specifically
require 0.2.3 for now.
rob
- greg
On 2017-08-01 08:15, greg(a)greg-gilbert.com wrote:
> Slight update: I tried precreating /etc/ipa/ca.crt, and when running
> the install, I get the same Python error I did before:
>
> File "/usr/sbin/ipa-client-install", line 3099, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 3080, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 2727, in install
> api.finalize()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line
> 656, in finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line
> 370, in __do_if_not_done
> getattr(self, name)()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line
> 534, in load_plugins
> self.import_plugins(module)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line
> 572, in import_plugins
> module = importlib.import_module(name)
> File "/usr/lib/python2.7/importlib/__init__.py", line 37, in
> import_module
> __import__(name)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line
> 29, in <module>
> from ipalib import pkcs10
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79,
> in <module>
> class _PrincipalName(univ.Sequence):
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84,
> in _PrincipalName
> namedtype.NamedType('name-string',
> univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
>
>
> On 2017-08-01 07:07, greg(a)greg-gilbert.com wrote:
>
> Hey,
>
> I checked the logs and found this:
>
> conn=3295 op=3 SRCH
> base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example"
> scope=2
> filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
> attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey
> cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
> conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>
> So that looks like it's finding an entry, I guess.
>
> All of the lines have err=0 except these:
>
> conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind
> in progress
> conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind
> in progress
> conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>
> The server is running FreeIPA 4.4:
>
> $ ipa --version
> VERSION: 4.4.0, API_VERSION: 2.213
> $ ipa-client-install --version
> 4.4.0
>
> - greg
>
> On 2017-08-01 05:13, Florence Blanc-Renaud wrote:
>
> On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
>
> I'm really at a loss on this one.
>
> I have a bunch of old server images (from 2 months ago)
> that can run ipa-client-install just fine. When I created
> a new image, though, I get this error (from the install logs):
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://ipa.services.example:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at
> 0x7ff6a4e67560>
> DEBUG get_ca_certs_from_ldap() error:
> 'ipa.services.example' doesn't have a certificate.
> DEBUG 'ipa.services.example' doesn't have a certificate.
> ERROR In unattended mode without a One Time Password (OTP)
> or without --ca-cert-file
> You must specify --force to retrieve the CA cert using HTTP
> ERROR Cannot obtain CA certificate
> HTTP certificate download requires --force
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
>
> For comparison, the old images work as expected:
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache
> url=ldap://ipa.services.example:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at
> 0x7f2a0cb6e128>
> INFO Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.SERVICES.example
> Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
> Valid From: Wed Apr 05 21:11:13 2017 UTC
> Valid Until: Sun Apr 05 21:11:13 2037 UTC
>
> It's literally the same build script, so nothing there has
> changed. The old images still work even now, so I don't
> think it's a DNS issue. I tried running
> update-ca-certificates, but that did nothing. I tried
> restarting the FreeIPA server, nothing changed.
>
> If I try --forceing the install, this happens:
>
> Enrolled in IPA realm IPA.SERVICES.EXAMPLE
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 3099, in
<module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 3080, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 2727, in install
> api.finalize()
> File
> "/usr/lib/python2.7/dist-packages/ipalib/plugable.py",
> line 656, in finalize
> self.__do_if_not_done('load_plugins')
> File
> "/usr/lib/python2.7/dist-packages/ipalib/plugable.py",
> line 370, in __do_if_not_done
> getattr(self, name)()
> File
> "/usr/lib/python2.7/dist-packages/ipalib/plugable.py",
> line 534, in load_plugins
> self.import_plugins(module)
> File
> "/usr/lib/python2.7/dist-packages/ipalib/plugable.py",
> line 572, in import_plugins
> module = importlib.import_module(name)
> File "/usr/lib/python2.7/importlib/__init__.py", line
> 37, in import_module
> __import__(name)
> File
> "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py",
> line 29, in <module>
> from ipalib import pkcs10
> File
> "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line
> 79, in <module>
> class _PrincipalName(univ.Sequence):
> File
> "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line
> 84, in _PrincipalName
> namedtype.NamedType('name-string',
> univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
>
> Really not sure what's going on here; does anyone have
> advice on how to fix this? Thanks!
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
>
> Hi,
>
> during client installation, the installer tries to retrieve
> the CA certificate:
> - either from the provider --ca-cert-file
> - or from an existing /etc/ipa/ca.crt
> - or (when principal and password are supplied) via ldap
> - or (when the above failed) via http only if --force is supplied
>
> The ldap method looks for a certificate in
> cn=certificates,cn=ipa,cn=etc,$BASEDN or
> cn=CAcert,cn=ipa,cn=etc,$BASEDN.
>
> You can check if the CA certificate can be found by the
> installer. Do you see matching logs in the directory server
> access log (/var/log/dirsrv/slapd-xx/access), like the following:
>
> [27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH
> base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2
> filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
> attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey
> cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
> [27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT
> err=0 tag=101 nentries=1 etime=1
>
> If yes, check the return code (err=x) and the number of found
> entries (nentries=x).
>
> When you run the installer with --force, the tool manages to
> retrieve the cert using http but fails later. Which version of
> IPA are you using?
>
> Flo.
>
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
9 a.m.
New subject: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i
Hello,
i have setup an IPA server, NFS server with Samba and of course many clients.
The server are running Scientific Linix 7.3, the clients Fedora 25, CentOS 7.3
and also SL 7.3.
This was running well for one year.
Last week - i think when new IPA patches arrived - we where not able to mount
the NFS shares. I see messages like this:
Could not chdir to home directory /home/habicht: No such file or directory
When i make a "ls /home“ i see the directories, but i can’t mount.
Authentication is working.
First i thought, my IPA server is broken, so i setup a new one and i also
configure the NFS server and the clients for the new IPA server.
(Important: On the NFS server i do only a new ipa-client-install - not a reinstall
of the whole server!)
But i then have the same problem again …
For the shares i am using sec=krb5i. At the end i tested sec=sys. And this works!
Can you give me any help, why a NFS server suddenly stopped working exporting
the shares with sec=krb5i (and also krb5 …)?
What could be broken?
Where i have to search?
Thanx for any help!
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
10:20 a.m.
New subject: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i
Detlev Habicht via FreeIPA-users wrote:
Hello,
i have setup an IPA server, NFS server with Samba and of course many
clients.
The server are running Scientific Linix 7.3, the clients Fedora 25,
CentOS 7.3
and also SL 7.3.
This was running well for one year.
Last week - i think when new IPA patches arrived - we where not able to
mount
the NFS shares. I see messages like this:
Could not chdir to home directory /home/habicht: No such file or directory
When i make a "ls /home“ i see the directories, but i can’t mount.
Authentication is working.
First i thought, my IPA server is broken, so i setup a new one and i also
configure the NFS server and the clients for the new IPA server.
(Important: On the NFS server i do only a new ipa-client-install - not a
reinstall
of the whole server!)
But i then have the same problem again …
For the shares i am using sec=krb5i. At the end i tested sec=sys. And
this works!
Can you give me any help, why a NFS server suddenly stopped working
exporting
the shares with sec=krb5i (and also krb5 …)?
What could be broken?
Where i have to search?
Thanx for any help!
I don't know what the issue is but it is highly unlikely to be related
to the IPA packages, especially for a pre-configured system.
I'd look to see what else was pulled in with the update.
Note too that mixing packages between releases (7.3 and 7.4 in this
case) is not well-tested so you should avoid it when possible.
rob
11:15 a.m.
New subject: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i
Thank you, for your answer.
How can i avoid this mixing of packages?
Well, i think i have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
What can i do to only install 7.2 and the patches for 7.2 (for example)?
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
Am 29.08.2017 um 17:20 schrieb Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
Detlev Habicht via FreeIPA-users wrote:
> Hello,
>
> i have setup an IPA server, NFS server with Samba and of course many
> clients.
> The server are running Scientific Linix 7.3, the clients Fedora 25,
> CentOS 7.3
> and also SL 7.3.
>
> This was running well for one year.
>
> Last week - i think when new IPA patches arrived - we where not able to
> mount
> the NFS shares. I see messages like this:
>
> Could not chdir to home directory /home/habicht: No such file or directory
>
> When i make a "ls /home“ i see the directories, but i can’t mount.
>
> Authentication is working.
>
> First i thought, my IPA server is broken, so i setup a new one and i also
> configure the NFS server and the clients for the new IPA server.
> (Important: On the NFS server i do only a new ipa-client-install - not a
> reinstall
> of the whole server!)
>
> But i then have the same problem again …
>
> For the shares i am using sec=krb5i. At the end i tested sec=sys. And
> this works!
>
> Can you give me any help, why a NFS server suddenly stopped working
> exporting
> the shares with sec=krb5i (and also krb5 …)?
> What could be broken?
> Where i have to search?
>
> Thanx for any help!
I don't know what the issue is but it is highly unlikely to be related
to the IPA packages, especially for a pre-configured system.
I'd look to see what else was pulled in with the update.
Note too that mixing packages between releases (7.3 and 7.4 in this
case) is not well-tested so you should avoid it when possible.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
12:31 p.m.
New subject: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i
Detlev Habicht via FreeIPA-users wrote:
Thank you, for your answer.
How can i avoid this mixing of packages?
Well, i think i have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
What can i do to only install 7.2 and the patches for 7.2 (for example)?
I know nothing of SL but there may be separate repositories for each
release that you could use. Otherwise I don't know. The way that RHEL
operates is that each dot release contains package updates as well as
potential security updates so staying at a specific release carries risk
which increases over time.
The thing about NFS is there are a lot of moving parts including NFS
itself, gssproxy, potentially autofs, rpcbind, etc. You should be able
to add a whole slew of -vvvv to get additional debug information out of
the various daemons that may point you in the right direction.
rob
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511
76219662 habicht(a)ims.uni-hannover.de <mailto:habicht@ims.uni-hannover.de>
--------+-------- Handy +49 172 5415752 ---------------------------
Am 29.08.2017 um 17:20 schrieb Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>:
> Detlev Habicht via FreeIPA-users wrote:
>> Hello,
>>
>> i have setup an IPA server, NFS server with Samba and of course many
>> clients.
>> The server are running Scientific Linix 7.3, the clients Fedora 25,
>> CentOS 7.3
>> and also SL 7.3.
>>
>> This was running well for one year.
>>
>> Last week - i think when new IPA patches arrived - we where not able to
>> mount
>> the NFS shares. I see messages like this:
>>
>> Could not chdir to home directory /home/habicht: No such file or
>> directory
>>
>> When i make a "ls /home“ i see the directories, but i can’t mount.
>>
>> Authentication is working.
>>
>> First i thought, my IPA server is broken, so i setup a new one and i
>> also
>> configure the NFS server and the clients for the new IPA server.
>> (Important: On the NFS server i do only a new ipa-client-install - not a
>> reinstall
>> of the whole server!)
>>
>> But i then have the same problem again …
>>
>> For the shares i am using sec=krb5i. At the end i tested sec=sys. And
>> this works!
>>
>> Can you give me any help, why a NFS server suddenly stopped working
>> exporting
>> the shares with sec=krb5i (and also krb5 …)?
>> What could be broken?
>> Where i have to search?
>>
>> Thanx for any help!
>
> I don't know what the issue is but it is highly unlikely to be related
> to the IPA packages, especially for a pre-configured system.
>
> I'd look to see what else was pulled in with the update.
>
> Note too that mixing packages between releases (7.3 and 7.4 in this
> case) is not well-tested so you should avoid it when possible.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
2:46 p.m.
New subject: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i
On Tue, Aug 29, 2017 at 06:15:46PM +0200, Detlev Habicht via FreeIPA-users wrote:
Thank you, for your answer.
How can i avoid this mixing of packages?
Well, i think i have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
What can i do to only install 7.2 and the patches for 7.2 (for example)?
I don't know about Scientific Linux, but at least CentOS specifically
disallows that:
https://wiki.centos.org/FAQ/General#head-dcca41e9a3d5ac4c6d900a991990fd11...
Quote:
The CentOS Project provides updates or other changes ONLY for the latest
version of each major branch.
...
We are trying to make sure people understand they can NOT use older
minor versions and still be secure. Therefore, a date in the minor
version allows users to know with a glance when this minor version was
created. If it is older than many months, there is likely a new version
you should look for.
2:24 a.m.
New subject: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i
Thank you all for your answers!
Well, it seemed, i make a great mistake here (mixing minor versions …).
But now i have to setup everything new and the real answer i will know
in a few weeks …
But thank you again!
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
Am 29.08.2017 um 21:46 schrieb Jakub Hrozek via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
On Tue, Aug 29, 2017 at 06:15:46PM +0200, Detlev Habicht via
FreeIPA-users wrote:
> Thank you, for your answer.
>
> How can i avoid this mixing of packages?
>
> Well, i think i have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
>
> What can i do to only install 7.2 and the patches for 7.2 (for example)?
I don't know about Scientific Linux, but at least CentOS specifically
disallows that:
https://wiki.centos.org/FAQ/General#head-dcca41e9a3d5ac4c6d900a991990fd11...
Quote:
The CentOS Project provides updates or other changes ONLY for the latest
version of each major branch.
...
We are trying to make sure people understand they can NOT use older
minor versions and still be secure. Therefore, a date in the minor
version allows users to know with a glance when this minor version was
created. If it is older than many months, there is likely a new version
you should look for.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
2424
days inactive
2453
days old
freeipa-users@lists.fedorahosted.org
11 comments
5 participants
participants (5)
-
Detlev Habicht -
Florence Blanc-Renaud -
greg@greg-gilbert.com -
Jakub Hrozek -
Rob Crittenden