[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

abbra freeipa-github-notification at redhat.com
Thu Dec 8 15:56:30 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
@simo5 I tried to run the branch as an upgrade against the Fedora 25 version (4.4.2-1.fc25) and it failed at first because I was running in SELinux enforcing mode:

     Unexpected error - see /var/log/ipaupgrade.log for details:
     DBusException: org.fedorahosted.certmonger.bad_arg: The parent of location "/var/kerberos/krb5kdc/kdc.crt" could not be accessed due to insufficient permissions.
     The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Re-running `ipa-server-upgrade` with `setenforce 0`, I get a different error:

    2016-12-08T15:52:28Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
    2016-12-08T15:52:28Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
        server.upgrade()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1820, in upgrade
        upgrade_configuration()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1755, in upgrade_configuration
        enable_anonymous_principal(krb)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1498, in enable_anonymous_principal
        dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
      File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 74, in get_realm_suffix
        return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix)
      File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1107, in __init__
        self.rdns = self._rdns_from_sequence(args)
      File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1148, in _rdns_from_sequence
        rdn = self._rdns_from_value(item)
      File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1141, in _rdns_from_value
        % type(value))

    2016-12-08T15:52:28Z DEBUG The ipa-server-upgrade command failed, exception: TypeError: must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
    2016-12-08T15:52:28Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
    TypeError: must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead

"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265775539

