[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt
derek.p.moore at gmail.com
Wed May 8 03:44:58 UTC 2013
First I'll undo the oVirt/FreeIPA relationship:
# engine-manage-domains -action=delete -domain=hackunix.org
Manage Domains completed successfully
# service ovirt-engine restart
oVirt works with internal domain and admin user.
Now let's uninstall FreeIPA:
# pkidestroy -s CA -i pki-tomcat
Loading deployment configuration from
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ....... this 'CA' entry may not be registered with
security domain 'IPA'!
pkidestroy : ERROR ....... updateDomainXML FAILED to delete this 'CA'
entry from security domain 'IPA': ''
# rm -rf /var/log/pki/pki-tomcat
# rm -rf /etc/sysconfig/pki-tomcat
# rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
# rm -rf /var/lib/pki/pki-tomcat
# rm -rf /etc/pki/pki-tomcat
# ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Removing IPA client configuration
ipa : CRITICAL failed to uninstall CA instance Command
'/usr/sbin/pkidestroy -i pki-tomcat -s CA' returned non-zero exit status 255
Unconfiguring web server
Unconfiguring directory server
I choose BIND integration, set my hostname, and now I get a new error:
Server host name [localhost.localdomain]: ds1.hackunix.org
[Errno 1] Unknown host
So now I'm thinking that besides mucking with minssf I also turned on DNS
for my domain, but everything in DNS should match what I started out with
in /etc/hosts... Let me read what the install script is expecting here...
On Tue, May 7, 2013 at 10:04 PM, Derek Moore <derek.p.moore at gmail.com> wrote:
> > Did you restart all IPA services including KDC after you changed the
> Yes, tried many combinations of restarts and reboots trying to undo the
> I found a similar thread on here ("sudden ipa errors") where someone spent
> a lot of time debugging when suddenly RH support came back with an odd fix
> to krb5kdc.conf that doesn't apply to me since I'm not using a subdomain
> for the realm.
> Let me start over documenting the ipa steps better, I had to patch a few
> things along the way to get it to work (like the .pki to .dogtag problem on
> I'll report back...