[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt

Derek Moore derek.p.moore at gmail.com
Wed May 8 03:44:58 UTC 2013

First I'll undo the oVirt/FreeIPA relationship:

  # engine-manage-domains -action=delete -domain=hackunix.org
  Manage Domains completed successfully

  # service ovirt-engine restart

oVirt works with internal domain and admin user.

Now let's uninstall FreeIPA:

  # pkidestroy -s CA -i pki-tomcat
  Loading deployment configuration from
  Uninstalling CA from /var/lib/pki/pki-tomcat.
  pkidestroy  : WARNING  ....... this 'CA' entry may not be registered with
security domain 'IPA'!
  pkidestroy  : ERROR    ....... updateDomainXML FAILED to delete this 'CA'
entry from security domain 'IPA': ''

  Uninstallation complete.
  # rm -rf /var/log/pki/pki-tomcat
  # rm -rf /etc/sysconfig/pki-tomcat
  # rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
  # rm -rf /var/lib/pki/pki-tomcat
  # rm -rf /etc/pki/pki-tomcat
  # ipa-server-install --uninstall

  This is a NON REVERSIBLE operation and will delete all data and

  Are you sure you want to continue with the uninstall procedure? [no]: yes
  Shutting down all IPA services
  Removing IPA client configuration
  Unconfiguring ntpd
  Unconfiguring CA
  ipa         : CRITICAL failed to uninstall CA instance Command
'/usr/sbin/pkidestroy -i pki-tomcat -s CA' returned non-zero exit status 255
  Unconfiguring named
  Unconfiguring web server
  Unconfiguring krb5kdc
  Unconfiguring kadmin
  Unconfiguring directory server
  Unconfiguring ipa_memcached

  # ipa-server-install

I choose BIND integration, set my hostname, and now I get a new error:

  Server host name [localhost.localdomain]: ds1.hackunix.org

  [Errno 1] Unknown host

So now I'm thinking that besides mucking with minssf I also turned on DNS
for my domain, but everything in DNS should match what I started out with
in /etc/hosts... Let me read what the install script is expecting here...

On Tue, May 7, 2013 at 10:04 PM, Derek Moore <derek.p.moore at gmail.com>wrote:

> > Did you restart all IPA services including KDC after you changed the
> minssf?
> Yes, tried many combinations of restarts and reboots trying to undo the
> breakage.
> I found a similar thread on here ("sudden ipa errors") where someone spent
> a lot of time debugging when suddenly RH support came back with an odd fix
> to krb5kdc.conf that doesn't apply to me since I'm not using a subdomain
> for the realm.
> Let me start over documenting the ipa steps better, I had to patch a few
> things along the way to get it to work (like the .pki to .dogtag problem on
> install).
> I'll report back...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130507/313c89f7/attachment.htm>

More information about the Freeipa-devel mailing list