[Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch
Michael Lasevich
mlasevich at gmail.com
Wed Sep 23 08:35:32 UTC 2015
Ok, I just went through the process of migrating our IPA setup from 4.1.2
running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek
Copr version) and ran into a nasty bug. The replica-install crashes during
CA configuration with something like:

''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpXXXXXX'' returned non-zero
exit status 1

Skipping CA works, but I needed the CA.

Upon digging into this, I found the issue appears to be in pki python, in
file:

/usr/lib/python2.7/site-packages/pki/system.py

It looks like it makes a call to "/ca/rest/securityDomain/domainInfo" and
gets an XML doc which it converts to JSON. Somehow it gets mangled before
it looks at it. XML has outermost tag of "DomainInfo" - but JSON starts
with "Subsystem" (one layer lower) - I am guessing the JSON converter strips
the "root" tag.

I bypassed this by hardcoding id as "IPA" - but obviously that is
sub-optimal.

Looking at the Fedora box, it looks like the difference is in the version of
PKI package that provides the lib - on CentOS you get pki-base 10.1.2
(pki-base-10.1.2-7.1.el7.centos.noarch) - while on Fedora it was a 10.2
branch (and significantly different content in that file).

Anyway, I saw some reports of this bug in searches and no answers - so I
figured I would offer this pointer in (hopefully) the right direction.
-M
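
Added example, not part of the original message and not code from the pki package: a small Python sketch of the shape mismatch described above, showing how a converter that drops the XML root leaves no domain id to read, and a check that reports the shape instead of failing on a missing key. The sample XML, its attributes, and the function names are assumptions; only the "DomainInfo" root and the "Subsystem" child come from the message.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: only the "DomainInfo" root and "Subsystem" child come
# from the post; the id attributes and the Host element are assumptions.
SAMPLE_XML = ('<DomainInfo id="IPA"><Subsystem id="CA">'
              '<Host id="CA ipa1.example.test 443"/></Subsystem></DomainInfo>')


def to_dict(elem):
    """Map one XML element to a dict of its attributes and child elements."""
    node = dict(elem.attrib)
    for child in elem:
        node[child.tag] = to_dict(child)
    return node


def xml_to_json(xml_text, strip_root):
    """Convert XML to JSON; strip_root models the suspected converter."""
    root = ET.fromstring(xml_text)
    if strip_root:
        # Root tag and its attributes are lost; only the children survive.
        doc = {child.tag: to_dict(child) for child in root}
    else:
        doc = {root.tag: to_dict(root)}
    return json.dumps(doc)


def classify(json_text):
    """Report which shape a domainInfo JSON document has."""
    doc = json.loads(json_text)
    if "DomainInfo" in doc:
        return "wrapped"
    if "Subsystem" in doc:
        return "root-stripped"
    return "unknown"


def domain_id(json_text):
    """Return the security domain id, or raise a descriptive error."""
    doc = json.loads(json_text)
    info = doc.get("DomainInfo", doc)
    if "id" not in info:
        raise ValueError("domainInfo JSON has no domain id (shape: %s)"
                         % classify(json_text))
    return info["id"]
```

Running `classify()` on the JSON a server actually returns for the domainInfo call shows which of the two shapes the client-side code is being handed.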