hi all, when I tried to install FreeIPA 2.99.0 on Fedora 17 I got the following error:
[root@linux yum.repos.d]# cat ipa-devel.repo
[ipa-devel]
name=IPA development $releasever - $basearch
baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
enabled=1
gpgcheck=0

new yum update ..

[root@linux yum.repos.d]# uname -a
Linux linux.fritz.box 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26 20:54:56 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

freeipa-server-2.99.0-0.20120630T2358Zgit50ebd1a.fc17.x86_64..

ipa-server-install -a ###t --hostname=linux.fritz.box -r fritz.box -p ###### -n fritz.box -U

  [21/36]: adding default layout
Unexpected error - see /var/log/ipaserver-install.log for details:
KeyError: 'REALM_id_range'

log ..

2012-07-02T10:07:32Z DEBUG   [21/36]: adding default layout
2012-07-02T10:07:32Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 696, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 958, in main
    hbac_allow=not options.hbac_allow)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 249, in create_instance
    self.start_creation("Configuring directory server", 60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 259, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 569, in __add_default_layout
    self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 98, in _ldap_mod
    txt = ipautil.template_file(path, sub_dict)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in template_file
    return template_str(txt, vars)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 206, in template_str
    val = string.Template(txt).substitute(vars)
  File "/usr/lib64/python2.7/string.py", line 172, in substitute
    return self.pattern.sub(convert, self.template)
  File "/usr/lib64/python2.7/string.py", line 162, in convert
    val = mapping[named]
2012-07-02T10:07:32Z INFO The ipa-server-install command failed, exception: KeyError: 'REALM_id_range'

thx
klaus

Best Regards,

Klaus Eckel, UNIX Consultant
HPC (AIX,Linux) GPFS, BIA, SAP
ITS/STG (SSIS) Server, Storage & Data Infrastructure Services
IBM Deutschland GmbH
Laatzener str, 1
30539 Hannover
Germany
Email: kec...@de.ibm.com
Phone: +49-(0)52319489906
Handy: +49 (0)170 6323416
Visit the IBM Deutschland ITS Pages.

IBM Deutschland GmbH / Vorsitzender des Aufsichtsrats: Erich Clementi
Geschäftsführung: Martin Jetter (Vorsitzender), Reinhard Reschke, Dieter Scholz, Klaus Lintelmann, Michael Diemer, Martina Koederitz
Sitz der Gesellschaft: Ehningen / Registergericht: Amtsgericht Stuttgart, HRB 14562
WEEE-Reg.-Nr. DE 99369940

freeipa-devel-boun...@redhat.com wrote on 07/02/2012 09:55:36 AM:

> From: Martin Kosek <mko...@redhat.com>
> To: Rob Crittenden <rcrit...@redhat.com>,
> Cc: freeipa-devel@redhat.com
> Date: 07/02/2012 09:57 AM
> Subject: Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
> Sent by: freeipa-devel-boun...@redhat.com
>
> On 06/30/2012 12:01 AM, Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Alexander Bokovoy wrote:
> >>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
> >>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
> >>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
> >>>>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
> >>>>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
> >>>>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
> >>>>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
> >>>>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
> >>>>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
> >>>>>> > > > > > > >
> >>>>>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
> >>>>>> > > > > > > > users/groups and users from trusted domains new range objects are
> >>>>>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
> >>>>>> > > > > > > >
> >>>>>> > > > > > > > 0022: LDAP schema update
> >>>>>> > > > > > >
> >>>>>> > > > > > > ack
> >>>>>> > > > > > >
> >>>>>> > > > > > > > 0023: Create a range object during installation for the local ID range
> >>>>>> > > > > > >
> >>>>>> > > > > > > nack, I think we need to find a way to handle adding at least the base
> >>>>>> > > > > > > range on update. Otherwise an updated server won't be able to have IDs
> >>>>>> > > > > > > for most of its users.
> >>>>>> > > > > >
> >>>>>> > > > > > I fully agree, but since we said that we concentrate on update issues in
> >>>>>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
> >>>>>> > > > > > testing.
> >>>>>> > > > >
> >>>>>> > > > > The reason I'd like updates is that this patchset can be installed on
> >>>>>> > > > > top of existing servers for testing w/o having to reinstall from scratch
> >>>>>> > > > > or manually creating the ipaDomainIDRange object :):)
> >>>>>> > > >
> >>>>>> > > > ok, will do.
> >>>>>> > > >
> >>>>>> > > > Do you otherwise agree with the patches or is there something I should
> >>>>>> > > > change while adding the updates?
> >>>>>> > > >
> >>>>>> > > > bye,
> >>>>>> > > > Sumit
> >>>>>> > > >
> >>>>>> > > > >
> >>>>>> > > > > > >
> >>>>>> > > > > > > > 0024: add primary and secondary RID base to the local range object
> >>>>>> > > > > > > > during ipa-adtrust-install
> >>>>>> > > > > > >
> >>>>>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
> >>>>>> > > > > >
> >>>>>> > > > > > I think it is right here, because a plain IPA server does not need the
> >>>>>> > > > > > RID related attributes.
> >>>>>> > > > > >
> >>>>>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
> >>>>>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
> >>>>>> > > > > > > detect them.
> >>>>>> > > > > >
> >>>>>> > > > > > I agree here, too. But as above I would like to handle update issues
> >>>>>> > > > > > in a second round.
> >>>>>> > > > > >
> >>>>>> > > > > > >
> >>>>>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
> >>>>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
> >>>>>> > > > > > > falls outside the configured range (either because we failed to detect
> >>>>>> > > > > > > ranges on upgrade and the user botched the question or because the admin
> >>>>>> > > > > > > added arbitrary IDs.
> >>>>>> > > > > > > If a warning we should warn that missing a range that suitably covers
> >>>>>> > > > > > > these IDs, those users/groups will not be available for the trust.
> >>>>>> > > > > > >
> >>>>>> > > > > > > Maybe we should also have a simple ipa command that can list all
> >>>>>> > > > > > > users/groups that fall outside the ranges as well.
> >>>>>> > > > > >
> >>>>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
> >>>>>> > > > > > range-find' etc. I can add it there.
> >>>>>> > > > > >
> >>>>>> > >
> >>>>>> > > Hi,
> >>>>>> > >
> >>>>>> > > this new series of patches add the cli plugin to create the ID ranges
> >>>>>> > > manually. I'm still working on a detection of the locally used id range
> >>>>>> > > of an upgrade domain in ipa-adtrust-install and a plugin which rejects
> >>>>>> > > new ranges which overlaps with existing ones.
> >>>>>> > >
> >>>>>> > > bye,
> >>>>>> > > Sumit
> >>>>>> >
> >>>>>> > the attached patch adds a preop plugin which checks for overlaps with
> >>>>>> > existing ranges.
> >>>>>> >
> >>>>>> > bye,
> >>>>>> > Sumit
> >>>>>>
> >>>>>> Finally I added a method to guess and create the initial ID range, if no
> >>>>>> one is preset, e.g. when updating from an older version of freeIPA. A
> >>>>>> full series of patches is attached.
> >>>>>>
> >>>>>> bye,
> >>>>>> Sumit
> >>>>>
> >>>>> This version of patches fixes review comments by Alexander and also adds
> >>>>> some test for the range CLI plugin which were kindly provided by
> >>>>> Alexander.
> >>>> ACK
> >>>>
> >>>
> >>> These patches aren't applying for me.
> >>>
> >>> rob
> >>
> >> Hmm. Pulled a fresh tree and they imported fine.
> >>
> >> pushed to master
> >>
> >> rob
> >
> > I had only pushed 22-24 before, pushed 25 and 29 as well.
> >
> > rob
> >
>
> I examined the latest changes and found several rather serious issues which
> will break this functionality on upgraded servers:
>
> https://fedorahosted.org/freeipa/ticket/2891
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
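
The two checks discussed in the quoted thread, rejecting a new ID range that overlaps an existing one and finding uidNumber/gidNumber values that no range covers, shown as an added example that is not part of the original messages or of FreeIPA's code. The IDRange class, its field names and the sample ranges and entries are hypothetical and constructed; ranges are held in memory rather than read from LDAP.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IDRange:
    """Hypothetical model of one ID range: base_id .. base_id + size - 1."""
    name: str
    base_id: int
    size: int

    @property
    def last_id(self):
        return self.base_id + self.size - 1

    def overlaps(self, other):
        # Two closed intervals intersect unless one ends before the other starts.
        return self.base_id <= other.last_id and other.base_id <= self.last_id

    def covers(self, posix_id):
        return self.base_id <= posix_id <= self.last_id


def check_new_range(existing, candidate):
    """Return names of existing ranges the candidate collides with ([] = safe)."""
    if candidate.size <= 0 or candidate.base_id < 0:
        raise ValueError("range needs a non-negative base and a positive size")
    return [r.name for r in existing if r.overlaps(candidate)]


def ids_outside_ranges(entries, ranges):
    """Return (entry, attribute, value) for every uid/gid that no range covers."""
    uncovered = []
    for entry_name, uid_number, gid_number in entries:
        for attr, value in (("uidNumber", uid_number), ("gidNumber", gid_number)):
            if not any(r.covers(value) for r in ranges):
                uncovered.append((entry_name, attr, value))
    return uncovered


# Constructed sample data, not taken from a real deployment.
LOCAL = IDRange("local_id_range", 1_000_000, 200_000)
TRUSTED = IDRange("trusted_id_range", 1_200_000, 200_000)
ENTRIES = [
    ("alice", 1_000_001, 1_000_001),   # inside the local range
    ("legacy", 500, 1_000_050),        # uid added by hand below the base
    ("bob", 1_199_999, 1_199_999),     # last ID of the local range
]
```

An ID that two ranges both claim, or that no range claims, cannot be mapped unambiguously between the local domain and a trusted one, which is why the thread wants overlaps rejected before the range is written and uncovered IDs reported to the admin.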