On 07/02/2012 12:16 PM, Klaus Eckel wrote:
> hi all,
> when I tried to install FreeIPA 2.99.0 on Fedora 17 I got the following error:
>
> [root@linux yum.repos.d]# cat ipa-devel.repo
> [ipa-devel]
> name=IPA development $releasever - $basearch
> baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
> enabled=1
> gpgcheck=0
>
> new yum update ..
>
> [root@linux yum.repos.d]# uname -a
> Linux linux.fritz.box 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26 20:54:56 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> freeipa-server-2.99.0-0.20120630T2358Zgit50ebd1a.fc17.x86_64..
>
> ipa-server-install -a ###t --hostname=linux.fritz.box -r fritz.box -p ###### -n fritz.box -U
>
> [21/36]: adding default layout
> Unexpected error - see /var/log/ipaserver-install.log for details:
> KeyError: 'REALM_id_range'
>
> log ..
>
> 2012-07-02T10:07:32Z DEBUG [21/36]: adding default layout
> 2012-07-02T10:07:32Z INFO File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 696, in run_script
>     return_value = main_function()
>
> File "/sbin/ipa-server-install", line 958, in main
>     hbac_allow=not options.hbac_allow)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 249, in create_instance
>     self.start_creation("Configuring directory server", 60)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 259, in start_creation
>     method()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 569, in __add_default_layout
>     self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 98, in _ldap_mod
>     txt = ipautil.template_file(path, sub_dict)
>
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in template_file
>     return template_str(txt, vars)
>
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 206, in template_str
>     val = string.Template(txt).substitute(vars)
>
> File "/usr/lib64/python2.7/string.py", line 172, in substitute
>     return self.pattern.sub(convert, self.template)
>
> File "/usr/lib64/python2.7/string.py", line 162, in convert
>     val = mapping[named]
>
> 2012-07-02T10:07:32Z INFO The ipa-server-install command failed, exception: KeyError: 'REALM_id_range'
>
> thx klaus
>
> Best Regards,
> Klaus Eckel
>
> freeipa-devel-boun...@redhat.com wrote on 07/02/2012 09:55:36 AM:
>
>> From: Martin Kosek <mko...@redhat.com>
>> To: Rob Crittenden <rcrit...@redhat.com>,
>> Cc: freeipa-devel@redhat.com
>> Date: 07/02/2012 09:57 AM
>> Subject: Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
>> Sent by: freeipa-devel-boun...@redhat.com
>>
>> On 06/30/2012 12:01 AM, Rob Crittenden wrote:
>> > Rob Crittenden wrote:
>> >> Rob Crittenden wrote:
>> >>> Alexander Bokovoy wrote:
>> >>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>> >>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>> >>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>> >>>>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>> >>>>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>> >>>>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>> >>>>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>> >>>>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>> >>>>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>> >>>>>> > > > > > > >
>> >>>>>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
>> >>>>>> > > > > > > > users/groups and users from trusted domains new range objects are
>> >>>>>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
>> >>>>>> > > > > > > >
>> >>>>>> > > > > > > > 0022: LDAP schema update
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > ack
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > > 0023: Create a range object during installation for the local ID range
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > nack, I think we need to find a way to handle adding at least the base
>> >>>>>> > > > > > > range on update.
>> >>>>>> > > > > > > Otherwise an updated server won't be able to have IDs
>> >>>>>> > > > > > > for most of its users.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I fully agree, but since we said that we concentrate on update issues in
>> >>>>>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
>> >>>>>> > > > > > testing.
>> >>>>>> > > > >
>> >>>>>> > > > > The reason I'd like updates is that this patchset can be installed on
>> >>>>>> > > > > top of existing servers for testing w/o having to reinstall from scratch
>> >>>>>> > > > > or manually creating the ipaDomainIDRange object :):)
>> >>>>>> > > >
>> >>>>>> > > > ok, will do.
>> >>>>>> > > >
>> >>>>>> > > > Do you otherwise agree with the patches or is there something I should
>> >>>>>> > > > change while adding the updates?
>> >>>>>> > > >
>> >>>>>> > > > bye,
>> >>>>>> > > > Sumit
>> >>>>>> > > >
>> >>>>>> > > > >
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > > 0024: add primary and secondary RID base to the local range object
>> >>>>>> > > > > > > > during ipa-adtrust-install
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I think it is right here, because a plain IPA server does not need the
>> >>>>>> > > > > > RID related attributes.
>> >>>>>> > > > > >
>> >>>>>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
>> >>>>>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
>> >>>>>> > > > > > > detect them.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I agree here, too. But as above I would like to handle update issues
>> >>>>>> > > > > > in a second round.
>> >>>>>> > > > > >
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
>> >>>>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
>> >>>>>> > > > > > > falls outside the configured range (either because we failed to detect
>> >>>>>> > > > > > > ranges on upgrade and the user botched the question or because the admin
>> >>>>>> > > > > > > added arbitrary IDs).
>> >>>>>> > > > > > > If a warning we should warn that missing a range that suitably covers
>> >>>>>> > > > > > > these IDs, those users/groups will not be available for the trust.
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > Maybe we should also have a simple ipa command that can list all
>> >>>>>> > > > > > > users/groups that fall outside the ranges as well.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
>> >>>>>> > > > > > range-find' etc. I can add it there.
>> >>>>>> > > > > >
>> >>>>>> > >
>> >>>>>> > > Hi,
>> >>>>>> > >
>> >>>>>> > > this new series of patches add the cli plugin to create the ID ranges
>> >>>>>> > > manually. I'm still working on a detection of the locally used id range
>> >>>>>> > > of an upgrade domain in ipa-adtrust-install and a plugin which rejects
>> >>>>>> > > new ranges which overlap with existing ones.
>> >>>>>> > >
>> >>>>>> > > bye,
>> >>>>>> > > Sumit
>> >>>>>> >
>> >>>>>> > the attached patch adds a preop plugin which checks for overlaps with
>> >>>>>> > existing ranges.
>> >>>>>> >
>> >>>>>> > bye,
>> >>>>>> > Sumit
>> >>>>>>
>> >>>>>> Finally I added a method to guess and create the initial ID range, if no
>> >>>>>> one is preset, e.g. when updating from an older version of freeIPA. A
>> >>>>>> full series of patches is attached.
>> >>>>>>
>> >>>>>> bye,
>> >>>>>> Sumit
>> >>>>>
>> >>>>> This version of patches fixes review comments by Alexander and also adds
>> >>>>> some tests for the range CLI plugin which were kindly provided by
>> >>>>> Alexander.
>> >>>> ACK
>> >>>>
>> >>>
>> >>> These patches aren't applying for me.
>> >>>
>> >>> rob
>> >>
>> >> Hmm. Pulled a fresh tree and they imported fine.
>> >>
>> >> pushed to master
>> >>
>> >> rob
>> >
>> > I had only pushed 22-24 before, pushed 25 and 29 as well.
>> >
>> > rob
>> >
>>
>> I examined the latest changes and found several rather serious issues which
>> will break this functionality on upgraded servers:
>>
>> https://fedorahosted.org/freeipa/ticket/2891
>>
>> Martin
>>
Hello Klaus,

Thanks for reporting this. We already know about this issue and it will be fixed soon in the scope of ticket 2891, which I filed and am working on right now.

Martin
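
The traceback in the report ends in `string.Template(txt).substitute(vars)` raising `KeyError: 'REALM_id_range'`. The following is an added example, not part of the thread or of FreeIPA's code: it shows how `string.Template` reads an unbraced `$REALM_id_range` as a single placeholder name, and lints a template against its substitution dictionary before rendering. That this is the cause of the reported failure is an assumption the thread does not confirm; the LDIF line, the values and the function names are constructed for illustration.

```python
from string import Template

# Constructed sample: one LDIF line of the kind an installer might template.
# The real bootstrap-template.ldif content is not shown in the thread.
SAMPLE_LDIF = "dn: cn=$REALM_id_range,cn=range,cn=etc,$SUFFIX\n"
SAMPLE_VARS = {"REALM": "FRITZ.BOX", "SUFFIX": "dc=fritz,dc=box"}


def placeholders(text):
    """Return the placeholder names string.Template would look up in text."""
    names = []
    for m in Template.pattern.finditer(text):
        # 'named' is $name, 'braced' is ${name}; escapes ($$) match neither.
        name = m.group("named") or m.group("braced")
        if name and name not in names:
            names.append(name)
    return names


def lint_template(text, mapping):
    """Map each placeholder missing from mapping to a suggested fix or None.

    A fix is suggested when a known key followed by '_' is a prefix of the
    missing name, which is the signature of an unbraced $KEY_suffix.
    """
    report = {}
    for name in placeholders(text):
        if name in mapping:
            continue
        prefixes = [k for k in mapping if name.startswith(k + "_")]
        hint = None
        if prefixes:
            key = max(prefixes, key=len)  # longest known key wins
            hint = "${%s}%s" % (key, name[len(key):])
        report[name] = hint
    return report


def render_checked(text, mapping):
    """Substitute only after the lint passes, so the error names the fix."""
    problems = lint_template(text, mapping)
    if problems:
        raise KeyError("unresolved placeholders: %r" % problems)
    return Template(text).substitute(mapping)
```

Running such a lint over every template and its substitution dictionary in a unit test surfaces this class of error before an installer reaches the step that renders the file.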