On 08/20/2014 09:18 AM, Baird, Josh wrote:
Hi,

We are attempting to run ipa-client-install in the %post section of a Kickstart 
in order to join the host to an IPA domain (3.3/RHEL7 IdM).  We are using 
something like:

/usr/sbin/ipa-client-install -w 'one-time-password' --realm=REALM.COM -U 
--no-ssh --no-sshd --no-ntp --domain=realm.com

The machine does indeed join the domain correctly, but the certmonger request 
fails.  Looking at the logs, we can see this:

2014-08-19T15:02:45Z DEBUG Starting external process
2014-08-19T15:02:45Z DEBUG args=/bin/systemctl is-active certmonger.service
2014-08-19T15:02:45Z DEBUG Process finished, return code=0
2014-08-19T15:02:45Z DEBUG stdout=
2014-08-19T15:02:45Z DEBUG stderr=Running in chroot, ignoring request.

The error is occurring because the certmonger service fails to start.  This is 
because systemd is not able to manipulate services in a chrooted environment 
(à la the anaconda installation environment).  Prior to systemd, this would work 
fine as services could start normally via init in a chroot/%post.

Additionally, we see the error:

Unable to find 'admin' user with 'getent passwd ad...@domain.com'

Again, this is because systemd is unable to start sssd in the chrooted 
installation environment.  I'm wondering if anyone else has experienced these 
issues with systemd unable to start these required services during installation 
and what you did to work around them.  One option would be to move the 
ipa-client-install out of Kickstart and have Puppet join the host to the domain 
post-installation (after firstboot), but this isn't really ideal.

Any advice or suggestions would be appreciated.

Create a file that is run at boot, presumably after networking and certmonger are started.


Thanks,

Josh
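
One way to stage the boot-time join suggested in the reply above, as an added example that is not part of the original thread. The unit name, the script path and the OTP file path are assumptions chosen for illustration; the ipa-client-install options are the ones from the original message.

```shell
#!/bin/sh
# Added example. Unit name, script path and OTP file path are assumptions.
# In %post call: stage_ipa_firstboot "" 'one-time-password'
stage_ipa_firstboot() {
    root="$1"   # "" in %post (already chrooted); a scratch dir for a dry run
    otp="$2"    # one-time enrollment password
    unit_dir="$root/etc/systemd/system"
    script="$root/usr/local/sbin/ipa-firstboot-enroll"
    mkdir -p "$unit_dir/multi-user.target.wants" "$root/usr/local/sbin" || return 1

    # Root-only OTP file; the enrollment script deletes it after a successful join.
    ( umask 077; printf '%s\n' "$otp" > "$root/etc/ipa-enroll.otp" ) || return 1

    cat > "$script" <<'EOF' || return 1
#!/bin/sh
# Runs on the installed system, where systemd can start certmonger and sssd.
/usr/sbin/ipa-client-install -w "$(cat /etc/ipa-enroll.otp)" --realm=REALM.COM -U \
    --no-ssh --no-sshd --no-ntp --domain=realm.com || exit 1
rm -f /etc/ipa-enroll.otp
EOF
    chmod 700 "$script" || return 1

    cat > "$unit_dir/ipa-firstboot-enroll.service" <<'EOF' || return 1
[Unit]
Description=Join the IPA domain on first boot
Wants=network-online.target
After=network-online.target certmonger.service
# Skipped on later boots once the OTP file has been removed.
ConditionPathExists=/etc/ipa-enroll.otp

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/ipa-firstboot-enroll

[Install]
WantedBy=multi-user.target
EOF
    # Enable for multi-user.target by creating the wants symlink directly;
    # no running systemd is needed for this step.
    ln -sf ../ipa-firstboot-enroll.service \
        "$unit_dir/multi-user.target.wants/ipa-firstboot-enroll.service"
}
```

The one-time password still appears on the ipa-client-install command line while the join runs, so the root-only file protects it only at rest between installation and first boot.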

