Loading the python2 ipa packages got through the first error.
The script seems to be setting some permissions and creating some users but then there are some keytab failures.
I'm just a beginner at this so I need to learn more about how ipa handles these matters. I see the portal user Self Service in the user table vi the web UI.
I already kinit admin prior to this and get:
[ me@portal ~ ]$ create-portal-user Created privilege 'Portal management privilege' Added permission 'System: Add Stage User' to privilege Added permission 'System: Read Stage User' to privilege Added permission 'System: Change User password' to privilege Cannot add permission 'System: Read User Standard Attributes' to privilege ipa: WARNING: Cannot add permission 'System: Read User Standard Attributes' to privilege Cannot add permission 'System: Read User Addressbook Attributes' to privilege ipa: WARNING: Cannot add permission 'System: Read User Addressbook Attributes' to privilege Created role 'Portal management' Added privilege 'Portal management privilege' to role 'Portal management' Created user 'portal' Added role 'Portal management' to user 'portal' Retrieving keytab... ipa-getkeytab -s prime.ipa.kkgpitt.org -p portal@IPA.KKGPITT.ORG -k /etc/ipa/portal.keytab Failed to add key to the keytab Traceback (most recent call last): File "/home/me/.local/bin/create-portal-user", line 207, in <module> main() File "/home/me/.local/bin/create-portal-user", line 197, in main create_keytab(args.username, args.keytab, args.keytab_owner) File "/home/me/.local/bin/create-portal-user", line 180, in create_keytab subprocess.check_call(cmd) File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '['ipa-getkeytab', '-s', u' prime.ipa.kkgpitt.org', '-p', u'portal@IPA.KKGPITT.ORG', '-k', '/etc/ipa/portal.keytab']' returned non-zero exit status 11
I tried to manually execute the command
[me@portal ~]$ ipa-getkeytab -s prime.ipa.kkgpitt.org -p portal@IPA.KKGPITT.ORG -k /etc/ipa/portal.keytab Failed to add key to the keytab
I tried to manually change the password and try again which yielded a slightly different error. [me@portal ~]$ ipa-getkeytab -s prime.ipa.kkgpitt.org -p <new pw> -k /etc/ipa/portal.keytab Failed to parse result: PrincipalName not found.
Retrying with pre-4.0 keytab retrieval method... Failed to parse result: PrincipalName not found.
Failed to get keytab! Failed to get keytab
On Sat, May 12, 2018 at 2:28 PM, Alexander Bokovoy abokovoy@redhat.com wrote:
On la, 12 touko 2018, Joseph Flynn wrote:
Yes, thank you Alexander.
Yes I performed the enrollment (if running the client install the same as 'enrolling'?)
Thing is, 'from ipalib import api' assumes ipalib Python module is installed. That module is a strict requirement of freeipa-client package in Fedora (I have development version installed but that doesn't change with what I package in Fedora):
# rpm -qf /usr/lib/python3.6/site-packages/ipalib python3-ipalib-4.6.90.pre1.dev201804271410+gitdcde5a791-0.fc28.noarch # rpm -q --whatrequires python3-ipalib python3-ipaclient-4.6.90.pre1.dev201804271410+gitdcde5a791-0.fc28.noarch freeipa-python-compat-4.6.90.pre1.dev201804271410+gitdcde5a7 91-0.fc28.noarch # rpm -q --whatrequires python3-ipaclient python3-ipa-desktop-profile-client-0.0.6-5.fc28.noarch python3-ipaserver-4.6.90.pre1.dev201804271410+gitdcde5a791-0.fc28.noarch freeipa-client-4.6.90.pre1.dev201804271410+gitdcde5a791-0.fc28.x86_64 python3-ipatests-4.6.90.pre1.dev201804271410+gitdcde5a791-0.fc28.noarch
So, freeipa-client package requires ipalib Python package and there is no way you'd get an error unless you are using a different python version.
That one (using python 2 in create-portal-user) is a likely your issue: Fedora 28 has Python 3 by default and only Python 3 versions of IPA libraries are installed. You can install python2-ipaclient manually, this should bring python 2 versions of IPA libraries and make freeipa community portal code happy.
To make it easier to read, I have the executed steps and the error formatted for easy reading in http://agileiomo.blogspot.com/2018/05/errors-i-am-seeing-wit h-installing.html
On Sat, May 12, 2018 at 3:26 AM, Alexander Bokovoy abokovoy@redhat.com wrote:
On pe, 11 touko 2018, Henery Hawk via FreeIPA-users wrote:
Trying to follow the install instructions for the portal at
http://freeipa-community-portal.readthedocs.io/en/latest/ deploy.html#installation. Using Fedora Server 28.
Any thoughts?
When creating the stage user via script I get the following error:
[*] sudo ./create-portal-user Traceback (most recent call last): File "./create-portal-user", line 27, in <module> from ipalib import api ImportError: No module named ipalib
Do you have this machine enrolled to IPA itself?
The first thing you are asked to do before installation of the portal app is to enroll themachine to IPA:
Before continuing into the installation, the server should be enrolled as a FreeIPA client of the FreeIPA domain it belongs to. Running:
ipa-client-install
with your favorite options will do.
I try to manually install ipalib which brings me to another error:
[*] sudo pip install ipalib . . . In distributed package, building from C files... Traceback (most recent call last): File "<string>", line 1, in <module> File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in
<module> raise Exception("Could not find main GSSAPI shared library. Please " Exception: Could not find main GSSAPI shared library. Please try setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to 'false'
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-qQYKRY/gssapi/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland