IPA replica install failed with the error: "chown: invalid group: ‘pkiuser:pkiuser’"
Issue
IPA replica install failed with the error: "chown: invalid group: ‘pkiuser:pkiuser’"
During the installation we can see it is trying to start "pki-tomcatd", and it is failing with the following errors:
var/log/./pki/pki-ca-spawn.20180529112556.log:1486:2018-05-29 11:26:03 pkispawn : INFO ....... executing 'systemctl daemon-reload'
var/log/./pki/pki-ca-spawn.20180529112556.log:1487:2018-05-29 11:26:03 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
var/log/./messages:2258:May 29 11:26:03 ed-linuxdc-prd systemd: Reloading.
var/log/./messages:2259:May 29 11:26:03 ed-linuxdc-prd systemd: Created slice system-pki\x2dtomcatd.slice.
var/log/./messages:2260:May 29 11:26:03 ed-linuxdc-prd systemd: Starting system-pki\x2dtomcatd.slice.
var/log/./messages:2261:May 29 11:26:03 ed-linuxdc-prd systemd: Starting PKI Tomcat Server pki-tomcat...
var/log/./messages:2262:May 29 11:26:03 ed-linuxdc-prd pkidaemon: chown: invalid group: ‘pkiuser:pkiuser’
var/log/./messages:2263:May 29 11:26:03 ed-linuxdc-prd pkidaemon: chown: invalid group: ‘pkiuser:pkiuser’
var/log/./messages:2264:May 29 11:26:03 ed-linuxdc-prd pkidaemon: chown: invalid group: ‘pkiuser:pkiuser’
var/log/./messages:2265:May 29 11:26:03 ed-linuxdc-prd pkidaemon: chown: invalid group: ‘pkiuser:pkiuser’
var/log/./messages:2266:May 29 11:26:03 ed-linuxdc-prd pkidaemon: chown: invalid group: ‘pkiuser:pkiuser’
We also noticed the following AVC denials in the audit logs:
--snip --
type=AVC msg=audit(1527607563.894:297): avc: denied { search } for pid=9953 comm="chown" name="sss" dev="sda2" ino=265878 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1527607564.545:302): avc: denied { search } for pid=10022 comm="pki-server" name="sss" dev="sda2" ino=265878 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
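To correlate AVC records like these with the failing commands, the following added example (not part of the original article) parses audit AVC lines and groups denials by source domain, target type, class and permission. The function names `parse_avc` and `summarize` are hypothetical, and the sample records are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Sample records copied from the audit log excerpt above.
SAMPLE = """\
type=AVC msg=audit(1527607563.894:297): avc: denied { search } for pid=9953 comm="chown" name="sss" dev="sda2" ino=265878 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1527607564.545:302): avc: denied { search } for pid=10022 comm="pki-server" name="sss" dev="sda2" ino=265878 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
"""

# Header of an AVC denial; \s+ tolerates the double spaces raw audit logs use.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # An SELinux context is user:role:type:level; keep only the type.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    fields["perms"] = m.group("perms").split()
    fields["serial"] = int(m.group("serial"))
    return fields

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial (e.g. a syslog line)
        for perm in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"],
                   rec.get("tclass"), perm)
            groups[key].add(rec.get("comm"))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls, perm), comms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }} denied for: {', '.join(comms)}")
```

On the two records above, this collapses to a single group: processes in `pki_tomcat_t` (`chown` and `pki-server`) denied `search` on a `sssd_var_lib_t` directory.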
Environment
Red Hat Enterprise Linux 7.5