On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I have resolved the install issue.

Great!

>
> The installer is a bit sloppy and makes some bad assumptions.  The
> problem turns out to be that the directory server setup seems to be
> running as dirsrv, not root.  Ipa-server-install (more specifically
> dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif.  But it
> does so as root, using root's umask.  It doesn't do a check to make
> sure dirsrv can read this file before spawning an external process to
> create the directory server.  Part of security best practices
> recommended by the CIS group as well as others is to set root's umask
> to 0077.  With this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install.  I modified dsinstance.py to not
> remove the file and checked it after a failed install.  It was written
> properly, so I changed the permission on it to 666 and re-ran the
> install.  It succeeded.

Opened https://fedorahosted.org/freeipa/ticket/1282

>
> I'm now back to where I started, which is a partly working ipa
> install.  Kinit takes 75 seconds to complete. 

Seems like a DNS timeout or something related to the name resolution.

>  I still can't get to the UI.  I'm now going to uninstall again,
> change root's umask to 022, and see if that fixes any more of the
> problems.

The UI does not start for me if you try to run FF from the root shell. I
forget about this frequently and just upgraded to F15 and hit it again.

If you have a normal user shell, kinit from that shell as admin and
start browser from it you should have all the right context to access UI.


>
> -Brian
>
>  
>
> On 6/3/11 3:14 PM, "Brian Stamper" <brian.p.stam...@nasa.gov> wrote:
>
>
>     Yes, I mentioned in the first email I had attempted that.  I just
>     ran the uninstall 10 times in a row.  Same errors:
>
>     Configuring directory server:
>       [1/17]: creating directory server user
>       [2/17]: creating directory server instance
>     root        : CRITICAL failed to restart ds instance Command
>     '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p'
>     returned non-zero exit status 1
>       [3/17]: adding default schema
>       [4/17]: enabling memberof plugin
>       [5/17]: enabling referential integrity plugin
>       [6/17]: enabling distributed numeric assignment plugin
>       [7/17]: enabling winsync plugin
>       [8/17]: configuring uniqueness plugin
>       [9/17]: creating indices
>       [10/17]: configuring ssl for ds instance
>       [11/17]: configuring certmap.conf
>       [12/17]: restarting directory server
>       [13/17]: adding default layout
>     root        : CRITICAL Failed to load bootstrap-template.ldif:
>     Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory
>     Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero
>     exit status 32
>       [14/17]: configuring Posix uid/gid generation as first master
>       [15/17]: adding master entry as first master
>     root        : CRITICAL Failed to load master-entry.ldif: Command
>     '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y
>     /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
>       [16/17]: initializing group membership
>       [17/17]: configuring directory to start on boot
>     done configuring dirsrv.
>
>     As a test I've manually run setup-ds.pl accepting all of the
>     defaults.  It works fine and installs successfully, creating the
>     slapd-freeipa (which is the hostname) instance.  I then ran
>     remove-ds.pl on the slapd-freeipa instance and re-ran the ipa
>     uninstall.  When I attempted to reinstall ipa, it detected an
>     existing ds.  I did a locate for dirsrv and found logfiles from an
>     instance called slapd-ARC-NASA-GOV, which should be my default
>     freeipa dirsrv instance.  To try to clean this up, I ran
>     setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV
>     instance, and then immediately removed it with remove-ds.pl.  I
>     then re-ran ipa-server-install, which this time did not detect an
>     existing directory server.  However, the ipa-server-install again
>     failed in the same location.
>
>       [2/17]: creating directory server instance
>     root        : CRITICAL failed to restart ds instance Command
>     '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1'
>     returned non-zero exit status 1
>
>
>     And from the log:
>
>     2011-06-03 15:12:41,540 DEBUG Configuring directory server:
>     2011-06-03 15:12:41,541 DEBUG   [1/17]: creating directory server user
>     2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
>     2011-06-03 15:12:41,541 DEBUG Saving StateFile to
>     '/var/lib/ipa/sysrestore/sysrestore.state'
>     2011-06-03 15:12:41,541 DEBUG Saving StateFile to
>     '/var/lib/ipa/sysrestore/sysrestore.state'
>     2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server
>     instance
>     2011-06-03 15:12:41,567 INFO   *** Error: no dirsrv instances
>     configured
>
>     2011-06-03 15:12:41,567 INFO
>     2011-06-03 15:12:41,567 DEBUG Saving StateFile to
>     '/var/lib/ipa/sysrestore/sysrestore.state'
>     2011-06-03 15:12:41,568 DEBUG Saving StateFile to
>     '/var/lib/ipa/sysrestore/sysrestore.state'
>     2011-06-03 15:12:41,568 DEBUG
>     dn: dc=arc,dc=nasa,dc=gov
>     objectClass: top
>     objectClass: domain
>     objectClass: pilotObject
>     dc: arc
>     info: IPA V1.0
>
>     2011-06-03 15:12:41,569 DEBUG writing inf template
>     2011-06-03 15:12:41,570 DEBUG
>     [General]
>     FullMachineName=   freeipa.arc.nasa.gov
>     SuiteSpotUserID=   dirsrv
>     ServerRoot=    /usr/lib64/dirsrv
>     [slapd]
>     ServerPort=   389
>     ServerIdentifier=   ARC-NASA-GOV
>     Suffix=   dc=arc,dc=nasa,dc=gov
>     RootDN=   cn=Directory Manager
>     InstallLdifFile= /var/lib/dirsrv/boot.ldif
>
>     2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
>     2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info
>     Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
>     59648.  Output: importing data ...
>     [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
>     nsslapd-db-private-import-mem on; No other process is allowed to
>     access the database
>     [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
>     pagesize: 4096, pages: 997331, procpages: 48998
>     [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
>     cache.
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
>     job...
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
>     enabled with bucket size 100
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
>     LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
>     Import threads..
>     [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
>     aborted.
>     [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
>     /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
>     directory
>     [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
>     [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
>     Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
>     59648.  Output: importing data ...
>     [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
>     nsslapd-db-private-import-mem on; No other process is allowed to
>     access the database
>     [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
>     pagesize: 4096, pages: 997331, procpages: 48998
>     [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
>     cache.
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
>     job...
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
>     enabled with bucket size 100
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
>     LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
>     [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
>     Import threads..
>     [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
>     aborted.
>     [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
>     /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
>     directory
>     [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
>     [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
>     [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
>     directory server instance 'ARC-NASA-GOV'.
>     Error: Could not create directory server instance 'ARC-NASA-GOV'.
>     [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>
>
>     -Brian
>
>     On 6/3/11 2:53 PM, "Dmitri Pal" <d...@redhat.com> wrote:
>
>          On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC]
>         wrote:
>
>             Re: [Freeipa-users] Difficulty installing freeipa
>              I've given up on freeipa v2 due to lack of compatibility
>             with hosts I manage.  This is all on freeipa v1.  The
>             server started as Fedora 13, and I upgraded to Fedora 14
>             in an attempt to fix the problems.
>              
>              [root@freeipa ~]# uname -r
>              2.6.35.13-91.fc14.x86_64
>              [root@freeipa ~]# rpm -qa 'ipa*'
>              ipa-client-1.2.2-6.fc14.x86_64
>              ipa-server-selinux-1.2.2-6.fc14.x86_64
>              ipa-python-1.2.2-6.fc14.x86_64
>              ipa-admintools-1.2.2-6.fc14.x86_64
>              ipa-server-1.2.2-6.fc14.x86_64
>              [root@freeipa ~]#
>              
>              I'm not doing anything special at this point.  I'm not
>             even trying to get clients added.  I'm trying to do a
>             basic install of ipa-server, with no extra arguments.
>              That claimed to succeed but wouldn't work, I tried to fix
>             it, uninstalled, any attempts to reinstall failed.  So
>             right now I'm simply trying to get the ipa service back to
>             any kind of functioning status without re-installing the OS.
>              
>              
>
>
>          Ah this is all old 1.2 IPA.
>          Have you tried
>          ipa-server-install --uninstall
>          
>          Might require several attempts until all the errors are cleared.
>          
>          
>
>             -Brian
>              
>              On 6/3/11 2:30 PM, "Dmitri Pal" <d...@redhat.com> wrote:
>               
>
>
>
>                      
>
>                  Is it all on F13?
>                   The IPA v2 can't be built on F13 as there are many
>                 dependencies missing that we rely on. There are two
>                 many parts this is why we had to move to the later
>                 versions of F15. We just did not have any options. So
>                 the server you built might in fact be completely
>                 broken. I do not know how to fix it. It looks like you
>                 have some instances of the DS left over in a
>                 misconfigured state.
>                   
>                   You can try running ipa-server-install --uninstall
>                 4-5 times. That might clear things a bit.
>                   
>                   But let us get back to the original problem.
>                   Freeipa can be used with the LDAP+Kerberos
>                 configuration on the clients. You do not need to have
>                 latest and greatest.
>                   There was a nice article referenced in some of the
>                 earlier threads on the list:
>                   
>                  http://www.aput.net/~jheiss/krbldap/howto.html
>                 <http://www.aput.net/%7Ejheiss/krbldap/howto.html>
>                 <http://www.aput.net/%7Ejheiss/krbldap/howto.html>
>                  <http://www.aput.net/%7Ejheiss/krbldap/howto.html>
>                  
>                  You can configure very old clients to use IPA as NIS
>                 server.
>                  Let us know how else we can help.
>                   Thanks
>                   Dmitri
>                   
>                   
>                   
>
>
>                       -Brian
>                      
>                      
>                      _______________________________________________
>                      Freeipa-users mailing list
>                      Freeipa-users@redhat.com
>                      https://www.redhat.com/mailman/listinfo/freeipa-users
>                       
>                      
>
>                  
>                   
>                   
>                  
>
>
>
>
>             _______________________________________________
>             Freeipa-users mailing list
>             Freeipa-users@redhat.com
>             https://www.redhat.com/mailman/listinfo/freeipa-users
>              
>
>
>          
>          
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to