On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> I have resolved the install issue.

Great!

> The installer is a bit sloppy and makes some bad assumptions. The
> problem turns out to be that the directory server setup seems to be
> running as dirsrv, not root. ipa-server-install (more specifically
> dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it
> does so as root, using root's umask. It doesn't do a check to make
> sure dirsrv can read this file before spawning an external process to
> create the directory server. Part of the security best practices
> recommended by the CIS group as well as others is to set root's umask
> to 0077. With this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install. I modified dsinstance.py to not
> remove the file and checked it after a failed install. It was written
> properly, so I changed the permission on it to 666 and re-ran the
> install. It succeeded.

Opened https://fedorahosted.org/freeipa/ticket/1282

> I'm now back to where I started, which is a partly working ipa
> install. Kinit takes 75 seconds to complete.

Seems like a DNS timeout or something related to name resolution.

> I still can't get to the UI. I'm now going to uninstall again,
> change root's umask to 022, and see if that fixes any more of the
> problems.

The UI does not start for me if you try to run FF from the root shell.
I forget about this frequently and just upgraded to F15 and hit it
again. If you have a normal user shell, kinit from that shell as admin
and start the browser from it; you should have all the right context to
access the UI.

> -Brian
>
> On 6/3/11 3:14 PM, "Brian Stamper" <[email protected]> wrote:
>
> > Yes, I mentioned in the first email I had attempted that. I just
> > ran the uninstall 10 times in a row. Same errors:
> >
> > Configuring directory server:
> >   [1/17]: creating directory server user
> >   [2/17]: creating directory server instance
> > root        : CRITICAL failed to restart ds instance Command
> > '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p'
> > returned non-zero exit status 1
> >   [3/17]: adding default schema
> >   [4/17]: enabling memberof plugin
> >   [5/17]: enabling referential integrity plugin
> >   [6/17]: enabling distributed numeric assignment plugin
> >   [7/17]: enabling winsync plugin
> >   [8/17]: configuring uniqueness plugin
> >   [9/17]: creating indices
> >   [10/17]: configuring ssl for ds instance
> >   [11/17]: configuring certmap.conf
> >   [12/17]: restarting directory server
> >   [13/17]: adding default layout
> > root        : CRITICAL Failed to load bootstrap-template.ldif:
> > Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory
> > Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero
> > exit status 32
> >   [14/17]: configuring Posix uid/gid generation as first master
> >   [15/17]: adding master entry as first master
> > root        : CRITICAL Failed to load master-entry.ldif: Command
> > '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y
> > /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
> >   [16/17]: initializing group membership
> >   [17/17]: configuring directory to start on boot
> > done configuring dirsrv.
> >
> > As a test I've manually run setup-ds.pl accepting all of the
> > defaults. It works fine and installs successfully, creating the
> > slapd-freeipa (which is the hostname) instance. I then ran
> > remove-ds.pl on the slapd-freeipa instance and re-ran the ipa
> > uninstall. When I attempted to reinstall ipa, it detected an
> > existing ds. I did a locate for dirsrv and found logfiles from an
> > instance called slapd-ARC-NASA-GOV, which should be my default
> > freeipa dirsrv instance. To try to clean this up, I ran
> > setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV
> > instance, and then immediately removed it with remove-ds.pl. I
> > then re-ran ipa-server-install, which this time did not detect an
> > existing directory server. However, the ipa-server-install again
> > failed in the same location.
> >
> >   [2/17]: creating directory server instance
> > root        : CRITICAL failed to restart ds instance Command
> > '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1'
> > returned non-zero exit status 1
> >
> > And from the log:
> >
> > 2011-06-03 15:12:41,540 DEBUG Configuring directory server:
> > 2011-06-03 15:12:41,541 DEBUG   [1/17]: creating directory server user
> > 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
> > 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server
> > instance
> > 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances
> > configured
> >
> > 2011-06-03 15:12:41,567 INFO
> > 2011-06-03 15:12:41,567 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,568 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,568 DEBUG
> > dn: dc=arc,dc=nasa,dc=gov
> > objectClass: top
> > objectClass: domain
> > objectClass: pilotObject
> > dc: arc
> > info: IPA V1.0
> >
> > 2011-06-03 15:12:41,569 DEBUG writing inf template
> > 2011-06-03 15:12:41,570 DEBUG
> > [General]
> > FullMachineName= freeipa.arc.nasa.gov
> > SuiteSpotUserID= dirsrv
> > ServerRoot= /usr/lib64/dirsrv
> > [slapd]
> > ServerPort= 389
> > ServerIdentifier= ARC-NASA-GOV
> > Suffix= dc=arc,dc=nasa,dc=gov
> > RootDN= cn=Directory Manager
> > InstallLdifFile= /var/lib/dirsrv/boot.ldif
> >
> > 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> > 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info
> > Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error:
> > 59648. Output: importing data ...
> > [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
> > nsslapd-db-private-import-mem on; No other process is allowed to
> > access the database
> > [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> > pagesize: 4096, pages: 997331, procpages: 48998
> > [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
> > cache.
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
> > job...
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
> > enabled with bucket size 100
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
> > LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> > Import threads..
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
> > aborted.
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> > /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
> > directory
> > [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
> >
> > Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error:
> > 59648. Output: importing data ...
> > [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
> > nsslapd-db-private-import-mem on; No other process is allowed to
> > access the database
> > [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> > pagesize: 4096, pages: 997331, procpages: 48998
> > [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
> > cache.
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
> > job...
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
> > enabled with bucket size 100
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
> > LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> > Import threads..
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
> > aborted.
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> > /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
> > directory
> > [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
> >
> > [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
> > directory server instance 'ARC-NASA-GOV'.
> > Error: Could not create directory server instance 'ARC-NASA-GOV'.
> > [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
> >
> > -Brian
> >
> > On 6/3/11 2:53 PM, "Dmitri Pal" <[email protected]> wrote:
> >
> > > On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC]
> > > wrote:
> > > > Re: [Freeipa-users] Difficulty installing freeipa
> > > > I've given up on freeipa v2 due to lack of compatibility
> > > > with hosts I manage. This is all on freeipa v1. The
> > > > server started as Fedora 13, and I upgraded to Fedora 14
> > > > in an attempt to fix the problems.
> > > >
> > > > [root@freeipa ~]# uname -r
> > > > 2.6.35.13-91.fc14.x86_64
> > > > [root@freeipa ~]# rpm -qa 'ipa*'
> > > > ipa-client-1.2.2-6.fc14.x86_64
> > > > ipa-server-selinux-1.2.2-6.fc14.x86_64
> > > > ipa-python-1.2.2-6.fc14.x86_64
> > > > ipa-admintools-1.2.2-6.fc14.x86_64
> > > > ipa-server-1.2.2-6.fc14.x86_64
> > > > [root@freeipa ~]#
> > > >
> > > > I'm not doing anything special at this point. I'm not
> > > > even trying to get clients added. I'm trying to do a
> > > > basic install of ipa-server, with no extra arguments.
> > > > That claimed to succeed but wouldn't work, I tried to fix
> > > > it, uninstalled, any attempts to reinstall failed. So
> > > > right now I'm simply trying to get the ipa service back to
> > > > any kind of functioning status without re-installing the OS.
> > >
> > > Ah, this is all old 1.2 IPA.
> > > Have you tried
> > > ipa-server-install --uninstall
> > >
> > > Might require several attempts until all the errors are cleared.
> > >
> > > > -Brian
> > > >
> > > > On 6/3/11 2:30 PM, "Dmitri Pal" <[email protected]> wrote:
> > > >
> > > > > Is it all on F13?
> > > > > The IPA v2 can't be built on F13 as there are many
> > > > > dependencies missing that we rely on. There are too
> > > > > many parts; this is why we had to move to the later
> > > > > versions of F15. We just did not have any options. So
> > > > > the server you built might in fact be completely
> > > > > broken. I do not know how to fix it. It looks like you
> > > > > have some instances of the DS left over in a
> > > > > misconfigured state.
> > > > >
> > > > > You can try running ipa-server-install --uninstall
> > > > > 4-5 times. That might clear things a bit.
> > > > >
> > > > > But let us get back to the original problem.
> > > > > Freeipa can be used with the LDAP+Kerberos
> > > > > configuration on the clients. You do not need to have
> > > > > the latest and greatest.
> > > > > There was a nice article referenced in some of the
> > > > > earlier threads on the list:
> > > > >
> > > > > http://www.aput.net/~jheiss/krbldap/howto.html
> > > > >
> > > > > You can configure very old clients to use IPA as a NIS
> > > > > server.
> > > > > Let us know how else we can help.
> > > > > Thanks
> > > > > Dmitri
> > > > >
> > > > > > -Brian
> > > > > >
> > > > > > _______________________________________________
> > > > > > Freeipa-users mailing list
> > > > > > [email protected]
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
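Brian's diagnosis above (boot.ldif written by root under a 0077 umask, then handed to setup-ds.pl, which opens it as dirsrv and gets errno 13) is an instance of a general pattern: a privileged installer writes a file that a less privileged service must read, and never checks the second step. The following is an added Python example, not FreeIPA code and not a patch for dsinstance.py; it reproduces the failure under umask 0077, writes the file with an explicit owner and mode that the umask cannot strip, and performs the pre-flight readability check the installer was missing. The simulated dirsrv user (a uid that shares the caller's primary group), the temporary directory and the sample LDIF content are constructed for the demo so that it runs unprivileged; the real service account, paths and suffix are not assumed.

```python
"""Added example (not FreeIPA code): writing a file as a privileged user
for a less privileged service user so that a restrictive umask cannot
break it, and checking readability before handing the file over."""
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the bootstrap LDIF; the real boot.ldif
# contents and suffix are not assumed here.
SAMPLE_LDIF = """dn: dc=example,dc=test
objectClass: top
objectClass: domain
dc: example
"""


def naive_write(path, data):
    """The pattern that breaks: open() creates the file with mode 0o666
    masked by the caller's umask, so under a CIS-style 0o077 the result
    is 0o600 and only the writing user can read it."""
    with open(path, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_for_service_user(path, data, uid, gid, mode=0o640):
    """Write `data` so that `uid`/`gid` can read it regardless of umask.
    Create 0o600, set ownership, then relax with fchmod (umask applies at
    creation only, never to fchmod), so nobody else can read the file
    before ownership is set.  fchown to a foreign uid needs CAP_CHOWN;
    the demo below uses the caller's own uid/gid."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchown(fd, uid, gid)
        os.fchmod(fd, mode)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def _dac_allows(st, uid, gids, ubit, gbit, obit):
    """Discretionary access check from stat bits for a process that
    would run as `uid` with group set `gids`; uid 0 passes every check."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def readable_by(path, uid, gids):
    """Pre-flight check: could a process running as `uid` with groups
    `gids` open `path` for reading?  Uses stat bits instead of
    os.access(), which answers for the calling process (root always
    passes).  Ancestors need search (x) permission, the file needs read.
    POSIX ACLs and SELinux are not modelled; they can only deny further."""
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    while True:
        st = os.stat(parent)
        if not _dac_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
        if parent == os.path.dirname(parent):   # reached "/"
            break
        parent = os.path.dirname(parent)
    st = os.stat(path)
    return _dac_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def demo():
    """Reproduce the umask 0077 failure and show the fix, unprivileged.
    The service user is simulated by a uid that is not ours but shares
    our primary group; a bystander shares nothing with us."""
    me, my_gid = os.geteuid(), os.getegid()
    service_uid, service_gids = me + 1, [my_gid]     # simulated "dirsrv"
    other_uid, other_gids = me + 2, [my_gid + 1]     # simulated bystander
    old_umask = os.umask(0o077)                      # hardened root umask
    tmp = tempfile.mkdtemp()
    try:
        os.chown(tmp, me, my_gid)
        os.chmod(tmp, 0o750)                         # group may traverse
        boot_ldif = os.path.join(tmp, "boot.ldif")
        naive_mode = naive_write(boot_ldif, SAMPLE_LDIF)
        naive_readable = readable_by(boot_ldif, service_uid, service_gids)
        fixed_mode = write_for_service_user(boot_ldif, SAMPLE_LDIF, me, my_gid)
        fixed_readable = readable_by(boot_ldif, service_uid, service_gids)
        leaked = readable_by(boot_ldif, other_uid, other_gids)
    finally:
        os.umask(old_umask)
        shutil.rmtree(tmp)
    return {"naive_mode": naive_mode, "naive_readable": naive_readable,
            "fixed_mode": fixed_mode, "fixed_readable": fixed_readable,
            "leaked_to_other": leaked}


if __name__ == "__main__":
    r = demo()
    print("naive: mode %o, service user can read: %s" % (r["naive_mode"], r["naive_readable"]))
    print("fixed: mode %o, service user can read: %s, bystander can read: %s"
          % (r["fixed_mode"], r["fixed_readable"], r["leaked_to_other"]))
```

The check is evaluated from the stat bits rather than os.access() because an installer like this runs as root, and root passes every discretionary-access check, so os.access() would always report success. It also walks the ancestor directories, since the directory holding the file needs search permission for the service user just as the file itself needs read permission. A True result is necessary but not sufficient: POSIX ACLs and SELinux can still deny the open. Running the check before spawning the external process turns the buried "errno 13 (Permission denied)" in the import log into an immediate, attributable installer error.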
