I'm closer.  I was able to get logged into the UI.  It wasn't that I was 
running firefox from root, but that I had inited as root.  Same problem really. 
 Dropping back to my own shell and initing I was able to reach the GUI.  The 
next problem I need to tackle is the slowness.  ipa-finduser admin does return 
results, but it takes 2m43s.

[root@freeipa ~]# egrep "freeipa|local" /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6
1.2.3.4         freeipa.arc.nasa.gov    freeipa

[root@freeipa ~]# grep host /etc/nsswitch.conf
#hosts:     db files nisplus nis dns
hosts:      files dns

[root@freeipa ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:10:18:2D:E6:93
          inet addr:1.2.3.4

I don't see any issues with the configuration there.  There are no conflicting 
"freeipa" hosts in dns.  Looks pretty much in compliance with the guide:

Configuring /etc/hosts
You need to ensure that your /etc/hosts file is configured correctly, or the 
ipa-* commands may not work correctly.

The /etc/hosts file should list the FQDN for your IPA server before any 
aliases. You should also ensure that the hostname is not part of the localhost 
entry. The following is an example of a valid hosts file:
127.0.0.1       localhost.localdomain   localhost
::1     localhost6.localdomain6 localhost6
192.168.1.1     ipaserver.example.com      ipaserver


-Brian



On 6/3/11 3:58 PM, "Dmitri Pal" <d...@redhat.com> wrote:

 On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
 I have resolved the install issue.


 Great!



 The installer is a bit sloppy and makes some bad assumptions.  The problem 
turns out to be that the directory server setup seems to be running as dirsrv, 
not root.  ipa-server-install (more specifically dsinstance.py) writes out the 
file /var/lib/dirsrv/boot.ldif.  But it does so as root, using root's umask.  
It doesn't do a check to make sure dirsrv can read this file before spawning an 
external process to create the directory server.  Part of security best 
practices recommended by the CIS group as well as others is to set root's umask 
to 0077.  With this setting in place, dirsrv is unable to read 
/var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from 
ipa-server-install.  I modified dsinstance.py to not remove the file and 
checked it after a failed install.  It was written properly, so I changed the 
permission on it to 666 and re-ran the install.  It succeeded.


 Opened https://fedorahosted.org/freeipa/ticket/1282



 I'm now back to where I started, which is a partly working ipa install.  kinit 
takes 75 seconds to complete.

 Seems like a DNS timeout or something related to the name resolution.


I still can't get to the UI.  I'm now going to uninstall again, change root's 
umask to 022, and see if that fixes any more of the problems.


 The UI does not start for me if you try to run FF from the root shell. I 
forget about this frequently and just upgraded to F15 and hit it again.

 If you have a normal user shell, kinit from that shell as admin and start 
browser from it you should have all the right context to access UI.




 -Brian



 On 6/3/11 3:14 PM, "Brian Stamper" <brian.p.stam...@nasa.gov> wrote:



 Yes, I mentioned in the first email I had attempted that.  I just ran the 
uninstall 10 times in a row.  Same errors:

 Configuring directory server:
   [1/17]: creating directory server user
   [2/17]: creating directory server instance
 root        : CRITICAL failed to restart ds instance Command 
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned 
non-zero exit status 1
   [3/17]: adding default schema
   [4/17]: enabling memberof plugin
   [5/17]: enabling referential integrity plugin
   [6/17]: enabling distributed numeric assignment plugin
   [7/17]: enabling winsync plugin
   [8/17]: configuring uniqueness plugin
   [9/17]: creating indices
   [10/17]: configuring ssl for ds instance
   [11/17]: configuring certmap.conf
   [12/17]: restarting directory server
   [13/17]: adding default layout
 root        : CRITICAL Failed to load bootstrap-template.ldif: Command 
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy 
-f /tmp/tmpPC4048' returned non-zero exit status 32
   [14/17]: configuring Posix uid/gid generation as first master
   [15/17]: adding master entry as first master
 root        : CRITICAL Failed to load master-entry.ldif: Command 
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF 
-f /tmp/tmp1dDTjN' returned non-zero exit status 32
   [16/17]: initializing group membership
   [17/17]: configuring directory to start on boot
 done configuring dirsrv.

 As a test I've manually run setup-ds.pl accepting all of the defaults.  It 
works fine and installs successfully, creating the slapd-freeipa (which is the 
hostname) instance.  I then ran remove-ds.pl on the slapd-freeipa instance and 
re-ran the ipa uninstall.  When I attempted to reinstall ipa, it detected an 
existing ds.  I did a locate for dirsrv and found logfiles from an instance 
called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance.  
To try to clean this up, I ran setup-ds.pl and chose custom and created a 
slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl. 
 I then re-ran ipa-server-install, which this time did not detect an existing 
directory server.  However, the ipa-server-install again failed in the same 
location.

   [2/17]: creating directory server instance
 root        : CRITICAL failed to restart ds instance Command 
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned 
non-zero exit status 1


 And from the log:

 2011-06-03 15:12:41,540 DEBUG Configuring directory server:
 2011-06-03 15:12:41,541 DEBUG   [1/17]: creating directory server user
 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
 2011-06-03 15:12:41,541 DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state'
 2011-06-03 15:12:41,541 DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state'
 2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server instance
 2011-06-03 15:12:41,567 INFO   *** Error: no dirsrv instances configured

 2011-06-03 15:12:41,567 INFO
 2011-06-03 15:12:41,567 DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state'
 2011-06-03 15:12:41,568 DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state'
 2011-06-03 15:12:41,568 DEBUG
 dn: dc=arc,dc=nasa,dc=gov
 objectClass: top
 objectClass: domain
 objectClass: pilotObject
 dc: arc
 info: IPA V1.0

 2011-06-03 15:12:41,569 DEBUG writing inf template
 2011-06-03 15:12:41,570 DEBUG
 [General]
 FullMachineName=   freeipa.arc.nasa.gov
 SuiteSpotUserID=   dirsrv
 ServerRoot=    /usr/lib64/dirsrv
 [slapd]
 ServerPort=   389
 ServerIdentifier=   ARC-NASA-GOV
 Suffix=   dc=arc,dc=nasa,dc=gov
 RootDN=   cn=Directory Manager
 InstallLdifFile= /var/lib/dirsrv/boot.ldif

 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not 
import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.  Output: importing 
data ...
 [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
 [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, 
pages: 997331, procpages: 48998
 [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with 
bucket size 100
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file 
"/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
 [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
 [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
 /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
 [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
 [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

 Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.  
Output: importing data ...
 [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
 [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, 
pages: 997331, procpages: 48998
 [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with 
bucket size 100
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file 
"/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
 [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
 [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
 [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
 /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
 [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
 [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

 [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server 
instance 'ARC-NASA-GOV'.
 Error: Could not create directory server instance 'ARC-NASA-GOV'.
 [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .


 -Brian

 On 6/3/11 2:53 PM, "Dmitri Pal" <d...@redhat.com> wrote:


 On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

  I've given up on freeipa v2 due to lack of compatibility with hosts I manage. 
 This is all on freeipa v1.  The server started as Fedora 13, and I upgraded to 
Fedora 14 in an attempt to fix the problems.

  [root@freeipa ~]# uname -r
  2.6.35.13-91.fc14.x86_64
  [root@freeipa ~]# rpm -qa 'ipa*'
  ipa-client-1.2.2-6.fc14.x86_64
  ipa-server-selinux-1.2.2-6.fc14.x86_64
  ipa-python-1.2.2-6.fc14.x86_64
  ipa-admintools-1.2.2-6.fc14.x86_64
  ipa-server-1.2.2-6.fc14.x86_64
  [root@freeipa ~]#

  I'm not doing anything special at this point.  I'm not even trying to get 
clients added.  I'm trying to do a basic install of ipa-server, with no extra 
arguments.  That claimed to succeed but wouldn't work.  I tried to fix it and 
uninstalled, and any attempts to reinstall failed.  So right now I'm simply trying 
to get the ipa service back to any kind of functioning status without 
re-installing the OS.




  Ah this is all old 1.2 IPA.
  Have you tried
  ipa-server-install --uninstall

  Might require several attempts until all the errors are cleared.



-Brian

  On 6/3/11 2:30 PM, "Dmitri Pal" <d...@redhat.com> wrote:







  Is it all on F13?
   The IPA v2 can't be built on F13 as there are many dependencies missing that 
we rely on. There are too many parts this is why we had to move to the later 
versions of F15. We just did not have any options. So the server you built 
might in fact be completely broken. I do not know how to fix it. It looks like 
you have some instances of the DS left over in a misconfigured state.

   You can try running ipa-server-install --uninstall 4-5 times. That might 
clear things a bit.

   But let us get back to the original problem.
   Freeipa can be used with the LDAP+Kerberos configuration on the clients. You 
do not need to have latest and greatest.
   There was a nice article referenced in some of the earlier threads on the 
list:

  http://www.aput.net/~jheiss/krbldap/howto.html 

  You can configure very old clients to use IPA as NIS server.
  Let us know how else we can help.
   Thanks
   Dmitri





   -Brian


  _______________________________________________
  Freeipa-users mailing list
  Freeipa-users@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-users
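
The failure described in this thread (a file written by root under umask 0077 that the dirsrv user then cannot open), as an added Python example; it is not code from dsinstance.py or the FreeIPA project. The function names, the sample LDIF and the service uid are assumptions made for illustration: the file gets an explicit 0640 mode through fchmod, and readability for the service account is checked before any helper process would be spawned.

```python
import os
import stat
import tempfile


def write_for_service(path, data, mode=0o640, uid=-1, gid=-1):
    """Create path with exactly `mode`, independent of the caller's umask."""
    # O_EXCL: fail rather than reuse an existing file or follow a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchown(fd, uid, gid)   # -1 keeps the current owner / group
        os.fchmod(fd, mode)       # unlike open(), fchmod ignores the umask
        os.write(fd, data)
    finally:
        os.close(fd)


def readable_by(path, uid, gids):
    """Mode-bit check only (no ACLs, SELinux or parent-directory bits)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo():
    """Reproduce the umask 0077 failure, then the explicit-mode write."""
    ldif = b"dn: dc=example,dc=com\nobjectClass: top\n"   # constructed sample
    svc_uid = os.getuid() + 1000     # hypothetical service account uid
    old_umask = os.umask(0o077)      # hardened root umask from the thread
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive.ldif")
            fixed = os.path.join(d, "fixed.ldif")
            with open(naive, "wb") as f:     # mode becomes 0666 & ~0077 = 0600
                f.write(ldif)
            write_for_service(fixed, ldif, mode=0o640)
            svc_gids = {os.stat(fixed).st_gid}   # stand-in for the service's group
            return {n: (stat.S_IMODE(os.stat(p).st_mode), readable_by(p, svc_uid, svc_gids))
                    for n, p in (("naive", naive), ("fixed", fixed))}
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

In a real installer the `gid` argument would be the service account's group, so the file stays unreadable to other local users while the hardened umask remains in place.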










