Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:


I’m closer. I was able to get logged into the UI. It wasn’t that I was
running firefox from root, but that I had inited as root. Same problem
really. Dropping back to my own shell and initing I was able to reach
the GUI. The next problem I need to tackle is the slowness. Ipa-finduser
admin does return results, but it takes 2m43s.

Definitely getting hung up somewhere. I'd try the -v option to ipa-finduser to get a bit more detail on the request. The client will attempt to find the right IPA Apache server to connect to and make a Kerberos connection. Apache will then handle the request, collect any data needed from 389-ds and return it. There are a lot of places things can break down. By examining the server logs you may be able to discern where the logjam is.

rob


[root@freeipa ~]# egrep "freeipa|local" /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
1.2.3.4 freeipa.arc.nasa.gov freeipa

[root@freeipa ~]# grep host /etc/nsswitch.conf
#hosts: db files nisplus nis dns
hosts: files dns

[root@freeipa ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
inet addr:1.2.3.4

I don’t see any issues with the configuration there. There are no
conflicting “freeipa” hosts in dns. Looks pretty much in compliance with
the guide:

Configuring /etc/hosts
You need to ensure that your /etc/hosts file is configured
correctly, or the ipa-* commands may not work correctly.

The /etc/hosts file should list the FQDN for your IPA server before any
aliases. You should also ensure that the hostname is not part of the
localhost entry. The following is an example of a valid hosts file:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver

-Brian
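The three rules the quoted guide states (hostname not on a loopback line, FQDN before any alias, one non-loopback entry whose address is actually configured on a local interface) are easy to check mechanically rather than by eye. The validator below is an added example written for this page; it is not code from the thread, the guide or FreeIPA. It runs over the guide's own example file and over a constructed broken file; the address set passed as local_addrs is the caller's (for instance taken from ifconfig output, as Brian did above) and is not discovered by the script, so nothing here touches the resolver.

```python
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return [(address, [names...])] for each non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:
            entries.append((addr, names))
    return entries


def check_hosts(text, fqdn, local_addrs=None):
    """Apply the guide's rules to an /etc/hosts body and return a list of
    problems (an empty list means the file passes):
      - the server's name must not appear on a loopback line;
      - on its own line the FQDN must come before any alias;
      - there must be exactly one such line, and, when local_addrs is given,
        its address must be one configured on a local interface."""
    short = fqdn.split(".", 1)[0]
    problems = []
    own_addrs = []
    for addr, names in parse_hosts(text):
        if fqdn not in names and short not in names:
            continue
        if addr in LOOPBACK:
            problems.append(f"{addr}: {short} must not be part of the localhost entry")
            continue
        if names[0] != fqdn:
            problems.append(f"{addr}: FQDN {fqdn} must precede aliases, first name is {names[0]}")
        own_addrs.append(addr)
    if not own_addrs:
        problems.append(f"no non-loopback entry for {fqdn}")
    elif len(own_addrs) > 1:
        problems.append(f"{fqdn} appears on several lines: {', '.join(own_addrs)}")
    if local_addrs is not None:
        for addr in own_addrs:
            if addr not in local_addrs:
                problems.append(f"{addr} ({fqdn}) is not an address of a local interface")
    return problems


# Constructed inputs: the guide's valid example, and a broken file that puts
# the short hostname on the loopback line and an alias before the FQDN.
GOOD_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver
"""

BAD_HOSTS = """\
127.0.0.1 localhost.localdomain localhost ipaserver
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver ipaserver.example.com   # alias before the FQDN
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_hosts(body, "ipaserver.example.com", {"192.168.1.1"}) or "ok")
```

A passing hosts file only rules out one cause of slow kinit; if the FQDN resolves correctly here and the delay remains, the next suspects are reverse lookup and the DNS timeouts Dmitri mentions, which this check deliberately does not exercise.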



On 6/3/11 3:58 PM, "Dmitri Pal" <d...@redhat.com> wrote:

    On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

        Re: [Freeipa-users] Difficulty installing freeipa
        I have resolved the install issue.


    Great!



        The installer is a bit sloppy and makes some bad assumptions.
        The problem turns out to be that the directory server setup
        seems to be running as dirsrv, not root. Ipa-server-install
        (more specifically dsinstance.py) writes out the file
        /var/lib/dirsrv/boot.ldif. But it does so as root, using root’s
        umask. It doesn’t do a check to make sure dirsrv can read this
        file before spawning an external process to create the directory
        server. Part of security best practices recommended by the CIS
        group as well as others is to set root’s umask to 0077. With
        this setting in place, dirsrv is unable to read
        /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
        executed from ipa-server-install. I modified dsinstance.py to
        not remove the file and checked it after a failed install. It
        was written properly, so I changed the permission on it to 666
        and re-ran the install. It succeeded.


    Opened https://fedorahosted.org/freeipa/ticket/1282



        I’m now back to where I started, which is a partly working ipa
        install. Kinit takes 75 seconds to complete.


    Seems like a DNS timeout or something related to the name resolution.


        I still can’t get to the UI. I’m now going to uninstall again,
        change root’s umask to 022, and see if that fixes any more of
        the problems.


    The UI does not start for me if you try to run FF from the root
    shell. I forget about this frequently and just upgraded to F15 and
    hit it again.

    If you have a normal user shell, kinit from that shell as admin and
    start browser from it you should have all the right context to
    access UI.




        -Brian



        On 6/3/11 3:14 PM, "Brian Stamper" <brian.p.stam...@nasa.gov> wrote:



            Yes, I mentioned in the first email I had attempted that. I
            just ran the uninstall 10 times in a row. Same errors:

            Configuring directory server:
            [1/17]: creating directory server user
            [2/17]: creating directory server instance
            root : CRITICAL failed to restart ds instance Command
            '/usr/sbin/setup-ds.pl --silent --logfile - -f
            /tmp/tmpYwtW2p' returned non-zero exit status 1
            [3/17]: adding default schema
            [4/17]: enabling memberof plugin
            [5/17]: enabling referential integrity plugin
            [6/17]: enabling distributed numeric assignment plugin
            [7/17]: enabling winsync plugin
            [8/17]: configuring uniqueness plugin
            [9/17]: creating indices
            [10/17]: configuring ssl for ds instance
            [11/17]: configuring certmap.conf
            [12/17]: restarting directory server
            [13/17]: adding default layout
            root : CRITICAL Failed to load bootstrap-template.ldif:
            Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D
            cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048'
            returned non-zero exit status 32
            [14/17]: configuring Posix uid/gid generation as first master
            [15/17]: adding master entry as first master
            root : CRITICAL Failed to load master-entry.ldif: Command
            '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory
            Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned
            non-zero exit status 32
            [16/17]: initializing group membership
            [17/17]: configuring directory to start on boot
            done configuring dirsrv.

            As a test I’ve manually run setup-ds.pl accepting all of the
            defaults. It works fine and installs successfully, creating
            the slapd-freeipa (which is the hostname) instance. I then
            ran remove-ds.pl on the slapd-freeipa instance and re-ran
            the ipa uninstall. When I attempted to reinstall ipa, it
            detected an existing ds. I did a locate for dirsrv and found
            logfiles from an instance called slapd-ARC-NASA-GOV, which
            should be my default freeipa dirsrv instance. To try to
            clean this up, I ran setup-ds.pl and chose custom and
            created a slapd-ARC-NASA-GOV instance, and then immediately
            removed it with remove-ds.pl. I then re-ran
            ipa-server-install, which this time did not detect an
            existing directory server. However, the ipa-server-install
            again failed in the same location.

            [2/17]: creating directory server instance
            root : CRITICAL failed to restart ds instance Command
            '/usr/sbin/setup-ds.pl --silent --logfile - -f
            /tmp/tmp77JJv1' returned non-zero exit status 1


            And from the log:

            2011-06-03 15:12:41,540 DEBUG Configuring directory server:
            2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory
            server user
            2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
            2011-06-03 15:12:41,541 DEBUG Saving StateFile to
            '/var/lib/ipa/sysrestore/sysrestore.state'
            2011-06-03 15:12:41,541 DEBUG Saving StateFile to
            '/var/lib/ipa/sysrestore/sysrestore.state'
            2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory
            server instance
            2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances
            configured

            2011-06-03 15:12:41,567 INFO
            2011-06-03 15:12:41,567 DEBUG Saving StateFile to
            '/var/lib/ipa/sysrestore/sysrestore.state'
            2011-06-03 15:12:41,568 DEBUG Saving StateFile to
            '/var/lib/ipa/sysrestore/sysrestore.state'
            2011-06-03 15:12:41,568 DEBUG
            dn: dc=arc,dc=nasa,dc=gov
            objectClass: top
            objectClass: domain
            objectClass: pilotObject
            dc: arc
            info: IPA V1.0

            2011-06-03 15:12:41,569 DEBUG writing inf template
            2011-06-03 15:12:41,570 DEBUG
            [General]
            FullMachineName= freeipa.arc.nasa.gov
            SuiteSpotUserID= dirsrv
            ServerRoot= /usr/lib64/dirsrv
            [slapd]
            ServerPort= 389
            ServerIdentifier= ARC-NASA-GOV
            Suffix= dc=arc,dc=nasa,dc=gov
            RootDN= cn=Directory Manager
            InstallLdifFile= /var/lib/dirsrv/boot.ldif

            2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
            2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup]
            Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
            Error: 59648. Output: importing data ...
            [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running
            with nsslapd-db-private-import-mem on; No other process is
            allowed to access the database
            [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
            pagesize: 4096, pages: 997331, procpages: 48998
            [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB
            import cache.
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning
            import job...
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
            buffering enabled with bucket size 100
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not
            open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13
            (Permission denied)
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
            Import threads..
            [03/Jun/2011:15:12:48 -0700] - import userRoot: Import
            threads aborted.
            [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
            /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file
            or directory
            [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
            [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

            Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
            Error: 59648. Output: importing data ...
            [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running
            with nsslapd-db-private-import-mem on; No other process is
            allowed to access the database
            [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
            pagesize: 4096, pages: 997331, procpages: 48998
            [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB
            import cache.
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning
            import job...
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
            buffering enabled with bucket size 100
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not
            open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13
            (Permission denied)
            [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
            Import threads..
            [03/Jun/2011:15:12:48 -0700] - import userRoot: Import
            threads aborted.
            [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
            /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file
            or directory
            [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
            [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

            [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
            directory server instance 'ARC-NASA-GOV'.
            Error: Could not create directory server instance
            'ARC-NASA-GOV'.
            [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .


            -Brian

            On 6/3/11 2:53 PM, "Dmitri Pal" <d...@redhat.com> wrote:


                On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx
                LLC] wrote:

                    Re: [Freeipa-users] Difficulty installing freeipa
                    I’ve given up on freeipa v2 due to lack of
                    compatibility with hosts I manage. This is all on
                    freeipa v1. The server started as Fedora 13, and I
                    upgraded to Fedora 14 in an attempt to fix the problems.

                    [root@freeipa ~]# uname -r
                    2.6.35.13-91.fc14.x86_64
                    [root@freeipa ~]# rpm -qa 'ipa*'
                    ipa-client-1.2.2-6.fc14.x86_64
                    ipa-server-selinux-1.2.2-6.fc14.x86_64
                    ipa-python-1.2.2-6.fc14.x86_64
                    ipa-admintools-1.2.2-6.fc14.x86_64
                    ipa-server-1.2.2-6.fc14.x86_64
                    [root@freeipa ~]#

                    I’m not doing anything special at this point. I’m
                    not even trying to get clients added. I’m trying to
                    do a basic install of ipa-server, with no extra
                    arguments. That claimed to succeed but wouldn’t
                    work, I tried to fix it, uninstalled, any attempts
                    to reinstall failed. So right now I’m simply trying
                    to get the ipa service back to any kind of
                    functioning status without re-installing the OS.




                Ah, this is all old 1.2 IPA.
                Have you tried
                ipa-server-install --uninstall

                Might require several attempts until all the errors are
                cleared.



                    -Brian

                    On 6/3/11 2:30 PM, "Dmitri Pal" <d...@redhat.com> wrote:







                        Is it all on F13?
                        The IPA v2 can't be built on F13 as there are
                        many dependencies missing that we rely on. There
                        are too many parts; this is why we had to move to
                        the later versions of F15. We just did not have
                        any options. So the server you built might in
                        fact be completely broken. I do not know how to
                        fix it. It looks like you have some instances of
                        the DS left over in a misconfigured state.

                        You can try running ipa-server-install
                        --uninstall 4-5 times. That might clear things a
                        bit.

                        But let us get back to the original problem.
                        Freeipa can be used with the LDAP+Kerberos
                        configuration on the clients. You do not need to
                        have latest and greatest.
                        There was a nice article referenced in some of
                        the earlier threads on the list:

                        http://www.aput.net/~jheiss/krbldap/howto.html

                        You can configure very old clients to use IPA as
                        NIS server.
                        Let us know how else we can help.
                        Thanks
                        Dmitri





                            -Brian


                            _______________________________________________
                            Freeipa-users mailing list
                            Freeipa-users@redhat.com
                            https://www.redhat.com/mailman/listinfo/freeipa-users



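The boot.ldif failure in Brian's quoted message is a general pattern, not something specific to setup-ds.pl: a privileged installer writes a file under its own umask and then hands it to a helper that runs as an unprivileged service account. With the CIS-style umask 0077 the file comes out 0600 root-only and the helper gets EACCES (the "errno 13 (Permission denied)" in the log). The script below is an added example written for this page, not code from the thread or from FreeIPA's dsinstance.py, and it does not claim to be how ticket 1282 was fixed. It reproduces the failure, shows the installer-side fix (set the mode explicitly and, when running as root, chown to the service account, rather than the 0666 workaround, which leaves the bootstrap LDIF world-writable), and shows the preflight check the original poster says the installer lacks. The LDIF body is constructed, and the "service uid" is simply a uid other than the current one, standing in for dirsrv; the chown path is only exercised when a uid/gid is passed, since it needs root.

```python
import os
import stat
import tempfile

# Constructed stand-in for the bootstrap LDIF; its contents are irrelevant to
# the permission problem.
BOOT_LDIF = (
    "dn: dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: domain\n"
    "dc: example\n"
)


def write_naive(path, content, umask):
    """Write the way a naive installer does: open() asks for 0666 and the
    process umask silently strips bits from it. Returns the resulting mode."""
    old = os.umask(umask)
    try:
        with open(path, "w") as fh:
            fh.write(content)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_for_service(path, content, umask, mode=0o640, uid=-1, gid=-1):
    """Write a file destined for another account with an explicit mode that
    does not depend on the umask. os.open()'s mode argument is also masked,
    so the chmod afterwards is what guarantees the result. uid/gid are only
    changed when given (chown needs root); -1 leaves them as they are."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
    finally:
        os.umask(old)
    os.chmod(path, mode)
    if uid != -1 or gid != -1:
        os.chown(path, uid, gid)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by(path, uid, gids):
    """Preflight check an installer should run before spawning a helper that
    runs as another account: do the owner/group/other bits let that account
    read the file? Ignores ACLs and root's override, which is the
    conservative direction for a preflight."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def demo():
    """Reproduce the failure and the fix in a temp dir; returns the observed
    modes and the preflight verdicts for a hypothetical service uid."""
    service_uid = os.getuid() + 1  # any uid other than ours, standing in for dirsrv
    out = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "boot-0077.ldif")
        out["umask_0077_mode"] = write_naive(p, BOOT_LDIF, 0o077)
        out["umask_0077_readable"] = readable_by(p, service_uid, set())

        p = os.path.join(d, "boot-0022.ldif")
        out["umask_0022_mode"] = write_naive(p, BOOT_LDIF, 0o022)
        out["umask_0022_readable"] = readable_by(p, service_uid, set())

        p = os.path.join(d, "boot-explicit.ldif")
        out["explicit_mode"] = write_for_service(p, BOOT_LDIF, 0o077)
        own_gid = os.stat(p).st_gid
        out["explicit_readable_in_group"] = readable_by(p, service_uid, {own_gid})
        out["explicit_readable_as_other"] = readable_by(p, service_uid, set())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        shown = oct(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```

The point of readable_by is to fail closed before the external process is spawned, with a message naming the file and the account, instead of letting the helper die with an unexplained exit status 1; the umask change that Brian was about to try (0077 to 022) would also have made the naive write succeed, but at the cost of loosening every other file root creates during the install.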
