On 3/18/15 10:10 PM, Kim Perrin wrote:
This is about the 6th time I've tried installing this replica. Each time
I run the ipa-replica-manage del and ipa-csreplica-manage del command
before trying. I also build new replica install files each time.
Obviously I can't figure out what the problem is. I've tried a variety
of things. I'm hoping someone in this community has seen this before
and solved the issue.
At the end of the install I see the client install failure messages,
though it appeared as though the server install went well. However it
is clear it has not gone well because when I run 'service ipa status'
I get this

root@noc5-prd:/var/log# service ipa status
Directory Service: RUNNING
Unknown error when retrieving list of services from LDAP: {'info':
'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication

I've attached the ipareplica-install.log file.  Here are some relevant
entries from the end of the log -

2015-03-19T04:33:02Z DEBUG args=/usr/sbin/ipa-client-install
--on-master --unattended --domain companyz.com --server
noc5-prd.companyz.com --realm COMPANYZ.COM
2015-03-19T04:33:02Z DEBUG stdout=
2015-03-19T04:33:02Z DEBUG stderr=Hostname: noc5prd.companyz.com
DNS Domain: companyz.com
IPA Server: noc5-prd.companyz.com
BaseDN: dc=companyz,dc=com
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://noc5-prd.companyz.com/ipa/xml
trying https://noc1-prd.companyz.com/ipa/xml
Connection to https://noc1-prd.companyz.com/ipa/xml failed with [Errno
-8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in
Cannot connect to the server due to generic error: cannot connect to
Gettext('any of the configured servers', domain='ipa',
localedir=None): https://noc5-prd.companyz.com/ipa/xml,
Installation failed. Rolling back changes.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
2015-03-19T04:33:02Z INFO   File
line 614, in run_script
     return_value = main_function()
   File "/usr/sbin/ipa-replica-install", line 536, in main
     raise RuntimeError("Failed to configure the client")
2015-03-19T04:33:02Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Failed to configure the client

Anyone have any advice?

There are 2 possibilities here. One is you have the old python package scripts which have a bug in these files:


They most likely have "fedora-domain" in them and it needs to be changed to "rhel-domain". The other option is to re-install the OS and freeipa environment, which gets you to clean packages. Deleting and re-installing all the python packages is painful at best.

The other possibility is stale certs:

certutil -d /etc/pki/nssdb -L

You will probably see a stale cert. Remove it.

certutil -d /etc/pki/nssdb -D -n "IPA CA"

I have run into both of these issues about 1 million times so far.
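
The stale-cert check described in the reply above, as an added example that is not part of the original thread: it parses `certutil -L` output for the "IPA CA" nickname and copies the database aside before deleting the entry. The function names, the `--fix` switch, the backup suffix and the sample listing are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: check an NSS database listing for a
# leftover CA nickname before re-running the replica install.
NSSDB="${NSSDB:-/etc/pki/nssdb}"   # path used in the thread
NICK="${NICK:-IPA CA}"             # nickname used in the thread

# Constructed sample of `certutil -L` output (not taken from a real host).
SAMPLE='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
Server-Cert                                                  u,u,u'

# Print one nickname per line from `certutil -L` text on stdin. The last
# field is the trust flags; everything before it is the nickname, which
# may itself contain spaces.
list_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print
         }'
}

# Succeed if the listing on stdin contains exactly the nickname "$1".
has_nickname() {
    list_nicknames | grep -Fxq -- "$1"
}

# Copy the database aside (backup suffix is an assumption), then delete
# the nickname with the same certutil call shown in the thread.
remove_stale() {
    backup="${NSSDB%/}.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$NSSDB" "$backup" || return 1
    echo "backup written to $backup"
    certutil -d "$NSSDB" -D -n "$NICK"
}

# Only touch the real database when asked to: sh check.sh --fix
if [ "${1:-}" = "--fix" ]; then
    if certutil -d "$NSSDB" -L | has_nickname "$NICK"; then
        remove_stale
    else
        echo "no \"$NICK\" entry in $NSSDB"
    fi
fi
```

Run without arguments the script changes nothing; the exact-match test means a nickname such as "IPA" does not match an "IPA CA" entry.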
