Hello,

I'm using Puppet to try to install IPA masters and replicas. I can generally get this to work on Vagrant VMs, but on the target VMs the server part succeeds until it attempts to install the IPA client, and then this fails (please see extracts of logs below).

The /etc/ipa/nssdb directory is left empty. On a replica I can copy this from the master along with /etc/openldap/ldap.conf, and the client works (apart from mkhomedir) when sssd is started. Should /etc/ipa/nssdb be populated on the master at this stage of the installation and, if so, then why isn't this happening? SELinux is enabled on the target VMs, but presumably this isn't an issue.

Many thanks

Bob Hinton

trying https://ipa001.jackland.co.uk/ipa/json
Forwarding 'ping' to json server 'https://ipa001.jackland.co.uk/ipa/json'
Cannot connect to the server due to generic error: cannot connect to 'https://ipa001.jackland.co.uk/ipa/json': Internal Server Error
Installation failed. As this is IPA server, changes will not be rolled back.

2015-05-28T11:41:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1292, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2015-05-28T11:41:25Z DEBUG The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'jackland.co.uk' '--server' 'ipa001.jackland.co.uk' '--realm' 'JACKLAND.CO.UK' '--hostname' 'ipa001.jackland.co.uk' '--mkhomedir'' returned non-zero exit status 1
[root@ipa001 log]#

            3d:a7:7b:d1:a6:45:b5:9d:d0:00:3e:34:de:b4:7f:0c:
            37:0d:fa:1b:bb:32:2c:4b:13:35:b3:98:df:d9:62:8a:
            97:3b:54:df:fb:46:f0:29:ea:c1:3d:9d:cf:f8:f8:2d:
            c7:3d:c0:50:7d:6d:3f:71:ad:fb:0a:74:ef:e5:eb:c0:
            12:7c:96:b3:b0:da:bb:65:f9:a6:33:9f:82:af:99:ee:
            50:34:44:84:0f:0e:5f:2a:67:84:b3:cc:5f:95:8c:1a
        Fingerprint (MD5):
            c3:db:00:21:a0:57:a0:d3:a4:31:a8:80:e2:9b:cb:c1
        Fingerprint (SHA1):
            77:2f:9f:2a:74:3e:62:09:b9:37:70:a3:74:99:5a:a0:
            d5:4a:37:ed

2015-05-28T11:41:25Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2015-05-28T11:41:25Z DEBUG cert valid True for "CN=ipa001.jackland.co.uk,O=JACKLAND.CO.UK"
2015-05-28T11:41:25Z DEBUG handshake complete, peer = 10.220.4.250:443
2015-05-28T11:41:25Z DEBUG Protocol: TLS1.1
2015-05-28T11:41:25Z DEBUG Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
2015-05-28T11:41:25Z ERROR Cannot connect to the server due to generic error: cannot connect to 'https://ipa001.jackland.co.uk/ipa/json': Internal Server Error
2015-05-28T11:41:25Z WARNING Installation failed. As this is IPA server, changes will not be rolled back.

[root@ipa001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipa001 ~]# cd /tmp
[root@ipa001 tmp]# wget https://ipa001.jackland.co.uk/ipa/json
--2015-05-28 13:45:04--  https://ipa001.jackland.co.uk/ipa/json
Resolving ipa001.jackland.co.uk (ipa001.jackland.co.uk)... 10.220.4.250
Connecting to ipa001.jackland.co.uk (ipa001.jackland.co.uk)|10.220.4.250|:443... connected.
ERROR: cannot verify ipa001.jackland.co.uk's certificate, issued by ‘/O=JACKLAND.CO.UK/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to ipa001.jackland.co.uk insecurely, use `--no-check-certificate'.
[root@ipa001 tmp]# wget --no-check-certificate https://ipa001.jackland.co.uk/ipa/json
--2015-05-28 13:45:26--  https://ipa001.jackland.co.uk/ipa/json
Resolving ipa001.jackland.co.uk (ipa001.jackland.co.uk)... 10.220.4.250
Connecting to ipa001.jackland.co.uk (ipa001.jackland.co.uk)|10.220.4.250|:443... connected.
WARNING: cannot verify ipa001.jackland.co.uk's certificate, issued by ‘/O=JACKLAND.CO.UK/CN=Certificate Authority’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 401 Unauthorized

Authorization failed.
[root@ipa001 tmp]# ls -l /etc/ipa/nssdb/
total 0
[root@ipa001 tmp]#

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
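The two manual checks in the post (is /etc/ipa/nssdb populated, and what does /ipa/json answer) can be scripted so the same verdict is reached on every master or replica without reading raw installer logs. The script below is an added example written for this thread, not code from the poster or from the FreeIPA project. It assumes the standard client paths /etc/ipa/nssdb and /etc/ipa/ca.crt (the CA certificate that ipa-client-install writes) and takes the server host name as an argument; the NSS database file names it looks for are the legacy DBM set (cert8.db, key3.db, secmod.db) and the SQLite set (cert9.db, key4.db, pkcs11.txt). An unauthenticated GET of /ipa/json is expected to return 401, because the endpoint requires Kerberos negotiate authentication, which is exactly what the second wget run in the post shows; a 5xx at that URL is a server-side fault and points at the httpd error log rather than at the client.

```shell
#!/bin/sh
# Added diagnostic helper for an IPA master/replica after ipa-server-install.
# Assumptions (not taken from the original post): standard paths
# /etc/ipa/nssdb and /etc/ipa/ca.crt; the host name is passed on the command line.

# Return 0 if DIR holds an NSS certificate database, 1 otherwise.
# Legacy DBM format: cert8.db + key3.db (+ secmod.db);
# SQLite format:     cert9.db + key4.db (+ pkcs11.txt).
nssdb_populated() {
    dir=$1
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        return 0
    fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        return 0
    fi
    return 1
}

# Turn the HTTP status of an unauthenticated GET of /ipa/json into a verdict.
# 401 is the healthy answer (Kerberos negotiate auth is required);
# 5xx means httpd or the IPA backend failed; 000 means no HTTP response at all.
classify_json_status() {
    case $1 in
        401) echo "ok: server reachable, authentication required as expected" ;;
        5*)  echo "server-error: HTTP $1, inspect /var/log/httpd/error_log on the master" ;;
        000) echo "unreachable: TLS or network failure before any HTTP response" ;;
        *)   echo "unexpected: HTTP $1" ;;
    esac
}

# Fetch only the HTTP status code for https://HOST/ipa/json, verifying the
# server certificate against CAFILE instead of disabling verification.
probe_json_endpoint() {
    host=$1
    cafile=${2:-/etc/ipa/ca.crt}
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$cafile" \
        "https://$host/ipa/json") || code=000
    echo "$code"
}

# Run both checks and print one line per finding.
diagnose() {
    host=$1
    if nssdb_populated /etc/ipa/nssdb; then
        echo "nssdb: /etc/ipa/nssdb is populated"
    else
        echo "nssdb: /etc/ipa/nssdb is empty or missing (ipa-client-install did not complete)"
    fi
    classify_json_status "$(probe_json_endpoint "$host")"
}

# Usage: sh ipa-client-check.sh ipa001.example.test   (host name is a placeholder)
if [ $# -ge 1 ]; then
    diagnose "$1"
fi
```

Run it on the master after the server install stops at the client step; "nssdb: ... empty" together with "ok: ... 401" means the web front end recovered and only the client side needs re-running, whereas a "server-error" verdict says the Internal Server Error seen during the install is still present.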