Re: [Freeipa-users] Trouble with replica install
Ah, I see this thread was resolved already, my MUA just failed to properly attach it to the thread. Please disregard this mail then (but I was right with the root cause though :) Martin On 01/02/2014 05:46 PM, Martin Kosek wrote: > Hello Les, > > Did you manage to resolve the issue? I just got to it after the Christmas > break. Reading few resources online, this error seems to come of a > misconfigured httpd when for example mod_authz_groupfile.so or > mod_authz_user.so Apache modules are not loaded (I have them loaded in > /etc/httpd/conf.modules.d/00-base.conf). > > Did you modify httpd configuration before you run ipa-replica-install in any > way? > > Martin > > On 12/16/2013 01:44 PM, Les Stott wrote: >> Petr, >> >> The below was the error from apache error logs >> >>> Apache logs the following error at the same time... >>> >>> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration >>> error: couldn't check access. No groups file?: /ipa/xml, referer: >>> https://replica.mydomain.com/ipa/xml >> >> Other lines in the /var/log/httpd/error log at the same time... >> >> [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** >> [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** >> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: >> couldn't check access. No groups file?: /ipa/xml, referer: >> https://replica.mydomain.com/ipa/xml >> [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down >> [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as >> context unconfined_u:system_r:httpd_t:s0 >> >> Regards, >> >> Les >> >> ____ >> From: Petr Spacek [pspa...@redhat.com] >> Sent: Monday, December 16, 2013 10:38 PM >> To: Les Stott; freeipa-users@redhat.com >> Subject: Re: [Freeipa-users] Trouble with replica install >> >> On 16.12.2013 10:55, Les Stott wrote: >>> Sorry, when I said "selinux is in permissive mode, but it's the same as on >>> the master server, so it should be the issue." It should have read as >>> "selinux is in permissive mode, but it's the same as on the master server, >>> so it should NOT be the issue." >>> >>> Les >>> >>> From: freeipa-users-boun...@redhat.com >>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott >>> Sent: Monday, 16 December 2013 8:47 PM >>> To: freeipa-users@redhat.com >>> Subject: [Freeipa-users] Trouble with replica install >>> >>> Hi, >>> >>> Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. >>> Already setup master server, now trying to install replica (which I've done >>> before and its worked fine). >>> >>> The replica install gets all the way to the end but errors out. For the >>> most part, it looks like it is complete, but I want to be sure there are no >>> lingering issues. >>> >>> The error I see in the log is...(domain and ip's changed) >>> >>> >>> 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com >>> Realm: MYDOMAIN.COM >>> DNS Domain: mydomain.com >>> IPA Server: replica.mydomain.com >>> BaseDN: dc=mydomain,dc=com >>> Domain mydomain.com is already configured in existing SSSD config, creating >>> a new one. >>> The old /etc/sssd/sssd.conf is backed up and will be restored during >>> uninstall. >>> Configured /etc/sssd/sssd.conf >>> trying https://replica.mydomain.com/ipa/xml >>> Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' >>> Traceback (most recent call last): >>>File "/usr/sbin/ipa-client-install", line 2377, in >>> sys.exit(main()) >>>File "/usr/sbin/ipa-client-install", line 2363, in main >>> rval = install(options, env, fstore, statestore) >>>File "/usr/sbin/ipa-client-install", line 2167, in install >>> remote_env = api.Command['env'](server=True)['result'] >>>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in >>> __call__ >>> ret = self.run(*args, **options) >>>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, >>> in run >>> return self.forward(*args, **options) >>>File "/us
Re: [Freeipa-users] Trouble with replica install
Hello Les, Did you manage to resolve the issue? I just got to it after the Christmas break. Reading few resources online, this error seems to come of a misconfigured httpd when for example mod_authz_groupfile.so or mod_authz_user.so Apache modules are not loaded (I have them loaded in /etc/httpd/conf.modules.d/00-base.conf). Did you modify httpd configuration before you run ipa-replica-install in any way? Martin On 12/16/2013 01:44 PM, Les Stott wrote: > Petr, > > The below was the error from apache error logs > >> Apache logs the following error at the same time... >> >> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: >> couldn't check access. No groups file?: /ipa/xml, referer: >> https://replica.mydomain.com/ipa/xml > > Other lines in the /var/log/httpd/error log at the same time... > > [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** > [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** > [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: > couldn't check access. No groups file?: /ipa/xml, referer: > https://replica.mydomain.com/ipa/xml > [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down > [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as > context unconfined_u:system_r:httpd_t:s0 > > Regards, > > Les > > > From: Petr Spacek [pspa...@redhat.com] > Sent: Monday, December 16, 2013 10:38 PM > To: Les Stott; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Trouble with replica install > > On 16.12.2013 10:55, Les Stott wrote: >> Sorry, when I said "selinux is in permissive mode, but it's the same as on >> the master server, so it should be the issue." It should have read as >> "selinux is in permissive mode, but it's the same as on the master server, >> so it should NOT be the issue." >> >> Les >> >> From: freeipa-users-boun...@redhat.com >> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott >> Sent: Monday, 16 December 2013 8:47 PM >> To: freeipa-users@redhat.com >> Subject: [Freeipa-users] Trouble with replica install >> >> Hi, >> >> Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. >> Already setup master server, now trying to install replica (which I've done >> before and its worked fine). >> >> The replica install gets all the way to the end but errors out. For the most >> part, it looks like it is complete, but I want to be sure there are no >> lingering issues. >> >> The error I see in the log is...(domain and ip's changed) >> >> >> 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com >> Realm: MYDOMAIN.COM >> DNS Domain: mydomain.com >> IPA Server: replica.mydomain.com >> BaseDN: dc=mydomain,dc=com >> Domain mydomain.com is already configured in existing SSSD config, creating >> a new one. >> The old /etc/sssd/sssd.conf is backed up and will be restored during >> uninstall. >> Configured /etc/sssd/sssd.conf >> trying https://replica.mydomain.com/ipa/xml >> Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' >> Traceback (most recent call last): >>File "/usr/sbin/ipa-client-install", line 2377, in >> sys.exit(main()) >>File "/usr/sbin/ipa-client-install", line 2363, in main >> rval = install(options, env, fstore, statestore) >>File "/usr/sbin/ipa-client-install", line 2167, in install >> remote_env = api.Command['env'](server=True)['result'] >>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in >> __call__ >> ret = self.run(*args, **options) >>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in >> run >> return self.forward(*args, **options) >>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in >> forward >> return self.Backend.xmlclient.forward(self.name, *args, **kw) >>File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in >> forward >> raise NetworkError(uri=server, error=e.errmsg) > >> ipalib.errors.NetworkError: cannot connect to >> u'https://replica.mydomain.com/ipa/xml': Internal Server Error > > Please look into /var/log/httpd/errors.log on server replica.mydomain.com and > check error messages there. > > Petr^2 Spacek >
Re: [Freeipa-users] Trouble with replica install - SOLVED
Alexander, I think it was a case of a manually locked down (post install) system that had been previously built. The master was on a vm that was a newer build, but not done in the same way as the older server, so it had a more default out of the box configuration. At least now I now to check this before installing the replica on existing machines. Regards, Les -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Tuesday, 17 December 2013 12:52 AM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trouble with replica install - SOLVED On Mon, 16 Dec 2013, Les Stott wrote: >Figured it out. > >Missing apache modules (not loaded). One of the following > >LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule >auth_digest_module modules/mod_auth_digest.so LoadModule >authn_file_module modules/mod_authn_file.so LoadModule >authn_alias_module modules/mod_authn_alias.so LoadModule >authn_anon_module modules/mod_authn_anon.so LoadModule authn_dbm_module >modules/mod_authn_dbm.so LoadModule authn_default_module >modules/mod_authn_default.so LoadModule authz_host_module >modules/mod_authz_host.so LoadModule authz_user_module >modules/mod_authz_user.so LoadModule authz_owner_module >modules/mod_authz_owner.so LoadModule authz_groupfile_module >modules/mod_authz_groupfile.so LoadModule authz_dbm_module >modules/mod_authz_dbm.so LoadModule authz_default_module >modules/mod_authz_default.so LoadModule authnz_ldap_module >modules/mod_authnz_ldap.so > >I'm not sure which one, i just matched what was on the master and >reinstalled the replica - no errors. Been a long day so i don't feel >like going through one by one, uninstalling/reinstalling etc. I imagine >its probably mod_authz_groupfile.so, but others are probably needed >too. I wonder if this server was refurbished from some other task where original configuration was already changed. FreeIPA install scripts assumes non-modified configuration files. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trouble with replica install - SOLVED
On Mon, 16 Dec 2013, Les Stott wrote: Figured it out. Missing apache modules (not loaded). One of the following LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so I'm not sure which one, i just matched what was on the master and reinstalled the replica - no errors. Been a long day so i don't feel like going through one by one, uninstalling/reinstalling etc. I imagine its probably mod_authz_groupfile.so, but others are probably needed too. I wonder if this server was refurbished from some other task where original configuration was already changed. FreeIPA install scripts assumes non-modified configuration files. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trouble with replica install - SOLVED
Figured it out. Missing apache modules (not loaded). One of the following LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so I'm not sure which one, i just matched what was on the master and reinstalled the replica - no errors. Been a long day so i don't feel like going through one by one, uninstalling/reinstalling etc. I imagine its probably mod_authz_groupfile.so, but others are probably needed too. Regards, Les From: Les Stott Sent: Monday, December 16, 2013 11:44 PM To: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Trouble with replica install Petr, The below was the error from apache error logs > Apache logs the following error at the same time... > > [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: > couldn't check access. No groups file?: /ipa/xml, referer: > https://replica.mydomain.com/ipa/xml Other lines in the /var/log/httpd/error log at the same time... [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 Regards, Les From: Petr Spacek [pspa...@redhat.com] Sent: Monday, December 16, 2013 10:38 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trouble with replica install On 16.12.2013 10:55, Les Stott wrote: > Sorry, when I said "selinux is in permissive mode, but it's the same as on > the master server, so it should be the issue." It should have read as > "selinux is in permissive mode, but it's the same as on the master server, so > it should NOT be the issue." > > Les > > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott > Sent: Monday, 16 December 2013 8:47 PM > To: freeipa-users@redhat.com > Subject: [Freeipa-users] Trouble with replica install > > Hi, > > Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. > Already setup master server, now trying to install replica (which I've done > before and its worked fine). > > The replica install gets all the way to the end but errors out. For the most > part, it looks like it is complete, but I want to be sure there are no > lingering issues. > > The error I see in the log is...(domain and ip's changed) > > > 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com > Realm: MYDOMAIN.COM > DNS Domain: mydomain.com > IPA Server: replica.mydomain.com > BaseDN: dc=mydomain,dc=com > Domain mydomain.com is already configured in existing SSSD config, creating a > new one. > The old /etc/sssd/sssd.conf is backed up and will be restored during > uninstall. > Configured /etc/sssd/sssd.conf > trying https://replica.mydomain.com/ipa/xml > Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' > Traceback (most recent call last): >File "/usr/sbin/ipa-client-install", line 2377, in > sys.exit(main()) >File "/usr/sbin/ipa-client-install", line 2363, in main > rval = install(options, env, fstore, statestore) >File "/usr/sbin/ipa-client-install", line 2167, in install > remote_env = api.Command['env'](server=True)['result'] >File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in > __call__ > ret = self.run(*args, **options) >File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in > run > return self.forward(*args, **options) >File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in > forwa
Re: [Freeipa-users] Trouble with replica install
Petr, The below was the error from apache error logs > Apache logs the following error at the same time... > > [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: > couldn't check access. No groups file?: /ipa/xml, referer: > https://replica.mydomain.com/ipa/xml Other lines in the /var/log/httpd/error log at the same time... [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 Regards, Les From: Petr Spacek [pspa...@redhat.com] Sent: Monday, December 16, 2013 10:38 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trouble with replica install On 16.12.2013 10:55, Les Stott wrote: > Sorry, when I said "selinux is in permissive mode, but it's the same as on > the master server, so it should be the issue." It should have read as > "selinux is in permissive mode, but it's the same as on the master server, so > it should NOT be the issue." > > Les > > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott > Sent: Monday, 16 December 2013 8:47 PM > To: freeipa-users@redhat.com > Subject: [Freeipa-users] Trouble with replica install > > Hi, > > Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. > Already setup master server, now trying to install replica (which I've done > before and its worked fine). > > The replica install gets all the way to the end but errors out. For the most > part, it looks like it is complete, but I want to be sure there are no > lingering issues. > > The error I see in the log is...(domain and ip's changed) > > > 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com > Realm: MYDOMAIN.COM > DNS Domain: mydomain.com > IPA Server: replica.mydomain.com > BaseDN: dc=mydomain,dc=com > Domain mydomain.com is already configured in existing SSSD config, creating a > new one. > The old /etc/sssd/sssd.conf is backed up and will be restored during > uninstall. > Configured /etc/sssd/sssd.conf > trying https://replica.mydomain.com/ipa/xml > Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' > Traceback (most recent call last): >File "/usr/sbin/ipa-client-install", line 2377, in > sys.exit(main()) >File "/usr/sbin/ipa-client-install", line 2363, in main > rval = install(options, env, fstore, statestore) >File "/usr/sbin/ipa-client-install", line 2167, in install > remote_env = api.Command['env'](server=True)['result'] >File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in > __call__ > ret = self.run(*args, **options) >File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in > run > return self.forward(*args, **options) >File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in > forward > return self.Backend.xmlclient.forward(self.name, *args, **kw) >File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward > raise NetworkError(uri=server, error=e.errmsg) > ipalib.errors.NetworkError: cannot connect to > u'https://replica.mydomain.com/ipa/xml': Internal Server Error Please look into /var/log/httpd/errors.log on server replica.mydomain.com and check error messages there. Petr^2 Spacek > > 2013-12-16T09:26:50Z INFO File > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line > 614, in run_script > return_value = main_function() > >File "/usr/sbin/ipa-replica-install", line 527, in main > raise RuntimeError("Failed to configure the client") > > 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: > RuntimeError: Failed to configure the client > --- > > Apache logs the following error at the same time... > > [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: > couldn't check access. No groups file?: /ipa/xml, referer: > https://replica.mydomain.com/ipa/xml > > I can login to the gui and it seems ok, but I'm rolling this into production > so I've got to get it right. > > I'm hoping this is just some bug because its an older freeipa on redhat > (minimal install) etc. selinux is in permissive mode, but it's the same as on > the master server, so it should be the issue. > > Is this error critical? How can I fix it? > > Thanks in advance, > > Les ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trouble with replica install
On 16.12.2013 10:55, Les Stott wrote: Sorry, when I said "selinux is in permissive mode, but it's the same as on the master server, so it should be the issue." It should have read as "selinux is in permissive mode, but it's the same as on the master server, so it should NOT be the issue." Les From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott Sent: Monday, 16 December 2013 8:47 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Trouble with replica install Hi, Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. Already setup master server, now trying to install replica (which I've done before and its worked fine). The replica install gets all the way to the end but errors out. For the most part, it looks like it is complete, but I want to be sure there are no lingering issues. The error I see in the log is...(domain and ip's changed) 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com Realm: MYDOMAIN.COM DNS Domain: mydomain.com IPA Server: replica.mydomain.com BaseDN: dc=mydomain,dc=com Domain mydomain.com is already configured in existing SSSD config, creating a new one. The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. Configured /etc/sssd/sssd.conf trying https://replica.mydomain.com/ipa/xml Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 2377, in sys.exit(main()) File "/usr/sbin/ipa-client-install", line 2363, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 2167, in install remote_env = api.Command['env'](server=True)['result'] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run return self.forward(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward return self.Backend.xmlclient.forward(self.name, *args, **kw) File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward raise NetworkError(uri=server, error=e.errmsg) ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error Please look into /var/log/httpd/errors.log on server replica.mydomain.com and check error messages there. Petr^2 Spacek 2013-12-16T09:26:50Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script return_value = main_function() File "/usr/sbin/ipa-replica-install", line 527, in main raise RuntimeError("Failed to configure the client") 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client --- Apache logs the following error at the same time... [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml I can login to the gui and it seems ok, but I'm rolling this into production so I've got to get it right. I'm hoping this is just some bug because its an older freeipa on redhat (minimal install) etc. selinux is in permissive mode, but it's the same as on the master server, so it should be the issue. Is this error critical? How can I fix it? Thanks in advance, Les ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trouble with replica install
Sorry, when I said "selinux is in permissive mode, but it's the same as on the master server, so it should be the issue." It should have read as "selinux is in permissive mode, but it's the same as on the master server, so it should NOT be the issue." Les From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott Sent: Monday, 16 December 2013 8:47 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Trouble with replica install Hi, Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. Already setup master server, now trying to install replica (which I've done before and its worked fine). The replica install gets all the way to the end but errors out. For the most part, it looks like it is complete, but I want to be sure there are no lingering issues. The error I see in the log is...(domain and ip's changed) 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com Realm: MYDOMAIN.COM DNS Domain: mydomain.com IPA Server: replica.mydomain.com BaseDN: dc=mydomain,dc=com Domain mydomain.com is already configured in existing SSSD config, creating a new one. The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. Configured /etc/sssd/sssd.conf trying https://replica.mydomain.com/ipa/xml Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 2377, in sys.exit(main()) File "/usr/sbin/ipa-client-install", line 2363, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 2167, in install remote_env = api.Command['env'](server=True)['result'] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run return self.forward(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward return self.Backend.xmlclient.forward(self.name, *args, **kw) File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward raise NetworkError(uri=server, error=e.errmsg) ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error 2013-12-16T09:26:50Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script return_value = main_function() File "/usr/sbin/ipa-replica-install", line 527, in main raise RuntimeError("Failed to configure the client") 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client --- Apache logs the following error at the same time... [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml I can login to the gui and it seems ok, but I'm rolling this into production so I've got to get it right. I'm hoping this is just some bug because its an older freeipa on redhat (minimal install) etc. selinux is in permissive mode, but it's the same as on the master server, so it should be the issue. Is this error critical? How can I fix it? Thanks in advance, Les ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Trouble with replica install
Hi, Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. Already setup master server, now trying to install replica (which I've done before and its worked fine). The replica install gets all the way to the end but errors out. For the most part, it looks like it is complete, but I want to be sure there are no lingering issues. The error I see in the log is...(domain and ip's changed) 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com Realm: MYDOMAIN.COM DNS Domain: mydomain.com IPA Server: replica.mydomain.com BaseDN: dc=mydomain,dc=com Domain mydomain.com is already configured in existing SSSD config, creating a new one. The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. Configured /etc/sssd/sssd.conf trying https://replica.mydomain.com/ipa/xml Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 2377, in sys.exit(main()) File "/usr/sbin/ipa-client-install", line 2363, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 2167, in install remote_env = api.Command['env'](server=True)['result'] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run return self.forward(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward return self.Backend.xmlclient.forward(self.name, *args, **kw) File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward raise NetworkError(uri=server, error=e.errmsg) ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error 2013-12-16T09:26:50Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script return_value = main_function() File "/usr/sbin/ipa-replica-install", line 527, in main raise RuntimeError("Failed to configure the client") 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client --- Apache logs the following error at the same time... [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml I can login to the gui and it seems ok, but I'm rolling this into production so I've got to get it right. I'm hoping this is just some bug because its an older freeipa on redhat (minimal install) etc. selinux is in permissive mode, but it's the same as on the master server, so it should be the issue. Is this error critical? How can I fix it? Thanks in advance, Les ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users