Re: [Freeipa-users] Issue with replication install
The IPA server is version 2.0.0 R3, which is supposed to install on fc14 with some packages from the updates-testing repo, while the replica install is on server 2.0.1.

Yes, there is no dogtagcert.p12 file; here are the files contained:

realm_info/httpcert.p12
realm_info/cacert.p12
realm_info/ldappwd
realm_info/ra.p12
realm_info/http_pin.txt
realm_info/realm_info
realm_info/configure.jar
realm_info/dscert.p12
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.ori
realm_info/pwdfile.txt
realm_info/kpasswd.keytab
realm_info/preferences.htm
realm_info/ca.crt

I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get a correct replica package, but that seems to have created another problem, as it has broken tomcat and thus pki-ca.

Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start
SEVERE: LifecycleException
java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar
    at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050)
    at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
    at org.apache.catalina.core.StandardService.start(StandardService.java:525)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:701)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:585)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found
    at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209)
    at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048)
    ... 24 more

It seems to me that it is looking for jakarta-commons-collections.jar, which exists but is a package from the old tomcat6-6.0.26.

Thanks
__Ide

On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:

Uzor Ide wrote:
Thanks Rob. I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the nssdb is empty. If the CA cert is supposed to exist there at that stage of install, then that would be the problem. Both the slapd-PKI-IPA error and access logs do not contain much. I attached them herein with the ipareplica-install.log.

How old is the prepared replica file, and was it created with an older version of IPA? In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist, which would explain why SSL is failing.

You can check by doing something like:

# gpg -d replica-info-your-server.gpg | tar tvf -

The file you're looking for is dogtagcert.p12

rob

thanks
Ide

On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden rcrit...@redhat.com wrote:

Uzor Ide wrote:
Hi all,
We are trying to set up a backup IPA server and decided to go the replication route. The box is a Fedora 14 with freeipa-2.0-RC2, which I upgraded to Fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However, when I run the ipa-replica-install command, I end up with the following error in the
[Freeipa-users] Difficulty installing freeipa
I initially started testing with FreeIPA on Fedora 15, using ipa 2.x. The server install went smoothly; however, I was unable to add clients due to lack of backward compatibility, since ipa 2.x isn't available for most of the systems I manage.

I decided to rebuild the test ipa server. I built a fresh Fedora 13 system and installed the yum packages. Initially the ipa server installed without errors. However, there were some issues. It hadn't configured httpd to autostart, and when I did start httpd, I was unable to get to the management UI. Attempting to kinit would pause for ~10-15 seconds before requesting a password. I was able to get the ticket. Attempting to then reach the website, after configuring firefox and importing the certs, resulted in the "Service temporarily unavailable" error. All of this seemed to indicate a problem with the hosts file, but checking it multiple times, as well as checking all variations of name resolution, indicated nothing.

I decided to reinstall to try to fix the kerb oddness and hopefully get to the website gui. I ran ipa-server-install --uninstall and attempted to reinstall, and got the following error:

CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpe1aE3t' returned non-zero exit status 32

Which led me to this bug, which was reported fixed in 2008:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287

Here is an excerpt from the install log:

2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file /var/lib/dirsrv/boot.ldif, errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file /var/lib/dirsrv/boot.ldif, errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
[11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/02:12:40:09] - [Setup] Fatal Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
2011-06-02 12:40:09,870 INFO
2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j' returned non-zero exit status 1
2011-06-02 12:40:09,870 DEBUG restarting ds instance
2011-06-02 12:40:12,030 INFO Shutting down dirsrv: ARC-NASA-GOV... server already stopped [FAILED]
*** Error: 1 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv: ARC-NASA-GOV... [ OK ]

All my attempts to re-install ipa-server now fail. I've tried removing all 51 packages associated with ipa-server and re-installing them. I've removed all 51 packages and deleted every file I could find associated with nscd, 389, ipa, sssd, etc. I have been unable to return the system to a state that will allow a reinstall of
Re: [Freeipa-users] Difficulty installing freeipa
On 06/03/2011 05:09 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

I initially started testing with FreeIPA on Fedora 15, using ipa 2.x. The server install went smoothly; however, I was unable to add clients due to lack of backward compatibility, since ipa 2.x isn't available for most of the systems I manage.

I decided to rebuild the test ipa server. I built a fresh Fedora 13 system and installed the yum packages. Initially the ipa server installed without errors. However, there were some issues. It hadn't configured httpd to autostart, and when I did start httpd, I was unable to get to the management UI. Attempting to kinit would pause for ~10-15 seconds before requesting a password. I was able to get the ticket. Attempting to then reach the website, after configuring firefox and importing the certs, resulted in the "Service temporarily unavailable" error. All of this seemed to indicate a problem with the hosts file, but checking it multiple times, as well as checking all variations of name resolution, indicated nothing.

I decided to reinstall to try to fix the kerb oddness and hopefully get to the website gui. I ran ipa-server-install --uninstall and attempted to reinstall, and got the following error:

CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpe1aE3t' returned non-zero exit status 32

Which led me to this bug, which was reported fixed in 2008:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287

Here is an excerpt from the install log:

2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file /var/lib/dirsrv/boot.ldif, errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file /var/lib/dirsrv/boot.ldif, errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
[11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/02:12:40:09] - [Setup] Fatal Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
2011-06-02 12:40:09,870 INFO
2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j' returned non-zero exit status 1
2011-06-02 12:40:09,870 DEBUG restarting ds instance
2011-06-02 12:40:12,030 INFO Shutting down dirsrv: ARC-NASA-GOV... server already stopped [FAILED]
*** Error: 1 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv: ARC-NASA-GOV... [ OK ]

All my attempts to re-install ipa-server now fail. I've tried removing all 51 packages associated with ipa-server and re-installing them. I've
Re: [Freeipa-users] Difficulty installing freeipa
I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.

[root@freeipa ~]# uname -r
2.6.35.13-91.fc14.x86_64
[root@freeipa ~]# rpm -qa 'ipa*'
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
[root@freeipa ~]#

I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work; I tried to fix it, uninstalled, and any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.

-Brian

On 6/3/11 2:30 PM, Dmitri Pal d...@redhat.com wrote:

Is it all on F13? The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are too many parts; this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. It looks like you have some instances of the DS left over in a misconfigured state. You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.

But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have the latest and greatest. There was a nice article referenced in some of the earlier threads on the list:
http://www.aput.net/~jheiss/krbldap/howto.html

You can configure very old clients to use IPA as a NIS server. Let us know how else we can help.

Thanks
Dmitri

-Brian

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Difficulty installing freeipa
On Fri, 2011-06-03 at 16:38 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.

Brian,
I am curious, what compatibility are you lacking? I can't think of any difference in the supported list of clients; with v2 we have native sssd support that was not available in v1, but the legacy support is basically identical. Can you elaborate on which problem you found on which clients?

Thanks,
Simo

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Difficulty installing freeipa
On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.

[root@freeipa ~]# uname -r
2.6.35.13-91.fc14.x86_64
[root@freeipa ~]# rpm -qa 'ipa*'
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
[root@freeipa ~]#

I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work; I tried to fix it, uninstalled, and any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.

Ah, this is all old 1.2 IPA. Have you tried

ipa-server-install --uninstall

Might require several attempts until all the errors are cleared.

-Brian

On 6/3/11 2:30 PM, Dmitri Pal d...@redhat.com wrote:

Is it all on F13? The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are too many parts; this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. It looks like you have some instances of the DS left over in a misconfigured state. You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.

But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have the latest and greatest. There was a nice article referenced in some of the earlier threads on the list:
http://www.aput.net/~jheiss/krbldap/howto.html

You can configure very old clients to use IPA as a NIS server. Let us know how else we can help.

Thanks
Dmitri

-Brian

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Difficulty installing freeipa
Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row. Same errors:

Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
  [5/17]: enabling referential integrity plugin
  [6/17]: enabling distributed numeric assignment plugin
  [7/17]: enabling winsync plugin
  [8/17]: configuring uniqueness plugin
  [9/17]: creating indices
  [10/17]: configuring ssl for ds instance
  [11/17]: configuring certmap.conf
  [12/17]: restarting directory server
  [13/17]: adding default layout
root: CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
  [14/17]: configuring Posix uid/gid generation as first master
  [15/17]: adding master entry as first master
root: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
  [16/17]: initializing group membership
  [17/17]: configuring directory to start on boot
done configuring dirsrv.

As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl.

I then re-ran ipa-server-install, which this time did not detect an existing directory server. However, the ipa-server-install again failed in the same location.

  [2/17]: creating directory server instance
root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1

And from the log:

2011-06-03 15:12:41,540 DEBUG Configuring directory server:
2011-06-03 15:12:41,541 DEBUG   [1/17]: creating directory server user
2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server instance
2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured
2011-06-03 15:12:41,567 INFO
2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG dn: dc=arc,dc=nasa,dc=gov
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: arc
info: IPA V1.0

2011-06-03 15:12:41,569 DEBUG writing inf template
2011-06-03 15:12:41,570 DEBUG [General]
FullMachineName= freeipa.arc.nasa.gov
SuiteSpotUserID= dirsrv
ServerRoot=/usr/lib64/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= ARC-NASA-GOV
Suffix= dc=arc,dc=nasa,dc=gov
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif

2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file /var/lib/dirsrv/boot.ldif, errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads...
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
Could not import LDIF file
Re: [Freeipa-users] Difficulty installing freeipa
I have resolved the install issue. The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root's umask. It doesn't do a check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of security best practices recommended by the CIS group as well as others is to set root's umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install.

I modified dsinstance.py to not remove the file and checked it after a failed install. It was written properly, so I changed the permission on it to 666 and re-ran the install. It succeeded.

I'm now back to where I started, which is a partly working ipa install. Kinit takes 75 seconds to complete. I still can't get to the UI. I'm now going to uninstall again, change root's umask to 022, and see if that fixes any more of the problems.

-Brian

On 6/3/11 3:14 PM, Brian Stamper brian.p.stam...@nasa.gov wrote:

Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row. Same errors:

Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
  [5/17]: enabling referential integrity plugin
  [6/17]: enabling distributed numeric assignment plugin
  [7/17]: enabling winsync plugin
  [8/17]: configuring uniqueness plugin
  [9/17]: creating indices
  [10/17]: configuring ssl for ds instance
  [11/17]: configuring certmap.conf
  [12/17]: restarting directory server
  [13/17]: adding default layout
root: CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
  [14/17]: configuring Posix uid/gid generation as first master
  [15/17]: adding master entry as first master
root: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
  [16/17]: initializing group membership
  [17/17]: configuring directory to start on boot
done configuring dirsrv.

As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl.

I then re-ran ipa-server-install, which this time did not detect an existing directory server. However, the ipa-server-install again failed in the same location.

  [2/17]: creating directory server instance
root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1

And from the log:

2011-06-03 15:12:41,540 DEBUG Configuring directory server:
2011-06-03 15:12:41,541 DEBUG   [1/17]: creating directory server user
2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server instance
2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured
2011-06-03 15:12:41,567 INFO
2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG dn: dc=arc,dc=nasa,dc=gov
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: arc
info: IPA V1.0

2011-06-03 15:12:41,569 DEBUG writing inf template
2011-06-03 15:12:41,570 DEBUG [General]
FullMachineName= freeipa.arc.nasa.gov
SuiteSpotUserID= dirsrv
ServerRoot=/usr/lib64/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= ARC-NASA-GOV
Suffix= dc=arc,dc=nasa,dc=gov
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif

2011-06-03
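The failure Brian describes above is a general one: a privileged installer writes a file under its own umask and then hands it to a less privileged service account without checking that the account can read it. The script below is an added example and not code from FreeIPA's dsinstance.py or from anyone in this thread. It reproduces the symptom under a CIS-style umask of 0077 with a plain open(), and shows the fix an installer should use instead: create the file with an explicit mode, override the umask with fchmod, and hand it to the service account's group with 0640. It also shows why "chmod 666" is the wrong workaround, since that makes the bootstrap LDIF world-writable. SERVICE_UID and SERVICE_GID are stand-ins for the dirsrv account (a real installer would look it up with pwd.getpwnam); the LDIF content is constructed.

```python
import os
import stat
import tempfile

# Hypothetical stand-ins for the dirsrv account, chosen so the demo runs
# unprivileged: a uid that is not ours, and a group we are already a member of.
SERVICE_UID = os.getuid() + 1
SERVICE_GID = os.getgid()


def naive_write(path, data):
    """The pattern the thread describes: the installer opens the file with a
    plain open(), so the mode is 0666 masked by the caller's umask.  Under a
    CIS-style umask of 0077 that is 0600, unreadable by the service user.
    Returns the resulting permission bits."""
    with open(path, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_for_service_user(path, data, uid=None, gid=None, mode=0o640):
    """Create the file with a mode and owner that do not depend on the
    caller's umask, then write the payload.  Returns the permission bits.

    uid/gid of None mean "leave as is".  root:dirsrv with 0640 is all the
    service needs; nothing here requires 0666."""
    # O_EXCL refuses a pre-existing file or symlink at `path`, so a stale or
    # planted bootstrap file is an error instead of being silently reused.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)  # open() applied the umask; restore the intended mode
        st = os.fstat(fd)
        new_uid = st.st_uid if uid is None else uid
        new_gid = st.st_gid if gid is None else gid
        if (new_uid, new_gid) != (st.st_uid, st.st_gid):
            os.fchown(fd, new_uid, new_gid)
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by(path, uid, gid):
    """Owner/group/other mode-bit check (ignores ACLs and SELinux): the
    pre-flight check the installer could run before spawning setup-ds.pl."""
    st = os.stat(path)
    m = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(m & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(m & stat.S_IRGRP)
    return bool(m & stat.S_IROTH)


def demo(umask=0o077):
    """Reproduce the failure under `umask`, then the fix.  Returns
    (naive_mode, naive_readable, fixed_mode, fixed_readable) as seen by the
    hypothetical service account."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed bootstrap LDIF, standing in for /var/lib/dirsrv/boot.ldif.
            ldif = "dn: dc=example,dc=test\nobjectClass: domain\ndc: example\n"
            p1 = os.path.join(d, "boot.ldif")
            m1 = naive_write(p1, ldif)
            p2 = os.path.join(d, "boot-fixed.ldif")
            m2 = write_for_service_user(p2, ldif, gid=SERVICE_GID, mode=0o640)
            return (m1, readable_by(p1, SERVICE_UID, SERVICE_GID),
                    m2, readable_by(p2, SERVICE_UID, SERVICE_GID))
    finally:
        os.umask(old)


if __name__ == "__main__":
    m1, r1, m2, r2 = demo(0o077)
    print(f"naive: mode {oct(m1)} readable={r1}; fixed: mode {oct(m2)} readable={r2}")
```

Run as any user: under umask 0077 the naive file comes out 0600 and the service account cannot read it, while the explicit-mode file is 0640 and readable through its group. Under umask 022 both are readable, which is exactly why the installer bug only shows up on hardened hosts.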
Re: [Freeipa-users] Difficulty installing freeipa
On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

I have resolved the install issue.

Great!

The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root's umask. It doesn't do a check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of security best practices recommended by the CIS group as well as others is to set root's umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install.

I modified dsinstance.py to not remove the file and checked it after a failed install. It was written properly, so I changed the permission on it to 666 and re-ran the install. It succeeded. Opened https://fedorahosted.org/freeipa/ticket/1282

I'm now back to where I started, which is a partly working ipa install. Kinit takes 75 seconds to complete. Seems like a DNS timeout or something related to the name resolution. I still can't get to the UI. I'm now going to uninstall again, change root's umask to 022, and see if that fixes any more of the problems.

The UI does not start for me if you try to run FF from the root shell. I forget about this frequently and just upgraded to F15 and hit it again. If you have a normal user shell, kinit from that shell as admin and start the browser from it; you should then have all the right context to access the UI.

-Brian

On 6/3/11 3:14 PM, Brian Stamper brian.p.stam...@nasa.gov wrote:

Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row. Same errors:

Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
  [5/17]: enabling referential integrity plugin
  [6/17]: enabling distributed numeric assignment plugin
  [7/17]: enabling winsync plugin
  [8/17]: configuring uniqueness plugin
  [9/17]: creating indices
  [10/17]: configuring ssl for ds instance
  [11/17]: configuring certmap.conf
  [12/17]: restarting directory server
  [13/17]: adding default layout
root: CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
  [14/17]: configuring Posix uid/gid generation as first master
  [15/17]: adding master entry as first master
root: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
  [16/17]: initializing group membership
  [17/17]: configuring directory to start on boot
done configuring dirsrv.

As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl. I then re-ran ipa-server-install, which this time did not detect an existing directory server.

However, the ipa-server-install again failed in the same location.

  [2/17]: creating directory server instance
root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1

And from the log:

2011-06-03 15:12:41,540 DEBUG Configuring directory server:
2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory server user
2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server instance
2011-06-03 15:12:41,567
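The umask problem described in this message is a general one: a privileged installer that writes a file for a less-privileged service account with a plain open() inherits whatever umask the root shell carries, so a hardened 0077 umask silently produces a 0600 file that the service user cannot read. The script below is an added illustration, not code from dsinstance.py or from the fix in the ticket: it reproduces the failure mode under umask 0077 and contrasts it with a writer that sets the mode and ownership on the file descriptor explicitly, so the result is independent of the caller's umask. The uid 60001, the 0640 mode, and the use of the current process's uid/gid as stand-ins for root and the dirsrv group are all assumptions made for the example.

```python
import os
import stat
import tempfile

# Constructed stand-in for the service account (dirsrv in the thread): a uid
# that is NOT the file owner but shares the owner's group. 60001 is made up.
SERVICE_UID = 60001


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by(path, uid, gid):
    """Decide from mode bits alone whether a process running as uid/gid
    (no supplementary groups, no ACLs) can read path. Root bypasses DAC."""
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def naive_write(path, data):
    """The pattern that breaks under a hardened umask: open() creates the
    file as 0666 & ~umask, so umask 0077 yields 0600 and nobody but the
    owner (root) can read it."""
    with open(path, "wb") as f:
        f.write(data)
    return path


def write_for_service_user(path, data, uid, gid, mode=0o640):
    """Write data so that uid/gid can read it regardless of umask.
    fchmod/fchown act on the descriptor, so the file never sits on disk
    with the umask-derived mode; the final rename makes the update atomic,
    so a reader never sees a half-written file. fchown to a foreign uid/gid
    needs CAP_CHOWN, which the root installer has."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".tmp-")
    try:
        os.fchmod(fd, mode)        # umask does not apply to an explicit fchmod
        os.fchown(fd, uid, gid)
        os.write(fd, data)
        os.fsync(fd)
        os.close(fd)
        os.rename(tmp, path)
    except BaseException:
        try:
            os.close(fd)
        except OSError:
            pass
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def demo(tmpdir=None):
    """Run both writers under a CIS-style umask of 0077 and report the
    resulting modes and whether SERVICE_UID could read each file. Uses the
    current process's uid/gid as stand-ins for root and the dirsrv group."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as td:
            return demo(td)
    uid, gid = os.getuid(), os.getgid()
    payload = b"dn: cn=config\n"   # constructed placeholder for boot.ldif
    old = os.umask(0o077)
    try:
        bad = naive_write(os.path.join(tmpdir, "boot.naive.ldif"), payload)
        good = write_for_service_user(os.path.join(tmpdir, "boot.ldif"),
                                      payload, uid, gid)
    finally:
        os.umask(old)
    return {
        "naive_mode": mode_of(bad),
        "naive_readable": readable_by(bad, SERVICE_UID, gid),
        "safe_mode": mode_of(good),
        "safe_readable": readable_by(good, SERVICE_UID, gid),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if type(v) is int else v)
```

The point of the descriptor-level approach is that the installer states the policy (who may read the bootstrap file) instead of inheriting it from the environment; a pre-spawn check such as readable_by() on the service account's uid/gid would have turned the silent setup-ds.pl failure into a clear error.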
Re: [Freeipa-users] Difficulty installing freeipa
I'm closer. I was able to get logged into the UI. It wasn't that I was running firefox from root, but that I had inited as root. Same problem really. Dropping back to my own shell and initing I was able to reach the GUI.

The next problem I need to tackle is the slowness. Ipa-finduser admin does return results, but it takes 2m43s.

[root@freeipa ~]# egrep freeipa|local /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
1.2.3.4 freeipa.arc.nasa.gov freeipa

[root@freeipa ~]# grep host /etc/nsswitch.conf
#hosts: db files nisplus nis dns
hosts: files dns

[root@freeipa ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
inet addr:1.2.3.4

I don't see any issues with the configuration there. There are no conflicting freeipa hosts in dns. Looks pretty much in compliance with the guide:

Configuring /etc/hosts
You need to ensure that your /etc/hosts file is configured correctly, or the ipa-* commands may not work correctly. The /etc/hosts file should list the FQDN for your IPA server before any aliases. You should also ensure that the hostname is not part of the localhost entry. The following is an example of a valid hosts file:

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver

-Brian

On 6/3/11 3:58 PM, Dmitri Pal d...@redhat.com wrote:
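The guide paragraph quoted in this message states two rules for /etc/hosts (the FQDN must come before any alias on its line, and neither the FQDN nor the short hostname may appear on a loopback entry) plus, implicitly, that nsswitch consults files before dns. The checker below is an added example, not part of the thread or of the IPA installer: it applies those rules to a hosts file and reads the hosts: order out of nsswitch.conf. The two sample hosts files are constructed for the example; ipaserver.example.com is the name used in the guide's own sample.

```python
# Constructed sample inputs for the example (not the thread's real host).
GOOD_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver
"""

BAD_HOSTS = """\
127.0.0.1   localhost.localdomain localhost ipaserver
192.168.1.1 ipaserver ipaserver.example.com   # alias listed before the FQDN
"""

NSSWITCH = """\
#hosts: db files nisplus nis dns
hosts: files dns
"""


def _entries(text):
    """Yield (lineno, address, [names]) for each non-comment hosts line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def _is_loopback(addr):
    # 127.0.0.0/8 and the IPv6 loopback; 127.0.1.1-style entries count too.
    return addr.startswith("127.") or addr == "::1"


def check_hosts(text, fqdn):
    """Return a list of problems (empty when the file satisfies the guide)."""
    short = fqdn.split(".", 1)[0]
    problems = []
    seen = False
    for lineno, addr, names in _entries(text):
        if _is_loopback(addr) and (fqdn in names or short in names):
            problems.append(
                "line %d: %s or %s is part of the loopback entry %s"
                % (lineno, fqdn, short, addr))
        if fqdn in names:
            seen = True
            if not _is_loopback(addr) and names[0] != fqdn:
                problems.append(
                    "line %d: FQDN %s must be listed before aliases (%s is first)"
                    % (lineno, fqdn, names[0]))
    if not seen:
        problems.append("%s not present in hosts file" % fqdn)
    return problems


def hosts_resolution_order(nsswitch_text):
    """The source list after 'hosts:' in nsswitch.conf, or None if absent."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return None


def files_before_dns(nsswitch_text):
    """True when /etc/hosts is consulted before DNS, so the local entry wins."""
    order = hosts_resolution_order(nsswitch_text) or []
    return "files" in order and ("dns" not in order
                                 or order.index("files") < order.index("dns"))


if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_hosts(text, "ipaserver.example.com") or "ok")
    print("nsswitch hosts:", hosts_resolution_order(NSSWITCH),
          "files before dns:", files_before_dns(NSSWITCH))
```

Run against the real files with open("/etc/hosts").read() and the server's FQDN; a non-empty list is the condition the guide warns about, though an empty list does not by itself explain the 75-second kinit reported earlier in the thread.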