[Freeipa-users] ipa-server-install fails at client phase

2017-04-18 Thread Davide Siluri


From: Davide Siluri
Sent: 14 April 2017 17:12
To: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-server-install fails at client phase


Hello Ryan,

I had that same issue with FreeIPA 4.4 on RH 7.3.

In my case IPA installation linked a wrong dependency with python36u-mod_wsgi.

Remove python36u package and install mod_wsgi (in my case 
mod_wsgi-3.4-12.el7_0.x86_64) before running IPA install procedure again.


That should solve the problem.


Regards


Davide
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
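
The mismatch behind this thread can be read from the two logs in the original report: the httpd log quotes the module name in its ImportError, which Python 3.3+ does and Python 2.7 does not, while the installer traceback shows ipalib under a python2.7 site-packages directory. The sketch below is an added example, not code from the posts or from FreeIPA; the sample log lines are constructed from the report and the function names are hypothetical.

```python
import re

# Constructed sample: httpd error_log lines from the report in this thread,
# rejoined onto single lines (one shared timestamp for brevity).
_PFX = ("[Wed Feb 15 14:40:13.488691 2017] [wsgi:error] [pid 39142] "
        "[remote 172.20.151.7:58476] ")
HTTPD_LOG = "\n".join([
    _PFX + "mod_wsgi (pid=39142): Target WSGI script '/usr/share/ipa/wsgi.py' "
           "cannot be loaded as Python module.",
    _PFX + "from ipalib import api",
    _PFX + "ImportError: No module named 'ipalib'",
])

# Constructed sample: one frame of the ipa-client-install traceback.
CLIENT_TRACEBACK = (
    'File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1033, in forward'
)

WSGI_LINE = re.compile(
    r"^\[[^\]]+\] \[wsgi:error\] \[pid (\d+)\] (?:\[remote [^\]]+\] ?)?(.*)$")
MISSING = re.compile(
    r"(?:ImportError|ModuleNotFoundError): No module named "
    r"(?P<q>'?)(?P<mod>[\w.]+)(?P=q)")
SITE_PKGS = re.compile(r"/python(\d)\.(\d+)/site-packages/(\w+)")


def wsgi_import_failures(log_text):
    """Return [(pid, module, python_major)] for imports that failed under mod_wsgi."""
    failures = []
    for line in log_text.splitlines():
        m = WSGI_LINE.match(line)
        if not m:
            continue
        hit = MISSING.search(m.group(2))
        if hit:
            # Python 3.3+ quotes the module name; Python 2.7 prints it bare.
            major = 3 if hit.group("q") else 2
            failures.append((int(m.group(1)), hit.group("mod"), major))
    return failures


def module_homes(traceback_text):
    """Map top-level module -> Python majors whose site-packages contain it."""
    homes = {}
    for major, _minor, top in SITE_PKGS.findall(traceback_text):
        homes.setdefault(top, set()).add(int(major))
    return homes


def diagnose(log_text, traceback_text):
    """Flag imports that fail because httpd embeds a different Python major."""
    homes = module_homes(traceback_text)
    findings = []
    for pid, mod, major in wsgi_import_failures(log_text):
        top = mod.split(".")[0]
        installed = homes.get(top, set())
        mismatch = bool(installed) and major not in installed
        findings.append({
            "pid": pid,
            "module": top,
            "httpd_python": major,
            "installed_for": sorted(installed),
            "verdict": "interpreter-mismatch" if mismatch else "look-elsewhere",
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(HTTPD_LOG, CLIENT_TRACEBACK):
        print(finding)
```

On the affected host, `rpm -qa | grep -i mod_wsgi` then shows which mod_wsgi builds are installed.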

[Freeipa-users] ipa-server-install fails at client phase

2017-02-16 Thread Ryan Hutchison
Hello All,

 

Version: IPAv4.4

OS: RHEL 7.3

 

Having a python import issue during ipa-server-install here, and the internets 
are failing me. Please note that the urls and server names have been 
abstracted. During the install run, I get the following:

 

Forwarding 'schema' to json server 'https://ipaserver.domain.com/ipa/json'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3109, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2818, in install
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1033, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to ''https://ipaserver.domain.com/ipa/json: Internal Server Error
ipa.ipapython.install.cli.install_tool(Server): ERROR    Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

 

The install log doesn’t really tell me a whole lot, save for a full stacktrace 
when running “ipa-client-install”:

 

2017-02-15T20:40:12Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain domain.com --server ipaserver.domain.com --realm REALM.COM --hostname ipaserver.domain.com
2017-02-15T20:40:13Z DEBUG Process finished, return code=1
2017-02-15T20:40:13Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
…truncated…

 

 

However, in the httpd logs I see the following:

 

[Wed Feb 15 14:40:13.488496 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] mod_wsgi (pid=39142): Target WSGI script '/usr/share/ipa/wsgi.py' cannot be loaded as Python module.
[Wed Feb 15 14:40:13.488546 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] mod_wsgi (pid=39142): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Feb 15 14:40:13.488638 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] Traceback (most recent call last):
[Wed Feb 15 14:40:13.488664 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476]   File "/usr/share/ipa/wsgi.py", line 26, in <module>
[Wed Feb 15 14:40:13.488674 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] from ipalib import api
[Wed Feb 15 14:40:13.488691 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] ImportError: No module named 'ipalib'

 

Along with other import errors. However, I have confirmed I am able to import 
these global modules:

 

[root@720941-ipa ~]# python
Python 2.7.5 (default, Aug  2 2016, 04:20:16)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from ipalib import api
>>> api



 

I can also run the wsgi script directly without issue:

 

[root@720941-ipa ~]# python /usr/share/ipa/wsgi.py
ipa: INFO: *** PROCESS START ***

 

Can someone point me in the right direction here? Thank you in advance for your 
help! 

 

--

Ryan Hutchison, RHCE/CCNA

Enterprise Support Architect

Rackspace Hosting

Direct: (210) 312-8157

Mobile: (210) 452-4349

 




Re: [Freeipa-users] ipa-server-install fails at DogTag restart

2016-12-14 Thread Fraser Tweedale
On Wed, Dec 14, 2016 at 05:35:35PM +, Tommy Nikjoo wrote:
> Hi,
> 
> I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
> keep getting an error when it tries to restart DogTag
> 
>   [26/31]: restarting certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [27/31]: migrating certificate profiles to LDAP
>   [error] NetworkError: cannot connect to
> 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> ipa.ipapython.install.cli.install_tool(Server): ERROR    cannot connect
> to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
> ipa-server-install command failed. See /var/log/ipaserver-install.log
> for more information
> 
> 
> The log shows the following error
> 
> 2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
> 2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
> 2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
> SSL Server
> 2016-12-14T16:53:05Z DEBUG cert valid True for
> "CN=ldap.example.com,O=EXAMPLE.COM"
> 2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
> 2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
> 2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> 2016-12-14T16:53:05Z DEBUG response status 200
> 2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
> 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
> Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
> 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
> 2016 16:53:05 GMT', 'content-type': 'application/xml'}
> 2016-12-14T16:53:05Z DEBUG response body ' encoding="UTF-8" standalone="yes"?> id="ipara">iparaCertificate Manager
> AgentsRegistration Manager Agents'
> 2016-12-14T16:53:05Z DEBUG request POST
> https://ldap.example.com:8443/ca/rest/profiles/raw
> 2016-12-14T16:53:05Z DEBUG request body
> 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
> certificates with IECUserRoles extension via IPA-RA agent
> authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
> Agent-Authenticated Server Certificate
> Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
> Name
> Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
> Name
> Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
> Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
> Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
> Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
> Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
> Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
> Key Identifier
> Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
> Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
> Extension
> 

[Freeipa-users] ipa-server-install fails at DogTag restart

2016-12-14 Thread Tommy Nikjoo
Hi,

I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
keep getting an error when it tries to restart DogTag

  [26/31]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
the Dogtag instance.See the installation log for details.
  [27/31]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to
'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
ipa.ipapython.install.cli.install_tool(Server): ERROR    cannot connect
to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
ipa.ipapython.install.cli.install_tool(Server): ERROR    The
ipa-server-install command failed. See /var/log/ipaserver-install.log
for more information


The log shows the following error

2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
SSL Server
2016-12-14T16:53:05Z DEBUG cert valid True for
"CN=ldap.example.com,O=EXAMPLE.COM"
2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-12-14T16:53:05Z DEBUG response status 200
2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
2016 16:53:05 GMT', 'content-type': 'application/xml'}
2016-12-14T16:53:05Z DEBUG response body 'iparaCertificate Manager
AgentsRegistration Manager Agents'
2016-12-14T16:53:05Z DEBUG request POST
https://ldap.example.com:8443/ca/rest/profiles/raw
2016-12-14T16:53:05Z DEBUG request body
'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
certificates with IECUserRoles extension via IPA-RA agent
authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
Agent-Authenticated Server Certificate
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
Name
Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
Name
Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
Key Identifier
Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
Extension
Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key
Usage Extension

Re: [Freeipa-users] ipa-server-install fails at last leg?

2015-10-14 Thread lejeczek

On 14/10/15 07:56, Martin Kosek wrote:
> On 10/13/2015 12:23 PM, lejeczek wrote:
> > dear all,
> >
> > my first try at ipa server, I get this when install fails:
>
> Hi lejeczek,
>
> Can you please start with specifying your IPA version?
>
> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

it's: ipa-server-4.1.0-18.sl7_1.4.x86_64
and I did file a report before asking the list, also 
attached a log there.
I'm now trying a plain vanilla virtual system and it 
succeeded there.
Where to start troubleshooting it, it seems like that java 
process hangs on while installer tries to restart httpd.

> >   [15/16]: restarting httpd
> >   [error] CalledProcessError: Command ''/bin/systemctl' 'restart'
> > 'httpd.service'' returned non-zero exit status 1
> > Unexpected error - see /var/log/ipaserver-install.log for details:
> > CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service''
> > returned non-zero exit status 1
> >
> > then I can see that httpd fails to restart for:
> >
> > Starting The Apache HTTP Server...
> > (98)Address already in use: AH00072: make_sock: could not bind to address
> > [::]:8443
> > (98)Address already in use: AH00072: make_sock: could not bind to address
> > 0.0.0.0:8443
> > no listening sockets available, shutting down
> >
> > and port is bound by:
> >
> > UID PID  PPID  C SZ   RSS PSR STIME TTY  TIME CMD
> > pkiuser   5330 1  1 2128224 494604 5 11:00 ?   00:00:16 java
> > -agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on
> > -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath
> > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> > -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> > -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > -Djava.security.manager
> > -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
> > org.apache.catalina.startup.Bootstrap start
> >
> > and this is as you can see, the process, the result of the ipa-server-install
> > itself.
> > Any suggestions as what is the problem there?
>
> It is expected that Dogtag takes over port 8443. What FreeIPA does is
> re-configure installed mod_nss (nss.conf) originally listening on 8443 to
> occupy port 443  instead.
>
> So this failure likely means that something else is bound to port 8443, whether
> it is other Apache module or other program.
>
> I would start with
> # netstat -putna run before the installation to see what's it.
>
> Upstream wise, there should be a check since
> https://fedorahosted.org/freeipa/ticket/4564




Re: [Freeipa-users] ipa-server-install fails at last leg?

2015-10-14 Thread Martin Kosek
On 10/13/2015 12:23 PM, lejeczek wrote:
> dear all,
> 
> my first try at ipa server, I get this when install fails:

Hi lejeczek,

Can you please start with specifying your IPA version?

http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

>   [15/16]: restarting httpd
>   [error] CalledProcessError: Command ''/bin/systemctl' 'restart'
> 'httpd.service'' returned non-zero exit status 1
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service''
> returned non-zero exit status 1
> 
> then I can see that httpd fails to restart for:
> 
> Starting The Apache HTTP Server...
> (98)Address already in use: AH00072: make_sock: could not bind to address
> [::]:8443
> (98)Address already in use: AH00072: make_sock: could not bind to address
> 0.0.0.0:8443
> no listening sockets available, shutting down
> 
> and port is bound by:
> 
> UID PID  PPID  C SZ   RSS PSR STIME TTY  TIME CMD
> pkiuser   5330 1  1 2128224 494604 5 11:00 ?   00:00:16 java
> -agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on
> -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.security.manager
> -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
> org.apache.catalina.startup.Bootstrap start
> 
> and this is as you can see, the process, the result of the ipa-server-install
> itself.
> Any suggestions as what is the problem there?

It is expected that Dogtag takes over port 8443. What FreeIPA does is
re-configure installed mod_nss (nss.conf) originally listening on 8443 to
occupy port 443  instead.

So this failure likely means that something else is bound to port 8443, whether
it is other Apache module or other program.

I would start with
# netstat -putna run before the installation to see what's it.

Upstream wise, there should be a check since
https://fedorahosted.org/freeipa/ticket/4564
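
The pre-install check suggested in this reply, as an added example that is not part of the original message or of FreeIPA: it reads the kernel's socket tables the way `netstat -putna` does and reports what is listening on the two ports named above. The sample table is constructed (pid 5330 and `java` are taken from the process listing in the thread), the function names are hypothetical, and owner lookup for other users' processes assumes the script runs as root on Linux.

```python
import os

WATCHED_PORTS = (8443, 443)   # the ports named in the reply above
TCP_LISTEN = "0A"             # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout: a listener on 8443, a listener
# on 25, and an established outbound connection to a remote port 443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    17        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20011 1 0000000000000000 100 0 0 10 0
   2: 0A000603:B2C4 0A000002:01BB 01 00000000:00000000 00:00000000 00000000     0        0 50077 1 0000000000000000 20 4 30 10 -1
"""


def listening_ports(proc_net_text):
    """Parse /proc/net/tcp or tcp6 text; return {local_port: socket_inode}."""
    ports = {}
    for line in proc_net_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue                                 # only LISTEN sockets block a bind
        port = int(fields[1].rsplit(":", 1)[1], 16)  # works for IPv4 and IPv6 rows
        ports[port] = int(fields[9])
    return ports


def owner_of(inode, proc="/proc"):
    """Return (pid, command) of the process holding the socket inode, or None."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc, pid, "comm")) as fh:
                        return int(pid), fh.read().strip()
        except OSError:
            continue   # process exited, or not permitted without root
    return None


def listeners_on(ports, tables, resolve=owner_of):
    """Report every watched port that already has a listener, with its owner."""
    found = []
    for text in tables:
        for port, inode in sorted(listening_ports(text).items()):
            if port in ports:
                found.append({"port": port, "inode": inode, "owner": resolve(inode)})
    return found


if __name__ == "__main__":
    tables = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                tables.append(fh.read())
        except OSError:
            pass
    for hit in listeners_on(WATCHED_PORTS, tables):
        print("port %(port)d already has a listener: %(owner)s" % hit)
```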



[Freeipa-users] ipa-server-install fails at last leg?

2015-10-13 Thread lejeczek

dear all,

my first try at ipa server, I get this when install fails:

  [15/16]: restarting httpd
  [error] CalledProcessError: Command ''/bin/systemctl' 
'restart' 'httpd.service'' returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for 
details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 
'httpd.service'' returned non-zero exit status 1


then I can see that httpd fails to restart for:

Starting The Apache HTTP Server...
(98)Address already in use: AH00072: make_sock: could not 
bind to address [::]:8443
(98)Address already in use: AH00072: make_sock: could not 
bind to address 0.0.0.0:8443

no listening sockets available, shutting down

and port is bound by:

UID PID  PPID  C SZ   RSS PSR STIME TTY  TIME CMD
pkiuser   5330 1  1 2128224 494604 5 11:00 ?   00:00:16 java 
-agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on 
-DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar 
-Dcatalina.base=/var/lib/pki/pki-tomcat 
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= 
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp 
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djava.security.manager 
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy 
org.apache.catalina.startup.Bootstrap start


and this is as you can see, the process, the result of the 
ipa-server-install itself.

Any suggestions as what is the problem there?

many thanks.



Re: [Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-05 Thread Rob Crittenden

Steve Dainard wrote:

Following this guide:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

STEP 4:
ipa-server-install --setup-dns -p 'password' -a 'password' -r
MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
--forwarder=10.0.0.2 --forwarder=10.0.0.5

Server host name [ipa1.miovision.linux]:

Warning: skipping DNS resolution of host ipa1.miovision.linux
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.0.6.3
Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
Using reverse zone 6.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa1.miovision.linux
IP address:    10.0.6.3
Domain name:   miovision.linux
Realm name:    MIOVISION.LINUX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.0.0.2, 10.0.0.5
Reverse zone:  6.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd

...

Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
   [1/10]: adding sasl mappings to the directory
   [2/10]: adding kerberos container to the directory
   [3/10]: configuring KDC
   [4/10]: initialize kerberos container
Failed to initialize the realm container
   [5/10]: adding default ACIs
   [6/10]: creating a keytab for the directory
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1

*/var/log/ipaserver-install.log*

add aci:

(target=ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux;)(targetattr=userCertificate)(version
3.0; acl Modify CA Certificates for renewals; allow(write) userdn =
ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux;;)
modifying entry cn=ipa,cn=etc,dc=miovision,dc=linux
modify complete


2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )

2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
root/admin@MIOVISION.LINUX with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 614, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-server-install, line 1024, in main
 subject_base=options.subject)

   File
/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py,
line 183, in create_instance
 self.start_creation(runtime=30)

   File /usr/lib/python2.6/site-packages/ipaserver/install/service.py,
line 358, in start_creation
 method()

   File
/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py,
line 386, in __create_ds_keytab
 installutils.kadmin_addprinc(ldap_principal)

   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 369, in kadmin_addprinc
 kadmin(addprinc -randkey  + principal)

   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 366, in kadmin
 -x, ipa-setup-override-restrictions])

   File /usr/lib/python2.6/site-packages/ipapython/ipautil.py, line
316, in run
 raise CalledProcessError(p.returncode, args)

2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
exception: CalledProcessError: Command 'kadmin.local -q addprinc
-randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1



Hmm, strange. Nothing is jumping out at me for the cause or solution. 
What version of IPA is this? rpm -q ipa-server


Any chance you can send the entire server install log? You can send it 
to me privately if you'd like.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-05 Thread Rob Crittenden

Steve Dainard wrote:

Following this guide:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

STEP 4:
ipa-server-install --setup-dns -p 'password' -a 'password' -r
MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
--forwarder=10.0.0.2 --forwarder=10.0.0.5

Server host name [ipa1.miovision.linux]:

Warning: skipping DNS resolution of host ipa1.miovision.linux
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.0.6.3
Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
Using reverse zone 6.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa1.miovision.linux
IP address:    10.0.6.3
Domain name:   miovision.linux
Realm name:    MIOVISION.LINUX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.0.0.2, 10.0.0.5
Reverse zone:  6.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd

...

Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
   [1/10]: adding sasl mappings to the directory
   [2/10]: adding kerberos container to the directory
   [3/10]: configuring KDC
   [4/10]: initialize kerberos container
Failed to initialize the realm container
   [5/10]: adding default ACIs
   [6/10]: creating a keytab for the directory
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1

*/var/log/ipaserver-install.log*

add aci:

(target=ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux;)(targetattr=userCertificate)(version
3.0; acl Modify CA Certificates for renewals; allow(write) userdn =
ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux;;)
modifying entry cn=ipa,cn=etc,dc=miovision,dc=linux
modify complete


2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )

2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
root/admin@MIOVISION.LINUX with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 614, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-server-install, line 1024, in main
 subject_base=options.subject)

   File
/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py,
line 183, in create_instance
 self.start_creation(runtime=30)

   File /usr/lib/python2.6/site-packages/ipaserver/install/service.py,
line 358, in start_creation
 method()

   File
/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py,
line 386, in __create_ds_keytab
 installutils.kadmin_addprinc(ldap_principal)

   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 369, in kadmin_addprinc
 kadmin(addprinc -randkey  + principal)

   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 366, in kadmin
 -x, ipa-setup-override-restrictions])

   File /usr/lib/python2.6/site-packages/ipapython/ipautil.py, line
316, in run
 raise CalledProcessError(p.returncode, args)

2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
exception: CalledProcessError: Command 'kadmin.local -q addprinc
-randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1



Steve sent me the logs out-of-band. I think the problem is an earlier 
failure after generating the master key:


2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r MIOVISION.LINUX 
-x ipa-setup-override-restrictions

2014-02-04T20:45:45Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 
'MIOVISION.LINUX',

master key name 'K/M@MIOVISION.LINUX'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext: 
Assertion `ld != ((void *)0)' failed.


What version of 
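The diagnosis in this reply (the `kadmin.local` error reported at step 6/10 follows from the earlier `kdb5_util` assertion) can be checked mechanically when triaging an install log. The script below is an added example, not part of the original thread and not FreeIPA code; the sample log is constructed from the excerpts quoted here with a placeholder realm (EXAMPLE.TEST), and the function names and stderr patterns are assumptions.

```python
import re

# Constructed sample modelled on the /var/log/ipaserver-install.log excerpts
# quoted in this thread; realm, host and the ldapmodify arguments are placeholders.
SAMPLE_LOG = """\
2014-02-04T20:45:45Z DEBUG   [4/10]: initialize kerberos container
2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r EXAMPLE.TEST -x ipa-setup-override-restrictions
2014-02-04T20:45:45Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.TEST',
master key name 'K/M@EXAMPLE.TEST'

2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext: Assertion `ld != ((void *)0)' failed.

2014-02-04T20:45:45Z DEBUG   [5/10]: adding default ACIs
2014-02-04T20:45:45Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/constructed.ldif
2014-02-04T20:45:51Z DEBUG stdout=modifying entry cn=ipa,cn=etc,dc=example,dc=test
modify complete

2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-TEST.socket/??base )

2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa1.example.test@EXAMPLE.TEST -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal root/admin@EXAMPLE.TEST with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa1.example.test@EXAMPLE.TEST -x ipa-setup-override-restrictions' returned non-zero exit status 1
"""

# A record starts with an ISO timestamp and a level; anything else is a continuation.
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ([A-Z]+)\s+(.*)$")

# stderr text treated as a real failure. The first two come from this thread;
# the third is an assumption. Plain chatter such as ldap_initialize(...) is ignored.
STDERR_HINTS = [re.compile(p, re.I) for p in (
    r"assertion .* failed",
    r"no such entry in the database",
    r"segmentation fault|core dumped",
)]

REPORTED = re.compile(
    r"CalledProcessError: Command '(.+?)' returned non-zero exit status \d+")


def parse_records(text):
    """Return [timestamp, level, message] records, folding continuation lines."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records and line.strip():
            records[-1][2] += "\n" + line
    return records


def commands(records):
    """Group args=/stdout=/stderr= records into one dict per executed command."""
    cmds = []
    for ts, _level, msg in records:
        if msg.startswith("args="):
            cmds.append({"time": ts, "args": msg[5:], "stdout": "", "stderr": ""})
        elif cmds and msg.startswith(("stdout=", "stderr=")):
            key, _, value = msg.partition("=")
            cmds[-1][key] = value
    return cmds


def failing_commands(text):
    """Commands whose stderr matches a failure hint, in log order."""
    flagged = []
    for cmd in commands(parse_records(text)):
        stderr = " ".join(cmd["stderr"].split())  # undo line wrapping
        if any(h.search(stderr) for h in STDERR_HINTS):
            flagged.append(cmd)
    return flagged


def triage(text):
    """Compare the first failing command with the one the installer reports."""
    flagged = failing_commands(text)
    first = flagged[0]["args"] if flagged else None
    reported = None
    for _ts, _level, msg in parse_records(text):
        m = REPORTED.search(" ".join(msg.split()))
        if m:
            reported = m.group(1)
    return {"first_failure": first, "reported": reported,
            "masked": bool(first and reported and first != reported)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When `masked` is true, the command named in the installer's final exception is a downstream symptom, and the earlier command is the one to investigate.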

Re: [Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-05 Thread Steve Dainard
rpm -qa | grep krb5
pam_krb5-2.3.11-9.el6.x86_64
*krb5-server-1.10.3-10.el6_4.6.x86_64*
krb5-libs-1.10.3-10.el6_4.6.x86_64
krb5-workstation-1.10.3-10.el6_4.6.x86_64

I don't see any segfaults in messages.

/var/log/dirsrv/slapd-MIOVISION-LINUX/errors looks pretty clean:

389-Directory/1.2.11.15 B2013.337.1530
ipa1.miovision.linux:389 (/etc/dirsrv/slapd-MIOVISION-LINUX)

[04/Feb/2014:15:39:54 -0500] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access the
database
[04/Feb/2014:15:39:54 -0500] - check_and_set_import_cache: pagesize: 4096,
pages: 1497738, procpages: 51916
[04/Feb/2014:15:39:54 -0500] - Import allocates 2396380KB import cache.
[04/Feb/2014:15:39:55 -0500] - import userRoot: Beginning import job...
[04/Feb/2014:15:39:55 -0500] - import userRoot: Index buffering enabled
with bucket size 100
[04/Feb/2014:15:39:56 -0500] - import userRoot: Processing file
/var/lib/dirsrv/boot.ldif
[04/Feb/2014:15:39:56 -0500] - import userRoot: Finished scanning file
/var/lib/dirsrv/boot.ldif (1 entries)
[04/Feb/2014:15:40:03 -0500] - import userRoot: Workers finished; cleaning
up...
[04/Feb/2014:15:40:04 -0500] - import userRoot: Workers cleaned up.
[04/Feb/2014:15:40:05 -0500] - import userRoot: Cleaning up producer
thread...
[04/Feb/2014:15:40:05 -0500] - import userRoot: Indexing complete.
 Post-processing...
[04/Feb/2014:15:40:06 -0500] - import userRoot: Generating numSubordinates
complete.
[04/Feb/2014:15:40:07 -0500] - Nothing to do to build ancestorid index
[04/Feb/2014:15:40:08 -0500] - import userRoot: Flushing caches...
[04/Feb/2014:15:40:08 -0500] - import userRoot: Closing files...
[04/Feb/2014:15:40:10 -0500] - All database threads now stopped
[04/Feb/2014:15:40:10 -0500] - import userRoot: Import complete.  Processed
1 entries in 15 seconds. (0.07 entries/sec)
[04/Feb/2014:15:40:18 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:40:19 -0500] - Db home directory is not set. Possibly
nsslapd-directory (optinally nsslapd-db-home-directory) is missing in the
config file.
[04/Feb/2014:15:40:19 -0500] - I'm resizing my cache now...cache was
2453893120 and is now 800
[04/Feb/2014:15:40:36 -0500] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[04/Feb/2014:15:40:36 -0500] - slapd shutting down - signaling operation
threads
[04/Feb/2014:15:40:37 -0500] - slapd shutting down - closing down internal
subsystems and plugins
[04/Feb/2014:15:40:37 -0500] - Waiting for 4 database threads to stop
[04/Feb/2014:15:40:38 -0500] - All database threads now stopped
[04/Feb/2014:15:40:38 -0500] - slapd stopped.
[04/Feb/2014:15:40:40 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:40:41 -0500] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[04/Feb/2014:15:40:43 -0500] - The change of nsslapd-ldapilisten will not
take effect until the server is restarted
[04/Feb/2014:15:41:10 -0500] - Warning: Adding configuration attribute
nsslapd-security
[04/Feb/2014:15:41:13 -0500] - slapd shutting down - signaling operation
threads
[04/Feb/2014:15:41:14 -0500] - slapd shutting down - waiting for 30 threads
to terminate
[04/Feb/2014:15:41:14 -0500] - slapd shutting down - closing down internal
subsystems and plugins
[04/Feb/2014:15:41:15 -0500] - Waiting for 4 database threads to stop
[04/Feb/2014:15:41:17 -0500] - All database threads now stopped
[04/Feb/2014:15:41:17 -0500] - slapd stopped.
[04/Feb/2014:15:41:27 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:41:27 -0500] attrcrypt - No symmetric key found for cipher
AES in backend userRoot, attempting to create one...
[04/Feb/2014:15:41:28 -0500] attrcrypt - Key for cipher AES successfully
generated and stored
[04/Feb/2014:15:41:29 -0500] attrcrypt - No symmetric key found for cipher
3DES in backend userRoot, attempting to create one...
[04/Feb/2014:15:41:29 -0500] attrcrypt - Key for cipher 3DES successfully
generated and stored
[04/Feb/2014:15:41:31 -0500] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[04/Feb/2014:15:41:31 -0500] - Listening on All Interfaces port 636 for
LDAPS requests
[04/Feb/2014:15:41:32 -0500] - Listening on
/var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
[04/Feb/2014:15:42:06 -0500] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
should be added before the CoS Definition.
[04/Feb/2014:15:44:31 -0500] - slapd shutting down - signaling operation
threads
[04/Feb/2014:15:44:33 -0500] - slapd shutting down - closing down internal
subsystems and plugins
[04/Feb/2014:15:44:44 -0500] - Waiting for 4 database threads to stop
[04/Feb/2014:15:44:47 -0500] - All database threads now stopped
[04/Feb/2014:15:44:47 -0500] - slapd stopped.
[04/Feb/2014:15:44:49 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:44:51 -0500] schema-compat-plugin - warning: no 

[Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-04 Thread Steve Dainard
Following this guide:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

STEP 4:
ipa-server-install --setup-dns -p 'password' -a 'password' -r
MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
--forwarder=10.0.0.2 --forwarder=10.0.0.5

Server host name [ipa1.miovision.linux]:

Warning: skipping DNS resolution of host ipa1.miovision.linux
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.0.6.3
Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
Using reverse zone 6.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:  ipa1.miovision.linux
IP address:10.0.6.3
Domain name:   miovision.linux
Realm name:MIOVISION.LINUX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:10.0.0.2, 10.0.0.5
Reverse zone:  6.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd

...

Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
Failed to initialize the realm container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1

*/var/log/ipaserver-install.log*

add aci:

(target=ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux;)(targetattr=userCertificate)(version
3.0; acl Modify CA Certificates for renewals; allow(write) userdn =
ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux;;)
modifying entry cn=ipa,cn=etc,dc=miovision,dc=linux
modify complete


2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )

2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
root/admin@MIOVISION.LINUX with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py, line
614, in run_script
return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1024, in main
subject_base=options.subject)

  File /usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py,
line 183, in create_instance
self.start_creation(runtime=30)

  File /usr/lib/python2.6/site-packages/ipaserver/install/service.py,
line 358, in start_creation
method()

  File /usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py,
line 386, in __create_ds_keytab
installutils.kadmin_addprinc(ldap_principal)

  File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py, line
369, in kadmin_addprinc
kadmin(addprinc -randkey  + principal)

  File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py, line
366, in kadmin
-x, ipa-setup-override-restrictions])

  File /usr/lib/python2.6/site-packages/ipapython/ipautil.py, line 316,
in run
raise CalledProcessError(p.returncode, args)

2014-02-04T20:45:51Z INFO The ipa-server-install command failed, exception:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1


*Steve Dainard *
IT Infrastructure Manager
Miovision http://miovision.com/ | *Rethink Traffic*
___
Freeipa-users mailing list
Freeipa-users@redhat.com

[Freeipa-users] ipa-server-install fails

2011-01-18 Thread Corey Hemminger
How do I add the updates-devel repo to Fedora? I'm having issues with Fedora 14 
and IPA 2.0 beta 1 installing. I added the bleeding edge repo for IPA and 
updates-testing for Fedora but I still get errors during the CA authority 
portion of the install. 

Corey

On Jan 18, 2011, at 11:00 AM, freeipa-users-requ...@redhat.com 
freeipa-users-requ...@redhat.com wrote:

 Message: 1
 Date: Mon, 17 Jan 2011 14:10:37 -0500
 From: Simo Sorce sso...@redhat.com
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Unable to change Admin password
 Message-ID: 20110117141037.2d899...@willson.li.ssimo.org
 Content-Type: text/plain; charset=US-ASCII
 
 On Wed, 12 Jan 2011 20:02:14 +
 ide4...@gmail.com wrote:
 
 Yes ipa_kpasswd is running.
 
 
 
 Can you check it was able to bind to udp ports ?
 
 I just noticed it wasn't able to in my fedora 14, and posted a patch.
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 
 
 
 --
 
 Message: 2
 Date: Mon, 17 Jan 2011 14:13:14 -0500
 From: Simo Sorce sso...@redhat.com
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] certificate verify failed - WinSync
strangeness - ipa-server-1.2.2-0
 Message-ID: 20110117141314.2a80a...@willson.li.ssimo.org
 Content-Type: text/plain; charset=US-ASCII
 
 On Wed, 12 Jan 2011 12:03:59 -0600
 d...@killbrad.com d...@killbrad.com wrote:
 
 Ok, so the ipa-server-certinstall script seems to be where things did
 not work as I perhaps expected them to.
 
 I manually put the certificates in the dirsrv cert db, and the web
 interface cert db.  The ipa-replica-manage uses replication.py, which
 is declaring
 
 CACERT=/usr/share/ipa/html/ca.crt
 
 It looks like this is where the error is being caused.  The
 certification there is still the original IPA Test Certificate
 Authority.  If I point it to the DigiCertCA.crt (which should work),
 OR the AD-ca.crt file, I get the same error as originally mentioned
 when running 'ipa-replica-manage list'. If I comment out the CACERT
 variable it does as expected:  unexpected error: global name 'CACERT'
 is not defined
 
 So, can someone give me some advice about where else it may be
 reading the certificate from, or how I can do things the proper way
 for IPA?
 
 /etc/ipa/ca.crt is another place where the cert can be found.
 
 but for winsync you can pass the cacert on the command line, have you
 tried that ?
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 
 
 
 --
 
 Message: 3
 Date: Tue, 18 Jan 2011 00:47:33 +0100
 From: Geerten Schram geer...@schram.name
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] ipa-server-install fails
 Message-ID: 201101180047.34231.geer...@schram.name
 Content-Type: Text/Plain;  charset=iso-8859-1
 
 On Thursday 13 January 2011 04:17:11 Dmitri Pal wrote:
 Dmitri Pal wrote:
 Geerten Schram wrote:
 Hi All,
 
 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64
 I get an error (see list1 and ipserver-install.log). I just don't get
 it. When I run the pkisilent command by hand I get
 
 ###
 Unrecognized argument: Manager
 Use -help for help information
 
 ###
 
 The only Manager comes from the built-in bind_dn, so I guess that's not
 the problem. Does someone have a clue?
 
 Regards,
 
 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.
 
 Just started package install will take a while since many packages
 changed in last couple weeks.
 Will let you know if I see any issues with the today's build.
 
 Yes it installed fine with all defaults.
 I will play with it more later today.
 
 Indeed it does. Works very nicely with the ipa-devel + update

Re: [Freeipa-users] ipa-server-install fails

2011-01-18 Thread John Dennis

On 01/18/2011 04:32 PM, Corey Hemminger wrote:

How do I add the updates-devel repo to fedora. I'm having issues with
fedora 14 and ipa 2.0 beta 1 installing. I added the bleeding edge
repo for ipa and updates-testing for fedora but I still get errors
during the ca authority portion of the install.

Corey


Hi Corey:

That doesn't give us much information to go on. Could you please tell us 
what the errors are? It would also help to know the versions of a couple 
of the key packages, e.g.


$ rpm -q ipa-server pki-ca

After you enabled the repos did you do a yum upgrade?

To enable updates-devel edit /etc/yum.repos.d/fedora-updates.repo and 
make sure the enabled value is 1, e.g.


enabled=1

--
John Dennis jden...@redhat.com



Re: [Freeipa-users] ipa-server-install fails

2011-01-13 Thread Jeff B
Dimitri,

I didn't mean it to be an insult.  yes it was unstable, very unstable
for 24 hours. but also a ton of work was done in that time frame.  I'm
just starting to evaluate IPA and I found it encouraging that bugs got
fixed quickly.   I'd only suggest rolling pre2 since it seems that
ipa-server-install is broken for more than just me and my environment.

-Jeff

On Thu, Jan 13, 2011 at 12:40 AM, Dmitri Pal d...@redhat.com wrote:
 Jeff B wrote:
 The build right now is the first time I've been able to get
 everything(?) working including the UI. So grab it quick!  :D  I was
 updating yesterday evening and all day today and ran into all kinds of
 issues that came and went with today's checkins.



 Sorry. It will get better.
 We are really working hard to make it a first-class product. We are not
 there yet but we are coming there from all sorts of directions at the
 same time.

 Thanks,
 Dmitri
 On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:

 Geerten Schram wrote:

 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run
 the pkisilent command by hand I get

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only Manager comes from the built-in bind_dn, so I guess that's not the
 problem. Does someone have a clue?

 Regards,



 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started package install will take a while since many packages
 changed in last couple weeks.
 Will let you know if I see any issues with the today's build.

 Thanks
 Dmitri


 Geerten Schram

 


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.







Re: [Freeipa-users] ipa-server-install fails

2011-01-13 Thread Dmitri Pal
Jeff B wrote:
 Dimitri,

 I didn't mean it to be an insult.  
Oh no, do not take me wrong. I just understand your pain and feel guilty.

 yes it was unstable, very unstable
 for 24 hours. but also a ton of work was done in that time frame.  I'm
 just starting to evaluate IPA and I found it encouraging that bugs got
 fixed quickly.   I'd only suggest rolling pre2 since it seems that
 ipa-server-install is broken for more than just me and my environment.

   

We will try...

 -Jeff

 On Thu, Jan 13, 2011 at 12:40 AM, Dmitri Pal d...@redhat.com wrote:
   
 Jeff B wrote:
 
 The build right now is the first time I've been able to get
 everything(?) working including the UI. So grab it quick!  :D  I was
 updating yesterday evening and all day today and ran into all kinds of
 issues that came and went with today's checkins.


   
 Sorry. It will get better.
 We are really working hard to make it a first-class product. We are not
 there yet but we are coming there from all sorts of directions at the
 same time.

 Thanks,
 Dmitri
 
 On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:

   
 Geerten Schram wrote:

 
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 
 I get
 an error (see list1 and ipserver-install.log). I just don't get it. When 
 I run
 the pkisilent command by hand I get

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only Manager comes from the built-in bind_dn, so I guess that's not the
 problem. Does someone have a clue?

 Regards,



   
 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started package install will take a while since many packages
 changed in last couple weeks.
 Will let you know if I see any issues with the today's build.

 Thanks
 Dmitri


 
 Geerten Schram

 


   
 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.




 
 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.




 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Rob Crittenden

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get
an error (see list1 and ipserver-install.log). I just don't get it. When I run
the pkisilent command by hand I get

###
Unrecognized argument: Manager
Use -help for help information

###

The only Manager comes from the built-in bind_dn, so I guess that's not the
problem. Does someone have a clue?

Regards,

Geerten Schram


You would need to escape any spaces to try pasting the command on the 
command-line.


What version of pki-ca and pki-silent do you have installed?

You might also want to look at /var/log/pki-ca/debug for perhaps more 
details.


rob



Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Dmitri Pal
Geerten Schram wrote:
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get 
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run 
 the pkisilent command by hand I get 

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only Manager comes from the built-in bind_dn, so I guess that's not the 
 problem. Does someone have a clue?

 Regards,

   

This is the same issue I was hitting when I was testing beta and the
workaround with the links to java jars described in the release notes
fixed this issue.
The latest devel repository has this fixed. You might try installing
from there.
http://jdennis.fedorapeople.org/ipa-devel/
Make sure you also have updates testing enabled since some other
packages we depend on have been fixed in the recent weeks.

Just started package install will take a while since many packages
changed in last couple weeks.
Will let you know if I see any issues with the today's build.

Thanks
Dmitri

 Geerten Schram
   
 



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Dmitri Pal
Dmitri Pal wrote:
 Geerten Schram wrote:
   
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get 
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run 
 the pkisilent command by hand I get 

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only Manager comes from the built-in bind_dn, so I guess that's not the 
 problem. Does someone have a clue?

 Regards,

   
 

 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started package install will take a while since many packages
 changed in last couple weeks.
 Will let you know if I see any issues with the today's build.

   

Yes it installed fine with all defaults.
I will play with it more later today.

 Thanks
 Dmitri

   
 Geerten Schram
   
 

 


   


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Jeff B
The build right now is the first time I've been able to get
everything(?) working including the UI. So grab it quick!  :D  I was
updating yesterday evening and all day today and ran into all kinds of
issues that came and went with today's checkins.


On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:
 Geerten Schram wrote:
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run
 the pkisilent command by hand I get

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only Manager comes from the built-in bind_dn, so I guess that's not the
 problem. Does someone have a clue?

 Regards,



 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started package install will take a while since many packages
 changed in last couple weeks.
 Will let you know if I see any issues with the today's build.

 Thanks
 Dmitri

 Geerten Schram

 



 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.






Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Dmitri Pal
Jeff B wrote:
 The build right now is the first time I've been able to get
 everything(?) working including the UI. So grab it quick!  :D  I was
 updating yesterday evening and all day today and ran into all kinds of
 issues that came and went with today's checkins.

   

Sorry. It will get better.
We are really working hard to make it a first-class product. We are not
there yet but we are coming there from all sorts of directions at the
same time.

Thanks,
Dmitri
 On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:
   
 Geerten Schram wrote:
 
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run
 the pkisilent command by hand I get

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only Manager comes from the built-in bind_dn, so I guess that's not the
 problem. Does someone have a clue?

 Regards,


   
 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started package install will take a while since many packages
 changed in last couple weeks.
 Will let you know if I see any issues with the today's build.

 Thanks
 Dmitri

 
 Geerten Schram

 

   
 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.



 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

