Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-07 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

This advice has gotten me much further, thanks. We didn't have an HBAC
rule for admin and, now with it in place, connection checks and other
commands appear to be working that haven't worked before. I'm still
getting caught on the CA portion of the replica installation.
Confoundingly, neither the ipa-replica-install nor ipa-ca-install
commands will complete (the former with the --setup-ca option), the
latter producing this output in the last few lines of
ipareplica-ca-install.log:

2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-07T12:44:32Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389
2016-06-07T12:44:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-replica.example.com:7389 conn=
2016-06-07T12:44:32Z DEBUG Check OK
2016-06-07T12:44:32Z DEBUG Destroyed connection context.ldap2_50387920
2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-07T12:44:32Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 150, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1530, in install_replica_ca
    sys.exit("A CA is already configured on this system.")
2016-06-07T12:44:32Z DEBUG The ipa-ca-install command failed, exception: SystemExit: A CA is already configured on this system.

This occurs when I run either the replica or ca installer commands a
second time.


A second time how? Are you running ipa-server-install --uninstall in 
between?


In any case, when the CA install fails 99 times out of 100 the ipa* 
install logs will contain nothing useful. You need to dig into the CA 
logs to see why the install failed.


rob



Best regards,

Dan



Daniel Alex Finkelstein | Senior Dev Ops Engineer

dan.finkelst...@h5g.com | 212.604.3447

One World Trade Center, New York, NY 10007

www.high5games.com 


From: Rob Crittenden
Date: Monday, June 6, 2016 at 18:08
To: Daniel Finkestein, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

dan.finkelst...@high5games.com wrote:

By the way, I want to mention the conncheck: if I don't skip it, it
tries to ssh into the master IPA instance as 'admin@', rather
than the user (root), and fails. All other parts of the connectivity
check work, however. Why does it try to access the master as a Kerberos
principal instead of the process user?

Because the remote master, being an IPA server, should have an admin
account, so it's a known. root over ssh is not allowed in some environments.

There is a ticket open to be able to set the login to be used, right now
admin is hardcoded.

As for the install failure you should now have the appropriate logs to
start diagnosing what was going on in /var/log/pki.

rob

Thanks,

Dan



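Rob's advice in the message above is that, when the CA step fails, the ipa* install logs mostly just record that pkispawn exited non-zero and point at the CA-side logs, so those are what you have to read. The block below is an added example written for this page, not code from the thread, from FreeIPA or from Dogtag: a small triage helper that pulls exactly those pointers out of an ipareplica-install.log excerpt (the pkispawn command IPA ran, its exit status, every CA-side log path IPA names, the last exception pkispawn itself printed on stderr, and any exception ipa-ca-install reported on its own). The sample log is a constructed, trimmed copy of the excerpt Dan quotes later in the thread; the HINTS table is my reading of the advice Rob gives in this thread (pass the replica file to ipa-ca-install, or pkidestroy a stale instance), not an IPA error catalogue, and the line formats it matches are the ones visible in the quoted logs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a trimmed copy of the /var/log/ipareplica-install.log
# excerpt quoted in this thread, not a log captured for this example.
SAMPLE_LOG = """\
2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.
2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in <module>
    main(sys.argv)
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.
"""

# Every IPA-side line starts with an ISO timestamp; pkispawn's own output does not.
TS = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z "
RE_TS = re.compile(TS)
RE_ARGS = re.compile(TS + r"DEBUG args=(.*)$")
RE_RC = re.compile(TS + r"DEBUG Process finished, return code=(\d+)")
RE_IPA_FAIL = re.compile(TS + r"DEBUG The \S+ command failed, exception:\s*(.*)$")
RE_LOGFILE = re.compile(r"Log file: (\S+)")
RE_CRIT_PATH = re.compile(TS + r"CRITICAL\s+(/\S+)\s*$")
RE_EXC = re.compile(r"^([A-Za-z_][\w.]*(?:Error|Exception|Exit)): (.*)$")

# Hints are my reading of the advice given in this thread, not an IPA error catalogue.
HINTS = {
    "CS.cfg": "pkispawn loaded an existing pki-tomcat instance whose CA subsystem "
              "has no CS.cfg, i.e. a half-configured CA instance is already present; "
              "read /var/log/pki/pki-ca-spawn.*.log before re-running anything.",
    "already": "ipa-ca-install without a replica file tries to create a brand new CA; "
               "pass the replica file (ipa-ca-install replicafile) or, if no CA ever "
               "finished installing here, remove the stale instance first "
               "(pkidestroy -i pki-tomcat -s CA).",
}


def triage_ca_failure(log_text: str) -> Dict[str, object]:
    """Extract the CA-relevant facts from an ipa*-install.log excerpt."""
    pkispawn_cmd: Optional[str] = None
    return_code: Optional[int] = None
    ipa_exception: Optional[str] = None
    ca_logs: List[str] = []
    root_cause: Optional[str] = None
    in_child_stderr = False  # True while reading lines pkispawn wrote to stderr

    for line in log_text.splitlines():
        if RE_TS.match(line):
            in_child_stderr = False  # an IPA-side line ends the child's stderr block
        m = RE_ARGS.match(line)
        if m and "pkispawn" in m.group(1):
            pkispawn_cmd = m.group(1)
            continue
        m = RE_RC.match(line)
        if m:
            return_code = int(m.group(1))
            continue
        m = RE_IPA_FAIL.match(line)
        if m:
            ipa_exception = m.group(1).strip()  # raised by the IPA tool itself
            continue
        m = RE_LOGFILE.search(line)
        if m:
            ca_logs.append(m.group(1))  # pkispawn's own log, printed on its stdout
            continue
        m = RE_CRIT_PATH.match(line)
        if m:
            ca_logs.append(m.group(1))  # paths IPA itself tells you to read
            continue
        if "DEBUG stderr=" in line:
            in_child_stderr = True  # traceback header is on this line, frames follow
            continue
        if in_child_stderr:
            m = RE_EXC.match(line)
            if m:
                root_cause = m.group(1) + ": " + m.group(2)  # keep the last one seen
    return {
        "pkispawn_cmd": pkispawn_cmd,
        "return_code": return_code,
        "ca_logs": ca_logs,
        "root_cause": root_cause,
        "ipa_exception": ipa_exception,
    }


def hint_for(report: Dict[str, object]) -> Optional[str]:
    """Map the pkispawn root cause (or, failing that, the IPA-level exception) to a hint."""
    for text in (report.get("root_cause"), report.get("ipa_exception")):
        if not text:
            continue
        for needle, hint in HINTS.items():
            if needle in str(text):
                return hint
    return None


if __name__ == "__main__":
    report = triage_ca_failure(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("hint:", hint_for(report))
```

As written the main block runs on the embedded sample; the intended use is to feed it the text of a real /var/log/ipareplica-install.log or /var/log/ipareplica-ca-install.log and then open the CA-side paths it lists.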

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

By the way, I want to mention the conncheck: if I don't skip it, it
tries to ssh into the master IPA instance as 'admin@', rather
than the user (root), and fails. All other parts of the connectivity
check work, however. Why does it try to access the master as a Kerberos
principal instead of the process user?


Because the remote master, being an IPA server, should have an admin 
account, so it's a known. root over ssh is not allowed in some environments.


There is a ticket open to be able to set the login to be used, right now 
admin is hardcoded.


As for the install failure you should now have the appropriate logs to 
start diagnosing what was going on in /var/log/pki.


rob



Thanks,

Dan




From: Rob Crittenden
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Skipping the conncheck can mask odd problems and should be used sparingly.

rob





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Dan.Finkelstein
By the way, I want to mention the conncheck: if I don't skip it, it tries to 
ssh into the master IPA instance as 'admin@', rather than the user 
(root), and fails. All other parts of the connectivity check work, however. Why 
does it try to access the master as a Kerberos principal instead of the process 
user?

Thanks,
Dan


From: Rob Crittenden
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Skipping the conncheck can mask odd problems and should be used sparingly.

rob

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Dan.Finkelstein
Swing and a miss: when setting up the replicas, we always use the --setup-ca and
end the command with the replica gpg file, but it's the --setup-ca that fails
as per the earlier messages. If we proceed without --setup-ca, it's fine. I'll
try it without skipping the connection check, but I don't think the replica
file is the issue.
Thanks,
Dan


From: Rob Crittenden
Date: Monday, June 6, 2016 at 09:51
To: Daniel Finkestein, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

I think I figured out what is wrong. It is trying to add a NEW CA, not
creating a replica of the CA on this host. You need to pass in the
replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-06 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

Swing and a miss: when setting up the replicas, we always use the
--setup-ca and end the command with the replica gpg file, but it's the
--setup-ca that fails as per the earlier messages. If we proceed without
--setup-ca, it's fine. I'll try it without skipping the connection check,
but I don't think the replica file is the issue.


I meant to say: ipa-ca-install replicafile

When running ipa-ca-install without a replicafile then it assumes you 
are trying to set up a brand new CA which isn't allowed if one already 
exists. The messaging has been improved upstream.


Skipping the conncheck can mask odd problems and should be used sparingly.

rob



Thanks,

Dan




From: Rob Crittenden
Date: Monday, June 6, 2016 at 09:51
To: Daniel Finkestein, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

I think I figured out what is wrong. It is trying to add a NEW CA, not
creating a replica of the CA on this host. You need to pass in the
replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob







Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-03 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

A further update: when I try to install the CA component, it erroneously
says that the CA is installed:

[root@ipa ~]# ipa-ca-install --skip-conncheck --debug

[ snip ]

ipa : DEBUG The ipa-ca-install command failed, exception: SystemExit: CA is already installed.
CA is already installed.


Try:

# pkidestroy -i pki-tomcat -s CA


Yet:

[root@ipa ~]# ipa-csreplica-manage list

Directory Manager password:

ipa.example.com: CA not configured


Two different methods are used to determine whether a CA is installed. 
I'll open a ticket to look into that.


rob






From: on behalf of Daniel Finkestein
Date: Thursday, June 2, 2016 at 17:42
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Hi Rob,

There's a few logs in there, I'm not sure which is most informative.
Here are some sections from what I think are relevant logs:

/var/log/pki/pki-tomcat/localhost.log:

Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Dan.Finkelstein
Hi Rob,
There's a few logs in there, I'm not sure which is most informative. Here are
some sections from what I think are relevant logs:

/var/log/pki/pki-tomcat/localhost.log:

Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

Hi Sebastian,

Unfortunately, that doesn't seem to be it and reinstalling the replica
with --setup-ca failed again with the same errors. I've included relevant
sections of the logs.

/var/log/ipareplica-install.log:

2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.

2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value =

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Dan.Finkelstein
Hi Sebastian,
Unfortunately, that doesn't seem to be it and reinstalling the replica with 
--setup-ca failed again with the same errors. I've included relevant sections of 
the logs.

/var/log/ipareplica-install.log:

2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: 
/var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.

2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in 
main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", 
line 573, in compose_pki_master_dictionary
instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in 
load
subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in 
load
lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: 
'/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command 
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit 
status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following 
files/directories for more information:
2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
418, in start_creation
run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
408, in run_step
method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
620, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 201, in spawn_instance
self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, 
in run
cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, 
in run
self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, 
in execute
for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, 
in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception
util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, 
in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, 
in run_generator_with_yield_from
raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, 
in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, 
in _configure
executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, 
in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, 
in _handle_exception
self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception
util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, 
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception
util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, 
in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, 
in run_generator_with_yield_from
raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, 
in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, 
in _install
for nothing in 

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Sebastian Schäfer
Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned
out that the certificates that get bundled with the replica preparation
file were expired. This is due to the /root/cacert.p12 file not being
updated during the preparation process until FreeIPA 3.2.2.

The file can be recreated with the commands from step 2 of
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of)
the actual logfiles of your replica installation attempt.

Best regards
--
Sebastian Schäfer, M. A.
---
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln

Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schae...@dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, dan.finkelst...@high5games.com wrote:
> Hi folks,
> 
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
> 
>  
> 
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> --setup-ca option, that portion fails. Here's a snippet of the output:
> 
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> 30 seconds
> 
>   [1/23]: creating certificate server user
> 
>   [2/23]: configuring certificate server instance
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki-ca-install.log
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki/pki-tomcat
> 
>   [error] RuntimeError: CA configuration failed.
> 
> Your system may be partly configured.
> 
> Run /usr/sbin/ipa-server-install --uninstall to clean up.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
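A quick way to confirm the diagnosis above before preparing another replica is to look at the expiry dates of the certificates inside the bundle itself. The shell function below is an added example, not code from this thread or from the FreeIPA project: it dumps every certificate in a PKCS#12 file with the openssl CLI and reports whether each one is still valid, optionally for a window some seconds in the future so you can tell whether a bundle you are about to ship will still be good when the replica actually installs it. It assumes openssl is on PATH, that the file is /root/cacert.p12 (or the cacert.p12 unpacked from a replica-info file), and that you know the bundle password (in a standard install this is the Directory Manager password, which is why the linked howto regenerates the file when that password changes).

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): list every
# certificate inside a PKCS#12 bundle such as /root/cacert.p12 and report
# whether each is still valid, using only the openssl CLI.
#
# Assumptions: openssl is on PATH; the bundle password is known and is
# passed as the second argument.
#
# Usage: p12_cert_status /root/cacert.p12 'bundle-password' [SECONDS]
#   SECONDS (default 0) asks "will any cert have expired SECONDS from now?",
#   so a value of, say, 604800 tells you whether the bundle survives a week.
# Prints one line per certificate: "<notAfter>  <status>  <subject>"
# Returns 0 if every cert is valid for the window, 1 if any has expired,
# 2 if the bundle could not be opened (wrong password, not a PKCS#12).
p12_cert_status() {
    p12="$1"; pass="$2"; window="${3:-0}"
    tmpdir=$(mktemp -d) || return 2
    # Dump certificates only (no private keys) as PEM into the temp dir.
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" \
        -out "$tmpdir/chain.pem" 2>/dev/null || { rm -rf "$tmpdir"; return 2; }
    # Split the concatenated PEM (which also carries "Bag Attributes" lines)
    # into one file per certificate, keeping only the BEGIN..END blocks.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$tmpdir/chain.pem"
    rc=0
    for c in "$tmpdir"/cert*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N exits 0 if the cert is still valid N seconds from now.
        if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
            status=valid
        else
            status=EXPIRED
            rc=1
        fi
        printf '%s  %s  %s\n' "$end" "$status" "$subj"
    done
    rm -rf "$tmpdir"
    return $rc
}
```

An EXPIRED line for the CA certificate is the condition Sebastian describes: ipa-replica-prepare would package that certificate as-is, and the new replica's CA setup cannot succeed with it. Run the check against /root/cacert.p12 on the existing master before preparing the replica, and again against the cacert.p12 inside the replica-info file if you want to be sure the bundle you copied is the regenerated one.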


[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-01 Thread Dan.Finkelstein
Hi folks,
As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 
4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in 
CentOS 7 and then hope to promote one of them to the CA master. I'm running 
into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca 
option, that portion fails. Here's a snippet of the output:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
seconds
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' 
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs 
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Second, I've tried a "trick" where I run an ipa-backup on the 4.2.0 replica and 
then restore it, hoping to convince the server that it's now a master. When I 
try to run ipa-replica-prepare, it quickly exits with the mysterious "no such 
entry" error:

[root@ipa ~]# ipa-replica-prepare ipa4test.example.local --ip-address 
10.55.10.36
Directory Manager (existing master) password:

Preparing replica for ipa4test.example.local from ipa.example.local
no such entry

Ideas, suggestions, and help are very welcome!

Best regards,
Dan



Daniel Alex Finkelstein| Senior Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com