Re: [Freeipa-users] Difficulty installing freeipa

2011-06-08 Thread Rob Crittenden

Dmitri Pal wrote:

  On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:


I continue to work with performance issues. I went into the krb5.conf
and changed dns_lookup_kdc from true to false. Kinit now responds
immediately. It’s cut the time on “ipa-finduser admin” from 2m30s down
to 18-20s. How fast “should” this respond?


It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By
turning off the name resolution against DNS in Kerberos you reduced the
number of lookups but probably did not eliminate all of them. I suggest
you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations.
Sorry.


Well, not quite sub-second processing. Two Kerberos authentications have 
to occur and those tend to be slow, 300ms or so each, plus processing 
time and such. A typical v1 command will take 1-3 seconds. It seems 
sometimes that the first execution is a bit slower, as a lot of Python 
modules need to get loaded, but subsequent runs tend to speed up a bit. 
18-20s is still far out of line with what I'd expect.


The logs to look at on the server are:

/var/log/dirsrv/slapd-YOURINSTANCE/access

You'd need to find the BIND for your user to get the connection number, 
then trace that through to see how long the LDAP part took. This is 
likely to be very fast.


/var/log/httpd/error_log

This will show the XML-RPC handling time, any errors, etc.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
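Rob's procedure above (find the BIND for the user, take its connection number, then follow that conn through the access log) can be scripted. What follows is an added example, not code from this thread or from FreeIPA: it runs over a constructed access-log snippet written in the 389-ds format quoted later in the thread (the conn number, DN, timestamps and etime values are made up), and separates the time the server spent on each operation (etime) from the time the connection sat idle waiting on the client. For the symptom on this page, a near-zero etime total next to a large gap between the bind and the first search points away from 389-ds and toward the client side (name resolution, Kerberos, the XML-RPC handling in Apache).

```python
import re
from datetime import datetime

# Constructed sample, shaped like the 389-ds access-log lines quoted in this
# thread; it is not a log from the original post. conn=20 binds as admin over
# GSSAPI, sits idle for 19 s, then runs one search the server answers in 1 s.
SAMPLE_ACCESS_LOG = """\
[07/Jun/2011:14:47:00 -0700] conn=20 fd=64 slot=64 connection from 1.2.3.4 to 1.2.3.4
[07/Jun/2011:14:47:00 -0700] conn=20 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2011:14:47:00 -0700] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[07/Jun/2011:14:47:00 -0700] conn=20 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2011:14:47:00 -0700] conn=20 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov"
[07/Jun/2011:14:47:19 -0700] conn=20 op=2 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2 filter="(uid=admin)" attrs=ALL
[07/Jun/2011:14:47:20 -0700] conn=20 op=2 RESULT err=0 tag=101 nentries=1 etime=1
[07/Jun/2011:14:47:20 -0700] conn=20 op=3 UNBIND
[07/Jun/2011:14:47:20 -0700] conn=21 fd=65 slot=65 connection from 1.2.3.4 to 1.2.3.4
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
ETIME_RE = re.compile(r'\betime=(\d+(?:\.\d+)?)')   # integer in 1.2.x, fractional in later releases
DN_RE = re.compile(r'\bdn="([^"]*)"')


def parse(line):
    """One access-log record -> dict, or None for lines that are not conn records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'conn': int(m.group('conn')),
        'op': int(m.group('op')) if m.group('op') is not None else None,
        'rest': m.group('rest'),
    }


def find_bind_conns(lines, dn_fragment):
    """Connection numbers that authenticated as a DN containing dn_fragment.
    A simple bind carries the DN on the BIND line; a SASL/GSSAPI bind reports
    the mapped DN on its final RESULT line, so both kinds of line are checked."""
    conns = set()
    for rec in filter(None, map(parse, lines)):
        if rec['rest'].startswith(('BIND', 'RESULT')):
            m = DN_RE.search(rec['rest'])
            if m and dn_fragment in m.group(1):
                conns.add(rec['conn'])
    return sorted(conns)


def trace_connection(lines, conn):
    """Follow one connection through the log and split its lifetime into
    server time (sum of etime) and idle time (gaps between consecutive records)."""
    recs = [r for r in map(parse, lines) if r and r['conn'] == conn]
    if not recs:
        raise ValueError('conn=%d not found' % conn)
    etimes = [float(ETIME_RE.search(r['rest']).group(1))
              for r in recs if r['rest'].startswith('RESULT') and ETIME_RE.search(r['rest'])]
    gaps = [(cur['op'], (cur['ts'] - prev['ts']).total_seconds())
            for prev, cur in zip(recs, recs[1:])]
    largest = max(gaps, key=lambda g: g[1]) if gaps else None
    return {
        'conn': conn,
        'ops': len([r for r in recs if r['op'] is not None and not r['rest'].startswith('RESULT')]),
        'server_seconds': sum(etimes),
        'wall_seconds': (recs[-1]['ts'] - recs[0]['ts']).total_seconds(),
        # (op number, seconds the server waited for the client before that op)
        'largest_gap_before_op': largest,
    }


if __name__ == '__main__':
    lines = SAMPLE_ACCESS_LOG.splitlines()
    for c in find_bind_conns(lines, 'uid=admin'):
        print(trace_connection(lines, c))
```

On a real server, replace SAMPLE_ACCESS_LOG with the contents of /var/log/dirsrv/slapd-YOURINSTANCE/access and search for the DN the command bound as; the 'largest_gap_before_op' entry tells you which operation the client was slow to send, and a 'server_seconds' that stays near zero confirms the LDAP part is not the problem.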


Re: [Freeipa-users] Difficulty installing freeipa

2011-06-07 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]

The short answer is, it's not.  I don't really use DNS, I rely on hosts files, 
particularly in this test environment.

-brian

From: Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, June 07, 2011 4:13 PM
To: Stamper, Brian P. (ARC-D)[Logyx LLC]; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Difficulty installing freeipa

Hi,

Where is DNS being done and how?

I tend to agree with Dmitri, it looks like DNS related issues.

regards




Re: [Freeipa-users] Difficulty installing freeipa

2011-06-07 Thread Steven Jones
Hi,

Where is DNS being done and how?

I tend to agree with Dmitri, it looks like DNS related issues.

regards




Re: [Freeipa-users] Difficulty installing freeipa

2011-06-07 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]

I'm not using a VM, I'm using a workstation dedicated to just FreeIPA.  It has 
4GB memory.
Which logs are you interested in?  I've been looking through all I can find and 
have seen nothing relevant.

-Brian

[root@freeipa ~]# free
             total       used       free     shared    buffers     cached
Mem:       3989324    2043720    1945604          0     219368    1202000
-/+ buffers/cache:     622352    3366972
Swap:      8191992          0    8191992
[root@freeipa ~]#

load average: 0.00, 0.05, 0.05


[root@freeipa ~]# date ; time ipa-finduser admin
Tue Jun  7 14:46:59 PDT 2011
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin

real    0m20.688s
user    0m0.072s
sys     0m0.022s


[root@freeipa ~]# tail -3 /var/log/ipa_error.log
2011-06-03 16:01:58,882 root INFO IPA: get_user_by_principal 'ad...@arc.nasa.gov'
2011-06-03 16:02:19,254 root INFO IPA: get_user_by_principal 'ad...@arc.nasa.gov'
2011-06-03 16:02:39,455 root INFO IPA: get_user_by_principal 'ad...@arc.nasa.gov'

[root@freeipa ~]# tail -5 /var/log/krb5kdc.log
Jun 07 14:17:31 freeipa.arc.nasa.gov krb5kdc[7680](info): commencing operation
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ad...@arc.nasa.gov for krbtgt/arc.nasa@arc.nasa.gov
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ad...@arc.nasa.gov for krbtgt/arc.nasa@arc.nasa.gov
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (4 etypes {18 17 16 23}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ad...@arc.nasa.gov for ldap/freeipa.arc.nasa@arc.nasa.gov
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ad...@arc.nasa.gov for krbtgt/arc.nasa@arc.nasa.gov

[root@freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/access
[07/Jun/2011:14:47:20 -0700] conn=20 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ad...@arc.nasa.gov))" attrs="krbPrincipalName krbcanonicalname objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbExtraData krbObjectReferences krballowedtodelegateto"
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 RESULT err=0 tag=101 nentries=1 etime=0

[root@freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS requests

[root@freeipa ~]# tail -5 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:02 -0700] - All database threads now stopped
[07/Jun/2011:14:12:02 -0700] - slapd stopped.
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS requests


On 6/7/11 2:33 PM, "Dmitri Pal"  wrote:

 On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
 I continue to work with performance issues.  I went into the krb5.conf and 
changed dns_lookup_kdc from true to false.  Kinit now responds immediately.  
It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s.  How fast 
"should" this respond?


 It should be a matter of less than a second.
 Are you using a VM to test? Does it have enough memory?
 It is really hard to say what exactly is causing your delays.
 IPA does a lot of name resolution. Delays are usually related to that. By turning 
off the name resolution against DNS in Kerberos you reduced the number of lookups 
but probably did not eliminate all of them. I suggest you continue looking 
into the name resolution more.
 This is the best we can say without any logs or specific configurations. Sorry.

 Thanks
 Dmitri
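Dmitri's advice above is to keep looking at name resolution, and the page so far only shows the end-to-end number (20 s for ipa-finduser). The following is an added example, not code from this thread or from FreeIPA: it times the individual lookups a client performs on its way to the KDC and the LDAP server, so a slow or inconsistent step shows up by name. The server name freeipa.arc.nasa.gov is the one from the thread; the one-second threshold is an assumption, and the resolver functions are injectable so the checks can be exercised offline with constructed answers.

```python
import socket
import time

SLOW_SECONDS = 1.0   # assumption: a local lookup slower than this is already out of line


def timed(fn, *args):
    """Call fn(*args); return (seconds, result, error). Errors are returned, not raised."""
    t0 = time.monotonic()
    try:
        result, err = fn(*args), None
    except OSError as e:          # socket.gaierror / socket.herror are OSError subclasses
        result, err = None, e
    return time.monotonic() - t0, result, err


def check_name_resolution(server_fqdn, forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr, canon=socket.getfqdn,
                          slow=SLOW_SECONDS):
    """Time the lookups a client makes before it can talk to the KDC/LDAP server:
    forward (FQDN -> addresses), reverse of each address (used by libkrb5 to
    canonicalize the service principal unless rdns is disabled), and
    canonicalization of the local hostname. Returns [(step, seconds, ok, detail)]
    with ok=False for slow, failing or inconsistent answers."""
    report = []
    secs, fwd, err = timed(forward, server_fqdn)
    addrs = list(fwd[2]) if fwd else []
    report.append(('forward %s' % server_fqdn, secs,
                   err is None and addrs != [] and secs < slow, err or addrs))
    for ip in addrs:
        secs, rev, err = timed(reverse, ip)
        name = rev[0] if rev else None
        # The reverse answer must come back as the same FQDN, or Kerberos will
        # ask for a ticket for a different (possibly attacker-chosen) principal.
        ok = err is None and secs < slow and name == server_fqdn
        report.append(('reverse %s' % ip, secs, ok, err or name))
    secs, local, err = timed(canon)
    ok = (err is None and secs < slow and local is not None
          and '.' in local and not local.startswith('localhost'))
    report.append(('local fqdn', secs, ok, err or local))
    return report


def problems(report):
    """Names of the steps that failed, answered inconsistently, or took too long."""
    return [step for step, _, ok, _ in report if not ok]


if __name__ == '__main__':
    for step, secs, ok, detail in check_name_resolution('freeipa.arc.nasa.gov'):
        print('%-36s %7.3fs %-8s %s' % (step, secs, 'ok' if ok else 'SLOW/BAD', detail))
```

With "hosts: files dns" in nsswitch.conf and no reachable DNS server, every name that is not in /etc/hosts, and every reverse lookup of an address not listed there, waits for the resolver timeout before failing, which is how single lookups add up to the delays seen here. Turning off dns_lookup_kdc only removes the SRV lookup for the KDC; with it off, krb5.conf must name the KDC explicitly in [realms]. The reverse lookup can be taken out of the Kerberos path as well with rdns = false in [libdefaults], which is also the safer setting, since it stops a spoofed PTR record from changing which service principal the client requests a ticket for.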

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-06 Thread Rob Crittenden

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:


I’m closer. I was able to get logged into the UI. It wasn’t that I was
running firefox from root, but that I had inited as root. Same problem
really. Dropping back to my own shell and initing I was able to reach
the GUI. The next problem I need to tackle is the slowness. Ipa-finduser
admin does return results, but it takes 2m43s.


Definitely getting hung up somewhere. I'd try the -v option to 
ipa-finduser to get a bit more detail on the request. The client will 
attempt to find the right IPA Apache server to connect to and make a 
Kerberos connection. Apache will then handle the request, collect any 
data needed from 389-ds and return it. There are a lot of places things 
can break down. By examining the server logs you may be able to discern 
where the logjam is.


rob




Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]

I'm closer.  I was able to get logged into the UI.  It wasn't that I was 
running firefox from root, but that I had inited as root.  Same problem really. 
 Dropping back to my own shell and initing I was able to reach the GUI.  The 
next problem I need to tackle is the slowness.  Ipa-finduser admin does return 
results, but it takes 2m43s.

[root@freeipa ~]# egrep "freeipa|local" /etc/hosts
127.0.0.1   localhost.localdomain   localhost
::1 localhost6.localdomain6 localhost6
1.2.3.4 freeipa.arc.nasa.govfreeipa

[root@freeipa ~]# grep host /etc/nsswitch.conf
#hosts: db files nisplus nis dns
hosts:  files dns

[root@freeipa ~]# ifconfig eth0
eth0  Link encap:Ethernet  HWaddr 00:10:18:2D:E6:93
  inet addr:1.2.3.4

I don't see any issues with the configuration there.  There are no conflicting 
"freeipa" hosts in dns.  Looks pretty much in compliance with the guide:

Configuring /etc/hosts
You need to ensure that your /etc/hosts file is configured correctly, or the 
ipa-* commands may not work correctly.

The /etc/hosts file should list the FQDN for your IPA server before any 
aliases. You should also ensure that the hostname is not part of the localhost 
entry. The following is an example of a valid hosts file:
127.0.0.1   localhost.localdomain   localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com  ipaserver


-Brian



On 6/3/11 3:58 PM, "Dmitri Pal"  wrote:

 On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
 I have resolved the install issue.


 Great!



 The installer is a bit sloppy and makes some bad assumptions.  The problem 
turns out to be that the directory server setup seems to be running as dirsrv, 
not root.  Ipa-server-install (more specifically dsinstance.py) writes out the 
file /var/lib/dirsrv/boot.ldif.  But it does so as root, using root's umask.  
It doesn't do a check to make sure dirsrv can read this file before spawning an 
external process to create the directory server.  Part of security best 
practices recommended by the CIS group as well as others is to set root's umask 
to 0077.  With this setting in place, dirsrv is unable to read 
/var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from 
ipa-server-install.  I modified dsinstance.py to not remove the file and 
checked it after a failed install.  It was written properly, so I changed the 
permission on it to 666 and re-ran the install.  It succeeded.


 Opened https://fedorahosted.org/freeipa/ticket/1282



 I'm now back to where I started, which is a partly working ipa install.  Kinit 
takes 75 seconds to complete.

 Seems like a DNS timeout or something related to the name resolution.


I still can't get to the UI.  I'm now going to uninstall again, change root's 
umask to 022, and see if that fixes any more of the problems.


 The UI does not start for me if you try to run FF from the root shell. I 
forget about this frequently and just upgraded to F15 and hit it again.

 If you have a normal user shell, kinit from that shell as admin and start 
browser from it you should have all the right context to access UI.




 -Brian



 On 6/3/11 3:14 PM, "Brian Stamper"  wrote:



 Yes, I mentioned in the first email I had attempted that.  I just ran the 
uninstall 10 times in a row.  Same errors:

 Configuring directory server:
   [1/17]: creating directory server user
   [2/17]: creating directory server instance
 root: CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
   [3/17]: adding default schema
   [4/17]: enabling memberof plugin
   [5/17]: enabling referential integrity plugin
   [6/17]: enabling distributed numeric assignment plugin
   [7/17]: enabling winsync plugin
   [8/17]: configuring uniqueness plugin
   [9/17]: creating indices
   [10/17]: configuring ssl for ds instance
   [11/17]: configuring certmap.conf
   [12/17]: restarting directory server
   [13/17]: adding default layout
 root: CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
   [14/17]: configuring Posix uid/gid generation as first master
   [15/17]: adding master entry as first master
 root: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
   [16/17]: initializing group membership
   [17/17]: configuring directory to start on boot
 done configuring dirsrv.

 As a test I've manually run setup-ds.pl accepting all of the defaults.  It 
works fine and installs succe
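The umask failure Brian describes above (root writes /var/lib/dirsrv/boot.ldif under umask 0077, setup-ds.pl then runs the import as dirsrv and gets errno 13) comes down to one pattern: creating a file for another account while letting the umask pick its mode, and not checking the result before handing it off. The following is an added example, not the FreeIPA installer's code: it reproduces the failure under a 0077 umask in a temporary directory and shows the fix, an explicit mode (or owner) set on the file plus a pre-flight read check against the target identity. The dirsrv account is stood in for by a constructed uid/gid and the LDIF content is made up.

```python
import os
import stat
import tempfile

# Constructed bootstrap LDIF; the real boot.ldif from the thread is not reproduced here.
BOOT_LDIF = "dn: dc=example,dc=com\nobjectClass: top\nobjectClass: domain\ndc: example\n"


def naive_write(path, data):
    """What the installer effectively did: create the file as root and let the
    process umask decide who else can read it (umask 0o077 -> mode 0600)."""
    with open(path, 'w') as f:
        f.write(data)


def write_for_service(path, data, mode=0o644, owner=None):
    """Create the file with an explicit mode regardless of umask. The mode given
    to os.open is still masked, so the permission is applied with fchmod after
    the open. owner=(uid, gid) hands the file to the service account (needs
    root); with an owner set, mode 0o600 is enough and nothing is exposed to
    other users, which is the right choice for anything containing a secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        if owner is not None:
            os.fchown(fd, owner[0], owner[1])
        os.fchmod(fd, mode)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def readable_by(path, uid, gids):
    """POSIX read check for a given identity from the file's mode bits alone
    (root always passes; ACLs, SELinux and parent-directory permissions are
    not considered, so a True here is necessary rather than sufficient)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo(workdir=None):
    """Reproduce the failure under a 0o077 umask and show the fix. Returns
    (naive_readable, fixed_readable) as seen by a constructed 'other' account
    that stands in for dirsrv."""
    workdir = workdir or tempfile.mkdtemp()
    other = (os.getuid() + 1, [os.getgid() + 1])   # constructed stand-in for the dirsrv uid/gid
    old = os.umask(0o077)                          # the hardened root umask from the thread
    try:
        naive = os.path.join(workdir, 'boot-naive.ldif')
        fixed = os.path.join(workdir, 'boot-fixed.ldif')
        naive_write(naive, BOOT_LDIF)
        write_for_service(fixed, BOOT_LDIF, mode=0o644)
        # Pre-flight check the installer lacked: verify the hand-off here and
        # abort early instead of letting setup-ds.pl fail with "Permission denied".
        return readable_by(naive, *other), readable_by(fixed, *other)
    finally:
        os.umask(old)


if __name__ == '__main__':
    print(demo())   # (False, True)
```

chmod 666, the workaround used above, is wider than needed; 0644 already lets dirsrv read a bootstrap LDIF that holds nothing secret. The same installer also writes the Directory Manager password to a temporary file for ldapmodify (the -y /tmp/... argument in the quoted errors); a file like that should be created with an explicit 0600 and, if a service account has to read it, handed over with fchown rather than opened up to everyone.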

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Dmitri Pal
G   [1/17]: creating directory server user
> 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server
> instance
> 2011-06-03 15:12:41,567 INFO   *** Error: no dirsrv instances
> configured
>
> 2011-06-03 15:12:41,567 INFO
> 2011-06-03 15:12:41,567 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG
> dn: dc=arc,dc=nasa,dc=gov
> objectClass: top
> objectClass: domain
> objectClass: pilotObject
> dc: arc
> info: IPA V1.0
>
> 2011-06-03 15:12:41,569 DEBUG writing inf template
> 2011-06-03 15:12:41,570 DEBUG
> [General]
> FullMachineName=   freeipa.arc.nasa.gov
> SuiteSpotUserID=   dirsrv
> ServerRoot=/usr/lib64/dirsrv
> [slapd]
> ServerPort=   389
> ServerIdentifier=   ARC-NASA-GOV
> Suffix=   dc=arc,dc=nasa,dc=gov
> RootDN=   cn=Directory Manager
> InstallLdifFile= /var/lib/dirsrv/boot.ldif
>
> 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
> 59648.  Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
> cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
> job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
> LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
> aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
> directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
> 59648.  Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
> cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
> job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
> LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
> aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
>     /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
> directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
> directory server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance 'ARC-NASA-GOV'.
> [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>
>
> -Brian
>
> On 6/3/11 2:53 PM, "Dmitri Pal"  wrote:
>
>  On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC]
> wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
>  I've given up on freeipa v2 due to lack of compatibility
>

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]
rc,dc=nasa,dc=gov
RootDN=   cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif

2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not 
import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.  Output: importing 
data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, 
pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with 
bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file 
"/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads...
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.  Output: 
importing data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, 
pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with 
bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file 
"/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads...
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

[11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server 
instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/03:15:12:48] - [Setup] Fatal Exiting . . .


-Brian

On 6/3/11 2:53 PM, "Dmitri Pal"  wrote:

 On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
 I've given up on freeipa v2 due to lack of compatibility with hosts I manage.  
This is all on freeipa v1.  The server started as Fedora 13, and I upgraded to 
Fedora 14 in an attempt to fix the problems.

 [root@freeipa ~]# uname -r
 2.6.35.13-91.fc14.x86_64
 [root@freeipa ~]# rpm -qa 'ipa*'
 ipa-client-1.2.2-6.fc14.x86_64
 ipa-server-selinux-1.2.2-6.fc14.x86_64
 ipa-python-1.2.2-6.fc14.x86_64
 ipa-admintools-1.2.2-6.fc14.x86_64
 ipa-server-1.2.2-6.fc14.x86_64
 [root@freeipa ~]#

 I'm not doing anything special at this point.  I'm not even trying to get 
clients added.  I'm trying to do a basic install of ipa-server, with no extra 
arguments.  That claimed to succeed but wouldn't work, I tried to fix it, 
uninstalled, any attempts to reinstall failed.  So right now I'm simply trying 
to get the ipa service back to any kind of functioning status without 
re-installing the OS.



 Ah this is all old 1.2 IPA.
 Have you tried
 ipa-server-install --uninstall

 Might require several attempts until all the errors are cleared.


-Brian

 On 6/3/11 2:30 PM, "Dmitri Pal"  wrote:




 Is it all on F13?
  The IPA v2 can't be built on F13 as there are many dependencies missing that 
we rely on. There are too many parts; this is why we had to move to the later 
versions of F15. We just did not have any options. So the server you built 
might in fact be completely broken. I do not know how to fix it. It looks like 
you have some instances of the DS left over in a misconfigured state.

  You can try running ipa-server-install --uninstall 4-5 times. That might 
clear things a bit.

  But let us get back to the original problem.
  Freeipa can be used with the LDAP+Kerberos configuration on the clients. You 
do not need to have latest and greatest.
  There was a nice article referenced in some of the earlier threads on the 
list:

 http://www.aput.net/~jheiss/krbldap/howto.html 

 You can configure very old clients to use IPA as NIS server.
 Let us know how else we can help.
  Thanks
  Dmitri




  -Brian


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
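The setup-ds.pl output Brian quotes above fails at exactly one point: the directory server cannot open /var/lib/dirsrv/boot.ldif (errno 13, Permission denied). Everything after that line (threads aborted, "Import failed", the missing db/userRoot, the Fatal Error about the instance) is a consequence, not a separate problem. The following is an added example, not code from this thread or from the FreeIPA or 389-ds projects: it pulls the root-cause line out of that kind of output and performs the same POSIX read check the server does, so you can confirm whether the service account could read the LDIF before re-running the installer. The sample output is constructed to match the shape of the quoted log; the service account name used in the comments ("dirsrv") and the uid/gid values in the usage are assumptions, not values from the thread.

```python
import os
import pwd
import grp
import re
import stat
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the shape of the setup-ds.pl output quoted in the thread.
SAMPLE_OUTPUT = """\
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads...
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
[11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
"""

# The one line that carries the root cause: backend, path, errno and its text.
OPEN_FAIL_RE = re.compile(
    r'import (?P<backend>\w+): Could not open LDIF file "(?P<path>[^"]+)", '
    r"errno (?P<errno>\d+) \((?P<msg>[^)]+)\)"
)
FATAL_RE = re.compile(r"\[Setup\] Fatal Error: (?P<text>.+)")


@dataclass
class ImportFailure:
    backend: str
    path: str
    errno: int
    message: str


def first_open_failure(output: str) -> Optional[ImportFailure]:
    """Return the first 'Could not open LDIF file' event; later lines only echo it."""
    for line in output.splitlines():
        m = OPEN_FAIL_RE.search(line)
        if m:
            return ImportFailure(m["backend"], m["path"], int(m["errno"]), m["msg"])
    return None


def fatal_errors(output: str) -> List[str]:
    """Every '[Setup] Fatal Error' message, in order (the symptom, not the cause)."""
    return [m["text"] for m in (FATAL_RE.search(l) for l in output.splitlines()) if m]


def readable_by(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> bool:
    """POSIX read check in kernel order: root, then owner, then group, then other."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_ldif_for_user(path: str, username: str) -> str:
    """Stat a real file and report whether the named service account could read it.
    Touches the live filesystem, so the sample run below does not call it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"{path}: missing (errno 2)"
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return f"{path}: no such user {username!r} on this host"
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    ok = readable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
    return (f"{path}: {stat.filemode(st.st_mode)} uid={st.st_uid} gid={st.st_gid} "
            f"readable by {username}: {ok}")


def diagnose(output: str) -> str:
    """One-line explanation of the root cause, with a hint for the errno values seen here."""
    f = first_open_failure(output)
    if f is None:
        return "no LDIF open failure found; look earlier in the log"
    hint = {
        13: "the LDIF exists but the directory server's service account cannot read it; "
            "check the file's owner/mode (and SELinux label) against that account",
        2: "the LDIF is missing; the installer did not write it or removed it already",
    }.get(f.errno, os.strerror(f.errno))
    return f"{f.backend}: {f.path} errno {f.errno} ({f.message}): {hint}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT))
    for e in fatal_errors(SAMPLE_OUTPUT):
        print("fatal:", e)
```

To use it against a real log, feed the contents of the ipaserver-install log to `diagnose()`; to check the file itself, call `check_ldif_for_user("/var/lib/dirsrv/boot.ldif", "dirsrv")` (the account name is an assumption; use whatever user the ns-slapd process runs as on that host). Note that an SELinux denial also surfaces as errno 13, so a file whose owner and mode look right can still fail this way; the audit log, not the mode bits, settles that case.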

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Dmitri Pal
On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I've given up on freeipa v2 due to lack of compatibility with hosts I
> manage.  This is all on freeipa v1.  The server started as Fedora 13,
> and I upgraded to Fedora 14 in an attempt to fix the problems.
>
> [root@freeipa ~]# uname -r
> 2.6.35.13-91.fc14.x86_64
> [root@freeipa ~]# rpm -qa 'ipa*'
> ipa-client-1.2.2-6.fc14.x86_64
> ipa-server-selinux-1.2.2-6.fc14.x86_64
> ipa-python-1.2.2-6.fc14.x86_64
> ipa-admintools-1.2.2-6.fc14.x86_64
> ipa-server-1.2.2-6.fc14.x86_64
> [root@freeipa ~]#
>
> I'm not doing anything special at this point.  I'm not even trying to
> get clients added.  I'm trying to do a basic install of ipa-server,
> with no extra arguments.  That claimed to succeed but wouldn't work, I
> tried to fix it, uninstalled, any attempts to reinstall failed.  So
> right now I'm simply trying to get the ipa service back to any kind of
> functioning status without re-installing the OS.
>

Ah this is all old 1.2 IPA.
Have you tried
ipa-server-install --uninstall

Might require several attempts until all the errors are cleared.

> -Brian
>
> On 6/3/11 2:30 PM, "Dmitri Pal"  wrote:
>
>
> Is it all on F13?
>  The IPA v2 can't be built on F13 as there are many dependencies
> missing that we rely on. There are too many parts; this is why we
> had to move to the later versions of F15. We just did not have any
> options. So the server you built might in fact be completely
> broken. I do not know how to fix it. It looks like you have some
> instances of the DS left over in a misconfigured state.
>  
>  You can try running ipa-server-install --uninstall 4-5 times.
> That might clear things a bit.
>  
>  But let us get back to the original problem.
>  Freeipa can be used with the LDAP+Kerberos configuration on the
> clients. You do not need to have latest and greatest.
>  There was a nice article referenced in some of the earlier
> threads on the list:
>  
> http://www.aput.net/~jheiss/krbldap/howto.html
> 
> 
>
> You can configure very old clients to use IPA as NIS server.
> Let us know how else we can help.
>  Thanks
>  Dmitri
>  
>  
>
>
>  -Brian
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
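Dmitri's advice above is to repeat ipa-server-install --uninstall until the errors clear. Before the next attempt it helps to know exactly what the earlier attempts left behind, since the log already shows a half-removed instance (the config for ARC-NASA-GOV is still referenced but /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot is gone). This added example, which is not from the thread or from the FreeIPA or 389-ds projects, inventories that state read-only so it can be compared before and after each uninstall. It assumes the 389-ds layout of one config directory per instance under etc/dirsrv/slapd-NAME and one database directory under var/lib/dirsrv/slapd-NAME, and takes a root prefix so it can be pointed at a copy or at the constructed sample tree it builds for itself.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed 389-ds layout (the db path matches the one in the quoted log).
CONFIG_BASE = Path("etc/dirsrv")
DB_BASE = Path("var/lib/dirsrv")
PREFIX = "slapd-"


def instances_under(base: Path) -> Dict[str, Path]:
    """Map instance name -> directory for every slapd-NAME directory under base."""
    if not base.is_dir():
        return {}
    return {p.name[len(PREFIX):]: p
            for p in base.iterdir() if p.is_dir() and p.name.startswith(PREFIX)}


def leftover_report(root: str = "/") -> Dict[str, List[str]]:
    """Classify instances as complete, config-only or db-only, and list stray
    LDIF files left in the db base (boot.ldif is normally removed after import)."""
    r = Path(root)
    cfg = instances_under(r / CONFIG_BASE)
    db = instances_under(r / DB_BASE)
    stray = sorted(str(p.relative_to(r)) for p in (r / DB_BASE).glob("*.ldif"))
    return {
        "complete": sorted(set(cfg) & set(db)),
        "config_only": sorted(set(cfg) - set(db)),
        "db_only": sorted(set(db) - set(cfg)),
        "stray_files": stray,
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when nothing from a previous instance remains under the prefix."""
    return not any(report.values())


def make_sample_tree() -> str:
    """Constructed tree mirroring the half-removed state in the thread:
    config directory present, database directory gone, boot.ldif left behind."""
    t = tempfile.mkdtemp()
    (Path(t) / CONFIG_BASE / (PREFIX + "ARC-NASA-GOV")).mkdir(parents=True)
    (Path(t) / DB_BASE).mkdir(parents=True)
    (Path(t) / DB_BASE / "boot.ldif").write_text("dn: cn=config\n")
    return t


def remove_sample_tree(t: str) -> None:
    shutil.rmtree(t)


if __name__ == "__main__":
    sample = make_sample_tree()
    try:
        for key, items in leftover_report(sample).items():
            print(f"{key}: {items}")
        print("clean:", is_clean(leftover_report(sample)))
    finally:
        remove_sample_tree(sample)
```

On the server itself run `leftover_report("/")` as root (reading /etc/dirsrv and /var/lib/dirsrv needs it); an empty report is the state to aim for before the next ipa-server-install, and a config-only or db-only entry names the instance that the uninstaller still has to finish removing.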

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Simo Sorce
On Fri, 2011-06-03 at 16:38 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC]
wrote:
> 
> I've given up on freeipa v2 due to lack of compatibility with hosts I
> manage.  This is all on freeipa v1.  The server started as Fedora 13,
> and I upgraded to Fedora 14 in an attempt to fix the problems. 

Brian, I am curious, what compatibility are you lacking ?
I can't think of any difference in the supported list of clients; with v2
we have native sssd support that was not available in v1, but the legacy
support is basically identical.

Can you elaborate on which problem you found on which clients ?


Thanks,
Simo

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]

I've given up on freeipa v2 due to lack of compatibility with hosts I manage.  
This is all on freeipa v1.  The server started as Fedora 13, and I upgraded to 
Fedora 14 in an attempt to fix the problems.

[root@freeipa ~]# uname -r
2.6.35.13-91.fc14.x86_64
[root@freeipa ~]# rpm -qa 'ipa*'
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
[root@freeipa ~]#

I'm not doing anything special at this point.  I'm not even trying to get 
clients added.  I'm trying to do a basic install of ipa-server, with no extra 
arguments.  That claimed to succeed but wouldn't work, I tried to fix it, 
uninstalled, any attempts to reinstall failed.  So right now I'm simply trying 
to get the ipa service back to any kind of functioning status without 
re-installing the OS.

-Brian

On 6/3/11 2:30 PM, "Dmitri Pal"  wrote:

Is it all on F13?
 The IPA v2 can't be built on F13 as there are many dependencies missing that 
we rely on. There are too many parts; this is why we had to move to the later 
versions of F15. We just did not have any options. So the server you built 
might in fact be completely broken. I do not know how to fix it. It looks like 
you have some instances of the DS left over in a misconfigured state.

 You can try running ipa-server-install --uninstall 4-5 times. That might clear 
things a bit.

 But let us get back to the original problem.
 Freeipa can be used with the LDAP+Kerberos configuration on the clients. You 
do not need to have latest and greatest.
 There was a nice article referenced in some of the earlier threads on the list:

http://www.aput.net/~jheiss/krbldap/howto.html 


You can configure very old clients to use IPA as NIS server.
Let us know how else we can help.
 Thanks
 Dmitri



 -Brian


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Dmitri Pal
On 06/03/2011 05:09 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> I initially started testing with FreeIPA on Fedora 15, using ipa 2.x.
>  The server install went smoothly, however I was unable to add clients
> due to lack of backward compatibility, since ipa 2.x isn't available
> for most of the systems I manage.
>
> I decided to rebuild the test ipa server.  I built a fresh Fedora 13
> system and installed the yum packages.  Initially the ipa server
> installed without errors.  However, there were some issues.  It hadn't
> configured httpd to autostart, and when I did start httpd, I was
> unable to get to the management UI.  Attempting to kinit would pause
> for ~10-15 seconds before requesting a password.  I was able to get
> the ticket.  Attempting to then reach the website, after configuring
> firefox and importing the certs, resulted in the "Service temporarily
> unavailable" error.  All of this seemed to indicate a problem with the
> hosts file, but checking it multiple times, as well as checking all
> variations of name resolution indicated nothing.
>
> I decided to reinstall to try to fix the kerb oddness and hopefully
> get to the website gui.  I ran ipa-server-install --uninstall and
> attempted to reinstall, and got the following error:
>
> CRITICAL Failed to load bootstrap-template.ldif: Command
> '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w
> password -f /tmp/tmpe1aE3t' returned non-zero exit status 32
>
> Which led me to this bug, which was reported fixed in 2008:
> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287
> 
>
> Here is an excerpt from the install log:
>
> 2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
> 2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could
> not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.
>  Output: importing data ...
> [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize:
> 4096, pages: 997331, procpages: 49464
> [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF
> file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import
> threads...
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> [02/Jun/2011:12:40:09 -0700] - All database threads now stopped
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.
>  Output: importing data ...
> [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize:
> 4096, pages: 997331, procpages: 49464
> [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF
> file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import
> threads...
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> [02/Jun/2011:12:40:09 -0700] - All database threads now stopped
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
>
> [11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory
> server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance 'ARC-NASA-GOV'.
> [11/06/02:12:40:09] - [Setup] Fatal Exiting . . .
> Log file is '-'
>
> Exiting . . .
> Log file is '-'
>
> 2011-06-02 12:40:09,870 INFO
> 2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j'
> returned non-zero exit status 1
> 2011-06-02 12:40:09,870 DEBUG restarting ds instance
> 2011-06-02 12:40:12,030 INFO Shutting down dirsrv:
> ARC-NASA-GOV... server already stopped[FAILED]
>   *** Error: 1 instance(s) unsuccessfully stopped[FAILED]
> Starting dirsrv:
> ARC-NASA-GOV...[  OK  ]
>
> All my attempts to re-install ipa-server now 

[Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]
I initially started testing with FreeIPA on Fedora 15, using ipa 2.x.  The 
server install went smoothly, however I was unable to add clients due to lack 
of backward compatibility, since ipa 2.x isn't available for most of the 
systems I manage.

I decided to rebuild the test ipa server.  I built a fresh Fedora 13 system and 
installed the yum packages.  Initially the ipa server installed without errors. 
 However, there were some issues.  It hadn't configured httpd to autostart, and 
when I did start httpd, I was unable to get to the management UI.  Attempting 
to kinit would pause for ~10-15 seconds before requesting a password.  I was 
able to get the ticket.  Attempting to then reach the website, after 
configuring firefox and importing the certs, resulted in the "Service 
temporarily unavailable" error.  All of this seemed to indicate a problem with 
the hosts file, but checking it multiple times, as well as checking all 
variations of name resolution indicated nothing.

I decided to reinstall to try to fix the kerb oddness and hopefully get to the 
website gui.  I ran ipa-server-install --uninstall and attempted to reinstall, 
and got the following error:

CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f 
/tmp/tmpe1aE3t' returned non-zero exit status 32

Which led me to this bug, which was reported fixed in 2008:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287

Here is an excerpt from the install log:

2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could not 
import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.  Output: importing 
data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, 
pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with 
bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file 
"/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.

Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 59648.  Output: 
importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, 
pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with 
bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file 
"/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.

[11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory server 
instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/02:12:40:09] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'

2011-06-02 12:40:09,870 INFO
2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command 
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j' returned 
non-zero exit status 1
2011-06-02 12:40:09,870 DEBUG restarting ds instance
2011-06-02 12:40:12,030 INFO Shutting down dirsrv:
ARC-NASA-GOV... server already stopped[FAILED]
  *** Error: 1 instance(s) unsuccessfully stopped[FAILED]
Starting dirsrv:
ARC-NASA-GOV...[  OK  ]

All my attempts to re-install ipa-server now fail.  I've tried removing all 51 
packages associated with ipa-server and re-installing them.  I've removed all 
51 packages and deleted every file I could find associated with nscd, 389, ipa, 
sssd, etc.  I have been unable to return the system to a state that will allow 
a reinstall of