Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
On 10/3/2014 2:30 AM, Alexander Bokovoy wrote:
>>> This issue is known -- when CA install fails, we rollback but since CA
>>> isn't installed, we miss rolling it back. There is a ticket for
>>> eventually fixing this issue.
>>
>> Which ticket is this? The rollback was actually disabled to allow
>> troubleshooting the failed installation:
>> https://fedorahosted.org/freeipa/ticket/3990
>
> I think this ticket is unrelated -- its solution only affects
> ipa-client-install --on-master, not what ipa-server-install does when it
> rolls back configuration for dirsrv and other servers.

I think the idea can be expanded to the entire server installation.

> I can't find the exact ticket though.
>
>>> Following sequence should clean up all the bits:
>>>
>>>     pkidestroy -s CA -i pki-tomcat
>>>     rm -rf /var/log/pki/pki-tomcat
>>>     rm -rf /etc/sysconfig/pki-tomcat
>>>     rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>>     rm -rf /var/lib/pki/pki-tomcat
>>>     rm -rf /etc/pki/pki-tomcat
>>
>> It's not official, but we call this step pki-nuke.
>>
>>> It also helps to reboot between multiple reinstalls on a single machine.
>>
>> Rather than rolling back the installation automatically (and delete all
>> files needed to troubleshoot the problem), it would be better to provide
>> an option to the uninstall command to forcibly remove all installed files
>> regardless whether the installation was successful or not, just like the
>> pki-nuke above.
>
> We simply have no information about the fact what pkicreate did before it
> failed.

It shouldn't matter. The forced removal should clean up anything that might
have been created during the installation. That way the next installation
should be able to run without any possibility of conflicts with residual
files.

I created this Dogtag ticket: https://fedorahosted.org/pki/ticket/1172

When that's implemented, the IPA uninstall script can do this:

    import subprocess

    try:
        # forcibly remove Dogtag instance
        subprocess.check_call(["pkidestroy", "-i", "pki-tomcat"])
    except Exception:
        # ignore error
        pass

    try:
        # forcibly remove DS instance
        subprocess.check_call(["remove-ds.pl", "-f", "-i", "slapd-pki-tomcat"])
    except Exception:
        # ignore error
        pass

    # ... and so on ...

If we use an automatic rollback, in addition to the lost debugging info,
sometimes the rollback itself can be buggy so the machine is left in an
inconsistent/unusable state. With a separate forced removal like above, we
can debug the failed installation, and also debug the failed removal if
necessary.

-- 
Endi S. Dewata

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
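The two ideas in this thread, a pre-flight check for leftover pki-tomcat files before retrying ipa-server-install and a forced removal that keeps going past failures but records them, fit together in a small script. The following is an added example written for this page; it is not code from FreeIPA, Dogtag, or any of the posters, and it does not assume the forced-removal option from the Dogtag ticket exists. The function names (residual_paths, force_remove, rmtree_step, demo) and the root-prefix parameter are the example's own; the paths checked are the five directories from the pki-nuke sequence above. The demo runs against a constructed scratch directory, and a Python child process stands in for rm -rf and for a failing pkidestroy so nothing touches the live system.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# The on-disk locations the thread's "pki-nuke" sequence removes for the
# default Dogtag instance (pkidestroy handles the instance itself). They are
# kept relative to a root prefix so the check can be run against a scratch
# directory instead of "/" (assumption of this example, not a Dogtag API).
PKI_INSTANCE_PATHS = (
    "var/log/pki/{inst}",
    "etc/sysconfig/{inst}",
    "etc/sysconfig/pki/tomcat/{inst}",
    "var/lib/pki/{inst}",
    "etc/pki/{inst}",
)


def residual_paths(instance="pki-tomcat", root="/"):
    """Pre-flight check: return the instance paths that still exist.

    Any hit predicts the pkispawn failure quoted in the thread ("PKI subsystem
    'CA' for instance 'pki-tomcat' already exists!"), so it is worth running
    before ipa-server-install is retried."""
    candidates = (os.path.join(root, t.format(inst=instance))
                  for t in PKI_INSTANCE_PATHS)
    return [p for p in candidates if os.path.lexists(p)]


def force_remove(steps):
    """Run every cleanup step and never stop at the first failure.

    steps: list of (label, argv). Returns (completed, failed); failed holds
    (label, exit_code, stderr), with exit_code None when the tool could not
    be started at all, so a broken removal can be debugged rather than
    silently ignored, which is the point made in the thread."""
    completed, failed = [], []
    for label, argv in steps:
        try:
            proc = subprocess.run(argv, capture_output=True, text=True)
        except OSError as exc:  # e.g. the tool is not installed
            failed.append((label, None, str(exc)))
            continue
        if proc.returncode == 0:
            completed.append(label)
        else:
            failed.append((label, proc.returncode, proc.stderr.strip()))
    return completed, failed


def rmtree_step(label, path):
    """Build a removal step; a Python child process stands in for `rm -rf`
    so the demo does not depend on external tools."""
    return (label, [sys.executable, "-c",
                    "import shutil, sys; shutil.rmtree(sys.argv[1])", path])


def demo():
    """Constructed scenario: a scratch root holding two leftover directories
    from an earlier failed install, one step that exits non-zero (standing in
    for pkidestroy on a half-created instance) and one step whose tool is
    missing. Returns residue before, completed/failed steps, residue after."""
    root = tempfile.mkdtemp(prefix="pki-nuke-demo-")
    try:
        for rel in ("var/lib/pki/pki-tomcat", "etc/pki/pki-tomcat"):
            os.makedirs(os.path.join(root, rel))
        before = residual_paths(root=root)
        steps = [
            ("pkidestroy (simulated failure)",
             [sys.executable, "-c",
              "import sys; sys.stderr.write('no such instance\\n'); sys.exit(1)"]),
            ("missing tool", ["/nonexistent/pki-nuke-demo-missing-tool"]),
        ]
        steps += [rmtree_step("rm -rf " + p, p) for p in before]
        completed, failed = force_remove(steps)
        after = residual_paths(root=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "completed": completed,
            "failed": [(label, rc) for label, rc, _ in failed],
            "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real host the call would be residual_paths() with the default root, and the steps list would start with the actual pkidestroy and rm -rf commands from the thread; the failed list is what you would read before deciding whether the next ipa-server-install is safe to run.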
Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
> On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
>> On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>> I have tried to deinstall and reinstall the ipa server but the
>>> installation is now failing. The ipa-server-install is failing with the
>>> following:
>>>
>>>   [37/38]: tuning directory server
>>>   [38/38]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>   [1/22]: creating certificate server user
>>>   [2/22]: configuring certificate server instance
>>> ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
>>> Configuration of CA failed
>>>
>>> This happens each time I try to uninstall and reinstall the ipa server on
>>> RHEL V7.
>>>
>>> Looking at the latest log in /var/log/pki, I see this at the end of the log:
>>>
>>> 2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
>>> 2014-10-01 11:53:10 pkispawn: INFO ... initializing 'pki.deployment.initialization'
>>> 2014-10-01 11:53:10 pkispawn: ERROR ... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
>>> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Type: SystemExit
>>> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Message: 1
>>> 2014-10-01 11:53:10 pkispawn: DEBUG ... File "/usr/sbin/pkispawn", line 374, in main
>>>     rv = instance.spawn()
>>>   File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
>>>     util.instance.verify_subsystem_does_not_exist()
>>>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
>>>     sys.exit(1)
>>>
>>> I am no python expert by any means and I'm not sure what this is telling
>>> us so any help would be greatly appreciated.
>>
>> This issue is known -- when CA install fails, we rollback but since CA
>> isn't installed, we miss rolling it back. There is a ticket for eventually
>> fixing this issue.
>
> Which ticket is this? The rollback was actually disabled to allow
> troubleshooting the failed installation:
> https://fedorahosted.org/freeipa/ticket/3990

I think this ticket is unrelated -- its solution only affects
ipa-client-install --on-master, not what ipa-server-install does when it
rolls back configuration for dirsrv and other servers. I can't find the exact
ticket though.

>> Following sequence should clean up all the bits:
>>
>>     pkidestroy -s CA -i pki-tomcat
>>     rm -rf /var/log/pki/pki-tomcat
>>     rm -rf /etc/sysconfig/pki-tomcat
>>     rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>     rm -rf /var/lib/pki/pki-tomcat
>>     rm -rf /etc/pki/pki-tomcat
>
> It's not official, but we call this step pki-nuke.
>
>> It also helps to reboot between multiple reinstalls on a single machine.
>
> Rather than rolling back the installation automatically (and delete all
> files needed to troubleshoot the problem), it would be better to provide an
> option to the uninstall command to forcibly remove all installed files
> regardless whether the installation was successful or not, just like the
> pki-nuke above.

We simply have no information about the fact what pkicreate did before it
failed.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
> On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> I have tried to deinstall and reinstall the ipa server but the
>> installation is now failing. The ipa-server-install is failing with the
>> following:
>>
>>   [37/38]: tuning directory server
>>   [38/38]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>   [1/22]: creating certificate server user
>>   [2/22]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
>> Configuration of CA failed
>>
>> This happens each time I try to uninstall and reinstall the ipa server on
>> RHEL V7.
>>
>> Looking at the latest log in /var/log/pki, I see this at the end of the log:
>>
>> 2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
>> 2014-10-01 11:53:10 pkispawn: INFO ... initializing 'pki.deployment.initialization'
>> 2014-10-01 11:53:10 pkispawn: ERROR ... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
>> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Type: SystemExit
>> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Message: 1
>> 2014-10-01 11:53:10 pkispawn: DEBUG ... File "/usr/sbin/pkispawn", line 374, in main
>>     rv = instance.spawn()
>>   File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
>>     util.instance.verify_subsystem_does_not_exist()
>>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
>>     sys.exit(1)
>>
>> I am no python expert by any means and I'm not sure what this is telling
>> us so any help would be greatly appreciated.
>
> This issue is known -- when CA install fails, we rollback but since CA
> isn't installed, we miss rolling it back. There is a ticket for eventually
> fixing this issue.

Which ticket is this? The rollback was actually disabled to allow
troubleshooting the failed installation:
https://fedorahosted.org/freeipa/ticket/3990

> Following sequence should clean up all the bits:
>
>     pkidestroy -s CA -i pki-tomcat
>     rm -rf /var/log/pki/pki-tomcat
>     rm -rf /etc/sysconfig/pki-tomcat
>     rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>     rm -rf /var/lib/pki/pki-tomcat
>     rm -rf /etc/pki/pki-tomcat

It's not official, but we call this step pki-nuke.

> It also helps to reboot between multiple reinstalls on a single machine.

Rather than rolling back the installation automatically (and delete all files
needed to troubleshoot the problem), it would be better to provide an option
to the uninstall command to forcibly remove all installed files regardless
whether the installation was successful or not, just like the pki-nuke above.

-- 
Endi S. Dewata
Re: [Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> We are trying to install Identity Manager for testing and learning purposes
> in a test lab environment. We have successfully installed the base product
> but have run into problems when trying to setup a domain trust to an AD
> server.
>
> We are somewhat limited as to how we can change these systems and since
> they must function for replication of many different problems, we need to
> be cautious as to what we change. But they are crash and burn systems.
>
> Both the RHEL V7 IdM server system and the W2008 R2 AD server are in the
> same subnet and the same dns zone. So that is the first question: can we
> create a domain trust between these two systems without placing one or the
> other in a different address subnet or changing the domain name?

No. AD forest by design owns DNS domain of its forest root domain. I'd put it
in an example.com case:

  OK: AD as example.com, IPA as ipa.example.com subdomain
  OK: AD as ad.example.com subdomain, IPA as example.com
  OK: AD as example.com, IPA as example.org

Anything else would mean tripping over authority of one or another forest
root domain and thus will not work.

> I have tried changing the realm name for the linux server from lab.us.com
> for example to ipa.lab.us.com and then leaving the AD server in lab.us.com.
> That gets us a bit further but then we run into problems with what I
> believe is the kerberos configuration.

Right, this should work as long as ipa.lab.us.com DNS domain has proper SRV
records for IPA, as well as lab.us.com has proper SRV records for AD forest
root domain.

> I have tried to deinstall and reinstall the ipa server but the installation
> is now failing. The ipa-server-install is failing with the following:
>
>   [37/38]: tuning directory server
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/22]: creating certificate server user
>   [2/22]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
> Configuration of CA failed
>
> This happens each time I try to uninstall and reinstall the ipa server on
> RHEL V7.
>
> Looking at the latest log in /var/log/pki, I see this at the end of the log:
>
> 2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
> 2014-10-01 11:53:10 pkispawn: INFO ... initializing 'pki.deployment.initialization'
> 2014-10-01 11:53:10 pkispawn: ERROR ... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Type: SystemExit
> 2014-10-01 11:53:10 pkispawn: DEBUG ... Error Message: 1
> 2014-10-01 11:53:10 pkispawn: DEBUG ... File "/usr/sbin/pkispawn", line 374, in main
>     rv = instance.spawn()
>   File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
>     util.instance.verify_subsystem_does_not_exist()
>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
>     sys.exit(1)
>
> I am no python expert by any means and I'm not sure what this is telling us
> so any help would be greatly appreciated.

This issue is known -- when CA install fails, we rollback but since CA isn't
installed, we miss rolling it back. There is a ticket for eventually fixing
this issue.

Following sequence should clean up all the bits:

    pkidestroy -s CA -i pki-tomcat
    rm -rf /var/log/pki/pki-tomcat
    rm -rf /etc/sysconfig/pki-tomcat
    rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
    rm -rf /var/lib/pki/pki-tomcat
    rm -rf /etc/pki/pki-tomcat

It also helps to reboot between multiple reinstalls on a single machine.

-- 
/ Alexander Bokovoy
[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7
We are trying to install Identity Manager for testing and learning purposes
in a test lab environment. We have successfully installed the base product
but have run into problems when trying to setup a domain trust to an AD
server.

We are somewhat limited as to how we can change these systems and since they
must function for replication of many different problems, we need to be
cautious as to what we change. But they are crash and burn systems.

Both the RHEL V7 IdM server system and the W2008 R2 AD server are in the same
subnet and the same dns zone. So that is the first question: can we create a
domain trust between these two systems without placing one or the other in a
different address subnet or changing the domain name?

I have tried changing the realm name for the linux server from lab.us.com for
example to ipa.lab.us.com and then leaving the AD server in lab.us.com. That
gets us a bit further but then we run into problems with what I believe is
the kerberos configuration.

I have tried to deinstall and reinstall the ipa server but the installation
is now failing. The ipa-server-install is failing with the following:

  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
Configuration of CA failed

This happens each time I try to uninstall and reinstall the ipa server on
RHEL V7.

Looking at the latest log in /var/log/pki, I see this at the end of the log:

2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
2014-10-01 11:53:10 pkispawn: INFO ... initializing 'pki.deployment.initialization'
2014-10-01 11:53:10 pkispawn: ERROR ... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
2014-10-01 11:53:10 pkispawn: DEBUG ... Error Type: SystemExit
2014-10-01 11:53:10 pkispawn: DEBUG ... Error Message: 1
2014-10-01 11:53:10 pkispawn: DEBUG ... File "/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
    util.instance.verify_subsystem_does_not_exist()
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
    sys.exit(1)

I am no python expert by any means and I'm not sure what this is telling us
so any help would be greatly appreciated.

Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com