Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[Rob Crittenden]

bahan w wrote:

Hello everyone.

@Rob, I checked indeed in the logs /var/log/pki-ca and there was a
problem, so I performed the pki-remove command :
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

After this, I was able to reproduce my initial error with the permission
denied.
The permission denied was occuring because the /var logical volume had a
noexec option in the /etc/fstab.

Modifying this to exec solved my problem.
By the way, I'm not sure this is normal to execute script in /var. If I
remember well, it was not designed for this, am I wrong ?

Thank you everyone for your answers, it helped a lot.


Can you be more specific on what script was being executed? It sounds a 
bit odd but it may be instance-specific scripts.


rob
f


Best regards.

Bahan

On Mon, Jun 1, 2015 at 4:58 PM, Rob Crittenden mailto:rcrit...@redhat.com>> wrote:

bahan w wrote:

Hello everyone.

I modified the /etc/selinux/config file :
#
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
#

Then I rebooted.
#
reboot
#

Here is the result of getenforce :
#
Permissive
#

I removed the ipa-server that I had and I tried te 3.0.0-42 :
#
yum install ipa-server-3.0.0-42.el6.x86_64
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
--> Processing Dependency: ipa-client = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for
package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-python = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for
package: ipa-server-3.0.0-42.el6.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be
installed
--> Finished Dependency Resolution

Dependencies Resolved


==
   Package   Arch
VersionRepository   Size

==
Installing:
   ipa-serverx86_64
3.0.0-42.el6   standard1.1 M
Installing for dependencies:
   ipa-admintoolsx86_64
3.0.0-42.el6   standard 67 k
   ipa-clientx86_64
3.0.0-42.el6   standard145 k
   ipa-pythonx86_64
3.0.0-42.el6   standard928 k
   ipa-server-selinuxx86_64
3.0.0-42.el6   standard 66 k

Transaction Summary

==
Install   5 Package(s)

Total download size: 2.3 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/5):
ipa-admintools-3.0.0-42.el6.x86_64.rpm
|  67 kB 00:00
(2/5):
ipa-client-3.0.0-42.el6.x86_64.rpm
| 145 kB 00:00
(3/5):
ipa-python-3.0.0-42.el6.x86_64.rpm

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[Rob Crittenden]

bahan w wrote:

Hello everyone.

I modified the /etc/selinux/config file :
#
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
#

Then I rebooted.
#
reboot
#

Here is the result of getenforce :
#
Permissive
#

I removed the ipa-server that I had and I tried te 3.0.0-42 :
#
yum install ipa-server-3.0.0-42.el6.x86_64
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
--> Processing Dependency: ipa-client = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-python = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for
package: ipa-server-3.0.0-42.el6.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==
  Package   Arch
VersionRepository   Size
==
Installing:
  ipa-serverx86_64
3.0.0-42.el6   standard1.1 M
Installing for dependencies:
  ipa-admintoolsx86_64
3.0.0-42.el6   standard 67 k
  ipa-clientx86_64
3.0.0-42.el6   standard145 k
  ipa-pythonx86_64
3.0.0-42.el6   standard928 k
  ipa-server-selinuxx86_64
3.0.0-42.el6   standard 66 k

Transaction Summary
==
Install   5 Package(s)

Total download size: 2.3 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/5):
ipa-admintools-3.0.0-42.el6.x86_64.rpm
|  67 kB 00:00
(2/5):
ipa-client-3.0.0-42.el6.x86_64.rpm
| 145 kB 00:00
(3/5):
ipa-python-3.0.0-42.el6.x86_64.rpm
| 928 kB 00:00
(4/5):
ipa-server-3.0.0-42.el6.x86_64.rpm
| 1.1 MB 00:00
(5/5):
ipa-server-selinux-3.0.0-42.el6.x86_64.rpm
|  66 kB 00:00
--
Total
6.8 MB/s | 2.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
   Installing :
ipa-python-3.0.0-42.el6.x86_64
1/5
   Installing :
ipa-client-3.0.0-42.el6.x86_64
2/5
   Installing :
ipa-admintools-3.0.0-42.el6.x86_64
3/5
   Installing :
ipa-server-3.0.0-42.el6.x86_64
4/5
   Installing :
ipa-server-selinux-3.0.0-42.el6.x86_64
5/5
libsepol.print_missing_requirements: ipa_dogtag's global requirements
were not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!
   Verifying  :
ipa-server-3.0.0-42.el6.x86_64
1/5
   Verifying  :
ipa-server-selinux-3.0.0-42.el6.x86_64
2/5
   Verifying  :
ipa-python-3.0.0-42.el6.x86_64
3/5
   Verifying  :
ipa-client-3.0.0-42.el6.x86_64
4/5
   Verifying  :
ipa-admintools-3.0.0-42.el6.x86_64
5/5

Installed:
   ipa-server.x86_64 0:3.0.0-42.el6

Dependency Installed:
   ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64
0:3.0.0-42.el6 ipa-python.x86_64 0:3.0.0-42.el6
   ipa-server-selinux.x86_64 0:3.0.0-42.el6

Complete!
#

The errors lin

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[bahan w]

Hello everyone.

I modified the /etc/selinux/config file :
#
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
#

Then I rebooted.
#
reboot
#

Here is the result of getenforce :
#
Permissive
#

I removed the ipa-server that I had and I tried te 3.0.0-42 :
#
yum install ipa-server-3.0.0-42.el6.x86_64
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
--> Processing Dependency: ipa-client = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-python = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==
 Package   Arch
VersionRepository   Size
==
Installing:
 ipa-serverx86_64
3.0.0-42.el6   standard1.1 M
Installing for dependencies:
 ipa-admintoolsx86_64
3.0.0-42.el6   standard 67 k
 ipa-clientx86_64
3.0.0-42.el6   standard145 k
 ipa-pythonx86_64
3.0.0-42.el6   standard928 k
 ipa-server-selinuxx86_64
3.0.0-42.el6   standard 66 k

Transaction Summary
==
Install   5 Package(s)

Total download size: 2.3 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/5):
ipa-admintools-3.0.0-42.el6.x86_64.rpm
|  67 kB 00:00
(2/5):
ipa-client-3.0.0-42.el6.x86_64.rpm
| 145 kB 00:00
(3/5):
ipa-python-3.0.0-42.el6.x86_64.rpm
| 928 kB 00:00
(4/5):
ipa-server-3.0.0-42.el6.x86_64.rpm
| 1.1 MB 00:00
(5/5):
ipa-server-selinux-3.0.0-42.el6.x86_64.rpm
|  66 kB 00:00
--
Total
6.8 MB/s | 2.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing :
ipa-python-3.0.0-42.el6.x86_64
1/5
  Installing :
ipa-client-3.0.0-42.el6.x86_64
2/5
  Installing :
ipa-admintools-3.0.0-42.el6.x86_64
3/5
  Installing :
ipa-server-3.0.0-42.el6.x86_64
4/5
  Installing :
ipa-server-selinux-3.0.0-42.el6.x86_64
5/5
libsepol.print_missing_requirements: ipa_dogtag's global requirements were
not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!
  Verifying  :
ipa-server-3.0.0-42.el6.x86_64
1/5
  Verifying  :
ipa-server-selinux-3.0.0-42.el6.x86_64
2/5
  Verifying  :
ipa-python-3.0.0-42.el6.x86_64
3/5
  Verifying  :
ipa-client-3.0.0-42.el6.x86_64
4/5
  Verifying  :
ipa-admintools-3.0.0-42.el6.x86_64
5/5

Installed:
  ipa-server.x86_64 0:3.0.0-42.el6

Dependency Installed:
  ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64
0:3.0.0-42.el6 ipa-python.x86_64 0:3.0.0-42.el6
  ipa-server-selinux.x86_64 0:3.0.0-42.el6

Complete!
#

The errors linked with dogtag is still there.
Now,

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[Sam]

@bahan

Could you also send the output of getenforce as well, just to make sure that 
selinux is permissive and persisting beyond reboots.

Cheers 

Sam

On 30 May 2015 1:10 pm, Lukas Slebodnik  wrote:
>
> On (29/05/15 18:56), bahan w wrote: 
> >Hm. 
> > 
> >@Jakub : 
> >I cannot upgrade, because I am not the hosting provider managing this VM 
> >unfortunately. 
> >I need to make it work with RHEL 6.4. 
> > 
> >@Sam : 
> >Selinux is deactivated : 
> > 
> >cat /etc/selinux/config 
> ># This file controls the state of SELinux on the system. 
> ># SELINUX=disabled 
> >#   enforcing - SELinux security policy is enforced. 
> >#   permissive - SELinux prints warnings instead of enforcing. 
> >#   disabled - SELinux is fully disabled. 
> >SELINUX=disabled 
> We do not test with disabled SELinux. 
> Could you try with "permissive" ? 
>
> LS 
>
> -- 
> Manage your subscription for the Freeipa-users mailing list: 
> https://www.redhat.com/mailman/listinfo/freeipa-users 
> Go to http://freeipa.org for more info on the project 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[Lukas Slebodnik]

On (29/05/15 18:56), bahan w wrote:
>Hm.
>
>@Jakub :
>I cannot upgrade, because I am not the hosting provider managing this VM
>unfortunately.
>I need to make it work with RHEL 6.4.
>
>@Sam :
>Selinux is deactivated :
>
>cat /etc/selinux/config
># This file controls the state of SELinux on the system.
># SELINUX=disabled
>#   enforcing - SELinux security policy is enforced.
>#   permissive - SELinux prints warnings instead of enforcing.
>#   disabled - SELinux is fully disabled.
>SELINUX=disabled
We do not test with disabled SELinux.
Could you try with "permissive" ?

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[bahan w]

Hm.

@Jakub :
I cannot upgrade, because I am not the hosting provider managing this VM
unfortunately.
I need to make it work with RHEL 6.4.

@Sam :
Selinux is deactivated :

cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted

Best regards.

Bahan


On Fri, May 29, 2015 at 6:39 PM,  wrote:

> Seem to be a fair few things implicating selinux there.
>
> Have you got it set to enforcing mode? If so, have you set any particular
> policy that may be angered by this?
>
> Sam
>
>
> May 29 2015 5:37 PM, "bahan w"  <%22bahan%20w%22%20%3cbahanw042...@gmail.com%3E>> wrote:
>
> Hello everyone.
>
> I send you this mail because I have a problem with the installation of
> FreeIPA Server 3.0 on a VM running on RHEL 6.4.
>
> First, when I performed the yum install ipa-server, I got an error but the
> installation finished finally with a complete.
> Here it is :
>
> 
>
> ===
> Install 4 Package(s)
>
> Total download size: 1.4 M
> Installed size: 4.6 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/4): ipa-admintools-3.0.0-42.el6.x86_64.rpm | 67 kB 00:00
> (2/4): ipa-client-3.0.0-42.el6.x86_64.rpm | 145 kB 00:00
> (3/4): ipa-server-3.0.0-42.el6.x86_64.rpm | 1.1 MB 00:00
> (4/4): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm | 66 kB 00:00
>
> ---
> Total 7.3 MB/s | 1.4 MB 00:00
> Total 7.3 MB/s | 1.4 MB 00:00
> Running rpm_check_debug
> Running Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Installing : ipa-client-3.0.0-42.el6.x86_64 1/4
> Installing : ipa-admintools-3.0.0-42.el6.x86_64 2/4
> Installing : ipa-server-3.0.0-42.el6.x86_64 3/4
> Installing : ipa-server-selinux-3.0.0-42.el6.x86_64 4/4
> libsepol.print_missing_requirements: ipa_dogtag's global requirements were
> not met: type/attribute pki_ca_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule: Failed!
> Verifying : ipa-server-3.0.0-42.el6.x86_64 1/4
> Verifying : ipa-server-selinux-3.0.0-42.el6.x86_64 2/4
> Verifying : ipa-client-3.0.0-42.el6.x86_64 3/4
> Verifying : ipa-admintools-3.0.0-42.el6.x86_64
>
> Installed:
> ipa-server.x86_64 0:3.0.0-42.el6
>
> Dependency Installed:
> ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64 0:3.0.0-42.el6
> ipa-server-selinux.x86_64 0:3.0.0-42.el6
>
> Complete!
> 
> Are these two errors blocking in order to use FreeIPA Server ? Or is it
> fine ?
> libsepol.print_missing_requirements: ipa_dogtag's global requirements were
> not met: type/attribute pki_ca_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule: Failed!
>
> Furthermore, when I try a ipa-server-install, I got also an error message
> during step
>
> 
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
> ipa : CRITICAL failed to create ds instance Command '/usr/sbin/
> setup-ds.pl --silent --logfile - -f /tmp/tmpPamNs8' returned non-zero
> exit status 1
> 
>
> And when I checked in the log, here is what I see
>
> Here is the message I see :
> 
> 2015-05-29T15:56:49Z DEBUG calling setup-ds.pl
> 4944 2015-05-29T15:56:49Z DEBUG args=/usr/sbin/setup-ds.pl --silent
> --logfile - -f /tmp/tmpkCAtzh
> 4945 2015-05-29T15:56:49Z DEBUG stdout=[15/05/29:17:56:49] - [Setup] Info
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 32256.
> Output: sh: /var/lib/dirsrv/scripts-MyRealm/ldif2db: Permission
> denied
> 4946
> 4947 Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
> 32256.  Output: sh: /var/lib/dirsrv/scripts-MyRealm/ldif2db: Permission
> denied
> 4948
> 4949 [15/05/29:17:56:49] - [Setup] Fatal Error: Could not create directory
> server instance 'MyRealm'.
> 4950 Error: Could not create directory server instance 'MyRealm'.
> 4951 [15/05/29:17:56:49] - [Setup] Fatal Exiting . . .
> 
>
> When I check the perm on the folders, everything is fine :
>
> 

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

[Jakub Hrozek]

On Fri, May 29, 2015 at 06:25:24PM +0200, bahan w wrote:
> Hello everyone.
> 
> I send you this mail because I have a problem with the installation of
> FreeIPA Server 3.0 on a VM running on RHEL 6.4.

This is really old, please upgrade if you can, ideally to RHEL-7.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project