Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-17 Thread Martin Kosek
Looks like a bug, yes. I am just not sure whether it is in a missing Saltstack SELinux
module or in the actual SELinux policy. You can try filing a bug against the SELinux policy.

Looking at SaltStack Troubleshooting guide, would switching to rpm_script_t 
help?

http://docs.saltstack.com/en/latest/topics/troubleshooting/#salt-and-selinux

On 03/16/2015 05:21 PM, Andrew Holway wrote:
 Hi,
 
 I think this is perhaps a bug?
 
 Thanks,
 
 Andrew
 
 On 13 March 2015 at 15:55, Andrew Holway andrew.hol...@gmail.com wrote:
 


 On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:

 Is SELinux on?

 Yes,

 ipa-server-install is running in the initrc_t domain but I guess it's set
 up to run unconfined


 ps -Z with ipa-server-install run from salt-stack :

 system_u:system_r:init_t:s0 root   1568  0.0  1.4 231308 14652 ?
   Ss   14:31   0:00 /bin/python2 /usr/bin/salt-minion

 system_u:system_r:initrc_t:s0   root   3101  1.0  4.8 222004 49232 ?
   S14:47   0:01 /usr/bin/python -E /usr/sbin/ipa-server-install

 ps -Z with ipa-server-install run from console :

 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7  4.8
 323356 48860 pts/1 S+ 14:53   0:00 /usr/bin/python -E
 /sbin/ipa-server-install


 On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:

 Hallo

 I have a quite odd situation. I am using saltstack to set up freeipa
 servers on Centos 7 but I am getting the following error:

 failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1

 Saltstack outputs the command it is trying to run:

 ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p
 password -n cloud.domain.de --setup-dns --unattended --no-forwarders

 However if I run this command manually on a clean machine it works fine.

 It works on Centos 6.



 I see this in the slapd error log:

 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed
 s/NATIVE-INSTRUMENTS/DOMAIN/g
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes

 ipaserver-install.log

 015-03-13T10:45:57Z DEBUG Loading StateFile from
 '/var/lib/ipa/sysrestore/sysrestore.state'
 2015-03-13T10:45:57Z DEBUG Loading Index file from
 '/var/lib/ipa/sysrestore/sysrestore.index'
 2015-03-13T10:45:57Z DEBUG httpd is not configured
 2015-03-13T10:45:57Z DEBUG kadmin is not configured
 2015-03-13T10:45:57Z DEBUG dirsrv is not configured
 2015-03-13T10:45:57Z DEBUG pki-cad is not configured
 2015-03-13T10:45:57Z DEBUG pki-tomcatd is not configured
 2015-03-13T10:45:57Z DEBUG install is not configured
 2015-03-13T10:45:57Z DEBUG krb5kdc is not configured
 2015-03-13T10:45:57Z DEBUG ntpd is not configured
 2015-03-13T10:45:57Z DEBUG named is not configured
 2015-03-13T10:45:57Z DEBUG ipa_memcached is not configured
 2015-03-13T10:45:57Z DEBUG filestore is tracking no files
 2015-03-13T10:45:57Z DEBUG Loading Index file from
 '/var/lib/ipa-client/sysrestore/sysrestore.index'
 2015-03-13T10:45:57Z DEBUG /usr/sbin/ipa-server-install was invoked with
 options: {'reverse_zone': None, 'mkhomedir': False, 'create_sshfp': True,
 'conf_sshd': True, 'conf_ntp': True, 'subject': None, 'no_forwarders':
 True, 'ui_redirect': True, 'domain_name': 'cloud.domain.de', 'idmax':
 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None,
 'unattended': True, 'trust_sshfp': False, 'external_ca_file': None,
 'no_host_dns': False, 'http_pkcs12': None, 'realm_name': '
 CLOUD.DOMAIN.DE', 'forwarders': None, 'idstart': 154440,
 'external_ca': False, 'ip_address': None, 'conf_ssh': True, 'zonemgr':
 None, 'root_ca_file': None, 'setup_dns': True, 

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-16 Thread Andrew Holway
Hi,

I think this is perhaps a bug?

Thanks,

Andrew

On 13 March 2015 at 15:55, Andrew Holway andrew.hol...@gmail.com wrote:



 On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:

 Is SELinux on?

 Yes,

 ipa-server-install is running in the initrc_t domain but I guess it's set
 up to run unconfined


 ps -Z with ipa-server-install run from salt-stack :

 system_u:system_r:init_t:s0 root   1568  0.0  1.4 231308 14652 ?
   Ss   14:31   0:00 /bin/python2 /usr/bin/salt-minion

 system_u:system_r:initrc_t:s0   root   3101  1.0  4.8 222004 49232 ?
   S14:47   0:01 /usr/bin/python -E /usr/sbin/ipa-server-install

 ps -Z with ipa-server-install run from console :

 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7  4.8
 323356 48860 pts/1 S+ 14:53   0:00 /usr/bin/python -E
 /sbin/ipa-server-install


 On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:

 Hallo

 I have a quite odd situation. I am using saltstack to set up freeipa
 servers on Centos 7 but I am getting the following error:

 failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1

 Saltstack outputs the command it is trying to run:

 ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p
 password -n cloud.domain.de --setup-dns --unattended --no-forwarders

 However if I run this command manually on a clean machine it works fine.

 It works on Centos 6.



 I see this in the slapd error log:

 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed
 s/NATIVE-INSTRUMENTS/DOMAIN/g
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes

 ipaserver-install.log

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
Hi Dimitri

type=AVC msg=audit(1426243559.181:623): avc:  *denied*  { create } for
pid=2740 comm=ns-slapd name=imports
scontext=system_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

type=AVC msg=audit(1426243559.388:625): avc:  *denied*  { create } for
pid=2754 comm=ns-slapd name=imports
scontext=system_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
I can't find the name of the tool that scans the audit log and proposes
boolean changes. So much of this stuff seems to be GUI tools.


On 13 March 2015 at 14:15, Dmitri Pal d...@redhat.com wrote:

  On 03/13/2015 07:43 AM, Andrew Holway wrote:

  Hallo

  I have a quite odd situation. I am using saltstack to set up freeipa
 servers on Centos 7 but I am getting the following error:

  failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1

  Saltstack outputs the command it is trying to run:

  ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p
 password -n cloud.domain.de --setup-dns --unattended --no-forwarders

  However if I run this command manually on a clean machine it works fine.

  It works on Centos 6.



 It usually means that you have different privileges and context when you
 are running command manually and via SaltStack.
 There is probably a different user and a different SELinux context.
 Do you see any AVC denials?

 It really seems that you have two DS instances going on the same machine.
 I suspect that when run manually as root you sort of override the lock and
 things go through but when you do it via SaltStack it is different.

 Why do you need two DS instances?





  I see this in the slapd error log:

  [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
  389-Directory/1.3.1.6 B2014.219.1825
  freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)

  [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed
 s/NATIVE-INSTRUMENTS/DOMAIN/g
  389-Directory/1.3.1.6 B2014.219.1825
  freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)

  [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes

  ipaserver-install.log

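An added example, not code from the thread nor from FreeIPA or SaltStack: a small Python parser for the AVC records and the `ps -Z` lines quoted in this thread, doing in miniature what audit2why from policycoreutils does in full (that is the command-line tool that reads audit.log and explains each denial). It assumes one record per line as in /var/log/audit/audit.log; the sample records are the thread's own, re-joined onto single lines, plus one constructed SYSCALL line.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC records Andrew posted, re-joined onto one
# line each as they sit in /var/log/audit/audit.log (the mail client wrapped them
# and put asterisks around "denied"), plus one constructed SYSCALL record to show
# that non-AVC records are skipped.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1426243559.181:623): avc:  denied  { create } for pid=2740 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1426243559.181:623): arch=c000003e syscall=83 success=no exit=-13 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
type=AVC msg=audit(1426243559.388:625): avc:  denied  { create } for pid=2754 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

# Constructed sample input: the three `ps -Z` lines from the thread, re-joined.
PS_SAMPLE = """\
system_u:system_r:init_t:s0 root 1568 0.0 1.4 231308 14652 ? Ss 14:31 0:00 /bin/python2 /usr/bin/salt-minion
system_u:system_r:initrc_t:s0 root 3101 1.0 4.8 222004 49232 ? S 14:47 0:01 /usr/bin/python -E /usr/sbin/ipa-server-install
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7 4.8 323356 48860 pts/1 S+ 14:53 0:00 /usr/bin/python -E /sbin/ipa-server-install
"""

# Tolerates the "*denied*" form the mail client produced as well as the real one.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"\*?(?P<result>denied|granted)\*?\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "tclass": fields.get("tclass", "?"),
        "stype": parse_context(fields["scontext"])["type"],
        "ttype": parse_context(fields["tcontext"])["type"],
    }


def group_denials(audit_text):
    """Count identical denials by (source domain, target type, object class, perms)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def describe(key, count):
    """One human-readable line per distinct denial, audit2why-style."""
    stype, ttype, tclass, perms = key
    return "%d x %s denied {%s} on %s labelled %s" % (
        count, stype, " ".join(perms), tclass, ttype)


def process_domains(ps_text):
    """Map each command in `ps auxZ`-style output to the SELinux domain it runs in."""
    out = []
    for line in ps_text.splitlines():
        # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        cols = line.split(None, 11)
        if len(cols) == 12:
            out.append((parse_context(cols[0])["type"], cols[11]))
    return out


if __name__ == "__main__":
    for key, n in sorted(group_denials(AUDIT_SAMPLE).items()):
        print(describe(key, n))
    for domain, cmd in process_domains(PS_SAMPLE):
        print("%-14s %s" % (domain, cmd))
```

The grouped output shows the pattern the thread is about: a confined daemon (dirsrv_t) refused a permission on an object carrying the generic var_lock_t type, which typically points at the object's label rather than at a boolean, so checking the label of the lock directory with `ls -Zd` is the natural next step.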
Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Michael Lasevich
Is SELinux on?
On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:

 Hallo

 I have a quite odd situation. I am using saltstack to set up freeipa
 servers on Centos 7 but I am getting the following error:

 failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1

 Saltstack outputs the command it is trying to run:

 ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p
 password -n cloud.domain.de --setup-dns --unattended --no-forwarders

 However if I run this command manually on a clean machine it works fine.

 It works on Centos 6.



 I see this in the slapd error log:

 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed
 s/NATIVE-INSTRUMENTS/DOMAIN/g
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes

 ipaserver-install.log

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
Old bug report -
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=959953

On 13 March 2015 at 15:24, Andrew Holway andrew.hol...@gmail.com wrote:

 Hi Dimitri

 type=AVC msg=audit(1426243559.181:623): avc:  *denied*  { create } for
 pid=2740 comm=ns-slapd name=imports
 scontext=system_u:system_r:dirsrv_t:s0
 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

 type=AVC msg=audit(1426243559.388:625): avc:  *denied*  { create } for
 pid=2754 comm=ns-slapd name=imports
 scontext=system_u:system_r:dirsrv_t:s0
 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
 I can't find the name of the tool that scans the audit log and proposes
 boolean changes. So much of this stuff seems to be GUI tools.


 On 13 March 2015 at 14:15, Dmitri Pal d...@redhat.com wrote:

  On 03/13/2015 07:43 AM, Andrew Holway wrote:

  Hallo

  I have a quite odd situation. I am using saltstack to set up freeipa
 servers on Centos 7 but I am getting the following error:

  failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1

  Saltstack outputs the command it is trying to run:

  ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p
 password -n cloud.domain.de --setup-dns --unattended --no-forwarders

  However if I run this command manually on a clean machine it works fine.

  It works on Centos 6.



 It usually means that you have different privileges and context when you
 are running command manually and via SaltStack.
 There is probably a different user and a different SELinux context.
 Do you see any AVC denials?

 It really seems that you have two DS instances going on the same machine.
 I suspect that when run manually as root you sort of override the lock and
 things go through but when you do it via SaltStack it is different.

 Why do you need two DS instances?





  I see this in the slapd error log:

  [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
  389-Directory/1.3.1.6 B2014.219.1825
  freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)

  [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed
 s/NATIVE-INSTRUMENTS/DOMAIN/g
  389-Directory/1.3.1.6 B2014.219.1825
  freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)

  [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes

  ipaserver-install.log

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:

 Is SELinux on?

Yes,

ipa-server-install is running in the initrc_t domain but I guess it's set up
to run unconfined


ps -Z with ipa-server-install run from salt-stack :

system_u:system_r:init_t:s0 root   1568  0.0  1.4 231308 14652 ?
Ss   14:31   0:00 /bin/python2 /usr/bin/salt-minion

system_u:system_r:initrc_t:s0   root   3101  1.0  4.8 222004 49232 ?
S14:47   0:01 /usr/bin/python -E /usr/sbin/ipa-server-install

ps -Z with ipa-server-install run from console :

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7  4.8
323356 48860 pts/1 S+ 14:53   0:00 /usr/bin/python -E
/sbin/ipa-server-install


On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:

 Hallo

 I have a quite odd situation. I am using saltstack to set up freeipa
 servers on Centos 7 but I am getting the following error:

 failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1

 Saltstack outputs the command it is trying to run:

 ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p
 password -n cloud.domain.de --setup-dns --unattended --no-forwarders

 However if I run this command manually on a clean machine it works fine.

 It works on Centos 6.



 I see this in the slapd error log:

 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape
 Portable Runtime error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed
 s/NATIVE-INSTRUMENTS/DOMAIN/g
 389-Directory/1.3.1.6 B2014.219.1825
 freeipa-2.cloud.native-instruments.de:389
 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)

 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes
 [13/Mar/2015:10:45:59 +] - Error - Unable to create
 /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime
 error -5966 (Access Denied.)
 [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts
 with other slapd processes

 ipaserver-install.log