Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing
Looks like a bug, yes. I am just not sure whether it is in a missing Saltstack SELinux module or in the actual SELinux policy. You can try filing a bug against the SELinux policy.

Looking at the SaltStack Troubleshooting guide, would switching to rpm_script_t help?
http://docs.saltstack.com/en/latest/topics/troubleshooting/#salt-and-selinux

On 03/16/2015 05:21 PM, Andrew Holway wrote:
> Hi,
>
> I think this is perhaps a bug?
>
> Thanks,
> Andrew
>
> On 13 March 2015 at 15:55, Andrew Holway andrew.hol...@gmail.com wrote:
>> On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:
>>> Is SELinux on?
>>
>> Yes, ipa-server-install is running in the initrc_t domain but I guess it's set up to run unconfined.
>>
>> ps -Z with ipa-server-install run from salt-stack:
>>
>> system_u:system_r:init_t:s0 root 1568 0.0 1.4 231308 14652 ? Ss 14:31 0:00 /bin/python2 /usr/bin/salt-minion
>> system_u:system_r:initrc_t:s0 root 3101 1.0 4.8 222004 49232 ? S 14:47 0:01 /usr/bin/python -E /usr/sbin/ipa-server-install
>>
>> ps -Z with ipa-server-install run from console:
>>
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7 4.8 323356 48860 pts/1 S+ 14:53 0:00 /usr/bin/python -E /sbin/ipa-server-install
>>
>>> On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:
>>>> Hallo
>>>>
>>>> I have a quite odd situation. I am using saltstack to set up freeipa servers on Centos 7 but I am getting the following error:
>>>>
>>>> failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1
>>>>
>>>> Saltstack outputs the command it is trying to run:
>>>>
>>>> ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p password -n cloud.domain.de --setup-dns --unattended --no-forwarders
>>>>
>>>> However if I run this command manually on a clean machine it works fine. It works on Centos 6.
>>>>
>>>> I see this in the slapd error log:
>>>>
>>>> [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors
>>>> 389-Directory/1.3.1.6 B2014.219.1825
>>>> freeipa-2.cloud.native-instruments.de:389 (/etc/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE)
>>>> [13/Mar/2015:10:45:59 +] - Error - Unable to create /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape Portable Runtime error -5966 (Access Denied.)
>>>> [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts with other slapd processes
>>>> [13/Mar/2015:10:45:59 +] - Error - Unable to create /var/lock/dirsrv/slapd-CLOUD-NATIVE-INSTRUMENTS-DE/imports, Netscape Portable Runtime error -5966 (Access Denied.)
>>>> [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts with other slapd processes
>>>>
>>>> [root@freeipa-2 slapd-CLOUD-NATIVE-INSTRUMENTS-DE]# cat errors | sed s/NATIVE-INSTRUMENTS/DOMAIN/g
>>>> 389-Directory/1.3.1.6 B2014.219.1825
>>>> freeipa-2.cloud.native-instruments.de:389 (/etc/dirsrv/slapd-CLOUD-DOMAIN-DE)
>>>> [13/Mar/2015:10:45:59 +] - Error - Unable to create /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime error -5966 (Access Denied.)
>>>> [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts with other slapd processes
>>>> [13/Mar/2015:10:45:59 +] - Error - Unable to create /var/lock/dirsrv/slapd-CLOUD-DOMAIN-DE/imports, Netscape Portable Runtime error -5966 (Access Denied.)
>>>> [13/Mar/2015:10:45:59 +] - Shutting down due to possible conflicts with other slapd processes
>>>>
>>>> ipaserver-install.log
Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing
Hi,

I think this is perhaps a bug?

Thanks,
Andrew

On 13 March 2015 at 15:55, Andrew Holway andrew.hol...@gmail.com wrote:
> On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:
>> Is SELinux on?
>
> Yes, ipa-server-install is running in the initrc_t domain but I guess it's set up to run unconfined.
>
> ps -Z with ipa-server-install run from salt-stack:
>
> system_u:system_r:init_t:s0 root 1568 0.0 1.4 231308 14652 ? Ss 14:31 0:00 /bin/python2 /usr/bin/salt-minion
> system_u:system_r:initrc_t:s0 root 3101 1.0 4.8 222004 49232 ? S 14:47 0:01 /usr/bin/python -E /usr/sbin/ipa-server-install
>
> ps -Z with ipa-server-install run from console:
>
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7 4.8 323356 48860 pts/1 S+ 14:53 0:00 /usr/bin/python -E /sbin/ipa-server-install
Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing
Hi Dimitri

type=AVC msg=audit(1426243559.181:623): avc: *denied* { create } for pid=2740 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1426243559.388:625): avc: *denied* { create } for pid=2754 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

I can't find the name of the tool that scans the audit log and proposes boolean changes. So much of this stuff seems to be GUI tools.

On 13 March 2015 at 14:15, Dmitri Pal d...@redhat.com wrote:
> On 03/13/2015 07:43 AM, Andrew Holway wrote:
>> Hallo
>>
>> I have a quite odd situation. I am using saltstack to set up freeipa servers on Centos 7 but I am getting the following error:
>>
>> failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1
>>
>> Saltstack outputs the command it is trying to run:
>>
>> ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p password -n cloud.domain.de --setup-dns --unattended --no-forwarders
>>
>> However if I run this command manually on a clean machine it works fine. It works on Centos 6.
>
> It usually means that you have different privileges and context when you are running the command manually and via SaltStack. There is probably a different user and a different SELinux context. Do you see any AVC denials?
>
> It really seems that you have two DS instances going on the same machine. I suspect that when run manually as root you sort of override the lock and things go through, but when you do it via SaltStack it is different. Why do you need two DS instances?
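The two AVC records Andrew pasted are the raw material a denial triage starts from (the command-line tool he is looking for is audit2allow, which groups denials exactly this way). The following is an added example, not code from the thread: a small Python parser that extracts the source type, target type, object class and permissions from audit.log AVC records, groups identical denials, and flags a confined daemon type being denied on a generic file type. The sample records are constructed from the two quoted above, and the set of "generic" types used by the heuristic is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the two AVC records quoted in the thread, written the way
# auditd stores them in /var/log/audit/audit.log (comm/name quoted), plus one non-AVC
# SYSCALL record (constructed) to show that unrelated record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1426243559.181:623): avc:  denied  { create } for  pid=2740 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1426243559.181:623): arch=c000003e syscall=83 success=no exit=-13 comm="ns-slapd"
type=AVC msg=audit(1426243559.388:625): avc:  denied  { create } for  pid=2754 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

# Assumed list of generic file types. A confined daemon being denied on one of these
# usually means the path carries the wrong label (the daemon-specific type is missing
# on the directory) rather than that the daemon's policy lacks a rule. Heuristic only.
GENERIC_TARGET_TYPES = {"var_lock_t", "var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t"}

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, value optionally quoted


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    perms: tuple
    pid: int
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # user:role:type[:range] -> type

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_line(line: str):
    """Return an AvcDenial for one 'type=AVC ... denied' record, else None."""
    m = AVC_RE.match(line.strip())
    if m is None or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return AvcDenial(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            perms=tuple(sorted(m.group("perms").split())),
            pid=int(fields["pid"]),
            comm=fields["comm"],
            name=fields.get("name", ""),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        )
    except (KeyError, ValueError):
        return None   # truncated or malformed record: skip it rather than guess


def parse_audit_log(text: str) -> list:
    return [d for d in (parse_avc_line(ln) for ln in text.splitlines()) if d is not None]


def summarize(denials) -> Counter:
    """Collapse denials to (source type, target type, class, perms) with a count."""
    return Counter((d.source_type, d.target_type, d.tclass, d.perms) for d in denials)


def likely_mislabel(d: AvcDenial) -> bool:
    """Heuristic: the denied object carries a generic type, so check its label first."""
    return d.target_type in GENERIC_TARGET_TYPES


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perms), n in summarize(found).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    for d in found:
        if likely_mislabel(d):
            print(f"serial {d.serial}: {d.comm} (pid {d.pid}) denied on generic type "
                  f"{d.target_type} for '{d.name}': verify the label of that path")
```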
Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing
Is SELinux on?

On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:
> Hallo
>
> I have a quite odd situation. I am using saltstack to set up freeipa servers on Centos 7 but I am getting the following error:
>
> failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1
>
> Saltstack outputs the command it is trying to run:
>
> ipa-server-install -a password --realm CLOUD.DOMAIN.DE -P password -p password -n cloud.domain.de --setup-dns --unattended --no-forwarders
>
> However if I run this command manually on a clean machine it works fine. It works on Centos 6.
Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing
Old bug report - https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=959953

On 13 March 2015 at 15:24, Andrew Holway andrew.hol...@gmail.com wrote:
> Hi Dimitri
>
> type=AVC msg=audit(1426243559.181:623): avc: *denied* { create } for pid=2740 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1426243559.388:625): avc: *denied* { create } for pid=2754 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
>
> I can't find the name of the tool that scans the audit log and proposes boolean changes. So much of this stuff seems to be GUI tools.
Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing
On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:
> Is SELinux on?

Yes, ipa-server-install is running in the initrc_t domain but I guess it's set up to run unconfined.

ps -Z with ipa-server-install run from salt-stack:

system_u:system_r:init_t:s0 root 1568 0.0 1.4 231308 14652 ? Ss 14:31 0:00 /bin/python2 /usr/bin/salt-minion
system_u:system_r:initrc_t:s0 root 3101 1.0 4.8 222004 49232 ? S 14:47 0:01 /usr/bin/python -E /usr/sbin/ipa-server-install

ps -Z with ipa-server-install run from console:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4503 23.7 4.8 323356 48860 pts/1 S+ 14:53 0:00 /usr/bin/python -E /sbin/ipa-server-install