Re: [Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-05 Thread Steve Dainard
rpm -qa | grep krb5
pam_krb5-2.3.11-9.el6.x86_64
*krb5-server-1.10.3-10.el6_4.6.x86_64*
krb5-libs-1.10.3-10.el6_4.6.x86_64
krb5-workstation-1.10.3-10.el6_4.6.x86_64

I don't see any segfaults in messages.

/var/log/dirsrv/slapd-MIOVISION-LINUX/errors looks pretty clean:

389-Directory/1.2.11.15 B2013.337.1530
ipa1.miovision.linux:389 (/etc/dirsrv/slapd-MIOVISION-LINUX)

[04/Feb/2014:15:39:54 -0500] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access the
database
[04/Feb/2014:15:39:54 -0500] - check_and_set_import_cache: pagesize: 4096,
pages: 1497738, procpages: 51916
[04/Feb/2014:15:39:54 -0500] - Import allocates 2396380KB import cache.
[04/Feb/2014:15:39:55 -0500] - import userRoot: Beginning import job...
[04/Feb/2014:15:39:55 -0500] - import userRoot: Index buffering enabled
with bucket size 100
[04/Feb/2014:15:39:56 -0500] - import userRoot: Processing file
"/var/lib/dirsrv/boot.ldif"
[04/Feb/2014:15:39:56 -0500] - import userRoot: Finished scanning file
"/var/lib/dirsrv/boot.ldif" (1 entries)
[04/Feb/2014:15:40:03 -0500] - import userRoot: Workers finished; cleaning
up...
[04/Feb/2014:15:40:04 -0500] - import userRoot: Workers cleaned up.
[04/Feb/2014:15:40:05 -0500] - import userRoot: Cleaning up producer
thread...
[04/Feb/2014:15:40:05 -0500] - import userRoot: Indexing complete.
 Post-processing...
[04/Feb/2014:15:40:06 -0500] - import userRoot: Generating numSubordinates
complete.
[04/Feb/2014:15:40:07 -0500] - Nothing to do to build ancestorid index
[04/Feb/2014:15:40:08 -0500] - import userRoot: Flushing caches...
[04/Feb/2014:15:40:08 -0500] - import userRoot: Closing files...
[04/Feb/2014:15:40:10 -0500] - All database threads now stopped
[04/Feb/2014:15:40:10 -0500] - import userRoot: Import complete.  Processed
1 entries in 15 seconds. (0.07 entries/sec)
[04/Feb/2014:15:40:18 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:40:19 -0500] - Db home directory is not set. Possibly
nsslapd-directory (optinally nsslapd-db-home-directory) is missing in the
config file.
[04/Feb/2014:15:40:19 -0500] - I'm resizing my cache now...cache was
2453893120 and is now 800
[04/Feb/2014:15:40:36 -0500] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[04/Feb/2014:15:40:36 -0500] - slapd shutting down - signaling operation
threads
[04/Feb/2014:15:40:37 -0500] - slapd shutting down - closing down internal
subsystems and plugins
[04/Feb/2014:15:40:37 -0500] - Waiting for 4 database threads to stop
[04/Feb/2014:15:40:38 -0500] - All database threads now stopped
[04/Feb/2014:15:40:38 -0500] - slapd stopped.
[04/Feb/2014:15:40:40 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:40:41 -0500] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[04/Feb/2014:15:40:43 -0500] - The change of nsslapd-ldapilisten will not
take effect until the server is restarted
[04/Feb/2014:15:41:10 -0500] - Warning: Adding configuration attribute
"nsslapd-security"
[04/Feb/2014:15:41:13 -0500] - slapd shutting down - signaling operation
threads
[04/Feb/2014:15:41:14 -0500] - slapd shutting down - waiting for 30 threads
to terminate
[04/Feb/2014:15:41:14 -0500] - slapd shutting down - closing down internal
subsystems and plugins
[04/Feb/2014:15:41:15 -0500] - Waiting for 4 database threads to stop
[04/Feb/2014:15:41:17 -0500] - All database threads now stopped
[04/Feb/2014:15:41:17 -0500] - slapd stopped.
[04/Feb/2014:15:41:27 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:41:27 -0500] attrcrypt - No symmetric key found for cipher
AES in backend userRoot, attempting to create one...
[04/Feb/2014:15:41:28 -0500] attrcrypt - Key for cipher AES successfully
generated and stored
[04/Feb/2014:15:41:29 -0500] attrcrypt - No symmetric key found for cipher
3DES in backend userRoot, attempting to create one...
[04/Feb/2014:15:41:29 -0500] attrcrypt - Key for cipher 3DES successfully
generated and stored
[04/Feb/2014:15:41:31 -0500] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[04/Feb/2014:15:41:31 -0500] - Listening on All Interfaces port 636 for
LDAPS requests
[04/Feb/2014:15:41:32 -0500] - Listening on
/var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
[04/Feb/2014:15:42:06 -0500] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
should be added before the CoS Definition.
[04/Feb/2014:15:44:31 -0500] - slapd shutting down - signaling operation
threads
[04/Feb/2014:15:44:33 -0500] - slapd shutting down - closing down internal
subsystems and plugins
[04/Feb/2014:15:44:44 -0500] - Waiting for 4 database threads to stop
[04/Feb/2014:15:44:47 -0500] - All database threads now stopped
[04/Feb/2014:15:44:47 -0500] - slapd stopped.
[04/Feb/2014:15:44:49 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[04/Feb/2014:15:44:51 -0500] schema-compat-plugin - warning: no e

Re: [Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-05 Thread Rob Crittenden

Steve Dainard wrote:

Following this guide:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

STEP 4:
ipa-server-install --setup-dns -p '' -a '' -r
MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
--forwarder=10.0.0.2 --forwarder=10.0.0.5

Server host name [ipa1.miovision.linux]:

Warning: skipping DNS resolution of host ipa1.miovision.linux
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.0.6.3
Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
Using reverse zone 6.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:  ipa1.miovision.linux
IP address:10.0.6.3
Domain name:   miovision.linux
Realm name:MIOVISION.LINUX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:10.0.0.2, 10.0.0.5
Reverse zone:  6.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd

...

Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
   [1/10]: adding sasl mappings to the directory
   [2/10]: adding kerberos container to the directory
   [3/10]: configuring KDC
   [4/10]: initialize kerberos container
Failed to initialize the realm container
   [5/10]: adding default ACIs
   [6/10]: creating a keytab for the directory
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1

*/var/log/ipaserver-install.log*

add aci:

(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux")(targetattr="userCertificate")(version
3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn =
"ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux";)
modifying entry "cn=ipa,cn=etc,dc=miovision,dc=linux"
modify complete


2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )

2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
root/admin@MIOVISION.LINUX with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
 return_value = main_function()

   File "/usr/sbin/ipa-server-install", line 1024, in main
 subject_base=options.subject)

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
line 183, in create_instance
 self.start_creation(runtime=30)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
line 358, in start_creation
 method()

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
line 386, in __create_ds_keytab
 installutils.kadmin_addprinc(ldap_principal)

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 369, in kadmin_addprinc
 kadmin("addprinc -randkey " + principal)

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 366, in kadmin
 "-x", "ipa-setup-override-restrictions"])

   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line
316, in run
 raise CalledProcessError(p.returncode, args)

2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
exception: CalledProcessError: Command 'kadmin.local -q addprinc
-randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1



Steve sent me the logs out-of-band. I think the problem is an earlier 
failure after generating the master key:


2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r MIOVISION.LINUX 
-x ipa-setup-override-restrictions

2014-02-04T20:45:45Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 
'MIOVISION.LINUX',

master key name 'K/M@MIOVISION.LINUX'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext: 
Assertion `ld != ((void *)0)' failed.


What ve
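The diagnosis above rests on reading the install log for the first failing command rather than the one the installer finally reports: the kdb5_util assertion in ldap_add_ext happens six seconds before kadmin.local complains about a missing entry, and the second error is only a consequence of the first. The script below is an added example for this thread, not FreeIPA's own tooling; it assumes the record layout visible in Steve's excerpt (a timestamped `args=` line followed by `stdout=` / `stderr=` captures, with continuation lines for multi-line output), groups the log into per-command records and reports the earliest command whose stderr matches a known failure message. The sample log is constructed from the lines quoted in this thread, and the failure patterns are taken from those same messages (extend the list for other installers).

```python
"""Find the earliest failing external command in an ipaserver-install.log.

Added example (not FreeIPA code). Assumed record shape, as seen in the log
excerpt in this thread:

    <ts> DEBUG args=<command line>
    <ts> DEBUG stdout=<first line of stdout>
    <continuation lines of stdout>
    <ts> DEBUG stderr=<first line of stderr>
    <continuation lines of stderr>
"""
import re

# Start of a log record: ISO-8601 UTC timestamp, level, payload.
RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|ERROR) (.*)$")

# stderr fragments that mark a command as failed. Both are taken from the
# messages quoted in this thread; add more for other failure modes.
FAILURE_PATTERNS = [
    re.compile(r"Assertion .* failed"),           # kdb5_util / libldap abort
    re.compile(r"No such entry in the database"),  # kadmin.local on empty KDB
]


def parse_records(log_text):
    """Group log lines into command records: {ts, args, stdout, stderr}."""
    records, current, field = [], None, None
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            payload = m.group(3)
            if payload.startswith("args="):
                current = {"ts": m.group(1), "args": payload[len("args="):],
                           "stdout": "", "stderr": ""}
                records.append(current)
                field = "args"
            elif current is not None and payload.startswith("stdout="):
                field = "stdout"
                current[field] += payload[len("stdout="):] + "\n"
            elif current is not None and payload.startswith("stderr="):
                field = "stderr"
                current[field] += payload[len("stderr="):] + "\n"
            else:
                # Any other record (duration, step marker) closes the capture.
                field = None
        elif current is not None and field == "args":
            current["args"] += " " + line.strip()   # wrapped command line
        elif current is not None and field is not None:
            current[field] += line + "\n"           # multi-line stdout/stderr
    return records


def failing_records(records):
    """Records whose stderr matches any known failure pattern, in log order."""
    return [r for r in records
            if any(p.search(r["stderr"]) for p in FAILURE_PATTERNS)]


def earliest_failure(log_text):
    """The first failing command, i.e. the likely root cause, or None."""
    fails = failing_records(parse_records(log_text))
    return fails[0] if fails else None


# Constructed sample, assembled from the log lines quoted in this thread.
SAMPLE_LOG = """\
2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:45Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MIOVISION.LINUX',
master key name 'K/M@MIOVISION.LINUX'
Enter KDC database master key:
Re-enter KDC database master key to verify:

2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext: Assertion `ld != ((void *)0)' failed.

2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal root/admin@MIOVISION.LINUX with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO The ipa-server-install command failed, exception: CalledProcessError
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in failing_records(parse_records(text)):
        print("%s  %s\n    stderr: %s" % (r["ts"], r["args"], r["stderr"].strip()))
    root = earliest_failure(text)
    print("\nlikely root cause: %s" % (root["args"] if root else "none found"))
```

Run it with no arguments to see the two failures from the thread in order, or pass a path such as /var/log/ipaserver-install.log to triage a real installation; the kdb5_util record is reported first, which is the point Rob makes above.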

Re: [Freeipa-users] ipa-server-install fails (RHEL 6.5)

2014-02-05 Thread Rob Crittenden

Steve Dainard wrote:

Following this guide:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

STEP 4:
ipa-server-install --setup-dns -p '' -a '' -r
MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
--forwarder=10.0.0.2 --forwarder=10.0.0.5

Server host name [ipa1.miovision.linux]:

Warning: skipping DNS resolution of host ipa1.miovision.linux
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.0.6.3
Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
Using reverse zone 6.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:  ipa1.miovision.linux
IP address:10.0.6.3
Domain name:   miovision.linux
Realm name:MIOVISION.LINUX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:10.0.0.2, 10.0.0.5
Reverse zone:  6.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd

...

Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
   [1/10]: adding sasl mappings to the directory
   [2/10]: adding kerberos container to the directory
   [3/10]: configuring KDC
   [4/10]: initialize kerberos container
Failed to initialize the realm container
   [5/10]: adding default ACIs
   [6/10]: creating a keytab for the directory
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1

*/var/log/ipaserver-install.log*

add aci:

(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux")(targetattr="userCertificate")(version
3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn =
"ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux";)
modifying entry "cn=ipa,cn=etc,dc=miovision,dc=linux"
modify complete


2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )

2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
root/admin@MIOVISION.LINUX with password.

2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
database while initializing kadmin.local interface

2014-02-04T20:45:51Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
 return_value = main_function()

   File "/usr/sbin/ipa-server-install", line 1024, in main
 subject_base=options.subject)

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
line 183, in create_instance
 self.start_creation(runtime=30)

   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
line 358, in start_creation
 method()

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
line 386, in __create_ds_keytab
 installutils.kadmin_addprinc(ldap_principal)

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 369, in kadmin_addprinc
 kadmin("addprinc -randkey " + principal)

   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 366, in kadmin
 "-x", "ipa-setup-override-restrictions"])

   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line
316, in run
 raise CalledProcessError(p.returncode, args)

2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
exception: CalledProcessError: Command 'kadmin.local -q addprinc
-randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
ipa-setup-override-restrictions' returned non-zero exit status 1



Hmm, strange. Nothing is jumping out at me for the cause or solution. 
What version of IPA is this? rpm -q ipa-server


Any chance you can send the entire server install log? You can send it 
to me privately if you'd like.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users