<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/09/2014 04:07 PM, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:5487104D.8050205@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 12/09/2014 11:15 AM, thierry
bordaz wrote:<br>
</div>
<blockquote cite="mid:5486CBDF.7050606@redhat.com" type="cite">On
12/09/2014 10:48 AM, Niranjan M.R wrote: <br>
<blockquote type="cite">-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA1 <br>
<br>
On 12/09/2014 02:57 PM, thierry bordaz wrote: <br>
<blockquote type="cite">Hello, <br>
<br>
Niranjan, may I have access to your test machine. <br>
<br>
</blockquote>
It's a vm on my laptop. I am trying to reproduce on another VM
<br>
to which i can give access. I will provide the details of this
VM as soon <br>
as possible. <br>
<br>
Mean while i am providing ns-slapd access logs, ipa-logs and
pkispawn logs. <br>
</blockquote>
<br>
Something curious is that the installer is waiting for DS to
restart but it is looking like DS has not received the
terminaison signal. <br>
<br>
2014-12-09T09:37:49Z DEBUG Waiting for CA to start... <br>
... <br>
2014-12-09T09:42:45Z DEBUG Waiting for CA to start... <br>
<br>
<br>
[09/Dec/2014:04:37:41 -0500] - Warning: Adding configuration
attribute "nsslapd-security" <br>
<br>
<< here we should expect a restart of DS >> <br>
<br>
First why DS did not receive the restart order and then as it is
still running (DS looks idle) what does the install is waiting
for. <br>
</blockquote>
<br>
<blockquote>At the end of the CS configuration, the installer
configure ssl DS, restart DS it and then reach the ldap to
retrieve the CA status. It fails<br>
</blockquote>
<blockquote><tt>pki/pki-tomcat/localhost.2014-12-09.log</tt><br>
<tt>Dec 09, 2014 4:37:49 AM
org.apache.catalina.core.StandardWrapperValve invoke</tt><br>
<tt>SEVERE: Servlet.service() for servlet [caGetStatus] in
context with path [/ca] threw exception</tt><br>
<tt>java.io.IOException: CS server is not ready to serve.</tt><br>
<tt> at
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)</tt><br>
<tt> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)</tt><br>
<tt> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</tt><br>
<tt> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)</tt><br>
<tt> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</tt><br>
<tt> at java.lang.reflect.Method.invoke(Method.java:606)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)</tt><br>
<tt> at
java.security.AccessController.doPrivileged(Native Method)</tt><br>
<tt> at
javax.security.auth.Subject.doAsPrivileged(Subject.java:536)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)</tt><br>
<tt> at
java.security.AccessController.doPrivileged(Native Method)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)</tt><br>
<tt> at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)</tt><br>
<tt> at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)</tt><br>
<tt> at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)</tt><br>
<tt> at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)</tt><br>
<tt> at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)</tt><br>
<tt> at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)</tt><br>
<tt> at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)</tt><br>
<tt> at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)</tt><br>
<tt> at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)</tt><br>
<tt> at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)</tt><br>
<tt> at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)</tt><br>
<tt> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)</tt><br>
<tt> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)</tt><br>
<tt> at java.lang.Thread.run(Thread.java:745)</tt><br>
<br>
Its fails to reach DS because:<br>
<tt>0.localhost-startStop-1 - [09/Dec/2014:04:37:49 EST] [8] [3]
In Ldap (bound) connection pool to host xxxx port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO
Error creating JSS SSL Socket (-1)</tt><br>
<br>
Having not been able to restart DS, the secure port is not
enabled so the CA failure after 5min was normal.<br>
</blockquote>
<blockquote>So the remaining question was why the DS service
restart failed.<br>
The systemd file was <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dirsrv@dir.service">dirsrv@dir.service</a> ->
/usr/lib/systemd/system/dirsrv@.service.<br>
<br>
</blockquote>
</blockquote>
<br>
I compared the installation logs with my own installation and I have
not found any difference that would explain why you got
'/etc/systemd/system/dirsrv.target.wants/dirsrv@dir.service'
instead of
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'.<br>
<br>
I would like to check if /var/lib/ipa/sysrestore/sysrestore.state
file contains 'serverid=dir' or 'serverid=EXAMPLE-ORG'. would you
please sent it to me ?<br>
<br>
thanks<br>
thierry<br>
<blockquote cite="mid:5487104D.8050205@redhat.com" type="cite">
<blockquote> </blockquote>
<br>
<blockquote cite="mid:5486CBDF.7050606@redhat.com" type="cite"> <br>
<br>
<br>
<blockquote type="cite"> <br>
<br>
<blockquote type="cite">thanks <br>
theirry <br>
<br>
<br>
On 12/09/2014 10:01 AM, Martin Kosek wrote: <br>
<blockquote type="cite">On 12/07/2014 03:01 PM, Niranjan M.R
wrote: <br>
<blockquote type="cite">On 12/06/2014 12:24 AM, Dmitri Pal
wrote: <br>
<blockquote type="cite">Hello, <br>
WE NEED HELP! <br>
The biggest and the most interesting feature of
FreeIPA 4.1.2 is support for the two factor
authentication using HOTP/TOTP compatible software
tokens like FreeOTP (open source compatible
alternative to Google Authenticator) and hardware
tokens like Yubikeys. This feature allows Kerberos and
LDAP clients of a FreeIPA server to authenticate using
the normal account password as the first factor and an
OTP token as a second factor. For those environments
where a 2FA solution is already in place, FreeIPA can
act as a proxy via RADIUS. More about this feature can
be read here. <br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.freeipa.org/page/V4/OTP">http://www.freeipa.org/page/V4/OTP</a>
<br>
If you want to see this feature in downstream distros
sooner rather than later we need your help! <br>
Please give it a try and provide feedback. We really,
really need it! <br>
</blockquote>
I am unable to configure ipa-server with
freeipa-server-4.1.2-1.fc20.x86_64, ipa-server-install
fails with below error: <br>
<br>
Done configuring certificate server (pki-tomcatd). <br>
Configuring directory server (dirsrv): Estimated time 10
seconds <br>
[1/3]: configuring ssl for ds instance <br>
[2/3]: restarting directory server <br>
ipa : CRITICAL Failed to restart the directory
server ([Errno 2] No such file or directory: <br>
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
See the installation log for details. <br>
[3/3]: adding CA certificate entry <br>
Done configuring directory server (dirsrv). <br>
CA did not start in 300.0s <br>
<br>
<br>
Versions used: <br>
============== <br>
freeipa-client-4.1.2-1.fc20.x86_64 <br>
freeipa-server-4.1.2-1.fc20.x86_64 <br>
libipa_hbac-1.12.2-2.fc20.x86_64 <br>
libipa_hbac-python-1.12.2-2.fc20.x86_64 <br>
sssd-ipa-1.12.2-2.fc20.x86_64 <br>
device-mapper-multipath-0.4.9-56.fc20.x86_64 <br>
python-iniparse-0.4-9.fc20.noarch <br>
freeipa-admintools-4.1.2-1.fc20.x86_64 <br>
freeipa-python-4.1.2-1.fc20.x86_64 <br>
389-ds-base-libs-1.3.3.5-1.fc20.x86_64 <br>
389-ds-base-1.3.3.5-1.fc20.x86_64 <br>
<br>
BaseOS:Fedora release 20 (Heisenbug) <br>
<br>
<br>
Steps to reproduce: <br>
--------------- <br>
<br>
1. On Fedora-20 system, Used mkosek freeipa repo: <br>
[mkosek-freeipa] <br>
name=Copr repo for freeipa owned by mkosek <br>
baseurl=<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/">http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/</a>
<br>
skip_if_unavailable=True <br>
gpgcheck=0 <br>
enabled=1 <br>
<br>
2. Install freeipa-server packages from the above repo <br>
<br>
3. Issue ipa-server-install <br>
<br>
[root@pkiserver1 ~]# ipa-server-install <br>
<br>
The log file for this installation can be found in
/var/log/ipaserver-install.log <br>
==============================================================================
<br>
This program will set up the FreeIPA Server. <br>
<br>
This includes: <br>
* Configure a stand-alone CA (dogtag) for
certificate management <br>
* Configure the Network Time Daemon (ntpd) <br>
* Create and configure an instance of Directory
Server <br>
* Create and configure a Kerberos Key Distribution
Center (KDC) <br>
* Configure Apache (httpd) <br>
<br>
To accept the default shown in brackets, press the Enter
key. <br>
<br>
WARNING: conflicting time&date synchronization
service 'chronyd' will be disabled <br>
in favor of ntpd <br>
<br>
Do you want to configure integrated DNS (BIND)? [no]:
yes <br>
<br>
Existing BIND configuration detected, overwrite? [no]:
yes <br>
Enter the fully qualified domain name of the computer <br>
on which you're setting up server software. Using the
form <br>
<hostname>.<domainname> <br>
Example: master.example.com. <br>
<br>
<br>
Server host name [pkiserver1.example.org]: <br>
<br>
Warning: skipping DNS resolution of host
pkiserver1.example.org <br>
The domain name has been determined based on the host
name. <br>
<br>
Please confirm the domain name [example.org]: <br>
<br>
The kerberos protocol requires a Realm name to be
defined. <br>
This is typically the domain name converted to
uppercase. <br>
<br>
Please provide a realm name [EXAMPLE.ORG]: <br>
Certain directory server operations require an
administrative user. <br>
This user is referred to as the Directory Manager and
has full access <br>
to the Directory for system management tasks and will be
added to the <br>
<br>
The IPA server requires an administrative user, named
'admin'. <br>
This user is a regular system account used for IPA
server administration. <br>
<br>
IPA admin password: <br>
Password (confirm): <br>
<br>
Do you want to configure DNS forwarders? [yes]: no <br>
No DNS forwarders configured <br>
Do you want to configure the reverse zone? [yes]: <br>
Please specify the reverse zone name
[122.168.192.in-addr.arpa.]: <br>
Using reverse zone(s) 122.168.192.in-addr.arpa. <br>
<br>
The IPA Master Server will be configured with: <br>
Hostname: pkiserver1.example.org <br>
IP address(es): 192.168.122.246 <br>
Domain name: example.org <br>
Realm name: EXAMPLE.ORG <br>
<br>
BIND DNS server will be configured to serve IPA domain
with: <br>
Forwarders: No forwarders <br>
Reverse zone(s): 122.168.192.in-addr.arpa. <br>
<br>
Continue to configure the system with these values?
[no]: yes <br>
<br>
The following operations may take some minutes to
complete. <br>
Please wait until the prompt is returned. <br>
<br>
<br>
instance of directory server created for IPA. <br>
The password must be at least 8 characters long. <br>
<br>
Directory Manager password: <br>
Password (confirm): <br>
Configuring NTP daemon (ntpd) <br>
[1/4]: stopping ntpd <br>
[2/4]: writing configuration <br>
[3/4]: configuring ntpd to start on boot <br>
[4/4]: starting ntpd <br>
Done configuring NTP daemon (ntpd). <br>
Configuring directory server (dirsrv): Estimated time 1
minute <br>
[1/38]: creating directory server user <br>
[2/38]: creating directory server instance <br>
[3/38]: adding default schema <br>
[4/38]: enabling memberof plugin <br>
[5/38]: enabling winsync plugin <br>
[6/38]: configuring replication version plugin <br>
[7/38]: enabling IPA enrollment plugin <br>
[8/38]: enabling ldapi <br>
[9/38]: configuring uniqueness plugin <br>
[10/38]: configuring uuid plugin <br>
[11/38]: configuring modrdn plugin <br>
[12/38]: configuring DNS plugin <br>
[13/38]: enabling entryUSN plugin <br>
[14/38]: configuring lockout plugin <br>
[15/38]: creating indices <br>
[16/38]: enabling referential integrity plugin <br>
[17/38]: configuring certmap.conf <br>
[18/38]: configure autobind for root <br>
[19/38]: configure new location for managed entries
<br>
[20/38]: configure dirsrv ccache <br>
[21/38]: enable SASL mapping fallback <br>
[22/38]: restarting directory server <br>
[23/38]: adding default layout <br>
[24/38]: adding delegation layout <br>
[25/38]: creating container for managed entries <br>
[26/38]: configuring user private groups <br>
[27/38]: configuring netgroups from hostgroups <br>
[28/38]: creating default Sudo bind user <br>
[29/38]: creating default Auto Member layout <br>
[30/38]: adding range check plugin <br>
[31/38]: creating default HBAC rule allow_all <br>
[32/38]: initializing group membership <br>
[33/38]: adding master entry <br>
[34/38]: configuring Posix uid/gid generation <br>
[35/38]: adding replication acis <br>
[36/38]: enabling compatibility plugin <br>
[37/38]: tuning directory server <br>
[38/38]: configuring directory to start on boot <br>
Done configuring directory server (dirsrv). <br>
Configuring certificate server (pki-tomcatd): Estimated
time 3 minutes 30 seconds <br>
[1/27]: creating certificate server user <br>
[2/27]: configuring certificate server instance <br>
[3/27]: stopping certificate server instance to
update CS.cfg <br>
[4/27]: backing up CS.cfg <br>
[5/27]: disabling nonces <br>
[6/27]: set up CRL publishing <br>
[7/27]: enable PKIX certificate path discovery and
validation <br>
[8/27]: starting certificate server instance <br>
[9/27]: creating RA agent certificate database <br>
[10/27]: importing CA chain to RA certificate
database <br>
[11/27]: fixing RA database permissions <br>
[12/27]: setting up signing cert profile <br>
[13/27]: set certificate subject base <br>
[14/27]: enabling Subject Key Identifier <br>
[15/27]: enabling Subject Alternative Name <br>
[16/27]: enabling CRL and OCSP extensions for
certificates <br>
[17/27]: setting audit signing renewal to 2 years <br>
[18/27]: configuring certificate server to start on
boot <br>
[19/27]: restarting certificate server <br>
[20/27]: requesting RA certificate from CA <br>
[21/27]: issuing RA agent certificate <br>
[22/27]: adding RA agent as a trusted user <br>
[23/27]: configure certmonger for renewals <br>
[24/27]: configure certificate renewals <br>
[25/27]: configure RA certificate renewal <br>
[26/27]: configure Server-Cert certificate renewal <br>
[27/27]: Configure HTTP to proxy connections <br>
Done configuring certificate server (pki-tomcatd). <br>
Configuring directory server (dirsrv): Estimated time 10
seconds <br>
[1/3]: configuring ssl for ds instance <br>
[2/3]: restarting directory server <br>
ipa : CRITICAL Failed to restart the directory
server ([Errno 2] No such file or directory: <br>
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
See the installation log for details. <br>
[3/3]: adding CA certificate entry <br>
Done configuring directory server (dirsrv). <br>
<br>
CA did not start in 300.0s <br>
<br>
Attaching ipaserver-install.log, pkispawn logs <br>
<br>
Any hints on how to overcome the above error. <br>
</blockquote>
The error is obviously in Directory Server restart. I am
not sure what causes <br>
<br>
2014-12-07T11:16:25Z DEBUG [2/3]: restarting directory
server <br>
2014-12-07T11:16:25Z CRITICAL Failed to restart the
directory server ([Errno 2] <br>
No such file or directory: <br>
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
See the <br>
installation log for details. <br>
<br>
The first restart worked and it uses the same call, AFAIK.
It would be <br>
interesting to see the latest logs of the instance after
ipa-server-install <br>
crashes: <br>
<br>
# systemctl status <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:dirsrv@EXAMPLE-ORG.service">dirsrv@EXAMPLE-ORG.service</a>
<br>
<br>
It may have some useful logs that would reveal what
happened. <br>
<br>
Martin <br>
</blockquote>
</blockquote>
<br>
- -- Niranjan <br>
irc: mrniranjan <br>
-----BEGIN PGP SIGNATURE----- <br>
Version: GnuPG v1 <br>
<br>
iKYEARECAGYFAlSGxYFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
<br>
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEY3OTE3QTg3ODE0RkVCQ0YyNjgyOTRENjJF
<br>
RURDNTVGNjA0N0M3QzcACgkQLu3FX2BHx8e61wCgtCSWtdpOMWVP+Pr7fPmoXiPC
<br>
DAsAoI0phFg3dtQJNRvpm8YCjLEs9r66 <br>
=1MYR <br>
-----END PGP SIGNATURE----- <br>
</blockquote>
<br>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>