<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 3/18/15 10:10 PM, Kim Perrin wrote: <blockquote cite="mid:CANR3jxZJodNEZEhGf-Rt_4mthUur+ReSHj_i+93S_3JEpx2SWg@mail.gmail.com" type="cite"> <pre wrap="">This is about the 6th time of tried installing this replica. Each time I run the ipa-replica-manage del and ipa-csreplica-manage del command before trying. I also build new replica install files each time. Obviously I can't figure out what the problem is. I've tried a variety of things. I'm hoping someone in this community has been this before and solved the issue. At the end of the install I see the client install failure messages, though it appeared as though the server install went well. However it is clear it has not gone well because when I run 'service ipa status' I get this root@noc5-prd:/var/log# service ipa status Directory Service: RUNNING Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'} I've attached the ipareplica-install.log file. Here are some relevant entries from the end of the log - 2015-03-19T04:33:02Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain companyz.com --server noc5-prd.companyz.com --realm COMPANYZ.COM 2015-03-19T04:33:02Z DEBUG stdout= 2015-03-19T04:33:02Z DEBUG stderr=Hostname: noc5prd.companyz.com Realm: COMPANYZ.COM DNS Domain: companyz.com IPA Server: noc5-prd.companyz.com BaseDN: dc=companyz,dc=com New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying <a class="moz-txt-link-freetext" href="https://noc5-prd.companyz.com/ipa/xml">https://noc5-prd.companyz.com/ipa/xml</a> trying <a class="moz-txt-link-freetext" href="https://noc1-prd.companyz.com/ipa/xml">https://noc1-prd.companyz.com/ipa/xml</a> Connection to <a class="moz-txt-link-freetext" href="https://noc1-prd.companyz.com/ipa/xml">https://noc1-prd.companyz.com/ipa/xml</a> failed with [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use. Cannot connect to the server due to generic error: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): <a class="moz-txt-link-freetext" href="https://noc5-prd.companyz.com/ipa/xml">https://noc5-prd.companyz.com/ipa/xml</a>, <a class="moz-txt-link-freetext" href="https://noc1-prd.companyz.com/ipa/xml">https://noc1-prd.companyz.com/ipa/xml</a> Installation failed. Rolling back changes. Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Client uninstall complete. 2015-03-19T04:33:02Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script return_value = main_function() File "/usr/sbin/ipa-replica-install", line 536, in main raise RuntimeError("Failed to configure the client") 2015-03-19T04:33:02Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client Anyone have any advice? </pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> There are 2 possibilities here. One is you have the old python package scripts which have a bug in these files: /usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py /usr/lib/python2.7/site-packages/ipaplatform/services.py They most likely have "fedora-domain" in them and it needs to be changed to "rhel-domain". The other option is to re-install the OS and freeipa environment, which gets you to clean packages. Deleting and re-installing all the python packages is painful at best. The other possibility is stale certs: certutil -d /etc/pki/nssdb -L You will probably see a stale cert. Remove it. certutil -d /etc/pki/nssdb -D -n "IPA CA" I have run into both of these issues about 1 million times so far. ~J </body> </html>