<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 3/18/15 10:10 PM, Kim Perrin wrote:<br>
<blockquote
cite="mid:CANR3jxZJodNEZEhGf-Rt_4mthUur+ReSHj_i+93S_3JEpx2SWg@mail.gmail.com"
type="cite">
<pre wrap="">This is about the 6th time of tried installing this replica. Each time
I run the ipa-replica-manage del and ipa-csreplica-manage del command
before trying. I also build new replica install files each time.
Obviously I can't figure out what the problem is. I've tried a variety
of things. I'm hoping someone in this community has seen this before
and solved the issue.
At the end of the install I see the client install failure messages,
though it appeared as though the server install went well. However it
is clear it has not gone well because when I run 'service ipa status'
I get this
root@noc5-prd:/var/log# service ipa status
Directory Service: RUNNING
Unknown error when retrieving list of services from LDAP: {'info':
'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication
method'}
I've attached the ipareplica-install.log file. Here are some relevant
entries from the end of the log -
2015-03-19T04:33:02Z DEBUG args=/usr/sbin/ipa-client-install
--on-master --unattended --domain companyz.com --server
noc5-prd.companyz.com --realm COMPANYZ.COM
2015-03-19T04:33:02Z DEBUG stdout=
2015-03-19T04:33:02Z DEBUG stderr=Hostname: noc5prd.companyz.com
Realm: COMPANYZ.COM
DNS Domain: companyz.com
IPA Server: noc5-prd.companyz.com
BaseDN: dc=companyz,dc=com
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying <a class="moz-txt-link-freetext" href="https://noc5-prd.companyz.com/ipa/xml">https://noc5-prd.companyz.com/ipa/xml</a>
trying <a class="moz-txt-link-freetext" href="https://noc1-prd.companyz.com/ipa/xml">https://noc1-prd.companyz.com/ipa/xml</a>
Connection to <a class="moz-txt-link-freetext" href="https://noc1-prd.companyz.com/ipa/xml">https://noc1-prd.companyz.com/ipa/xml</a> failed with [Errno
-8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in
use.
Cannot connect to the server due to generic error: cannot connect to
Gettext('any of the configured servers', domain='ipa',
localedir=None): <a class="moz-txt-link-freetext" href="https://noc5-prd.companyz.com/ipa/xml">https://noc5-prd.companyz.com/ipa/xml</a>,
<a class="moz-txt-link-freetext" href="https://noc1-prd.companyz.com/ipa/xml">https://noc1-prd.companyz.com/ipa/xml</a>
Installation failed. Rolling back changes.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
2015-03-19T04:33:02Z INFO File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
return_value = main_function()
File "/usr/sbin/ipa-replica-install", line 536, in main
raise RuntimeError("Failed to configure the client")
2015-03-19T04:33:02Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Failed to configure the client
Anyone have any advice?
</pre>
</blockquote>
There are 2 possibilities here. One is you have the old python
package scripts which have a bug in these files:<br>
<br>
/usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py<br>
/usr/lib/python2.7/site-packages/ipaplatform/services.py<br>
<br>
They most likely have "fedora-domain" in them and it needs to be
changed to "rhel-domain". The other option is to re-install the OS
and freeipa environment, which gets you to clean packages. Deleting
and re-installing all the python packages is painful at best.<br>
<br>
The other possibility is stale certs:<br>
<br>
certutil -d /etc/pki/nssdb -L<br>
<br>
You will probably see a stale cert. Remove it.<br>
<br>
certutil -d /etc/pki/nssdb -D -n "IPA CA"<br>
<br>
I have run into both of these issues about 1 million times so far.<br>
<br>
~J
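<br>
<br>
Added example, not part of the original message or of FreeIPA: a read-only shell check for the two causes named in the reply above, to run before editing any file or deleting any certificate. The helper names, the use of /etc/ipa/ca.crt as the current CA certificate, and reading "stale" as "differs from that file" are assumptions.<br>
<pre wrap="">
```shell
#!/bin/sh
# Added example: read-only checks for the two causes named in the reply.
# Assumptions (not from the thread): the helper names, /etc/ipa/ca.crt as the
# current CA certificate, and "stale" meaning "differs from that file".

# Print each given file that still contains the string "fedora-domain".
files_with_fedora_domain() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -q 'fedora-domain' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Reduce a PEM certificate to its base64 body so two copies compare equal
# regardless of line wrapping, CRLF endings or text around the PEM block.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        grep -v -- '-----' | tr -d ' \t\r\n'
}

# Return 0 when both PEM files hold the same non-empty certificate body.
same_cert() {
    a=$(pem_body "$1"); b=$(pem_body "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live checks run only when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then
    files_with_fedora_domain \
        /usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py \
        /usr/lib/python2.7/site-packages/ipaplatform/services.py
    tmp=$(mktemp)
    if certutil -d /etc/pki/nssdb -L -n "IPA CA" -a > "$tmp" 2>/dev/null; then
        if same_cert "$tmp" /etc/ipa/ca.crt; then
            echo '"IPA CA" in /etc/pki/nssdb matches /etc/ipa/ca.crt'
        else
            echo '"IPA CA" in /etc/pki/nssdb differs from /etc/ipa/ca.crt'
        fi
    else
        echo 'no "IPA CA" entry in /etc/pki/nssdb'
    fi
    rm -f "$tmp"
fi
```
</pre>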
</body>
</html>