[Freeipa-users] Difficulty installing freeipa
Dmitri Pal
dpal at redhat.com
Fri Jun 3 22:58:48 UTC 2011
On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I have resolved the install issue.
Great!
>
> The installer is a bit sloppy and makes some bad assumptions. The
> problem turns out to be that the directory server setup seems to be
> running as dirsrv, not root. Ipa-server-install (more specifically
> dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it
> does so as root, using root's umask. It doesn't do a check to make
> sure dirsrv can read this file before spawning an external process to
> create the directory server. Part of security best practices
> recommended by the CIS group as well as others is to set root's umask
> to 0077. With this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install. I modified dsinstance.py to not
> remove the file and checked it after a failed install. It was written
> properly, so I changed the permission on it to 666 and re-ran the
> install. It succeeded.
Opened https://fedorahosted.org/freeipa/ticket/1282
>
> I'm now back to where I started, which is a partly working ipa
> install. Kinit takes 75 seconds to complete.
Seems like a DNS timeout or something related to the name resolution.
> I still can't get to the UI. I'm now going to uninstall again,
> change root's umask to 022, and see if that fixes any more of the
> problems.
The UI does not start for me if you try to run FF from the root shell. I
forget about this frequently and just upgraded to F15 and hit it again.
If you have a normal user shell, kinit from that shell as admin and
start the browser from it; you should then have all the right context to access the UI.
>
> -Brian
>
> On 6/3/11 3:14 PM, "Brian Stamper" <brian.p.stamper at nasa.gov> wrote:
>
>
> Yes, I mentioned in the first email I had attempted that. I just
> ran the uninstall 10 times in a row. Same errors:
>
> Configuring directory server:
> [1/17]: creating directory server user
> [2/17]: creating directory server instance
> root : CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p'
> returned non-zero exit status 1
> [3/17]: adding default schema
> [4/17]: enabling memberof plugin
> [5/17]: enabling referential integrity plugin
> [6/17]: enabling distributed numeric assignment plugin
> [7/17]: enabling winsync plugin
> [8/17]: configuring uniqueness plugin
> [9/17]: creating indices
> [10/17]: configuring ssl for ds instance
> [11/17]: configuring certmap.conf
> [12/17]: restarting directory server
> [13/17]: adding default layout
> root : CRITICAL Failed to load bootstrap-template.ldif:
> Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory
> Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero
> exit status 32
> [14/17]: configuring Posix uid/gid generation as first master
> [15/17]: adding master entry as first master
> root : CRITICAL Failed to load master-entry.ldif: Command
> '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y
> /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
> [16/17]: initializing group membership
> [17/17]: configuring directory to start on boot
> done configuring dirsrv.
>
> As a test I've manually run setup-ds.pl accepting all of the
> defaults. It works fine and installs successfully, creating the
> slapd-freeipa (which is the hostname) instance. I then ran
> remove-ds.pl on the slapd-freeipa instance and re-ran the ipa
> uninstall. When I attempted to reinstall ipa, it detected an
> existing ds. I did a locate for dirsrv and found logfiles from an
> instance called slapd-ARC-NASA-GOV, which should be my default
> freeipa dirsrv instance. To try to clean this up, I ran
> setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV
> instance, and then immediately removed it with remove-ds.pl. I
> then re-ran ipa-server-install, which this time did not detect an
> existing directory server. However, the ipa-server-install again
> failed in the same location.
>
> [2/17]: creating directory server instance
> root : CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1'
> returned non-zero exit status 1
>
>
> And from the log:
>
> 2011-06-03 15:12:41,540 DEBUG Configuring directory server:
> 2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory server user
> 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server
> instance
> 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances
> configured
>
> 2011-06-03 15:12:41,567 INFO
> 2011-06-03 15:12:41,567 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG
> dn: dc=arc,dc=nasa,dc=gov
> objectClass: top
> objectClass: domain
> objectClass: pilotObject
> dc: arc
> info: IPA V1.0
>
> 2011-06-03 15:12:41,569 DEBUG writing inf template
> 2011-06-03 15:12:41,570 DEBUG
> [General]
> FullMachineName= freeipa.arc.nasa.gov
> SuiteSpotUserID= dirsrv
> ServerRoot= /usr/lib64/dirsrv
> [slapd]
> ServerPort= 389
> ServerIdentifier= ARC-NASA-GOV
> Suffix= dc=arc,dc=nasa,dc=gov
> RootDN= cn=Directory Manager
> InstallLdifFile= /var/lib/dirsrv/boot.ldif
>
> 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error:
> 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
> cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
> job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
> LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
> aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
> directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error:
> 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import
> cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import
> job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open
> LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads
> aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or
> directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
> directory server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance 'ARC-NASA-GOV'.
> [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>
>
> -Brian
>
> On 6/3/11 2:53 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>
> On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC]
> wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
> I've given up on freeipa v2 due to lack of compatibility
> with hosts I manage. This is all on freeipa v1. The
> server started as Fedora 13, and I upgraded to Fedora 14
> in an attempt to fix the problems.
>
> [root at freeipa ~]# uname -r
> 2.6.35.13-91.fc14.x86_64
> [root at freeipa ~]# rpm -qa 'ipa*'
> ipa-client-1.2.2-6.fc14.x86_64
> ipa-server-selinux-1.2.2-6.fc14.x86_64
> ipa-python-1.2.2-6.fc14.x86_64
> ipa-admintools-1.2.2-6.fc14.x86_64
> ipa-server-1.2.2-6.fc14.x86_64
> [root at freeipa ~]#
>
> I'm not doing anything special at this point. I'm not
> even trying to get clients added. I'm trying to do a
> basic install of ipa-server, with no extra arguments.
> That claimed to succeed but wouldn't work, I tried to fix
> it, uninstalled, any attempts to reinstall failed. So
> right now I'm simply trying to get the ipa service back to
> any kind of functioning status without re-installing the OS.
>
>
> Ah this is all old 1.2 IPA.
> Have you tried
> ipa-server-install --uninstall
>
> Might require several attempts until all the errors are cleared.
>
>
>
> -Brian
>
> On 6/3/11 2:30 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>
> Is it all on F13?
> The IPA v2 can't be built on F13 as there are many
> dependencies missing that we rely on. There are too
> many parts; this is why we had to move to the later
> versions of F15. We just did not have any options. So
> the server you built might in fact be completely
> broken. I do not know how to fix it. It looks like you
> have some instances of the DS left over in a
> misconfigured state.
>
> You can try running ipa-server-install --uninstall
> 4-5 times. That might clear things a bit.
>
> But let us get back to the original problem.
> Freeipa can be used with the LDAP+Kerberos
> configuration on the clients. You do not need to have
> latest and greatest.
> There was a nice article referenced in some of the
> earlier threads on the list:
>
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> You can configure very old clients to use IPA as NIS
> server.
> Let us know how else we can help.
> Thanks
> Dmitri
>
> -Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
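The failure Brian traced above (a bootstrap LDIF written by root under a 0077 umask, then handed to a helper that runs as the directory server user) is a general class of install-time bug. The following is an added example, not FreeIPA's own code: it writes a file the naive way and with an explicit mode independent of the caller's umask, and adds the preflight check the thread says the installer lacked, namely "can the service user actually read this file" before spawning the external process. The uid/gid of the service account and the LDIF contents are constructed values; a real installer would look the account up with pwd.getpwnam("dirsrv").

```python
"""Preflight readability check for files handed to a less-privileged service.

Added example (not FreeIPA's code). Reproduces the failure class from the
thread: a file created by root under umask 0077 gets mode 0600, so a daemon
running as another user ("dirsrv") cannot open it.
"""
import os
import stat
import tempfile

# Constructed ids for the service account (assumption: not the current user).
# In the real installer these would come from pwd.getpwnam("dirsrv").
SERVICE_UID = 4321
SERVICE_GID = 4321


def can_user_read(path, uid, gids):
    """Return True if a process with this uid and group set could read path.

    Mirrors the kernel's owner/group/other check on the mode bits only.
    Assumption: no POSIX ACLs and no MAC (SELinux) policy are involved, and
    the parent directories are traversable by that user.
    """
    st = os.stat(path)
    mode = st.st_mode
    if uid == 0:                      # root bypasses DAC read checks
        return True
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def write_naive(path, content):
    """Write as the thread describes the installer doing it: mode comes from umask."""
    with open(path, "w") as fh:
        fh.write(content)


def write_with_explicit_mode(path, content, mode=0o644):
    """Create the file with an explicit mode regardless of the caller's umask."""
    # O_CREAT still applies the umask to `mode`, so fchmod afterwards to pin it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, content.encode())
    finally:
        os.close(fd)


def demo(umask=0o077):
    """Write a boot.ldif both ways under `umask`; return (naive_readable, fixed_readable)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "boot.ldif")
            # Constructed bootstrap entry, shaped like the one in the debug log.
            ldif = ("dn: dc=example,dc=test\n"
                    "objectClass: top\n"
                    "objectClass: domain\n"
                    "dc: example\n")
            write_naive(path, ldif)
            naive_ok = can_user_read(path, SERVICE_UID, {SERVICE_GID})
            write_with_explicit_mode(path, ldif)
            fixed_ok = can_user_read(path, SERVICE_UID, {SERVICE_GID})
            return naive_ok, fixed_ok
    finally:
        os.umask(old)


if __name__ == "__main__":
    print("umask 0077:", demo(0o077))   # naive write unreadable, explicit mode readable
    print("umask 0022:", demo(0o022))   # both readable, which is why the bug hides
```

The point of the preflight is that it turns a confusing "Import failed ... errno 13" from a child process into a clear installer error naming the file and the user, before any instance is half-created. Pinning the mode with fchmod rather than relying on the umask is what makes the installer behave the same on a CIS-hardened host as on a default one; in a real installer one would also fchown the file to the service user rather than widening it to world-readable.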