[Freeipa-users] Difficulty installing freeipa

Dmitri Pal dpal at redhat.com
Tue Jun 7 21:33:03 UTC 2011


On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I continue to work with performance issues.  I went into the krb5.conf
> and changed dns_lookup_kdc from true to false.  Kinit now responds
> immediately.  It's cut the time on "ipa-finduser admin" from 2m30s
> down to 18-20s.  How fast "should" this respond?

It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By
turning off the name resolution against DNS in Kerberos you reduced the
number of lookups but probably did not eliminate all of them. I suggest
you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations.
Sorry.

Thanks
Dmitri

>
> -Brian
>
> On 6/6/11 12:31 PM, "Brian Stamper" <brian.p.stamper at nasa.gov> wrote:
>
>     This is what I get.  I'm not sure which logfiles would be useful
>     at this point.
>
>     -brian
>
>     time ipa-finduser -v admin
>
>     Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
>     Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
>     send: "POST /ipa/xml HTTP/1.1\r\nHost:
>     freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization:
>     negotiate
>     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\r\nUser-Agent:
>     xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
>     text/xml\r\nContent-Length: 515\r\n\r\n<?xml
>     version='1.0'?>\n<methodCall>\n<methodName>find_users</methodName>\n<params>\n<param>\n<value><string>admin</string></value>\n</param>\n<param>\n<value><array><data>\n<value><string>uid</string></value>\n<value><string>givenname</string></value>\n<value><string>sn</string></value>\n<value><string>homeDirectory</string></value>\n<value><string>loginshell</string></value>\n</data></array></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n</params>\n</methodCall>\n"
>     reply: 'HTTP/1.1 200 OK\r\n'
>     header: Date: Mon, 06 Jun 2011 19:25:47 GMT
>     header: Server: Apache/2.2.17 (Fedora)
>     header: WWW-Authenticate: Negotiate
>     YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvgT/A5n14nLzBVzpFQFm8lIUc1dZmoma0UuzN9dxD7ykRe/S6rTZJnlroYZG9cmHK9WmIZX5eg/zThvgz/QVvVufnzTbihT3lUDFa4ING9mtCpigZoTnLWGcIRLKddjFHammKG6SjMU29YgwHIZ2D
>     header: Content-Length: 650
>     header: Connection: close
>     header: Content-Type: text/xml
>     body: "<?xml
>     version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><array><data>\n<value><int>1</int></value>\n<value><struct>\n<member>\n<name>dn</name>\n<value><string>uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov</string></value>\n</member>\n<member>\n<name>loginshell</name>\n<value><string>/bin/bash</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>admin</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Administrator</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>/home/admin</string></value>\n</member>\n</struct></value>\n</data></array></value>\n</param>\n</params>\n</methodResponse>\n"
>     Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
>     send: "POST /ipa/xml HTTP/1.1\r\nHost:
>     freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization:
>     negotiate
>     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\r\nUser-Agent:
>     xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
>     text/xml\r\nContent-Length: 331\r\n\r\n<?xml
>     version='1.0'?>\n<methodCall>\n<methodName>attrs_to_labels</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>homedirectory</string></value>\n<value><string>loginshell</string></value>\n<value><string>sn</string></value>\n<value><string>uid</string></value>\n</data></array></value>\n</param>\n</params>\n</methodCall>\n"
>     reply: 'HTTP/1.1 200 OK\r\n'
>     header: Date: Mon, 06 Jun 2011 19:26:18 GMT
>     header: Server: Apache/2.2.17 (Fedora)
>     header: WWW-Authenticate: Negotiate
>     YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv14HufxqWTyNzhsD9xAxrBN5L7jejiqPqHum3FjYTKc2xIrC1ONAloxDyxcOV0isynFIw6/NwpXJKHfzfDbiFPiYjF3xrOakeGDiiVSCL7G12ZNdqErNfP1GVBU5yVg+vIDI+HxfzRa29Gl9eIu1J
>     header: Content-Length: 458
>     header: Connection: close
>     header: Content-Type: text/xml
>     body: "<?xml
>     version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><struct>\n<member>\n<name>loginshell</name>\n<value><string>Login
>     Shell</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>Home
>     Directory</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>Login</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Last
>     Name</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodResponse>\n"
>     Home Directory: /home/admin
>     Login Shell: /bin/bash
>     Last Name: Administrator
>     Login: admin
>
>
>     real    1m50.460s
>     user    0m0.083s
>     sys    0m0.017s
>
>     [root at freeipa ~]# time wget https://freeipa.arc.nasa.gov/ipa/xml
>     --2011-06-06 12:29:40--  https://freeipa.arc.nasa.gov/ipa/xml
>     Resolving freeipa.arc.nasa.gov... 143.232.152.197
>     Connecting to freeipa.arc.nasa.gov|143.232.152.197|:443... connected.
>     ERROR: cannot verify freeipa.arc.nasa.gov's certificate, issued by
>     "/CN=IPA Test Certificate Authority":
>       Self-signed certificate encountered.
>     To connect to freeipa.arc.nasa.gov insecurely, use
>     '--no-check-certificate'.
>
>     real    0m0.015s
>     user    0m0.011s
>     sys    0m0.002s
>     [root at freeipa ~]#
>
>
>     On 6/6/11 7:56 AM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
>         Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>         >
>         > I'm closer. I was able to get logged into the UI. It wasn't that I was
>         > running firefox from root, but that I had inited as root. Same problem
>         > really. Dropping back to my own shell and initing I was able to reach
>         > the GUI. The next problem I need to tackle is the slowness. Ipa-finduser
>         > admin does return results, but it takes 2m43s.
>
>         Definitely getting hung up somewhere. I'd try the -v option to
>         ipa-finduser to get a bit more detail on the request. The client will
>         attempt to find the right IPA Apache server to connect to, make a
>         kerberos connection. Apache will then handle the request and collect any
>         data needed from 389-ds and return it. There are a lot of places things
>         can break down. By examining the server logs you may be able to discern
>         where the logjam is.
>
>         rob
>
>         >
>         > [root at freeipa ~]# egrep "freeipa|local" /etc/hosts
>         > 127.0.0.1 localhost.localdomain localhost
>         > ::1 localhost6.localdomain6 localhost6
>         > 1.2.3.4 freeipa.arc.nasa.gov freeipa
>         >
>         > [root at freeipa ~]# grep host /etc/nsswitch.conf
>         > #hosts: db files nisplus nis dns
>         > hosts: files dns
>         >
>         > [root at freeipa ~]# ifconfig eth0
>         > eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
>         > inet addr:1.2.3.4
>         >
>         > I don't see any issues with the configuration there. There are no
>         > conflicting "freeipa" hosts in dns. Looks pretty much in compliance with
>         > the guide:
>         >
>         > Configuring /etc/hosts
>         > You need to ensure that your /etc/hosts file is configured
>         > correctly, or the ipa-* commands may not work correctly.
>         >
>         > The /etc/hosts file should list the FQDN for your IPA server before any
>         > aliases. You should also ensure that the hostname is not part of the
>         > localhost entry. The following is an example of a valid hosts file:
>         > 127.0.0.1 localhost.localdomain localhost
>         > ::1 localhost6.localdomain6 localhost6
>         > 192.168.1.1 ipaserver.example.com ipaserver
>         >
>         >
>         > -Brian
>         >
>         >
>         >
>         > On 6/3/11 3:58 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>         >
>         >     On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>         >
>         >         Re: [Freeipa-users] Difficulty installing freeipa
>         >         I have resolved the install issue.
>         >
>         >     Great!
>         >
>         >         The installer is a bit sloppy and makes some bad assumptions.
>         >         The problem turns out to be that the directory server setup
>         >         seems to be running as dirsrv, not root. Ipa-server-install
>         >         (more specifically dsinstance.py) writes out the file
>         >         /var/lib/dirsrv/boot.ldif. But it does so as root, using root's
>         >         umask. It doesn't do a check to make sure dirsrv can read this
>         >         file before spawning an external process to create the directory
>         >         server. Part of security best practices recommended by the CIS
>         >         group as well as others is to set root's umask to 0077. With
>         >         this setting in place, dirsrv is unable to read
>         >         /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
>         >         executed from ipa-server-install. I modified dsinstance.py to
>         >         not remove the file and checked it after a failed install. It
>         >         was written properly, so I changed the permission on it to 666
>         >         and re-ran the install. It succeeded.
>         >
>         >     Opened https://fedorahosted.org/freeipa/ticket/1282
>         >
>         >         I'm now back to where I started, which is a partly working ipa
>         >         install. Kinit takes 75 seconds to complete.
>         >
>         >     Seems like a DNS timeout or something related to the name resolution.
>         >
>         >         I still can't get to the UI. I'm now going to uninstall again,
>         >         change root's umask to 022, and see if that fixes any more of
>         >         the problems.
>         >
>         >     The UI does not start for me if you try to run FF from the root
>         >     shell. I forget about this frequently and just upgraded to F15 and
>         >     hit it again.
>         >
>         >     If you have a normal user shell, kinit from that shell as admin and
>         >     start browser from it you should have all the right context to
>         >     access UI.
>         >
>         >
>         >
>         >
>         >         -Brian
>         >
>         >
>         >
>         >         On 6/3/11 3:14 PM, "Brian Stamper" <brian.p.stamper at nasa.gov> wrote:
>         >
>         >             Yes, I mentioned in the first email I had attempted that. I
>         >             just ran the uninstall 10 times in a row. Same errors:
>         >
>         >             Configuring directory server:
>         >             [1/17]: creating directory server user
>         >             [2/17]: creating directory server instance
>         >             root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
>         >             [3/17]: adding default schema
>         >             [4/17]: enabling memberof plugin
>         >             [5/17]: enabling referential integrity plugin
>         >             [6/17]: enabling distributed numeric assignment plugin
>         >             [7/17]: enabling winsync plugin
>         >             [8/17]: configuring uniqueness plugin
>         >             [9/17]: creating indices
>         >             [10/17]: configuring ssl for ds instance
>         >             [11/17]: configuring certmap.conf
>         >             [12/17]: restarting directory server
>         >             [13/17]: adding default layout
>         >             root : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
>         >             [14/17]: configuring Posix uid/gid generation as first master
>         >             [15/17]: adding master entry as first master
>         >             root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
>         >             [16/17]: initializing group membership
>         >             [17/17]: configuring directory to start on boot
>         >             done configuring dirsrv.
>         >
>         >             As a test I've manually run setup-ds.pl accepting all of the
>         >             defaults. It works fine and installs successfully, creating
>         >             the slapd-freeipa (which is the hostname) instance. I then
>         >             ran remove-ds.pl on the slapd-freeipa instance and re-ran
>         >             the ipa uninstall. When I attempted to reinstall ipa, it
>         >             detected an existing ds. I did a locate for dirsrv and found
>         >             logfiles from an instance called slapd-ARC-NASA-GOV, which
>         >             should be my default freeipa dirsrv instance. To try to
>         >             clean this up, I ran setup-ds.pl and chose custom and
>         >             created a slapd-ARC-NASA-GOV instance, and then immediately
>         >             removed it with remove-ds.pl. I then re-ran
>         >             ipa-server-install, which this time did not detect an
>         >             existing directory server. However, the ipa-server-install
>         >             again failed in the same location.
>         >
>         >             [2/17]: creating directory server instance
>         >             root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1
>         >
>         >
>         >             And from the log:
>         >
>         >             2011-06-03 15:12:41,540 DEBUG Configuring directory server:
>         >             2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory server user
>         >             2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
>         >             2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>         >             2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>         >             2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server instance
>         >             2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured
>         >
>         >             2011-06-03 15:12:41,567 INFO
>         >             2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>         >             2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>         >             2011-06-03 15:12:41,568 DEBUG
>         >             dn: dc=arc,dc=nasa,dc=gov
>         >             objectClass: top
>         >             objectClass: domain
>         >             objectClass: pilotObject
>         >             dc: arc
>         >             info: IPA V1.0
>         >
>         >             2011-06-03 15:12:41,569 DEBUG writing inf template
>         >             2011-06-03 15:12:41,570 DEBUG
>         >             [General]
>         >             FullMachineName= freeipa.arc.nasa.gov
>         >             SuiteSpotUserID= dirsrv
>         >             ServerRoot= /usr/lib64/dirsrv
>         >             [slapd]
>         >             ServerPort= 389
>         >             ServerIdentifier= ARC-NASA-GOV
>         >             Suffix= dc=arc,dc=nasa,dc=gov
>         >             RootDN= cn=Directory Manager
>         >             InstallLdifFile= /var/lib/dirsrv/boot.ldif
>         >
>         >             2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
>         >             2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
>         >             Error: 59648. Output: importing data ...
>         >             [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
>         >             [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
>         >             [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
>         >             [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
>         >             [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
>         >             /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
>         >             [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
>         >             [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>         >
>         >             Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
>         >             Error: 59648. Output: importing data ...
>         >             [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
>         >             [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
>         >             [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
>         >             [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
>         >             [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
>         >             [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
>         >             /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
>         >             [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
>         >             [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>         >
>         >             [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
>         >             Error: Could not create directory server instance 'ARC-NASA-GOV'.
>         >             [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>         >
>         >
>         >             -Brian
>         >
>         >             On 6/3/11 2:53 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>         >
>         >                 On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>         >
>         >                     Re: [Freeipa-users] Difficulty installing freeipa
>         >                     I've given up on freeipa v2 due to lack of
>         >                     compatibility with hosts I manage. This is all on
>         >                     freeipa v1. The server started as Fedora 13, and I
>         >                     upgraded to Fedora 14 in an attempt to fix the problems.
>         >
>         >                     [root at freeipa ~]# uname -r
>         >                     2.6.35.13-91.fc14.x86_64
>         >                     [root at freeipa ~]# rpm -qa 'ipa*'
>         >                     ipa-client-1.2.2-6.fc14.x86_64
>         >                     ipa-server-selinux-1.2.2-6.fc14.x86_64
>         >                     ipa-python-1.2.2-6.fc14.x86_64
>         >                     ipa-admintools-1.2.2-6.fc14.x86_64
>         >                     ipa-server-1.2.2-6.fc14.x86_64
>         >                     [root at freeipa ~]#
>         >
>         >                     I'm not doing anything special at this point. I'm
>         >                     not even trying to get clients added. I'm trying to
>         >                     do a basic install of ipa-server, with no extra
>         >                     arguments. That claimed to succeed but wouldn't
>         >                     work, I tried to fix it, uninstalled, any attempts
>         >                     to reinstall failed. So right now I'm simply trying
>         >                     to get the ipa service back to any kind of
>         >                     functioning status without re-installing the OS.
>         >
>         >                 Ah this is all old 1.2 IPA.
>         >                 Have you tried
>         >                 ipa-server-install --uninstall
>         >
>         >                 Might require several attempts until all the errors are
>         >                 cleared.
>         >
>         >                     -Brian
>         >
>         >                     On 6/3/11 2:30 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>         >
>         >                         Is it all on F13?
>         >                         The IPA v2 can't be built on F13 as there are
>         >                         many dependencies missing that we rely on. There
>         >                         are too many parts this is why we had to move to
>         >                         the later versions of F15. We just did not have
>         >                         any options. So the server you built might in
>         >                         fact be completely broken. I do not know how to
>         >                         fix it. It looks like you have some instances of
>         >                         the DS left over in a misconfigured state.
>         >
>         >                         You can try running ipa-server-install
>         >                         --uninstall 4-5 times. That might clear things a
>         >                         bit.
>         >
>         >                         But let us get back to the original problem.
>         >                         Freeipa can be used with the LDAP+Kerberos
>         >                         configuration on the clients. You do not need to
>         >                         have latest and greatest.
>         >                         There was a nice article referenced in some of
>         >                         the earlier threads on the list:
>         >
>         >                         http://www.aput.net/~jheiss/krbldap/howto.html
>         >
>         >                         You can configure very old clients to
>         use IPA as
>         >                         NIS server.
>         >                         Let us know how else we can help.
>         >                         Thanks
>         >                         Dmitri
>         >
>         >
>         >
>         >
>         >
>         >                             -Brian
>         >
>         >
>         >                             _______________________________________________
>         >                             Freeipa-users mailing list
>         >                             Freeipa-users at redhat.com
>         >                             https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
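
The umask failure described in the quoted thread (root's umask 0077 leaving /var/lib/dirsrv/boot.ldif unreadable by dirsrv), as an added example that is not code from FreeIPA or from any poster. It writes a file with an explicit mode that does not depend on the caller's umask and checks readability for the service account before anything is spawned; the function names, the constructed LDIF and the 0640 group-read mode (instead of 666) are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample content, not the installer's real boot.ldif.
SAMPLE_LDIF = "dn: dc=example,dc=com\nobjectClass: top\nobjectClass: domain\ndc: example\n"


def write_naive(path, data):
    """Plain open(): the resulting mode is 0666 & ~umask, so it varies per host."""
    with open(path, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_for_service(path, data, mode=0o640, uid=-1, gid=-1):
    """Create `path` with an explicit mode that the umask cannot change.

    The file is created private (0600, O_EXCL so an existing file or symlink
    is never reused), ownership is optionally handed to the service account
    (requires root), and only then is the final mode applied with fchmod(),
    which ignores the umask. uid/gid of -1 leave ownership unchanged.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        if uid != -1 or gid != -1:
            os.fchown(f.fileno(), uid, gid)
        os.fchmod(f.fileno(), mode)
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by(path, uid, gids):
    """Would an account with this uid and group set be allowed to read `path`?

    Simplified check on the file's own mode bits; it ignores ACLs and the
    search permission on parent directories.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo():
    """Reproduce the failure under umask 0077 and show the explicit-mode fix."""
    old_umask = os.umask(0o077)  # the hardened root umask from the thread
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive.ldif")
            fixed = os.path.join(d, "fixed.ldif")
            naive_mode = write_naive(naive, SAMPLE_LDIF)
            fixed_mode = write_for_service(fixed, SAMPLE_LDIF)
            # Hypothetical service account: a different uid that shares the
            # file's group, standing in for a dedicated service user.
            svc_uid = os.getuid() + 1
            svc_gids = {os.stat(fixed).st_gid}
            return {
                "naive_mode": naive_mode,
                "fixed_mode": fixed_mode,
                "naive_readable": readable_by(naive, svc_uid, svc_gids),
                "fixed_readable": readable_by(fixed, svc_uid, svc_gids),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```
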

