[Freeipa-users] ipa-client-install error during ipa-replica-install

Marco Pizzoli marco.pizzoli at gmail.com
Sun Mar 25 15:35:27 UTC 2012


Hi guys,
I'm still working with the beta version.
I tried the setup of another replica and this is what I'm getting:

[root@freeipa04 ~]# ipa-replica-install --setup-dns --no-forwarders
/var/lib/ipa/replica-info-freeipa04.unix.mydomain.it.gpg
Directory Manager (existing master) password:

Warning: Hostname (freeipa04.unix.mydomain.it) not found in DNS
Run connection check to master
Check connection from replica to remote master 'freeipa01.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@UNIX.MYDOMAIN.IT password:

Execute check on remote master
admin@freeipa01.unix.mydomain.it's password:
Check connection from master to remote replica 'freeipa04.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
  [25/30]: initializing group membership
  [26/30]: adding master entry
  [27/30]: configuring Posix uid/gid generation
  [28/30]: enabling compatibility plugin
  [29/30]: tuning directory server
  [30/30]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
Using reverse zone 146.168.192.in-addr.arpa.
Configuring named:
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
done configuring named.
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unattended --domain unix.mydomain.it --server
freeipa04.unix.mydomain.it --realm UNIX.MYDOMAIN.IT' returned non-zero exit
status 1
creation of replica failed: Failed to configure the client

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@freeipa04 ~]#

And these are my last lines of the file /var/log/ipaclient-install.log

[cut]
2012-03-25T15:13:40Z DEBUG stdout=Kerberos 5 version 1.9.3

2012-03-25T15:13:40Z DEBUG stderr=
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2012-03-25T15:13:40Z DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
2012-03-25T15:13:42Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2012-03-25T15:13:42Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-03-25T15:13:42Z DEBUG Unable to activate the SSH service in SSSD
config.
2012-03-25T15:13:42Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n
IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2012-03-25T15:13:42Z DEBUG stdout=
2012-03-25T15:13:42Z DEBUG stderr=certutil: could not add certificate to
token or database: Error adding certificate to database.

I tried to manually execute the command "/usr/bin/certutil -A -d
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt"
[root@freeipa04 ~]# /usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t
CT,C,C -a -i /etc/ipa/ca.crt
[root@freeipa04 ~]# echo $?
0

Any help?
Thanks in advance as usual

Marco
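
An added triage example, not part of the original post and not FreeIPA code: it rejoins the hard-wrapped records of an ipaclient-install.log excerpt, pairs each `args=` record with the `stderr=` that follows, and shows how a shell tokenises the logged string when it is pasted unquoted, as in the manual run above. The function names and the sample excerpt are constructed here; whether the installer passed `IPA CA` as a single argument is an assumption the space-joined `args=` line cannot confirm.

```python
import re
import shlex

# Constructed sample: the certutil records from the log excerpt in the post,
# hard-wrapped the way they appear there.
SAMPLE_LOG = """\
2012-03-25T15:13:42Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n
IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2012-03-25T15:13:42Z DEBUG stdout=
2012-03-25T15:13:42Z DEBUG stderr=certutil: could not add certificate to
token or database: Error adding certificate to database.
"""

RECORD_START = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (\w+) (.*)$")

def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the last record."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append(m.group(2))
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def commands_with_stderr(text):
    """Pair each args= record with the next stderr= record; keep non-empty stderr."""
    hits, current = [], None
    for msg in unwrap(text):
        if msg.startswith("args="):
            current = msg[len("args="):]
        elif msg.startswith("stderr=") and current is not None:
            stderr = msg[len("stderr="):].strip()
            if stderr:
                hits.append((current, stderr))
            current = None
    return hits

def pasted_nickname(logged_args):
    """Tokenise like a shell would on an unquoted paste; return (-n value, next token)."""
    argv = shlex.split(logged_args)
    i = argv.index("-n")
    return argv[i + 1], argv[i + 2]

if __name__ == "__main__":
    for cmd, err in commands_with_stderr(SAMPLE_LOG):
        print(cmd, "->", err, "| -n as pasted:", pasted_nickname(cmd))
```

Pasted without quotes, `-n` receives `IPA` and `CA` becomes a separate token, so an exit status of 0 from that run does not necessarily exercise the same argument list the installer used; quoting the nickname (`-n "IPA CA"`) keeps it a single argument.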