[Freeipa-users] Trouble with replica install - SOLVED

Les Stott Less at imagine-sw.com
Mon Dec 16 13:32:42 UTC 2013 

Figured it out.

Missing apache modules (not loaded). One of the following....

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

I'm not sure which one, i just matched what was on the master and reinstalled the replica - no errors. Been a long day so i don't feel like going through one by one, uninstalling/reinstalling etc. I imagine its probably mod_authz_groupfile.so, but others are probably needed too.

Regards,

Les



________________________________________
From: Les Stott
Sent: Monday, December 16, 2013 11:44 PM
To: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Trouble with replica install

Petr,

The below was the error from apache error logs....

> Apache logs the following error at the same time...
>
> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  couldn't check access.  No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml

Other lines in the /var/log/httpd/error log at the same time...

[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  couldn't check access.  No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml
[Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down
[Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0

Regards,

Les

________________________________________
From: Petr Spacek [pspacek at redhat.com]
Sent: Monday, December 16, 2013 10:38 PM
To: Les Stott; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trouble with replica install

On 16.12.2013 10:55, Les Stott wrote:
> Sorry, when I said "selinux is in permissive mode, but it's the same as on the master server, so it should be the issue." It should have read as "selinux is in permissive mode, but it's the same as on the master server, so it should NOT be the issue."
>
> Les
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Les Stott
> Sent: Monday, 16 December 2013 8:47 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Trouble with replica install
>
> Hi,
>
> Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
> Already setup master server, now trying to install replica (which I've done before and its worked fine).
>
> The replica install gets all the way to the end but errors out. For the most part, it looks like it is complete, but I want to be sure there are no lingering issues.
>
> The error I see in the log is...(domain and ip's changed)
>
> ------------------------
> 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
> Realm: MYDOMAIN.COM
> DNS Domain: mydomain.com
> IPA Server: replica.mydomain.com
> BaseDN: dc=mydomain,dc=com
> Domain mydomain.com is already configured in existing SSSD config, creating a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
> Configured /etc/sssd/sssd.conf
> trying https://replica.mydomain.com/ipa/xml
> Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-client-install", line 2377, in <module>
>      sys.exit(main())
>    File "/usr/sbin/ipa-client-install", line 2363, in main
>      rval = install(options, env, fstore, statestore)
>    File "/usr/sbin/ipa-client-install", line 2167, in install
>      remote_env = api.Command['env'](server=True)['result']
>    File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
>      ret = self.run(*args, **options)
>    File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run
>      return self.forward(*args, **options)
>    File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward
>      return self.Backend.xmlclient.forward(self.name, *args, **kw)
>    File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
>      raise NetworkError(uri=server, error=e.errmsg)

> ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error

Please look into /var/log/httpd/errors.log on server replica.mydomain.com and
check error messages there.

Petr^2 Spacek

>
> 2013-12-16T09:26:50Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-replica-install", line 527, in main
>      raise RuntimeError("Failed to configure the client")
>
> 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client
> -------------------
>
> Apache logs the following error at the same time...
>
> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  couldn't check access.  No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml
>
> I can login to the gui and it seems ok, but I'm rolling this into production so I've got to get it right.
>
> I'm hoping this is just some bug because its an older freeipa on redhat (minimal install) etc. selinux is in permissive mode, but it's the same as on the master server, so it should be the issue.
>
> Is this error critical? How can I fix it?
>
> Thanks in advance,
>
> Les

More information about the Freeipa-users mailing list