[Freeipa-users] I could use some help with installing FreeIPA

Galen Brownsmith galens at capaccess.org
Tue Dec 17 06:39:20 UTC 2013


> Please look at the pki instance DS logs to determine whether the DS
> instance was installed and configured correctly.
> http://www.freeipa.org/page/Troubleshooting#Server_Installation
> Please publish these logs here.

Full logs attached.

Admittedly, I'm not sure how to increase the logging level.  slapd
isn't running when I'm in an uninstalled state so I can't issue
ldapmodify, and I don't know where to add commands to increase
logging during the installation process.


It doesn't look like it is an issue with the directory server.
The full log follows, but the only warnings and errors in
/var/log/dirsrv/slapd-MARPHOD-NET/errors are ones that look (to me)
normal during configuration and installation:
[17/Dec/2013:01:06:51 -0500] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to
access the database
...
[17/Dec/2013:01:06:53 -0500] - Db home directory is not set. Possibly
nsslapd-directory (optionally nsslapd-db-home-directory) is missing in
the config file.
...
[17/Dec/2013:01:06:53 -0500] - Db home directory is not set. Possibly
nsslapd-directory (optionally nsslapd-db-home-directory) is missing in
the config file.
[17/Dec/2013:01:11:44 -0500] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=marphod,dc=net
[17/Dec/2013:01:11:44 -0500] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat,dc=marphod,dc=net
[17/Dec/2013:01:11:44 -0500] schema-compat-plugin - warning: no
entries set up under ou=sudoers,dc=marphod,dc=net
[17/Dec/2013:01:11:44 -0500] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=marphod,dc=net--no CoS Templates found, which
should be added before the CoS Definition.


There are some errors in the access log, but they seem to be in
response to failed searches:
[17/Dec/2013:01:11:40 -0500] conn=17 op=2 SRCH base="cn=Schema
Compatibility,cn=plugins,cn=config" scope=0 filter="(objectClass=*)"
attrs="aci * attributeTypes objectClasses aci"
[17/Dec/2013:01:11:40 -0500] conn=17 op=2 RESULT err=32 tag=101
nentries=0 etime=0
...
[17/Dec/2013:01:11:40 -0500] conn=17 op=6 SRCH
base="cn=users,cn=Schema Compatibility,cn=plugins,cn=config" scope=0
filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses
aci"
[17/Dec/2013:01:11:40 -0500] conn=17 op=6 RESULT err=32 tag=101
nentries=0 etime=0
...
[17/Dec/2013:01:11:40 -0500] conn=17 op=10 SRCH
base="cn=computers,cn=Schema Compatibility,cn=plugins,cn=config"
scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes
objectClasses aci"
[17/Dec/2013:01:11:40 -0500] conn=17 op=10 RESULT err=32 tag=101
nentries=0 etime=0
...
[17/Dec/2013:01:11:40 -0500] conn=17 op=12 SRCH base="cn=ng,cn=Schema
Compatibility,cn=plugins,cn=config" scope=0 filter="(objectClass=*)"
attrs="aci * attributeTypes objectClasses aci"
[17/Dec/2013:01:11:40 -0500] conn=17 op=12 RESULT err=32 tag=101
nentries=0 etime=0
...
[17/Dec/2013:01:11:40 -0500] conn=17 op=14 SRCH
base="cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" scope=0
filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses
aci"
[17/Dec/2013:01:11:40 -0500] conn=17 op=14 RESULT err=32 tag=101
nentries=0 etime=0
...
[17/Dec/2013:01:11:44 -0500] conn=3 op=2 SRCH base="o=ipaca" scope=0
filter="(objectClass=*)" attrs=ALL
[17/Dec/2013:01:11:44 -0500] conn=3 op=2 RESULT err=32 tag=101
nentries=0 etime=0


systemctl also reports that dirsrv@MARPHOD-NET is running fine:
# systemctl  status dirsrv@MARPHOD-NET
dirsrv@MARPHOD-NET.service - 389 Directory Server MARPHOD-NET.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Tue 2013-12-17 01:11:44 EST; 9min ago
 Main PID: 647 (ns-slapd)
   CGroup: name=systemd:/user/1000.user/1.session/system/dirsrv@.service/dirsrv@MARPHOD-NET.service
           └─647 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MARPHOD-NET -i /var/...

Dec 17 01:11:44 woeg.marphod.net systemd[1]: Started 389 Directory Server MA....





----------------------------------------------------------------------
That's the news from the Mystic River, where all the alliums are
strong, all the degu are good looking, and all the stuffed animals are
above average.
"May the ducks of your life quack ever harmoniously" - A. Yelton
galens at capaccess.org galens at marphod.net marphod at gmail.com & others


On Mon, Dec 16, 2013 at 10:30 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Dmitri Pal wrote:
>>
>> On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
>>>
>>> My install fails on the invocation of pkispawn with a Socket Error in
>>> the pki-ca-spawn log; anyone have any ideas?  (It isn't the issue
>>> with special characters in the DM's password, as my Directory Manager
>>> and IPA Admin passwords may be 32 characters long, but only contain
>>> [A-Za-z0-9_].)
>>>
>>> Configuration and Error Messages follow.
>>>
>>> Target System: Fedora19 64bit LXC Container running on top of a
>>> Fedora19 64bit host.  Kernel 3.11.10, Q9550 Intel CPU.
>>> Attempting to install freeipa server 3.3.3.  SELinux has been set to
>>> 'disabled' on the host and container.
>>>
>>> /etc/hosts:
>>> # IP            FQDN                            Alias(es)
>>> 127.0.0.1       localhost.localdomain           localhost localhost4
>>> 192.168.253.94 woeg.marphod.net woeg
>>>
>>> # Peers
>>> 192.168.253.99 skete.marphod.net skete wiki.marphod.net wiki www.marphod.net www
>>>
>>> [... several more machines]
>>>
>>> /etc/resolv.conf
>>> ; generated by /usr/sbin/dhclient-script
>>> search marphod.net
>>> nameserver 192.168.253.1
>>>
>>> /etc/sysconfig/network:
>>> NETWORKING=yes
>>> HOSTNAME=woeg.marphod.net
>>>
>>>
>>> No software firewall on the Container:
>>> # iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>>
>>> Not using NetworkManager.  The machine has a virtual nic, and is
>>> connected to the bridge on the host, and can interact with the outside
>>> world.
>>>
>>> Installation commands:
>>> # ipa-server-install --uninstall -U
>>> # pkidestroy -s CA -i pki-tomcat
>>> # ipa-server-install -N -d --no-host-dns
>>>
>>> I select the defaults during the interactive install.
>>>
>>> During installation, everything seems to run fine up to the invocation
>>> of pkispawn.   I then get the errors:
>>> <text>
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into
>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>> Installation failed.
>>>
>>> ipa         : DEBUG    stderr=Job for pki-tomcatd@pki-tomcat.service
>>> failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and
>>> 'journalctl -xn' for details.
>>> pkispawn    : ERROR    ....... server failed to restart
>>>
>>> ipa         : CRITICAL failed to configure ca instance Command
>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit
>>> status 1
>>> ipa         : DEBUG      File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 622, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/usr/sbin/ipa-server-install", line 1074, in main
>>>     dm_password, subject_base=options.subject)
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 478, in configure_instance
>>>     self.start_creation(runtime=210)
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>> 364, in start_creation
>>>     method()
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 604, in __spawn_instance
>>>     raise RuntimeError('Configuration of CA failed')
>>>
>>> ipa         : DEBUG    The ipa-server-install command failed,
>>> exception: RuntimeError: Configuration of CA failed
>>> Configuration of CA failed
>>> </text>
>>>
>>> the relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log: (the
>>> ... skipping... is from the file)
>>> <text>
>>> ...skipping...
>>> y still be down
>>> 2013-12-16 18:12:23 pkispawn    : DEBUG    ........... No connection -
>>> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
>>> Connection refused.
>>> 2013-12-16 18:12:24 pkispawn    : DEBUG    ........... No connection -
>>> server may still be down
>>> 2013-12-16 18:12:24 pkispawn    : DEBUG    ........... No connection -
>>> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
>>> Connection refused.
>>> 2013-12-16 18:12:25 pkispawn    : DEBUG    ........... No connection -
>>> server may still be down
>>> ...
>>> (error repeated 12 more times)
>>> ...
>>> 2013-12-16 18:12:39 pkispawn    : ERROR    ....... server failed to
>>> restart
>>> 2013-12-16 18:12:39 pkispawn    : DEBUG    ....... Error Type: SystemExit
>>> 2013-12-16 18:12:39 pkispawn    : DEBUG    ....... Error Message: 1
>>> 2013-12-16 18:12:39 pkispawn    : DEBUG    .......   File
>>> "/usr/sbin/pkispawn", line 374, in main
>>>     rv = instance.spawn()
>>>   File
>>> "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
>>> line 102, in spawn
>>>     sys.exit(1)
>>> </text>
>>>
>>
>> You are trying it in a container. I do not know whether this makes a
>> difference.
>> It might be due to the fact that underlying directory server has not
>> started.
>> Please look at the pki instance DS logs to determine whether the DS
>> instance was installed and configured correctly.
>> http://www.freeipa.org/page/Troubleshooting#Server_Installation
>> Please publish these logs here.
>
>
> I'm not entirely sure that IPA works in a container. I think that Nathaniel looked at this a few months ago but I can't recall his findings.
>
> rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access
Type: application/octet-stream
Size: 60877 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20131217/2834050d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: errors
Type: application/octet-stream
Size: 5645 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20131217/2834050d/attachment-0001.obj>
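
The access-log triage in this message (matching each `RESULT err=32` to the search that produced it) can be scripted. This is an added example, not part of the original post or of any FreeIPA/389 DS tooling: it pairs request and RESULT lines by conn/op and lists the non-zero results. The first four sample records are unwrapped from the excerpt above; the last three are constructed.

```python
import re

# Access-log records, one per line as 389 DS writes them. The first four are
# unwrapped from the excerpt in the message; the last three are constructed.
SAMPLE = """\
[17/Dec/2013:01:11:40 -0500] conn=17 op=2 SRCH base="cn=Schema Compatibility,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses aci"
[17/Dec/2013:01:11:40 -0500] conn=17 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[17/Dec/2013:01:11:44 -0500] conn=3 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[17/Dec/2013:01:11:44 -0500] conn=3 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[17/Dec/2013:01:11:44 -0500] conn=3 op=3 SRCH base="dc=marphod,dc=net" scope=0 filter="(objectClass=*)" attrs=ALL
[17/Dec/2013:01:11:44 -0500] conn=3 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[17/Dec/2013:01:11:45 -0500] conn=9 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<verb>[A-Z]+)\b(?P<rest>.*)$"
)
BASE = re.compile(r'base="([^"]*)"')
ERR = re.compile(r"\berr=(\d+)")
# Standard LDAP result codes most often seen while debugging an install.
LDAP_ERR = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}


def failed_ops(text):
    """Pair each RESULT with its request by (conn, op); return the failures."""
    pending, failures = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # connection open/close lines and wrapped fragments
            continue
        key = (int(m["conn"]), int(m["op"]))
        if m["verb"] != "RESULT":
            base = BASE.search(m["rest"])
            pending[key] = (m["verb"], base.group(1) if base else None)
            continue
        err = ERR.search(m["rest"])
        verb, base = pending.pop(key, (None, None))  # request may be cut off
        if err and int(err.group(1)) != 0:
            code = int(err.group(1))
            failures.append((m["ts"], key, verb, base, code, LDAP_ERR.get(code, "other")))
    return failures


if __name__ == "__main__":
    for ts, (conn, op), verb, base, code, name in failed_ops(SAMPLE):
        print(f"{ts} conn={conn} op={op} {verb or '?'} base={base!r} err={code} ({name})")
```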

