[Freeipa-users] ipa-server-install fails (RHEL 6.5)

Rob Crittenden rcritten at redhat.com
Wed Feb 5 12:59:43 UTC 2014


Steve Dainard wrote:
> Following this guide:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>
> STEP 4:
> ipa-server-install --setup-dns -p '<password>' -a '<password>' -r
> MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
> --forwarder=10.0.0.2 --forwarder=10.0.0.5
>
> Server host name [ipa1.miovision.linux]:
>
> Warning: skipping DNS resolution of host ipa1.miovision.linux
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 10.0.6.3
> Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
> Do you want to configure the reverse zone? [yes]:
> Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
> Using reverse zone 6.0.10.in-addr.arpa.
>
> The IPA Master Server will be configured with:
> Hostname:      ipa1.miovision.linux
> IP address:    10.0.6.3
> Domain name:   miovision.linux
> Realm name:    MIOVISION.LINUX
>
> BIND DNS server will be configured to serve IPA domain with:
> Forwarders:    10.0.0.2, 10.0.0.5
> Reverse zone:  6.0.10.in-addr.arpa.
>
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>
> ...
>
> Done configuring directory server (dirsrv).
> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>    [1/10]: adding sasl mappings to the directory
>    [2/10]: adding kerberos container to the directory
>    [3/10]: configuring KDC
>    [4/10]: initialize kerberos container
> Failed to initialize the realm container
>    [5/10]: adding default ACIs
>    [6/10]: creating a keytab for the directory
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command 'kadmin.local -q addprinc -randkey
> ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
> ipa-setup-override-restrictions' returned non-zero exit status 1
>
> */var/log/ipaserver-install.log*
>
> add aci:
>
> (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux")(targetattr="userCertificate")(version
> 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn =
> "ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux";)
> modifying entry "cn=ipa,cn=etc,dc=miovision,dc=linux"
> modify complete
>
>
> 2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
> ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )
>
> 2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
> 2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
> 2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
> ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
> 2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
> root/admin@MIOVISION.LINUX with password.
>
> 2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
> database while initializing kadmin.local interface
>
> 2014-02-04T20:45:51Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-server-install", line 1024, in main
>      subject_base=options.subject)
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
> line 183, in create_instance
>      self.start_creation(runtime=30)
>
>    File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
>      method()
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
> line 386, in __create_ds_keytab
>      installutils.kadmin_addprinc(ldap_principal)
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 369, in kadmin_addprinc
>      kadmin("addprinc -randkey " + principal)
>
>    File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 366, in kadmin
>      "-x", "ipa-setup-override-restrictions"])
>
>    File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line
> 316, in run
>      raise CalledProcessError(p.returncode, args)
>
> 2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
> exception: CalledProcessError: Command 'kadmin.local -q addprinc
> -randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x
> ipa-setup-override-restrictions' returned non-zero exit status 1
>

Hmm, strange. Nothing is jumping out at me for the cause or solution. 
What version of IPA is this? rpm -q ipa-server

Any chance you can send the entire server install log? You can send it 
to me privately if you'd like.

rob



