[Freeipa-users] ipa-server-install fails (RHEL 6.5)

Steve Dainard sdainard at miovision.com
Wed Feb 5 17:33:28 UTC 2014


I just restored the machine from a pre-install snapshot and tried again.
For some reason we don't fail on the krb config but the installer reports
db write errors when adding records:

Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete Sudo
command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
Sudo command')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete HBAC
rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
HBAC rule')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add Sudo
command group,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=Sudo Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Add Sudo command group')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add Group
Password Policy costemplate,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=Password Policy
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
Group Password Policy costemplate')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=HBAC
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['nestedgroup', 'groupofnames', 'top']), ('member', [ipapython.dn.DN('cn=IT
Security Specialist,cn=roles,cn=accounts,dc=miovision,dc=linux')]), ('cn',
'HBAC Administrator'), ('description', 'HBAC Administrator')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add Sudo
rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
Sudo rule')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete
Group Password Policy
costemplate,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Password Policy
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
Group Password Policy costemplate')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add
krbPrincipalName to a host,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
['cn=Host Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux',
'cn=Host Enrollment,cn=privileges,cn=pbac,dc=miovision,dc=linux']), ('cn',
'Add krbPrincipalName to a host')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Manage Sudo
command group membership,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=Sudo Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Manage Sudo command group membership')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add HBAC
service groups,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Add HBAC service groups')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Remove
SELinux User Maps,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
'cn=SELinux User Map
Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn',
'Remove SELinux User Maps')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Write IPA
Configuration,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
'cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Write IPA Configuration')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Manage HBAC
rule membership,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Manage HBAC rule membership')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=SELinux
User Map Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['top', 'groupofnames', 'nestedgroup']), ('cn', 'SELinux
User Map Administrators'), ('description', 'SELinux User Map
Administrators')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete Sudo
rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
Sudo rule')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete HBAC
services,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
HBAC services')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete Sudo
command group,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=Sudo Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Delete Sudo command group')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete
Group Password Policy,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=Password Policy
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
Group Password Policy')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add HBAC
services,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
HBAC services')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Delete HBAC
service groups,cn=permissions,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
('cn', 'Delete HBAC service groups')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Modify Sudo
command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Modify
Sudo command')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add Sudo
command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
Sudo command')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Modify
Group Password Policy
costemplate,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Password Policy
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Modify
Group Password Policy costemplate')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add HBAC
rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
HBAC rule')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Modify
Group membership,cn=privileges,cn=pbac,dc=miovision,dc=linux:
[('objectclass', ['top', 'groupofnames', 'nestedgroup']), ('member',
'cn=helpdesk,cn=roles,cn=accounts,dc=miovision,dc=linux'), ('cn', 'Modify
Group membership'), ('description', 'Modify Group membership')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=IT
Specialist,cn=roles,cn=accounts,dc=miovision,dc=linux: [('objectclass',
['groupofnames', 'nestedgroup', 'top']), ('cn', 'IT Specialist'),
('description', 'IT Specialist')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server
is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is
unwilling to perform: database is read-only arguments: entry=cn=Add SELinux
User Maps,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
['top', 'groupofnames', 'ipapermission']), ('member', 'cn=SELinux User Map
Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
SELinux User Maps')]
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password



I'd attach the log file, but it's 30MB in size... it looks like the DEBUG
loglevel prints out all the inserts when building the db.



*Steve Dainard *
IT Infrastructure Manager
Miovision <http://miovision.com/> | *Rethink Traffic*
519-513-2407 ex.250
877-646-8476 (toll-free)

*Blog <http://miovision.com/blog>  |  **LinkedIn
<https://www.linkedin.com/company/miovision-technologies>  |  Twitter
<https://twitter.com/miovision>  |  Facebook
<https://www.facebook.com/miovision>*
------------------------------
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.


On Wed, Feb 5, 2014 at 12:09 PM, Steve Dainard <sdainard at miovision.com> wrote:

>
>
> rpm -qa | grep krb5
> pam_krb5-2.3.11-9.el6.x86_64
> *krb5-server-1.10.3-10.el6_4.6.x86_64*
> krb5-libs-1.10.3-10.el6_4.6.x86_64
> krb5-workstation-1.10.3-10.el6_4.6.x86_64
>
> I don't see any segfaults in messages.
>
> /var/log/dirsrv/slapd-MIOVISION-LINUX/errors looks pretty clean:
>
> 389-Directory/1.2.11.15 B2013.337.1530
> ipa1.miovision.linux:389 (/etc/dirsrv/slapd-MIOVISION-LINUX)
>
> [04/Feb/2014:15:39:54 -0500] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to access the
> database
> [04/Feb/2014:15:39:54 -0500] - check_and_set_import_cache: pagesize: 4096,
> pages: 1497738, procpages: 51916
> [04/Feb/2014:15:39:54 -0500] - Import allocates 2396380KB import cache.
> [04/Feb/2014:15:39:55 -0500] - import userRoot: Beginning import job...
> [04/Feb/2014:15:39:55 -0500] - import userRoot: Index buffering enabled
> with bucket size 100
> [04/Feb/2014:15:39:56 -0500] - import userRoot: Processing file
> "/var/lib/dirsrv/boot.ldif"
> [04/Feb/2014:15:39:56 -0500] - import userRoot: Finished scanning file
> "/var/lib/dirsrv/boot.ldif" (1 entries)
> [04/Feb/2014:15:40:03 -0500] - import userRoot: Workers finished; cleaning
> up...
> [04/Feb/2014:15:40:04 -0500] - import userRoot: Workers cleaned up.
> [04/Feb/2014:15:40:05 -0500] - import userRoot: Cleaning up producer
> thread...
> [04/Feb/2014:15:40:05 -0500] - import userRoot: Indexing complete.
>  Post-processing...
> [04/Feb/2014:15:40:06 -0500] - import userRoot: Generating numSubordinates
> complete.
> [04/Feb/2014:15:40:07 -0500] - Nothing to do to build ancestorid index
> [04/Feb/2014:15:40:08 -0500] - import userRoot: Flushing caches...
> [04/Feb/2014:15:40:08 -0500] - import userRoot: Closing files...
> [04/Feb/2014:15:40:10 -0500] - All database threads now stopped
> [04/Feb/2014:15:40:10 -0500] - import userRoot: Import complete.
>  Processed 1 entries in 15 seconds. (0.07 entries/sec)
> [04/Feb/2014:15:40:18 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
> starting up
> [04/Feb/2014:15:40:19 -0500] - Db home directory is not set. Possibly
> nsslapd-directory (optinally nsslapd-db-home-directory) is missing in the
> config file.
> [04/Feb/2014:15:40:19 -0500] - I'm resizing my cache now...cache was
> 2453893120 and is now 8000000
> [04/Feb/2014:15:40:36 -0500] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [04/Feb/2014:15:40:36 -0500] - slapd shutting down - signaling operation
> threads
> [04/Feb/2014:15:40:37 -0500] - slapd shutting down - closing down internal
> subsystems and plugins
> [04/Feb/2014:15:40:37 -0500] - Waiting for 4 database threads to stop
> [04/Feb/2014:15:40:38 -0500] - All database threads now stopped
> [04/Feb/2014:15:40:38 -0500] - slapd stopped.
> [04/Feb/2014:15:40:40 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
> starting up
> [04/Feb/2014:15:40:41 -0500] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [04/Feb/2014:15:40:43 -0500] - The change of nsslapd-ldapilisten will not
> take effect until the server is restarted
> [04/Feb/2014:15:41:10 -0500] - Warning: Adding configuration attribute
> "nsslapd-security"
> [04/Feb/2014:15:41:13 -0500] - slapd shutting down - signaling operation
> threads
> [04/Feb/2014:15:41:14 -0500] - slapd shutting down - waiting for 30
> threads to terminate
> [04/Feb/2014:15:41:14 -0500] - slapd shutting down - closing down internal
> subsystems and plugins
> [04/Feb/2014:15:41:15 -0500] - Waiting for 4 database threads to stop
> [04/Feb/2014:15:41:17 -0500] - All database threads now stopped
> [04/Feb/2014:15:41:17 -0500] - slapd stopped.
> [04/Feb/2014:15:41:27 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
> starting up
> [04/Feb/2014:15:41:27 -0500] attrcrypt - No symmetric key found for cipher
> AES in backend userRoot, attempting to create one...
> [04/Feb/2014:15:41:28 -0500] attrcrypt - Key for cipher AES successfully
> generated and stored
> [04/Feb/2014:15:41:29 -0500] attrcrypt - No symmetric key found for cipher
> 3DES in backend userRoot, attempting to create one...
> [04/Feb/2014:15:41:29 -0500] attrcrypt - Key for cipher 3DES successfully
> generated and stored
> [04/Feb/2014:15:41:31 -0500] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [04/Feb/2014:15:41:31 -0500] - Listening on All Interfaces port 636 for
> LDAPS requests
> [04/Feb/2014:15:41:32 -0500] - Listening on
> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
> [04/Feb/2014:15:42:06 -0500] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
> should be added before the CoS Definition.
> [04/Feb/2014:15:44:31 -0500] - slapd shutting down - signaling operation
> threads
> [04/Feb/2014:15:44:33 -0500] - slapd shutting down - closing down internal
> subsystems and plugins
> [04/Feb/2014:15:44:44 -0500] - Waiting for 4 database threads to stop
> [04/Feb/2014:15:44:47 -0500] - All database threads now stopped
> [04/Feb/2014:15:44:47 -0500] - slapd stopped.
> [04/Feb/2014:15:44:49 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
> starting up
> [04/Feb/2014:15:44:51 -0500] schema-compat-plugin - warning: no entries
> set up under cn=computers, cn=compat,dc=miovision,dc=linux
> [04/Feb/2014:15:44:52 -0500] schema-compat-plugin - warning: no entries
> set up under cn=ng, cn=compat,dc=miovision,dc=linux
> [04/Feb/2014:15:44:52 -0500] schema-compat-plugin - warning: no entries
> set up under ou=sudoers,dc=miovision,dc=linux
> [04/Feb/2014:15:44:52 -0500] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
> should be added before the CoS Definition.
> [04/Feb/2014:15:44:52 -0500] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
> should be added before the CoS Definition.
> [04/Feb/2014:15:44:53 -0500] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [04/Feb/2014:15:44:53 -0500] - Listening on All Interfaces port 636 for
> LDAPS requests
> [04/Feb/2014:15:44:53 -0500] - Listening on
> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
> [04/Feb/2014:15:44:53 -0500] - The change of nsslapd-maxdescriptors will
> not take effect until the server is restarted
> [05/Feb/2014:09:51:59 -0500] - slapd shutting down - signaling operation
> threads
> [05/Feb/2014:09:51:59 -0500] - slapd shutting down - waiting for 26
> threads to terminate
> [05/Feb/2014:09:52:00 -0500] - slapd shutting down - closing down internal
> subsystems and plugins
> [05/Feb/2014:09:52:00 -0500] - Waiting for 4 database threads to stop
> [05/Feb/2014:09:52:00 -0500] - All database threads now stopped
> [05/Feb/2014:09:52:00 -0500] - slapd stopped.
>
>
> Thanks,
>
>
>
> On Wed, Feb 5, 2014 at 11:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Steve Dainard wrote:
>>
>>> Following this guide:
>>> https://access.redhat.com/site/documentation/en-US/Red_
>>> Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
>>> trust-diff-dns-domains.html
>>>
>>> STEP 4:
>>> ipa-server-install --setup-dns -p '<password>' -a '<password>' -r
>>> MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
>>> --forwarder=10.0.0.2 --forwarder=10.0.0.5
>>>
>>> Server host name [ipa1.miovision.linux]:
>>>
>>> Warning: skipping DNS resolution of host ipa1.miovision.linux
>>> Unable to resolve IP address for host name
>>> Please provide the IP address to be used for this host name: 10.0.6.3
>>> Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
>>> Do you want to configure the reverse zone? [yes]:
>>> Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
>>> Using reverse zone 6.0.10.in-addr.arpa.
>>>
>>> The IPA Master Server will be configured with:
>>> Hostname:      ipa1.miovision.linux
>>> IP address:    10.0.6.3
>>> Domain name:   miovision.linux
>>> Realm name:    MIOVISION.LINUX
>>>
>>> BIND DNS server will be configured to serve IPA domain with:
>>> Forwarders:    10.0.0.2, 10.0.0.5
>>> Reverse zone:  6.0.10.in-addr.arpa.
>>>
>>> Continue to configure the system with these values? [no]: yes
>>>
>>> The following operations may take some minutes to complete.
>>> Please wait until the prompt is returned.
>>>
>>> Configuring NTP daemon (ntpd)
>>>    [1/4]: stopping ntpd
>>>
>>> ...
>>>
>>> Done configuring directory server (dirsrv).
>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>>    [1/10]: adding sasl mappings to the directory
>>>    [2/10]: adding kerberos container to the directory
>>>    [3/10]: configuring KDC
>>>    [4/10]: initialize kerberos container
>>> Failed to initialize the realm container
>>>    [5/10]: adding default ACIs
>>>    [6/10]: creating a keytab for the directory
>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> CalledProcessError: Command 'kadmin.local -q addprinc -randkey
>>> ldap/ipa1.miovision.linux at MIOVISION.LINUX -x
>>> ipa-setup-override-restrictions' returned non-zero exit status 1
>>>
>>> */var/log/ipaserver-install.log*
>>>
>>>
>>> add aci:
>>>
>>> (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=
>>> miovision,dc=linux")(targetattr="userCertificate")(version
>>> 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn =
>>> "ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=
>>> accounts,dc=miovision,dc=linux";)
>>> modifying entry "cn=ipa,cn=etc,dc=miovision,dc=linux"
>>> modify complete
>>>
>>>
>>> 2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
>>> ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )
>>>
>>> 2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
>>> 2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
>>> 2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
>>> ldap/ipa1.miovision.linux at MIOVISION.LINUX -x ipa-setup-override-
>>> restrictions
>>> 2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
>>> root/admin at MIOVISION.LINUX with password.
>>>
>>> 2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
>>> database while initializing kadmin.local interface
>>>
>>> 2014-02-04T20:45:51Z INFO   File
>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>>> line 614, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/usr/sbin/ipa-server-install", line 1024, in main
>>>      subject_base=options.subject)
>>>
>>>    File
>>> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
>>> line 183, in create_instance
>>>      self.start_creation(runtime=30)
>>>
>>>    File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
>>> line 358, in start_creation
>>>      method()
>>>
>>>    File
>>> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
>>> line 386, in __create_ds_keytab
>>>      installutils.kadmin_addprinc(ldap_principal)
>>>
>>>    File
>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>>> line 369, in kadmin_addprinc
>>>      kadmin("addprinc -randkey " + principal)
>>>
>>>    File
>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>>> line 366, in kadmin
>>>      "-x", "ipa-setup-override-restrictions"])
>>>
>>>    File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line
>>> 316, in run
>>>      raise CalledProcessError(p.returncode, args)
>>>
>>> 2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
>>> exception: CalledProcessError: Command 'kadmin.local -q addprinc
>>> -randkey ldap/ipa1.miovision.linux at MIOVISION.LINUX -x
>>> ipa-setup-override-restrictions' returned non-zero exit status 1
>>>
>>>
>> Steve sent me the logs out-of-band. I think the problem is an earlier
>> failure after generating the master key:
>>
>> 2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r MIOVISION.LINUX -x
>> ipa-setup-override-restrictions
>> 2014-02-04T20:45:45Z DEBUG stdout=Loading random data
>> Initializing database '/var/kerberos/krb5kdc/principal' for realm
>> 'MIOVISION.LINUX',
>> master key name 'K/M at MIOVISION.LINUX'
>> You will be prompted for the database Master Password.
>> It is important that you NOT FORGET this password.
>> Enter KDC database master key:
>> Re-enter KDC database master key to verify:
>>
>>
>> 2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext:
>> Assertion `ld != ((void *)0)' failed.
>>
>> What version of krb5_server is installed? Does /var/log/messages indicate
>> a segfault? Are there any failures in /var/log/dirsrv/slapd-
>> MIOVISION-LINUX/errors?
>>
>> rob
>>
>
>
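The two questions this thread works through, which LDAP updates the installer had rejected and why, and which earlier installer command was the first one to fail, can both be answered mechanically from the logs instead of by scrolling a 30MB file. The script below is an added example and is not code from the thread or from FreeIPA; the log excerpts embedded in it are constructed from the lines quoted above (domain dc=miovision,dc=linux and realm MIOVISION.LINUX are kept as in the thread), the function names are my own, and it assumes Python 3 and the `key=value` DEBUG record layout that ipaserver-install.log shows here.

```python
import re
from collections import Counter

# Constructed sample of ipa-server-install terminal output, modelled on the
# "Applying LDAP updates" section in the thread (the installer writes each
# error on one line; only the mail client wrapped them).
SAMPLE_INSTALL_OUTPUT = """\
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is unwilling to perform: database is read-only arguments: entry=cn=Delete Sudo command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('cn', 'Delete Sudo command')]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is unwilling to perform: database is read-only arguments: entry=cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux: [('objectclass', ['nestedgroup', 'groupofnames', 'top']), ('cn', 'HBAC Administrator')]
Restarting the directory server
"""

# Constructed excerpt of /var/log/ipaserver-install.log in the args=/stdout=/
# stderr= form quoted in the thread; stdout continuation lines carry no timestamp.
SAMPLE_INSTALL_LOG = """\
2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:45Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MIOVISION.LINUX',
master key name 'K/M@MIOVISION.LINUX'
2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext: Assertion `ld != ((void *)0)' failed.
2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal root/admin@MIOVISION.LINUX with password.
2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the database while initializing kadmin.local interface
"""

# One ldapupdate ERROR line: kind, server reason, and (for Add failures) the entry DN.
LDAPUPDATE_RE = re.compile(
    r"^ipa\.ipaserver\.install\.ldapupdate\.LDAPUpdate: ERROR\s+"
    r"(?P<kind>Update failed|Add failure):?\s+"
    r"(?P<reason>.*?)"
    r"(?: arguments: entry=(?P<dn>.*?): \[.*)?$"
)

def summarize_ldapupdate_errors(output: str) -> dict:
    """Count rejected LDAP updates by kind and reason and list the affected entry DNs."""
    kinds, reasons, entries = Counter(), Counter(), []
    for line in output.splitlines():
        m = LDAPUPDATE_RE.match(line)
        if not m:
            continue
        kinds[m["kind"]] += 1
        reasons[m["reason"]] += 1
        if m["dn"]:
            entries.append(m["dn"])
    return {"kinds": dict(kinds), "reasons": dict(reasons), "entries": entries}

def all_read_only(summary: dict) -> bool:
    """True when every rejection is the directory backend refusing writes."""
    return bool(summary["reasons"]) and all(
        r.endswith("database is read-only") for r in summary["reasons"])

RECORD_RE = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (?P<level>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"^(?P<key>args|stdout|stderr)=(?P<val>.*)$")
# stderr patterns that mark a command as the place to start reading (assumption: my own list)
SUSPICIOUS_RE = re.compile(r"Assertion .+ failed|No such entry|returned non-zero exit status")

def command_records(log: str) -> list:
    """Group args=/stdout=/stderr= records into one dict per external command the installer ran."""
    commands, current_key = [], None
    for line in log.splitlines():
        rec = RECORD_RE.match(line)
        if rec:
            current_key = None            # any timestamped line ends the previous value
            kv = KV_RE.match(rec["rest"])
            if not kv:
                continue                  # e.g. "duration: 6 seconds" or INFO lines
            if kv["key"] == "args":
                commands.append({"args": kv["val"], "stdout": "", "stderr": ""})
            elif commands:
                commands[-1][kv["key"]] = kv["val"]
                current_key = kv["key"]
        elif commands and current_key:
            commands[-1][current_key] += "\n" + line   # untimestamped continuation line
    return commands

def first_failing_command(log: str):
    """Earliest command whose stderr shows an assertion/crash or a missing-entry error."""
    for cmd in command_records(log):
        if SUSPICIOUS_RE.search(cmd["stderr"]):
            return cmd
    return None

if __name__ == "__main__":
    summary = summarize_ldapupdate_errors(SAMPLE_INSTALL_OUTPUT)
    print(summary["kinds"], "backend read-only for every rejection:", all_read_only(summary))
    for dn in summary["entries"]:
        print("  rejected entry:", dn)
    first = first_failing_command(SAMPLE_INSTALL_LOG)
    print("first failing command:", first["args"] if first else None)
```

Run against the real files (`ipa-server-install` output captured with `tee`, and /var/log/ipaserver-install.log), `first_failing_command` points at the `kdb5_util create` assertion rather than the later `kadmin.local` error that the installer surfaces, which is the reading Rob gives above. When `all_read_only` is true, the permission and privilege entries themselves are fine and the thing to inspect is the directory backend's state: in my experience the 389-ds backend entry (cn=userRoot,cn=ldbm database,cn=plugins,cn=config) carries an `nsslapd-readonly` attribute, and the dirsrv errors log around the restart just before "Applying LDAP updates" shows whether an import or reindex was still holding the backend.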