[Freeipa-users] ipa-server-install fails (RHEL 6.5)

Steve Dainard sdainard at miovision.com
Wed Feb 5 19:24:11 UTC 2014


And another re-install after snapshot restore gives me no errors. Perhaps
there are some race conditions during initial install?

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic
519-513-2407 ex.250
877-646-8476 (toll-free)

Blog <http://miovision.com/blog> | LinkedIn <https://www.linkedin.com/company/miovision-technologies> | Twitter <https://twitter.com/miovision> | Facebook <https://www.facebook.com/miovision>
------------------------------
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.


On Wed, Feb 5, 2014 at 12:33 PM, Steve Dainard <sdainard at miovision.com> wrote:

> I just restored the machine from a pre-install snapshot and tried again.
> For some reason we don't fail on the krb config but the installer reports
> db write errors when adding records:
>
> Done configuring directory server (dirsrv).
> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>   [1/10]: adding sasl mappings to the directory
>   [2/10]: adding kerberos container to the directory
>   [3/10]: configuring KDC
>   [4/10]: initialize kerberos container
>   [5/10]: adding default ACIs
>   [6/10]: creating a keytab for the directory
>   [7/10]: creating a keytab for the machine
>   [8/10]: adding the password extension to the directory
>   [9/10]: starting the KDC
>   [10/10]: configuring KDC to start on boot
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
>   [1/2]: starting kadmin
>   [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring ipa_memcached
>   [1/2]: starting ipa_memcached
>   [2/2]: configuring ipa_memcached to start on boot
> Done configuring ipa_memcached.
> Configuring the web interface (httpd): Estimated time 1 minute
>   [1/13]: setting mod_nss port to 443
>   [2/13]: setting mod_nss password file
>   [3/13]: enabling mod_nss renegotiate
>   [4/13]: adding URL rewriting rules
>   [5/13]: configuring httpd
>   [6/13]: setting up ssl
>   [7/13]: setting up browser autoconfig
>   [8/13]: publish CA cert
>   [9/13]: creating a keytab for httpd
>   [10/13]: clean up any existing httpd ccache
>   [11/13]: configuring SELinux for httpd
>   [12/13]: restarting httpd
>   [13/13]: configuring httpd to start on boot
> Done configuring the web interface (httpd).
> Applying LDAP updates
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> Sudo command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
> Sudo command')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> HBAC rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
> HBAC rule')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add Sudo
> command group,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=Sudo Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Add Sudo command group')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add
> Group Password Policy
> costemplate,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Password Policy
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
> Group Password Policy costemplate')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=HBAC
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['nestedgroup', 'groupofnames', 'top']), ('member', [ipapython.dn.DN('cn=IT
> Security Specialist,cn=roles,cn=accounts,dc=miovision,dc=linux')]), ('cn',
> 'HBAC Administrator'), ('description', 'HBAC Administrator')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add Sudo
> rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
> Sudo rule')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> Group Password Policy
> costemplate,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Password Policy
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
> Group Password Policy costemplate')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add
> krbPrincipalName to a host,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
> ['cn=Host Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux',
> 'cn=Host Enrollment,cn=privileges,cn=pbac,dc=miovision,dc=linux']), ('cn',
> 'Add krbPrincipalName to a host')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Manage
> Sudo command group membership,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=Sudo Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Manage Sudo command group membership')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add HBAC
> service groups,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Add HBAC service groups')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Remove
> SELinux User Maps,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
> 'cn=SELinux User Map
> Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn',
> 'Remove SELinux User Maps')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Write
> IPA Configuration,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
> 'cn=Write IPA Configuration,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Write IPA Configuration')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Manage
> HBAC rule membership,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Manage HBAC rule membership')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=SELinux
> User Map Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['top', 'groupofnames', 'nestedgroup']), ('cn', 'SELinux
> User Map Administrators'), ('description', 'SELinux User Map
> Administrators')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> Sudo rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
> Sudo rule')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> HBAC services,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Delete HBAC services')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> Sudo command group,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=Sudo Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Delete Sudo command group')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> Group Password Policy,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=Password Policy
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Delete
> Group Password Policy')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add HBAC
> services,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
> HBAC services')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Delete
> HBAC service groups,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['groupofnames', 'ipapermission', 'top']), ('member',
> 'cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'),
> ('cn', 'Delete HBAC service groups')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Modify
> Sudo command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Modify
> Sudo command')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add Sudo
> command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Sudo
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
> Sudo command')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Modify
> Group Password Policy
> costemplate,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=Password Policy
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Modify
> Group Password Policy costemplate')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add HBAC
> rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'ipapermission', 'top']), ('member', 'cn=HBAC
> Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
> HBAC rule')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Modify
> Group membership,cn=privileges,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['top', 'groupofnames', 'nestedgroup']), ('member',
> 'cn=helpdesk,cn=roles,cn=accounts,dc=miovision,dc=linux'), ('cn', 'Modify
> Group membership'), ('description', 'Modify Group membership')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=IT
> Specialist,cn=roles,cn=accounts,dc=miovision,dc=linux: [('objectclass',
> ['groupofnames', 'nestedgroup', 'top']), ('cn', 'IT Specialist'),
> ('description', 'IT Specialist')]
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed:
> Server is unwilling to perform: database is read-only
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server
> is unwilling to perform: database is read-only arguments: entry=cn=Add
> SELinux User Maps,cn=permissions,cn=pbac,dc=miovision,dc=linux:
> [('objectclass', ['top', 'groupofnames', 'ipapermission']), ('member',
> 'cn=SELinux User Map
> Administrators,cn=privileges,cn=pbac,dc=miovision,dc=linux'), ('cn', 'Add
> SELinux User Maps')]
> Restarting the directory server
> Restarting the KDC
> Configuring DNS (named)
>   [1/9]: adding DNS container
>   [2/9]: setting up our zone
>   [3/9]: setting up reverse zone
>   [4/9]: setting up our own record
>   [5/9]: setting up kerberos principal
>   [6/9]: setting up named.conf
>   [7/9]: restarting named
>   [8/9]: configuring named to start on boot
>   [9/9]: changing resolv.conf to point to ourselves
> Done configuring DNS (named).
>
> Global DNS configuration in LDAP server is empty
> You can use 'dnsconfig-mod' command to set global DNS options that
> would override settings in local named.conf files
>
> Restarting the web server
>
> ==============================================================================
> Setup complete
>
> Next steps:
> 1. You must make sure these network ports are open:
> TCP Ports:
>   * 80, 443: HTTP/HTTPS
>   * 389, 636: LDAP/LDAPS
>   * 88, 464: kerberos
>   * 53: bind
>  UDP Ports:
>   * 88, 464: kerberos
>   * 53: bind
>   * 123: ntp
>
> 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>    and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
>
>
>
> I'd attach the log file, but it's 30MB in size... it looks like the DEBUG
> loglevel prints out all the inserts when building the db.
>
>
>
>
>
> On Wed, Feb 5, 2014 at 12:09 PM, Steve Dainard <sdainard at miovision.com> wrote:
>
>>
>>
>> rpm -qa | grep krb5
>> pam_krb5-2.3.11-9.el6.x86_64
>> *krb5-server-1.10.3-10.el6_4.6.x86_64*
>> krb5-libs-1.10.3-10.el6_4.6.x86_64
>> krb5-workstation-1.10.3-10.el6_4.6.x86_64
>>
>> I don't see any segfaults in messages.
>>
>> /var/log/dirsrv/slapd-MIOVISION-LINUX/errors looks pretty clean:
>>
>> 389-Directory/1.2.11.15 B2013.337.1530
>> ipa1.miovision.linux:389 (/etc/dirsrv/slapd-MIOVISION-LINUX)
>>
>> [04/Feb/2014:15:39:54 -0500] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to access the
>> database
>> [04/Feb/2014:15:39:54 -0500] - check_and_set_import_cache: pagesize:
>> 4096, pages: 1497738, procpages: 51916
>> [04/Feb/2014:15:39:54 -0500] - Import allocates 2396380KB import cache.
>> [04/Feb/2014:15:39:55 -0500] - import userRoot: Beginning import job...
>> [04/Feb/2014:15:39:55 -0500] - import userRoot: Index buffering enabled
>> with bucket size 100
>> [04/Feb/2014:15:39:56 -0500] - import userRoot: Processing file
>> "/var/lib/dirsrv/boot.ldif"
>> [04/Feb/2014:15:39:56 -0500] - import userRoot: Finished scanning file
>> "/var/lib/dirsrv/boot.ldif" (1 entries)
>> [04/Feb/2014:15:40:03 -0500] - import userRoot: Workers finished;
>> cleaning up...
>> [04/Feb/2014:15:40:04 -0500] - import userRoot: Workers cleaned up.
>> [04/Feb/2014:15:40:05 -0500] - import userRoot: Cleaning up producer
>> thread...
>> [04/Feb/2014:15:40:05 -0500] - import userRoot: Indexing complete.
>>  Post-processing...
>> [04/Feb/2014:15:40:06 -0500] - import userRoot: Generating
>> numSubordinates complete.
>> [04/Feb/2014:15:40:07 -0500] - Nothing to do to build ancestorid index
>> [04/Feb/2014:15:40:08 -0500] - import userRoot: Flushing caches...
>> [04/Feb/2014:15:40:08 -0500] - import userRoot: Closing files...
>> [04/Feb/2014:15:40:10 -0500] - All database threads now stopped
>> [04/Feb/2014:15:40:10 -0500] - import userRoot: Import complete.
>>  Processed 1 entries in 15 seconds. (0.07 entries/sec)
>> [04/Feb/2014:15:40:18 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
>> starting up
>> [04/Feb/2014:15:40:19 -0500] - Db home directory is not set. Possibly
>> nsslapd-directory (optinally nsslapd-db-home-directory) is missing in the
>> config file.
>> [04/Feb/2014:15:40:19 -0500] - I'm resizing my cache now...cache was
>> 2453893120 and is now 8000000
>> [04/Feb/2014:15:40:36 -0500] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [04/Feb/2014:15:40:36 -0500] - slapd shutting down - signaling operation
>> threads
>> [04/Feb/2014:15:40:37 -0500] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [04/Feb/2014:15:40:37 -0500] - Waiting for 4 database threads to stop
>> [04/Feb/2014:15:40:38 -0500] - All database threads now stopped
>> [04/Feb/2014:15:40:38 -0500] - slapd stopped.
>> [04/Feb/2014:15:40:40 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
>> starting up
>> [04/Feb/2014:15:40:41 -0500] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [04/Feb/2014:15:40:43 -0500] - The change of nsslapd-ldapilisten will not
>> take effect until the server is restarted
>> [04/Feb/2014:15:41:10 -0500] - Warning: Adding configuration attribute
>> "nsslapd-security"
>> [04/Feb/2014:15:41:13 -0500] - slapd shutting down - signaling operation
>> threads
>> [04/Feb/2014:15:41:14 -0500] - slapd shutting down - waiting for 30
>> threads to terminate
>> [04/Feb/2014:15:41:14 -0500] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [04/Feb/2014:15:41:15 -0500] - Waiting for 4 database threads to stop
>> [04/Feb/2014:15:41:17 -0500] - All database threads now stopped
>> [04/Feb/2014:15:41:17 -0500] - slapd stopped.
>> [04/Feb/2014:15:41:27 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
>> starting up
>> [04/Feb/2014:15:41:27 -0500] attrcrypt - No symmetric key found for
>> cipher AES in backend userRoot, attempting to create one...
>> [04/Feb/2014:15:41:28 -0500] attrcrypt - Key for cipher AES successfully
>> generated and stored
>> [04/Feb/2014:15:41:29 -0500] attrcrypt - No symmetric key found for
>> cipher 3DES in backend userRoot, attempting to create one...
>> [04/Feb/2014:15:41:29 -0500] attrcrypt - Key for cipher 3DES successfully
>> generated and stored
>> [04/Feb/2014:15:41:31 -0500] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [04/Feb/2014:15:41:31 -0500] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [04/Feb/2014:15:41:32 -0500] - Listening on
>> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
>> [04/Feb/2014:15:42:06 -0500] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [04/Feb/2014:15:44:31 -0500] - slapd shutting down - signaling operation
>> threads
>> [04/Feb/2014:15:44:33 -0500] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [04/Feb/2014:15:44:44 -0500] - Waiting for 4 database threads to stop
>> [04/Feb/2014:15:44:47 -0500] - All database threads now stopped
>> [04/Feb/2014:15:44:47 -0500] - slapd stopped.
>> [04/Feb/2014:15:44:49 -0500] - 389-Directory/1.2.11.15 B2013.337.1530
>> starting up
>> [04/Feb/2014:15:44:51 -0500] schema-compat-plugin - warning: no entries
>> set up under cn=computers, cn=compat,dc=miovision,dc=linux
>> [04/Feb/2014:15:44:52 -0500] schema-compat-plugin - warning: no entries
>> set up under cn=ng, cn=compat,dc=miovision,dc=linux
>> [04/Feb/2014:15:44:52 -0500] schema-compat-plugin - warning: no entries
>> set up under ou=sudoers,dc=miovision,dc=linux
>> [04/Feb/2014:15:44:52 -0500] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [04/Feb/2014:15:44:52 -0500] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [04/Feb/2014:15:44:53 -0500] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [04/Feb/2014:15:44:53 -0500] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [04/Feb/2014:15:44:53 -0500] - Listening on
>> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
>> [04/Feb/2014:15:44:53 -0500] - The change of nsslapd-maxdescriptors will
>> not take effect until the server is restarted
>> [05/Feb/2014:09:51:59 -0500] - slapd shutting down - signaling operation
>> threads
>> [05/Feb/2014:09:51:59 -0500] - slapd shutting down - waiting for 26
>> threads to terminate
>> [05/Feb/2014:09:52:00 -0500] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [05/Feb/2014:09:52:00 -0500] - Waiting for 4 database threads to stop
>> [05/Feb/2014:09:52:00 -0500] - All database threads now stopped
>> [05/Feb/2014:09:52:00 -0500] - slapd stopped.
>>
>>
>> Thanks,
>>
>>
>>
>> On Wed, Feb 5, 2014 at 11:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Steve Dainard wrote:
>>>
>>>> Following this guide:
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>>>>
>>>> STEP 4:
>>>> ipa-server-install --setup-dns -p '<password>' -a '<password>' -r
>>>> MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux
>>>> --forwarder=10.0.0.2 --forwarder=10.0.0.5
>>>>
>>>> Server host name [ipa1.miovision.linux]:
>>>>
>>>> Warning: skipping DNS resolution of host ipa1.miovision.linux
>>>> Unable to resolve IP address for host name
>>>> Please provide the IP address to be used for this host name: 10.0.6.3
>>>> Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
>>>> Do you want to configure the reverse zone? [yes]:
>>>> Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
>>>> Using reverse zone 6.0.10.in-addr.arpa.
>>>>
>>>> The IPA Master Server will be configured with:
>>>> Hostname:      ipa1.miovision.linux
>>>> IP address:    10.0.6.3
>>>> Domain name:   miovision.linux
>>>> Realm name:    MIOVISION.LINUX
>>>>
>>>> BIND DNS server will be configured to serve IPA domain with:
>>>> Forwarders:    10.0.0.2, 10.0.0.5
>>>> Reverse zone:  6.0.10.in-addr.arpa.
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>>
>>>> The following operations may take some minutes to complete.
>>>> Please wait until the prompt is returned.
>>>>
>>>> Configuring NTP daemon (ntpd)
>>>>    [1/4]: stopping ntpd
>>>>
>>>> ...
>>>>
>>>> Done configuring directory server (dirsrv).
>>>> Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
>>>>    [1/10]: adding sasl mappings to the directory
>>>>    [2/10]: adding kerberos container to the directory
>>>>    [3/10]: configuring KDC
>>>>    [4/10]: initialize kerberos container
>>>> Failed to initialize the realm container
>>>>    [5/10]: adding default ACIs
>>>>    [6/10]: creating a keytab for the directory
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> CalledProcessError: Command 'kadmin.local -q addprinc -randkey
>>>> ldap/ipa1.miovision.linux at MIOVISION.LINUX -x
>>>> ipa-setup-override-restrictions' returned non-zero exit status 1
>>>>
>>>> */var/log/ipaserver-install.log*
>>>>
>>>>
>>>> add aci:
>>>>
>>>> (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=
>>>> miovision,dc=linux")(targetattr="userCertificate")(version
>>>> 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn =
>>>> "ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=
>>>> accounts,dc=miovision,dc=linux";)
>>>> modifying entry "cn=ipa,cn=etc,dc=miovision,dc=linux"
>>>> modify complete
>>>>
>>>>
>>>> 2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize(
>>>> ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )
>>>>
>>>> 2014-02-04T20:45:51Z DEBUG   duration: 6 seconds
>>>> 2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
>>>> 2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey
>>>> ldap/ipa1.miovision.linux at MIOVISION.LINUX -x ipa-setup-override-
>>>> restrictions
>>>> 2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal
>>>> root/admin at MIOVISION.LINUX with password.
>>>>
>>>> 2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the
>>>> database while initializing kadmin.local interface
>>>>
>>>> 2014-02-04T20:45:51Z INFO   File
>>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>>>> line 614, in run_script
>>>>      return_value = main_function()
>>>>
>>>>    File "/usr/sbin/ipa-server-install", line 1024, in main
>>>>      subject_base=options.subject)
>>>>
>>>>    File
>>>> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
>>>> line 183, in create_instance
>>>>      self.start_creation(runtime=30)
>>>>
>>>>    File "/usr/lib/python2.6/site-packages/ipaserver/install/
>>>> service.py",
>>>> line 358, in start_creation
>>>>      method()
>>>>
>>>>    File
>>>> "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py",
>>>> line 386, in __create_ds_keytab
>>>>      installutils.kadmin_addprinc(ldap_principal)
>>>>
>>>>    File
>>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>>>> line 369, in kadmin_addprinc
>>>>      kadmin("addprinc -randkey " + principal)
>>>>
>>>>    File
>>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>>>> line 366, in kadmin
>>>>      "-x", "ipa-setup-override-restrictions"])
>>>>
>>>>    File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line
>>>> 316, in run
>>>>      raise CalledProcessError(p.returncode, args)
>>>>
>>>> 2014-02-04T20:45:51Z INFO The ipa-server-install command failed,
>>>> exception: CalledProcessError: Command 'kadmin.local -q addprinc
>>>> -randkey ldap/ipa1.miovision.linux at MIOVISION.LINUX -x
>>>> ipa-setup-override-restrictions' returned non-zero exit status 1
>>>>
>>>>
>>> Steve sent me the logs out-of-band. I think the problem is an earlier
>>> failure after generating the master key:
>>>
>>> 2014-02-04T20:45:45Z DEBUG args=kdb5_util create -s -r MIOVISION.LINUX
>>> -x ipa-setup-override-restrictions
>>> 2014-02-04T20:45:45Z DEBUG stdout=Loading random data
>>> Initializing database '/var/kerberos/krb5kdc/principal' for realm
>>> 'MIOVISION.LINUX',
>>> master key name 'K/M at MIOVISION.LINUX'
>>> You will be prompted for the database Master Password.
>>> It is important that you NOT FORGET this password.
>>> Enter KDC database master key:
>>> Re-enter KDC database master key to verify:
>>>
>>>
>>> 2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext:
>>> Assertion `ld != ((void *)0)' failed.
>>>
>>> What version of krb5_server is installed? Does /var/log/messages
>>> indicate a segfault? Are there any failures in /var/log/dirsrv/slapd-
>>> MIOVISION-LINUX/errors?
>>>
>>> rob
>>>
>>
>>
>
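A triage script for the transcripts quoted in this thread, added here as an example (it is not FreeIPA code and was not posted in the thread): it reports the install step that was running when the first error appeared, pulls out the kdb5_util ldap_add_ext assertion and kadmin.local stderr from the first attempt, and groups the LDAPUpdate "database is read-only" refusals of the second attempt by the container being written. The sample transcripts are constructed from lines quoted above; the thread does not settle the root cause, so the script only organises the evidence a 30MB DEBUG log buries.

```python
"""Triage an ipa-server-install transcript or ipaserver-install.log excerpt.

Added example, not FreeIPA code and not posted in the thread. It isolates the
two failure signatures the thread shows (a kdb5_util assertion in ldap_add_ext
and LDAPUpdate refusals with "database is read-only") and records the install
step that was running when the first error appeared.
"""
import re
from collections import Counter

# Installer section headers, e.g. "Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds".
SECTION_RE = re.compile(r"^(Configuring .+?|Applying LDAP updates|Restarting .+?)(?::.*)?$")
# Step markers; in the log they follow a timestamp prefix, so they are searched, not matched.
STEP_RE = re.compile(r"\[(\d+)/(\d+)\]:\s*(.+?)\s*$")
# glibc-style assertion message captured from a subprocess' stderr.
ASSERT_RE = re.compile(r"stderr=(\S+): (\S+):(\d+): (\w+): Assertion `(.+)' failed\.")
KADMIN_RE = re.compile(r"stderr=kadmin\.local: (.+)")
# LDAPUpdate refusals; "Add failure" lines also carry the DN that was being added.
LDAPUPDATE_RE = re.compile(
    r"LDAPUpdate: ERROR\s+(Add failure|Update failed:)\s+"
    r"Server is unwilling to perform: (.+?)(?: arguments: entry=(.+?): \[|$)"
)
GENERIC_ERROR_RE = re.compile(r"Failed to |Unexpected error|CalledProcessError:|command failed")


def parent_dn(dn):
    """Container one level above dn; a comma escaped with a backslash does not split."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else dn


def triage(transcript):
    """One pass over the transcript: first_error is (section, step, message) or None;
    refusal_reasons/refused_containers are Counters; assertions/kadmin_errors are lists."""
    summary = {"first_error": None, "refusal_reasons": Counter(),
               "refused_containers": Counter(), "assertions": [], "kadmin_errors": []}
    section = step = None

    def note(message):  # keep only the earliest error together with its context
        if summary["first_error"] is None:
            summary["first_error"] = (section, step, message)

    for raw in transcript.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, step = m.group(1), None
            continue
        m = STEP_RE.search(line)
        if m:
            step = m.group(3)
            continue
        m = ASSERT_RE.search(line)
        if m:
            prog, src, lineno, func, expr = m.groups()
            summary["assertions"].append(m.groups())
            note(f"{prog} aborted: assertion `{expr}' failed in {func}() at {src}:{lineno}")
            continue
        m = KADMIN_RE.search(line)
        if m:
            summary["kadmin_errors"].append(m.group(1))
            note("kadmin.local: " + m.group(1))
            continue
        m = LDAPUPDATE_RE.search(line)
        if m:
            _kind, reason, dn = m.groups()
            summary["refusal_reasons"][reason] += 1
            if dn:
                summary["refused_containers"][parent_dn(dn)] += 1
            note("LDAP update refused: " + reason)
            continue
        if GENERIC_ERROR_RE.search(line):
            note(line)
    return summary


# Constructed samples, condensed from the two attempts quoted in the thread.
FIRST_ATTEMPT_LOG = """\
2014-02-04T20:45:45Z DEBUG   [4/10]: initialize kerberos container
2014-02-04T20:45:45Z DEBUG stderr=kdb5_util: add.c:124: ldap_add_ext: Assertion `ld != ((void *)0)' failed.
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the database while initializing kadmin.local interface
"""

SECOND_ATTEMPT_CONSOLE = """\
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [10/10]: configuring KDC to start on boot
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Update failed: Server is unwilling to perform: database is read-only
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is unwilling to perform: database is read-only arguments: entry=cn=Delete Sudo command,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass', ['groupofnames', 'ipapermission', 'top'])]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is unwilling to perform: database is read-only arguments: entry=cn=Add Sudo rule,cn=permissions,cn=pbac,dc=miovision,dc=linux: [('objectclass', ['groupofnames', 'ipapermission', 'top'])]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is unwilling to perform: database is read-only arguments: entry=cn=HBAC Administrator,cn=privileges,cn=pbac,dc=miovision,dc=linux: [('objectclass', ['nestedgroup', 'groupofnames', 'top'])]
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure Server is unwilling to perform: database is read-only arguments: entry=cn=IT Specialist,cn=roles,cn=accounts,dc=miovision,dc=linux: [('objectclass', ['groupofnames', 'nestedgroup', 'top'])]
"""

if __name__ == "__main__":
    for name, text in (("first attempt", FIRST_ATTEMPT_LOG), ("second attempt", SECOND_ATTEMPT_CONSOLE)):
        s = triage(text)
        print(name, "->", s["first_error"], dict(s["refused_containers"]))
```

Point it at the real /var/log/ipaserver-install.log with `triage(open(path).read())`; the regexes are keyed to the message formats quoted in this thread and will need extending for other failure signatures.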