[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 1 17:46:22 UTC 2014


On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>
>
>We are trying to install Identity Manager for testing and learning purposes in a test lab
>environment.    We have successfully installed the base product but have run into problems
>when trying to setup a domain trust to an AD server.
>
>We are somewhat limited as to how we can change these systems and since they must function
>for replication of many different problems, we need to be cautious as to what we change.
>But they are crash and burn systems.
>
>Both the RHEL V7 IdM server system and the W2008 R2 AD server are in the same subnet
>and the same dns zone.
>
>
>So that is the first question....can we create a domain trust between these two systems
>without placing one or the other in a different address subnet or changing the domain name ?
No.

An AD forest by design owns the DNS domain of its forest root domain.

I'd put it in an example.com case:

OK:  AD as example.com, IPA as ipa.example.com subdomain
OK:  AD as ad.example.com subdomain, IPA as example.com
OK:  AD as example.com, IPA as example.org

Anything else would mean tripping over authority of one or another
forest root domain and thus will not work.

>I have tried changing the realm name for the linux server from lab.us.com for example to
>ipa.lab.us.com and then leaving the AD server in lab.us.com.   That gets us a bit further
>but then we run into problems with what I believe is the kerberos configuration.
Right, this should work as long as the ipa.lab.us.com DNS domain has proper SRV
records for IPA, as well as lab.us.com having proper SRV records for the AD
forest root domain.

>I have tried to deinstall and reinstall the ipa server but the installation is now failing.
>
>
>The ipa-server-install is failing with the following:
>
>  [37/38]: tuning directory server
>  [38/38]: configuring directory to start on boot
>Done configuring directory server (dirsrv).
>Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>  [1/22]: creating certificate server user
>  [2/22]: configuring certificate server instance
>ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
>Configuration of CA failed
>
>This happens each time I try to uninstall and reinstall the ipa server on RHEL V7.
>
>
>Looking at the latest log in /var/log/pki, I see this at the end of the log:
>
>2014-10-01 11:53:10 pkispawn    : INFO     BEGIN spawning subsystem 'CA' of instance 'pki-tomcat' . . .
>2014-10-01 11:53:10 pkispawn    : INFO     ... initializing 'pki.deployment.initialization'
>2014-10-01 11:53:10 pkispawn    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
>2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Type: SystemExit
>2014-10-01 11:53:10 pkispawn    : DEBUG    ....... Error Message: 1
>2014-10-01 11:53:10 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 374, in main
>    rv = instance.spawn()
>  File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 56, in spawn
>    util.instance.verify_subsystem_does_not_exist()
>  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 990, in verify_subsystem_does_not_exist
>    sys.exit(1)
>
>I am no python expert by any means and I'm not sure what this is telling us so any help
>would be greatly appreciated.
This issue is known -- when the CA install fails, we roll back, but since the CA
isn't installed, we miss rolling it back. There is a ticket for
eventually fixing this issue.

The following sequence should clean up all the bits:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

It also helps to reboot between multiple reinstalls on a single machine.

-- 
/ Alexander Bokovoy
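The two DNS conditions discussed in this thread (the IPA zone must not be the same zone as the AD forest root, and each side needs its SRV records) can be checked before running the trust setup. The script below is an added example, not code from this thread or from FreeIPA/IdM itself. It assumes label-wise, case-insensitive domain comparison, a representative (not exhaustive) subset of the SRV names IPA and AD domain controllers publish, and a constructed SAMPLE_ZONE standing in for real DNS answers.

```python
"""DNS layout sanity checks for an IPA <-> AD trust.

Added example, not code from this thread or from FreeIPA/IdM itself.
Assumptions: the AD forest root DNS domain and the IPA DNS domain are
compared label by label (case-insensitive, trailing dot ignored); the
SRV owner names below are the standard ones IPA and AD domain
controllers publish (a representative subset, not an exhaustive list);
SAMPLE_ZONE is constructed data for the demo, not a real zone.
"""

# SRV record prefixes an IPA server publishes under its DNS domain.
IPA_SRV = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kpasswd._tcp", "_kpasswd._udp", "_kerberos-master._tcp",
)
# SRV record prefixes an AD forest root domain must answer for.
AD_SRV = (
    "_ldap._tcp", "_kerberos._tcp", "_gc._tcp",
    "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
)


def labels(domain):
    """'IPA.Lab.US.com.' -> ['ipa', 'lab', 'us', 'com']."""
    parts = [p for p in domain.strip().lower().rstrip(".").split(".") if p]
    if not parts:
        raise ValueError("empty DNS domain")
    return parts


def classify_layout(ad_domain, ipa_domain):
    """Relationship between the AD forest root zone and the IPA zone:
    'same', 'ipa-under-ad', 'ad-under-ipa' or 'disjoint'.  Suffix matching
    is done on labels, so example.com vs notexample.com is 'disjoint'."""
    ad, ipa = labels(ad_domain), labels(ipa_domain)
    if ad == ipa:
        return "same"
    if len(ipa) > len(ad) and ipa[-len(ad):] == ad:
        return "ipa-under-ad"
    if len(ad) > len(ipa) and ad[-len(ipa):] == ipa:
        return "ad-under-ipa"
    return "disjoint"


def trust_layout_ok(ad_domain, ipa_domain):
    """True unless both sides claim the same DNS zone, which AD owns."""
    return classify_layout(ad_domain, ipa_domain) != "same"


def expected_srv_names(domain, prefixes):
    """Fully qualified SRV owner names for a zone."""
    zone = ".".join(labels(domain))
    return [f"{p}.{zone}" for p in prefixes]


def missing_srv(zone_records, domain, prefixes):
    """Owner names from expected_srv_names() that have no SRV data in
    zone_records (a dict owner -> list of (prio, weight, port, target))."""
    have = {name.lower().rstrip("."): rrs
            for name, rrs in zone_records.items() if rrs}
    return [n for n in expected_srv_names(domain, prefixes) if n not in have]


# Constructed sample: IPA moved to ipa.lab.us.com, AD stays in lab.us.com.
# One IPA record is deliberately left out to show the check firing.
SAMPLE_ZONE = {
    "_ldap._tcp.ipa.lab.us.com": [(0, 100, 389, "idm1.ipa.lab.us.com.")],
    "_kerberos._tcp.ipa.lab.us.com": [(0, 100, 88, "idm1.ipa.lab.us.com.")],
    "_kerberos._udp.ipa.lab.us.com": [(0, 100, 88, "idm1.ipa.lab.us.com.")],
    "_kpasswd._tcp.ipa.lab.us.com": [(0, 100, 464, "idm1.ipa.lab.us.com.")],
    "_kpasswd._udp.ipa.lab.us.com": [(0, 100, 464, "idm1.ipa.lab.us.com.")],
    "_ldap._tcp.lab.us.com": [(0, 100, 389, "dc1.lab.us.com.")],
    "_kerberos._tcp.lab.us.com": [(0, 100, 88, "dc1.lab.us.com.")],
    "_gc._tcp.lab.us.com": [(0, 100, 3268, "dc1.lab.us.com.")],
    "_ldap._tcp.dc._msdcs.lab.us.com": [(0, 100, 389, "dc1.lab.us.com.")],
    "_kerberos._tcp.dc._msdcs.lab.us.com": [(0, 100, 88, "dc1.lab.us.com.")],
}


def report(ad_domain, ipa_domain, zone_records=SAMPLE_ZONE):
    """Combine both checks into one dict a script can print or assert on."""
    return {
        "layout": classify_layout(ad_domain, ipa_domain),
        "layout_ok": trust_layout_ok(ad_domain, ipa_domain),
        "ipa_missing": missing_srv(zone_records, ipa_domain, IPA_SRV),
        "ad_missing": missing_srv(zone_records, ad_domain, AD_SRV),
    }


if __name__ == "__main__":
    for ad, ipa in [("lab.us.com", "lab.us.com"), ("lab.us.com", "ipa.lab.us.com")]:
        print(ad, ipa, report(ad, ipa))
```

Run against the constructed zone, the first pair (both in lab.us.com) is rejected as "same", which is the situation the original poster started from; the second pair is accepted as "ipa-under-ad" and the SRV check reports only the one IPA record that was left out of SAMPLE_ZONE. To use it against real DNS, replace SAMPLE_ZONE with the answers from dig or a resolver library for the same owner names.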
