[Freeipa-users] Replica install fails at client install

Janelle janellenicole80 at gmail.com
Thu Mar 19 13:52:38 UTC 2015


On 3/18/15 10:10 PM, Kim Perrin wrote:
> This is about the 6th time I've tried installing this replica. Each time
> I run the ipa-replica-manage del and ipa-csreplica-manage del command
> before trying. I also build new replica install files each time.
> Obviously I can't figure out what the problem is. I've tried a variety
> of things. I'm hoping someone in this community has seen this before
> and solved the issue.
> At the end of the install I see the client install failure messages,
> though it appeared as though the server install went well. However it
> is clear it has not gone well because when I run 'service ipa status'
> I get this
>
> root@noc5-prd:/var/log# service ipa status
> Directory Service: RUNNING
> Unknown error when retrieving list of services from LDAP: {'info':
> 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication
> method'}
>
>
> I've attached the ipareplica-install.log file.  Here are some relevant
> entries from the end of the log -
>
> 2015-03-19T04:33:02Z DEBUG args=/usr/sbin/ipa-client-install
> --on-master --unattended --domain companyz.com --server
> noc5-prd.companyz.com --realm COMPANYZ.COM
> 2015-03-19T04:33:02Z DEBUG stdout=
> 2015-03-19T04:33:02Z DEBUG stderr=Hostname: noc5prd.companyz.com
> Realm: COMPANYZ.COM
> DNS Domain: companyz.com
> IPA Server: noc5-prd.companyz.com
> BaseDN: dc=companyz,dc=com
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://noc5-prd.companyz.com/ipa/xml
> trying https://noc1-prd.companyz.com/ipa/xml
> Connection to https://noc1-prd.companyz.com/ipa/xml failed with [Errno
> -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in
> use.
> Cannot connect to the server due to generic error: cannot connect to
> Gettext('any of the configured servers', domain='ipa',
> localedir=None): https://noc5-prd.companyz.com/ipa/xml,
> https://noc1-prd.companyz.com/ipa/xml
> Installation failed. Rolling back changes.
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> 2015-03-19T04:33:02Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
>      return_value = main_function()
>    File "/usr/sbin/ipa-replica-install", line 536, in main
>      raise RuntimeError("Failed to configure the client")
> 2015-03-19T04:33:02Z INFO The ipa-replica-install command failed,
> exception: RuntimeError: Failed to configure the client
>
> Anyone have any advice?
>
>
There are 2 possibilities here. One is you have the old python package 
scripts which have a bug in these files:

/usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py
/usr/lib/python2.7/site-packages/ipaplatform/services.py

They most likely have "fedora-domain" in them and it needs to be changed 
to "rhel-domain".  The other option is to re-install the OS and freeipa 
environment, which gets you to clean packages.  Deleting and 
re-installing all the python packages is painful at best.

The other possibility is stale certs:

certutil -d /etc/pki/nssdb -L

You will probably see a stale cert. Remove it.

certutil -d /etc/pki/nssdb -D -n "IPA CA"

I have run into both of these issues about 1 million times so far.

~J
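
Added example (not part of the original message, and not FreeIPA project code): a read-only check for the two causes named in the reply above, to run before retrying ipa-replica-install. The file paths, the "IPA CA" nickname and the "fedora-domain" string come from the message; the function names and the NSSDB, SERVICES_FILES and RUN_PREFLIGHT variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Nothing here modifies the system.
NSSDB="${NSSDB:-/etc/pki/nssdb}"
SERVICES_FILES="${SERVICES_FILES:-/usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py
/usr/lib/python2.7/site-packages/ipaplatform/services.py}"

# Reads `certutil -L` output on stdin; succeeds if a certificate with exactly
# the nickname $1 is listed. A listing line looks like (constructed sample):
#   IPA CA                                    CT,C,C
# so the last field is the trust flags and everything before it is the nickname.
has_nickname() {
    awk -v want="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust-flags column
            if (nick == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Prints every readable file among the arguments that still contains
# "fedora-domain"; succeeds if at least one does.
files_with_fedora_domain() {
    rc=1
    for f in "$@"; do
        if [ -r "$f" ] && grep -q 'fedora-domain' "$f"; then
            printf '%s\n' "$f"
            rc=0
        fi
    done
    return $rc
}

# Runs both checks against this host; returns non-zero if either one fires.
preflight() {
    status=0
    # SERVICES_FILES is deliberately unquoted so it splits into separate paths.
    if files_with_fedora_domain $SERVICES_FILES; then
        echo 'file(s) listed above still contain "fedora-domain"' >&2
        status=1
    fi
    if command -v certutil >/dev/null 2>&1 &&
       certutil -d "$NSSDB" -L 2>/dev/null | has_nickname "IPA CA"; then
        echo "\"IPA CA\" is already in $NSSDB; check whether it is a stale cert" >&2
        status=1
    fi
    return $status
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

An "IPA CA" entry is expected on a host that is already enrolled, so a hit only matters on a machine that should be clean before the install.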