[Freeipa-users] Replica install fails at client install

Rob Crittenden rcritten at redhat.com
Thu Mar 19 14:26:07 UTC 2015


Janelle wrote:
> On 3/18/15 10:10 PM, Kim Perrin wrote:
>> This is about the 6th time I've tried installing this replica. Each time
>> I run the ipa-replica-manage del and ipa-csreplica-manage del command
>> before trying. I also build new replica install files each time.
>> Obviously I can't figure out what the problem is. I've tried a variety
>> of things. I'm hoping someone in this community has seen this before
>> and solved the issue.
>> At the end of the install I see the client install failure messages,
>> though it appeared as though the server install went well. However it
>> is clear it has not gone well because when I run 'service ipa status'
>> I get this
>>
>> root at noc5-prd:/var/log# service ipa status
>> Directory Service: RUNNING
>> Unknown error when retrieving list of services from LDAP: {'info':
>> 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication
>> method'}
>>
>>
>> I've attached the ipareplica-install.log file.  Here are some relevant
>> entries from the end of the log -
>>
>> 2015-03-19T04:33:02Z DEBUG args=/usr/sbin/ipa-client-install
>> --on-master --unattended --domain companyz.com --server
>> noc5-prd.companyz.com --realm COMPANYZ.COM
>> 2015-03-19T04:33:02Z DEBUG stdout=
>> 2015-03-19T04:33:02Z DEBUG stderr=Hostname: noc5prd.companyz.com
>> Realm: COMPANYZ.COM
>> DNS Domain: companyz.com
>> IPA Server: noc5-prd.companyz.com
>> BaseDN: dc=companyz,dc=com
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> trying https://noc5-prd.companyz.com/ipa/xml
>> trying https://noc1-prd.companyz.com/ipa/xml
>> Connection to https://noc1-prd.companyz.com/ipa/xml failed with [Errno
>> -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in
>> use.
>> Cannot connect to the server due to generic error: cannot connect to
>> Gettext('any of the configured servers', domain='ipa',
>> localedir=None): https://noc5-prd.companyz.com/ipa/xml,
>> https://noc1-prd.companyz.com/ipa/xml
>> Installation failed. Rolling back changes.
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>> 2015-03-19T04:33:02Z INFO   File
>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>> line 614, in run_script
>>     return_value = main_function()
>>   File "/usr/sbin/ipa-replica-install", line 536, in main
>>     raise RuntimeError("Failed to configure the client")
>> 2015-03-19T04:33:02Z INFO The ipa-replica-install command failed,
>> exception: RuntimeError: Failed to configure the client
>>
>> Anyone have any advice?
>>
>>

I think the issue is related to this:

trying https://noc5-prd.companyz.com/ipa/xml
trying https://noc1-prd.companyz.com/ipa/xml

It would seem that the client NSS database isn't being properly shut down
between connection attempts.

Is noc5 operational? If not then removing it from the SRV records would
probably be the fastest way to work around this.

What version of IPA is this?

> There are 2 possibilities here. One is you have the old python package
> scripts which have a bug in these files:
> 
> /usr/lib/python2.7/site-packages/ipaplatform/fedora/services.py
> /usr/lib/python2.7/site-packages/ipaplatform/services.py
> 
> They most likely have "fedora-domain" in them and it needs to be changed
> to "rhel-domain".  The other option is to re-install the OS and freeipa
> environment, which gets you to clean packages.  Deleting and
> re-installing all the python packages is painful at best.

I think that was only a problem when trying to install 4.x in RHEL using
the upstream COPR repositories.

> 
> The other possibility is stale certs:
> 
> certutil -d /etc/pki/nssdb -L
> 
> You will probably see a stale cert. Remove it.
> 
> certutil -d /etc/pki/nssdb -D -n "IPA CA"
> 
> I have run into both of these issues about 1 million times so far.

On a replica install it is always adding the same cert which shouldn't
be a problem:

# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
# certutil -A -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt -d /etc/pki/nssdb/
# echo $?
0

rob
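As an added example (not from the thread, and not FreeIPA's own code), a small Python check for the stale-cert case Janelle describes: it exports the "IPA CA" nickname from the client NSS database with certutil and compares its SHA-256 fingerprint with /etc/ipa/ca.crt, so a stale copy can be told apart from the one the replica install adds. The certutil invocation is the standard `certutil -L -n NICK -a` export; the sample PEM bodies are constructed and are not real certificates.

```python
import base64
import hashlib
import re
import subprocess

# Constructed sample PEM blobs (not real certificates): only the base64 body
# is decoded and hashed, which is all the fingerprint comparison needs.
SAMPLE_CA_A = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
SAMPLE_CA_B = "-----BEGIN CERTIFICATE-----\nAQID\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM blob."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def nssdb_ca_is_stale(nssdb_pem, ipa_ca_pem):
    """True if the NSS db copy of the CA matches nothing in /etc/ipa/ca.crt.

    nssdb_pem:  output of `certutil -d /etc/pki/nssdb -L -n 'IPA CA' -a`
    ipa_ca_pem: contents of /etc/ipa/ca.crt (may hold a chain)
    An NSS db with no 'IPA CA' entry is treated as empty, not stale.
    """
    db_fps = set(pem_fingerprints(nssdb_pem))
    file_fps = set(pem_fingerprints(ipa_ca_pem))
    if not db_fps:
        return False
    return not (db_fps & file_fps)


def check_client_nssdb(nssdb="/etc/pki/nssdb", ca_file="/etc/ipa/ca.crt",
                       nickname="IPA CA"):
    """Run certutil on the live NSS db; None if the nickname or tool is absent."""
    try:
        out = subprocess.run(["certutil", "-d", nssdb, "-L", "-n", nickname, "-a"],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    if out.returncode != 0:
        return None
    with open(ca_file) as f:
        return nssdb_ca_is_stale(out.stdout, f.read())


if __name__ == "__main__":
    state = {None: "not present", True: "STALE", False: "current"}
    print("IPA CA in NSS db: " + state[check_client_nssdb()])
```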
