[Freeipa-users] ipa-client-install failing on new ipa-server

Dmitri Pal dpal at redhat.com
Wed Mar 25 03:11:49 UTC 2015


On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> While running ipa-server-install, it's failing out at the end with an 
> error regarding the client install on the server. This happens 
> regardless of how I input the options, but here's the latest command:
>
> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM 
> -n example.com -p passwd1 -a passwd2 
> --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 
> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>
> Runs through the entire setup and gives me this:
>
> [...]
> ipa         : DEBUG  args=/usr/sbin/ipa-client-install --on-master 
> --unattended --domain example.com --server 
> ldap-server-01.example.com --realm EXAMPLE.COM 
> --hostname ldap-server-01.example.com
> ipa         : DEBUG    stdout=
>
> ipa         : DEBUG    stderr=Hostname: ldap-server-01.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ldap-server-01.example.com
> BaseDN: dc=example,dc=com
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 2363, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2135, in install
>     delete_persistent_client_session_data(host_principal)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in 
> delete_persistent_client_session_data
>     kernel_keyring.del_key(keyname)
>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", 
> line 99, in del_key
>     real_key = get_real_key(key)
>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", 
> line 45, in get_real_key
>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, 
> key], raiseonerr=False)

Is keyctl installed? Can you run it manually?
Any SELinux denials?

>   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 
> 295, in run
>     close_fds=True, env=env, cwd=cwd)
>   File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
>     errread, errwrite)
>   File "/usr/lib64/python2.6/subprocess.py", line 1234, in _execute_child
>     raise child_exception
> OSError: [Errno 8] Exec format error
>
> ipa         : INFO       File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", 
> line 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1103, in main
>     sys.exit("Configuration of client side components 
> failed!\nipa-client-install returned: " + str(e))
>
> ipa         : INFO     The ipa-server-install command failed, 
> exception: SystemExit: Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install 
> --on-master --unattended --domain example.com 
> --server ldap-server-01.example.com --realm EXAMPLE.COM 
> --hostname ldap-server-01.advdc.com' returned non-zero exit status 1
>
>
> Same details (without the debug messages, of course) in 
> /var/log/ipaserver-install.log. From ipaclient-install.log:
> [...]
> 2015-03-24T23:15:26Z DEBUG Backing up system configuration file 
> '/etc/sssd/sssd.conf'
> 2015-03-24T23:15:26Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' 
> doesn't exist
> 2015-03-24T23:15:26Z INFO New SSSD config will be created
> 2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
> 2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb 
> -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> 2015-03-24T23:15:26Z DEBUG stdout=
> 2015-03-24T23:15:26Z DEBUG stderr=
> 2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab 
> host/ldap-server-01.example.com@EXAMPLE.COM
> 2015-03-24T23:15:26Z DEBUG stdout=
> 2015-03-24T23:15:26Z DEBUG stderr=
>
> I'm running on CENTOS 6.5, freeipa 3.0.0.37
>
> #> ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> I noticed that there's no host certificate for the server when I look 
> at the host details in the web interface.
>
> thx
> anthony
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
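
The checks asked for in the reply above, as an added example that is not part of the original thread: it inspects the first bytes of the `keyctl` found on PATH to explain an `[Errno 8] Exec format error`, runs the binary by hand, and looks for recent SELinux denials. The function names `classify_format` and `check_keyctl` are hypothetical, and the SELinux step assumes `ausearch` from the audit package is installed.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose ENOEXEC (Errno 8,
# "Exec format error") raised when the installer executes keyctl.

# classify_format FILE: report what the kernel finds at the start of FILE.
# execve() returns ENOEXEC for an empty file or one with no known header.
classify_format() {
    f=$1
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    if [ ! -s "$f" ]; then echo empty; return 0; fi
    # First four bytes as hex: ELF is 7f 45 4c 46, a script starts 23 21 ("#!").
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;             # still ENOEXEC if built for another arch
        2321*)    echo script ;;
        *)        echo unknown-format ;;  # no loader matches
    esac
    return 0
}

# check_keyctl: the three questions from the reply, against keyctl on PATH.
check_keyctl() {
    path=$(command -v keyctl 2>/dev/null) || path=""
    if [ -z "$path" ]; then echo "keyctl: not found on PATH"; return 0; fi
    echo "keyctl: $path looks like: $(classify_format "$path")"
    # Run it manually; a non-zero exit here reproduces the problem outside IPA.
    keyctl show >/dev/null 2>&1 && echo "keyctl runs" || echo "keyctl failed, rc=$?"
    # Recent SELinux AVC denials logged for the keyctl command.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent -c keyctl 2>/dev/null \
            || echo "no recent AVC found (or audit log not readable)"
    fi
    return 0
}

check_keyctl
```

A result of `empty` or `unknown-format` points at a damaged or replaced binary; for `elf`, compare the output of `file` on that path with the machine architecture.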
