[Freeipa-users] ipa-replica-install fails because dirsrv failed to start

Ludwig Krispenz lkrispen@redhat.com
Thu Oct 27 09:06:13 UTC 2016


On 10/27/2016 10:48 AM, Jochen Demmer wrote:
>
> On 27.10.2016 at 10:21, Martin Basti wrote:
>>
>> On 27.10.2016 10:02, Jochen Demmer wrote:
>>>
>>> On 26.10.2016 at 17:31, Martin Basti wrote:
>>>>
>>>> On 26.10.2016 17:25, Jochen Demmer wrote:
>>>>>
>>>>> On 26.10.2016 at 16:48, Martin Basti wrote:
>>>>>>
>>>>>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>>>>>
>>>>>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> my answers also inline.
>>>>>>>>>
>>>>>>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> Hi, comments inline
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I've been running and using a single FreeIPA server 
>>>>>>>>>>> successfully, i.e.:
>>>>>>>>>>> Fedora 24
>>>>>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>>>> This server is only available via IPv6, because I can't get 
>>>>>>>>>>> public IPv4 addresses any more.
>>>>>>>>>>>
>>>>>>>>>>> Now I want to setup a FreeIPA replica at another site also 
>>>>>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>>>> First I run "ipa-client-install" which succeeds without an 
>>>>>>>>>>> error.
>>>>>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>>>>>> ipa         : ERROR    Could not resolve hostname 
>>>>>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function 
>>>>>>>>>>> properly. Please check your DNS setup. (Note that this check 
>>>>>>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>>>>>> LOG:
>>>>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server 
>>>>>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', 
>>>>>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>>>>>
>>>>>>>>>> Can you check with dig or host command if the hostname is 
>>>>>>>>>> really resolvable on that machine? do you have proper 
>>>>>>>>>> resolver in /etc/resolv.conf?
>>>>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host 
>>>>>>>>> hostname.mydoma.in" I get the right IPv6 back.
>>>>>>>> That is weird because IPA is doing basically the same.
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old 
>>>>>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6 
>>>>>>>>>>> address of course.
>>>>>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>>>>>
>>>>>>>>>>> I then get asked:
>>>>>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>>>>>
>>>>>>>>>>> When I enter the IPv6 address of the new replica host it 
>>>>>>>>>>> doesn't accept it but asks this question again indefinitely.
>>>>>>>>>>
>>>>>>>>>> Have you pressed enter twice? It should end prompt and 
>>>>>>>>>> continue with installation
>>>>>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 
>>>>>>>>> cannot use IP network address 2a02:1:2:3::4 
>>>>>>>>
>>>>>>>> How have you configured the IP address on your interface? Does 
>>>>>>>> it have a /128 prefix?
>>>>>>> Yes, that's right. It's an IP being assigned statefully by a 
>>>>>>> DHCPv6 server.
>>>>>>> There is also another dynamic IP within the same prefix having 
>>>>>>> /64. I don't want to use this one of course, because its IID 
>>>>>>> changes.
>>>>>>>
>>>>>> Could you (temporarily) set the prefix for that address to /64 and 
>>>>>> re-run the installer? IPA 4.3 has a check that prevents you from 
>>>>>> using a /128 prefix.
>>>>> Well now I don't even get asked for the IP. The setup wizard 
>>>>> continues, but I now get this error:
>>>>>
>>>>>   [27/43]: restarting directory server
>>>>> ipa         : CRITICAL Failed to restart the directory server 
>>>>> (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned 
>>>>> non-zero exit status 1). See the installation log for details.
>>>>>   [28/43]: setting up initial replication
>>>>>   [error] error: [Errno 111] Connection refused
>>>>>
>>>>> LOG:
>>>>> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1
>>>>> 2016-10-26T15:14:46Z DEBUG stdout=
>>>>> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service 
>>>>> failed because the control process exited with error code. See 
>>>>> "systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" 
>>>>> for details.
>>>>> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory 
>>>>> server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' 
>>>>> returned non-zero exit status 1). See the installation log for 
>>>>> details.
>>>>> 2016-10-26T15:14:46Z DEBUG   duration: 1 seconds
>>>>> 2016-10-26T15:14:46Z DEBUG   [28/43]: setting up initial replication
>>>>> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):
>>>>>
>>>>> When I try to restart manually with "/bin/systemctl restart 
>>>>> dirsrv@MY-REALM.service",
>>>>> this is what systemd logs:
>>>>> https://paste.fedoraproject.org/461439/raw/
>>>>>
>>>>>
>>>>
>>>> Could you please check /var/log/dirsrv/slapd-*/errors? There might 
>>>> be more details.
>>>>
>>>> Did you reuse an old IPA server for this installation?
>>>>
>>>> Martin
>>> This is what the logfile says:
>>> https://paste.fedoraproject.org/461685/raw/
>>>
>>> I tried to install this server as a replica a couple of times, but I 
>>> even reinstalled all of the software, and I keep using
>>> ipa-client-install --uninstall and
>>> ipa-server-install --uninstall
>>
>> It looks like the DS database is somehow corrupted; it's possible that 
>> there are some leftovers from previous installations.
>>
>> start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
>>
>> I'm not sure what that error means, maybe DS guys will know
>>
>> Can you run the server uninstall twice? It should remove all leftovers. 
>> Then check /var/lib/dirsrv/ for any slapd-* directories; 
>> if there are any, please remove them.
>>
>> Martin
> I uninstalled freeipa-*, deleted /etc/dirsrv and /var/lib/dirsrv, 
> rebooted, reinstalled and ran into the exact same problem.
You get the failure because the certificate database cannot be read:

[26/Oct/2016:17:17:58.018611176 +0200] Can't find certificate Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.104832444 +0200] Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.112911216 +0200] Error: unable to initialize attrcrypt system for userRoot
[26/Oct/2016:17:17:58.116560926 +0200] start: Failed to start databases, err=-1 BDB0092 Unknown error: -1

Martin,
shouldn't the ipa install create this, or can there be some leftovers?


>>>>>>>>>>>
>>>>>>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>>>>>>> The old FreeIPA host has a hostname whose forward and reverse records are in sync.
>>>>>>>>>>> The new FreeIPA host likewise has a hostname that resolves 
>>>>>>>>>>> symmetrically, even though the hostname is under a different 
>>>>>>>>>>> second-level domain.
>>>>>>>>>>>
>>>>>>>>>>> Any hints?
>>>>>>>>>>> Jochen Demmer
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Martin
>>>>>>>>> Jochen

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
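The thread hits two separate failure modes: the IPA 4.3 installer rejecting an IPv6 address configured with a /128 prefix, and dirsrv failing to start because attribute encryption (attrcrypt) cannot load the private key of Server-Cert from the instance NSS database (NSS error -8174 is SEC_ERROR_BAD_DATABASE). The script below is an added triage example written for this page; it is not FreeIPA or 389-ds code and was not posted by anyone in the thread. The instance name MY-REALM, the interface eth0, the addresses and the `ip` output are constructed for illustration; the dirsrv log lines are the ones quoted above.

```shell
#!/bin/sh
# Added triage helpers for the two failures in this thread. Example code for
# this page, not part of FreeIPA or 389-ds. The instance name (MY-REALM), the
# interface (eth0), the addresses and the `ip` output are constructed; the
# dirsrv log lines are copied from the message above.

# Failure 1: the IPA 4.3 installer refuses an IPv6 address that carries a
# /128 prefix ("cannot use IP network address ..."). Given the text of
# `ip -6 -o addr show scope global` (one address per line), print every
# address whose prefix length is 128.
find_host_only_v6() {
    printf '%s\n' "$1" | awk '$3 == "inet6" { split($4, a, "/"); if (a[2] == 128) print a[1] }'
}

# Failure 2: dirsrv cannot start because attrcrypt cannot fetch the private
# key of Server-Cert; -8174 from the NSS security library means "bad
# database". Given the contents of /var/log/dirsrv/slapd-<INSTANCE>/errors,
# print a short verdict.
classify_dirsrv_errors() {
    if printf '%s\n' "$1" | grep -qF 'attrcrypt_fetch_private_key: -8174'; then
        echo nss-bad-database
    elif printf '%s\n' "$1" | grep -qF 'Failed to start databases'; then
        echo db-start-failure
    else
        echo unknown
    fi
}

# For the NSS case, ask the instance database directly whether Server-Cert is
# there. Needs certutil (nss-tools) and the instance directory; returns 2
# when the check cannot run, 0 when the cert is found, 1 when it is not.
probe_server_cert() {
    dbdir="$1"
    command -v certutil >/dev/null 2>&1 || return 2
    [ -d "$dbdir" ] || return 2
    certutil -L -d "$dbdir" -n Server-Cert >/dev/null 2>&1
}

# Constructed sample of `ip -6 -o addr show dev eth0 scope global`: a static
# DHCPv6 lease with /128 next to a SLAAC address with /64.
IP_SAMPLE='2: eth0    inet6 2a02:1:2:3::4/128 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 2a02:1:2:3:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86390sec preferred_lft 14390sec'

# Log lines quoted from the thread.
ERR_SAMPLE=$(cat <<'EOF'
[26/Oct/2016:17:17:58.018611176 +0200] Can't find certificate Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.112911216 +0200] Error: unable to initialize attrcrypt system for userRoot
[26/Oct/2016:17:17:58.116560926 +0200] start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
EOF
)

echo "addresses the installer will reject as /128:"
find_host_only_v6 "$IP_SAMPLE"
echo "dirsrv errors log verdict: $(classify_dirsrv_errors "$ERR_SAMPLE")"

# Assumed instance directory for realm MY-REALM; the probe is skipped where
# certutil or the directory is absent.
rc=0
probe_server_cert /etc/dirsrv/slapd-MY-REALM || rc=$?
case $rc in
    0) echo "Server-Cert present in /etc/dirsrv/slapd-MY-REALM" ;;
    2) echo "certutil or instance directory not available; NSS probe skipped" ;;
    *) echo "Server-Cert missing from /etc/dirsrv/slapd-MY-REALM" ;;
esac
```

On a real host, feed `find_host_only_v6 "$(ip -6 -o addr show scope global)"` and `classify_dirsrv_errors "$(cat /var/log/dirsrv/slapd-MY-REALM/errors)"`. A `nss-bad-database` verdict together with a failing `probe_server_cert` points at the instance's NSS database rather than at the BDB backend, which is what the `BDB0092` line on its own would suggest.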
