[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
Robert L. Harris
robert.l.harris at gmail.com
Tue May 16 15:16:54 UTC 2017
Last night I rolled back my snapshot. Here's what I have after the yum install
"minimal" install of Centos7 + basic build.
{0}:/var/log>cat /etc/*elease
CentOS Linux release 7.3.1611 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.3.1611 (Core)
{0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
perl-HTTP-Tiny-0.033-3.el7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
pam_krb5-2.4.8-6.el7.x86_64
sssd-krb5-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
krb5-libs-1.14.1-27.el7_3.x86_64
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
krb5-workstation-1.14.1-27.el7_3.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
Tried to pull an exact client. The "yum install ipa-server" went fine:
{0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
"ipa-server-install" ran clean but has been stuck for 2 days:
Restarting the directory server
Restarting the KDC
Please add records in this file to your DNS system:
/tmp/ipa.system.records.qLsLyx.db
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.rdlg.net
Realm: RDLG.NET
DNS Domain: rdlg.net
IPA Server: ipa.rdlg.net
BaseDN: dc=rdlg,dc=net
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa.rdlg.net/ipa/json
Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
Checking the /var/log/httpd/error.log has 2 days of just this:
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
Robert
On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com> wrote:
> Robert L. Harris wrote:
> >
> > Hmmm
> >
> > {0}:/var/log>ls
> > anaconda btmp dmesg grubby maillog ppp secure
> > tallylog wtmp
> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler
> > tuned yum.log
> > boot.log cups firewalld lastlog ntpstats samba sssd
> > vmware-vmsvc.log
> >
> >
> > root at ipa
> > {1}:/var/log>rpm -q -l http
> > package http is not installed
> >
> > root at ipa
> > {1}:/var/log>rpm -q -a | grep -i http
> > perl-HTTP-Tiny-0.033-3.el7.noarch
> >
> > root at ipa
> > {0}:/var/log>rpm -q -a | grep -i tomcat
> >
> >
> > Doesn't look like an httpd was installed as a dependency?
>
> I find this very hard to believe given that it got so far as to configure
> things in Apache, restart it, etc. What version of [free]ipa-server is
> installed? How did you install it and from what repo?
>
> rob
>
> >
> >
> >
> >
> >
> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
> >
> > That's weird, it should be super fast, anything in
> > /var/log/httpd/error_log?
> >
> >
> > On 11.05.2017 22:23, Robert L. Harris wrote:
> >>
> >> Odd, must have clicked reply instead of reply-all.
> >>
> >> Anyway, I did the revert and re-install. Actual install went
> >> through fine then the "ipa-server-install" ran until this:
> >>
> >> [8/9]: restoring configuration
> >> [9/9]: starting directory server
> >> Done.
> >> Restarting the directory server
> >> Restarting the KDC
> >> Please add records in this file to your DNS system:
> >> /tmp/ipa.system.records.v5Jwrt.db
> >> Restarting the web server
> >> Configuring client side components
> >> Using existing certificate '/etc/ipa/ca.crt'.
> >> Client hostname: ipa.rdlg.net
> >> Realm: RDLG.NET
> >> DNS Domain: rdlg.net
> >> IPA Server: ipa.rdlg.net
> >> BaseDN: dc=rdlg,dc=net
> >>
> >> Skipping synchronizing time with NTP server.
> >> New SSSD config will be created
> >> Configured sudoers in /etc/nsswitch.conf
> >> Configured /etc/sssd/sssd.conf
> >> trying https://ipa.rdlg.net/ipa/json
> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
> >>
> >>
> >> It's been sitting there for a while (4 hours?). I don't see
> >> anything in the ipaserver-install.log, but it's here:
> >> https://pastebin.com/biK1Dmv7
> >>
> >>
> >>
> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
> >>
> >> Please keep freeipa-users in CC
> >>
> >> Snapshot is always better, so I suggest to use it. Otherwise
> >> there is an option --ignore-last-of-role to unblock
> >> uninstallation.
> >>
> >> Martin
> >>
> >>
> >> On 11.05.2017 16:00, Robert L. Harris wrote:
> >>>
> >>> Looks like you hit it, apache didn't have a group:
> >>>
> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
> >>>
> >>> Thanks, didn't know that command. I tried to continue the
> >>> process:
> >>>
> >>> {0}:/root>ipa-server-install
> >>>
> >>> The log file for this installation can be found in /var/log/ipaserver-install.log
> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
> >>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
> >>>
> >>> root at ipa
> >>> {1}:/root>ipa-server-install --uninstall
> >>>
> >>> This is a NON REVERSIBLE operation and will delete all data and configuration!
> >>>
> >>> Are you sure you want to continue with the uninstall procedure? [no]: yes
> >>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
> >>>
> >>>
> >>>
> >>> This is a VM and I took a snapshot right before I started the
> >>> install, so I can revert, just make sure to add the apache
> >>> user before starting the install. Or if you have a better
> >>> command to continue the clean-up/install.....
> >>>
> >>>
> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mbasti at redhat.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> comments inline
> >>>
> >>>
> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
> >>>>
> >>>> Sigh... Sorry, it's been a long day, I thought I put
> >>>> that log in the first pastebin. It's in this one:
> >>>> https://pastebin.com/18PAXXNS
> >>>
> >>> Could you please provide journalctl -u httpd and
> >>> /var/log/httpd/error_log ?
> >>>
> >>>
> >>>
> >>>>
> >>>> Also,
> >>>> Anyone else get the constant spam when mailing this
> >>>> list? Got an address to block for it?
> >>>
> >>> Sorry for that, there is a bot mining public archives. We
> >>> plan to resolve this issue but it may take time as we are
> >>> not maintaining our mailman.
> >>>
> >>> Martin
> >>>
> >>>
> >>>>
> >>>> Robert
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <datakid at gmail.com> wrote:
> >>>>
> >>>> Robert, did you look in
> >>>> /var/log/ipaserver-install.log as it says?
> >>>>
> >>>> Was there any other information?
> >>>>
> >>>> cheers
> >>>> L.
> >>>>
> >>>> ------
> >>>> "Mission Statement: To provide hope and inspiration
> >>>> for collective action, to build collective power, to
> >>>> achieve collective transformation, rooted in grief
> >>>> and rage but pointed towards vision and dreams."
> >>>>
> >>>> - Patrice Cullors, /Black Lives Matter founder/
> >>>>
> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.harris at gmail.com> wrote:
> >>>>
> >>>> Ok, I gave up on Ubuntu. I'm now trying the
> >>>> latest CentOS7. I built out a "minimal server"
> >>>> with some normal base packages which did include
> >>>> the freeipa-client but otherwise, just standard
> >>>> tools. Here's a pastebin of the output of the
> >>>> install: https://pastebin.com/zAWCgkUU
> >>>>
> >>>> Robert
> >>>>
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-users
> >>>> mailing list:
> >>>>
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the
> >>>> project
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>> --
> >>> Martin Bašti
> >>> Software Engineer
> >>> Red Hat Czech
> >>>
> >>
> >> --
> >> Martin Bašti
> >> Software Engineer
> >> Red Hat Czech
> >>
> >
> > --
> > Martin Bašti
> > Software Engineer
> > Red Hat Czech
> >
> >
> >
>
>