[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
Andrew Holway
andrew.holway at gmail.com
Tue May 16 18:29:22 UTC 2017
Hallo,
How much memory do you have on the machine? I have a sneaking suspicion
that you're running out.
Ta,
Andrew
On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com> wrote:
>
> Last night I rolled back my snapshot. Here's what I have after the yum
> install
>
> "minimal" install of Centos7 + basic build.
> {0}:/var/log>cat /etc/*elease
> CentOS Linux release 7.3.1611 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> CentOS Linux release 7.3.1611 (Core)
> CentOS Linux release 7.3.1611 (Core)
>
>
> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-common-4.4.0-14.el7.centos.7.noarch
> perl-HTTP-Tiny-0.033-3.el7.noarch
> python-iniparse-0.4-9.el7.noarch
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> pam_krb5-2.4.8-6.el7.x86_64
> sssd-krb5-1.14.0-43.el7_3.14.x86_64
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> krb5-libs-1.14.1-27.el7_3.x86_64
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> krb5-workstation-1.14.1-27.el7_3.x86_64
> ipa-client-4.4.0-14.el7.centos.7.x86_64
>
> Tried to pull an exact client. The "yum install ipa-server" went fine:
>
> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>
>
> "ipa-server-install" ran clean but has been stuck for 2 days:
>
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system:
> /tmp/ipa.system.records.qLsLyx.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net
> IPA Server: ipa.rdlg.net
> BaseDN: dc=rdlg,dc=net
>
> Skipping synchronizing time with NTP server.
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://ipa.rdlg.net/ipa/json
> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>
> Checking the /var/log/httpd/error.log has 2 days of just this:
>
> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
> failed. Certificate database: /etc/httpd/alias.
> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
> -8038 SEC_ERROR_NOT_INITIALIZED
> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
> database exist?
>
>
> Robert
>
> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Robert L. Harris wrote:
>> >
>> > Hmmm
>> >
>> > {0}:/var/log>ls
>> > anaconda btmp dmesg grubby maillog ppp secure
>> > tallylog wtmp
>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler
>> > tuned yum.log
>> > boot.log cups firewalld lastlog ntpstats samba sssd
>> > vmware-vmsvc.log
>> >
>> >
>> > root at ipa
>> > {1}:/var/log>rpm -q -l http
>> > package http is not installed
>> >
>> > root at ipa
>> > {1}:/var/log>rpm -q -a | grep -i http
>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>> >
>> > root at ipa
>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>> >
>> >
>> > Doesn't look like an httpd was installed as a dependency?
>>
>> I find this very hard to believe given that it got so far as to configure
>> things in Apache, restart it, etc. What version of [free]ipa-server is
>> installed? How did you install it and from what repo?
>>
>> rob
>>
>> >
>> >
>> >
>> >
>> >
>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
>> >
>> > That's weird, it should be super fast, anything in
>> > /var/log/httpd/error_log?
>> >
>> >
>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>> >>
>> >> Odd, must have clicked reply instead of reply-all.
>> >>
>> >> Anyway, I did the revert and re-install. Actual install went
>> >> through fine then the "ipa-server-install" ran until this:
>> >>
>> >> [8/9]: restoring configuration
>> >> [9/9]: starting directory server
>> >> Done.
>> >> Restarting the directory server
>> >> Restarting the KDC
>> >> Please add records in this file to your DNS system:
>> >> /tmp/ipa.system.records.v5Jwrt.db
>> >> Restarting the web server
>> >> Configuring client side components
>> >> Using existing certificate '/etc/ipa/ca.crt'.
>> >> Client hostname: ipa.rdlg.net
>> >> Realm: RDLG.NET
>> >> DNS Domain: rdlg.net
>> >> IPA Server: ipa.rdlg.net
>> >> BaseDN: dc=rdlg,dc=net
>> >>
>> >> Skipping synchronizing time with NTP server.
>> >> New SSSD config will be created
>> >> Configured sudoers in /etc/nsswitch.conf
>> >> Configured /etc/sssd/sssd.conf
>> >> trying https://ipa.rdlg.net/ipa/json
>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>> >>
>> >>
>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>> >> anything in the ipaserver-install.log, but it's here:
>> >> https://pastebin.com/biK1Dmv7
>> >>
>> >>
>> >>
>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>> >>
>> >> Please keep freeipa-users in CC
>> >>
>> >> Snapshot is always better, so I suggest to use it. Otherwise
>> >> there is an option --ignore-last-of-role to unblock
>> >> uninstallation.
>> >>
>> >> Martin
>> >>
>> >>
>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>> >>>
>> >>> Looks like you hit it, apache didn't have a group:
>> >>>
>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu
>> >>> 2017-05-11 07:48:27 MDT. --
>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>> >>>
>> >>> Thanks, didn't know that command. I tried to continue the
>> >>> process:
>> >>>
>> >>> {0}:/root>ipa-server-install
>> >>>
>> >>> The log file for this installation can be found in
>> >>> /var/log/ipaserver-install.log
>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA
>> >>> server is already configured on this system.
>> >>> If you want to reinstall the IPA server, please uninstall it
>> >>> first using 'ipa-server-install --uninstall'.
>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The
>> >>> ipa-server-install command failed. See
>> >>> /var/log/ipaserver-install.log for more information
>> >>>
>> >>> root at ipa
>> >>> {1}:/root>ipa-server-install --uninstall
>> >>>
>> >>> This is a NON REVERSIBLE operation and will delete all data
>> >>> and configuration!
>> >>>
>> >>> Are you sure you want to continue with the uninstall
>> >>> procedure? [no]: yes
>> >>> ipa : ERROR Server removal aborted: Deleting this
>> >>> server is not allowed as it would leave your installation
>> >>> without a CA..
>> >>>
>> >>>
>> >>>
>> >>> This is a VM and I took a snapshot right before I started the
>> >>> install, so I can revert, just make sure to add the apache
>> >>> user before starting the install. Or if you have a better
>> >>> command to continue the clean-up/install.....
>> >>>
>> >>>
>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mbasti at redhat.com> wrote:
>> >>>
>> >>> Hello,
>> >>>
>> >>> comments inline
>> >>>
>> >>>
>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>> >>>>
>> >>>> Sigh... Sorry, it's been a long day, I thought I put
>> >>>> that log in the first pastebin. It's in this one:
>> >>>> https://pastebin.com/18PAXXNS
>> >>>
>> >>> Could you please provide journalctl -u httpd and
>> >>> /var/log/httpd/error_log ?
>> >>>
>> >>>
>> >>>
>> >>>>
>> >>>> Also,
>> >>>> Anyone else get the constant spam when mailing this
>> >>>> list? Got an address to block for it?
>> >>>
>> >>> Sorry for that, there is a bot mining public archives. We
>> >>> plan to resolve this issue but it may take time as we are
>> >>> not maintaining our mailman.
>> >>>
>> >>> Martin
>> >>>
>> >>>
>> >>>>
>> >>>> Robert
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <datakid at gmail.com> wrote:
>> >>>>
>> >>>> Robert, did you look in
>> >>>> /var/log/ipaserver-install.log as it says?
>> >>>>
>> >>>> Was there any other information?
>> >>>>
>> >>>> cheers
>> >>>> L.
>> >>>>
>> >>>> ------
>> >>>> "Mission Statement: To provide hope and inspiration
>> >>>> for collective action, to build collective power, to
>> >>>> achieve collective transformation, rooted in grief
>> >>>> and rage but pointed towards vision and dreams."
>> >>>>
>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>> >>>>
>> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.harris at gmail.com> wrote:
>> >>>>
>> >>>> Ok, I gave up on Ubuntu. I'm now trying the
>> >>>> latest CentOS7. I built out a "minimal server"
>> >>>> with some normal base packages which did include
>> >>>> the freeipa-client but otherwise, just standard
>> >>>> tools. Here's a pastebin of the output of the
>> >>>> install: https://pastebin.com/zAWCgkUU
>> >>>>
>> >>>> Robert
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Manage your subscription for the Freeipa-users
>> >>>> mailing list:
>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>>> Go to http://freeipa.org for more info on the
>> >>>> project
>> >>>>
>> >>>>
>> >>>
>> >>> --
>> >>> Martin Bašti
>> >>> Software Engineer
>> >>> Red Hat Czech
>> >>>
>
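
The script below is an added example, not part of any poster's message and not FreeIPA code. It triages httpd journal and error_log lines for the two failures quoted in this thread (AH00544 "bad group name" and NSS_Initialize failed), then checks the host for the matching causes and reports total memory. The function names are hypothetical, the sample lines are copied from the thread with wrapped lines rejoined, and cert8.db/cert9.db are assumed as the standard NSS database file names.

```sh
#!/bin/sh
# Added example (not from the thread): triage httpd log lines and check the
# host for the failures quoted above. Function names are hypothetical.

# Map one journal/error_log line to a finding, or "unknown".
classify_httpd_line() {
    line=$1
    case "$line" in
        *AH00544*"bad group name "*)
            echo "missing-group:${line##*bad group name }" ;;
        *"NSS_Initialize failed. Certificate database: "*)
            rest="${line##*Certificate database: }"
            echo "nss-db-uninitialized:${rest%.}" ;;
        *) echo "unknown" ;;
    esac
}

# Read log lines on stdin; print each distinct finding with its hit count.
triage_httpd_log() {
    while IFS= read -r entry; do
        classify_httpd_line "$entry"
    done | grep -v '^unknown$' | sort | uniq -c | awk '{ print $2 " x" $1 }'
}

# True if DIR holds an NSS certificate database (legacy dbm or sql format).
nss_db_present() {
    [ -r "$1/cert8.db" ] || [ -r "$1/cert9.db" ]
}

# Print a meminfo field in MiB: mem_mib MemTotal [FILE, default /proc/meminfo].
mem_mib() {
    awk -v f="$1:" '$1 == f { print int($2 / 1024) }' "${2:-/proc/meminfo}"
}

# Sample lines copied from the thread (wrapped lines rejoined).
SAMPLE_LOG='May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED'

# Run the triage, then verify each suspected cause on this host.
run_checks() {
    printf '%s\n' "$SAMPLE_LOG" | triage_httpd_log
    getent group apache >/dev/null || echo "group apache does not exist"
    nss_db_present /etc/httpd/alias || echo "no NSS database in /etc/httpd/alias"
    echo "MemTotal: $(mem_mib MemTotal) MiB"
}

run_checks
```

On a real host, feed `journalctl -u httpd` or the httpd error log to `triage_httpd_log` instead of the embedded sample.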