[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
Robert L. Harris
robert.l.harris at gmail.com
Tue May 16 19:48:53 UTC 2017
2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms
on VMWare )
On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.holway at gmail.com>
wrote:
> Hallo,
>
> How much memory do you have on the machine? I have a sneaking suspicion
> that you're running out.
>
> Ta,
>
> Andrew
>
> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com>
> wrote:
>
>>
>> Last night I rolled back my snapshot. Here's what I have after the yum
>> install
>>
>> "minimal" install of Centos7 + basic build.
>> {0}:/var/log>cat /etc/*elease
>> CentOS Linux release 7.3.1611 (Core)
>> NAME="CentOS Linux"
>> VERSION="7 (Core)"
>> ID="centos"
>> ID_LIKE="rhel fedora"
>> VERSION_ID="7"
>> PRETTY_NAME="CentOS Linux 7 (Core)"
>> ANSI_COLOR="0;31"
>> CPE_NAME="cpe:/o:centos:centos:7"
>> HOME_URL="https://www.centos.org/"
>> BUG_REPORT_URL="https://bugs.centos.org/"
>>
>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>> REDHAT_SUPPORT_PRODUCT="centos"
>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>
>> CentOS Linux release 7.3.1611 (Core)
>> CentOS Linux release 7.3.1611 (Core)
>>
>>
>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>> ipa-common-4.4.0-14.el7.centos.7.noarch
>> perl-HTTP-Tiny-0.033-3.el7.noarch
>> python-iniparse-0.4-9.el7.noarch
>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>> pam_krb5-2.4.8-6.el7.x86_64
>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>> python-ipaddress-1.0.16-2.el7.noarch
>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>> krb5-libs-1.14.1-27.el7_3.x86_64
>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>> krb5-workstation-1.14.1-27.el7_3.x86_64
>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>
>> Tried to pull an exact client. The "yum install ipa-server" went fine:
>>
>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>
>>
>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>
>> Restarting the directory server
>> Restarting the KDC
>> Please add records in this file to your DNS system:
>> /tmp/ipa.system.records.qLsLyx.db
>> Restarting the web server
>> Configuring client side components
>> Using existing certificate '/etc/ipa/ca.crt'.
>> Client hostname: ipa.rdlg.net
>> Realm: RDLG.NET
>> DNS Domain: rdlg.net
>> IPA Server: ipa.rdlg.net
>> BaseDN: dc=rdlg,dc=net
>>
>> Skipping synchronizing time with NTP server.
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> trying https://ipa.rdlg.net/ipa/json
>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>
>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>
>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>> failed. Certificate database: /etc/httpd/alias.
>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
>> -8038 SEC_ERROR_NOT_INITIALIZED
>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>> database exist?
>>
>>
>> Robert
>>
>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
>> wrote:
>>
>>> Robert L. Harris wrote:
>>> >
>>> > Hmmm
>>> >
>>> > {0}:/var/log>ls
>>> > anaconda btmp dmesg grubby maillog ppp secure
>>> > tallylog wtmp
>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler
>>> > tuned yum.log
>>> > boot.log cups firewalld lastlog ntpstats samba sssd
>>> > vmware-vmsvc.log
>>> >
>>> >
>>> > root at ipa
>>> > {1}:/var/log>rpm -q -l http
>>> > package http is not installed
>>> >
>>> > root at ipa
>>> > {1}:/var/log>rpm -q -a | grep -i http
>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>> >
>>> > root at ipa
>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>> >
>>> >
>>> > Doesn't look like an httpd was installed as a dependency?
>>>
>>> I find this very hard to believe given that it got so far as to configure
>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>> installed? How did you install it and from what repo?
>>>
>>> rob
>>>
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
>>> >
>>> > That's weird, it should be super fast, anything in
>>> > /var/log/httpd/error_log?
>>> >
>>> >
>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>> >>
>>> >> Odd, must have clicked reply instead of reply-all.
>>> >>
>>> >> Anyway, I did the revert and re-install. Actual install went
>>> >> through fine then the "ipa-server-install" ran until this:
>>> >>
>>> >> [8/9]: restoring configuration
>>> >> [9/9]: starting directory server
>>> >> Done.
>>> >> Restarting the directory server
>>> >> Restarting the KDC
>>> >> Please add records in this file to your DNS system:
>>> >> /tmp/ipa.system.records.v5Jwrt.db
>>> >> Restarting the web server
>>> >> Configuring client side components
>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>> >> Client hostname: ipa.rdlg.net
>>> >> Realm: RDLG.NET
>>> >> DNS Domain: rdlg.net
>>> >> IPA Server: ipa.rdlg.net
>>> >> BaseDN: dc=rdlg,dc=net
>>> >>
>>> >> Skipping synchronizing time with NTP server.
>>> >> New SSSD config will be created
>>> >> Configured sudoers in /etc/nsswitch.conf
>>> >> Configured /etc/sssd/sssd.conf
>>> >> trying https://ipa.rdlg.net/ipa/json
>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>> >>
>>> >>
>>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>>> >> anything in the ipaserver-install.log, but it's here:
>>> >> https://pastebin.com/biK1Dmv7
>>> >>
>>> >>
>>> >>
>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>> >>
>>> >> Please keep freeipa-users in CC
>>> >>
>>> >> Snapshot is always better, so I suggest to use it. Otherwise
>>> >> there is an option --ignore-last-of-role to unblock
>>> >> uninstallation.
>>> >>
>>> >> Martin
>>> >>
>>> >>
>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>> >>>
>>> >>> Looks like you hit it, apache didn't have a group:
>>> >>>
>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu
>>> >>> 2017-05-11 07:48:27 MDT. --
>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>> >>>
>>> >>> Thanks, didn't know that command. I tried to continue the
>>> >>> process:
>>> >>>
>>> >>> {0}:/root>ipa-server-install
>>> >>>
>>> >>> The log file for this installation can be found in
>>> >>> /var/log/ipaserver-install.log
>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA
>>> >>> server is already configured on this system.
>>> >>> If you want to reinstall the IPA server, please uninstall it
>>> >>> first using 'ipa-server-install --uninstall'.
>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The
>>> >>> ipa-server-install command failed. See
>>> >>> /var/log/ipaserver-install.log for more information
>>> >>>
>>> >>> root at ipa
>>> >>> {1}:/root>ipa-server-install --uninstall
>>> >>>
>>> >>> This is a NON REVERSIBLE operation and will delete all data
>>> >>> and configuration!
>>> >>>
>>> >>> Are you sure you want to continue with the uninstall
>>> >>> procedure? [no]: yes
>>> >>> ipa : ERROR Server removal aborted: Deleting this
>>> >>> server is not allowed as it would leave your installation
>>> >>> without a CA..
>>> >>>
>>> >>>
>>> >>>
>>> >>> This is a VM and I took a snapshot right before I started the
>>> >>> install, so I can revert, just make sure to add the apache
>>> >>> user before starting the install. Or if you have a better
>>> >>> command to continue the clean-up/install.....
>>> >>>
>>> >>>
>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mbasti at redhat.com> wrote:
>>> >>>
>>> >>> Hello,
>>> >>>
>>> >>> comments inline
>>> >>>
>>> >>>
>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>> >>>>
>>> >>>> Sigh... Sorry, it's been a long day, I thought I put
>>> >>>> that log in the first pastebin. It's in this one:
>>> >>>> https://pastebin.com/18PAXXNS
>>> >>>
>>> >>> Could you please provide journalctl -u httpd and
>>> >>> /var/log/httpd/error_log ?
>>> >>>
>>> >>>
>>> >>>
>>> >>>>
>>> >>>> Also,
>>> >>>> Anyone else get the constant spam when mailing this
>>> >>>> list? Got an address to block for it?
>>> >>>
>>> >>> Sorry for that, there is a bot mining public archives. We
>>> >>> plan to resolve this issue but it may take time as we are
>>> >>> not maintaining our mailman.
>>> >>>
>>> >>> Martin
>>> >>>
>>> >>>
>>> >>>>
>>> >>>> Robert
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <datakid at gmail.com> wrote:
>>> >>>>
>>> >>>> Robert, did you look in
>>> >>>> /var/log/ipaserver-install.log as it says?
>>> >>>>
>>> >>>> Was there any other information?
>>> >>>>
>>> >>>> cheers
>>> >>>> L.
>>> >>>>
>>> >>>> ------
>>> >>>> "Mission Statement: To provide hope and inspiration
>>> >>>> for collective action, to build collective power, to
>>> >>>> achieve collective transformation, rooted in grief
>>> >>>> and rage but pointed towards vision and dreams."
>>> >>>>
>>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>>> >>>>
>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.harris at gmail.com> wrote:
>>> >>>>
>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the
>>> >>>> latest CentOS7. I built out a "minimal server"
>>> >>>> with some normal base packages which did include
>>> >>>> the freeipa-client but otherwise, just standard
>>> >>>> tools. Here's a pastebin of the output of the
>>> >>>> install: https://pastebin.com/zAWCgkUU
>>> >>>>
>>> >>>> Robert
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> Manage your subscription for the Freeipa-users
>>> >>>> mailing list:
>>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> >>>> Go to http://freeipa.org for more info on the
>>> >>>> project
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>
>>> >>> --
>>> >>> Martin Bašti
>>> >>> Software Engineer
>>> >>> Red Hat Czech
>>> >>>
>>> >>
>>> >> --
>>> >> Martin Bašti
>>> >> Software Engineer
>>> >> Red Hat Czech
>>> >>
>>> >
>>> > --
>>> > Martin Bašti
>>> > Software Engineer
>>> > Red Hat Czech
>>> >
>>> >
>>> >
>>>
>>>
>>
>
>
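The two httpd failures quoted in this thread (AH00544 "bad group name apache", and NSS_Initialize failing on /etc/httpd/alias) can be checked for on the host and recognised in logs. The script below is an added example, not part of the original messages or of FreeIPA; the function names and the optional ROOT argument are assumptions, and the user/group check reads local files only.

```shell
#!/bin/sh
# Added example (not FreeIPA code): checks for the httpd failures seen in this thread.

# True if NAME is the first colon-separated field of a line in FILE.
# Local files only; no LDAP/SSSD lookup is attempted.
has_entry() {
    [ -r "$1" ] && awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"
}

# True if DIR holds a complete NSS database (legacy dbm or sql format).
nss_db_present() {
    dir=$1
    { [ -s "$dir/cert8.db" ] && [ -s "$dir/key3.db" ] && [ -s "$dir/secmod.db" ]; } ||
    { [ -s "$dir/cert9.db" ] && [ -s "$dir/key4.db" ] && [ -s "$dir/pkcs11.txt" ]; }
}

# Check preconditions under ROOT (hypothetical argument; empty = live system).
preflight() {
    root=${1:-}
    rc=0
    has_entry "$root/etc/group" apache || { echo "FAIL: group apache missing"; rc=1; }
    has_entry "$root/etc/passwd" apache || { echo "FAIL: user apache missing"; rc=1; }
    nss_db_present "$root/etc/httpd/alias" ||
        { echo "FAIL: no NSS database in $root/etc/httpd/alias"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Map httpd/journal lines on stdin to the failure signatures quoted in the thread.
classify_httpd_log() {
    awk '
        /AH00544: httpd: bad group name/ { g = 1 }
        /NSS_Initialize failed/ || /SEC_ERROR_NOT_INITIALIZED/ { n = 1 }
        END {
            if (g) print "missing-group"
            if (n) print "nss-db-uninitialized"
            if (!g && !n) print "no-known-signature"
        }'
}

# Log lines copied from the thread, with wrapped lines rejoined.
sample_log() {
    cat <<'EOF'
May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
EOF
}

sample_log | classify_httpd_log
```

On a real host, run `preflight` with no argument as root, and feed `journalctl -u httpd` or `/var/log/httpd/error_log` to `classify_httpd_log`.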