[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

Andrew Holway andrew.holway at gmail.com
Tue May 16 19:52:06 UTC 2017


This is pretty weird. FreeIPA installation normally works.

Has the operating system image been changed or optimised somehow? Perhaps
SELinux has been disabled? Have you tried installing CentOS7 from the ISO?

On 16 May 2017 at 21:48, Robert L. Harris <robert.l.harris at gmail.com> wrote:

>
>    2 Gigs, it's a VM.  The VM didn't report any memory issues ( no alarms
> on VMWare )
>
>
> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.holway at gmail.com>
> wrote:
>
>> Hallo,
>>
>> How much memory do you have on the machine? I have a sneaking suspicion
>> that you're running out.
>>
>> Ta,
>>
>> Andrew
>>
>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com>
>> wrote:
>>
>>>
>>> Last night I rolled back my snapshot.  Here's what I have after the yum
>>> install
>>>
>>> "minimal" install of CentOS7 + basic build.
>>> {0}:/var/log>cat /etc/*elease
>>> CentOS Linux release 7.3.1611 (Core)
>>> NAME="CentOS Linux"
>>> VERSION="7 (Core)"
>>> ID="centos"
>>> ID_LIKE="rhel fedora"
>>> VERSION_ID="7"
>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>> ANSI_COLOR="0;31"
>>> CPE_NAME="cpe:/o:centos:centos:7"
>>> HOME_URL="https://www.centos.org/"
>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>
>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>> REDHAT_SUPPORT_PRODUCT="centos"
>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>
>>> CentOS Linux release 7.3.1611 (Core)
>>> CentOS Linux release 7.3.1611 (Core)
>>>
>>>
>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>> python-iniparse-0.4-9.el7.noarch
>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>> pam_krb5-2.4.8-6.el7.x86_64
>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>> python-ipaddress-1.0.16-2.el7.noarch
>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>
>>> Tried to pull an exact client.  The "yum install ipa-server" went fine:
>>>
>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>
>>>
>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>
>>> Restarting the directory server
>>> Restarting the KDC
>>> Please add records in this file to your DNS system:
>>> /tmp/ipa.system.records.qLsLyx.db
>>> Restarting the web server
>>> Configuring client side components
>>> Using existing certificate '/etc/ipa/ca.crt'.
>>> Client hostname: ipa.rdlg.net
>>> Realm: RDLG.NET
>>> DNS Domain: rdlg.net
>>> IPA Server: ipa.rdlg.net
>>> BaseDN: dc=rdlg,dc=net
>>>
>>> Skipping synchronizing time with NTP server.
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> trying https://ipa.rdlg.net/ipa/json
>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>
>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>
>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>>> failed. Certificate database: /etc/httpd/alias.
>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
>>> -8038 SEC_ERROR_NOT_INITIALIZED
>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>>> database exist?
>>>
>>>
>>> Robert
>>>
>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>> Robert L. Harris wrote:
>>>> >
>>>> > Hmmm
>>>> >
>>>> > {0}:/var/log>ls
>>>> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog          wtmp
>>>> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned             yum.log
>>>> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
>>>> >
>>>> >
>>>> > root at ipa
>>>> > {1}:/var/log>rpm -q -l http
>>>> > package http is not installed
>>>> >
>>>> > root at ipa
>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>> >
>>>> > root at ipa
>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>> >
>>>> >
>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>
>>>> I find this very hard to believe given that it got so far as to configure
>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>> installed? How did you install it and from what repo?
>>>>
>>>> rob
>>>>
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com
>>>> > <mailto:mbasti at redhat.com>> wrote:
>>>> >
>>>> >     That's weird, it should be super fast, anything in
>>>> >     /var/log/httpd/error_log?
>>>> >
>>>> >
>>>> >     On 11.05.2017 22:23, Robert L. Harris wrote:
>>>> >>
>>>> >>     Odd, must have clicked reply instead of reply-all.
>>>> >>
>>>> >>     Anyway, I did the revert and re-install.  Actual install went
>>>> >>     through fine then the "ipa-server-install" ran until this:
>>>> >>
>>>> >>       [8/9]: restoring configuration
>>>> >>       [9/9]: starting directory server
>>>> >>     Done.
>>>> >>     Restarting the directory server
>>>> >>     Restarting the KDC
>>>> >>     Please add records in this file to your DNS system:
>>>> >>     /tmp/ipa.system.records.v5Jwrt.db
>>>> >>     Restarting the web server
>>>> >>     Configuring client side components
>>>> >>     Using existing certificate '/etc/ipa/ca.crt'.
>>>> >>     Client hostname: ipa.rdlg.net
>>>> >>     Realm: RDLG.NET
>>>> >>     DNS Domain: rdlg.net
>>>> >>     IPA Server: ipa.rdlg.net
>>>> >>     BaseDN: dc=rdlg,dc=net
>>>> >>
>>>> >>     Skipping synchronizing time with NTP server.
>>>> >>     New SSSD config will be created
>>>> >>     Configured sudoers in /etc/nsswitch.conf
>>>> >>     Configured /etc/sssd/sssd.conf
>>>> >>     trying https://ipa.rdlg.net/ipa/json
>>>> >>     Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>> >>
>>>> >>
>>>> >>     It's been sitting there for a while ( 4 hours? )  I don't see
>>>> >>     anything in the ipaserver-install.log, but it's here:
>>>> >>      https://pastebin.com/biK1Dmv7
>>>> >>
>>>> >>
>>>> >>
>>>> >>     On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com
>>>> >>     <mailto:mbasti at redhat.com>> wrote:
>>>> >>
>>>> >>         Please keep freeipa-users in CC
>>>> >>
>>>> >>         Snapshot is always better, so I suggest to use it. Otherwise
>>>> >>         there is an option --ignore-last-of-role to unblock
>>>> >>         uninstallation.
>>>> >>
>>>> >>         Martin
>>>> >>
>>>> >>
>>>> >>         On 11.05.2017 16:00, Robert L. Harris wrote:
>>>> >>>
>>>> >>>         Looks like you hit it, apache didn't have a group:
>>>> >>>
>>>> >>>         -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>> >>>         May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa         : INFO     KDC proxy enabled
>>>> >>>         May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>> >>>         May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>> >>>
>>>> >>>         Thanks, didn't know that command.  I tried to continue the
>>>> >>>         process:
>>>> >>>
>>>> >>>         {0}:/root>ipa-server-install
>>>> >>>
>>>> >>>         The log file for this installation can be found in
>>>> >>>         /var/log/ipaserver-install.log
>>>> >>>         ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA server is already configured on this system.
>>>> >>>         If you want to reinstall the IPA server, please uninstall it
>>>> >>>         first using 'ipa-server-install --uninstall'.
>>>> >>>         ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>> >>>
>>>> >>>         root at ipa
>>>> >>>         {1}:/root>ipa-server-install  --uninstall
>>>> >>>
>>>> >>>         This is a NON REVERSIBLE operation and will delete all data
>>>> >>>         and configuration!
>>>> >>>
>>>> >>>         Are you sure you want to continue with the uninstall
>>>> >>>         procedure? [no]: yes
>>>> >>>         ipa         : ERROR    Server removal aborted: Deleting this
>>>> >>>         server is not allowed as it would leave your installation
>>>> >>>         without a CA..
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>         This is a VM and I took a snapshot right before I started the
>>>> >>>         install, so I can revert, just make sure to add the apache
>>>> >>>         user before starting the install.  Or if you have a better
>>>> >>>         command to continue the clean-up/install.....
>>>> >>>
>>>> >>>
>>>> >>>         On Thu, May 11, 2017 at 2:19 AM Martin Bašti
>>>> >>>         <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>>>> >>>
>>>> >>>             Hello,
>>>> >>>
>>>> >>>             comments inline
>>>> >>>
>>>> >>>
>>>> >>>             On 11.05.2017 06:06, Robert L. Harris wrote:
>>>> >>>>
>>>> >>>>             Sigh... Sorry, it's been a long day, I thought I put
>>>> >>>>             that log in the first pastebin.  It's in this one:
>>>> >>>>              https://pastebin.com/18PAXXNS
>>>> >>>
>>>> >>>             Could you please provide journalctl -u httpd and
>>>> >>>             /var/log/httpd/error_log ?
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>>
>>>> >>>>             Also,
>>>> >>>>                Anyone else get the constant spam when mailing this
>>>> >>>>             list?  Got an address to block for it?
>>>> >>>
>>>> >>>             Sorry for that, there is a bot mining public archives. We
>>>> >>>             plan to resolve this issue but it may take time as we are
>>>> >>>             not maintaining our mailman.
>>>> >>>
>>>> >>>             Martin
>>>> >>>
>>>> >>>
>>>> >>>>
>>>> >>>>             Robert
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>             On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman
>>>> >>>>             <datakid at gmail.com <mailto:datakid at gmail.com>> wrote:
>>>> >>>>
>>>> >>>>                 Robert, did you look in
>>>> >>>>                 /var/log/ipaserver-install.log as it says?
>>>> >>>>
>>>> >>>>                 Was there any other information?
>>>> >>>>
>>>> >>>>                 cheers
>>>> >>>>                 L.
>>>> >>>>
>>>> >>>>                 ------
>>>> >>>>                 "Mission Statement: To provide hope and inspiration
>>>> >>>>                 for collective action, to build collective power, to
>>>> >>>>                 achieve collective transformation, rooted in grief
>>>> >>>>                 and rage but pointed towards vision and dreams."
>>>> >>>>
>>>> >>>>                  - Patrice Cullors, /Black Lives Matter founder/
>>>> >>>>
>>>> >>>>                 On 11 May 2017 at 13:24, Robert L. Harris
>>>> >>>>                 <robert.l.harris at gmail.com
>>>> >>>>                 <mailto:robert.l.harris at gmail.com>> wrote:
>>>> >>>>
>>>> >>>>                     Ok,  I gave up on Ubuntu.  I'm now trying the
>>>> >>>>                     latest CentOS7.  I built out a "minimal server"
>>>> >>>>                     with some normal base packages which did include
>>>> >>>>                     the freeipa-client but otherwise, just standard
>>>> >>>>                     tools.  Here's a pastebin of the output of the
>>>> >>>>                     install:  https://pastebin.com/zAWCgkUU
>>>> >>>>
>>>> >>>>                     Robert
>>>> >>>>
>>>> >>>>
>>>> >>>>                     --
>>>> >>>>                     Manage your subscription for the Freeipa-users
>>>> >>>>                     mailing list:
>>>> >>>>                     https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >>>>                     Go to http://freeipa.org for more info on the
>>>> >>>>                     project
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>
>>>> >>>             --
>>>> >>>             Martin Bašti
>>>> >>>             Software Engineer
>>>> >>>             Red Hat Czech
>>>> >>>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>
>>
>>
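
The two httpd failures reported in this thread (`AH00544: httpd: bad group name apache` and `NSS_Initialize failed` for `/etc/httpd/alias`) can be checked for mechanically before re-running the installer. The following is an added example, not part of the original thread or of FreeIPA; the function names, the finding labels and the optional group-file argument are assumptions, and the sample log lines are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the two httpd failures quoted above.

# Read httpd journal / error_log text on stdin, print one finding per cause.
triage_httpd_log() {
    awk '
        /AH00544: httpd: bad group name/ {
            if (!seen["g" $NF]++) print "missing-group " $NF
        }
        /NSS_Initialize failed\. Certificate database: / {
            db = $0
            sub(/.*Certificate database: /, "", db)
            sub(/\.[ \t]*$/, "", db)
            if (!seen["n" db]++) print "nss-db-uninitialized " db
        }
    '
}

# Succeed if group $1 exists. $2 (optional, an assumption made so the check can
# be exercised offline) is a group file to read instead of asking getent.
group_exists() {
    if [ -n "${2:-}" ]; then
        awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "$2"
    else
        getent group "$1" >/dev/null
    fi
}

# Succeed if directory $1 holds an NSS database in either on-disk format:
# legacy DBM (cert8.db + key3.db) or SQLite (cert9.db + key4.db).
nss_db_present() {
    { [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; } ||
    { [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; }
}

# Constructed sample input: the thread's log lines, unwrapped to one per line.
sample_log() {
    cat <<'EOF'
May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
EOF
}

sample_log | triage_httpd_log
```

On a real host, `journalctl -u httpd | triage_httpd_log` gives the same classification, and `group_exists apache` and `nss_db_present /etc/httpd/alias` check the corresponding state directly.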