[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
Robert L. Harris
robert.l.harris at gmail.com
Tue May 16 19:57:46 UTC 2017
I did disable SELinux as it gave errors setting up my standard users, etc.
I can roll back the snapshot, set it at 4 Gigs of RAM and re-enable SELinux
and then try again.
On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.holway at gmail.com>
wrote:
> This is pretty weird. FreeIPA installation normally works.
>
> Has the operating system image been changed or optimised somehow? Perhaps
> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>
> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.harris at gmail.com>
> wrote:
>
>>
>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms
>> on VMWare )
>>
>>
>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.holway at gmail.com>
>> wrote:
>>
>>> Hallo,
>>>
>>> How much memory do you have on the machine? I have a sneaking suspicion
>>> that you're running out.
>>>
>>> Ta,
>>>
>>> Andrew
>>>
>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com>
>>> wrote:
>>>
>>>>
>>>> Last night I rolled back my snapshot. Here's what I have after the yum
>>>> install
>>>>
>>>> "minimal" install of Centos7 + basic build.
>>>> {0}:/var/log>cat /etc/*elease
>>>> CentOS Linux release 7.3.1611 (Core)
>>>> NAME="CentOS Linux"
>>>> VERSION="7 (Core)"
>>>> ID="centos"
>>>> ID_LIKE="rhel fedora"
>>>> VERSION_ID="7"
>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>> ANSI_COLOR="0;31"
>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>> HOME_URL="https://www.centos.org/"
>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>
>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>
>>>> CentOS Linux release 7.3.1611 (Core)
>>>> CentOS Linux release 7.3.1611 (Core)
>>>>
>>>>
>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>> python-iniparse-0.4-9.el7.noarch
>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>
>>>> Tried to pull an exact client. The "yum install ipa-server" went fine:
>>>>
>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>
>>>>
>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Please add records in this file to your DNS system:
>>>> /tmp/ipa.system.records.qLsLyx.db
>>>> Restarting the web server
>>>> Configuring client side components
>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>> Client hostname: ipa.rdlg.net
>>>> Realm: RDLG.NET
>>>> DNS Domain: rdlg.net
>>>> IPA Server: ipa.rdlg.net
>>>> BaseDN: dc=rdlg,dc=net
>>>>
>>>> Skipping synchronizing time with NTP server.
>>>> New SSSD config will be created
>>>> Configured sudoers in /etc/nsswitch.conf
>>>> Configured /etc/sssd/sssd.conf
>>>> trying https://ipa.rdlg.net/ipa/json
>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>
>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>
>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
>>>>
>>>>
>>>> Robert
>>>>
>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
>>>> wrote:
>>>>
>>>>> Robert L. Harris wrote:
>>>>> >
>>>>> > Hmmm
>>>>> >
>>>>> > {0}:/var/log>ls
>>>>> > anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
>>>>> > boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log
>>>>> >
>>>>> >
>>>>> > root at ipa
>>>>> > {1}:/var/log>rpm -q -l http
>>>>> > package http is not installed
>>>>> >
>>>>> > root at ipa
>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>> >
>>>>> > root at ipa
>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>> >
>>>>> >
>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>
>>>>> I find this very hard to believe given that it got so far as to configure
>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>> installed? How did you install it and from what repo?
>>>>>
>>>>> rob
>>>>>
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>> >
>>>>> > That's weird, it should be super fast, anything in
>>>>> > /var/log/httpd/error_log?
>>>>> >
>>>>> >
>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>> >>
>>>>> >> Odd, must have clicked reply instead of reply-all.
>>>>> >>
>>>>> >> Anyway, I did the revert and re-install. Actual install went
>>>>> >> through fine then the "ipa-server-install" ran until this:
>>>>> >>
>>>>> >> [8/9]: restoring configuration
>>>>> >> [9/9]: starting directory server
>>>>> >> Done.
>>>>> >> Restarting the directory server
>>>>> >> Restarting the KDC
>>>>> >> Please add records in this file to your DNS system:
>>>>> >> /tmp/ipa.system.records.v5Jwrt.db
>>>>> >> Restarting the web server
>>>>> >> Configuring client side components
>>>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>>>> >> Client hostname: ipa.rdlg.net
>>>>> >> Realm: RDLG.NET
>>>>> >> DNS Domain: rdlg.net
>>>>> >> IPA Server: ipa.rdlg.net
>>>>> >> BaseDN: dc=rdlg,dc=net
>>>>> >>
>>>>> >> Skipping synchronizing time with NTP server.
>>>>> >> New SSSD config will be created
>>>>> >> Configured sudoers in /etc/nsswitch.conf
>>>>> >> Configured /etc/sssd/sssd.conf
>>>>> >> trying https://ipa.rdlg.net/ipa/json
>>>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>> >>
>>>>> >>
>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>>>>> >> anything in the ipaserver-install.log, but it's here:
>>>>> >> https://pastebin.com/biK1Dmv7
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>> >>
>>>>> >> Please keep freeipa-users in CC
>>>>> >>
>>>>> >> Snapshot is always better, so I suggest to use it. Otherwise
>>>>> >> there is an option --ignore-last-of-role to unblock
>>>>> >> uninstallation.
>>>>> >>
>>>>> >> Martin
>>>>> >>
>>>>> >>
>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>> >>>
>>>>> >>> Looks like you hit it, apache didn't have a group:
>>>>> >>>
>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>>>>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>> >>>
>>>>> >>> Thanks, didn't know that command. I tried to continue the
>>>>> >>> process:
>>>>> >>>
>>>>> >>> {0}:/root>ipa-server-install
>>>>> >>>
>>>>> >>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
>>>>> >>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>>> >>>
>>>>> >>> root at ipa
>>>>> >>> {1}:/root>ipa-server-install --uninstall
>>>>> >>>
>>>>> >>> This is a NON REVERSIBLE operation and will delete all data
>>>>> >>> and configuration!
>>>>> >>>
>>>>> >>> Are you sure you want to continue with the uninstall
>>>>> >>> procedure? [no]: yes
>>>>> >>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
>>>>> >>>
>>>>> >>>
>>>>> >>>
>>>>> >>> This is a VM and I took a snapshot right before I started the
>>>>> >>> install, so I can revert, just make sure to add the apache
>>>>> >>> user before starting the install. Or if you have a better
>>>>> >>> command to continue the clean-up/install.....
>>>>> >>>
>>>>> >>>
>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>> >>>
>>>>> >>> Hello,
>>>>> >>>
>>>>> >>> comments inline
>>>>> >>>
>>>>> >>>
>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>> >>>>
>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put
>>>>> >>>> that log in the first pastebin. It's in this one:
>>>>> >>>> https://pastebin.com/18PAXXNS
>>>>> >>>
>>>>> >>> Could you please provide journalctl -u httpd and
>>>>> >>> /var/log/httpd/error_log ?
>>>>> >>>
>>>>> >>>
>>>>> >>>
>>>>> >>>>
>>>>> >>>> Also,
>>>>> >>>> Anyone else get the constant spam when mailing this
>>>>> >>>> list? Got an address to block for it?
>>>>> >>>
>>>>> >>> Sorry for that, there is a bot mining public archives. We
>>>>> >>> plan to resolve this issue but it may take time as we are
>>>>> >>> not maintaining our mailman.
>>>>> >>>
>>>>> >>> Martin
>>>>> >>>
>>>>> >>>
>>>>> >>>>
>>>>> >>>> Robert
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <datakid at gmail.com> wrote:
>>>>> >>>>
>>>>> >>>> Robert, did you look in
>>>>> >>>> /var/log/ipaserver-install.log as it says?
>>>>> >>>>
>>>>> >>>> Was there any other information?
>>>>> >>>>
>>>>> >>>> cheers
>>>>> >>>> L.
>>>>> >>>>
>>>>> >>>> ------
>>>>> >>>> "Mission Statement: To provide hope and inspiration
>>>>> >>>> for collective action, to build collective power, to
>>>>> >>>> achieve collective transformation, rooted in grief
>>>>> >>>> and rage but pointed towards vision and dreams."
>>>>> >>>>
>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>>>>> >>>>
>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.harris at gmail.com> wrote:
>>>>> >>>>
>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the
>>>>> >>>> latest CentOS7. I built out a "minimal server"
>>>>> >>>> with some normal base packages which did include
>>>>> >>>> the freeipa-client but otherwise, just standard
>>>>> >>>> tools. Here's a pastebin of the output of the
>>>>> >>>> install: https://pastebin.com/zAWCgkUU
>>>>> >>>>
>>>>> >>>> Robert
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> --
>>>>> >>>> Manage your subscription for the Freeipa-users
>>>>> >>>> mailing list:
>>>>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> >>>> Go to http://freeipa.org for more info on the
>>>>> >>>> project
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>
>>>>> >>> --
>>>>> >>> Martin Bašti
>>>>> >>> Software Engineer
>>>>> >>> Red Hat Czech
>>>>> >>>
>>>>> >>
>>>>> >> --
>>>>> >> Martin Bašti
>>>>> >> Software Engineer
>>>>> >> Red Hat Czech
>>>>> >>
>>>>> >
>>>>> > --
>>>>> > Martin Bašti
>>>>> > Software Engineer
>>>>> > Red Hat Czech
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>
>>>
>>>
>
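
The two httpd failures quoted in this thread (AH00544 "bad group name apache" and the NSS_Initialize / SEC_ERROR_NOT_INITIALIZED errors for /etc/httpd/alias) can be triaged with a short shell script. This is an added example, not part of the original messages or of FreeIPA's own tooling; the function names, the `--demo` switch and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example; function names and sample log lines are constructed.

# Read httpd journal / error_log text on stdin and print one finding per
# failure signature from the thread, or "no-known-signature" if none match.
classify_httpd_log() {
    awk '
        /AH00544: httpd: bad group name/ { grp = $NF }
        /NSS_Initialize failed|SEC_ERROR_NOT_INITIALIZED/ { nss = 1 }
        END {
            if (grp != "") print "missing-group:" grp
            if (nss) print "nss-db-uninitialized"
            if (grp == "" && !nss) print "no-known-signature"
        }'
}

# Live checks for the points raised in the thread: the apache account, the
# NSS database under /etc/httpd/alias, the SELinux mode and total RAM.
# Values are reported as found; no minimum is assumed for RAM.
preflight() {
    getent group apache >/dev/null 2>&1 || echo "group apache: missing"
    getent passwd apache >/dev/null 2>&1 || echo "user apache: missing"
    if command -v certutil >/dev/null 2>&1; then
        certutil -L -d /etc/httpd/alias >/dev/null 2>&1 ||
            echo "NSS database /etc/httpd/alias: not readable"
    else
        echo "certutil: not installed, NSS database not checked"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce)"
    fi
    awk '/^MemTotal:/ { printf "RAM: %d MiB\n", $2 / 1024 }' /proc/meminfo
}

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE='May 10 20:36:00 ipa.example.test httpd[28809]: AH00544: httpd: bad group name apache
[Tue May 16 09:14:42 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | classify_httpd_log
    preflight
fi
```

On a real host, pipe `journalctl -u httpd` or `/var/log/httpd/error_log` (the two sources requested in the thread) into `classify_httpd_log`.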