[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

Andrew Holway andrew.holway at gmail.com
Tue May 16 20:12:05 UTC 2017


Yea, I would try installing IPA then making the changes that you want. I
think SELinux should be left enabled however. It makes admin super fun! :)

On 16 May 2017 at 21:57, Robert L. Harris <robert.l.harris at gmail.com> wrote:

>
> I did disable selinux as it gave errors setting up my standard users,
> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
> selinux and then try again.
>
>
> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.holway at gmail.com>
> wrote:
>
>> This is pretty weird. FreeIPA installation normally works.
>>
>> Has the operating system image been changed or optimised somehow? Perhaps
>> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>>
>> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.harris at gmail.com>
>> wrote:
>>
>>>
>>>    2 Gigs, it's a VM.  The VM didn't report any memory issues ( no
>>> alarms on VMWare )
>>>
>>>
>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.holway at gmail.com>
>>> wrote:
>>>
>>>> Hallo,
>>>>
>>>> How much memory do you have on the machine? I have a sneaking suspicion
>>>> that you're running out.
>>>>
>>>> Ta,
>>>>
>>>> Andrew
>>>>
>>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Last night I rolled back my snapshot.  Here's what I have after the
>>>>> yum install
>>>>>
>>>>> "minimal" install of Centos7 + basic build.
>>>>> {0}:/var/log>cat /etc/*elease
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>> NAME="CentOS Linux"
>>>>> VERSION="7 (Core)"
>>>>> ID="centos"
>>>>> ID_LIKE="rhel fedora"
>>>>> VERSION_ID="7"
>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>> ANSI_COLOR="0;31"
>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>> HOME_URL="https://www.centos.org/"
>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>
>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>
>>>>>
>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>> python-iniparse-0.4-9.el7.noarch
>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>
>>>>> Tried to pull an exact client.  The "yum install ipa-server" went fine:
>>>>>
>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>
>>>>>
>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>
>>>>> Restarting the directory server
>>>>> Restarting the KDC
>>>>> Please add records in this file to your DNS system:
>>>>> /tmp/ipa.system.records.qLsLyx.db
>>>>> Restarting the web server
>>>>> Configuring client side components
>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>> Client hostname: ipa.rdlg.net
>>>>> Realm: RDLG.NET
>>>>> DNS Domain: rdlg.net
>>>>> IPA Server: ipa.rdlg.net
>>>>> BaseDN: dc=rdlg,dc=net
>>>>>
>>>>> Skipping synchronizing time with NTP server.
>>>>> New SSSD config will be created
>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>> Configured /etc/sssd/sssd.conf
>>>>> trying https://ipa.rdlg.net/ipa/json
>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>
>>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>>
>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>>>>> failed. Certificate database: /etc/httpd/alias.
>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library
>>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>>>>> database exist?
>>>>>
>>>>>
>>>>> Robert
>>>>>
>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Robert L. Harris wrote:
>>>>>> >
>>>>>> > Hmmm
>>>>>> >
>>>>>> > {0}:/var/log>ls
>>>>>> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog          wtmp
>>>>>> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned             yum.log
>>>>>> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
>>>>>> >
>>>>>> >
>>>>>> > root at ipa
>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>> > package http is not installed
>>>>>> >
>>>>>> > root at ipa
>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>> >
>>>>>> > root at ipa
>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>> >
>>>>>> >
>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>
>>>>>> I find this very hard to believe given that it got so far as to configure
>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>>> installed? How did you install it and from what repo?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>> >
>>>>>> >     That's weird, it should be super fast, anything in
>>>>>> >     /var/log/httpd/error_log?
>>>>>> >
>>>>>> >
>>>>>> >     On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>> >>
>>>>>> >>     Odd, must have clicked reply instead of reply-all.
>>>>>> >>
>>>>>> >>     Anyway, I did the revert and re-install.  Actual install went
>>>>>> >>     through fine then the "ipa-server-install" ran until this:
>>>>>> >>
>>>>>> >>       [8/9]: restoring configuration
>>>>>> >>       [9/9]: starting directory server
>>>>>> >>     Done.
>>>>>> >>     Restarting the directory server
>>>>>> >>     Restarting the KDC
>>>>>> >>     Please add records in this file to your DNS system:
>>>>>> >>     /tmp/ipa.system.records.v5Jwrt.db
>>>>>> >>     Restarting the web server
>>>>>> >>     Configuring client side components
>>>>>> >>     Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> >>     Client hostname: ipa.rdlg.net
>>>>>> >>     Realm: RDLG.NET
>>>>>> >>     DNS Domain: rdlg.net
>>>>>> >>     IPA Server: ipa.rdlg.net
>>>>>> >>     BaseDN: dc=rdlg,dc=net
>>>>>> >>
>>>>>> >>     Skipping synchronizing time with NTP server.
>>>>>> >>     New SSSD config will be created
>>>>>> >>     Configured sudoers in /etc/nsswitch.conf
>>>>>> >>     Configured /etc/sssd/sssd.conf
>>>>>> >>     trying https://ipa.rdlg.net/ipa/json
>>>>>> >>     Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>> >>
>>>>>> >>
>>>>>> >>     It's been sitting there for a while ( 4 hours? )  I don't see
>>>>>> >>     anything in the ipaserver-install.log, but it's here:
>>>>>> >>      https://pastebin.com/biK1Dmv7
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>     On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>> >>
>>>>>> >>         Please keep freeipa-users in CC
>>>>>> >>
>>>>>> >>         Snapshot is always better, so I suggest to use it. Otherwise
>>>>>> >>         there is an option --ignore-last-of-role to unblock
>>>>>> >>         uninstallation.
>>>>>> >>
>>>>>> >>         Martin
>>>>>> >>
>>>>>> >>
>>>>>> >>         On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>> >>>
>>>>>> >>>         Looks like you hit it, apache didn't have a group:
>>>>>> >>>
>>>>>> >>>         -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa         : INFO     KDC proxy enabled
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>>> >>>
>>>>>> >>>         Thanks, didn't know that command.  I tried to continue the
>>>>>> >>>         process:
>>>>>> >>>
>>>>>> >>>         {0}:/root>ipa-server-install
>>>>>> >>>
>>>>>> >>>         The log file for this installation can be found in
>>>>>> >>>         /var/log/ipaserver-install.log
>>>>>> >>>         ipa.ipapython.install.cli.install_tool(Server): ERROR IPA
>>>>>> >>>         server is already configured on this system.
>>>>>> >>>         If you want to reinstall the IPA server, please uninstall it
>>>>>> >>>         first using 'ipa-server-install --uninstall'.
>>>>>> >>>         ipa.ipapython.install.cli.install_tool(Server): ERROR The
>>>>>> >>>         ipa-server-install command failed. See
>>>>>> >>>         /var/log/ipaserver-install.log for more information
>>>>>> >>>
>>>>>> >>>         root at ipa
>>>>>> >>>         {1}:/root>ipa-server-install  --uninstall
>>>>>> >>>
>>>>>> >>>         This is a NON REVERSIBLE operation and will delete all data
>>>>>> >>>         and configuration!
>>>>>> >>>
>>>>>> >>>         Are you sure you want to continue with the uninstall
>>>>>> >>>         procedure? [no]: yes
>>>>>> >>>         ipa         : ERROR    Server removal aborted: Deleting this
>>>>>> >>>         server is not allowed as it would leave your installation
>>>>>> >>>         without a CA..
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>         This is a VM and I took a snapshot right before I started the
>>>>>> >>>         install, so I can revert, just make sure to add the apache
>>>>>> >>>         user before starting the install.  Or if you have a better
>>>>>> >>>         command to continue the clean-up/install.....
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>         On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>> >>>
>>>>>> >>>             Hello,
>>>>>> >>>
>>>>>> >>>             comments inline
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>             On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>>> >>>>
>>>>>> >>>>             Sigh... Sorry, it's been a long day, I thought I put
>>>>>> >>>>             that log in the first pastebin.  It's in this one:
>>>>>> >>>>              https://pastebin.com/18PAXXNS
>>>>>> >>>
>>>>>> >>>             Could you please provide journalctl -u httpd and
>>>>>> >>>             /var/log/httpd/error_log ?
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>>
>>>>>> >>>>             Also,
>>>>>> >>>>                Anyone else get the constant spam when mailing this
>>>>>> >>>>             list?  Got an address to block for it?
>>>>>> >>>
>>>>>> >>>             Sorry for that, there is a bot mining public archives. We
>>>>>> >>>             plan to resolve this issue but it may take time as we are
>>>>>> >>>             not maintaining our mailman.
>>>>>> >>>
>>>>>> >>>             Martin
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>>
>>>>>> >>>>             Robert
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>             On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman
>>>>>> >>>>             <datakid at gmail.com> wrote:
>>>>>> >>>>
>>>>>> >>>>                 Robert, did you look in
>>>>>> >>>>                 /var/log/ipaserver-install.log as it says?
>>>>>> >>>>
>>>>>> >>>>                 Was there any other information?
>>>>>> >>>>
>>>>>> >>>>                 cheers
>>>>>> >>>>                 L.
>>>>>> >>>>
>>>>>> >>>>                 ------
>>>>>> >>>>                 "Mission Statement: To provide hope and inspiration
>>>>>> >>>>                 for collective action, to build collective power, to
>>>>>> >>>>                 achieve collective transformation, rooted in grief
>>>>>> >>>>                 and rage but pointed towards vision and dreams."
>>>>>> >>>>
>>>>>> >>>>                  - Patrice Cullors, /Black Lives Matter founder/
>>>>>> >>>>
>>>>>> >>>>                 On 11 May 2017 at 13:24, Robert L. Harris
>>>>>> >>>>                 <robert.l.harris at gmail.com> wrote:
>>>>>> >>>>
>>>>>> >>>>                     Ok,  I gave up on Ubuntu.  I'm now trying the
>>>>>> >>>>                     latest CentOS7.  I built out a "minimal server"
>>>>>> >>>>                     with some normal base packages which did include
>>>>>> >>>>                     the freeipa-client but otherwise, just standard
>>>>>> >>>>                     tools.  Here's a pastebin of the output of the
>>>>>> >>>>                     install:  https://pastebin.com/zAWCgkUU
>>>>>> >>>>
>>>>>> >>>>                     Robert
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>                     --
>>>>>> >>>>                     Manage your subscription for the Freeipa-users
>>>>>> >>>>                     mailing list:
>>>>>> >>>>                     https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> >>>>                     Go to http://freeipa.org for more info on the
>>>>>> >>>>                     project
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>
>>>>>> >>>             --
>>>>>> >>>             Martin Bašti
>>>>>> >>>             Software Engineer
>>>>>> >>>             Red Hat Czech
>>>>>> >>>
>>>>>> >>
>>>>>> >>         --
>>>>>> >>         Martin Bašti
>>>>>> >>         Software Engineer
>>>>>> >>         Red Hat Czech
>>>>>> >>
>>>>>> >
>>>>>> >     --
>>>>>> >     Martin Bašti
>>>>>> >     Software Engineer
>>>>>> >     Red Hat Czech
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>
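
Added example, not part of the original thread: a small POSIX shell triage of httpd journal/error_log text for the two failure signatures quoted above (AH00544 "bad group name" and "NSS_Initialize failed"), counting repeats and mapping each to a standard command to run next. The function names, the MISSING_GROUP / NSS_DB_UNUSABLE labels and the sample log (lines unwrapped from the thread, last line a constructed repeat) are assumptions for illustration.

```sh
#!/bin/sh
# Added example: classify httpd log lines by cause. Reads log text on stdin,
# prints "<CAUSE> <detail> x<count>" once per distinct cause, in first-seen order.
triage_httpd_log() {
  awk '
    function note(key) { if (!(key in count)) order[++n] = key; count[key]++ }
    # httpd exits at startup when its Group directive names an unknown group.
    /AH00544: httpd: bad group name/ { note("MISSING_GROUP " $NF) }
    # NSS could not open its certificate database; the path follows
    # "Certificate database:" and ends with a period.
    /NSS_Initialize failed.*Certificate database:/ {
      db = $0
      sub(/.*Certificate database:[ \t]*/, "", db)
      sub(/\.[ \t\r]*$/, "", db)
      note("NSS_DB_UNUSABLE " db)
    }
    END { for (i = 1; i <= n; i++) print order[i], "x" count[order[i]] }
  '
}

# Map a cause label to the read-only command an admin would run next.
next_check() {
  case "$1" in
    MISSING_GROUP)   printf 'getent group %s\n' "$2" ;;
    NSS_DB_UNUSABLE) printf 'certutil -L -d %s\n' "$2" ;;
    *) return 1 ;;
  esac
}

# Constructed sample: log lines from the thread, unwrapped; the last line is
# a made-up repeat to show counting.
SAMPLE_LOG='May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 09:15:43.101210 2017] [:error] [pid 1190] NSS_Initialize failed. Certificate database: /etc/httpd/alias.'

printf '%s\n' "$SAMPLE_LOG" | triage_httpd_log | while read -r cause arg times; do
  printf '%s %s (%s) -> %s\n' "$cause" "$arg" "$times" "$(next_check "$cause" "$arg")"
done
```

On a live host the input would come from `journalctl -u httpd` or `/var/log/httpd/error_log`, the two sources requested in the thread.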