[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
Robert L. Harris
robert.l.harris at gmail.com
Tue May 16 20:37:50 UTC 2017
I left SELinux enabled, no change, still streaming the same error:
[Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS database exist?
On Tue, May 16, 2017 at 2:12 PM Andrew Holway <andrew.holway at gmail.com>
wrote:
> Yea, I would try installing IPA then making the changes that you want. I
> think SELinux should be left enabled however. It makes admin super fun! :)
>
>
> On 16 May 2017 at 21:57, Robert L. Harris <robert.l.harris at gmail.com>
> wrote:
>
>>
>> I did disable selinux as it gave errors setting up my standard users,
>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>> selinux and then try again.
>>
>>
>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.holway at gmail.com>
>> wrote:
>>
>>> This is pretty weird. FreeIPA installation normally works.
>>>
>>> Has the operating system image been changed or optimised somehow?
>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>> the ISO?
>>>
>>> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.harris at gmail.com>
>>> wrote:
>>>
>>>>
>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no
>>>> alarms on VMWare )
>>>>
>>>>
>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.holway at gmail.com>
>>>> wrote:
>>>>
>>>>> Hallo,
>>>>>
>>>>> How much memory do you have on the machine? I have a sneaking
>>>>> suspicion that you're running out.
>>>>>
>>>>> Ta,
>>>>>
>>>>> Andrew
>>>>>
>>>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> Last night I rolled back my snapshot. Here's what I have after the
>>>>>> yum install
>>>>>>
>>>>>> "minimal" install of Centos7 + basic build.
>>>>>> {0}:/var/log>cat /etc/*elease
>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>> NAME="CentOS Linux"
>>>>>> VERSION="7 (Core)"
>>>>>> ID="centos"
>>>>>> ID_LIKE="rhel fedora"
>>>>>> VERSION_ID="7"
>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>>> ANSI_COLOR="0;31"
>>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>>> HOME_URL="https://www.centos.org/"
>>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>>
>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>>
>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>
>>>>>>
>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>> python-iniparse-0.4-9.el7.noarch
>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>>
>>>>>> Tried to pull an exact client. The "yum install ipa-server" went
>>>>>> fine:
>>>>>>
>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>>
>>>>>>
>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>>
>>>>>> Restarting the directory server
>>>>>> Restarting the KDC
>>>>>> Please add records in this file to your DNS system:
>>>>>> /tmp/ipa.system.records.qLsLyx.db
>>>>>> Restarting the web server
>>>>>> Configuring client side components
>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> Client hostname: ipa.rdlg.net
>>>>>> Realm: RDLG.NET
>>>>>> DNS Domain: rdlg.net
>>>>>> IPA Server: ipa.rdlg.net
>>>>>> BaseDN: dc=rdlg,dc=net
>>>>>>
>>>>>> Skipping synchronizing time with NTP server.
>>>>>> New SSSD config will be created
>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> trying https://ipa.rdlg.net/ipa/json
>>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>
>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>>>
>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
>>>>>>
>>>>>>
>>>>>> Robert
>>>>>>
>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Robert L. Harris wrote:
>>>>>>> >
>>>>>>> > Hmmm
>>>>>>> >
>>>>>>> > {0}:/var/log>ls
>>>>>>> > anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
>>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
>>>>>>> > boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log
>>>>>>> >
>>>>>>> >
>>>>>>> > root at ipa
>>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>>> > package http is not installed
>>>>>>> >
>>>>>>> > root at ipa
>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>>> >
>>>>>>> > root at ipa
>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>>> >
>>>>>>> >
>>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>>
>>>>>>> I find this very hard to believe given that it got so far as to configure
>>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>>>> installed? How did you install it and from what repo?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>>> >
>>>>>>> > That's weird, it should be super fast, anything in
>>>>>>> > /var/log/httpd/error_log?
>>>>>>> >
>>>>>>> >
>>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>>> >>
>>>>>>> >> Odd, must have clicked reply instead of reply-all.
>>>>>>> >>
>>>>>>> >> Anyway, I did the revert and re-install. Actual install went
>>>>>>> >> through fine then the "ipa-server-install" ran until this:
>>>>>>> >>
>>>>>>> >> [8/9]: restoring configuration
>>>>>>> >> [9/9]: starting directory server
>>>>>>> >> Done.
>>>>>>> >> Restarting the directory server
>>>>>>> >> Restarting the KDC
>>>>>>> >> Please add records in this file to your DNS system:
>>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db
>>>>>>> >> Restarting the web server
>>>>>>> >> Configuring client side components
>>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>> >> Client hostname: ipa.rdlg.net
>>>>>>> >> Realm: RDLG.NET
>>>>>>> >> DNS Domain: rdlg.net
>>>>>>> >> IPA Server: ipa.rdlg.net
>>>>>>> >> BaseDN: dc=rdlg,dc=net
>>>>>>> >>
>>>>>>> >> Skipping synchronizing time with NTP server.
>>>>>>> >> New SSSD config will be created
>>>>>>> >> Configured sudoers in /etc/nsswitch.conf
>>>>>>> >> Configured /etc/sssd/sssd.conf
>>>>>>> >> trying https://ipa.rdlg.net/ipa/json
>>>>>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>>>>>>> >> anything in the ipaserver-install.log, but it's here:
>>>>>>> >> https://pastebin.com/biK1Dmv7
>>>>>>> >>
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>>> >>
>>>>>>> >> Please keep freeipa-users in CC
>>>>>>> >>
>>>>>>> >> Snapshot is always better, so I suggest to use it. Otherwise
>>>>>>> >> there is an option --ignore-last-of-role to unblock
>>>>>>> >> uninstallation.
>>>>>>> >>
>>>>>>> >> Martin
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>>> >>>
>>>>>>> >>> Looks like you hit it, apache didn't have a group:
>>>>>>> >>>
>>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>>>> >>>
>>>>>>> >>> Thanks, didn't know that command. I tried to continue the
>>>>>>> >>> process:
>>>>>>> >>>
>>>>>>> >>> {0}:/root>ipa-server-install
>>>>>>> >>>
>>>>>>> >>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
>>>>>>> >>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>>>>> >>>
>>>>>>> >>> root at ipa
>>>>>>> >>> {1}:/root>ipa-server-install --uninstall
>>>>>>> >>>
>>>>>>> >>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>>>>>>> >>>
>>>>>>> >>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>>>>> >>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> This is a VM and I took a snapshot right before I started the
>>>>>>> >>> install, so I can revert, just make sure to add the apache
>>>>>>> >>> user before starting the install. Or if you have a better
>>>>>>> >>> command to continue the clean-up/install.....
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>>> >>>
>>>>>>> >>> Hello,
>>>>>>> >>>
>>>>>>> >>> comments inline
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>>>> >>>>
>>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put
>>>>>>> >>>> that log in the first pastebin. It's in this one:
>>>>>>> >>>> https://pastebin.com/18PAXXNS
>>>>>>> >>>
>>>>>>> >>> Could you please provide journalctl -u httpd and
>>>>>>> >>> /var/log/httpd/error_log ?
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>>
>>>>>>> >>>> Also,
>>>>>>> >>>> Anyone else get the constant spam when mailing this
>>>>>>> >>>> list? Got an address to block for it?
>>>>>>> >>>
>>>>>>> >>> Sorry for that, there is a bot mining public archives. We
>>>>>>> >>> plan to resolve this issue but it may take time as we are
>>>>>>> >>> not maintaining our mailman.
>>>>>>> >>>
>>>>>>> >>> Martin
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>>
>>>>>>> >>>> Robert
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <datakid at gmail.com> wrote:
>>>>>>> >>>>
>>>>>>> >>>> Robert, did you look in
>>>>>>> >>>> /var/log/ipaserver-install.log as it says?
>>>>>>> >>>>
>>>>>>> >>>> Was there any other information?
>>>>>>> >>>>
>>>>>>> >>>> cheers
>>>>>>> >>>> L.
>>>>>>> >>>>
>>>>>>> >>>> ------
>>>>>>> >>>> "Mission Statement: To provide hope and inspiration for
>>>>>>> >>>> collective action, to build collective power, to achieve
>>>>>>> >>>> collective transformation, rooted in grief and rage but pointed
>>>>>>> >>>> towards vision and dreams."
>>>>>>> >>>>
>>>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>>>>>>> >>>>
>>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.harris at gmail.com> wrote:
>>>>>>> >>>>
>>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I
>>>>>>> >>>> built out a "minimal server" with some normal base packages which
>>>>>>> >>>> did include the freeipa-client but otherwise, just standard tools.
>>>>>>> >>>> Here's a pastebin of the output of the install:
>>>>>>> >>>> https://pastebin.com/zAWCgkUU
>>>>>>> >>>>
>>>>>>> >>>> Robert
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>> --
>>>>>>> >>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> >>>> Go to http://freeipa.org for more info on the project
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>
>>>>>>> >>> --
>>>>>>> >>> Martin Bašti
>>>>>>> >>> Software Engineer
>>>>>>> >>> Red Hat Czech
>>>>>>> >>>
>>>>>>> >>
>>>>>>> >> --
>>>>>>> >> Martin Bašti
>>>>>>> >> Software Engineer
>>>>>>> >> Red Hat Czech
>>>>>>> >>
>>>>>>> >
>>>>>>> > --
>>>>>>> > Martin Bašti
>>>>>>> > Software Engineer
>>>>>>> > Red Hat Czech
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>
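A pre-flight check for the two httpd failures reported in this thread (`bad group name apache` and `NSS_Initialize failed` for `/etc/httpd/alias`), as an added example that is not part of the original messages or FreeIPA's own code. It assumes the NSS database files must be group-owned and group-readable by the httpd group; the function names are hypothetical, and it covers both the legacy dbm and the newer sql NSS file layouts.

```shell
#!/bin/sh
# Added example: checks for the two httpd start-up failures seen in the thread.
# Directory and group are parameters; function names are hypothetical.

# Return 0 if the named group exists (httpd exits with AH00544 when it does not).
check_group() {
    getent group "$1" >/dev/null 2>&1
}

# Check an NSS database directory the way a mod_nss-enabled httpd needs it.
# Returns: 0 ok, 2 directory missing, 3 no complete database, 4 not group-readable.
check_nss_dir() {
    dir=$1; grp=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
    # Legacy dbm file set, or the newer sql file set (standard NSS file names).
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ]; then
        files="cert8.db key3.db secmod.db"
    elif [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ]; then
        files="cert9.db key4.db pkcs11.txt"
    else
        echo "no complete NSS database in $dir"; return 3
    fi
    for f in $files; do
        owner_grp=$(stat -c '%G' "$dir/$f")
        mode=$(stat -c '%a' "$dir/$f")
        # Assumption: files are group-owned by $grp with the group read bit (040) set.
        if [ "$owner_grp" != "$grp" ] || [ $(( 0$mode & 040 )) -eq 0 ]; then
            echo "$dir/$f: group=$owner_grp mode=$mode, not readable by group $grp"
            return 4
        fi
    done
    echo "NSS database in $dir is present and readable by group $grp"
}

# Usage on the host from the thread (run as root):
#   check_group apache && check_nss_dir /etc/httpd/alias apache
```
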