[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

Andrew Holway andrew.holway at gmail.com
Tue May 16 20:40:08 UTC 2017


I have a feeling that there is something broken with your image. Could you
try installing CentOS from ISO?

On 16 May 2017 at 22:37, Robert L. Harris <robert.l.harris at gmail.com> wrote:

>
> I left SELinux enabled, no change, still streaming the same error:
>
> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS database exist?
>
>
>
> On Tue, May 16, 2017 at 2:12 PM Andrew Holway <andrew.holway at gmail.com>
> wrote:
>
>> Yea, I would try installing IPA then making the changes that you want. I
>> think SELinux should be left enabled however. It makes admin super fun! :)
>>
>>
>> On 16 May 2017 at 21:57, Robert L. Harris <robert.l.harris at gmail.com>
>> wrote:
>>
>>>
>>> I did disable selinux as it gave errors setting up my standard users,
>>> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>>> selinux and then try again.
>>>
>>>
>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.holway at gmail.com>
>>> wrote:
>>>
>>>> This is pretty weird. FreeIPA installation normally works.
>>>>
>>>> Has the operating system image been changed or optimised somehow?
>>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>>> the ISO?
>>>>
>>>> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.harris at gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>>    2 Gigs, it's a VM.  The VM didn't report any memory issues ( no
>>>>> alarms on VMWare )
>>>>>
>>>>>
>>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <
>>>>> andrew.holway at gmail.com> wrote:
>>>>>
>>>>>> Hallo,
>>>>>>
>>>>>> How much memory do you have on the machine? I have a sneaking
>>>>>> suspicion that you're running out.
>>>>>>
>>>>>> Ta,
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.harris at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> Last night I rolled back my snapshot.  Here's what I have after the
>>>>>>> yum install
>>>>>>>
>>>>>>> "minimal" install of Centos7 + basic build.
>>>>>>> {0}:/var/log>cat /etc/*elease
>>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>> NAME="CentOS Linux"
>>>>>>> VERSION="7 (Core)"
>>>>>>> ID="centos"
>>>>>>> ID_LIKE="rhel fedora"
>>>>>>> VERSION_ID="7"
>>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>>>> ANSI_COLOR="0;31"
>>>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>>>> HOME_URL="https://www.centos.org/"
>>>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>>>
>>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>>>
>>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>>
>>>>>>>
>>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>>> python-iniparse-0.4-9.el7.noarch
>>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>>>
>>>>>>> Tried to pull an exact client.  The "yum install ipa-server" went
>>>>>>> fine:
>>>>>>>
>>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>>>
>>>>>>>
>>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>>>
>>>>>>> Restarting the directory server
>>>>>>> Restarting the KDC
>>>>>>> Please add records in this file to your DNS system:
>>>>>>> /tmp/ipa.system.records.qLsLyx.db
>>>>>>> Restarting the web server
>>>>>>> Configuring client side components
>>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>> Client hostname: ipa.rdlg.net
>>>>>>> Realm: RDLG.NET
>>>>>>> DNS Domain: rdlg.net
>>>>>>> IPA Server: ipa.rdlg.net
>>>>>>> BaseDN: dc=rdlg,dc=net
>>>>>>>
>>>>>>> Skipping synchronizing time with NTP server.
>>>>>>> New SSSD config will be created
>>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>> trying https://ipa.rdlg.net/ipa/json
>>>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>>
>>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>>>>
>>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
>>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
>>>>>>>
>>>>>>>
>>>>>>> Robert
>>>>>>>
>>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Robert L. Harris wrote:
>>>>>>>> >
>>>>>>>> > Hmmm
>>>>>>>> >
>>>>>>>> > {0}:/var/log>ls
>>>>>>>> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog          wtmp
>>>>>>>> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned             yum.log
>>>>>>>> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > root at ipa
>>>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>>>> > package http is not installed
>>>>>>>> >
>>>>>>>> > root at ipa
>>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>>>> >
>>>>>>>> > root at ipa
>>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>>>
>>>>>>>> I find this very hard to believe given that it got so far as to configure
>>>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>>>>> installed? How did you install it and from what repo?
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>>>> >
>>>>>>>> >     That's weird, it should be super fast, anything in
>>>>>>>> >     /var/log/httpd/error_log?
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >     On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>>>> >>
>>>>>>>> >>     Odd, must have clicked reply instead of reply-all.
>>>>>>>> >>
>>>>>>>> >>     Anyway, I did the revert and re-install.  Actual install went
>>>>>>>> >>     through fine then the "ipa-server-install" ran until this:
>>>>>>>> >>
>>>>>>>> >>       [8/9]: restoring configuration
>>>>>>>> >>       [9/9]: starting directory server
>>>>>>>> >>     Done.
>>>>>>>> >>     Restarting the directory server
>>>>>>>> >>     Restarting the KDC
>>>>>>>> >>     Please add records in this file to your DNS system:
>>>>>>>> >>     /tmp/ipa.system.records.v5Jwrt.db
>>>>>>>> >>     Restarting the web server
>>>>>>>> >>     Configuring client side components
>>>>>>>> >>     Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>>> >>     Client hostname: ipa.rdlg.net
>>>>>>>> >>     Realm: RDLG.NET
>>>>>>>> >>     DNS Domain: rdlg.net
>>>>>>>> >>     IPA Server: ipa.rdlg.net
>>>>>>>> >>     BaseDN: dc=rdlg,dc=net
>>>>>>>> >>
>>>>>>>> >>     Skipping synchronizing time with NTP server.
>>>>>>>> >>     New SSSD config will be created
>>>>>>>> >>     Configured sudoers in /etc/nsswitch.conf
>>>>>>>> >>     Configured /etc/sssd/sssd.conf
>>>>>>>> >>     trying https://ipa.rdlg.net/ipa/json
>>>>>>>> >>     Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>     It's been sitting there for a while ( 4 hours? )  I don't see
>>>>>>>> >>     anything in the ipaserver-install.log, but it's here:
>>>>>>>> >>      https://pastebin.com/biK1Dmv7
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>     On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>>>> >>
>>>>>>>> >>         Please keep freeipa-users in CC
>>>>>>>> >>
>>>>>>>> >>         Snapshot is always better, so I suggest to use it. Otherwise
>>>>>>>> >>         there is an option --ignore-last-of-role to unblock
>>>>>>>> >>         uninstallation.
>>>>>>>> >>
>>>>>>>> >>         Martin
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>         On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>>>> >>>
>>>>>>>> >>>         Looks like you hit it, apache didn't have a group:
>>>>>>>> >>>
>>>>>>>> >>>         -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa         : INFO     KDC proxy enabled
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>>>>> >>>         May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>>>>> >>>
>>>>>>>> >>>         Thanks, didn't know that command.  I tried to continue the
>>>>>>>> >>>         process:
>>>>>>>> >>>
>>>>>>>> >>>         {0}:/root>ipa-server-install
>>>>>>>> >>>
>>>>>>>> >>>         The log file for this installation can be found in
>>>>>>>> >>>         /var/log/ipaserver-install.log
>>>>>>>> >>>         ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA
>>>>>>>> >>>         server is already configured on this system.
>>>>>>>> >>>         If you want to reinstall the IPA server, please uninstall it
>>>>>>>> >>>         first using 'ipa-server-install --uninstall'.
>>>>>>>> >>>         ipa.ipapython.install.cli.install_tool(Server): ERROR    The
>>>>>>>> >>>         ipa-server-install command failed. See
>>>>>>>> >>>         /var/log/ipaserver-install.log for more information
>>>>>>>> >>>
>>>>>>>> >>>         root at ipa
>>>>>>>> >>>         {1}:/root>ipa-server-install  --uninstall
>>>>>>>> >>>
>>>>>>>> >>>         This is a NON REVERSIBLE operation and will delete all data
>>>>>>>> >>>         and configuration!
>>>>>>>> >>>
>>>>>>>> >>>         Are you sure you want to continue with the uninstall
>>>>>>>> >>>         procedure? [no]: yes
>>>>>>>> >>>         ipa         : ERROR    Server removal aborted: Deleting this
>>>>>>>> >>>         server is not allowed as it would leave your installation
>>>>>>>> >>>         without a CA..
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>         This is a VM and I took a snapshot right before I started the
>>>>>>>> >>>         install, so I can revert, just make sure to add the apache
>>>>>>>> >>>         user before starting the install.  Or if you have a better
>>>>>>>> >>>         command to continue the clean-up/install.....
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>         On Thu, May 11, 2017 at 2:19 AM Martin Bašti
>>>>>>>> >>>         <mbasti at redhat.com> wrote:
>>>>>>>> >>>
>>>>>>>> >>>             Hello,
>>>>>>>> >>>
>>>>>>>> >>>             comments inline
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>             On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>>>>> >>>>
>>>>>>>> >>>>             Sigh... Sorry, it's been a long day, I thought I put
>>>>>>>> >>>>             that log in the first pastebin.  It's in this one:
>>>>>>>> >>>>              https://pastebin.com/18PAXXNS
>>>>>>>> >>>
>>>>>>>> >>>             Could you please provide journalctl -u httpd and
>>>>>>>> >>>             /var/log/httpd/error_log ?
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>>
>>>>>>>> >>>>             Also,
>>>>>>>> >>>>                Anyone else get the constant spam when mailing this
>>>>>>>> >>>>             list?  Got an address to block for it?
>>>>>>>> >>>
>>>>>>>> >>>             Sorry for that, there is a bot mining public archives. We
>>>>>>>> >>>             plan to resolve this issue but it may take time as we are
>>>>>>>> >>>             not maintaining our mailman.
>>>>>>>> >>>
>>>>>>>> >>>             Martin
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>>
>>>>>>>> >>>>             Robert
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>             On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman
>>>>>>>> >>>>             <datakid at gmail.com> wrote:
>>>>>>>> >>>>
>>>>>>>> >>>>                 Robert, did you look in
>>>>>>>> >>>>                 /var/log/ipaserver-install.log as it says?
>>>>>>>> >>>>
>>>>>>>> >>>>                 Was there any other information?
>>>>>>>> >>>>
>>>>>>>> >>>>                 cheers
>>>>>>>> >>>>                 L.
>>>>>>>> >>>>
>>>>>>>> >>>>                 ------
>>>>>>>> >>>>                 "Mission Statement: To provide hope and inspiration
>>>>>>>> >>>>                 for collective action, to build collective power, to
>>>>>>>> >>>>                 achieve collective transformation, rooted in grief
>>>>>>>> >>>>                 and rage but pointed towards vision and dreams."
>>>>>>>> >>>>
>>>>>>>> >>>>                  - Patrice Cullors, /Black Lives Matter founder/
>>>>>>>> >>>>
>>>>>>>> >>>>                 On 11 May 2017 at 13:24, Robert L. Harris
>>>>>>>> >>>>                 <robert.l.harris at gmail.com> wrote:
>>>>>>>> >>>>
>>>>>>>> >>>>                     Ok,  I gave up on Ubuntu.  I'm now trying the
>>>>>>>> >>>>                     latest CentOS7.  I built out a "minimal server"
>>>>>>>> >>>>                     with some normal base packages which did include
>>>>>>>> >>>>                     the freeipa-client but otherwise, just standard
>>>>>>>> >>>>                     tools.  Here's a pastebin of the output of the
>>>>>>>> >>>>                     install:  https://pastebin.com/zAWCgkUU
>>>>>>>> >>>>
>>>>>>>> >>>>                     Robert
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>                     --
>>>>>>>> >>>>                     Manage your subscription for the Freeipa-users
>>>>>>>> >>>>                     mailing list:
>>>>>>>> >>>>                     https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> >>>>                     Go to http://freeipa.org for more info on the
>>>>>>>> >>>>                     project
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>
>>>>>>>> >>>             --
>>>>>>>> >>>             Martin Bašti
>>>>>>>> >>>             Software Engineer
>>>>>>>> >>>             Red Hat Czech
>>>>>>>> >>>
>>>>>>>> >>
>>>>>>>> >>         --
>>>>>>>> >>         Martin Bašti
>>>>>>>> >>         Software Engineer
>>>>>>>> >>         Red Hat Czech
>>>>>>>> >>
>>>>>>>> >
>>>>>>>> >     --
>>>>>>>> >     Martin Bašti
>>>>>>>> >     Software Engineer
>>>>>>>> >     Red Hat Czech
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>
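
The quoted logs show two host-level failures: httpd refusing to start with "AH00544: bad group name apache", and mod_nss reporting NSS_Initialize failed for /etc/httpd/alias. The script below is an added example, not part of the original thread or of FreeIPA, that checks for both before or after running ipa-server-install; the function names are hypothetical, the paths are the ones in the quoted logs, and the database file names are the standard NSS dbm and sql layouts.

```shell
#!/bin/sh
# Added example: host checks for the two failures quoted in this thread.
# Function names are hypothetical; default paths come from the quoted logs.

# has_group NAME [GROUP_FILE]: succeed if the group exists.
# With GROUP_FILE, read that file (group(5) format); otherwise ask getent.
has_group() {
    if [ -n "${2:-}" ]; then
        grep -q -- "^$1:" "$2"
    else
        getent group "$1" >/dev/null 2>&1
    fi
}

# nss_db_present DIR: succeed if DIR holds a non-empty NSS database in the
# legacy dbm layout (cert8.db + key3.db) or the sql layout (cert9.db + key4.db).
nss_db_present() {
    { [ -s "$1/cert8.db" ] && [ -s "$1/key3.db" ]; } ||
    { [ -s "$1/cert9.db" ] && [ -s "$1/key4.db" ]; }
}

# count_nss_failures LOG: print the number of NSS_Initialize failures in LOG.
count_nss_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'NSS_Initialize failed' "$1" || true
}

# preflight [ALIAS_DIR] [ERROR_LOG] [GROUP_FILE]: run every check, print one
# line per finding, and return the number of problems found (0 to 3).
preflight() {
    dir=${1:-/etc/httpd/alias} log=${2:-/var/log/httpd/error_log} problems=0
    if ! has_group apache "${3:-}"; then
        echo "FAIL: group 'apache' missing (httpd exits with AH00544)"
        problems=$((problems + 1))
    fi
    if ! nss_db_present "$dir"; then
        echo "FAIL: no NSS certificate database in $dir"
        problems=$((problems + 1))
    fi
    n=$(count_nss_failures "$log")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n NSS_Initialize failures logged in $log"
        problems=$((problems + 1))
    fi
    # SELinux mode is reported only; the thread advises leaving it enabled.
    if command -v getenforce >/dev/null 2>&1; then
        echo "INFO: SELinux mode is $(getenforce)"
    fi
    return "$problems"
}

# Run against the live host only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```
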