<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/09/2014 11:15 AM, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:5486CBDF.7050606@redhat.com" type="cite">On
12/09/2014 10:48 AM, Niranjan M.R wrote:
<br>
<blockquote type="cite">-----BEGIN PGP SIGNED MESSAGE-----
<br>
Hash: SHA1
<br>
<br>
On 12/09/2014 02:57 PM, thierry bordaz wrote:
<br>
<blockquote type="cite">Hello,
<br>
<br>
Niranjan, may I have access to your test machine.
<br>
<br>
</blockquote>
It's a vm on my laptop. I am trying to reproduce on another VM
<br>
to which i can give access. I will provide the details of this
VM as soon
<br>
as possible.
<br>
<br>
Mean while i am providing ns-slapd access logs, ipa-logs and
pkispawn logs.
<br>
</blockquote>
<br>
Something curious is that the installer is waiting for DS to
restart but it is looking like DS has not received the termination
signal.
<br>
<br>
2014-12-09T09:37:49Z DEBUG Waiting for CA to start...
<br>
...
<br>
2014-12-09T09:42:45Z DEBUG Waiting for CA to start...
<br>
<br>
<br>
[09/Dec/2014:04:37:41 -0500] - Warning: Adding configuration
attribute "nsslapd-security"
<br>
<br>
&lt;&lt; here we should expect a restart of DS &gt;&gt;
<br>
<br>
First, why did DS not receive the restart order, and then, as it is
still running (DS looks idle), what is the install waiting
for?
<br>
</blockquote>
<br>
<blockquote>At the end of the CS configuration, the installer
configures SSL for DS, restarts DS and then reaches LDAP to
retrieve the CA status. It fails<br>
</blockquote>
<blockquote><tt>pki/pki-tomcat/localhost.2014-12-09.log</tt><br>
<tt>Dec 09, 2014 4:37:49 AM
org.apache.catalina.core.StandardWrapperValve invoke</tt><br>
<tt>SEVERE: Servlet.service() for servlet [caGetStatus] in context
with path [/ca] threw exception</tt><br>
<tt>java.io.IOException: CS server is not ready to serve.</tt><br>
<tt> at
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)</tt><br>
<tt> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)</tt><br>
<tt> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</tt><br>
<tt> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)</tt><br>
<tt> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</tt><br>
<tt> at java.lang.reflect.Method.invoke(Method.java:606)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)</tt><br>
<tt> at java.security.AccessController.doPrivileged(Native
Method)</tt><br>
<tt> at
javax.security.auth.Subject.doAsPrivileged(Subject.java:536)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)</tt><br>
<tt> at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)</tt><br>
<tt> at java.security.AccessController.doPrivileged(Native
Method)</tt><br>
<tt> at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)</tt><br>
<tt> at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)</tt><br>
<tt> at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)</tt><br>
<tt> at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)</tt><br>
<tt> at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)</tt><br>
<tt> at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)</tt><br>
<tt> at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)</tt><br>
<tt> at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)</tt><br>
<tt> at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)</tt><br>
<tt> at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)</tt><br>
<tt> at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)</tt><br>
<tt> at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)</tt><br>
<tt> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)</tt><br>
<tt> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)</tt><br>
<tt> at java.lang.Thread.run(Thread.java:745)</tt><br>
<br>
It fails to reach DS because:<br>
<tt>0.localhost-startStop-1 - [09/Dec/2014:04:37:49 EST] [8] [3]
In Ldap (bound) connection pool to host xxxx port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO
Error creating JSS SSL Socket (-1)</tt><br>
<br>
Having not been able to restart DS, the secure port is not enabled
so the CA failure after 5min was normal.<br>
</blockquote>
<blockquote>So the remaining question was why the DS service restart
failed.<br>
The systemd file was dirsrv@dir.service ->
/usr/lib/systemd/system/dirsrv@.service.<br>
<br>
</blockquote>
<br>
<blockquote cite="mid:5486CBDF.7050606@redhat.com" type="cite">
<br>
<br>
<br>
<blockquote type="cite">
<br>
<br>
<blockquote type="cite">thanks
<br>
thierry
<br>
<br>
<br>
On 12/09/2014 10:01 AM, Martin Kosek wrote:
<br>
<blockquote type="cite">On 12/07/2014 03:01 PM, Niranjan M.R
wrote:
<br>
<blockquote type="cite">On 12/06/2014 12:24 AM, Dmitri Pal
wrote:
<br>
<blockquote type="cite">Hello,
<br>
WE NEED HELP!
<br>
The biggest and the most interesting feature of FreeIPA
4.1.2 is support for the two factor authentication using
HOTP/TOTP compatible software tokens like FreeOTP (open
source compatible alternative to Google Authenticator)
and hardware tokens like Yubikeys. This feature allows
Kerberos and LDAP clients of a FreeIPA server to
authenticate using the normal account password as the
first factor and an OTP token as a second factor. For
those environments where a 2FA solution is already in
place, FreeIPA can act as a proxy via RADIUS. More about
this feature can be read here.
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/OTP">http://www.freeipa.org/page/V4/OTP</a>
<br>
If you want to see this feature in downstream distros
sooner rather than later we need your help!
<br>
Please give it a try and provide feedback. We really,
really need it!
<br>
</blockquote>
I am unable to configure ipa-server with
freeipa-server-4.1.2-1.fc20.x86_64, ipa-server-install
fails with below error:
<br>
<br>
Done configuring certificate server (pki-tomcatd).
<br>
Configuring directory server (dirsrv): Estimated time 10
seconds
<br>
[1/3]: configuring ssl for ds instance
<br>
[2/3]: restarting directory server
<br>
ipa : CRITICAL Failed to restart the directory
server ([Errno 2] No such file or directory:
<br>
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
See the installation log for details.
<br>
[3/3]: adding CA certificate entry
<br>
Done configuring directory server (dirsrv).
<br>
CA did not start in 300.0s
<br>
<br>
<br>
Versions used:
<br>
==============
<br>
freeipa-client-4.1.2-1.fc20.x86_64
<br>
freeipa-server-4.1.2-1.fc20.x86_64
<br>
libipa_hbac-1.12.2-2.fc20.x86_64
<br>
libipa_hbac-python-1.12.2-2.fc20.x86_64
<br>
sssd-ipa-1.12.2-2.fc20.x86_64
<br>
device-mapper-multipath-0.4.9-56.fc20.x86_64
<br>
python-iniparse-0.4-9.fc20.noarch
<br>
freeipa-admintools-4.1.2-1.fc20.x86_64
<br>
freeipa-python-4.1.2-1.fc20.x86_64
<br>
389-ds-base-libs-1.3.3.5-1.fc20.x86_64
<br>
389-ds-base-1.3.3.5-1.fc20.x86_64
<br>
<br>
BaseOS:Fedora release 20 (Heisenbug)
<br>
<br>
<br>
Steps to reproduce:
<br>
---------------
<br>
<br>
1. On Fedora-20 system, Used mkosek freeipa repo:
<br>
[mkosek-freeipa]
<br>
name=Copr repo for freeipa owned by mkosek
<br>
baseurl=<a class="moz-txt-link-freetext" href="http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/">http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/</a>
<br>
skip_if_unavailable=True
<br>
gpgcheck=0
<br>
enabled=1
<br>
<br>
2. Install freeipa-server packages from the above repo
<br>
<br>
3. Issue ipa-server-install
<br>
<br>
[root@pkiserver1 ~]# ipa-server-install
<br>
<br>
The log file for this installation can be found in
/var/log/ipaserver-install.log
<br>
==============================================================================
<br>
This program will set up the FreeIPA Server.
<br>
<br>
This includes:
<br>
* Configure a stand-alone CA (dogtag) for certificate
management
<br>
* Configure the Network Time Daemon (ntpd)
<br>
* Create and configure an instance of Directory Server
<br>
* Create and configure a Kerberos Key Distribution
Center (KDC)
<br>
* Configure Apache (httpd)
<br>
<br>
To accept the default shown in brackets, press the Enter
key.
<br>
<br>
WARNING: conflicting time&date synchronization service
'chronyd' will be disabled
<br>
in favor of ntpd
<br>
<br>
Do you want to configure integrated DNS (BIND)? [no]: yes
<br>
<br>
Existing BIND configuration detected, overwrite? [no]: yes
<br>
Enter the fully qualified domain name of the computer
<br>
on which you're setting up server software. Using the form
<br>
&lt;hostname&gt;.&lt;domainname&gt;
<br>
Example: master.example.com.
<br>
<br>
<br>
Server host name [pkiserver1.example.org]:
<br>
<br>
Warning: skipping DNS resolution of host
pkiserver1.example.org
<br>
The domain name has been determined based on the host
name.
<br>
<br>
Please confirm the domain name [example.org]:
<br>
<br>
The kerberos protocol requires a Realm name to be defined.
<br>
This is typically the domain name converted to uppercase.
<br>
<br>
Please provide a realm name [EXAMPLE.ORG]:
<br>
Certain directory server operations require an
administrative user.
<br>
This user is referred to as the Directory Manager and has
full access
<br>
to the Directory for system management tasks and will be
added to the
<br>
<br>
The IPA server requires an administrative user, named
'admin'.
<br>
This user is a regular system account used for IPA server
administration.
<br>
<br>
IPA admin password:
<br>
Password (confirm):
<br>
<br>
Do you want to configure DNS forwarders? [yes]: no
<br>
No DNS forwarders configured
<br>
Do you want to configure the reverse zone? [yes]:
<br>
Please specify the reverse zone name
[122.168.192.in-addr.arpa.]:
<br>
Using reverse zone(s) 122.168.192.in-addr.arpa.
<br>
<br>
The IPA Master Server will be configured with:
<br>
Hostname: pkiserver1.example.org
<br>
IP address(es): 192.168.122.246
<br>
Domain name: example.org
<br>
Realm name: EXAMPLE.ORG
<br>
<br>
BIND DNS server will be configured to serve IPA domain
with:
<br>
Forwarders: No forwarders
<br>
Reverse zone(s): 122.168.192.in-addr.arpa.
<br>
<br>
Continue to configure the system with these values? [no]:
yes
<br>
<br>
The following operations may take some minutes to
complete.
<br>
Please wait until the prompt is returned.
<br>
<br>
<br>
instance of directory server created for IPA.
<br>
The password must be at least 8 characters long.
<br>
<br>
Directory Manager password:
<br>
Password (confirm):
<br>
Configuring NTP daemon (ntpd)
<br>
[1/4]: stopping ntpd
<br>
[2/4]: writing configuration
<br>
[3/4]: configuring ntpd to start on boot
<br>
[4/4]: starting ntpd
<br>
Done configuring NTP daemon (ntpd).
<br>
Configuring directory server (dirsrv): Estimated time 1
minute
<br>
[1/38]: creating directory server user
<br>
[2/38]: creating directory server instance
<br>
[3/38]: adding default schema
<br>
[4/38]: enabling memberof plugin
<br>
[5/38]: enabling winsync plugin
<br>
[6/38]: configuring replication version plugin
<br>
[7/38]: enabling IPA enrollment plugin
<br>
[8/38]: enabling ldapi
<br>
[9/38]: configuring uniqueness plugin
<br>
[10/38]: configuring uuid plugin
<br>
[11/38]: configuring modrdn plugin
<br>
[12/38]: configuring DNS plugin
<br>
[13/38]: enabling entryUSN plugin
<br>
[14/38]: configuring lockout plugin
<br>
[15/38]: creating indices
<br>
[16/38]: enabling referential integrity plugin
<br>
[17/38]: configuring certmap.conf
<br>
[18/38]: configure autobind for root
<br>
[19/38]: configure new location for managed entries
<br>
[20/38]: configure dirsrv ccache
<br>
[21/38]: enable SASL mapping fallback
<br>
[22/38]: restarting directory server
<br>
[23/38]: adding default layout
<br>
[24/38]: adding delegation layout
<br>
[25/38]: creating container for managed entries
<br>
[26/38]: configuring user private groups
<br>
[27/38]: configuring netgroups from hostgroups
<br>
[28/38]: creating default Sudo bind user
<br>
[29/38]: creating default Auto Member layout
<br>
[30/38]: adding range check plugin
<br>
[31/38]: creating default HBAC rule allow_all
<br>
[32/38]: initializing group membership
<br>
[33/38]: adding master entry
<br>
[34/38]: configuring Posix uid/gid generation
<br>
[35/38]: adding replication acis
<br>
[36/38]: enabling compatibility plugin
<br>
[37/38]: tuning directory server
<br>
[38/38]: configuring directory to start on boot
<br>
Done configuring directory server (dirsrv).
<br>
Configuring certificate server (pki-tomcatd): Estimated
time 3 minutes 30 seconds
<br>
[1/27]: creating certificate server user
<br>
[2/27]: configuring certificate server instance
<br>
[3/27]: stopping certificate server instance to update
CS.cfg
<br>
[4/27]: backing up CS.cfg
<br>
[5/27]: disabling nonces
<br>
[6/27]: set up CRL publishing
<br>
[7/27]: enable PKIX certificate path discovery and
validation
<br>
[8/27]: starting certificate server instance
<br>
[9/27]: creating RA agent certificate database
<br>
[10/27]: importing CA chain to RA certificate database
<br>
[11/27]: fixing RA database permissions
<br>
[12/27]: setting up signing cert profile
<br>
[13/27]: set certificate subject base
<br>
[14/27]: enabling Subject Key Identifier
<br>
[15/27]: enabling Subject Alternative Name
<br>
[16/27]: enabling CRL and OCSP extensions for
certificates
<br>
[17/27]: setting audit signing renewal to 2 years
<br>
[18/27]: configuring certificate server to start on
boot
<br>
[19/27]: restarting certificate server
<br>
[20/27]: requesting RA certificate from CA
<br>
[21/27]: issuing RA agent certificate
<br>
[22/27]: adding RA agent as a trusted user
<br>
[23/27]: configure certmonger for renewals
<br>
[24/27]: configure certificate renewals
<br>
[25/27]: configure RA certificate renewal
<br>
[26/27]: configure Server-Cert certificate renewal
<br>
[27/27]: Configure HTTP to proxy connections
<br>
Done configuring certificate server (pki-tomcatd).
<br>
Configuring directory server (dirsrv): Estimated time 10
seconds
<br>
[1/3]: configuring ssl for ds instance
<br>
[2/3]: restarting directory server
<br>
ipa : CRITICAL Failed to restart the directory
server ([Errno 2] No such file or directory:
<br>
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
See the installation log for details.
<br>
[3/3]: adding CA certificate entry
<br>
Done configuring directory server (dirsrv).
<br>
<br>
CA did not start in 300.0s
<br>
<br>
Attaching ipaserver-install.log, pkispawn logs
<br>
<br>
Any hints on how to overcome the above error.
<br>
</blockquote>
The error is obviously in Directory Server restart. I am not
sure what causes
<br>
<br>
2014-12-07T11:16:25Z DEBUG [2/3]: restarting directory
server
<br>
2014-12-07T11:16:25Z CRITICAL Failed to restart the
directory server ([Errno 2]
<br>
No such file or directory:
<br>
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
See the
<br>
installation log for details.
<br>
<br>
The first restart worked and it uses the same call, AFAIK.
It would be
<br>
interesting to see the latest logs of the instance after
ipa-server-install
<br>
crashes:
<br>
<br>
# systemctl status dirsrv@EXAMPLE-ORG.service
<br>
<br>
It may have some useful logs that would reveal what
happened.
<br>
<br>
Martin
<br>
</blockquote>
</blockquote>
<br>
-- Niranjan
<br>
irc: mrniranjan
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v1
<br>
<br>
iKYEARECAGYFAlSGxYFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
<br>
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEY3OTE3QTg3ODE0RkVCQ0YyNjgyOTRENjJF
<br>
RURDNTVGNjA0N0M3QzcACgkQLu3FX2BHx8e61wCgtCSWtdpOMWVP+Pr7fPmoXiPC
<br>
DAsAoI0phFg3dtQJNRvpm8YCjLEs9r66
<br>
=1MYR
<br>
-----END PGP SIGNATURE-----
<br>
</blockquote>
<br>
</blockquote>
<br>
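<p>The thread above ends with two open questions: why the installer's stat() of the
<tt>dirsrv.target.wants</tt> symlink failed, and why the CA's LDAPS connection then died.
Below is an added triage helper (example code, not FreeIPA's or 389-ds's own) that ties
the two together: given the realm it derives the dirsrv instance name and the
<tt>dirsrv.target.wants/dirsrv@&lt;instance&gt;.service</tt> link the installer looks for,
reads <tt>nsslapd-security</tt> and <tt>nsslapd-secureport</tt> from a constructed
<tt>dse.ldif</tt> fragment, and reports that a secure port configured on disk is not being
served when the restart cannot succeed. The realm-to-instance rule (dots to dashes), the
exact link path, the template unit path and the sample <tt>dse.ldif</tt> are assumptions for
this example; the throwaway systemd tree it inspects is constructed in a temp directory, not
read from a real host.</p>

```python
"""Triage helper for the dirsrv restart failure discussed in this thread.

Added example, not FreeIPA or 389-ds code. Assumptions (not taken from the thread):
the instance id is the realm with '.' replaced by '-', the installer treats the
service as enabled when dirsrv.target.wants/dirsrv@<instance>.service exists under
the systemd root, and nsslapd-security / nsslapd-secureport live in dse.ldif.
"""
import os
import tempfile
from pathlib import Path

# Template unit the instance link is expected to point at (assumed path).
TEMPLATE_UNIT = "/usr/lib/systemd/system/dirsrv@.service"

# Constructed cn=config fragment standing in for /etc/dirsrv/slapd-<instance>/dse.ldif.
SAMPLE_DSE = """dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-security: on
nsslapd-secureport: 636
"""


def realm_to_instance(realm: str) -> str:
    """EXAMPLE.ORG -> EXAMPLE-ORG (assumed realm-to-instance rule)."""
    return realm.replace(".", "-")


def wants_link(systemd_root: Path, instance: str) -> Path:
    """Symlink the installer stat()s before restarting the instance."""
    return systemd_root / "dirsrv.target.wants" / f"dirsrv@{instance}.service"


def check_unit_link(systemd_root, instance):
    """Return (state, detail): 'missing', 'wrong-target' or 'ok' for the wants link."""
    link = wants_link(Path(systemd_root), instance)
    # A dangling symlink is still a link; only a truly absent path is 'missing'.
    if not link.is_symlink() and not link.exists():
        return "missing", f"{link} does not exist ([Errno 2] from the installer)"
    if link.is_symlink():
        target = os.readlink(link)
        if target != TEMPLATE_UNIT:
            return "wrong-target", f"{link} -> {target}, expected {TEMPLATE_UNIT}"
    return "ok", str(link)


def parse_dse_security(dse_ldif: str):
    """Extract nsslapd-security and nsslapd-secureport from a dse.ldif text."""
    security, port = "off", None
    for line in dse_ldif.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "nsslapd-security":
            security = value.lower()
        elif key == "nsslapd-secureport":
            port = int(value)
    return security, port


def diagnose(systemd_root, realm, dse_ldif):
    """List findings explaining why the CA cannot reach LDAPS after a failed restart."""
    instance = realm_to_instance(realm)
    state, detail = check_unit_link(systemd_root, instance)
    security, port = parse_dse_security(dse_ldif)
    findings = [
        f"unit link: {state} ({detail})",
        f"dse.ldif: nsslapd-security={security}, nsslapd-secureport={port}",
    ]
    if state != "ok" and security == "on":
        findings.append(
            f"restart of dirsrv@{instance} cannot succeed, so TLS on port {port} is "
            "configured on disk but not served; expect the CA's JSS connection to "
            f"port {port} to fail"
        )
    return findings


def demo(enabled: bool):
    """Build a constructed systemd tree in a temp dir and run diagnose() against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dirsrv.target.wants").mkdir()
        if enabled:
            os.symlink(TEMPLATE_UNIT, wants_link(root, "EXAMPLE-ORG"))
        return diagnose(root, "EXAMPLE.ORG", SAMPLE_DSE)


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"--- wants link present: {enabled}")
        for finding in demo(enabled):
            print(finding)
```

<p>On a real host, point <tt>diagnose()</tt> at <tt>/etc/systemd/system</tt> and the
instance's <tt>dse.ldif</tt>; the useful output is the third finding, which says whether
the LDAPS failure seen by the CA is a consequence of the restart failure rather than a
separate TLS problem.</p>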
</body>
</html>