<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 14/05/15 13:54, Remigio Moncayo
Serrano wrote:<br>
</div>
<blockquote
cite="mid:0A2A5163954B3342B82944846B7FD995149055@lexus.ingenia.local"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">I
fail to see the problem in the logs so I’m attaching the
file here
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:ES">From:</span></b><span
style="color:windowtext;mso-fareast-language:ES"> Martin
Basti [<a class="moz-txt-link-freetext" href="mailto:mbasti@redhat.com">mailto:mbasti@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, 14 May 2015 13:05<br>
<b>To:</b> Remigio Moncayo Serrano;
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Configuration of CA
failed<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 14/05/15 11:58, Remigio Moncayo
Serrano wrote:<span
style="font-size:12.0pt;mso-fareast-language:ES"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I’ve been put in
charge of implementing a solution that uses LDAP and
Kerberos authentication. At first I thought I should use
OpenLDAP and Kerberos, but I found FreeIPA and it looks really
cool. However, when trying to install it I keep getting this
error about configuration of the CA:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The following
operations may take some minutes to complete.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Please wait until the
prompt is returned.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Configuring NTP daemon
(ntpd)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [1/4]: stopping ntpd</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [2/4]: writing
configuration</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [3/4]: configuring
ntpd to start on boot</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [4/4]: starting ntpd</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Done configuring NTP
daemon (ntpd).</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Configuring directory
server for the CA (pkids): Estimated time 30 seconds</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [1/3]: creating
directory server user</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [2/3]: creating
directory server instance</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [3/3]: restarting
directory server</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">ipa : CRITICAL
Failed to restart the directory server. See the
installation log for details.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Done configuring
directory server for the CA (pkids).</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Configuring
certificate server (pki-cad): Estimated time 3 minutes 30
seconds</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [1/20]: creating
certificate server user</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> [2/20]: configuring
certificate server instance</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">ipa : CRITICAL
failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname
ipatest.ingenia.local -cs_port 9445 -client_certdb_dir
/tmp/tmp-ARezzO -client_certdb_pwd XXXXXXXX -preop_pin
f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password XXXXXXXX
-agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host
ipatest.ingenia.local -ldap_port 7389 -bind_dn
cn=Directory Manager -bind_password XXXXXXXX -base_dn
o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd
XXXXXXXX -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA
Subsystem,O=INGENIA.LOCAL -ca_subsystem_cert_subject_name
CN=CA Subsystem,O=INGENIA.LOCAL -ca_ocsp_cert_subject_name
CN=OCSP Subsystem,O=INGENIA.LOCAL
-ca_server_cert_subject_name
CN=ipatest.ingenia.local,O=INGENIA.LOCAL
-ca_audit_signing_cert_subject_name CN=CA
Audit,O=INGENIA.LOCAL -ca_sign_cert_subject_name
CN=Certificate Authority,O=INGENIA.LOCAL -external false
-clone false' returned non-zero exit status 255</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Configuration of CA
failed</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I’m including two
install logs, one with dns-setup and the other without it.
I don’t really know what I’m doing wrong. I thought maybe I
should allow connections to certain ports in iptables or
something, but I have no clue really and I’m quite new to
this. Help, please.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Remigio</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif;mso-fareast-language:ES"><br>
<br>
<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif;mso-fareast-language:ES">Hello,<br>
<br>
Can you please check the error logs of DS?<br>
/var/log/dirsrv/slapd-*/errors<br>
<br>
And please post here the error explaining why the DS restart failed.<br>
<br>
Martin<br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Martin Basti<o:p></o:p></pre>
</div>
</blockquote>
Indeed, the log looks good.<br>
There is some issue where IPA cannot verify DS on port 7389.<br>
<br>
Can you answer the questions asked by Martin Kosek, please?<br>
Martin<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
</body>
</html>