On 9/11/19 10:53 PM, danielle lampert wrote:
> When creating the file manually and running the command, this seems to
> work. Later I have other problems: when stopping the main server and
> running only a replica and a client, the client cannot add any user.
> Restarting the main server, everything goes back to working, this means my
> lab is not resilient. I'm almost sure to have followed the documentation ()
>
> Here's the error message
>
> # ipa user-add jdalton --first=Joe --last=Dalton
> ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
>
> I don't know if this is related to this version (4.5.0-20) or if I need
> to look further into what's wrong.

Hi,

this is a known issue already tracked by ticket 5070 [1]

The workaround is the following:
when the first master is still up and running, run ipa user-add on the
replica. This operation will trigger the allocation of a range on the
replica. Any subsequent user-add will succeed even if the master is stopped.

HTH,
flo

[1] https://pagure.io/freeipa/issue/5070

On Tue, Sep 10, 2019 at 21:07, Rob Crittenden <rcrit...@redhat.com> wrote:

danielle lampert wrote:
>
> There's no such file as /usr/lib/tmpfiles.d/ipa.conf
>
> # ls -l /usr/lib/tmpfiles.d/ipa.conf
> ls: cannot access /usr/lib/tmpfiles.d/ipa.conf: No such file or directory
>
> I only find this one
>
> # cat /usr/share/ipa/ipa.conf.tmpfiles
> d /var/run/ipa 0711 root root
> d /var/run/ipa/ccaches 0770 ipaapi ipaapi
>
> I re-installed my VMs more than 20 times, the replica never works after
> reboot with the version I'm using.

So create the file using those values and run the systemd command...

rob
>
> On Tue, Sep 10, 2019 at 16:48, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> danielle lampert wrote:
> >
> > Hello,
> >
> > > Assuming you have:
> >
> > > # cat /usr/lib/tmpfiles.d/ipa.conf
> >
> > I don't have this file, it's not created during the replica install.
> > This log ipareplica-install.log shows:
> >
> > 2019-09-10T06:43:40Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa.conf'
> > 2019-09-10T06:43:40Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
> > 2019-09-10T06:43:40Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
> > 2019-09-10T06:43:40Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
>
> Ok, those are unrelated.
>
> /usr/lib/tmpfiles.d/ipa.conf should contain:
>
> d /var/run/ipa 0711 root root
> d /var/run/ipa/ccaches 0770 ipaapi ipaapi
>
> then run: systemd-tmpfiles --create ipa.conf
>
> rob
>
> >
> > On Fri, Sep 6, 2019 at 19:36, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > danielle lampert via FreeIPA-users wrote:
> > >
> > > I think I'm just facing Bug 1469246 - Replica install fails to
> > > configure IPA-specific temporary files/directories
> > > (https://bugzilla.redhat.com/show_bug.cgi?id=1469246)
> > >
> > > The bug doesn't provide any solution other than upgrading.
> > > Thanks for your help anyway.
> >
> > Assuming you have:
> >
> > # cat /usr/lib/tmpfiles.d/ipa.conf
> > d /run/ipa 0711 root root
> > d /run/ipa/ccaches 0770 ipaapi ipaapi
> >
> > run
> >
> > # systemd-tmpfiles --create ipa.conf
> >
> > rob
> >
> > >
> > > On Wed, Sep 4, 2019 at 23:43, danielle lampert <danielle55.lamp...@gmail.com> wrote:
> > >
> > > Hello,
> > >
> > > OK I now understand that it's ipa service which is not starting at boot.
> > >
> > > The service status gives:
> > >
> > > # service ipa status
> > > Redirecting to /bin/systemctl status ipa.service
> > > ● ipa.service - Identity, Policy, Audit
> > > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
> > > Active: failed (Result: exit-code) since Wed 2019-09-04 23:34:20 CEST; 6min ago
> > > Process: 990 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
> > > Main PID: 990 (code=exited, status=1/FAILURE)
> > >
> > > Sep 04 23:33:36 srv2.rhce.local systemd[1]: Starting Identity, Policy, Audit...
> > > Sep 04 23:34:20 srv2.rhce.local ipactl[990]: Failed to start Directory Service: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> > > Sep 04 23:34:20 srv2.rhce.local ipactl[990]: Starting Directory Service
> > > Sep 04 23:34:20 srv2.rhce.local systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
> > > Sep 04 23:34:20 srv2.rhce.local systemd[1]: Failed to start Identity, Policy, Audit.
> > > Sep 04 23:34:20 srv2.rhce.local systemd[1]: Unit ipa.service entered failed state.
> > > Sep 04 23:34:20 srv2.rhce.local systemd[1]: ipa.service failed.
> > >
> > > Shouldn't /var/run/ipa/services.list be created during the replica
> > > installation?
> > >
> > > On Wed, Sep 4, 2019 at 17:53, Florence Blanc-Renaud <f...@redhat.com> wrote:
> > >
> > > On 9/4/19 12:02 AM, danielle lampert via FreeIPA-users wrote:
> > > >
> > > > Hello,
> > > >
> > > > I'm running freeipa 4.5.0-20 on CentOS Linux release 7.4.1708 (Core)
> > > >
> > > > I've noticed that when rebooting my replica, things are not working
> > > > anymore on this replica, as I can't get a kinit to work for example.
> > > > It seems that services are disabled by default and I wonder if this is
> > > > normal? Should we enable these services manually?
> > > > After restarting everything with an ipactl command, it then is working.
> > > >
> > > Hi,
> > >
> > > it's normal that kadmin.service is disabled because it will be started
> > > as part of the ipa.service unit.
> > >
> > > You will probably find the reason why kadmin failed to start after the
> > > reboot in the journal, or in /var/log/kadmind.log. There was a known
> > > issue if rpcbind service is already taking the 749 port
> > > (https://bugzilla.redhat.com/show_bug.cgi?id=1592883)
> > >
> > > flo
> > >
> > > > Thanks in advance for your answers, below are my commands and
> > > > their results.
> > > >
> > > > D.L.
> > > >
> > > > # kinit admin
> > > > kinit: Cannot contact any KDC for realm 'IPB.RHCE.LOCAL' while getting initial credentials
> > > >
> > > > # systemctl status kadmin.service
> > > > ● kadmin.service - Kerberos 5 Password-changing and Administration
> > > > Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
> > > > Active: inactive (dead)
> > > >
> > > > # ipactl status
> > > > Directory Service: RUNNING
> > > > krb5kdc Service: STOPPED
> > > > kadmin Service: STOPPED
> > > > httpd Service: STOPPED
> > > > ipa-custodia Service: STOPPED
> > > > ntpd Service: STOPPED
> > > > pki-tomcatd Service: STOPPED
> > > > ipa-otpd Service: STOPPED
> > > > ipa: INFO: The ipactl command was successful
> > > >
> > > > # ipactl restart
> > > > Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> > > > Restarting Directory Service
> > > > Restarting krb5kdc Service
> > > > Restarting kadmin Service
> > > > Restarting httpd Service
> > > > Restarting ipa-custodia Service
> > > > Restarting ntpd Service
> > > > Restarting pki-tomcatd Service
> > > > Restarting ipa-otpd Service
> > > > ipa: INFO: The ipactl command was successful
> > > >
> > > > # kinit admin
> > > > Password for ad...@ipb.rhce.LOCAL:
> > > >
> > > > # klist
> > > > Ticket cache: KEYRING:persistent:0:0
> > > > Default principal: ad...@ipb.rhce.LOCAL
> > > >
> > > > Valid starting Expires Service principal
> > > > 03/09/19 23:55:09 04/09/19 23:55:08 krbtgt/ipb.rhce.lo...@ipb.rhce.LOCAL
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > >
> >
>
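
Added example, not part of the thread and not FreeIPA code: once /usr/lib/tmpfiles.d/ipa.conf has been created and `systemd-tmpfiles --create ipa.conf` has been run as described in the quoted replies, this shell function confirms that every `d` entry exists with the declared mode and owner (the ccaches directory holds credential caches, so 0770 ipaapi:ipaapi matters). The function name and the optional ROOT prefix are assumptions made for the example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not FreeIPA code): audit the "d" entries of a tmpfiles.d file.
# check_tmpfiles_dirs CONF [ROOT]
#   CONF  tmpfiles.d file, e.g. /usr/lib/tmpfiles.d/ipa.conf
#   ROOT  optional prefix prepended to each path (hypothetical parameter,
#         so the check can be tried against a scratch tree)
# Prints one line per entry and returns the number of failed entries.
check_tmpfiles_dirs() {
    conf=$1
    root=${2:-}
    bad=0
    while read -r type path mode user group _rest; do
        # Only directory entries are audited; comments and blanks are skipped.
        [ "$type" = "d" ] || continue
        target=$root$path
        if [ ! -d "$target" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        # stat prints the mode without a leading zero, so strip it from
        # the declared mode before comparing (0711 -> 711).
        want="$(printf '%s' "$mode" | sed 's/^0*//') $user $group"
        have=$(stat -c '%a %U %G' "$target")
        if [ "$want" = "$have" ]; then
            echo "OK       $path ($have)"
        else
            echo "MISMATCH $path want=[$want] have=[$have]"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"
}

# Usage on a replica (as root):
#   check_tmpfiles_dirs /usr/lib/tmpfiles.d/ipa.conf
```

A non-zero return after a reboot means the directories were not recreated as declared, which is the condition behind the missing /var/run/ipa/services.list error in the thread.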