On 12/16/20 7:18 PM, lejeczek via FreeIPA-users wrote:


On 16/12/2020 17:29, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
Hi guys.

I'm trying to spin up a new replica:

...

  [25/41]: restarting directory server
   [26/41]: creating DS keytab
   [error] CalledProcessError: CalledProcessError(Command
['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p',
'ldap/sucker.ccnr.ceb.private.cam.ac...@ccn.domain.mine', '-H',
'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9:
'Failed to parse result: Insufficient access rights\n\nRetrying with
pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient
access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k',
'/etc/dirsrv/ds.keytab', '-p',
'ldap/sucker.ccn.domain.m...@ccnr.ceb.private.cam.ac.uk', '-H',
'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9:
'Failed to parse result: Insufficient access rights\n\nRetrying with
pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient
access rights\n\nFailed to get keytab!\nFailed to get keytab\n')


So I do:

~]$ ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!
It is highly recommended to take a backup of existing data and
configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring directory server
[Errno 2] No such file or directory:
'/etc/dirsrv/slapd-CCN-DOMAIN-MINE/dse.ldif'

And from here on it's practically a small mayhem. '--uninstall' no
matter how many times does not help.

I see that 'systemctl status  -l dirsrv@my-instance' is still up. So
obviously:

~]$ ipa-replica-install --setup-dns --no-forwarders --admin-password=ccn
--principal=admin
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

IPA requires ports 389 and 636 for the Directory Server.
These are currently in use:
     389
     636

...

One more time?

~]$ ipa-server-install --uninstall
WARNING:
IPA server is not configured on this system. If you want to install the
IPA server, please install it using 'ipa-server-install'.

This is a NON REVERSIBLE operation and will delete all data and
configuration!
It is highly recommended to take a backup of existing data and
configuration using ipa-backup utility before proceeding.

... and like a vicious circle.

Seems to me that this simple case is what IPA devel guys could look into
and then hopefully improve and harden un/installation process.

ipa-client-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-client-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-selinux-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-server-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-dns-4.8.7-12.module_el8.3.0+511+8a502f20.noarch

dirsrv may be wedged. If you don't want to determine why, you can kill it
with:

# kill -9 `pidof ns-slapd`

Bugs and feature requests can be created at
https://pagure.io/freeipa/new_issue

rob

Thanks, I'll drop a new report there.
At the same time, this seems more puzzling, namely:

----
  [25/41]: restarting directory server
   [26/41]: creating DS keytab
  [error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/sucker.ccnr.ceb.private.cam.ac...@ccn.domain.mine', '-H', 'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/sucker.ccn.domain.m...@ccnr.ceb.private.cam.ac.uk', '-H', 'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
----

I thought it was one-off type of glitch, but now I did uninstall & "cleanup", now ipa-client-install on that replica candidate works fine, but ipa-replica-install fails each time just like here above. I'm on my seventh attempt.

Any idea and thoughts as to what might be the problem and how to troubleshoot are greatly appreciated.

Hi,

there may be some leftover references to the replica you are trying to install. I would try to do:

[master]# ipa-replica-manage del <replica> --clean --force

and also make sure to call "kdestroy -A" before ipa-replica-install.

flo
L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
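
The symptoms and cleanup advice in this thread, turned into a pre-flight check for the replica candidate. This is an added example, not code from the thread or from FreeIPA; the function names are hypothetical and the `ss` sample is constructed.

```shell
#!/bin/sh
# Added example: checks to run on the replica candidate before retrying
# ipa-replica-install. Function names are hypothetical, not FreeIPA tooling.

# Constructed sample of `ss -ltn` output, for trying ds_ports_in_use offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          *:389             *:*
LISTEN 0      128       [::]:636          [::]:*
LISTEN 0      128    0.0.0.0:22      0.0.0.0:*'

# Read `ss -ltn` output on stdin; print the Directory Server ports (389, 636)
# that something is still listening on, one per line.
ds_ports_in_use() {
    awk '{ n = split($4, a, ":"); if (a[n] == "389" || a[n] == "636") print a[n] }' |
        sort -un
}

# Print leftover 389-ds instance directories under $1 (default /etc/dirsrv),
# flagging those without dse.ldif, the file --uninstall could not find above.
leftover_ds_instances() {
    root="${1:-/etc/dirsrv}"
    for d in "$root"/slapd-*; do
        [ -d "$d" ] || continue
        if [ -f "$d/dse.ldif" ]; then echo "$d"; else echo "$d (dse.ldif missing)"; fi
    done
}

# Run all checks on the live host; return non-zero if anything needs cleanup.
preflight() {
    rc=0
    ports=$(ss -ltn 2>/dev/null | ds_ports_in_use | tr '\n' ' ')
    [ -z "$ports" ] || { echo "still listening on: $ports"; rc=1; }
    inst=$(leftover_ds_instances /etc/dirsrv)
    [ -z "$inst" ] || { echo "leftover instances: $inst"; rc=1; }
    # klist -s exits 0 when the default cache holds a valid ticket.
    if klist -s 2>/dev/null; then echo "cached ticket found; run kdestroy -A"; rc=1; fi
    return "$rc"
}

# Only touch the live system when asked to.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Invoke the script with `--run` on the replica candidate; a non-zero exit means a listener, instance directory or cached ticket is still left over from the failed attempt.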