Figured it out. Missing apache modules (not loaded). One of the following....
LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so I'm not sure which one, i just matched what was on the master and reinstalled the replica - no errors. Been a long day so i don't feel like going through one by one, uninstalling/reinstalling etc. I imagine its probably mod_authz_groupfile.so, but others are probably needed too. Regards, Les ________________________________________ From: Les Stott Sent: Monday, December 16, 2013 11:44 PM To: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Trouble with replica install Petr, The below was the error from apache error logs.... > Apache logs the following error at the same time... > > [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: > couldn't check access. No groups file?: /ipa/xml, referer: > https://replica.mydomain.com/ipa/xml Other lines in the /var/log/httpd/error log at the same time... [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START *** [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 Regards, Les ________________________________________ From: Petr Spacek [pspa...@redhat.com] Sent: Monday, December 16, 2013 10:38 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trouble with replica install On 16.12.2013 10:55, Les Stott wrote: > Sorry, when I said "selinux is in permissive mode, but it's the same as on > the master server, so it should be the issue." It should have read as > "selinux is in permissive mode, but it's the same as on the master server, so > it should NOT be the issue." > > Les > > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott > Sent: Monday, 16 December 2013 8:47 PM > To: freeipa-users@redhat.com > Subject: [Freeipa-users] Trouble with replica install > > Hi, > > Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. > Already setup master server, now trying to install replica (which I've done > before and its worked fine). > > The replica install gets all the way to the end but errors out. For the most > part, it looks like it is complete, but I want to be sure there are no > lingering issues. > > The error I see in the log is...(domain and ip's changed) > > ------------------------ > 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com > Realm: MYDOMAIN.COM > DNS Domain: mydomain.com > IPA Server: replica.mydomain.com > BaseDN: dc=mydomain,dc=com > Domain mydomain.com is already configured in existing SSSD config, creating a > new one. > The old /etc/sssd/sssd.conf is backed up and will be restored during > uninstall. > Configured /etc/sssd/sssd.conf > trying https://replica.mydomain.com/ipa/xml > Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml' > Traceback (most recent call last): > File "/usr/sbin/ipa-client-install", line 2377, in <module> > sys.exit(main()) > File "/usr/sbin/ipa-client-install", line 2363, in main > rval = install(options, env, fstore, statestore) > File "/usr/sbin/ipa-client-install", line 2167, in install > remote_env = api.Command['env'](server=True)['result'] > File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in > __call__ > ret = self.run(*args, **options) > File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in > run > return self.forward(*args, **options) > File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in > forward > return self.Backend.xmlclient.forward(self.name, *args, **kw) > File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward > raise NetworkError(uri=server, error=e.errmsg) > ipalib.errors.NetworkError: cannot connect to > u'https://replica.mydomain.com/ipa/xml': Internal Server Error Please look into /var/log/httpd/errors.log on server replica.mydomain.com and check error messages there. Petr^2 Spacek > > 2013-12-16T09:26:50Z INFO File > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line > 614, in run_script > return_value = main_function() > > File "/usr/sbin/ipa-replica-install", line 527, in main > raise RuntimeError("Failed to configure the client") > > 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: > RuntimeError: Failed to configure the client > ------------------- > > Apache logs the following error at the same time... > > [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: > couldn't check access. No groups file?: /ipa/xml, referer: > https://replica.mydomain.com/ipa/xml > > I can login to the gui and it seems ok, but I'm rolling this into production > so I've got to get it right. > > I'm hoping this is just some bug because its an older freeipa on redhat > (minimal install) etc. selinux is in permissive mode, but it's the same as on > the master server, so it should be the issue. > > Is this error critical? How can I fix it? > > Thanks in advance, > > Les _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
