On 12/09/2014 03:22 PM, Martin Kosek wrote:
> On 12/09/2014 10:48 AM, Niranjan M.R wrote:
>> On 12/09/2014 02:57 PM, thierry bordaz wrote:
>>> Hello,
>>>
>>> Niranjan, may I have access to your test machine.
>>
>> It's a VM on my laptop. I am trying to reproduce on another VM
>> to which I can give access. I will provide the details of this VM as soon
>> as possible.
>>
>> Meanwhile I am providing ns-slapd access logs, ipa-logs and pkispawn logs.
>
> Thanks. I see no related errors in the DS errors log, I wonder if the
> suggested
>
> # systemctl status dirsrv@EXAMPLE-ORG.service
>
> would show anything interesting.
>
>>> thanks
>>> Thierry
>>>
>>> On 12/09/2014 10:01 AM, Martin Kosek wrote:
>>>> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>>>>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>>>>> Hello,
>>>>>> WE NEED HELP!
>>>>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is support
>>>>>> for the two factor authentication using HOTP/TOTP compatible software
>>>>>> tokens like FreeOTP (open source compatible alternative to Google
>>>>>> Authenticator) and hardware tokens like Yubikeys. This feature allows
>>>>>> Kerberos and LDAP clients of a FreeIPA server to authenticate using the
>>>>>> normal account password as the first factor and an OTP token as a second
>>>>>> factor. For those environments where a 2FA solution is already in place,
>>>>>> FreeIPA can act as a proxy via RADIUS. More about this feature can be
>>>>>> read here.
>>>>>> http://www.freeipa.org/page/V4/OTP
>>>>>> If you want to see this feature in downstream distros sooner rather than
>>>>>> later we need your help!
>>>>>> Please give it a try and provide feedback. We really, really need it!
>>>>> I am unable to configure ipa-server with
>>>>> freeipa-server-4.1.2-1.fc20.x86_64, ipa-server-install fails with the below
>>>>> error:
>>>>>
>>>>> Done configuring certificate server (pki-tomcatd).
>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>   [1/3]: configuring ssl for ds instance
>>>>>   [2/3]: restarting directory server
>>>>> ipa : CRITICAL Failed to restart the directory server ([Errno 2]
>>>>> No such file or directory:
>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
>>>>> See the installation log for details.
>>>>>   [3/3]: adding CA certificate entry
>>>>> Done configuring directory server (dirsrv).
>>>>> CA did not start in 300.0s
>>>>>
>>>>> Versions used:
>>>>> ==============
>>>>> freeipa-client-4.1.2-1.fc20.x86_64
>>>>> freeipa-server-4.1.2-1.fc20.x86_64
>>>>> libipa_hbac-1.12.2-2.fc20.x86_64
>>>>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>>>>> sssd-ipa-1.12.2-2.fc20.x86_64
>>>>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>>>>> python-iniparse-0.4-9.fc20.noarch
>>>>> freeipa-admintools-4.1.2-1.fc20.x86_64
>>>>> freeipa-python-4.1.2-1.fc20.x86_64
>>>>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>>>>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>>>>
>>>>> BaseOS: Fedora release 20 (Heisenbug)
>>>>>
>>>>> Steps to reproduce:
>>>>> -------------------
>>>>>
>>>>> 1. On a Fedora-20 system, used the mkosek freeipa repo:
>>>>> [mkosek-freeipa]
>>>>> name=Copr repo for freeipa owned by mkosek
>>>>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/
>>>>> skip_if_unavailable=True
>>>>> gpgcheck=0
>>>>> enabled=1
>>>>>
>>>>> 2. Install freeipa-server packages from the above repo
>>>>>
>>>>> 3. Issue ipa-server-install
>>>>>
>>>>> [root@pkiserver1 ~]# ipa-server-install
>>>>>
>>>>> The log file for this installation can be found in
>>>>> /var/log/ipaserver-install.log
>>>>> ==============================================================================
>>>>> This program will set up the FreeIPA Server.
>>>>>
>>>>> This includes:
>>>>>   * Configure a stand-alone CA (dogtag) for certificate management
>>>>>   * Configure the Network Time Daemon (ntpd)
>>>>>   * Create and configure an instance of Directory Server
>>>>>   * Create and configure a Kerberos Key Distribution Center (KDC)
>>>>>   * Configure Apache (httpd)
>>>>>
>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>
>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will be
>>>>> disabled in favor of ntpd
>>>>>
>>>>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>>>>
>>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>>> Enter the fully qualified domain name of the computer
>>>>> on which you're setting up server software. Using the form
>>>>> <hostname>.<domainname>
>>>>> Example: master.example.com.
>>>>>
>>>>> Server host name [pkiserver1.example.org]:
>>>>>
>>>>> Warning: skipping DNS resolution of host pkiserver1.example.org
>>>>> The domain name has been determined based on the host name.
>>>>>
>>>>> Please confirm the domain name [example.org]:
>>>>>
>>>>> The kerberos protocol requires a Realm name to be defined.
>>>>> This is typically the domain name converted to uppercase.
>>>>>
>>>>> Please provide a realm name [EXAMPLE.ORG]:
>>>>> Certain directory server operations require an administrative user.
>>>>> This user is referred to as the Directory Manager and has full access
>>>>> to the Directory for system management tasks and will be added to the
>>>>>
>>>>> The IPA server requires an administrative user, named 'admin'.
>>>>> This user is a regular system account used for IPA server administration.
>>>>>
>>>>> IPA admin password:
>>>>> Password (confirm):
>>>>>
>>>>> Do you want to configure DNS forwarders? [yes]: no
>>>>> No DNS forwarders configured
>>>>> Do you want to configure the reverse zone? [yes]:
>>>>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>
>>>>> The IPA Master Server will be configured with:
>>>>> Hostname:       pkiserver1.example.org
>>>>> IP address(es): 192.168.122.246
>>>>> Domain name:    example.org
>>>>> Realm name:     EXAMPLE.ORG
>>>>>
>>>>> BIND DNS server will be configured to serve IPA domain with:
>>>>> Forwarders:    No forwarders
>>>>> Reverse zone(s): 122.168.192.in-addr.arpa.
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>>
>>>>> The following operations may take some minutes to complete.
>>>>> Please wait until the prompt is returned.
>>>>>
>>>>> instance of directory server created for IPA.
>>>>> The password must be at least 8 characters long.
>>>>>
>>>>> Directory Manager password:
>>>>> Password (confirm):
>>>>> Configuring NTP daemon (ntpd)
>>>>>   [1/4]: stopping ntpd
>>>>>   [2/4]: writing configuration
>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>   [4/4]: starting ntpd
>>>>> Done configuring NTP daemon (ntpd).
>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>   [1/38]: creating directory server user
>>>>>   [2/38]: creating directory server instance
>>>>>   [3/38]: adding default schema
>>>>>   [4/38]: enabling memberof plugin
>>>>>   [5/38]: enabling winsync plugin
>>>>>   [6/38]: configuring replication version plugin
>>>>>   [7/38]: enabling IPA enrollment plugin
>>>>>   [8/38]: enabling ldapi
>>>>>   [9/38]: configuring uniqueness plugin
>>>>>   [10/38]: configuring uuid plugin
>>>>>   [11/38]: configuring modrdn plugin
>>>>>   [12/38]: configuring DNS plugin
>>>>>   [13/38]: enabling entryUSN plugin
>>>>>   [14/38]: configuring lockout plugin
>>>>>   [15/38]: creating indices
>>>>>   [16/38]: enabling referential integrity plugin
>>>>>   [17/38]: configuring certmap.conf
>>>>>   [18/38]: configure autobind for root
>>>>>   [19/38]: configure new location for managed entries
>>>>>   [20/38]: configure dirsrv ccache
>>>>>   [21/38]: enable SASL mapping fallback
>>>>>   [22/38]: restarting directory server
>>>>>   [23/38]: adding default layout
>>>>>   [24/38]: adding delegation layout
>>>>>   [25/38]: creating container for managed entries
>>>>>   [26/38]: configuring user private groups
>>>>>   [27/38]: configuring netgroups from hostgroups
>>>>>   [28/38]: creating default Sudo bind user
>>>>>   [29/38]: creating default Auto Member layout
>>>>>   [30/38]: adding range check plugin
>>>>>   [31/38]: creating default HBAC rule allow_all
>>>>>   [32/38]: initializing group membership
>>>>>   [33/38]: adding master entry
>>>>>   [34/38]: configuring Posix uid/gid generation
>>>>>   [35/38]: adding replication acis
>>>>>   [36/38]: enabling compatibility plugin
>>>>>   [37/38]: tuning directory server
>>>>>   [38/38]: configuring directory to start on boot
>>>>> Done configuring directory server (dirsrv).
>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>>>>> seconds
>>>>>   [1/27]: creating certificate server user
>>>>>   [2/27]: configuring certificate server instance
>>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>>   [4/27]: backing up CS.cfg
>>>>>   [5/27]: disabling nonces
>>>>>   [6/27]: set up CRL publishing
>>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>>   [8/27]: starting certificate server instance
>>>>>   [9/27]: creating RA agent certificate database
>>>>>   [10/27]: importing CA chain to RA certificate database
>>>>>   [11/27]: fixing RA database permissions
>>>>>   [12/27]: setting up signing cert profile
>>>>>   [13/27]: set certificate subject base
>>>>>   [14/27]: enabling Subject Key Identifier
>>>>>   [15/27]: enabling Subject Alternative Name
>>>>>   [16/27]: enabling CRL and OCSP extensions for certificates
>>>>>   [17/27]: setting audit signing renewal to 2 years
>>>>>   [18/27]: configuring certificate server to start on boot
>>>>>   [19/27]: restarting certificate server
>>>>>   [20/27]: requesting RA certificate from CA
>>>>>   [21/27]: issuing RA agent certificate
>>>>>   [22/27]: adding RA agent as a trusted user
>>>>>   [23/27]: configure certmonger for renewals
>>>>>   [24/27]: configure certificate renewals
>>>>>   [25/27]: configure RA certificate renewal
>>>>>   [26/27]: configure Server-Cert certificate renewal
>>>>>   [27/27]: Configure HTTP to proxy connections
>>>>> Done configuring certificate server (pki-tomcatd).
>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>   [1/3]: configuring ssl for ds instance
>>>>>   [2/3]: restarting directory server
>>>>> ipa : CRITICAL Failed to restart the directory server ([Errno 2]
>>>>> No such file or directory:
>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service').
>>>>> See the installation log for details.
>>>>>   [3/3]: adding CA certificate entry
>>>>> Done configuring directory server (dirsrv).
>>>>>
>>>>> CA did not start in 300.0s
>>>>>
>>>>> Attaching ipaserver-install.log, pkispawn logs
>>>>>
>>>>> Any hints on how to overcome the above error?
>>>> The error is obviously in Directory Server restart. I am not sure what
>>>> causes
>>>>
>>>> 2014-12-07T11:16:25Z DEBUG   [2/3]: restarting directory server
>>>> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory server
>>>> ([Errno 2] No such file or directory:
>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See
>>>> the installation log for details.
>>>>
>>>> The first restart worked and it uses the same call, AFAIK. It would be
>>>> interesting to see the latest logs of the instance after ipa-server-install
>>>> crashes:
>>>>
>>>> # systemctl status dirsrv@EXAMPLE-ORG.service

[root@pkiserver1 ~]# systemctl status dirsrv@EXAMPLE-ORG.service
dirsrv@EXAMPLE-ORG.service - 389 Directory Server EXAMPLE-ORG.
   Loaded: loaded (/etc/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Tue 2014-12-09 04:33:56 EST; 23min ago
 Main PID: 2535 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-ORG.service
           └─2535 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-ORG -i /var/run/dirsrv/slapd-EXAMPLE-ORG.pid -w /var/run/dirsrv/slapd-EXAMPLE-ORG.startpid

Dec 09 04:33:56 pkiserver1.example.org systemd[1]: Started 389 Directory Server EXAMPLE-ORG..

>>>>
>>>> It may have some useful logs that would reveal what happened.
>>>>
>>>> Martin

--
Niranjan
irc: mrniranjan
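The thread ends with a contradiction worth checking mechanically: `systemctl status` reports the instance as loaded, enabled and running, while the installer fails on a missing `dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service`. The check below is an added example, not code from the thread, from FreeIPA or from 389-ds; the optional ROOT prefix is an assumption so the same function can be run against a copied filesystem tree, and the exit codes are our own convention.

```sh
#!/bin/sh
# check_dirsrv_unit INSTANCE [ROOT]
# Verifies the systemd wiring a 389-ds instance restart depends on:
# the dirsrv@.service template and the per-instance symlink under
# dirsrv.target.wants.  ROOT is an optional prefix (assumption: "" on a
# live host, a copied tree when inspecting a failed install offline).
# Exit codes (our convention): 0 wired correctly, 1 template missing,
# 2 wants-symlink missing, 3 wants-symlink present but dangling.
check_dirsrv_unit() {
    inst="$1"
    root="${2:-}"
    template="$root/etc/systemd/system/dirsrv@.service"
    vendor="$root/usr/lib/systemd/system/dirsrv@.service"
    link="$root/etc/systemd/system/dirsrv.target.wants/dirsrv@$inst.service"

    if [ ! -f "$template" ] && [ ! -f "$vendor" ]; then
        echo "dirsrv@.service template not found under $root/etc or $root/usr/lib" >&2
        return 1
    fi
    # This is the state behind the installer's "[Errno 2] No such file or
    # directory": the path is absent even though the unit may still be
    # loaded and running, as the systemctl output above shows.
    if [ ! -L "$link" ] && [ ! -e "$link" ]; then
        echo "missing: $link" >&2
        echo "instance dirsrv@$inst may still be running; when the unit's [Install]" \
             "section has WantedBy=dirsrv.target, 'systemctl enable' recreates this link" >&2
        return 2
    fi
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo "dangling: $link -> $(readlink "$link")" >&2
        return 3
    fi
    echo "ok: dirsrv@$inst.service is wanted by dirsrv.target via $link"
    return 0
}

# Stand-alone use: ./check_dirsrv_unit.sh EXAMPLE-ORG
if [ $# -ge 1 ]; then
    check_dirsrv_unit "$@"
fi
```

On a live host run it as root with only the instance name; a non-zero exit pinpoints which of the three files is wrong before re-running the installer.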
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project