Yea, I would try installing IPA then making the changes that you want. I think SELinux should be left enabled however. It makes admin super fun! :)
On 16 May 2017 at 21:57, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>
> I did disable selinux as it gave errors setting up my standard users, etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable selinux and then try again.
>
> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.hol...@gmail.com> wrote:
>
>> This is pretty weird. FreeIPA installation normally works.
>>
>> Has the operating system image been changed or optimised somehow? Perhaps SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>>
>> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>
>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms on VMWare )
>>>
>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.hol...@gmail.com> wrote:
>>>
>>>> Hallo,
>>>>
>>>> How much memory do you have on the machine. I have a sneaking suspicion that you're running out.
>>>>
>>>> Ta,
>>>>
>>>> Andrew
>>>>
>>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>>>
>>>>> Last night I rolled back my snapshot. Here's what I have after the yum install
>>>>>
>>>>> "minimal" install of Centos7 + basic build.
>>>>>
>>>>> {0}:/var/log>cat /etc/*elease
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>> NAME="CentOS Linux"
>>>>> VERSION="7 (Core)"
>>>>> ID="centos"
>>>>> ID_LIKE="rhel fedora"
>>>>> VERSION_ID="7"
>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>> ANSI_COLOR="0;31"
>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>> HOME_URL="https://www.centos.org/"
>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>
>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>
>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>> python-iniparse-0.4-9.el7.noarch
>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>
>>>>> Tried to pull an exact client. The "yum install ipa-server" went fine:
>>>>>
>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>
>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>
>>>>> Restarting the directory server
>>>>> Restarting the KDC
>>>>> Please add records in this file to your DNS system: /tmp/ipa.system.records.qLsLyx.db
>>>>> Restarting the web server
>>>>> Configuring client side components
>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>> Client hostname: ipa.rdlg.net
>>>>> Realm: RDLG.NET
>>>>> DNS Domain: rdlg.net
>>>>> IPA Server: ipa.rdlg.net
>>>>> BaseDN: dc=rdlg,dc=net
>>>>>
>>>>> Skipping synchronizing time with NTP server.
>>>>> New SSSD config will be created
>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>> Configured /etc/sssd/sssd.conf
>>>>> trying https://ipa.rdlg.net/ipa/json
>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>
>>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>>
>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
>>>>>
>>>>> Robert
>>>>>
>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>
>>>>>> Robert L. Harris wrote:
>>>>>> >
>>>>>> > Hmmm
>>>>>> >
>>>>>> > {0}:/var/log>ls
>>>>>> > anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
>>>>>> > boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log
>>>>>> >
>>>>>> > root@ipa
>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>> > package http is not installed
>>>>>> >
>>>>>> > root@ipa
>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>> >
>>>>>> > root@ipa
>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>> >
>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>
>>>>>> I find this very hard to believe given that it got so far as to configure things in Apache, restart it, etc. What version of [free]ipa-server is installed? How did you install it and from what repo?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> >
>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mba...@redhat.com> wrote:
>>>>>> >
>>>>>> > That's weird, it should be super fast, anything in /var/log/httpd/error_log?
>>>>>> >
>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>> >>
>>>>>> >> Odd, must have clicked reply instead of reply-all.
>>>>>> >>
>>>>>> >> Anyway, I did the revert and re-install. Actual install went through fine then the "ipa-server-install" ran until this:
>>>>>> >>
>>>>>> >> [8/9]: restoring configuration
>>>>>> >> [9/9]: starting directory server
>>>>>> >> Done.
>>>>>> >> Restarting the directory server
>>>>>> >> Restarting the KDC
>>>>>> >> Please add records in this file to your DNS system: /tmp/ipa.system.records.v5Jwrt.db
>>>>>> >> Restarting the web server
>>>>>> >> Configuring client side components
>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> >> Client hostname: ipa.rdlg.net
>>>>>> >> Realm: RDLG.NET
>>>>>> >> DNS Domain: rdlg.net
>>>>>> >> IPA Server: ipa.rdlg.net
>>>>>> >> BaseDN: dc=rdlg,dc=net
>>>>>> >>
>>>>>> >> Skipping synchronizing time with NTP server.
>>>>>> >> New SSSD config will be created
>>>>>> >> Configured sudoers in /etc/nsswitch.conf
>>>>>> >> Configured /etc/sssd/sssd.conf
>>>>>> >> trying https://ipa.rdlg.net/ipa/json
>>>>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>> >>
>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see anything in the ipaserver-install.log, but it's here: https://pastebin.com/biK1Dmv7
>>>>>> >>
>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mba...@redhat.com> wrote:
>>>>>> >>
>>>>>> >> Please keep freeipa-users in CC
>>>>>> >>
>>>>>> >> Snapshot is always better, so I suggest to use it. Otherwise there is an option --ignore-last-of-role to unblock uninstallation.
>>>>>> >>
>>>>>> >> Martin
>>>>>> >>
>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>> >>>
>>>>>> >>> Looks like you hit it, apache didn't have a group:
>>>>>> >>>
>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>>> >>>
>>>>>> >>> Thanks, didn't know that command. I tried to continue the process:
>>>>>> >>>
>>>>>> >>> {0}:/root>ipa-server-install
>>>>>> >>>
>>>>>> >>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
>>>>>> >>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>>>> >>>
>>>>>> >>> root@ipa
>>>>>> >>> {1}:/root>ipa-server-install --uninstall
>>>>>> >>>
>>>>>> >>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>>>>>> >>>
>>>>>> >>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>>>> >>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
>>>>>> >>>
>>>>>> >>> This is a VM and I took a snapshot right before I started the install, so I can revert, just make sure to add the apache user before starting the install. Or if you have a better command to continue the clean-up/install.....
>>>>>> >>>
>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mba...@redhat.com> wrote:
>>>>>> >>>
>>>>>> >>> Hello,
>>>>>> >>>
>>>>>> >>> comments inline
>>>>>> >>>
>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>>> >>>>
>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put that log in the first pastebin. It's in this one: https://pastebin.com/18PAXXNS
>>>>>> >>>
>>>>>> >>> Could you please provide journalctl -u httpd and /var/log/httpd/error_log ?
>>>>>> >>>
>>>>>> >>>>
>>>>>> >>>> Also,
>>>>>> >>>> Anyone else get the constant spam when mailing this list? Got an address to block for it?
>>>>>> >>>
>>>>>> >>> Sorry for that, there is a bot mining public archives. We plan to resolve this issue but it may take time as we are not maintaining our mailman.
>>>>>> >>>
>>>>>> >>> Martin
>>>>>> >>>
>>>>>> >>>>
>>>>>> >>>> Robert
>>>>>> >>>>
>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <data...@gmail.com> wrote:
>>>>>> >>>>
>>>>>> >>>> Robert, did you look in /var/log/ipaserver-install.log as it says?
>>>>>> >>>>
>>>>>> >>>> Was there any other information?
>>>>>> >>>>
>>>>>> >>>> cheers
>>>>>> >>>> L.
>>>>>> >>>>
>>>>>> >>>> ------
>>>>>> >>>> "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
>>>>>> >>>>
>>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>>>>>> >>>>
>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>>>>> >>>>
>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built out a "minimal server" with some normal base packages which did include the freeipa-client but otherwise, just standard tools. Here's a pastebin of the output of the install: https://pastebin.com/zAWCgkUU
>>>>>> >>>>
>>>>>> >>>> Robert
>>>>>> >>>>
>>>>>> >>>> --
>>>>>> >>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> >>>> Go to http://freeipa.org for more info on the project
>>>>>> >>>>
>>>>>> >>>> --
>>>>>> >>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> >>>> Go to http://freeipa.org for more info on the project
>>>>>> >>>>
>>>>>> >>>
>>>>>> >>> --
>>>>>> >>> Martin Bašti
>>>>>> >>> Software Engineer
>>>>>> >>> Red Hat Czech
>>>>>> >>>
>>>>>> >>
>>>>>> >> --
>>>>>> >> Martin Bašti
>>>>>> >> Software Engineer
>>>>>> >> Red Hat Czech
>>>>>> >>
>>>>>> >
>>>>>> > --
>>>>>> > Martin Bašti
>>>>>> > Software Engineer
>>>>>> > Red Hat Czech
>>>>>> >
>>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
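
The host conditions that come up in this thread (the missing apache account behind AH00544, SELinux switched off, the 2 GB VM, and the NSS database under /etc/httpd/alias) can be checked in one pass. The script below is an added example, not part of the thread or of FreeIPA; the function names, the ROOT argument for pointing it at a constructed tree, and the MIN_MIB memory floor are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: host checks for the conditions raised in this thread.
# Each function takes a file or directory, so it can be pointed at the live
# system (ROOT=/) or at a constructed tree.

# httpd logs "AH00544: httpd: bad group name apache" when the account is
# missing. FILE is in passwd(5) or group(5) format.
has_account() {    # has_account NAME FILE
    grep -q "^$1:" "$2" 2>/dev/null
}

# Configured SELinux mode (enforcing|permissive|disabled) from a config file.
selinux_mode() {   # selinux_mode FILE
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# MemTotal in MiB from a /proc/meminfo-format file.
mem_total_mib() {  # mem_total_mib FILE
    awk '/^MemTotal:/ { print int($2 / 1024) }' "$1" 2>/dev/null
}

# mod_nss logs "NSS_Initialize failed" when it cannot open its database.
# cert8.db (dbm) and cert9.db (sql) are the NSS certificate database files.
nss_db_present() { # nss_db_present DIR
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]
}

# Run every check under ROOT. MIN_MIB is the operator's own memory floor
# (an assumption of this example, not a FreeIPA figure). Prints one FAIL
# line per problem and returns non-zero if anything failed.
host_checks() {    # host_checks ROOT MIN_MIB
    local root="${1%/}" min="$2" rc=0 mode mem
    has_account apache "$root/etc/passwd" || { echo "FAIL: no apache user"; rc=1; }
    has_account apache "$root/etc/group" || { echo "FAIL: no apache group"; rc=1; }
    mode=$(selinux_mode "$root/etc/selinux/config")
    case "$mode" in
        enforcing|permissive) ;;
        *) echo "FAIL: SELinux mode is '${mode:-unknown}'"; rc=1 ;;
    esac
    mem=$(mem_total_mib "$root/proc/meminfo") || mem=0
    [ "${mem:-0}" -ge "$min" ] || { echo "FAIL: ${mem:-0} MiB RAM < $min MiB"; rc=1; }
    nss_db_present "$root/etc/httpd/alias" ||
        { echo "FAIL: no NSS database in /etc/httpd/alias"; rc=1; }
    return "$rc"
}

# Live run: ./host_checks.sh --run MIN_MIB
if [ "${1:-}" = "--run" ]; then host_checks / "${2:?MIN_MIB required}"; fi
```

The SELinux check reads the configured mode from the config file, so a host that was switched at runtime needs `getenforce` as well.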