I left SELinux enabled, no change, still streaming the same error:

[Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS database exist?

On Tue, May 16, 2017 at 2:12 PM Andrew Holway <andrew.hol...@gmail.com> wrote:

> Yea, I would try installing IPA then making the changes that you want. I
> think SELinux should be left enabled however. It makes admin super fun! :)
>
> On 16 May 2017 at 21:57, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>
>> I did disable selinux as it gave errors setting up my standard users,
>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>> selinux and then try again.
>>
>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.hol...@gmail.com> wrote:
>>
>>> This is pretty weird. FreeIPA installation normally works.
>>>
>>> Has the operating system image been changed or optimised somehow?
>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>> the ISO?
>>>
>>> On 16 May 2017 at 21:48, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>>
>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no
>>>> alarms on VMWare )
>>>>
>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.hol...@gmail.com> wrote:
>>>>
>>>>> Hallo,
>>>>>
>>>>> How much memory do you have on the machine. I have a sneaking
>>>>> suspicion that you're running out.
>>>>>
>>>>> Ta,
>>>>>
>>>>> Andrew
>>>>>
>>>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>>>>
>>>>>> Last night I rolled back my snapshot. Here's what I have after the
>>>>>> yum install
>>>>>>
>>>>>> "minimal" install of Centos7 + basic build.
>>>>>> {0}:/var/log>cat /etc/*elease
>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>> NAME="CentOS Linux"
>>>>>> VERSION="7 (Core)"
>>>>>> ID="centos"
>>>>>> ID_LIKE="rhel fedora"
>>>>>> VERSION_ID="7"
>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>>> ANSI_COLOR="0;31"
>>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>>> HOME_URL="https://www.centos.org/"
>>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>>
>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>>
>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>
>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>> python-iniparse-0.4-9.el7.noarch
>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>>
>>>>>> Tried to pull an exact client. The "yum install ipa-server" went
>>>>>> fine:
>>>>>>
>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>>
>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>>
>>>>>> Restarting the directory server
>>>>>> Restarting the KDC
>>>>>> Please add records in this file to your DNS system:
>>>>>> /tmp/ipa.system.records.qLsLyx.db
>>>>>> Restarting the web server
>>>>>> Configuring client side components
>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> Client hostname: ipa.rdlg.net
>>>>>> Realm: RDLG.NET
>>>>>> DNS Domain: rdlg.net
>>>>>> IPA Server: ipa.rdlg.net
>>>>>> BaseDN: dc=rdlg,dc=net
>>>>>>
>>>>>> Skipping synchronizing time with NTP server.
>>>>>> New SSSD config will be created
>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> trying https://ipa.rdlg.net/ipa/json
>>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>
>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>>>
>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
>>>>>>
>>>>>> Robert
>>>>>>
>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>
>>>>>>> Robert L. Harris wrote:
>>>>>>> >
>>>>>>> > Hmmm
>>>>>>> >
>>>>>>> > {0}:/var/log>ls
>>>>>>> > anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
>>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
>>>>>>> > boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log
>>>>>>> >
>>>>>>> > root@ipa
>>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>>> > package http is not installed
>>>>>>> >
>>>>>>> > root@ipa
>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>>> >
>>>>>>> > root@ipa
>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>>> >
>>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>>
>>>>>>> I find this very hard to believe given that it got so far as to configure
>>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>>>> installed? How did you install it and from what repo?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>> >
>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti <mba...@redhat.com> wrote:
>>>>>>> >
>>>>>>> > That's weird, it should be super fast, anything in
>>>>>>> > /var/log/httpd/error_log?
>>>>>>> >
>>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>>> >>
>>>>>>> >> Odd, must have clicked reply instead of reply-all.
>>>>>>> >>
>>>>>>> >> Anyway, I did the revert and re-install. Actual install went
>>>>>>> >> through fine then the "ipa-server-install" ran until this:
>>>>>>> >>
>>>>>>> >> [8/9]: restoring configuration
>>>>>>> >> [9/9]: starting directory server
>>>>>>> >> Done.
>>>>>>> >> Restarting the directory server
>>>>>>> >> Restarting the KDC
>>>>>>> >> Please add records in this file to your DNS system:
>>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db
>>>>>>> >> Restarting the web server
>>>>>>> >> Configuring client side components
>>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>> >> Client hostname: ipa.rdlg.net
>>>>>>> >> Realm: RDLG.NET
>>>>>>> >> DNS Domain: rdlg.net
>>>>>>> >> IPA Server: ipa.rdlg.net
>>>>>>> >> BaseDN: dc=rdlg,dc=net
>>>>>>> >>
>>>>>>> >> Skipping synchronizing time with NTP server.
>>>>>>> >> New SSSD config will be created
>>>>>>> >> Configured sudoers in /etc/nsswitch.conf
>>>>>>> >> Configured /etc/sssd/sssd.conf
>>>>>>> >> trying https://ipa.rdlg.net/ipa/json
>>>>>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>> >>
>>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>>>>>>> >> anything in the ipaserver-install.log, but it's here:
>>>>>>> >> https://pastebin.com/biK1Dmv7
>>>>>>> >>
>>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mba...@redhat.com> wrote:
>>>>>>> >>
>>>>>>> >> Please keep freeipa-users in CC
>>>>>>> >>
>>>>>>> >> Snapshot is always better, so I suggest to use it. Otherwise
>>>>>>> >> there is an option --ignore-last-of-role to unblock
>>>>>>> >> uninstallation.
>>>>>>> >>
>>>>>>> >> Martin
>>>>>>> >>
>>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>>> >>>
>>>>>>> >>> Looks like you hit it, apache didn't have a group:
>>>>>>> >>>
>>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>>>> >>>
>>>>>>> >>> Thanks, didn't know that command. I tried to continue the
>>>>>>> >>> process:
>>>>>>> >>>
>>>>>>> >>> {0}:/root>ipa-server-install
>>>>>>> >>>
>>>>>>> >>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
>>>>>>> >>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>>>>>> >>>
>>>>>>> >>> root@ipa
>>>>>>> >>> {1}:/root>ipa-server-install --uninstall
>>>>>>> >>>
>>>>>>> >>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>>>>>>> >>>
>>>>>>> >>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>>>>> >>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
>>>>>>> >>>
>>>>>>> >>> This is a VM and I took a snapshot right before I started the
>>>>>>> >>> install, so I can revert, just make sure to add the apache
>>>>>>> >>> user before starting the install. Or if you have a better
>>>>>>> >>> command to continue the clean-up/install.....
>>>>>>> >>>
>>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti <mba...@redhat.com> wrote:
>>>>>>> >>>
>>>>>>> >>> Hello,
>>>>>>> >>>
>>>>>>> >>> comments inline
>>>>>>> >>>
>>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>>>> >>>>
>>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put
>>>>>>> >>>> that log in the first pastebin. It's in this one:
>>>>>>> >>>> https://pastebin.com/18PAXXNS
>>>>>>> >>>
>>>>>>> >>> Could you please provide journalctl -u httpd and
>>>>>>> >>> /var/log/httpd/error_log ?
>>>>>>> >>>
>>>>>>> >>>>
>>>>>>> >>>> Also,
>>>>>>> >>>> Anyone else get the constant spam when mailing this
>>>>>>> >>>> list? Got an address to block for it?
>>>>>>> >>>
>>>>>>> >>> Sorry for that, there is a bot mining public archives. We
>>>>>>> >>> plan to resolve this issue but it may take time as we are
>>>>>>> >>> not maintaining our mailman.
>>>>>>> >>>
>>>>>>> >>> Martin
>>>>>>> >>>
>>>>>>> >>>>
>>>>>>> >>>> Robert
>>>>>>> >>>>
>>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman <data...@gmail.com> wrote:
>>>>>>> >>>>
>>>>>>> >>>> Robert, did you look in
>>>>>>> >>>> /var/log/ipaserver-install.log as it says?
>>>>>>> >>>>
>>>>>>> >>>> Was there any other information?
>>>>>>> >>>>
>>>>>>> >>>> cheers
>>>>>>> >>>> L.
>>>>>>> >>>>
>>>>>>> >>>> ------
>>>>>>> >>>> "Mission Statement: To provide hope and inspiration
>>>>>>> >>>> for collective action, to build collective power, to
>>>>>>> >>>> achieve collective transformation, rooted in grief
>>>>>>> >>>> and rage but pointed towards vision and dreams."
>>>>>>> >>>>
>>>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>>>>>>> >>>>
>>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>>>>>> >>>>
>>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the
>>>>>>> >>>> latest CentOS7. I built out a "minimal server"
>>>>>>> >>>> with some normal base packages which did include
>>>>>>> >>>> the freeipa-client but otherwise, just standard
>>>>>>> >>>> tools. Here's a pastebin of the output of the
>>>>>>> >>>> install: https://pastebin.com/zAWCgkUU
>>>>>>> >>>>
>>>>>>> >>>> Robert
>>>>>>> >>>>
>>>>>>> >>>> --
>>>>>>> >>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> >>>> Go to http://freeipa.org for more info on the project
>>>>>>> >>>>
>>>>>>> >>>
>>>>>>> >>> --
>>>>>>> >>> Martin Bašti
>>>>>>> >>> Software Engineer
>>>>>>> >>> Red Hat Czech
>>>>>>> >>>
>>>>>>> >>
>>>>>>> >> --
>>>>>>> >> Martin Bašti
>>>>>>> >> Software Engineer
>>>>>>> >> Red Hat Czech
>>>>>>> >>
>>>>>>> >
>>>>>>> > --
>>>>>>> > Martin Bašti
>>>>>>> > Software Engineer
>>>>>>> > Red Hat Czech
>>>>>>> >
>>>>>>>
>>>>>>
>>>>>
>>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
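
The logs quoted in this thread name two things httpd needed on this host: a group called apache (AH00544) and an NSS database in /etc/httpd/alias. A preflight check for both, as an added example that is not part of the thread or of FreeIPA; the function names are hypothetical, and group-readability of the database files is an assumed requirement, not a diagnosis made in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults come from the quoted logs:
# NSS database /etc/httpd/alias, httpd group "apache". Function names are hypothetical.

# Succeeds if group NAME exists. With a second argument, read that file
# (/etc/group format) instead of the system databases.
group_exists() {
    if [ -n "${2:-}" ]; then
        awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
    else
        getent group "$1" >/dev/null 2>&1
    fi
}

# Prints "sql" (cert9.db + key4.db), "dbm" (cert8.db + key3.db) or "missing".
nss_db_format() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then echo sql
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then echo dbm
    else echo missing
    fi
}

# Lists *.db files in DIR that a non-owner process in GROUP cannot read.
db_unreadable_by_group() {
    find "$1" -maxdepth 1 -type f -name '*.db' \
        \( \( -group "$2" ! -perm -040 \) -o \( ! -group "$2" ! -perm -004 \) \)
}

# preflight [DIR] [GROUP]: returns 0 only if every check passes.
preflight() {
    dir=${1:-/etc/httpd/alias}; grp=${2:-apache}; rc=0
    if ! group_exists "$grp"; then
        echo "FAIL: group '$grp' does not exist (httpd: AH00544 bad group name)"; rc=1
    fi
    fmt=$(nss_db_format "$dir")
    if [ "$fmt" = missing ]; then
        echo "FAIL: no NSS database files in $dir"; rc=1
    elif [ "$rc" -eq 0 ]; then
        bad=$(db_unreadable_by_group "$dir" "$grp")
        if [ -n "$bad" ]; then
            echo "FAIL: not readable by group $grp (assumed requirement):"; echo "$bad"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: group $grp exists, $fmt NSS database in $dir"
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${RUN_PREFLIGHT:-}" = 1 ]; then preflight "$@"; fi
```

Run it as root on the server with RUN_PREFLIGHT=1 set; if it passes, `certutil -L -d /etc/httpd/alias` shows whether the database actually opens.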