Re: [Freeipa-users] i could use some help with installing FreeIPA

2013-12-18 Thread Nathaniel McCallum

Re: [Freeipa-users] i could use some help with installing FreeIPA

2013-12-18 Thread Alexander Bokovoy

On Wed, 18 Dec 2013, Nathaniel McCallum wrote:

On Mon, 2013-12-16 at 22:30 -0500, Rob Crittenden wrote:

Dmitri Pal wrote:
 On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
 My install fails on the invocation of pkispawn with a Socket Error in
 the pki-ca-spawn log; anyone have any ideas?  (It isn't the issue
 with special characters in the DM's password, as my Directory Manager
 and IPA Admin passwords may be 32 characters long, but only contain
 [A-Za-z0-9_].)

 Configuration and Error Messages follow.

 Target System: Fedora 19 64-bit LXC container running on top of a
 Fedora 19 64-bit host.  Kernel 3.11.10, Q9550 Intel CPU.
 Attempting to install FreeIPA server 3.3.3.  SELinux has been set to
 'disabled' on the host and container.

 /etc/hosts:
 # IP              FQDN                    Alias(es)
 127.0.0.1         localhost.localdomain   localhost localhost4
 192.168.253.94    woeg.marphod.net        woeg

 # Peers
 192.168.253.99    skete.marphod.net       skete wiki.marphod.net wiki www.marphod.net www
 [... several more machines]

 /etc/resolv.conf:
 ; generated by /usr/sbin/dhclient-script
 search marphod.net
 nameserver 192.168.253.1

 /etc/sysconfig/network:
 NETWORKING=yes
 HOSTNAME=woeg.marphod.net

 No software firewall on the Container:
 # iptables -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination


 Not using NetworkManager.  The machine has a virtual nic, and is
 connected to the bridge on the host, and can interact with the outside
 world.

 Installation commands:
 # ipa-server-install --uninstall -U
 # pkidestroy -s CA -i pki-tomcat
 # ipa-server-install -N -d --no-host-dns

 I select the defaults during the interactive install.

 During installation, everything seems to run fine up to the invocation
 of pkispawn.  I then get the errors:

 Installing CA into /var/lib/pki/pki-tomcat.
 Storing deployment configuration into
 /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
 Installation failed.

 ipa : DEBUG    stderr=Job for pki-tomcatd@pki-tomcat.service
 failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and
 'journalctl -xn' for details.
 pkispawn: ERROR    ... server failed to restart

 ipa : CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit
 status 1
 ipa : DEBUG      File
 "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
 line 622, in run_script
     return_value = main_function()

   File "/usr/sbin/ipa-server-install", line 1074, in main
     dm_password, subject_base=options.subject)

   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 line 478, in configure_instance
     self.start_creation(runtime=210)

   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
 364, in start_creation
     method()

   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 line 604, in __spawn_instance
     raise RuntimeError('Configuration of CA failed')

 ipa : DEBUG    The ipa-server-install command failed,
 exception: RuntimeError: Configuration of CA failed
 Configuration of CA failed

 The relevant errors from /var/log/pki/pki-ca-spawn.<timestamp>.log (the
 "...skipping..." is from the file):

 ...skipping...
 y still be down
 2013-12-16 18:12:23 pkispawn: DEBUG... No connection -
 exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
 Connection refused.
 2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
 server may still be down
 2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
 exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
 Connection refused.
 2013-12-16 18:12:25 pkispawn: DEBUG... No connection -
 server may still be down
 ...
 (error repeated 12 more times)
 ...
 2013-12-16 18:12:39 pkispawn: ERROR... server failed to
 restart
 2013-12-16 18:12:39 pkispawn: DEBUG... Error Type: SystemExit
 2013-12-16 18:12:39 pkispawn: DEBUG... Error Message: 1
 2013-12-16 18:12:39 pkispawn: DEBUG...   File
 "/usr/sbin/pkispawn", line 374, in main
     rv = instance.spawn()
   File
 "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
 line 102, in spawn
     sys.exit(1)


 You are trying it in a container. I do not know whether this makes a
 difference.
 It might be due to the fact that the underlying directory server has not
 started.
 Please look at the pki instance DS logs to determine whether the DS
 instance was installed and configured correctly.
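
Added example, not part of the thread: a small shell helper that summarises the "No connection / Connection refused" retry loop from a pki-ca-spawn log in the format quoted above, then checks the units the CA depends on, which is Dmitri's first question (did the underlying directory server start?). The dirsrv unit name is an assumption derived from the poster's domain; pki-tomcatd@pki-tomcat is the unit named in the error output.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise the "No connection ...
# Connection refused" loop pkispawn logs while it waits for the CA to come
# up, then check the services the CA depends on.
#
# Assumptions: the dirsrv unit follows FreeIPA's REALM-based naming
# (MARPHOD-NET is a guess from the poster's domain); pki-tomcatd@pki-tomcat
# is the unit named in the quoted error output.
DIRSRV_UNIT="dirsrv@MARPHOD-NET.service"
PKI_UNIT="pki-tomcatd@pki-tomcat.service"

# Constructed sample in the same shape as the quoted pki-ca-spawn log.
SAMPLE_LOG='2013-12-16 18:12:23 pkispawn: DEBUG... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
2013-12-16 18:12:24 pkispawn: DEBUG... No connection - server may still be down
2013-12-16 18:12:24 pkispawn: DEBUG... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
2013-12-16 18:12:39 pkispawn: ERROR... server failed to restart'

# Read a pki-ca-spawn log on stdin and print one line:
#   <refused-count> <first-timestamp> <last-timestamp> <gave-up>
# where <gave-up> is 1 if pkispawn logged "server failed to restart".
spawn_retry_summary() {
    awk '
        /Connection refused/ {
            n++
            ts = $1 " " $2
            if (first == "") first = ts
            last = ts
        }
        /server failed to restart/ { gave_up = 1 }
        END { printf "%d %s %s %d\n", n + 0, first, last, gave_up + 0 }
    '
}

# Live check for the next step: is each unit the CA needs actually running?
# Prints "<unit>: active|inactive|failed|unknown" per unit.
ca_stack_status() {
    for unit in "$DIRSRV_UNIT" "$PKI_UNIT"; do
        state=$(systemctl is-active "$unit" 2>/dev/null)
        [ -n "$state" ] || state=unknown
        printf '%s: %s\n' "$unit" "$state"
    done
}

# Usage on the real log:
#   spawn_retry_summary < /var/log/pki/pki-ca-spawn.<timestamp>.log
#   ca_stack_status
```

If the summary shows pkispawn giving up after a short window while dirsrv is not active, the CA never had a directory to talk to, and the DS instance logs are the place to look next.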
 

[Freeipa-users] IPA replica directory server hung

2013-12-18 Thread Joe Mou
I have a broken IPA replica that appears to be suffering from a hung
directory server. The master seems to be working fine, but LDAP requests to
the replica hang indefinitely. I attached gdb to ns-slapd and suspect a
deadlock in cos_cache.c.

Thread 7 seems to be hung on an LDAP delete for a user account that we
recently removed. Every time the directory server is started, it tries to
issue this delete, apparently to sync the replica.

I have been unsuccessful in trying to remove the offending replica because
ipa-replica-manage seems to need to make LDAP requests against the replica.
For example:

$ ipa-replica-manage del p-ipa-wd02.prod.the.flatiron.com

^CConnection to 'p-ipa-wd02.prod.the.flatiron.com' failed: Insufficient
access: SASL(0): successful result:
Unable to delete replica 'p-ipa-wd02.prod.the.flatiron.com'

^CTraceback (most recent call last):
  File "/usr/sbin/ipa-replica-manage", line 1252, in <module>
    main()
KeyboardInterrupt

Backtraces of the suspicious threads and log excerpts are at
http://p.flatiron.com/~jmou/ipa/ . I was only able to install a limited set
of debugging symbols; let me know if I can be of more help.

Any help in fixing this replica or even just removing it would be greatly
appreciated!

Joe
Thread 41 (Thread 0x7f0f6353b700 (LWP 1127)):
#0  0x7f0f72f11565 in pthread_cond_wait@@GLIBC_2.3.2 () from 
/lib64/libpthread.so.0
No symbol table info available.
#1  0x7f0f6dc9bf63 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
No symbol table info available.
#2  0x7f0f6dc9b440 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
No symbol table info available.
#3  0x7f0f6dd4085a in __lock_get_internal () from /lib64/libdb-5.3.so
No symbol table info available.
#4  0x7f0f6dd41460 in __lock_get () from /lib64/libdb-5.3.so
No symbol table info available.
#5  0x7f0f6dd6bc2a in __db_lget () from /lib64/libdb-5.3.so
No symbol table info available.
#6  0x7f0f6dcb84f4 in __bam_search () from /lib64/libdb-5.3.so
No symbol table info available.
#7  0x7f0f6dca3996 in __bamc_search () from /lib64/libdb-5.3.so
No symbol table info available.
#8  0x7f0f6dca53af in __bamc_get () from /lib64/libdb-5.3.so
No symbol table info available.
#9  0x7f0f6dd58ff6 in __dbc_iget () from /lib64/libdb-5.3.so
No symbol table info available.
#10 0x7f0f6dd67704 in __dbc_get_pp () from /lib64/libdb-5.3.so
No symbol table info available.
#11 0x7f0f69c9c740 in idl_new_fetch (be=0x7f0f75e1e750, db=<optimized out>,
inkey=0x7f0f6352dca0, txn=0x0, a=0x7f0f75ee68d0, flag_err=0x7f0f6353466c,
allidslimit=10) at ldap/servers/slapd/back-ldbm/idl_new.c:231
        ret = 0
        idl_rc = 0
        cursor = 0x7f0f75fa5ce0
        idl = 0x0
        key = {data = 0x7f0f6352de00, size = 10, ulen = 10, dlen = 0, doff = 0,
app_data = 0x0, flags = 2056}
        data = {data = 0x7f0f6352bbb0, size = 8192, ulen = 8192, dlen = 0, doff
= 0, app_data = 0x0, flags = 2048}
        id = 0
        count = 0
        buffer = "memberOf-default", '\000' <repeats 5416 times>...
        ptr = <optimized out>
        dataret = {data = 0x0, size = 0, ulen = 0, dlen = 0, doff = 0, app_data
= 0x0, flags = 0}
        s_txn = {back_txn_txn = 0x0}
        li = <optimized out>
#12 0x7f0f69c9c3cd in idl_fetch_ext (be=be@entry=0x7f0f75e1e750,
db=<optimized out>, key=key@entry=0x7f0f6352dca0, txn=txn@entry=0x0,
a=<optimized out>, err=err@entry=0x7f0f6353466c,
allidslimit=allidslimit@entry=10) at
ldap/servers/slapd/back-ldbm/idl_shim.c:130
No locals.
#13 0x7f0f69caa451 in index_read_ext_allids (pb=pb@entry=0x7f0f54079140,
be=be@entry=0x7f0f75e1e750, type=type@entry=0x7f0f54075910 "objectclass",
indextype=indextype@entry=0x7f0f69ceb937 "eq", val=<optimized out>,
txn=txn@entry=0x7f0f63531f50, err=err@entry=0x7f0f6353466c,
unindexed=unindexed@entry=0x7f0f63531f44, allidslimit=allidslimit@entry=10)
at ldap/servers/slapd/back-ldbm/index.c:1048
        db = 0x7f0f75fa5720
        db_txn = 0x0
        key = {data = 0x7f0f6352de00, size = 10, ulen = 10, dlen = 0, doff = 0,
app_data = 0x0, flags = 2048}
        idl = 0x0
        prefix = <optimized out>
        tmpbuf = 0x0

Re: [Freeipa-users] IPA replica directory server hung

2013-12-18 Thread Rich Megginson



What is your platform?  rpm -q 389-ds-base

There were some hangs with rhel 6.4.z.  Please update to the latest 
389-ds-base (1.2.11.15-30 or later) and nss 3.15.3 or later.




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] Question: re replica install

2013-12-18 Thread Rob Crittenden

Les Stott wrote:

Hi All,

(RHEL 6.4, FreeIPA 3.0.0-37)

Say I want to install a replica server in a restricted network, but I
don’t want to enable http management on the replica.

I am pretty sure the following is true, but ask the question just to be
sure….

Can a replica work (for authentication and replication) without http?

I can't see a switch on ipa-replica-install to not set up http, so I
imagine if the above was possible I could…

1. Install the replica

2. Let it configure http

3. Turn off http


You'd probably run into weird corner-case problems, and how DNS is 
configured might work around some of them, until it doesn't.


I think the most likely pain points would be the ipa tool and certmonger.

certmonger will use the IPA configured in /etc/ipa/default.conf, so as 
long as you ensure that points to one of the other masters you'll 
probably be ok.


But that is only on the clients. On the master itself renewal of the IPA 
server certs will likely fail.


The ipa tool, which by default also uses default.conf, will fail over to 
other masters, but you might notice a delay.


What might be a better idea would be to firewall it rather than shutting 
down the service.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
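Added example, not from the thread: Rob's suggestion is to firewall the replica's web interface rather than stop httpd, so that certmonger and the ipa tool on the replica itself keep working. This emits an iptables rule set in RHEL 6 style that limits TCP 80/443 to an admin network and loopback while leaving Kerberos and LDAP untouched; MGMT_CIDR is a placeholder you must replace.

```shell
#!/bin/sh
# Added example, not from the thread. Narrow the replica's HTTP/HTTPS ports
# to an admin network instead of stopping the service: Kerberos (88/464),
# LDAP (389/636) and replication stay reachable, and loopback stays open so
# certmonger and the ipa tool on the replica can still reach its own web
# server (Rob notes renewals fail when the service is simply turned off).
#
# Assumption: MGMT_CIDR is a placeholder; replace it with your admin subnet.
MGMT_CIDR="${MGMT_CIDR:-10.0.0.0/24}"

# Print the rules, one iptables command per line, without applying them so
# they can be reviewed (or diffed against `iptables -S`) first.
replica_http_rules() {
    cidr="$1"
    cat <<EOF
iptables -N IPA-HTTP
iptables -A IPA-HTTP -i lo -j ACCEPT
iptables -A IPA-HTTP -s $cidr -j ACCEPT
iptables -A IPA-HTTP -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp --dport 80 -j IPA-HTTP
iptables -I INPUT -p tcp --dport 443 -j IPA-HTTP
EOF
}

# Sanity check on a rule set read from stdin: returns 1 if any --dport rule
# touches a port other than 80 or 443, i.e. something the replica needs open.
rules_touch_only_http() {
    grep -- '--dport' | grep -vqE -- '--dport (80|443) ' && return 1
    return 0
}

# Apply after review (needs root): feed each emitted line to the shell.
apply_replica_http_rules() {
    replica_http_rules "$MGMT_CIDR" | rules_touch_only_http || return 1
    replica_http_rules "$MGMT_CIDR" | sh -e
}
```

On RHEL 6 the applied rules are persisted with `service iptables save`; the chain is inserted at the top of INPUT so it is evaluated before the distribution's default REJECT rule.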


Re: [Freeipa-users] Question: re replica install

2013-12-18 Thread Les Stott
Thanks Rob.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users