Re: [Freeipa-users] i could use some help with installing FreeIPA
On Mon, 2013-12-16 at 22:30 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
> > > My install fails on the invocation of pkispawn with a Socket Error in the
> > > pki-ca-spawn log; anyone have any ideas? (It isn't the issue with special
> > > characters in the DM's password, as my Directory Manager and IPA Admin
> > > passwords may be 32 characters long, but only contain [A-Za-z0-9_].)
> > >
> > > Configuration and error messages follow.
> > >
> > > Target system: Fedora 19 64-bit LXC container running on top of a
> > > Fedora 19 64-bit host. Kernel 3.11.10, Q9550 Intel CPU. Attempting to
> > > install FreeIPA server 3.3.3. SELinux has been set to 'disabled' on the
> > > host and container.
> > >
> > > /etc/hosts:
> > >
> > >     # IP             FQDN                   Alias(es)
> > >     127.0.0.1        localhost.localdomain  localhost localhost4
> > >     192.168.253.94   woeg.marphod.net       woeg
> > >     # Peers
> > >     192.168.253.99   skete.marphod.net      skete wiki.marphod.net wiki www.marphod.net www
> > >     [... several more machines]
> > >
> > > /etc/resolv.conf:
> > >
> > >     ; generated by /usr/sbin/dhclient-script
> > >     search marphod.net
> > >     nameserver 192.168.253.1
> > >
> > > /etc/sysconfig/network:
> > >
> > >     NETWORKING=yes
> > >     HOSTNAME=woeg.marphod.net
> > >
> > > No software firewall on the container:
> > >
> > >     # iptables -L
> > >     Chain INPUT (policy ACCEPT)
> > >     target     prot opt source               destination
> > >
> > >     Chain FORWARD (policy ACCEPT)
> > >     target     prot opt source               destination
> > >
> > >     Chain OUTPUT (policy ACCEPT)
> > >     target     prot opt source               destination
> > >
> > > Not using NetworkManager. The machine has a virtual NIC, is connected to
> > > the bridge on the host, and can interact with the outside world.
> > >
> > > Installation commands:
> > >
> > >     # ipa-server-install --uninstall -U
> > >     # pkidestroy -s CA -i pki-tomcat
> > >     # ipa-server-install -N -d --no-host-dns
> > >
> > > I select the defaults during the interactive install. During installation,
> > > everything seems to run fine up to the invocation of pkispawn. I then get
> > > the errors:
> > >
> > >     Installing CA into /var/lib/pki/pki-tomcat.
> > >     Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> > >     Installation failed.
> > >     ipa : DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and 'journalctl -xn' for details.
> > >     pkispawn: ERROR... server failed to restart
> > >
> > >     ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit status 1
> > >     ipa : DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
> > >         return_value = main_function()
> > >       File "/usr/sbin/ipa-server-install", line 1074, in main
> > >         dm_password, subject_base=options.subject)
> > >       File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
> > >         self.start_creation(runtime=210)
> > >       File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
> > >         method()
> > >       File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
> > >         raise RuntimeError('Configuration of CA failed')
> > >     ipa : DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
> > >     Configuration of CA failed
> > >
> > > The relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log
> > > (the "...skipping..." is from the file):
> > >
> > >     ...skipping...
> > >     y still be down
> > >     2013-12-16 18:12:23 pkispawn: DEBUG... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
> > >     2013-12-16 18:12:24 pkispawn: DEBUG... No connection - server may still be down
> > >     2013-12-16 18:12:24 pkispawn: DEBUG... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
> > >     2013-12-16 18:12:25 pkispawn: DEBUG... No connection - server may still be down
> > >     ... (error repeated 12 more times) ...
> > >     2013-12-16 18:12:39 pkispawn: ERROR... server failed to restart
> > >     2013-12-16 18:12:39 pkispawn: DEBUG... Error Type: SystemExit
> > >     2013-12-16 18:12:39 pkispawn: DEBUG... Error Message: 1
> > >     2013-12-16 18:12:39 pkispawn: DEBUG...   File "/usr/sbin/pkispawn", line 374, in main
> > >         rv = instance.spawn()
> > >       File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
> > >         sys.exit(1)
> >
> > You are trying it in a container. I do not know whether this makes a
> > difference. It might be due to the fact that the underlying directory
> > server has not started. Please look at the pki instance DS logs to
> > determine whether the DS instance was installed and configured correctly.
[Freeipa-users] IPA replica directory server hung
I have a broken IPA replica that appears to be suffering from a hung directory server. The master seems to be working fine, but LDAP requests to the replica hang indefinitely. I attached gdb to ns-slapd and suspect a deadlock in cos_cache.c. Thread 7 seems to be hung on an LDAP delete for a user account that we recently removed. Every time the directory server is started, it tries to issue this delete, apparently to sync the replica.

I have been unsuccessful in trying to remove the offending replica because ipa-replica-manage seems to need to make LDAP requests against the replica. For example:

    $ ipa-replica-manage del p-ipa-wd02.prod.the.flatiron.com
    ^CConnection to 'p-ipa-wd02.prod.the.flatiron.com' failed: Insufficient access: SASL(0): successful result:
    Unable to delete replica 'p-ipa-wd02.prod.the.flatiron.com'
    ^CTraceback (most recent call last):
      File "/usr/sbin/ipa-replica-manage", line 1252, in <module>
        main()
    KeyboardInterrupt

Backtraces of the suspicious threads and log excerpts are at http://p.flatiron.com/~jmou/ipa/ . I was only able to install a limited set of debugging symbols; let me know if I can be of more help.

Any help in fixing this replica or even just removing it would be greatly appreciated!

Joe

    Thread 41 (Thread 0x7f0f6353b700 (LWP 1127)):
    #0  0x7f0f72f11565 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
    No symbol table info available.
    #1  0x7f0f6dc9bf63 in __db_hybrid_mutex_suspend () from /lib64/libdb-5.3.so
    No symbol table info available.
    #2  0x7f0f6dc9b440 in __db_tas_mutex_lock () from /lib64/libdb-5.3.so
    No symbol table info available.
    #3  0x7f0f6dd4085a in __lock_get_internal () from /lib64/libdb-5.3.so
    No symbol table info available.
    #4  0x7f0f6dd41460 in __lock_get () from /lib64/libdb-5.3.so
    No symbol table info available.
    #5  0x7f0f6dd6bc2a in __db_lget () from /lib64/libdb-5.3.so
    No symbol table info available.
    #6  0x7f0f6dcb84f4 in __bam_search () from /lib64/libdb-5.3.so
    No symbol table info available.
    #7  0x7f0f6dca3996 in __bamc_search () from /lib64/libdb-5.3.so
    No symbol table info available.
    #8  0x7f0f6dca53af in __bamc_get () from /lib64/libdb-5.3.so
    No symbol table info available.
    #9  0x7f0f6dd58ff6 in __dbc_iget () from /lib64/libdb-5.3.so
    No symbol table info available.
    #10 0x7f0f6dd67704 in __dbc_get_pp () from /lib64/libdb-5.3.so
    No symbol table info available.
    #11 0x7f0f69c9c740 in idl_new_fetch (be=0x7f0f75e1e750, db=<optimized out>, inkey=0x7f0f6352dca0, txn=0x0, a=0x7f0f75ee68d0, flag_err=0x7f0f6353466c, allidslimit=10) at ldap/servers/slapd/back-ldbm/idl_new.c:231
            ret = 0
            idl_rc = 0
            cursor = 0x7f0f75fa5ce0
            idl = 0x0
            key = {data = 0x7f0f6352de00, size = 10, ulen = 10, dlen = 0, doff = 0, app_data = 0x0, flags = 2056}
            data = {data = 0x7f0f6352bbb0, size = 8192, ulen = 8192, dlen = 0, doff = 0, app_data = 0x0, flags = 2048}
            id = 0
            count = 0
            buffer = "memberOf-default", '\000' <repeats 5416 times>...
            ptr = <optimized out>
            dataret = {data = 0x0, size = 0, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 0}
            s_txn = {back_txn_txn = 0x0}
            li = <optimized out>
    #12 0x7f0f69c9c3cd in idl_fetch_ext (be=be@entry=0x7f0f75e1e750, db=<optimized out>, key=key@entry=0x7f0f6352dca0, txn=txn@entry=0x0, a=<optimized out>, err=err@entry=0x7f0f6353466c, allidslimit=allidslimit@entry=10) at ldap/servers/slapd/back-ldbm/idl_shim.c:130
    No locals.
    #13 0x7f0f69caa451 in index_read_ext_allids (pb=pb@entry=0x7f0f54079140, be=be@entry=0x7f0f75e1e750, type=type@entry=0x7f0f54075910 "objectclass", indextype=indextype@entry=0x7f0f69ceb937 "eq", val=<optimized out>, txn=txn@entry=0x7f0f63531f50, err=err@entry=0x7f0f6353466c, unindexed=unindexed@entry=0x7f0f63531f44, allidslimit=allidslimit@entry=10) at ldap/servers/slapd/back-ldbm/index.c:1048
            db = 0x7f0f75fa5720
            db_txn = 0x0
            key = {data = 0x7f0f6352de00, size = 10, ulen = 10, dlen = 0, doff = 0, app_data = 0x0, flags = 2048}
            idl = 0x0
            prefix = <optimized out>
            tmpbuf = 0x0
            buf = "=referral\000\377\377\000\000\000\000\344\337Rc\017\177\000\000\020\062\aT\017\177\000\000\000\000\000\000\000\000\000\000\331\022\367t\017\177", '\000' <repeats 14 times>, "\002\000\000\000\300\347\341u\017\177\000\000\230\336Rc\017\177\000\000\020\062\aT\017\177\000\000\000\000\000\000\000\000\000\000\020\062\aT\017\177\000\000\200\216\303u\017\177", '\000' <repeats 18 times>, "\006", '\000' <repeats 23 times>, "\060\000\000\000\000\000\000\000\017\001\000\000\000\000\000\000\336\002\365t\017\177\000\000\320\336Rc\017\177\000\000\370\305\002T\017\177\000\000\001", '\000' <repeats 23 times>...
            typebuf =
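Both threads on this page come down to the question Dmitri raises above, whether the directory server behind the failing component is actually answering: pkispawn saw `[Errno 111] Connection refused` (nothing listening yet), while Joe's replica accepts the TCP connection and then never replies, which is why ipa-replica-manage hangs. The probe below is an added example, not code from either thread or from FreeIPA or 389-ds: it sends a hand-encoded anonymous LDAPv3 bind with a socket timeout and classifies the server as down, hung, or answering, so a replica can be checked without blocking indefinitely. `fake_directory` and the ports it hands out are a constructed test double for illustration, not a real ns-slapd.

```python
import socket
import threading

BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")  # LDAPv3 anonymous simple bind, msgid 1
BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")  # BindResponse, resultCode 0 (success)
_LISTENERS = []  # keeps fake_directory listeners alive for the 'hang' case

def _tlv(buf, i):  # one BER TLV at buf[i]; short-form length is enough for bind PDUs
    return buf[i], buf[i + 2:i + 2 + buf[i + 1]], i + 2 + buf[i + 1]

def bind_result_code(resp):
    """resultCode from a BindResponse PDU, or None if resp is not one."""
    try:
        tag, body, _ = _tlv(resp, 0)
        _, _, i = _tlv(body, 0)            # skip messageID
        optag, op, _ = _tlv(body, i)
        ctag, code, _ = _tlv(op, 0)
    except IndexError:
        return None
    if tag != 0x30 or optag != 0x61 or ctag != 0x0A or not code:
        return None                        # not SEQUENCE / [APPLICATION 1] / ENUMERATED
    return code[0]

def probe_ldap(host, port, timeout=5.0):
    """'down': nothing listening (pkispawn's Errno 111); 'hung': TCP accepted but no
    LDAP answer within timeout (how a deadlocked ns-slapd looks); 'ok'; 'bind-error:N'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(BIND_REQUEST)        # BER is hand-encoded, so no python-ldap needed
            data = s.recv(4096)
    except ConnectionRefusedError:
        return "down"
    except socket.timeout:
        return "hung"
    code = bind_result_code(data)
    return "ok" if code == 0 else "bind-error:%s" % code

def fake_directory(mode, reply=BIND_SUCCESS):
    """Constructed ns-slapd test double: 'answer' sends reply, 'hang' never answers, 'down' is a dead port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if mode == "down":
        srv.close()
        return port
    srv.listen(1)                          # 'hang': connections queue here and are never accepted
    _LISTENERS.append(srv)
    if mode == "answer":
        def serve():
            conn, _ = srv.accept()
            conn.recv(4096)                # read the bind request, then answer it
            conn.sendall(reply)
            conn.close()
        threading.Thread(target=serve, daemon=True).start()
    return port
```

Against a real replica, `probe_ldap("p-ipa-wd02.prod.the.flatiron.com", 389, timeout=10)` returning "hung" is the condition Joe describes, and a loop of "down" results during a CA install matches the pkispawn retry log.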
Re: [Freeipa-users] IPA replica directory server hung
On 12/18/2013 12:43 PM, Joe Mou wrote:
> I have a broken IPA replica that appears to be suffering from a hung directory server. The master seems to be working fine, but LDAP requests to the replica hang indefinitely. I attached gdb to ns-slapd and suspect a deadlock in cos_cache.c. Thread 7 seems to be hung on an LDAP delete for a user account that we recently removed. Every time the directory server is started, it tries to issue this delete, apparently to sync the replica.
>
> I have been unsuccessful in trying to remove the offending replica because ipa-replica-manage seems to need to make LDAP requests against the replica. For example:
>
>     $ ipa-replica-manage del p-ipa-wd02.prod.the.flatiron.com
>     ^CConnection to 'p-ipa-wd02.prod.the.flatiron.com' failed: Insufficient access: SASL(0): successful result:
>     Unable to delete replica 'p-ipa-wd02.prod.the.flatiron.com'
>     ^CTraceback (most recent call last):
>       File "/usr/sbin/ipa-replica-manage", line 1252, in <module>
>         main()
>     KeyboardInterrupt
>
> Backtraces of the suspicious threads and log excerpts are at http://p.flatiron.com/~jmou/ipa/ . I was only able to install a limited set of debugging symbols; let me know if I can be of more help.
>
> Any help in fixing this replica or even just removing it would be greatly appreciated!

What is your platform?

    rpm -q 389-ds-base

There were some hangs with RHEL 6.4.z. Please update to the latest 389-ds-base (1.2.11.15-30 or later) and nss 3.15.3 or later.

> Joe

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Question: re replica install
Les Stott wrote:
> Hi All,
>
> (RHEL 6.4, FreeIPA 3.0.0-37)
>
> Say I want to install a replica server in a restricted network, but I don't want to enable http management on the replica. I am pretty sure the following is true, but ask the question just to be sure....
>
> Can a replica work (for authentication and replication) without http?
>
> I can't see a switch on ipa-replica-install to not set up http, so I imagine if the above was possible I could...
>
> 1. Install the replica
> 2. Let it configure http
> 3. Turn off http

You'd probably run into weird corner-case problems, and how DNS is configured might work around some of them, until it doesn't.

I think the most likely pain points would be the ipa tool and certmonger.

certmonger will use the IPA configured in /etc/ipa/default.conf, so as long as you ensure that points to one of the other masters you'll probably be ok. But that is only on the clients. On the master itself renewal of the IPA server certs will likely fail.

The ipa tool, which by default also uses default.conf, will fail over to other masters, but you might notice a delay.

What might be a better idea would be to firewall it rather than shutting down the service.

rob
Re: [Freeipa-users] Question: re replica install
Thanks Rob.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, 19 December 2013 12:08 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Question: re replica install