Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-27 Thread Erinn Looney-Triggs

On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote:
 On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
 Well it hasn't been all the pretty trying to move from RHEL 6.5
 to RHEL 7.
 
 I have two servers providing my ipa instances ipa and ipa2.
 Given that I don't have a great deal of spare capacity the plan
 was to remove ipa2 from the replication agreement, modify DNS so
 that only IPA was available in SRV logs (IPA does not manage DNS
 at this point, was waiting for DNSSEC). As well, I would change
 my sudo-ldap config files to point to ipa and remove ipa2.
 
 Well that all worked well, installed RHEL 7 on the system and 
 began working through the steps in the upgrade guide.
 
 First major problem was running into this bug: 
 https://fedorahosted.org/freeipa/ticket/4375 ValueError: 
 nsDS5ReplicaId has 2 values, one expected.
 
 Went and patched the replication.py file to get around that
 issue, and we moved on.
 
 Next up is my current issue: Exception from Java Configuration 
 Servlet: Clone does not have all the required certificates.
 
 I suspect this is because I am running the CA as a subordinate
 to an AD CS instance, but I am unsure at this point.
 
 It has been a haul to get here, despite the short explanation. It
  seems that my primary ipa instance is working on only a hit or 
 miss basis for kerberos tickets which has made all this a bit of
 a pain. You can kinit as admin once it will fail unable to find
 KDC, try again another three times, it will work. I have even
 modified the krb5.conf file to point directly at the server, thus
 bypassing DNS SRV lookups, however, that hasn't worked.
 
 Point is, any help would be appreciated on the aforementioned 
 error.
 
 -Erinn
 
 
 To reply to myself here, I believe the problem may be that I had
 to renew the CA certificates and as such the certificates in 
 /root/cacert.p12 are no longer valid. It is this file that gets 
 bundled up with whatever else using ipa-replica-prepare, so I will 
 have to create a new one that has the valid certificates in it.
 
 One way or another though, if it isn't already documented, during a
 CA renewal this file should probably be updated with the correct 
 certificates.
 
 -Erinn
 
 -Erinn
 
 

Well thanks to this:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I have gotten a little further down the road and created a new
cacert.p12 which looks to be complete.

However, installation still fails in the same place:

2014-07-27T06:33:04Z DEBUG Starting external process
2014-07-27T06:33:04Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp5QGhUx
2014-07-27T06:33:25Z DEBUG Process finished, return code=1
2014-07-27T06:33:25Z DEBUG stdout=Loading deployment configuration from /tmp/tmp5QGhUx.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2014-07-27T06:33:25Z DEBUG stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Clone does not have all the required certificates

2014-07-27T06:33:25Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp5QGhUx' returned non-zero exit status 1
2014-07-27T06:33:25Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 638, in run_script
    return_value = main_function()

  File /usr/sbin/ipa-replica-install, line 667, in main
    CA = cainstance.install_replica_ca(config)

  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1678, in install_replica_ca
    subject_base=config.subject_base)

  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
    self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 364, in start_creation
    method()

  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2014-07-27T06:33:25Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed


So some of the required certificates must be missing still.

Unhelpfully, the ipa-server-install --uninstall process is not
cleaning up everything after this failure: it leaves the CA intact, and
the next run through the installer believes the CA is working, so it
does not configure it. As such, I guess a re-install is necessary, or
some other steps to truly clean everything that I haven't found yet.

-Erinn
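A pre-flight check for the stale cacert.p12 problem described in this message, added here as an example that is not part of the thread or of FreeIPA's own tooling: it compares the SHA-256 fingerprints of the certificates inside the PKCS#12 bundle against the CA signing certificate currently in the Dogtag NSS database, so a bundle that predates a CA renewal is caught before ipa-replica-prepare ships it. The NSS database path, the certificate nickname and the use of the Directory Manager password for the bundle are assumed defaults.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: verify that the CA
# signing certificate bundled in cacert.p12 is the one the CA currently uses.
# Paths, the NSS nickname and the bundle password are assumed defaults.

# Print one SHA-256 fingerprint per certificate found in PEM file $1.
pem_fingerprints() {
    dir=$(mktemp -d) || return 1
    # split the bundle into one file per certificate, dropping bag attributes
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++; c=1}
                     c {print > (d "/" n ".pem")}
                     /-----END CERTIFICATE-----/ {c=0}' "$1"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//'
    done
    rm -rf "$dir"
}

# Return 0 when every certificate in PEM file $3 is present (by fingerprint)
# in the PKCS#12 bundle $1 opened with password $2; otherwise list what is
# missing on stderr and return 1. A renewed CA certificate keeps its subject
# but gets a new fingerprint, so a stale bundle fails this check.
p12_contains_certs() {
    tmp=$(mktemp) || return 1
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" > "$tmp" 2>/dev/null
    have=$(pem_fingerprints "$tmp")
    rm -f "$tmp"
    rc=0
    for fp in $(pem_fingerprints "$3"); do
        case "$have" in
            *"$fp"*) ;;
            *) echo "missing from $1: $fp" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the CA master before ipa-replica-prepare (assumed default layout):
#   certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a > /tmp/ca-live.pem
#   p12_contains_certs /root/cacert.p12 "$DM_PASSWORD" /tmp/ca-live.pem \
#       || echo "cacert.p12 predates the CA renewal; regenerate it before preparing the replica"
```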

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-27 Thread Erinn Looney-Triggs

Continuing on, in order to remove the CA I am manually running:
pkidestroy -s CA -i pki-tomcat

And indeed there is a bug: 

[Freeipa-users] SSSD startup failures on ipa clients

2014-07-27 Thread Mark Heslin

Folks,

I just stumbled on an odd issue. I have an OpenShift deployment with 2 brokers, 2 nodes, 1 rhc client all running RHEL 6.5. I also have 2 IPA servers (1 server, 1 replica), 1 IPA admin (tools) client all running RHEL 7.0.
All OpenShift hosts, client and IPA client are members of IPA domain 'interop.example.com'.


After creating ssh public keys on the IPA admin client for user 'ose-admin1' and uploading them into IPA, I am able to ssh with the key to all IPA domain hosts as user 'ose-admin1' except the 2 node hosts.
In looking closer at the 2 node hosts I noticed that SSSD keeps failing on start:


# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory[FAILED]
Starting sssd: [FAILED]

Starting with debug mode shows:

  [root@node1/2 ~]# sssd -d9
  (Sun Jul 27 22:12:29:527689 2014) [sssd] [check_file] (0x0400): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
  (Sun Jul 27 22:12:29:529293 2014) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
  (Sun Jul 27 22:12:29:529596 2014) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [interop.example.com]!
  (Sun Jul 27 22:12:29:529646 2014) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
  (Sun Jul 27 22:12:29:529686 2014) [sssd] [server_setup] (0x0040): Becoming a daemon.


The logs show nothing useful, but this problem started during the ipa-client-install - the log shows:


  2014-07-23T18:40:22Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd

  2014-07-23T18:40:22Z DEBUG stdout=Starting oddjobd:[  OK ]
  2014-07-23T18:40:22Z DEBUG stderr=
  2014-07-23T18:40:22Z INFO SSSD enabled
  2014-07-23T18:40:29Z DEBUG args=/sbin/service sssd restart
  2014-07-23T18:40:29Z DEBUG stdout=Stopping sssd: [FAILED]
  Starting sssd:[FAILED]

  2014-07-23T18:40:29Z DEBUG stderr=cat: /var/run/sssd.pid: No such file or directory

  2014-07-23T18:40:29Z WARNING SSSD service restart was unsuccessful.
  2014-07-23T18:40:29Z DEBUG args=/sbin/chkconfig sssd on
  2014-07-23T18:40:29Z DEBUG stdout=

Any ideas? Have we seen this before? I suppose I could uninstall the ipa client and re-install, but I didn't want to touch anything until I hear back.

Thanks!

-m

btw - All systems have been updated as of this evening. Kerberos works fine but anything requiring lookups is toast.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project