Re: [Freeipa-users] Unable to Install IPA

2015-02-28 Thread Hadoop Solutions
Hi Rob,

In this node we have disabled SELinux. Is it causing this error???

Thanks,
Shaik

On 28 February 2015 at 14:18, Rob Crittenden rcrit...@redhat.com wrote:

 Hadoop Solutions wrote:
  Hi Rob,
 
  Please find the attached log of /var/log/ipaserver-install.log.
 
  Kindly let me know the solution for this.

 Can you see if you have any SELinux failures?

 # ausearch -m AVC -ts recent

 I see some SELinux errors in the log. Not sure if this is it or not but
 for some reason the dogtag SELinux policy doesn't always install
 correctly. The fix seems to be to re-install the pki-selinux package.

 You'll also need to run pkiremove manually after running
 ipa-server-install --uninstall. It doesn't always record the fact that a
 service install is attempted and fails.

 # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

 rob

 
  Thanks,
  Shaik
 
  On 28 February 2015 at 11:29, Rob Crittenden rcrit...@redhat.com wrote:
 
  Hadoop Solutions wrote:
   Hi,
  
   I am trying to install IPA on RHEL 6, but I am getting the following
   errors while installing IPA.
  
   Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
     [1/20]: creating certificate server user
     [2/20]: configuring certificate server instance
   ipa : CRITICAL failed to configure ca instance Command
   '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
   sv2lxdpdsedi02.corp.equinix.com -cs_port 9445
   -client_certdb_dir /tmp/tmp-ipQMeE -client_certdb_pwd 
   -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA -admin_user admin
   -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent
   -agent_key_size 2048 -agent_key_type rsa
   -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP
   -ldap_host sv2lxdpdsedi02.corp.equinix.com -ldap_port 7389
   -bind_dn cn=Directory Manager -bind_password 
   -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
   -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
   -subsystem_name pki-cad -token_name internal
   -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
   -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
   -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP
   -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com,O=LAB.BDP
   -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP
   -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP
   -external false -clone false' returned non-zero exit status 255
   Configuration of CA failed
 
  You'll find more relevant error messages in the full
  /var/log/ipaserver-install.log and /var/log/pki-ca/debug
 
  rob
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
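Rob's advice in the thread is to look for SELinux AVC denials with ausearch -m AVC -ts recent. What follows is an added editorial example, not code from the thread or from the FreeIPA or Dogtag projects: a small Python triage script that parses records in the layout ausearch prints and collapses them into distinct findings per source domain, target type, object class and permission, so that a long listing reduces to the few denials worth reading. The audit lines embedded in it are constructed; the pki_ca_t domain, the contexts and the port are illustrative assumptions, and the permissive= field is only used when the kernel emits it.

```python
#!/usr/bin/env python3
"""Triage helper for `ausearch -m AVC` output.

Added editorial example; not code from the thread or from FreeIPA/Dogtag.
Groups AVC denial records by source domain, target type, object class and
permission so that a long listing collapses into a few distinct findings.
"""
import re
import sys
from collections import Counter

# Constructed sample in the standard audit AVC record layout. The process
# names, contexts and port are illustrative assumptions, not captured data.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1425100000.123:456): avc:  denied  { write } for  pid=1234 comm="java" name="debug" dev=dm-0 ino=789 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1425100001.456:457): avc:  denied  { write } for  pid=1234 comm="java" name="debug" dev=dm-0 ino=789 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1425100002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="java" dest=7389 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1425100003.001:459): avc:  denied  { read search } for  pid=2222 comm="httpd" name="ipa" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'   # permissions denied
    r'.*?comm="(?P<comm>[^"]*)"'                    # process name
    r'.*?scontext=(?P<scontext>\S+)'                # source (process) context
    r'.*?tcontext=(?P<tcontext>\S+)'                # target (object) context
    r'.*?tclass=(?P<tclass>\S+)'                    # object class
    r'(?:.*?permissive=(?P<permissive>[01]))?'      # only on newer kernels
)


def parse_avc(text):
    """Return one dict per AVC denial record found in text."""
    denials = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = tuple(sorted(rec["perms"].split()))
        # The third colon-separated field of a context is the SELinux type.
        rec["sdomain"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        rec["permissive"] = rec["permissive"] == "1"
        denials.append(rec)
    return denials


def summarize(denials, domain=None):
    """Count denials keyed by (source domain, target type, class, perms,
    permissive flag); optionally restrict to one source domain."""
    counts = Counter()
    for rec in denials:
        if domain and rec["sdomain"] != domain:
            continue
        counts[(rec["sdomain"], rec["ttype"], rec["tclass"],
                rec["perms"], rec["permissive"])] += 1
    return counts


def enforced_denials(denials, domain):
    """Denials for domain that were actually enforced (not permissive)."""
    return [r for r in denials
            if r["sdomain"] == domain and not r["permissive"]]


def main(argv):
    # Read piped ausearch output; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    domain = argv[1] if len(argv) > 1 else None
    for key, n in sorted(summarize(parse_avc(text), domain).items()):
        sdomain, ttype, tclass, perms, permissive = key
        mode = "permissive" if permissive else "enforced"
        print(f"{n:4d}  {sdomain} -> {ttype} ({tclass}) "
              f"{{ {' '.join(perms)} }} [{mode}]")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against saved ausearch output (for instance, ausearch -m AVC -ts recent | python3 avc_triage.py pki_ca_t, with the file name and domain as assumptions). An empty summary for a domain does not by itself show SELinux is uninvolved: when SELinux is disabled no AVC records are written at all, and in permissive mode a denial is logged but not enforced, which is why the summary keeps the permissive flag separate from enforced denials.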

[Freeipa-users] issues with secondary groups? (sssd)

2015-02-28 Thread Janelle

Hello,

I was wondering - I have searched around and seen a few questions and 
solutions, but nothing I try is fixing my environment.


Things have been working quite well with IPA 4.0.5, simple things with 
auth and logins - some with full ipa-client-install configured, others 
just using LDAP and that is where the strangeness comes from.


With full IPA client integration, secondary groups work just fine, as do 
base commands like id and getent. However, the LDAP users never 
show the secondary group for their uid.


Any pointers you might suggest? I have tried setting 
ldap_group_member = uniqeMember in sssd.conf - no change.


A simple secondary group is defined:

dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
cn: web_users
objectClass: ipaobject
objectClass: extensibleobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
member: uid=user5,cn=users,cn=accounts,dc=example,dc=com

and yet with debug_level = 7 -- sssd still says: 
[sdap_process_ghost_members] (0x0400): Group has 0 members

and id or getent of any of user1..5 just returns the primary GID.

Any ideas? Tips? What else might you want to see?

~J
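The group entry in the post carries its members in two forms, memberUid (bare user names, RFC 2307 style) and member (full DNs, RFC 2307bis style), and has no uniqueMember attribute at all. As an added editorial example, not sssd or FreeIPA code, the Python script below parses that entry and resolves membership the way a client configured to read a given attribute would, which shows how a "Group has 0 members" result arises when the configured membership attribute is one the entry does not carry. The entry is embedded verbatim from the post; the function names and the script name are the example's own.

```python
#!/usr/bin/env python3
"""Resolve group membership the way an LDAP client would, given the
attribute it is configured to read.

Added editorial example; not sssd or FreeIPA code. The group entry below is
the one posted in the thread, embedded so the script runs offline.
"""
import re

GROUP_LDIF = """\
dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
cn: web_users
objectClass: ipaobject
objectClass: extensibleobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
member: uid=user5,cn=users,cn=accounts,dc=example,dc=com
"""

# Leading RDN of a user DN; attribute names are case-insensitive in LDAP.
UID_RDN = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.
    Unfolds continuation lines (which start with a space) and skips
    comments; base64 values ("::") are not needed for this entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw.rstrip())
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def resolve_members(entry, member_attr):
    """User names a client reading member_attr would derive from the entry.
    memberUid holds bare names; member/uniqueMember hold DNs, from which
    the uid RDN is taken. An attribute the entry does not carry yields an
    empty set, which is exactly what the client would see."""
    names = set()
    for value in entry.get(member_attr.lower(), []):
        m = UID_RDN.match(value)
        names.add(m.group(1) if m else value)
    return names


def diagnose(entry, configured_attr):
    """Member count per candidate attribute, configured one first, so a
    misspelled or mismatched membership attribute stands out."""
    candidates = [configured_attr] + [
        a for a in ("member", "memberUid", "uniqueMember")
        if a.lower() != configured_attr.lower()]
    return {attr: len(resolve_members(entry, attr)) for attr in candidates}


if __name__ == "__main__":
    entry = parse_ldif_entry(GROUP_LDIF)
    # The attribute name is the one quoted in the post.
    for attr, count in diagnose(entry, "uniqeMember").items():
        print(f"{attr:<14} -> {count} member(s)")
```

Which attribute sssd actually reads is decided by ldap_schema together with ldap_group_member; the script does not model sssd's per-schema defaults, it only shows what each attribute name yields against this particular entry, so it is a quick check to run before changing sssd.conf.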



Re: [Freeipa-users] Unable to Install IPA

2015-02-28 Thread Hadoop Solutions
Hi,

Does IPA require SELinux to be enabled on the system?

Thanks,
Shaik

On 28 February 2015 at 16:49, Hadoop Solutions munna.had...@gmail.com
wrote:

 Hi Rob,

 In this node we have disabled SELinux. Is it causing this error???

 Thanks,
 Shaik

 On 28 February 2015 at 14:18, Rob Crittenden rcrit...@redhat.com wrote:

 Hadoop Solutions wrote:
  Hi Rob,
 
  Please find the attached log of /var/log/ipaserver-install.log.
 
  Kindly let me know the solution for this.

 Can you see if you have any SELinux failures?

 # ausearch -m AVC -ts recent

 I see some SELinux errors in the log. Not sure if this is it or not but
 for some reason the dogtag SELinux policy doesn't always install
 correctly. The fix seems to be to re-install the pki-selinux package.

 You'll also need to run pkiremove manually after running
 ipa-server-install --uninstall. It doesn't always record the fact that a
 service install is attempted and fails.

 # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

 rob

 
  Thanks,
  Shaik
 
  On 28 February 2015 at 11:29, Rob Crittenden rcrit...@redhat.com wrote:
 
  Hadoop Solutions wrote:
   Hi,
  
   I am trying to install IPA on RHEL 6, but I am getting the following
   errors while installing IPA.
  
   Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
     [1/20]: creating certificate server user
     [2/20]: configuring certificate server instance
   ipa : CRITICAL failed to configure ca instance Command
   '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
   sv2lxdpdsedi02.corp.equinix.com -cs_port 9445
   -client_certdb_dir /tmp/tmp-ipQMeE -client_certdb_pwd 
   -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA -admin_user admin
   -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent
   -agent_key_size 2048 -agent_key_type rsa
   -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP
   -ldap_host sv2lxdpdsedi02.corp.equinix.com -ldap_port 7389
   -bind_dn cn=Directory Manager -bind_password 
   -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
   -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
   -subsystem_name pki-cad -token_name internal
   -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
   -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
   -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP
   -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com,O=LAB.BDP
   -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP
   -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP
   -external false -clone false' returned non-zero exit status 255
   Configuration of CA failed
 
  You'll find more relevant error messages in the full
  /var/log/ipaserver-install.log and /var/log/pki-ca/debug
 
  rob
 
 


