Re: [Freeipa-users] Unable to Install IPA
Hi Rob, In this node we have disabled SELinux. Is it cusing this error??? Thanks, Shaik On 28 February 2015 at 14:18, Rob Crittenden rcrit...@redhat.com wrote: Hadoop Solutions wrote: Hi Rob, please find the attached log of /var/log/ipaserver-install.log kindly let me know the solution for this.. Can you see if you have any SElinux failures? # ausearch -m AVC -ts recent I see some SELinux errors in the log. Not sure if this is it or not but for some reason the dogtag SELinux policy doesn't always install correctly. The fix seems to be to re-install the pki-selinux package. You'll also need to run pkiremove manually after running ipa-server-install --uninstall. It doesn't always record the fact that a service install is attempted and fails. # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force rob Thanks, Shaik On 28 February 2015 at 11:29, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Hadoop Solutions wrote: Hi, i am trying to install IPA on RHEL 6, but i am getting following errors while installing the IPA. Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com -cs_port 9445 -client_certdb_dir /tmp/tmp-ipQMeE -client_certdb_pwd -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP -ldap_host sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com,O=LAB.BDP -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP -external false -clone false' returned non-zero exit status 255 Configuration of CA failed You'll find more relevant error messages in the full /var/log/ipaserver-install.log and /var/log/pki-ca/debug rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] issues with secondary groups? (sssd)
Hello, I was wondering - I have searched around and seen a few questions and solutions, but nothing I try is fixing my environment. Things have been working quite well with IPA 4.0.5, simple things with auth and logins - some with full ipa-client-install configured, others just using LDAP and that is where the strangeness comes from. with full IPA client integration, secondary groups work just find, as do base commands like id and getent. However, the ldap users, never show the secondary group for their uid? Any pointers you might suggest? I have tried the sssd.conf of ldap_group_member = uniqeMember - no change. a simple secondary group is defined: dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com cn: web_users objectClass: ipaobject objectClass: extensibleobject objectClass: top objectClass: ipausergroup objectClass: posixgroup objectClass: groupofnames objectClass: nestedgroup memberUid: user1 memberUid: user2 memberUid: user3 memberUid: user4 memberUid: user5 member: uid=user1,cn=users,cn=accounts,dc=example,dc=com member: uid=user2,cn=users,cn=accounts,dc=example,dc=com member: uid=user3,cn=users,cn=accounts,dc=example,dc=com member: uid=user4,cn=users,cn=accounts,dc=example,dc=com member: uid=user5,cn=users,cn=accounts,dc=example,dc=com and yet with debug_level = 7 -- sssd still says: [sdap_process_ghost_members] (0x0400): Group has 0 members and id or getent of any of user1..5 just returns the primary GID. Any ideas? Tips? What else might you want to see? ~J -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Unable to Install IPA
Hi, IPA required SELinux enabled on the system? Thanks, Shaik On 28 February 2015 at 16:49, Hadoop Solutions munna.had...@gmail.com wrote: Hi Rob, In this node we have disabled SELinux. Is it cusing this error??? Thanks, Shaik On 28 February 2015 at 14:18, Rob Crittenden rcrit...@redhat.com wrote: Hadoop Solutions wrote: Hi Rob, please find the attached log of /var/log/ipaserver-install.log kindly let me know the solution for this.. Can you see if you have any SElinux failures? # ausearch -m AVC -ts recent I see some SELinux errors in the log. Not sure if this is it or not but for some reason the dogtag SELinux policy doesn't always install correctly. The fix seems to be to re-install the pki-selinux package. You'll also need to run pkiremove manually after running ipa-server-install --uninstall. It doesn't always record the fact that a service install is attempted and fails. # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force rob Thanks, Shaik On 28 February 2015 at 11:29, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Hadoop Solutions wrote: Hi, i am trying to install IPA on RHEL 6, but i am getting following errors while installing the IPA. Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com -cs_port 9445 -client_certdb_dir /tmp/tmp-ipQMeE -client_certdb_pwd -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP -ldap_host sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com http://sv2lxdpdsedi02.corp.equinix.com,O=LAB.BDP -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP -external false -clone false' returned non-zero exit status 255 Configuration of CA failed You'll find more relevant error messages in the full /var/log/ipaserver-install.log and /var/log/pki-ca/debug rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project