September 2017 - FreeIPA-users - Fedora Mailing-Lists

Cannot access Web UI after IPA upgrade to 4.5

by Gustavo Berman

Hi there, Today we upgraded to the latest IPA 4.5, log says it upgraded just fine, ipa seems to authenticate allright, but web ui fails with: Operations ErrorSome operations failed.an internal error has occurred And the details it shows when I press the OK button are: Runtime error Web UI got in unrecoverable state during "profile" phase. Technical details: t.metadata is undefined update_logged_in@https://ipaserver.fisica.cabib/ipa/ui/ js/freeipa/app.js?40500:1:18156 choose_profile@https:// ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:16651 register_phases/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:16651regi...> <@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1181 _run_phase/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1181_run_...> <@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3476 forEach@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/ dojo.js?v=40500:1:29752 _run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/ freeipa/app.js?40500:1:3440 next_phase@https://ipaserver. fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899 _run_phase/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899_run_...> <@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626 c@ https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960 d/t.then@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/ dojo.js?v=40500:1:62246 <https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960d/t....> _run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/ freeipa/app.js?40500:1:3548 next_phase@https://ipaserver. fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899 _run_phase/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899_run_...> <@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626 c@ https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960 l@ https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886 d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/ js/dojo/dojo.js?v=40500:1:61873 dojo/promise/all/ <https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886d/th...> </</</<@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1: 85255 c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js? v=40500:1:60960 l@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886 d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/ js/dojo/dojo.js?v=40500:1:61873 register_phases/ <https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886d/th...> </<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1092 on_success@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:34431 freeipa/rpc/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:34431free...> </a.concurrent_command/t.on_success_all@https://ipaserver.fisica.cabib/ipa/ ui/js/freeipa/app.js?40500:1:57160 freeipa/rpc/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:57160free...> </a.concurrent_command/t.command_completed@https://ipaserver.fisica.cabib/ ipa/ui/js/freeipa/app.js?40500:1:56953 freeipa/rpc/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56953free...> </a.concurrent_command/t.success_handler@https://ipaserver.fisica.cabib/ ipa/ui/js/freeipa/app.js?40500:1:56790 freeipa/rpc/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56790free...> </a.concurrent_command/t.execute/n.on_success</<@https://ipaserver. fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56340 freeipa/rpc/ <https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56340free...> </a.command/l.register_handlers/<@https://ipaserver.fisica.cabib/ipa/ui/ js/freeipa/app.js?40500:1:53786 f@https://ipaserver.fisica. cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:49586 dojo/on/ <https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:49586dojo...> </i.emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45192 dojo/on/ <https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45192dojo...> </i.emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1: 45808 emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js? v=40500:1:48712 c@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app. js?40500:1:52429 l@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery. js?v=40500:4:24877 fireWith@https://ipaserver.fisica.cabib/ipa/ui/js/libs/ jquery.js?v=40500:4:25702 k@https://ipaserver.fisica. cabib/ipa/ui/js/libs/jquery.js?v=40500:6:5346 t/ <https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:5346t/><@ https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:9152 Apache error logs shows: [Mon Aug 07 11:04:32.078630 2017] [:warn] [pid 11845] [client ##.##.##.##:45938] failed to set perms (3140) on file (/var/run/ipa/ccaches/tavo(a)FISICA.CABIB)!, referer: https://ipaserver.fisica.cabib/ipa/ui/ [Mon Aug 07 11:04:32.079589 2017] [:error] [pid 11839] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Mon Aug 07 11:04:32.079709 2017] [:error] [pid 11839] ipa: DEBUG: WSGI jsonserver_session.__call__: [Mon Aug 07 11:04:32.160389 2017] [:error] [pid 11839] ipa: DEBUG: Created connection context.ldap2_94603036533520 [Mon Aug 07 11:04:32.160485 2017] [:error] [pid 11839] ipa: DEBUG: WSGI jsonserver.__call__: [Mon Aug 07 11:04:32.160577 2017] [:error] [pid 11839] ipa: DEBUG: WSGI WSGIExecutioner.__call__: [Mon Aug 07 11:04:32.170494 2017] [:error] [pid 11839] ipa: DEBUG: raw: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.228') [Mon Aug 07 11:04:32.170764 2017] [:error] [pid 11839] ipa: DEBUG: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.228') [Mon Aug 07 11:04:32.171033 2017] [:error] [pid 11839] ipa: DEBUG: raw: i18n_messages(version=u'2.228') [Mon Aug 07 11:04:32.171215 2017] [:error] [pid 11839] ipa: DEBUG: i18n_messages(version=u'2.228') [Mon Aug 07 11:04:32.178630 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: i18n_messages(): SUCCESS [Mon Aug 07 11:04:32.178857 2017] [:error] [pid 11839] ipa: DEBUG: raw: config_show(version=u'2.228') [Mon Aug 07 11:04:32.179094 2017] [:error] [pid 11839] ipa: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.228') [Mon Aug 07 11:04:32.181775 2017] [:error] [pid 11839] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x560a7e36a0e0> [Mon Aug 07 11:04:32.548227 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: config_show(): SUCCESS [Mon Aug 07 11:04:32.548454 2017] [:error] [pid 11839] ipa: DEBUG: raw: whoami(version=u'2.228') [Mon Aug 07 11:04:32.548625 2017] [:error] [pid 11839] ipa: DEBUG: whoami(version=u'2.228') [Mon Aug 07 11:04:32.549205 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: whoami(): PROTOCOL_ERROR [Mon Aug 07 11:04:32.549456 2017] [:error] [pid 11839] ipa: DEBUG: raw: env(None, version=u'2.228') [Mon Aug 07 11:04:32.549700 2017] [:error] [pid 11839] ipa: DEBUG: env(None, server=False, all=True, version=u'2.228') [Mon Aug 07 11:04:32.550139 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: env(None): SUCCESS [Mon Aug 07 11:04:32.550350 2017] [:error] [pid 11839] ipa: DEBUG: raw: dns_is_enabled(version=u'2.228') [Mon Aug 07 11:04:32.550520 2017] [:error] [pid 11839] ipa: DEBUG: dns_is_enabled(version=u'2.228') [Mon Aug 07 11:04:32.552209 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: dns_is_enabled(): SUCCESS [Mon Aug 07 11:04:32.552435 2017] [:error] [pid 11839] ipa: DEBUG: raw: trustconfig_show(version=u'2.228') [Mon Aug 07 11:04:32.552742 2017] [:error] [pid 11839] ipa: DEBUG: trustconfig_show(rights=False, trust_type=u'ad', all=False, raw=False, version=u'2.228') [Mon Aug 07 11:04:32.558903 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: trustconfig_show(): SUCCESS [Mon Aug 07 11:04:32.559101 2017] [:error] [pid 11839] ipa: DEBUG: raw: domainlevel_get(version=u'2.228') [Mon Aug 07 11:04:32.559292 2017] [:error] [pid 11839] ipa: DEBUG: domainlevel_get(version=u'2.228') [Mon Aug 07 11:04:32.560543 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: domainlevel_get(): SUCCESS [Mon Aug 07 11:04:32.560753 2017] [:error] [pid 11839] ipa: DEBUG: raw: ca_is_enabled(version=u'2.228') [Mon Aug 07 11:04:32.560924 2017] [:error] [pid 11839] ipa: DEBUG: ca_is_enabled(version=u'2.228') [Mon Aug 07 11:04:32.562484 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: ca_is_enabled(): SUCCESS [Mon Aug 07 11:04:32.562694 2017] [:error] [pid 11839] ipa: DEBUG: raw: vaultconfig_show(version=u'2.228') [Mon Aug 07 11:04:32.562880 2017] [:error] [pid 11839] ipa: DEBUG: vaultconfig_show(all=False, raw=False, version=u'2.228') [Mon Aug 07 11:04:32.563089 2017] [:error] [pid 11839] ipa: DEBUG: raw: kra_is_enabled(version=u'2.228') [Mon Aug 07 11:04:32.563209 2017] [:error] [pid 11839] ipa: DEBUG: kra_is_enabled(version=u'2.228') [Mon Aug 07 11:04:32.564192 2017] [:error] [pid 11839] ipa: INFO: tavo(a)FISICA.CABIB: batch: vaultconfig_show(): InvocationError [Mon Aug 07 11:04:32.564462 2017] [:error] [pid 11839] ipa: INFO: [jsonserver_session] tavo(a)FISICA.CABIB: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.228'): SUCCESS [Mon Aug 07 11:04:32.567156 2017] [:error] [pid 11839] ipa: DEBUG: Destroyed connection context.ldap2_94603036533520 From the first line of apache log the file it refers to has this attributes: stat /var/run/ipa/ccaches/tavo(a)FISICA.CABIB File: ‘/var/run/ipa/ccaches/tavo(a)FISICA.xn--cabib-3v3b Size: 4596 Blocks: 16 IO Block: 4096 regular file Device: 12h/18d Inode: 37651 Links: 1 Access: (0600/-rw-------) Uid: ( 989/ ipaapi) Gid: ( 985/ ipaapi) Context: system_u:object_r:ipa_var_run_t:s0 Access: 2017-08-07 11:09:56.260676960 -0300 Modify: 2017-08-07 09:58:09.367597633 -0300 Change: 2017-08-07 09:58:09.367597633 -0300 Birth: - This are the ipa packages I have: rpm -qa | grep ipa python2-ipaclient-4.5.0-21.el7.noarch python-iniparse-0.4-9.el7.noarch sssd-ipa-1.15.2-50.el7.x86_64 ipa-client-4.5.0-21.el7.x86_64 python2-ipaserver-4.5.0-21.el7.noarch python-libipa_hbac-1.15.2-50.el7.x86_64 ipa-common-4.5.0-21.el7.noarch ipa-server-4.5.0-21.el7.x86_64 ipa-server-common-4.5.0-21.el7.noarch ipa-server-dns-4.5.0-21.el7.noarch python-ipaddress-1.0.16-2.el7.noarch ipa-python-compat-4.5.0-21.el7.noarch ipa-client-common-4.5.0-21.el7.noarch libipa_hbac-1.15.2-50.el7.x86_64 python2-ipalib-4.5.0-21.el7.noarch Any ideas? Thanks! -- Gustavo Berman Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA

6 years, 7 months

3
7
0 / 0

Use TLD or not for freeipa

by Wanderley Teixeira

I have control of a domain for example example.com I am designing envs that have a few private zones with dns such as int.example.com, dev.example.com, stage.example.com and I will control all these environments from int.example.com Should I create ipa servers as int.example.com and have ipa servers in ipa1.int.example.com, ipa2.int.example.com and set domain to example.com and realm EXAMPLE.com. This way I can add the SRV and TXT entries to my public DNS records and use domain=example.com and realm=EXAMPLE.com Is this a good strategy or is there a better way to do this?

6 years, 7 months

1
0
0 / 0

Route53 private dns zone, _srv_ lookup issue for failover

by Wanderley Teixeira

I am running into an issue with FreeIPA and DNS. Perhaps, you guys could point me to a better realm/domain solution. - I run a private DNS zone on AWS, called "int.example.com" (with ptr and srv, etc) - I have 3 master-master-master IPAs called ipa1, ipa2, and ip3 xxx.int.example.com - Realm is EXAMPLE.COM - Domain is example.com - example.com records are hosted in a different service (i.e. hover or godaddy) When I try to install a client I get: Discovery was successful! Client hostname: ipaclient.int.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: ipa2.int.example.com BaseDN: dc=example,dc=com … Enrolled in IPA realm EXAMPLE.COM Created /etc/ipa/default.conf ... Configured /etc/krb5.conf for IPA realm EXAMPLE.COM trying https://ipa2.int.example.com/ipa/json Traceback (most recent call last): File "/sbin/ipa-client-install", line 3128, in <module> sys.exit(main()) ... File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection raise errors.KerberosError(message=unicode(krberr)) ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm “EXAMPLE.COM" Any idea how I can overcome this issue? I would like my LDAP basedn to be dc=example,dc=com. I don't want it to take the value of dc=int,dc=example,dc=com if I used private domain int.example.com instead of example.com I was thinking of using a private zone just example.com instead of int.example.com but I will have issues since my TLD is on an external service (i.e. hover.com). In this case, I wouldn't be able to resolve test.example.com within the private zone since AWS Route53 wouldn't resolve outside the zone. I would need to install a DNS forwarder somewhere else and I don't want to manage it. I can manually install the client and specify the domain and realm fine but I am unable to use DNS _srv_ for failover if ipa1 goes down, for example. Clients are unable to login with a similar KDC error. And even installing is causing issues as the output show "Cannot find KDC for realm..." Any recommendation or help would be appreciated. I am not sure what is the best solution.

6 years, 7 months

2
1
0 / 0

IPA Server down after system update

by Gady Notrica

Hello, Please HELP After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web. All services are stopped except the directory service # ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED named Service: STOPPED httpd Service: STOPPED ipa-custodia Service: STOPPED ntpd Service: STOPPED pki-tomcatd Service: STOPPED ipa-otpd Service: STOPPED ipa-dnskeysyncd Service: STOPPED ipa: INFO: The ipactl command was successful And here is the error from /var/log/ipaupgrade.log 2017-09-15T15:30:22Z DEBUG stderr= 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-09-15T15:35:23Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1585, in upgrade_configuration ds.start(ds_serverid) File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 627, in start super(DsInstance, self).start(*args, **kwargs) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start self.service.start(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 157, in start instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start self.wait_for_open_ports(self.service_instance(instance_name)) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports self.api.env.startup_timeout) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports raise socket.timeout("Timeout exceeded") 2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded 2017-09-15T15:35:23Z ERROR Timeout exceeded 2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Thank you, Gady

6 years, 7 months

4
7
0 / 0

Radius authentication trouble

by Steve Weeks

We are running FreeIPA 4.4 on Centos 7 and trying to use radius authentication. Using radtest and radclient work fine and we can authenticate a user. The radius proxy and secret are set to match the values from radclient. The user has the radius check box checked and the other two fields set to appropriate values. hbactest shows that the user has permission for any host. When I do " su -l rsa-user", I'm requested for the first and second factors. After I enter them, I get "su: Authentication failure". Using a non-radius user works fine. The sssd_pam log has [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][idm.bbn.com] [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials. Unchecking the radius checkbox and the account works fine. Any ideas what to try or look at next?

6 years, 7 months

3
2
0 / 0

Problem with ipa restore

by xattab＠syneforge.com

Hi. I have tried to restore freeipa. But all time have an error ERROR Command ''tar' '--xattrs' '--selinux' '-xzf' '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'' returned non-zero exit status 2 My actions : 1. run ipa-backup 2 Copy backup to another server 3. Install freeipa as yum install freeipa-* 4 then ipa-restore backup dir My environment : Fedora 21 freeipa 4.1.4 In log i sow message like "Cannot write: No space left on device" but i have enough space All untar backup near 20 GB on device near 100 GB Can you help me ) ? Log iparestore.log 2017-09-15T13:04:02Z DEBUG Logging to /var/log/iparestore.log 2017-09-15T13:04:02Z DEBUG ipa-restore was invoked with arguments ['/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/'] and options: {'log_file': None, 'data_only': False, 'verbose': False, 'gpg_keyring': None, 'quiet': False, 'instance': None, 'no_logs': False, 'online': False, 'password': None, 'unattended': False, 'backend': None} 2017-09-15T13:04:02Z DEBUG IPA version 4.1.4-1.fc21 2017-09-15T13:04:02Z INFO Preparing restore from /var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ on ldap.sf 2017-09-15T13:04:02Z INFO Performing FULL restore from FULL backup 2017-09-15T13:04:02Z DEBUG group dirsrv exists 2017-09-15T13:04:02Z DEBUG user dirsrv exists 2017-09-15T13:04:02Z DEBUG Starting external process 2017-09-15T13:04:02Z DEBUG args='tar' '--xattrs' '--selinux' '-xzf' '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.' 2017-09-15T13:04:51Z DEBUG Process finished, return code=2 2017-09-15T13:04:51Z DEBUG stdout= 2017-09-15T13:04:51Z DEBUG stderr=tar: ./SF/changelog/id2entry.db: Wrote only 7168 of 10240 bytes tar: ./SF/changelog/targetuniqueid.db: Cannot write: No space left on device tar: ./SF/changelog/member.db: Cannot write: No space left on device tar: ./SF/changelog/numsubordinates.db: Cannot write: No space left on device tar: ./SF/changelog/uniquemember.db: Cannot write: No space left on device tar: ./SF/changelog/aci.db: Cannot write: No space left on device tar: ./SF/changelog/objectclass.db: Cannot write: No space left on device tar: ./SF/changelog/DBVERSION: Cannot write: No space left on device tar: ./SF/changelog/parentid.db: Cannot write: No space left on device tar: ./SF/changelog/cn.db: Cannot write: No space left on device tar: ./SF/changelog/nsuniqueid.db: Cannot write: No space left on device tar: ./SF/changelog/ancestorid.db: Cannot write: No space left on device tar: ./SF/changelog/seeAlso.db: Cannot write: No space left on device tar: ./SF/changelog/entryrdn.db: Cannot write: No space left on device tar: ./SF/changelog/changenumber.db: Cannot write: No space left on device tar: ./SF/changelog/entryusn.db: Cannot write: No space left on device tar: ./SF/dse_index.ldif: Cannot write: No space left on device tar: ./SF/log.0000095525: Cannot write: No space left on device tar: ./SF/userRoot/sourcehost.db: Cannot write: No space left on device tar: ./SF/userRoot/krbPrincipalName.db: Cannot write: No space left on device tar: ./SF/userRoot/ipakrbprincipalalias.db: Cannot write: No space left on device tar: ./SF/userRoot/macAddress.db: Cannot write: No space left on device tar: ./SF/userRoot/id2entry.db: Cannot write: No space left on device tar: ./SF/userRoot/memberOf.db: Cannot write: No space left on device tar: ./SF/userRoot/member.db: Cannot write: No space left on device tar: ./SF/userRoot/mail.db: Cannot write: No space left on device tar: ./SF/userRoot/memberHost.db: Cannot write: No space left on device tar: ./SF/userRoot/numsubordinates.db: Cannot write: No space left on device tar: ./SF/userRoot/uniquemember.db: Cannot write: No space left on device tar: ./SF/userRoot/managedby.db: Cannot write: No space left on device tar: ./SF/userRoot/ipasudorunas.db: Cannot write: No space left on device tar: ./SF/userRoot/givenName.db: Cannot write: No space left on device tar: ./SF/userRoot/uidnumber.db: Cannot write: No space left on device tar: ./SF/userRoot/uid.db: Cannot write: No space left on device tar: ./SF/userRoot/automountkey.db: Cannot write: No space left on device tar: ./SF/userRoot/aci.db: Cannot write: No space left on device tar: ./SF/userRoot/owner.db: Cannot write: No space left on device tar: ./SF/userRoot/ipaassignedidview.db: Cannot write: No space left on device tar: ./SF/userRoot/manager.db: Cannot write: No space left on device tar: ./SF/userRoot/displayname.db: Cannot write: No space left on device tar: ./SF/userRoot/fqdn.db: Cannot write: No space left on device tar: ./SF/userRoot/objectclass.db: Cannot write: No space left on device tar: ./SF/userRoot/telephoneNumber.db: Cannot write: No space left on device tar: ./SF/userRoot/DBVERSION: Cannot write: No space left on device tar: ./SF/userRoot/title.db: Cannot write: No space left on device tar: ./SF/userRoot/memberallowcmd.db: Cannot write: No space left on device tar: ./SF/userRoot/parentid.db: Cannot write: No space left on device tar: ./SF/userRoot/cn.db: Cannot write: No space left on device tar: ./SF/userRoot/nscpEntryDN.db: Cannot write: No space left on device tar: ./SF/userRoot/ipauniqueid.db: Cannot write: No space left on device tar: ./SF/userRoot/memberdenycmd.db: Cannot write: No space left on device tar: ./SF/userRoot/ipasudorunasgroup.db: Cannot write: No space left on device tar: ./SF/userRoot/ipatokenradiusconfiglink.db: Cannot write: No space left on device tar: ./SF/userRoot/memberUser.db: Cannot write: No space left on device tar: ./SF/userRoot/nsuniqueid.db: Cannot write: No space left on device tar: ./SF/userRoot/sn.db: Cannot write: No space left on device tar: ./SF/userRoot/memberservice.db: Cannot write: No space left on device tar: ./SF/userRoot/ancestorid.db: Cannot write: No space left on device tar: ./SF/userRoot/seeAlso.db: Cannot write: No space left on device tar: ./SF/userRoot/entryrdn.db: Cannot write: No space left on device tar: ./SF/userRoot/secretary.db: Cannot write: No space left on device tar: ./SF/userRoot/memberuid.db: Cannot write: No space left on device tar: ./SF/userRoot/ou.db: Cannot write: No space left on device tar: ./SF/userRoot/entryusn.db: Cannot write: No space left on device tar: ./SF/userRoot/gidnumber.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/id2entry.db: Cannot write: No space left on device tar: ./SF/ipaca/member.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/revokedOn.db: Cannot write: No space left on device tar: ./SF/ipaca/mail.db: Cannot write: No space left on device tar: ./SF/ipaca/notbefore.db: Cannot write: No space left on device tar: ./SF/ipaca/numsubordinates.db: Cannot write: No space left on device tar: ./SF/ipaca/duration.db: Cannot write: No space left on device tar: ./SF/ipaca/uniquemember.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allexpiredcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/publicKeyData.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#capendingpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/dateOfCreate.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allinvalidcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/metaInfo.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allvalidcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/extension.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#cacompleterenewalpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#capendingenrollmentpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/uid.db: Cannot write: No space left on device tar: ./SF/ipaca/subjectname.db: Cannot write: No space left on device tar: ./SF/ipaca/aci.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#caenrollmentpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/owner.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allrevokedcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allrevokedcertsnotafterpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#cacompleteenrollmentpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/objectclass.db: Cannot write: No space left on device tar: ./SF/ipaca/serialno.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#carenewalpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/revInfo.db: Cannot write: No space left on device tar: ./SF/ipaca/DBVERSION: Cannot write: No space left on device tar: ./SF/ipaca/revokedby.db: Cannot write: No space left on device tar: ./SF/ipaca/parentid.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#cacompletepkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#capendingrenewalpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/cn.db: Cannot write: No space left on device tar: ./SF/ipaca/certstatus.db: Cannot write: No space left on device tar: ./SF/ipaca/issuedby.db: Cannot write: No space left on device tar: ./SF/ipaca/requeststate.db: Cannot write: No space left on device tar: ./SF/ipaca/nsuniqueid.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/sn.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allrevokedorrevokedexpiredcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/requesttype.db: Cannot write: No space left on device tar: ./SF/ipaca/ancestorid.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allrevokedexpiredcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#cacompleterevocationpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/seeAlso.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#carevocationpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/entryrdn.db: Cannot write: No space left on device tar: ./SF/ipaca/notafter.db: Cannot write: No space left on device tar: ./SF/ipaca/description.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#caallpkitomcatindex.db: Cannot write: No space left on device tar: ./SF/ipaca/requestid.db: Cannot write: No space left on device tar: ./SF/ipaca/entryusn.db: Cannot write: No space left on device tar: ./SF/ipaca/vlv#allnonrevokedcertspkitomcatindex.db: Cannot write: No space left on device tar: ./SF-userRoot.ldif: Cannot write: No space left on device tar: ./SF-ipaca.ldif: Cannot write: No space left on device tar: Exiting with failure status due to previous errors 2017-09-15T13:04:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 305, in run self.extract_backup(options.gpg_keyring) File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 712, in extract_backup run(args) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 356, in run raise CalledProcessError(p.returncode, arg_string, stdout) 2017-09-15T13:04:51Z DEBUG The ipa-restore command failed, exception: CalledProcessError: Command ''tar' '--xattrs' '--selinux' '-xzf' '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'' returned non-zero exit status 2 2017-09-15T13:04:51Z ERROR Command ''tar' '--xattrs' '--selinux' '-xzf' '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'' returned non-zero exit status 2

6 years, 7 months

2
1
0 / 0

IPA sudo rules CentOS 6 vs CentOS 7

by Mark Haney

One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install ipa-client and configured. I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and such) but I've got a weird issue that appears to be related to the C6 ipa-client setup. After installing the ipa-client and configuring, I can login as my ipa user account, but, even though I have SUDO rules in place, I'm getting a 'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a CentOS 7 client I have tested on. I've tried two different C6 boxes with the same result. The SSSD/nsswitch/pam.d config files are all identical between the C6 and C7 servers. The C7 box did not have a previous OpenLDAP client on it, and neither did one of the C6 boxes, so it doesn't appear to be a problem/conflict with remnants of OpenLDAP/PAM causing the problem. Sudoers on all the boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/ files either. I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup that is) almost two decades ago, so I'm not as familiar with it as some people might be. Here are the package versions for the IPA clients: C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 C6: ipa-client-3.0.0-51.el6.centos.x86_64 The only other thing I can think of to mention is that in /var/log/secure on the C6 boxes I'm getting a pam_unix.so authentication failure (obviously since my user isn't on that box) prior to sssd authenticating me successfully when trying to sudo su. I do not see that problem on the C7 box. Any ideas? -- Mark Haney Network Engineer at NeoNova 919-460-3330 option 1 mark.haney(a)neonova.net www.neonova.net

6 years, 7 months

5
11
0 / 0

Nginx in front of IPA?

by doug.kelly＠wipro.com

Hi, We have an "interesting" set up here and ultimately it means that some of our users are on a network that can't access the domain that the IPA servers are on so can't reset their passwords. However, they do have access to a domain that we can proxy requests through to get to IPA. Through googling a bit I saw people mention changing 'xmlrpc_uri' in /etc/ipa/default.conf along with some proxy settings for nginx but couldn't really see anything "official". Has anyone successfully put nginx in front of a cluster of IPA servers? Is there any documentation to detail the steps involved? Thanks, Doug Wipro Limited (Company Regn No in UK FC 019088) Address: Level 2, West wing, 3 Sheldon Square, London W2 6PS, United Kingdom. Tel +44 20 7432 8500 Fax: +44 20 7286 5703 VAT Number: 563 1964 27 (Branch of Wipro Limited (Incorporated in India at Bangalore with limited liability vide Reg no L99999KA1945PLC02800 with Registrar of Companies at Bangalore, India. Authorized share capital Rs 5550 mn)) Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________

6 years, 7 months

2
2
0 / 0

Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

by Winfried de Heiden

6 years, 7 months

3
8
0 / 0

ipa-replica-install command failed, exception: NotFound: ldap service not found

by shahriar52＠gmail.com

Trying to create a replica server with ipa-replica-install, but it breaks during installation while restarting the directory service saying that LDAP service not found. But I can see LDAP server is running. I have created around 3 replicas using the same procedure about 4 months ago, but now it is failing. I cannot find any obvious reason for this issue. All the machines are on CentOS 7.x. Master ipa package versions: ipa-common-4.4.0-14.el7.centos.6.noarch ipa-client-common-4.4.0-14.el7.centos.6.noarch ipa-server-dns-4.4.0-14.el7.centos.6.noarch ipa-admintools-4.4.0-14.el7.centos.6.noarch ipa-server-4.4.0-14.el7.centos.6.x86_64 Also tried after updating above to el7.centos.7 packages Replica ipa package versions: ipa-common-4.4.0-14.el7.centos.7.noarch ipa-server-4.4.0-14.el7.centos.7.x86_64 ipa-client-4.4.0-14.el7.centos.7.x86_64 ipa-server-common-4.4.0-14.el7.centos.7.noarch ipa-admintools-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch ipa-server-dns-4.4.0-14.el7.centos.7.noarch Actual results: [root@auth03-esy1 ~]# ipa-replica-install --principal admin --admin-password XXXXXXXX --server=auth02-esy1.srv.symbionetworks.com --domain=auth.mnfgroup.limited --setup-ca Configuring client side components Client hostname: auth03-esy1.srv.symbionetworks.com Realm: AUTH.MNFGROUP.LIMITED DNS Domain: auth.mnfgroup.limited IPA Server: auth02-esy1.srv.symbionetworks.com BaseDN: dc=auth,dc=mnfgroup,dc=limited Skipping synchronizing time with NTP server. Successfully retrieved CA cert Subject: CN=Certificate Authority,O=AUTH.MNFGROUP.LIMITED Issuer: CN=Certificate Authority,O=AUTH.MNFGROUP.LIMITED Valid From: Wed Mar 15 01:04:16 2017 UTC Valid Until: Sun Mar 15 01:04:16 2037 UTC Enrolled in IPA realm AUTH.MNFGROUP.LIMITED Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm AUTH.MNFGROUP.LIMITED trying https://auth02-esy1.srv.symbionetworks.com/ipa/json Forwarding 'ping' to json server 'https://auth02-esy1.srv.symbionetworks.com/ipa/json' Forwarding 'ca_is_enabled' to json server 'https://auth02-esy1.srv.symbionetworks.com/ipa/json' Systemwide CA database updated. Hostname (auth03-esy1.srv.symbionetworks.com) does not have A/AAAA record. Failed to update DNS records. Missing A/AAAA record(s) for host auth03-esy1.srv.symbionetworks.com: 10.53.1.3. Missing reverse record(s) for address(es): 10.53.1.3. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Forwarding 'host_mod' to json server 'https://auth02-esy1.srv.symbionetworks.com/ipa/json' Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring auth.mnfgroup.limited as NIS domain. Client configuration complete. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd ipa : ERROR Could not resolve hostname auth02-esy1.srv.symbionetworks.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) Continue? [no]: yes Run connection check to master Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/44]: creating directory server user [2/44]: creating directory server instance [3/44]: updating configuration in dse.ldif [4/44]: restarting directory server [5/44]: adding default schema [6/44]: enabling memberof plugin [7/44]: enabling winsync plugin [8/44]: configuring replication version plugin [9/44]: enabling IPA enrollment plugin [10/44]: enabling ldapi [11/44]: configuring uniqueness plugin [12/44]: configuring uuid plugin [13/44]: configuring modrdn plugin [14/44]: configuring DNS plugin [15/44]: enabling entryUSN plugin [16/44]: configuring lockout plugin [17/44]: configuring topology plugin [18/44]: creating indices [19/44]: enabling referential integrity plugin [20/44]: configuring certmap.conf [21/44]: configure autobind for root [22/44]: configure new location for managed entries [23/44]: configure dirsrv ccache [24/44]: enabling SASL mapping fallback [25/44]: restarting directory server [26/44]: creating DS keytab [error] NotFound: ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED: service not found Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(Replica): ERROR ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED: service not found ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Additional Infomation: Form /var/log/ipareplica-install.log, 2017-09-12T01:36:13Z DEBUG stderr=ldap_initialize( ldap://auth03-esy1.srv.symbionetworks.com:389/??base ) 2017-09-12T01:36:13Z DEBUG duration: 0 seconds 2017-09-12T01:36:13Z DEBUG [23/44]: configure dirsrv ccache 2017-09-12T01:36:13Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv' 2017-09-12T01:36:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2017-09-12T01:36:13Z DEBUG Starting external process 2017-09-12T01:36:13Z DEBUG args=/usr/sbin/selinuxenabled 2017-09-12T01:36:13Z DEBUG Process finished, return code=1 2017-09-12T01:36:13Z DEBUG stdout= 2017-09-12T01:36:13Z DEBUG stderr= 2017-09-12T01:36:13Z DEBUG duration: 0 seconds 2017-09-12T01:36:13Z DEBUG [24/44]: enabling SASL mapping fallback 2017-09-12T01:36:13Z DEBUG Starting external process 2017-09-12T01:36:13Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpEjW0XE -H ldap://auth03-esy1.srv.symbionetworks.com:389 -x -D cn=Directory Manager -y /tmp/tmpED2rPP 2017-09-12T01:36:13Z DEBUG Process finished, return code=0 2017-09-12T01:36:13Z DEBUG stdout=replace nsslapd-sasl-mapping-fallback: on modifying entry "cn=config" modify complete 2017-09-12T01:36:13Z DEBUG stderr=ldap_initialize( ldap://auth03-esy1.srv.symbionetworks.com:389/??base ) 2017-09-12T01:36:13Z DEBUG duration: 0 seconds 2017-09-12T01:36:13Z DEBUG [25/44]: restarting directory server 2017-09-12T01:36:13Z DEBUG Starting external process 2017-09-12T01:36:13Z DEBUG args=/bin/systemctl --system daemon-reload 2017-09-12T01:36:13Z DEBUG Process finished, return code=0 2017-09-12T01:36:13Z DEBUG stdout= 2017-09-12T01:36:13Z DEBUG stderr= 2017-09-12T01:36:13Z DEBUG Starting external process 2017-09-12T01:36:13Z DEBUG args=/bin/systemctl restart dirsrv(a)AUTH-MNFGROUP-LIMITED.service 2017-09-12T01:36:14Z DEBUG Process finished, return code=0 2017-09-12T01:36:14Z DEBUG stdout= 2017-09-12T01:36:14Z DEBUG stderr= 2017-09-12T01:36:14Z DEBUG Starting external process 2017-09-12T01:36:14Z DEBUG args=/bin/systemctl is-active dirsrv(a)AUTH-MNFGROUP-LIMITED.service 2017-09-12T01:36:14Z DEBUG Process finished, return code=0 2017-09-12T01:36:14Z DEBUG stdout=active 2017-09-12T01:36:14Z DEBUG stderr= 2017-09-12T01:36:14Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2017-09-12T01:36:14Z DEBUG Starting external process 2017-09-12T01:36:14Z DEBUG args=/bin/systemctl is-active dirsrv(a)AUTH-MNFGROUP-LIMITED.service 2017-09-12T01:36:14Z DEBUG Process finished, return code=0 2017-09-12T01:36:14Z DEBUG stdout=active 2017-09-12T01:36:14Z DEBUG stderr= 2017-09-12T01:36:14Z DEBUG duration: 0 seconds 2017-09-12T01:36:14Z DEBUG [26/44]: creating DS keytab 2017-09-12T01:36:14Z DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab' 2017-09-12T01:36:14Z DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist 2017-09-12T01:36:14Z DEBUG raw: service_add(u'ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED', force=True, version=u'2.213') 2017-09-12T01:36:14Z DEBUG service_add(<ipapython.kerberos.Principal object at 0x794e7d0>, force=True, all=False, raw=False, version=u'2.213', no_members=False) 2017-09-12T01:36:14Z DEBUG flushing ldaps://auth02-esy1.srv.symbionetworks.com from SchemaCache 2017-09-12T01:36:14Z DEBUG retrieving schema for SchemaCache url=ldaps://auth02-esy1.srv.symbionetworks.com conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x76610e0> 2017-09-12T01:36:15Z DEBUG raw: host_show(u'auth03-esy1.srv.symbionetworks.com', version=u'2.213') 2017-09-12T01:36:15Z DEBUG host_show(u'auth03-esy1.srv.symbionetworks.com', rights=False, all=False, raw=False, version=u'2.213', no_members=False) 2017-09-12T01:36:15Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1230, in __get_ds_keytab force_service_add=True) File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1129, in install_service_keytab api.Command.service_add(principal, force=force_service_add) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__ return self.__do_call(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run return self.execute(*args, **options) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1221, in execute self.obj.handle_not_found(*keys) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 759, in handle_not_found 'pkey': pkey, 'oname': self.object_name, NotFound: ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED: service not found 2017-09-12T01:36:15Z DEBUG [error] NotFound: ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED: service not found 2017-09-12T01:36:15Z DEBUG Destroyed connection context.ldap2_89533776 2017-09-12T01:36:15Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main promote(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote promote=True, pkcs12_info=dirsrv_pkcs12_info) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds api=remote_api, File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica self.start_creation(runtime=60) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1230, in __get_ds_keytab force_service_add=True) File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1129, in install_service_keytab api.Command.service_add(principal, force=force_service_add) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__ return self.__do_call(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run return self.execute(*args, **options) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1221, in execute self.obj.handle_not_found(*keys) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 759, in handle_not_found 'pkey': pkey, 'oname': self.object_name, 2017-09-12T01:36:15Z DEBUG The ipa-replica-install command failed, exception: NotFound: ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED: service not found 2017-09-12T01:36:15Z ERROR ldap/auth03-esy1.srv.symbionetworks.com(a)AUTH.MNFGROUP.LIMITED: service not found 2017-09-12T01:36:15Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Can anyone please help with this issue? Regards Shahriar Rahman Systems Engineer MNF Group Limited

6 years, 7 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users September 2017