Cannot access Web UI after IPA upgrade to 4.5
by Gustavo Berman
Hi there,
Today we upgraded to the latest IPA 4.5, log says it upgraded just fine,
ipa seems to authenticate all right, but web ui fails with:
Operations Error
Some operations failed.
an internal error has occurred
And the details it shows when I press the OK button are:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
Technical details:
t.metadata is undefined
update_logged_in@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:18156
choose_profile@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:16651
register_phases/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1181
_run_phase/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3476
forEach@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:29752
_run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3440
next_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899
_run_phase/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626
c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
d/t.then@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:62246
_run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3548
next_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899
_run_phase/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626
c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
l@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:61873
dojo/promise/all/</</</<@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:85255
c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
l@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:61873
register_phases/</<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1092
on_success@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:34431
freeipa/rpc/</a.concurrent_command/t.on_success_all@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:57160
freeipa/rpc/</a.concurrent_command/t.command_completed@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56953
freeipa/rpc/</a.concurrent_command/t.success_handler@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56790
freeipa/rpc/</a.concurrent_command/t.execute/n.on_success</<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56340
freeipa/rpc/</a.command/l.register_handlers/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:53786
f@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:49586
dojo/on/</i.emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45192
dojo/on/</i.emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45808
emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:48712
c@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:52429
l@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:4:24877
fireWith@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:4:25702
k@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:5346
t/<@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:9152
Apache error log shows:
[Mon Aug 07 11:04:32.078630 2017] [:warn] [pid 11845] [client
##.##.##.##:45938] failed to set perms (3140) on file
(/var/run/ipa/ccaches/tavo(a)FISICA.CABIB)!, referer:
https://ipaserver.fisica.cabib/ipa/ui/
[Mon Aug 07 11:04:32.079589 2017] [:error] [pid 11839] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Mon Aug 07 11:04:32.079709 2017] [:error] [pid 11839] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Mon Aug 07 11:04:32.160389 2017] [:error] [pid 11839] ipa: DEBUG: Created
connection context.ldap2_94603036533520
[Mon Aug 07 11:04:32.160485 2017] [:error] [pid 11839] ipa: DEBUG: WSGI
jsonserver.__call__:
[Mon Aug 07 11:04:32.160577 2017] [:error] [pid 11839] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Mon Aug 07 11:04:32.170494 2017] [:error] [pid 11839] ipa: DEBUG: raw:
batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([],
{}), u'method': u'config_show'}, {u'params': ([], {}), u'method':
u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}),
u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method':
u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'},
{u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}),
u'method': u'vaultconfig_show'}), version=u'2.228')
[Mon Aug 07 11:04:32.170764 2017] [:error] [pid 11839] ipa: DEBUG:
batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([],
{}), u'method': u'config_show'}, {u'params': ([], {}), u'method':
u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}),
u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method':
u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'},
{u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}),
u'method': u'vaultconfig_show'}), version=u'2.228')
[Mon Aug 07 11:04:32.171033 2017] [:error] [pid 11839] ipa: DEBUG: raw:
i18n_messages(version=u'2.228')
[Mon Aug 07 11:04:32.171215 2017] [:error] [pid 11839] ipa: DEBUG:
i18n_messages(version=u'2.228')
[Mon Aug 07 11:04:32.178630 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: i18n_messages(): SUCCESS
[Mon Aug 07 11:04:32.178857 2017] [:error] [pid 11839] ipa: DEBUG: raw:
config_show(version=u'2.228')
[Mon Aug 07 11:04:32.179094 2017] [:error] [pid 11839] ipa: DEBUG:
config_show(rights=False, all=False, raw=False, version=u'2.228')
[Mon Aug 07 11:04:32.181775 2017] [:error] [pid 11839] ipa: DEBUG:
retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x560a7e36a0e0>
[Mon Aug 07 11:04:32.548227 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: config_show(): SUCCESS
[Mon Aug 07 11:04:32.548454 2017] [:error] [pid 11839] ipa: DEBUG: raw:
whoami(version=u'2.228')
[Mon Aug 07 11:04:32.548625 2017] [:error] [pid 11839] ipa: DEBUG:
whoami(version=u'2.228')
[Mon Aug 07 11:04:32.549205 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: whoami(): PROTOCOL_ERROR
[Mon Aug 07 11:04:32.549456 2017] [:error] [pid 11839] ipa: DEBUG: raw:
env(None, version=u'2.228')
[Mon Aug 07 11:04:32.549700 2017] [:error] [pid 11839] ipa: DEBUG:
env(None, server=False, all=True, version=u'2.228')
[Mon Aug 07 11:04:32.550139 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: env(None): SUCCESS
[Mon Aug 07 11:04:32.550350 2017] [:error] [pid 11839] ipa: DEBUG: raw:
dns_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.550520 2017] [:error] [pid 11839] ipa: DEBUG:
dns_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.552209 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: dns_is_enabled(): SUCCESS
[Mon Aug 07 11:04:32.552435 2017] [:error] [pid 11839] ipa: DEBUG: raw:
trustconfig_show(version=u'2.228')
[Mon Aug 07 11:04:32.552742 2017] [:error] [pid 11839] ipa: DEBUG:
trustconfig_show(rights=False, trust_type=u'ad', all=False, raw=False,
version=u'2.228')
[Mon Aug 07 11:04:32.558903 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: trustconfig_show(): SUCCESS
[Mon Aug 07 11:04:32.559101 2017] [:error] [pid 11839] ipa: DEBUG: raw:
domainlevel_get(version=u'2.228')
[Mon Aug 07 11:04:32.559292 2017] [:error] [pid 11839] ipa: DEBUG:
domainlevel_get(version=u'2.228')
[Mon Aug 07 11:04:32.560543 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: domainlevel_get(): SUCCESS
[Mon Aug 07 11:04:32.560753 2017] [:error] [pid 11839] ipa: DEBUG: raw:
ca_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.560924 2017] [:error] [pid 11839] ipa: DEBUG:
ca_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.562484 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: ca_is_enabled(): SUCCESS
[Mon Aug 07 11:04:32.562694 2017] [:error] [pid 11839] ipa: DEBUG: raw:
vaultconfig_show(version=u'2.228')
[Mon Aug 07 11:04:32.562880 2017] [:error] [pid 11839] ipa: DEBUG:
vaultconfig_show(all=False, raw=False, version=u'2.228')
[Mon Aug 07 11:04:32.563089 2017] [:error] [pid 11839] ipa: DEBUG: raw:
kra_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.563209 2017] [:error] [pid 11839] ipa: DEBUG:
kra_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.564192 2017] [:error] [pid 11839] ipa: INFO:
tavo(a)FISICA.CABIB: batch: vaultconfig_show(): InvocationError
[Mon Aug 07 11:04:32.564462 2017] [:error] [pid 11839] ipa: INFO:
[jsonserver_session] tavo(a)FISICA.CABIB: batch(({u'params': ([], {}),
u'method': u'i18n_messages'}, {u'params': ([], {}), u'method':
u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params':
([], {}), u'method': u'env'}, {u'params': ([], {}), u'method':
u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'},
{u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}),
u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method':
u'vaultconfig_show'}), version=u'2.228'): SUCCESS
[Mon Aug 07 11:04:32.567156 2017] [:error] [pid 11839] ipa: DEBUG:
Destroyed connection context.ldap2_94603036533520
From the first line of the Apache log, the file it refers to has these attributes:
stat /var/run/ipa/ccaches/tavo(a)FISICA.CABIB
File: ‘/var/run/ipa/ccaches/tavo(a)FISICA.CABIB’
Size: 4596 Blocks: 16 IO Block: 4096 regular file
Device: 12h/18d Inode: 37651 Links: 1
Access: (0600/-rw-------) Uid: ( 989/ ipaapi) Gid: ( 985/ ipaapi)
Context: system_u:object_r:ipa_var_run_t:s0
Access: 2017-08-07 11:09:56.260676960 -0300
Modify: 2017-08-07 09:58:09.367597633 -0300
Change: 2017-08-07 09:58:09.367597633 -0300
Birth: -
These are the ipa packages I have:
rpm -qa | grep ipa
python2-ipaclient-4.5.0-21.el7.noarch
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.15.2-50.el7.x86_64
ipa-client-4.5.0-21.el7.x86_64
python2-ipaserver-4.5.0-21.el7.noarch
python-libipa_hbac-1.15.2-50.el7.x86_64
ipa-common-4.5.0-21.el7.noarch
ipa-server-4.5.0-21.el7.x86_64
ipa-server-common-4.5.0-21.el7.noarch
ipa-server-dns-4.5.0-21.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-python-compat-4.5.0-21.el7.noarch
ipa-client-common-4.5.0-21.el7.noarch
libipa_hbac-1.15.2-50.el7.x86_64
python2-ipalib-4.5.0-21.el7.noarch
Any ideas?
Thanks!
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
6 years, 7 months
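Added example, not part of the original post and not FreeIPA code: in the Apache log above, the enclosing `batch(...)` call is logged as SUCCESS even though `whoami()` returned PROTOCOL_ERROR and `vaultconfig_show()` returned InvocationError. The script below pulls the per-command results out of such a log so the masked failures stand out. The function names and the sample log lines (principal `alice@EXAMPLE.TEST`, pid 4242) are constructed for illustration and only follow the line format shown in the post.

```python
import re

# A log record starts with an Apache timestamp, e.g.
# "[Mon Aug 07 11:04:32.549205 2017] ". Wrapped continuation lines do not,
# even when they begin with "[" (such as "[jsonserver_session] ...").
RECORD_START = re.compile(r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4}\] ")

# Result of one command inside a batch:
#   ipa: INFO: <principal>: batch: <command>(<args>): <RESULT>
BATCH_ITEM = re.compile(
    r"\[pid (?P<pid>\d+)\] ipa: INFO: (?P<principal>\S+): batch: "
    r"(?P<command>\w+)\((?P<args>.*?)\): (?P<result>\w+)$"
)

# Result of the enclosing batch call:
#   ipa: INFO: [jsonserver_session] <principal>: batch((...), ...): <RESULT>
BATCH_TOTAL = re.compile(
    r"\[pid (?P<pid>\d+)\] ipa: INFO: \[\w+\] (?P<principal>\S+): "
    r"batch\(.*\): (?P<result>\w+)$"
)


def join_records(text):
    """Re-join records that a mail client or pager wrapped over several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize_batches(text):
    """Return one dict per batch call with its overall and failed results."""
    open_items = {}  # pid -> [(command, result), ...] seen since the last batch end
    batches = []
    for record in join_records(text):
        item = BATCH_ITEM.search(record)
        if item:
            open_items.setdefault(item["pid"], []).append(
                (item["command"], item["result"])
            )
            continue
        total = BATCH_TOTAL.search(record)
        if total:
            items = open_items.pop(total["pid"], [])
            batches.append({
                "pid": total["pid"],
                "principal": total["principal"],
                "overall": total["result"],
                "failed": [(c, r) for c, r in items if r != "SUCCESS"],
            })
    return batches


# Constructed sample, wrapped the same way as the log quoted in the post.
SAMPLE_LOG = """\
[Mon Aug 07 11:04:32.178630 2017] [:error] [pid 4242] ipa: INFO:
alice@EXAMPLE.TEST: batch: i18n_messages(): SUCCESS
[Mon Aug 07 11:04:32.549205 2017] [:error] [pid 4242] ipa: INFO:
alice@EXAMPLE.TEST: batch: whoami(): PROTOCOL_ERROR
[Mon Aug 07 11:04:32.550139 2017] [:error] [pid 4242] ipa: INFO:
alice@EXAMPLE.TEST: batch: env(None): SUCCESS
[Mon Aug 07 11:04:32.564192 2017] [:error] [pid 4242] ipa: INFO:
alice@EXAMPLE.TEST: batch: vaultconfig_show(): InvocationError
[Mon Aug 07 11:04:32.564462 2017] [:error] [pid 4242] ipa: INFO:
[jsonserver_session] alice@EXAMPLE.TEST: batch(({u'params': ([], {}),
u'method': u'whoami'}, {u'params': ([], {}), u'method':
u'vaultconfig_show'}), version=u'2.228'): SUCCESS
"""

if __name__ == "__main__":
    for batch in summarize_batches(SAMPLE_LOG):
        print("pid %s %s batch=%s" % (batch["pid"], batch["principal"], batch["overall"]))
        for command, result in batch["failed"]:
            print("  %s -> %s" % (command, result))
```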
Route53 private dns zone, _srv_ lookup issue for failover
by Wanderley Teixeira
I am running into an issue with FreeIPA and DNS. Perhaps, you guys could
point me to a better realm/domain solution.
- I run a private DNS zone on AWS, called "int.example.com" (with ptr and
srv, etc)
- I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3
xxx.int.example.com
- Realm is EXAMPLE.COM
- Domain is example.com
- example.com records are hosted in a different service (i.e. hover or
godaddy)
When I try to install a client I get:
Discovery was successful!
Client hostname: ipaclient.int.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa2.int.example.com
BaseDN: dc=example,dc=com
…
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
...
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa2.int.example.com/ipa/json
Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
...
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (2529639066): Cannot find
KDC for realm “EXAMPLE.COM"
Any idea how I can overcome this issue?
I would like my LDAP basedn to be dc=example,dc=com. I don't want it to
take the value of dc=int,dc=example,dc=com if I used private domain
int.example.com instead of example.com
I was thinking of using a private zone just example.com instead of
int.example.com but I will have issues since my TLD is on an external
service (i.e. hover.com). In this case, I wouldn't be able to resolve
test.example.com within the private zone since AWS Route53 wouldn't resolve
outside the zone. I would need to install a DNS forwarder somewhere else
and I don't want to manage it.
I can manually install the client and specify the domain and realm fine but
I am unable to use DNS _srv_ for failover if ipa1 goes down, for example.
Clients are unable to login with a similar KDC error. And even installing
is causing issues as the output shows "Cannot find KDC for realm..."
Any recommendation or help would be appreciated. I am not sure what is the
best solution.
6 years, 7 months
IPA Server down after system update
by Gady Notrica
Hello,
Please HELP
After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web.
All services are stopped except the directory service
# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
And here is the error from /var/log/ipaupgrade.log
2017-09-15T15:30:22Z DEBUG stderr=
2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T15:35:23Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1585, in upgrade_configuration
    ds.start(ds_serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 627, in start
    super(DsInstance, self).start(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 157, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start
    self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports
    self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports
    raise socket.timeout("Timeout exceeded")
2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded
2017-09-15T15:35:23Z ERROR Timeout exceeded
2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Thank you,
Gady
6 years, 7 months
Radius authentication trouble
by Steve Weeks
We are running FreeIPA 4.4 on CentOS 7 and trying to use radius
authentication.
Using radtest and radclient works fine and we can authenticate a user.
The radius proxy and secret are set to match the values from radclient.
The user has the radius check box checked and the other two fields set to
appropriate values. hbactest shows that the user has permission for any
host.
When I do "su -l rsa-user", I'm requested for the first and second
factors. After I enter them, I get "su: Authentication failure". Using a
non-radius user works fine.
The sssd_pam log has
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting
user credentials)][idm.bbn.com]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]:
Failure setting user credentials.
After unchecking the radius checkbox, the account works fine.
Any ideas what to try or look at next?
6 years, 7 months
Problem with ipa restore
by xattab@syneforge.com
Hi. I have tried to restore FreeIPA, but all the time I get an error:
ERROR Command ''tar' '--xattrs' '--selinux' '-xzf'
'/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.''
returned non-zero exit status 2
My actions:
1. Run ipa-backup
2. Copy backup to another server
3. Install freeipa as yum install freeipa-*
4. Then ipa-restore backup dir
My environment:
Fedora 21
freeipa 4.1.4
In the log I saw a message like "Cannot write: No space left on device", but I
have enough space.
The whole untarred backup is near 20 GB, on a device of near 100 GB.
Can you help me? )
Log iparestore.log
2017-09-15T13:04:02Z DEBUG Logging to /var/log/iparestore.log
2017-09-15T13:04:02Z DEBUG ipa-restore was invoked with arguments
['/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/'] and options:
{'log_file': None, 'data_only': False, 'verbose': False, 'gpg_keyring':
None, 'quiet': False, 'instance': None, 'no_logs': False, 'online':
False, 'password': None, 'unattended': False, 'backend': None}
2017-09-15T13:04:02Z DEBUG IPA version 4.1.4-1.fc21
2017-09-15T13:04:02Z INFO Preparing restore from
/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ on ldap.sf
2017-09-15T13:04:02Z INFO Performing FULL restore from FULL backup
2017-09-15T13:04:02Z DEBUG group dirsrv exists
2017-09-15T13:04:02Z DEBUG user dirsrv exists
2017-09-15T13:04:02Z DEBUG Starting external process
2017-09-15T13:04:02Z DEBUG args='tar' '--xattrs' '--selinux' '-xzf'
'/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'
2017-09-15T13:04:51Z DEBUG Process finished, return code=2
2017-09-15T13:04:51Z DEBUG stdout=
2017-09-15T13:04:51Z DEBUG stderr=tar: ./SF/changelog/id2entry.db: Wrote
only 7168 of 10240 bytes
tar: ./SF/changelog/targetuniqueid.db: Cannot write: No space left on device
tar: ./SF/changelog/member.db: Cannot write: No space left on device
tar: ./SF/changelog/numsubordinates.db: Cannot write: No space left on
device
tar: ./SF/changelog/uniquemember.db: Cannot write: No space left on device
tar: ./SF/changelog/aci.db: Cannot write: No space left on device
tar: ./SF/changelog/objectclass.db: Cannot write: No space left on device
tar: ./SF/changelog/DBVERSION: Cannot write: No space left on device
tar: ./SF/changelog/parentid.db: Cannot write: No space left on device
tar: ./SF/changelog/cn.db: Cannot write: No space left on device
tar: ./SF/changelog/nsuniqueid.db: Cannot write: No space left on device
tar: ./SF/changelog/ancestorid.db: Cannot write: No space left on device
tar: ./SF/changelog/seeAlso.db: Cannot write: No space left on device
tar: ./SF/changelog/entryrdn.db: Cannot write: No space left on device
tar: ./SF/changelog/changenumber.db: Cannot write: No space left on device
tar: ./SF/changelog/entryusn.db: Cannot write: No space left on device
tar: ./SF/dse_index.ldif: Cannot write: No space left on device
tar: ./SF/log.0000095525: Cannot write: No space left on device
tar: ./SF/userRoot/sourcehost.db: Cannot write: No space left on device
tar: ./SF/userRoot/krbPrincipalName.db: Cannot write: No space left on
device
tar: ./SF/userRoot/ipakrbprincipalalias.db: Cannot write: No space left
on device
tar: ./SF/userRoot/macAddress.db: Cannot write: No space left on device
tar: ./SF/userRoot/id2entry.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberOf.db: Cannot write: No space left on device
tar: ./SF/userRoot/member.db: Cannot write: No space left on device
tar: ./SF/userRoot/mail.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberHost.db: Cannot write: No space left on device
tar: ./SF/userRoot/numsubordinates.db: Cannot write: No space left on device
tar: ./SF/userRoot/uniquemember.db: Cannot write: No space left on device
tar: ./SF/userRoot/managedby.db: Cannot write: No space left on device
tar: ./SF/userRoot/ipasudorunas.db: Cannot write: No space left on device
tar: ./SF/userRoot/givenName.db: Cannot write: No space left on device
tar: ./SF/userRoot/uidnumber.db: Cannot write: No space left on device
tar: ./SF/userRoot/uid.db: Cannot write: No space left on device
tar: ./SF/userRoot/automountkey.db: Cannot write: No space left on device
tar: ./SF/userRoot/aci.db: Cannot write: No space left on device
tar: ./SF/userRoot/owner.db: Cannot write: No space left on device
tar: ./SF/userRoot/ipaassignedidview.db: Cannot write: No space left on
device
tar: ./SF/userRoot/manager.db: Cannot write: No space left on device
tar: ./SF/userRoot/displayname.db: Cannot write: No space left on device
tar: ./SF/userRoot/fqdn.db: Cannot write: No space left on device
tar: ./SF/userRoot/objectclass.db: Cannot write: No space left on device
tar: ./SF/userRoot/telephoneNumber.db: Cannot write: No space left on device
tar: ./SF/userRoot/DBVERSION: Cannot write: No space left on device
tar: ./SF/userRoot/title.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberallowcmd.db: Cannot write: No space left on device
tar: ./SF/userRoot/parentid.db: Cannot write: No space left on device
tar: ./SF/userRoot/cn.db: Cannot write: No space left on device
tar: ./SF/userRoot/nscpEntryDN.db: Cannot write: No space left on device
tar: ./SF/userRoot/ipauniqueid.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberdenycmd.db: Cannot write: No space left on device
tar: ./SF/userRoot/ipasudorunasgroup.db: Cannot write: No space left on
device
tar: ./SF/userRoot/ipatokenradiusconfiglink.db: Cannot write: No space
left on device
tar: ./SF/userRoot/memberUser.db: Cannot write: No space left on device
tar: ./SF/userRoot/nsuniqueid.db: Cannot write: No space left on device
tar: ./SF/userRoot/sn.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberservice.db: Cannot write: No space left on device
tar: ./SF/userRoot/ancestorid.db: Cannot write: No space left on device
tar: ./SF/userRoot/seeAlso.db: Cannot write: No space left on device
tar: ./SF/userRoot/entryrdn.db: Cannot write: No space left on device
tar: ./SF/userRoot/secretary.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberuid.db: Cannot write: No space left on device
tar: ./SF/userRoot/ou.db: Cannot write: No space left on device
tar: ./SF/userRoot/entryusn.db: Cannot write: No space left on device
tar: ./SF/userRoot/gidnumber.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db: Cannot
write: No space left on device
tar: ./SF/ipaca/id2entry.db: Cannot write: No space left on device
tar: ./SF/ipaca/member.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db: Cannot
write: No space left on device
tar: ./SF/ipaca/revokedOn.db: Cannot write: No space left on device
tar: ./SF/ipaca/mail.db: Cannot write: No space left on device
tar: ./SF/ipaca/notbefore.db: Cannot write: No space left on device
tar: ./SF/ipaca/numsubordinates.db: Cannot write: No space left on device
tar: ./SF/ipaca/duration.db: Cannot write: No space left on device
tar: ./SF/ipaca/uniquemember.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allexpiredcertspkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/publicKeyData.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#capendingpkitomcatindex.db: Cannot write: No space
left on device
tar: ./SF/ipaca/dateOfCreate.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allinvalidcertspkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/metaInfo.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allvalidcertspkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/extension.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#cacompleterenewalpkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/vlv#capendingenrollmentpkitomcatindex.db: Cannot write:
No space left on device
tar: ./SF/ipaca/uid.db: Cannot write: No space left on device
tar: ./SF/ipaca/subjectname.db: Cannot write: No space left on device
tar: ./SF/ipaca/aci.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#caenrollmentpkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/owner.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allrevokedcertspkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/vlv#allrevokedcertsnotafterpkitomcatindex.db: Cannot
write: No space left on device
tar: ./SF/ipaca/vlv#cacompleteenrollmentpkitomcatindex.db: Cannot write:
No space left on device
tar: ./SF/ipaca/objectclass.db: Cannot write: No space left on device
tar: ./SF/ipaca/serialno.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#carenewalpkitomcatindex.db: Cannot write: No space
left on device
tar: ./SF/ipaca/revInfo.db: Cannot write: No space left on device
tar: ./SF/ipaca/DBVERSION: Cannot write: No space left on device
tar: ./SF/ipaca/revokedby.db: Cannot write: No space left on device
tar: ./SF/ipaca/parentid.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allcertspkitomcatindex.db: Cannot write: No space
left on device
tar: ./SF/ipaca/vlv#cacompletepkitomcatindex.db: Cannot write: No space
left on device
tar: ./SF/ipaca/vlv#capendingrenewalpkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/cn.db: Cannot write: No space left on device
tar: ./SF/ipaca/certstatus.db: Cannot write: No space left on device
tar: ./SF/ipaca/issuedby.db: Cannot write: No space left on device
tar: ./SF/ipaca/requeststate.db: Cannot write: No space left on device
tar: ./SF/ipaca/nsuniqueid.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allinvalidcertsnotbeforepkitomcatindex.db: Cannot
write: No space left on device
tar: ./SF/ipaca/sn.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allrevokedorrevokedexpiredcertspkitomcatindex.db:
Cannot write: No space left on device
tar: ./SF/ipaca/requesttype.db: Cannot write: No space left on device
tar: ./SF/ipaca/ancestorid.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allrevokedexpiredcertspkitomcatindex.db: Cannot
write: No space left on device
tar: ./SF/ipaca/vlv#cacompleterevocationpkitomcatindex.db: Cannot write:
No space left on device
tar: ./SF/ipaca/seeAlso.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#carevocationpkitomcatindex.db: Cannot write: No
space left on device
tar: ./SF/ipaca/entryrdn.db: Cannot write: No space left on device
tar: ./SF/ipaca/notafter.db: Cannot write: No space left on device
tar: ./SF/ipaca/description.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#caallpkitomcatindex.db: Cannot write: No space left
on device
tar: ./SF/ipaca/requestid.db: Cannot write: No space left on device
tar: ./SF/ipaca/entryusn.db: Cannot write: No space left on device
tar: ./SF/ipaca/vlv#allnonrevokedcertspkitomcatindex.db: Cannot write:
No space left on device
tar: ./SF-userRoot.ldif: Cannot write: No space left on device
tar: ./SF-ipaca.ldif: Cannot write: No space left on device
tar: Exiting with failure status due to previous errors
2017-09-15T13:04:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 305, in run
    self.extract_backup(options.gpg_keyring)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 712, in extract_backup
    run(args)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 356, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
2017-09-15T13:04:51Z DEBUG The ipa-restore command failed, exception:
CalledProcessError: Command ''tar' '--xattrs' '--selinux' '-xzf'
'/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.''
returned non-zero exit status 2
2017-09-15T13:04:51Z ERROR Command ''tar' '--xattrs' '--selinux' '-xzf'
'/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.''
returned non-zero exit status 2
6 years, 7 months
IPA sudo rules CentOS 6 vs CentOS 7
by Mark Haney
One of my biggest projects is to use ansible to kill OpenLDAP clients on
our production servers and install ipa-client and configure it. I'm
probably 95% there with automating the process (still trying to figure
out what pam_ldap crap is floating around after uninstalling those
packages and such) but I've got a weird issue that appears to be related
to the C6 ipa-client setup.
After installing the ipa-client and configuring, I can login as my ipa
user account, but, even though I have SUDO rules in place, I'm getting a
'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a
CentOS 7 client I have tested on. I've tried two different C6 boxes
with the same result. The SSSD/nsswitch/pam.d config files are all
identical between the C6 and C7 servers.
The C7 box did not have a previous OpenLDAP client on it, and neither
did one of the C6 boxes, so it doesn't appear to be a problem/conflict
with remnants of OpenLDAP/PAM causing the problem. Sudoers on all the
boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/
files either.
I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup
that is) almost two decades ago, so I'm not as familiar with it as some
people might be. Here are the package versions for the IPA clients:
C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
C6: ipa-client-3.0.0-51.el6.centos.x86_64
The only other thing I can think of to mention is that in
/var/log/secure on the C6 boxes I'm getting a pam_unix.so authentication
failure (obviously since my user isn't on that box) prior to sssd
authenticating me successfully when trying to sudo su. I do not see
that problem on the C7 box.
Any ideas?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
6 years, 7 months
Nginx in front of IPA?
by doug.kelly@wipro.com
Hi,
We have an "interesting" setup here and ultimately it means that some of our users are on a network that can't access the domain that the IPA servers are on so can't reset their passwords. However, they do have access to a domain that we can proxy requests through to get to IPA.
Through googling a bit I saw people mention changing 'xmlrpc_uri' in /etc/ipa/default.conf along with some proxy settings for nginx but couldn't really see anything "official".
Has anyone successfully put nginx in front of a cluster of IPA servers? Is there any documentation to detail the steps involved?
Thanks,
Doug
6 years, 7 months
ipa-replica-install command failed, exception: NotFound: ldap service not found
by shahriar52@gmail.com
Trying to create a replica server with ipa-replica-install, but it breaks during installation while restarting the directory service, saying that the LDAP service was not found. But I can see the LDAP server is running.
I have created around 3 replicas using the same procedure about 4 months ago, but now it is failing. I cannot find any obvious reason for this issue.
All the machines are on CentOS 7.x.
Master ipa package versions:
ipa-common-4.4.0-14.el7.centos.6.noarch
ipa-client-common-4.4.0-14.el7.centos.6.noarch
ipa-server-dns-4.4.0-14.el7.centos.6.noarch
ipa-admintools-4.4.0-14.el7.centos.6.noarch
ipa-server-4.4.0-14.el7.centos.6.x86_64
Also tried after updating above to el7.centos.7 packages
Replica ipa package versions:
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
Actual results:
[root@auth03-esy1 ~]# ipa-replica-install --principal admin --admin-password XXXXXXXX --server=auth02-esy1.srv.symbionetworks.com --domain=auth.mnfgroup.limited --setup-ca
Configuring client side components
Client hostname: auth03-esy1.srv.symbionetworks.com
Realm: AUTH.MNFGROUP.LIMITED
DNS Domain: auth.mnfgroup.limited
IPA Server: auth02-esy1.srv.symbionetworks.com
BaseDN: dc=auth,dc=mnfgroup,dc=limited
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=AUTH.MNFGROUP.LIMITED
Issuer: CN=Certificate Authority,O=AUTH.MNFGROUP.LIMITED
Valid From: Wed Mar 15 01:04:16 2017 UTC
Valid Until: Sun Mar 15 01:04:16 2037 UTC
Enrolled in IPA realm AUTH.MNFGROUP.LIMITED
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm AUTH.MNFGROUP.LIMITED
trying https://auth02-esy1.srv.symbionetworks.com/ipa/json
Forwarding 'ping' to json server 'https://auth02-esy1.srv.symbionetworks.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://auth02-esy1.srv.symbionetworks.com/ipa/json'
Systemwide CA database updated.
Hostname (auth03-esy1.srv.symbionetworks.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host auth03-esy1.srv.symbionetworks.com: 10.53.1.3.
Missing reverse record(s) for address(es): 10.53.1.3.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server 'https://auth02-esy1.srv.symbionetworks.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring auth.mnfgroup.limited as NIS domain.
Client configuration complete.
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd
ipa : ERROR Could not resolve hostname auth02-esy1.srv.symbionetworks.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/44]: creating directory server user
[2/44]: creating directory server instance
[3/44]: updating configuration in dse.ldif
[4/44]: restarting directory server
[5/44]: adding default schema
[6/44]: enabling memberof plugin
[7/44]: enabling winsync plugin
[8/44]: configuring replication version plugin
[9/44]: enabling IPA enrollment plugin
[10/44]: enabling ldapi
[11/44]: configuring uniqueness plugin
[12/44]: configuring uuid plugin
[13/44]: configuring modrdn plugin
[14/44]: configuring DNS plugin
[15/44]: enabling entryUSN plugin
[16/44]: configuring lockout plugin
[17/44]: configuring topology plugin
[18/44]: creating indices
[19/44]: enabling referential integrity plugin
[20/44]: configuring certmap.conf
[21/44]: configure autobind for root
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: creating DS keytab
[error] NotFound: ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Additional Information:
From /var/log/ipareplica-install.log,
2017-09-12T01:36:13Z DEBUG stderr=ldap_initialize( ldap://auth03-esy1.srv.symbionetworks.com:389/??base )
2017-09-12T01:36:13Z DEBUG duration: 0 seconds
2017-09-12T01:36:13Z DEBUG [23/44]: configure dirsrv ccache
2017-09-12T01:36:13Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv'
2017-09-12T01:36:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-12T01:36:13Z DEBUG Starting external process
2017-09-12T01:36:13Z DEBUG args=/usr/sbin/selinuxenabled
2017-09-12T01:36:13Z DEBUG Process finished, return code=1
2017-09-12T01:36:13Z DEBUG stdout=
2017-09-12T01:36:13Z DEBUG stderr=
2017-09-12T01:36:13Z DEBUG duration: 0 seconds
2017-09-12T01:36:13Z DEBUG [24/44]: enabling SASL mapping fallback
2017-09-12T01:36:13Z DEBUG Starting external process
2017-09-12T01:36:13Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpEjW0XE -H ldap://auth03-esy1.srv.symbionetworks.com:389 -x -D cn=Directory Manager -y /tmp/tmpED2rPP
2017-09-12T01:36:13Z DEBUG Process finished, return code=0
2017-09-12T01:36:13Z DEBUG stdout=replace nsslapd-sasl-mapping-fallback:
on
modifying entry "cn=config"
modify complete
2017-09-12T01:36:13Z DEBUG stderr=ldap_initialize( ldap://auth03-esy1.srv.symbionetworks.com:389/??base )
2017-09-12T01:36:13Z DEBUG duration: 0 seconds
2017-09-12T01:36:13Z DEBUG [25/44]: restarting directory server
2017-09-12T01:36:13Z DEBUG Starting external process
2017-09-12T01:36:13Z DEBUG args=/bin/systemctl --system daemon-reload
2017-09-12T01:36:13Z DEBUG Process finished, return code=0
2017-09-12T01:36:13Z DEBUG stdout=
2017-09-12T01:36:13Z DEBUG stderr=
2017-09-12T01:36:13Z DEBUG Starting external process
2017-09-12T01:36:13Z DEBUG args=/bin/systemctl restart dirsrv@AUTH-MNFGROUP-LIMITED.service
2017-09-12T01:36:14Z DEBUG Process finished, return code=0
2017-09-12T01:36:14Z DEBUG stdout=
2017-09-12T01:36:14Z DEBUG stderr=
2017-09-12T01:36:14Z DEBUG Starting external process
2017-09-12T01:36:14Z DEBUG args=/bin/systemctl is-active dirsrv@AUTH-MNFGROUP-LIMITED.service
2017-09-12T01:36:14Z DEBUG Process finished, return code=0
2017-09-12T01:36:14Z DEBUG stdout=active
2017-09-12T01:36:14Z DEBUG stderr=
2017-09-12T01:36:14Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-09-12T01:36:14Z DEBUG Starting external process
2017-09-12T01:36:14Z DEBUG args=/bin/systemctl is-active dirsrv@AUTH-MNFGROUP-LIMITED.service
2017-09-12T01:36:14Z DEBUG Process finished, return code=0
2017-09-12T01:36:14Z DEBUG stdout=active
2017-09-12T01:36:14Z DEBUG stderr=
2017-09-12T01:36:14Z DEBUG duration: 0 seconds
2017-09-12T01:36:14Z DEBUG [26/44]: creating DS keytab
2017-09-12T01:36:14Z DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
2017-09-12T01:36:14Z DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
2017-09-12T01:36:14Z DEBUG raw: service_add(u'ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED', force=True, version=u'2.213')
2017-09-12T01:36:14Z DEBUG service_add(<ipapython.kerberos.Principal object at 0x794e7d0>, force=True, all=False, raw=False, version=u'2.213', no_members=False)
2017-09-12T01:36:14Z DEBUG flushing ldaps://auth02-esy1.srv.symbionetworks.com from SchemaCache
2017-09-12T01:36:14Z DEBUG retrieving schema for SchemaCache url=ldaps://auth02-esy1.srv.symbionetworks.com conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x76610e0>
2017-09-12T01:36:15Z DEBUG raw: host_show(u'auth03-esy1.srv.symbionetworks.com', version=u'2.213')
2017-09-12T01:36:15Z DEBUG host_show(u'auth03-esy1.srv.symbionetworks.com', rights=False, all=False, raw=False, version=u'2.213', no_members=False)
2017-09-12T01:36:15Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1230, in __get_ds_keytab
force_service_add=True)
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1129, in install_service_keytab
api.Command.service_add(principal, force=force_service_add)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
return self.__do_call(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
ret = self.run(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
return self.execute(*args, **options)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1221, in execute
self.obj.handle_not_found(*keys)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 759, in handle_not_found
'pkey': pkey, 'oname': self.object_name,
NotFound: ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
2017-09-12T01:36:15Z DEBUG [error] NotFound: ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
2017-09-12T01:36:15Z DEBUG Destroyed connection context.ldap2_89533776
2017-09-12T01:36:15Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
promote(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
promote=True, pkcs12_info=dirsrv_pkcs12_info)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
api=remote_api,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
self.start_creation(runtime=60)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1230, in __get_ds_keytab
force_service_add=True)
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1129, in install_service_keytab
api.Command.service_add(principal, force=force_service_add)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
return self.__do_call(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
ret = self.run(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
return self.execute(*args, **options)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1221, in execute
self.obj.handle_not_found(*keys)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 759, in handle_not_found
'pkey': pkey, 'oname': self.object_name,
2017-09-12T01:36:15Z DEBUG The ipa-replica-install command failed, exception: NotFound: ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
2017-09-12T01:36:15Z ERROR ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
2017-09-12T01:36:15Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Can anyone please help with this issue?
Regards
Shahriar Rahman
Systems Engineer
MNF Group Limited
6 years, 7 months