On 16/12/2020 17:29, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> I'm trying to spin up a new replica:
>
> ...
>
> [25/41]: restarting directory server
> [26/41]: creating DS keytab
> [error] CalledProcessError: CalledProcessError(Command
> ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p',
> 'ldap/sucker.ccnr.ceb.private.cam.ac.uk(a)CCN.DOMAIN.MINE', '-H',
> 'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9:
> 'Failed to parse result: Insufficient access rights\n\nRetrying with
> pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient
> access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k',
> '/etc/dirsrv/ds.keytab', '-p',
> 'ldap/sucker.ccn.domain.mine(a)CCNR.CEB.PRIVATE.CAM.AC.UK', '-H',
> 'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9:
> 'Failed to parse result: Insufficient access rights\n\nRetrying with
> pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient
> access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
>
>
> So I do:
>
> ~]$ ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
> It is highly recommended to take a backup of existing data and
> configuration using ipa-backup utility before proceeding.
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> Shutting down all IPA services
> Unconfiguring directory server
> [Errno 2] No such file or directory:
> '/etc/dirsrv/slapd-CCN-DOMAIN-MINE/dse.ldif'
>
> And from here on it's practically a small mayhem. '--uninstall' no
> matter how many times does not help.
>
> I see that 'systemctl status -l dirsrv@my-instance' is still up. So
> obviously:
>
> ~]$ ipa-replica-install --setup-dns --no-forwarders --admin-password=ccn
> --principal=admin
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> IPA requires ports 389 and 636 for the Directory Server.
> These are currently in use:
> 389
> 636
>
> ...
>
> One more time?
>
> ~]$ ipa-server-install --uninstall
> WARNING:
> IPA server is not configured on this system. If you want to install the
> IPA server, please install it using 'ipa-server-install'.
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
> It is highly recommended to take a backup of existing data and
> configuration using ipa-backup utility before proceeding.
>
> ... and like a vicious circle.
>
> Seems to me that this simple case is what IPA devel guys could look into
> and then hopefully improve and harden un/installation process.
>
> ipa-client-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
> ipa-client-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
> ipa-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
> ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
> ipa-selinux-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
> ipa-server-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
> ipa-server-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
> ipa-server-dns-4.8.7-12.module_el8.3.0+511+8a502f20.noarch

dirsrv may be wedged. If you don't want to determine why you can kill it
with:

# kill -9 `pidof ns-slapd`

Bugs and feature requests can be created at
https://pagure.io/freeipa/new_issue

rob

Thanks, I'll drop a new report there.
At the same time, this seems more puzzling, namely:
----
[25/41]: restarting directory server
[26/41]: creating DS keytab
[error] CalledProcessError: CalledProcessError(Command
['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab',
'-p',
'ldap/sucker.ccnr.ceb.private.cam.ac.uk(a)CCN.DOMAIN.MINE',
'-H', 'ldaps://drunk.ccn.domain.mine'] returned non-zero
exit status 9: 'Failed to parse result: Insufficient access
rights\n\nRetrying with pre-4.0 keytab retrieval
method...\nFailed to parse result: Insufficient access
rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k',
'/etc/dirsrv/ds.keytab', '-p',
'ldap/sucker.ccn.domain.mine(a)CCNR.CEB.PRIVATE.CAM.AC.UK',
'-H', 'ldaps://drunk.ccn.domain.mine'] returned non-zero
exit status 9: 'Failed to parse result: Insufficient access
rights\n\nRetrying with pre-4.0 keytab retrieval
method...\nFailed to parse result: Insufficient access
rights\n\nFailed to get keytab!\nFailed to get keytab\n')
----
I thought it was a one-off type of glitch, but now I did
uninstall & "cleanup", now ipa-client-install on that
replica candidate works fine, but ipa-replica-install fails
each time just like here above. I'm on my seventh attempt.
Any ideas and thoughts as to what might be the problem and
how to troubleshoot are greatly appreciated.
L.