freeipa-server failied to instal - Debian
by Milos Cuculovic
I am trying to install after an uninstall the freeipa-server package on Debian, which is now failing. I normally removed all packages and config files, something seems to still cause issues. The installation output is as follows, after running apt install freeipa-server (I^m first extracting main warning and failure lines I identified).
—————
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
—————
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
—————
ob for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-kdc.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
—————
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
Docs: man:systemd-sysv-generator(8)
Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
—————
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
—————
FULL OUTPUT:
Setting up libsymkey-jni (10.6.0-1ubuntu2) ...
Setting up python-dnspython (1.15.0-1) ...
Setting up libxcb-present0:amd64 (1.13-1) ...
Setting up libslf4j-java (1.7.25-3) ...
Setting up libglvnd0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up oddjob (0.34.3-4) ...
Setting up libxinerama1:amd64 (2:1.1.3-1) ...
Setting up libplexus-classworlds-java (2.5.2-2) ...
Processing triggers for ufw (0.35-5) ...
Setting up libxcb-dri2-0:amd64 (1.13-1) ...
Setting up libsss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libhttp-parser2.7.1:amd64 (2.7.1-2) ...
Setting up libxcb-dri3-0:amd64 (1.13-1) ...
Setting up libxcb-glx0:amd64 (1.13-1) ...
Setting up libcommons-io-java (2.6-2) ...
Setting up libstax-java (1.2.0-4) ...
Setting up libargs4j-java (2.33-1) ...
Setting up python-urllib3 (1.22-1) ...
Setting up libapache2-mod-lookup-identity (1.0.0-1) ...
apache2_invoke: Enable module lookup_identity
Setting up libpath-utils1:amd64 (0.6.1-1) ...
Setting up libjettison-java (1.4.0-1) ...
Setting up libsocket-getaddrinfo-perl (0.22-3) ...
Setting up libknopflerfish-osgi-framework-java (6.1.1-2) ...
Setting up libperl4-corelibs-perl (0.004-1) ...
Setting up libsss-nss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libnfsidmap2:amd64 (0.25-5.1) ...
Setting up python-usb (1.0.0-1) ...
Setting up libxdamage1:amd64 (1:1.1.4-3) ...
Setting up libhawtjni-runtime-java (1.15-2) ...
Setting up libhttpcore-java (4.4.9-1) ...
Setting up libjackson2-core-java (2.9.4-1) ...
Setting up ieee-data (20180204.1) ...
Setting up libjsr311-api-java (1.1.1-1) ...
Setting up python-yubico (1.3.2-1) ...
Setting up libyaml-snake-java (1.20-1) ...
Setting up libxfixes3:amd64 (1:5.0.3-1) ...
Setting up oddjob-mkhomedir (0.34.3-4) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libdrm-amdgpu1:amd64 (2.4.91-2) ...
Setting up libllvm6.0:amd64 (1:6.0-1ubuntu2) ...
Setting up chrony (3.2-4ubuntu4.2) ...
Setting up libisorelax-java (20041111-10) ...
Setting up python-openssl (17.5.0-1ubuntu1) ...
Setting up libplexus-cipher-java (1.7-3) ...
Setting up python-ply (3.11-1) ...
Setting up python-kdcproxy (0.3.2-5) ...
Setting up python-netaddr (0.7.19-1) ...
Setting up python-jwcrypto (0.4.2-1) ...
Setting up libatspi2.0-0:amd64 (2.28.0-1) ...
Setting up libdtd-parser-java (1.2~svn20110404-1) ...
Setting up libsvrcore0:amd64 (1:4.1.2+dfsg1-3) ...
Setting up at-spi2-core (2.28.0-1) ...
Setting up libsss-certmap0 (1.16.1-1ubuntu1) ...
Setting up libxshmfence1:amd64 (1.3-1) ...
Setting up libjaxb-api-java (2.2.9-1) ...
Setting up krb5-pkinit:amd64 (1.16-2build1) ...
Setting up libstax2-api-java (3.1.1-1) ...
Setting up python-certifi (2018.1.18-2) ...
Setting up libstax-ex-java (1.7.8-1) ...
Setting up libipa-hbac0 (1.16.1-1ubuntu1) ...
Setting up dogtag-pki-server-theme (10.6.0-1ubuntu2) ...
Setting up libplexus-interpolation-java (1.24-1) ...
Setting up libnl-route-3-200:amd64 (3.2.29-0ubuntu3) ...
Setting up libglapi-mesa:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up fonts-open-sans (1.11-1) ...
Setting up python-sss (1.16.1-1ubuntu1) ...
Setting up libplexus-component-annotations-java (1.7.1-7) ...
Setting up python-pkg-resources (39.0.1-2) ...
Setting up freeipa-common (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-common (1:2.1.3-0.2build1) ...
Setting up libmaven-shared-utils-java (3.1.0-2) ...
Setting up python-pyasn1-modules (0.2.1-0.2) ...
Setting up libdhash1:amd64 (0.6.1-1) ...
Setting up python-nss (1.0.0-1build3) ...
Setting up python-markupsafe (1.0-1build1) ...
Setting up fonts-font-awesome (4.7.0~dfsg-3) ...
Setting up python-netifaces (0.10.4-0.1build4) ...
Setting up libjackson2-annotations-java (2.9.4-1) ...
Setting up libldns2:amd64 (1.7.0-3ubuntu4) ...
Setting up sqlite3 (3.22.0-1) ...
Setting up libjoda-time-java (2.9.9-1) ...
Setting up libplexus-utils2-java (3.0.24-3) ...
Setting up libjackson2-dataformat-cbor (2.7.8-3) ...
Setting up libcollection4:amd64 (0.6.1-1) ...
Setting up libwagon-provider-api-java (3.0.0-2) ...
Setting up libxcb-sync1:amd64 (1.13-1) ...
Setting up libjsr305-java (0.1~+svn49-10) ...
Setting up python-dateutil (2.6.1-1) ...
Setting up ldap-utils (2.4.45+dfsg-1ubuntu1) ...
Setting up libatk1.0-data (2.28.1-1) ...
Setting up libjackson2-databind-java (2.9.5-1) ...
Setting up libjackson2-dataformat-yaml (2.8.10-3) ...
Setting up libx11-xcb1:amd64 (2:1.6.4-3ubuntu0.1) ...
Setting up libnetaddr-ip-perl (4.079+dfsg-1build2) ...
Setting up python-gi (3.26.1-2) ...
Setting up libmozilla-ldap-perl (1.5.3-2build4) ...
Setting up libservlet3.1-java (8.5.30-1ubuntu1.4) ...
Setting up libjboss-jdeparser2-java (2.0.2-1) ...
Setting up libjavassist-java (1:3.21.0-2) ...
Setting up p11-kit-modules:amd64 (0.23.9-2) ...
Setting up libnss-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up softhsm2-common (2.2.0-3.1build1) ...
Setting up libhsm-bin (1:2.1.3-0.2build1) ...
Setting up python3-sss (1.16.1-1ubuntu1) ...
Setting up libjackson2-module-jaxb-annotations-java (2.8.10-2) ...
Setting up libxmlrpc-core-c3 (1.33.14-8build1) ...
Setting up libxxf86dga1:amd64 (2:1.1.4-1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up libjackson-json-java (1.9.2-9) ...
Setting up python-bs4 (4.6.0-1) ...
Setting up python-selinux (2.7-2build2) ...
Setting up libgeronimo-interceptor-3.0-spec-java (1.0.1-4fakesync) ...
Setting up libmaven-resolver-java (1.1.0-3) ...
Setting up libsocket6-perl (0.27-1build2) ...
Setting up libnsspem:amd64 (1.0.3-0ubuntu2) ...
Setting up 389-ds-base-libs (1.3.7.10-1ubuntu1) ...
Setting up libplexus-utils-java (1:1.5.15-5) ...
Setting up libnss3-tools (2:3.35-2ubuntu2) ...
Setting up python-libipa-hbac (1.16.1-1ubuntu1) ...
Setting up libnuxwdog0 (1.0.3-4) ...
Setting up libjackson2-dataformat-xml-java (2.9.4-1) ...
Setting up libcommons-compress-java (1.13-2) ...
Setting up libatk1.0-0:amd64 (2.28.1-1) ...
Setting up libcommons-lang3-java (3.5-2ubuntu1) ...
Setting up libjaxen-java (1.1.6-3) ...
Setting up libwebpmux3:amd64 (0.6.1-2) ...
Setting up libsnappy1v5:amd64 (1.1.7-1) ...
Setting up libjansi-native-java (1.7-1) ...
Setting up python-systemd (234-1build1) ...
Processing triggers for systemd (237-3ubuntu10.3) ...
Setting up libpwquality-common (1.4.0-2) ...
Setting up augeas-lenses (1.10.1-2) ...
Setting up python-lxml:amd64 (4.2.1-1) ...
Setting up libatk-bridge2.0-0:amd64 (2.26.2-1) ...
Setting up libjaxrs-api-java (2.1-1) ...
Setting up libice6:amd64 (2:1.0.9-2) ...
Setting up libasm-java (6.0-1) ...
Setting up libfontenc1:amd64 (1:1.1.3-1) ...
Setting up libxcomposite1:amd64 (1:0.4.4-2) ...
Setting up libcrack2:amd64 (2.9.2-5build1) ...
Setting up python-olefile (0.45.1-1) ...
Setting up libwebpdemux2:amd64 (0.6.1-2) ...
Setting up libxcb-shape0:amd64 (1.13-1) ...
Setting up libpciaccess0:amd64 (0.14-1) ...
Setting up libstreambuffer-java (1.5.4-1) ...
Setting up libxv1:amd64 (2:1.0.11-1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up libatinject-jsr330-api-java (1.0+ds1-5) ...
Setting up libjboss-logging-tools-java (2.1.0-2) ...
Setting up libbasicobjects0:amd64 (0.6.1-1) ...
Setting up libmaven-parent-java (27-2) ...
Setting up python3-ply (3.11-1) ...
Setting up libdrm-radeon1:amd64 (2.4.91-2) ...
Setting up libref-array1:amd64 (0.6.1-1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
Setting up libxxf86vm1:amd64 (1:1.1.4-1) ...
Setting up libdrm-nouveau2:amd64 (2.4.91-2) ...
Setting up libxft2:amd64 (2.3.2-1) ...
Setting up python-dbus (1.2.6-1) ...
Setting up libcommons-codec-java (1.11-1) ...
Setting up libjss-java (4.4.3-1) ...
Setting up libjackson2-dataformat-smile (2.7.8-3) ...
Setting up slapi-nis (0.56.1-1build1) ...
Setting up libcommons-lang-java (2.6-8) ...
Setting up libcurl3-nss:amd64 (7.58.0-2ubuntu3.3) ...
Setting up python-pil:amd64 (5.1.0-1) ...
Setting up libcommons-httpclient-java (3.1-14) ...
Setting up libaopalliance-java (20070526-6) ...
Setting up libc-ares2:amd64 (1.14.0-1) ...
Setting up libjs-dojo-core (1.11.0+dfsg-1) ...
Setting up python-webencodings (0.5-2) ...
Setting up libgeronimo-annotation-1.3-spec-java (1.0-1) ...
Setting up libdbi-perl (1.640-1) ...
Setting up libjboss-logging-java (3.3.2-1) ...
Setting up libsss-sudo (1.16.1-1ubuntu1) ...
Checking NSS setup...
Setting up libxrandr2:amd64 (2:1.5.1-1) ...
Setting up librelaxng-datatype-java (1.0+ds1-3) ...
Setting up libcommons-cli-java (1.4-1) ...
Setting up libini-config5:amd64 (0.6.1-1) ...
Setting up libplexus-sec-dispatcher-java (1.4-3) ...
Setting up sssd-common (1.16.1-1ubuntu1) ...
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
sssd-secrets.service is a disabled or a static unit not running, not starting it.
Setting up python-ldap (3.0.0-1) ...
Setting up 389-ds-base (1.3.7.10-1ubuntu1) ...
dirsrv-snmp.service is a disabled or a static unit, not starting it.
dirsrv.target is a disabled or a static unit, not starting it.
Setting up bind9utils (1:9.11.3+dfsg-1ubuntu1.2) ...
Setting up libdom4j-java (2.1.0-2) ...
Setting up python-setuptools (39.0.1-2) ...
Setting up libsm6:amd64 (2:1.2.2-1) ...
Setting up libplexus-io-java (3.0.0-1) ...
Setting up libscannotation-java (1.0.2+svn20110812-3) ...
Setting up libsymkey-java (10.6.0-1ubuntu2) ...
Setting up python-libsss-nss-idmap (1.16.1-1ubuntu1) ...
Setting up sssd-krb5-common (1.16.1-1ubuntu1) ...
Setting up python-chardet (3.0.4-1) ...
Setting up libdbd-sqlite3-perl (1.56-1) ...
Setting up python-pycparser (2.18-2) ...
Setting up libnuxwdog-java (1.0.3-4) ...
Setting up libjs-dojo-dijit (1.11.0+dfsg-1) ...
Setting up libsofthsm2 (2.2.0-3.1build1) ...
Setting up libcglib-java (3.2.6-2) ...
Setting up opendnssec-signer (1:2.1.3-0.2build1) ...
Setting up python-jinja2 (2.10-1) ...
Setting up libtomcatjss-java (7.3.0~rc-1) ...
Setting up cracklib-runtime (2.9.2-5build1) ...
Setting up libjs-dojo-dojox (1.11.0+dfsg-1) ...
Setting up libsnappy-jni (1.1.4-1) ...
Setting up libldap-java (4.19+dfsg1-1) ...
Setting up libjansi-java (1.16-1) ...
Setting up p11-kit (0.23.9-2) ...
Setting up libaugeas0:amd64 (1.10.1-2) ...
Setting up libxsom-java (2.3.0-3) ...
Setting up bind9 (1:9.11.3+dfsg-1ubuntu1.2) ...
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
bind9-pkcs11.service is a disabled or a static unit not running, not starting it.
bind9-resolvconf.service is a disabled or a static unit not running, not starting it.
Setting up libguava-java (19.0-1) ...
Setting up python-qrcode (5.3-1) ...
update-alternatives: using /usr/bin/python2-qr to provide /usr/bin/qr (qr) in auto mode
Setting up sssd-ad-common (1.16.1-1ubuntu1) ...
Setting up libfastinfoset-java (1.2.12-3) ...
Setting up velocity (1.7-5) ...
Setting up sssd-krb5 (1.16.1-1ubuntu1) ...
Setting up libmsv-java (2009.1+dfsg1-5) ...
Setting up sssd-ldap (1.16.1-1ubuntu1) ...
Setting up sssd-proxy (1.16.1-1ubuntu1) ...
Setting up libcdi-api-java (1.2-2) ...
Setting up libpwquality1:amd64 (1.4.0-2) ...
Setting up libdrm-intel1:amd64 (2.4.91-2) ...
Setting up python-augeas (0.5.0-1) ...
Setting up sssd-dbus (1.16.1-1ubuntu1) ...
Setting up certmonger (0.79.5-3ubuntu1) ...
Setting up libsnappy-java (1.1.4-1) ...
Setting up libplexus-archiver-java (3.5-2) ...
Setting up libhttpclient-java (4.5.5-1) ...
Setting up softhsm2 (2.2.0-3.1build1) ...
Setting up bind9-dyndb-ldap (11.1-3ubuntu1) ...
Setting up librngom-java (2.3.0-3) ...
Setting up python-cffi (1.11.5-1) ...
Setting up libxt6:amd64 (1:1.1.5-1) ...
Setting up python-requests (2.18.4-2) ...
Setting up python-ipalib (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-guice-java (4.2.0-1) ...
Setting up python-html5lib (0.999999999-1) ...
Setting up libsisu-ioc-java (2.3.0-11) ...
Setting up opendnssec-enforcer-sqlite3 (1:2.1.3-0.2build1) ...
Setting up sssd-ad (1.16.1-1ubuntu1) ...
Setting up python-custodia (0.5.0-3) ...
Setting up libpam-pwquality:amd64 (1.4.0-2) ...
Setting up libguice-java (4.0-4) ...
Setting up pki-base (10.6.0-1ubuntu2) ...
Setting up sssd-ipa (1.16.1-1ubuntu1) ...
Setting up sssd (1.16.1-1ubuntu1) ...
Setting up libgl1-mesa-dri:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libpam-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up libwoodstox-java (1:4.1.3-1) ...
Setting up libxmu6:amd64 (2:1.1.2-2) ...
Setting up libjackson2-jaxrs-providers-java (2.9.4-1) ...
Setting up python-ipaclient (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-enforcer (1:2.1.3-0.2build1) ...
Setting up libsisu-inject-java (0.3.2-2) ...
Setting up pki-tools (10.6.0-1ubuntu2) ...
Setting up libglx-mesa0:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up opendnssec (1:2.1.3-0.2build1) ...
Setting up libxaw7:amd64 (2:1.0.13-1) ...
Setting up custodia (0.5.0-3) ...
Setting up freeipa-client (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-plexus-java (0.3.3-3) ...
Setting up libglx0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven3-core-java (3.5.2-2) ...
Setting up libmaven-shared-io-java (3.0.0-3) ...
Setting up libgl1:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven-file-management-java (3.0.0-1) ...
Setting up x11-utils (7.7+3build1) ...
Setting up libgl1-mesa-glx:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libatk-wrapper-java (0.33.3-20ubuntu0.1) ...
Setting up libatk-wrapper-java-jni:amd64 (0.33.3-20ubuntu0.1) ...
Setting up libistack-commons-java (3.0.6-1) ...
Setting up libcodemodel-java (2.6+jaxb2.3.0-3) ...
Setting up libtxw2-java (2.3.0-3) ...
Setting up libverto-libevent1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libverto1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libjaxb-java (2.3.0-3) ...
Setting up gssproxy (0.8.0-1) ...
Setting up libresteasy3.0-java (3.0.19-2) ...
Setting up krb5-kdc (1.16-2build1) ...
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-kdc.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
Setting up libkrad0:amd64 (1.16-2build1) ...
Setting up krb5-kdc-ldap (1.16-2build1) ...
Setting up krb5-admin-server (1.16-2build1) ...
Setting up pki-base-java (10.6.0-1ubuntu2) ...
Setting up krb5-otp:amd64 (1.16-2build1) ...
Setting up pki-server (10.6.0-1ubuntu2) ...
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
Docs: man:systemd-sysv-generator(8)
Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
pki-tomcatd start failed because no instance has been configured yet
Setting up python-ipaserver (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up pki-kra (10.6.0-1ubuntu2) ...
Setting up pki-ca (10.6.0-1ubuntu2) ...
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
Thank you!
Milos
4 years, 8 months
FreeIPA Client AD Trust user look-up latencies and results
by John Desantis
Hello all,
I've pretty much exhausted my searching in order to find a solution to
a problem I've been working on for about a week now, and now I find
myself grasping at straws.
Basically, AD trust user lookups on IPA clients fail several times in
a row before finally returning results (after 8-20 seconds). However,
this does not happen on the IPA servers - even after clearing caches.
Furthermore, querying the same list of users against a non IPA Linux
client that connects directly to our AD domain using nslcd has no
issues querying the same list of users.
From what I understand regarding the anatomy of the FreeIPA - AD Trust
relationship, the FreeIPA servers' sssd caches are queried first by
FreeIPA clients and if there is no result, then the FreeIPA server
queries the AD domain controllers, receives results, caches them, and
then provides the results to the FreeIPA client.
I've tried adjusting the sssd.conf file on both the server and the
client, without any expected results:
ignore_group_members = True
ldap_purge_cache_timeout = (various values)
memcache_timeout = (various values)
cache_first = (various values)
ldap_opt_timeout = (various values)
ldap_search_timeout = (various values)
The trust was established using the range type of "ipa-ad-trust-posix"
since each user has a unique Posix UID and a shared unique Posix GID
(no AD groups are returned).
I've attached logs (dirsrv and sssd) from the IPA server I directly
specified via the client sssd.conf and logs from the client itself.
Any pointers and/or suggestions would be extremely helpful!
Thank you,
John DeSantis
4 years, 9 months
IPA users and local groups question
by Jeff Goddard
First off thanks to everyone who makes FreeIPA. Its an awesome product that
we love.
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2
and the clients are ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Jeff
4 years, 9 months
Smartcard host login w/ Third-Party CA and PKINIT
by Khurrum Maqb
We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would like to properly configure smartcard authentication. The smartcards that we're using have been signed by an External CA controlled by a different entity. So to get that working, I've added the required CA certs using
ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install <CA>.pem
and then ran ipa-certupdate on all replicas, and restarted httpd. I associated the card authentication cert from the user's smartcard to the Identity using the GUI. I am able to search using the cert, and it retrieves the user correctly.
I also used ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh to create the script, ran it on a client host with the correct CA files. On the client side I had to edit sssd.conf and add a
[pam]
p11_child_timeout = 15
and it worked and the user was able to log in to the desktop. However, it was taking 40 seconds for the login which sounded like something was timing out. I checked the krb log and found
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].
And it reported that the backend was offline
So I added
[domain/dom.ain.com]
krb5_auth_timeout = 15
and which point, I noticed I didn't have pkinit running on the servers. So I ran ipa-pkinit-manage enable on all the replicas with a CA and soon
ipa pkiinit-status showed that PKINIT status: enabled. and Backend stopped showing as offline.
However, that does not solve the issue, and if I have krb5_auth_timeout = 15 in sssd, the login stops working and instead I get a pre-auth issue: Additional pre-authentication requird / Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM
.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result: -1765328243/Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204431: Sending unauthenticated request
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC
But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it logs the user in with the smart card + pin but klist shows NO kerberos tickets.
So my question is, do I have to add the external CA certificates to the KDC separately? They aren't really for our REALM so I don't know how that would help.
Running
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username
prompts the user for the PIN, but after the PIN is entered, it immiediately asks for the password. So it looks like the part that is failing is the KRB authentication.
Any suggestions would be very appreciated. Ideally I'd like for the smartcard auth to let the users in in a timely manner (ie ~5-15 seconds) and also give the users a kerberos ticket.
Thanks!
4 years, 9 months
deploying Freeipa ith script
by Boudjoudad Abdelkader
Hello,
I'm trying to automate freeipa-client installation on Ubuntu with custom
script using MAAS as follow :
HOSTNAME=$(hostname)
IP=$(hostname -i | awk '{print $1}')
echo "$HOSTNAME.example.com" > /etc/hostname
FQDN="$HOSTNAME.example.com"
echo "FQDN is: $FQDN"
sed -i "1 i\
$IP $FQDN $HOSTNAME" /etc/hosts
apt-get -y update
apt-get install -y nfs-kernel-server nfs-common
DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com
--domain example.com --no-ntp --unattended --principal admin --password
'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
service sssd restart
After the deployment i can do kinit domain_user and ipa user-show without
any problem, but when i tried to mount an nfs in /ec/fstab with the
following options i get an error:
The mount in /etc/fstab: nfs4
rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
0 0
The error:
mount -av
/ : ignored
none : ignored
mount.nfs4: timeout set for Wed May 29 20:04:29 2019
mount.nfs4: trying text-based options
'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
I tried to install freeipa-client manually and the nfs mount works:
ipa-client-install
What i'm missing?
Thanks,
4 years, 10 months
Windows Integration - Using SSH Without Passwords
by lejeczek
hi guys,
reading official guide one may assume - I do - that "Using SSH Without
Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
For me this does not work - ssh still asks for passwords.
If this is due to some failure/problem, then where to look and how to
troubleshoot?
many thanks, L.
4 years, 10 months
IPA-Backup fails
by Dirk Streubel
Hello,
have a little Problem with a full backup of my IPA Server.
The command : ipa-backup -d, doesn't work, the output is this:
papython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful
ipaserver.install.ipa_backup: INFO: Backing up ipaca in LINUXTEST-INTRANET-FRITZ-DE to LDIF
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/db2ldif', '-Z', 'LINUXTEST-INTRANET-FRITZ-DE', '-r', '-n', 'ipaca', '-a', '/var/lib/dirsrv/slapd-LINUXTEST-INTRANET-FRITZ-DE/ldif/LINUXTEST-INTRANET-FRITZ-DE-ipaca.ldif']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=Usage: db2ldif [-Z serverID] {-n backend_instance}* | {-s includesuffix}* [{-x excludesuffix}*] [-a outputfile]
[-E] [-r] [-u] [-U] [-m] [-1] [-q] [-V] [-v] [-h]
Note: either "-n backend" or "-s includesuffix" is required.
Options:
-Z serverID - Server instance identifier
-n backend - Backend database name. Example: userRoot
-s inclduesuffix - Suffix to include
-x - Suffix to exclude
-a outputfile - Name of the exported LDIF file
-r - Include replication data
-E - Decrypt attributes
-u - Do not export the nsUniqueId attribute
-U - Do not wrap long lines
-m - Do not base64 encode values
-1 - Do not include version text
-q - Quiet mode - suppresses output
-V - Verbose output
-v - Display version
-h - Display usage
You must supply a valid server instance identifier. Use -Z to specify instance name
Available instances: <none>
ipapython.ipautil: DEBUG: stderr=
ipaserver.install.ipa_backup: CRITICAL: db2ldif failed:
ipapython.admintool: DEBUG: File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_backup.py", line 329, in run
self.db2ldif(instance, 'ipaca', online=options.online)
File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_backup.py", line 461, in db2ldif
shutil.move(ldiffile, os.path.join(self.dir, ldifname))
File "/usr/lib64/python3.7/shutil.py", line 577, in move
copy_function(src, real_dst)
File "/usr/lib64/python3.7/shutil.py", line 263, in copy2
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib64/python3.7/shutil.py", line 120, in copyfile
with open(src, 'rb') as fsrc:
ipapython.admintool: DEBUG: The ipa-backup command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/dirsrv/slapd-LINUXTEST-INTRANET-FRITZ-DE/ldif/LINUXTEST-INTRANET-FRITZ-DE-ipaca.ldif'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/var/lib/dirsrv/slapd-LINUXTEST-INTRANET-FRITZ-DE/ldif/LINUXTEST-INTRANET-FRITZ-DE-ipaca.ldif'
ipapython.admintool: ERROR: The ipa-backup command failed. See /var/log/ipabackup.log for more information
[root@ipaserver1 ipa-data-2019-05-31-10-23-30]# man ipa-backup
I have tested the command in two different machines, the result and the error log is the same, ipa-backup --data --online works fine.
Did i miss a subcommand for an fully backup or where is my fault?
My OS is Fedora Rawhide with the last IPA Version.
Dirk
4 years, 10 months
What is transient error?
by Andrey Bondarenko
https://pagure.io/389-ds-base/pull-request/50072
says: "Transient errors are temporary conditions that usually resolve
themselves."
What are actually that errors are? We have some amount of them spreading
somtimes. What causes them and what they actually affect or may affect in
future?
Can I ignore them in my automated checks at all?
--
With best regards,
Andrey Bondarenkomail:me@andreybondarenko.comhttps://andreybondarenko.com
skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
4 years, 10 months
ipa server upgrade fails - dirsrv complains about Unknown attribute syntax OID
by Darac Marjal
Hello good people,
Due to being unfamiliar with Fedora, my home FreeIPA server has been
languishing on Fedora version 25 for ages. I recently twigged that it
hadn't been updated in ages to upgraded to Fedora version 30. That
seemed to go OK, but now, when I try to run ipactl start, I get the
following:
# ipactl start
IPA version error: data needs to be upgraded (expected version
'4.7.90.pre1-4.fc30', current version '4.4.4-1.fc25')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'dirsrv(a)GHIBLI-DARAC-ORG-UK.service'] returned non-zero exit
status 1: 'Job for dirsrv(a)GHIBLI-DARAC-ORG-UK.service failed because the
control process exited with error code.\nSee "systemctl status
dirsrv(a)GHIBLI-DARAC-ORG-UK.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
See the upgrade log for more details and/or run
/usr/sbin/ipa-server-upgrade again
Aborting ipactl
Looking into the logs for dirsrv@<REALM>, I see the following:
May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]:
[29/May/2019:20:30:52.917492045 +0100] - ERR - dse_read_one_file - The
entry cn=schema in file /usr/share/dirsrv/schema/00core.ldif (lineno: 1)
is invalid, error code >
May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]:
[29/May/2019:20:30:52.989705116 +0100] - ERR - setup_internal_backends -
Please edit the file to correct the reported problems and then restart
the server.
May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]:
dirsrv(a)GHIBLI-DARAC-ORG-UK.service: Main process exited, code=exited,
status=1/FAILURE
May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]:
dirsrv(a)GHIBLI-DARAC-ORG-UK.service: Failed with result 'exit-code'.
May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]: Failed to start
389 Directory Server GHIBLI-DARAC-ORG-UK..
Now, in an attempt to fix this, I spun up a new VM, installed
freeipa-server and then copied /usr/share/dirsrv/schema/*.ldif over, but
that doesn't seem do have had any effect.
Can anyone assist in pointing me in a direction to fixing this?
Many thanks!
4 years, 10 months
ECC keypair generation failed with `ipa-server-instal` on HSM
by チョーチュアン
Hello,
Recently I've been experimenting on HSM with FreeIPA, I got stuck at the CA
generation, but it's a separate issue. I somehow achieve a successful key
generation on HSM with default key_algorimth/size/ settings. RSA 3072/2048
keys showed up on the HSM even after a failed CA installation but not the
case with ECC keys.
The error was:
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned
non-zero exit status 1:
pkihelper : ERROR Server unreachable due to SSL error:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
sslv3 alert handshake failure (_ssl.c:1056)
configuration : ERROR Server failed to restart
pkispawn : ERROR Exception: server failed to restart
File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547,
in main
scriptlet.spawn(deployer)
File
"/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 670, in spawn
raise Exception("server failed to restart")
')
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
and configuration was:
```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
pki_random_serial_numbers_enable=True
```
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
4 years, 10 months