Seeking URLs/docs/tips on handling UPN change in a complex already-trusted AD topology
by Chris Dagdigian
Hi folks,
Environment: AWS-based FreeIPA cluster with its own unique
realm/domain that is bound to the AD domain of the real COMPANY.COM and
a fairly complex forest
We have a functional FreeIPA system at the moment where AD users from
COMPANY.COM can login
- via <crypticshortname>@CHILD-DOMAIN.COMPANY.COM on older systems
- via <crypticshortname>@COMPANY.COM on newer systems with fresh SSSD
(thank you AD search domains, heh!)
But we've gotten word from AD admins that they want to change the UPN
from <crypticshortname> to "<firstname>.<lastname>@company.com" and
although I did not witness it, supposedly when they made the change all
SSH logins to our FreeIPA managed systems broke.
I'm still not 100% convinced that things broke and we'll be testing more
this week --- but now I'm motivated to try to get ahead of any
potential problems ...
Looking for documentation and URLS to read or general tips and advice
regarding any impact or changes needed on FreeIPA when the UPN on Active
Directory changes format.
In particular:
- What happens to existing IPA user groups of type "external" when we've
listed those AD usernames via their
<shortname>@CHILD-DOMAIN.COMPANY.COM and the UPN is now different? Do
we have to go update/change/fix all of our external users? If so, do
those changes propagate into all of the other RBAC rules or are we
looking at an entire rebuild/reset of our RBAC and user environment?
- Any FreeIPA changes or settings to look at or alter when UPN changes
format?
I'm probably missing other major questions to ask so any other tips or
advice would be appreciated.
Regards
Chris
4 years, 9 months
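One way to check what FreeIPA actually stores for the AD members of an "external" group, as an added example that is not part of the thread: FreeIPA records such members in the ipaExternalMember attribute as the AD object's SID rather than as a name@REALM string, so a UPN change on the AD side does not alter the stored value. The script below assumes the group entries are available as an LDIF export (for instance from ldapsearch against the IPA directory); the LDIF sample, the group names and the trusted domain SID are constructed.

```python
# Audit ipaExternalMember values of FreeIPA external groups (added example,
# not from the thread). Input: an LDIF export of the group entries; the
# sample below is constructed. A SID means membership survives an AD UPN
# change; a user@REALM value or a SID from an unknown domain is flagged.
import re
from dataclasses import dataclass, field

# Windows SID syntax: S-1-<identifier authority>-<sub-authority>...;
# for a domain user or group the last component is the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")
# A user@REALM value is not what ipaExternalMember normally holds;
# report it so it can be checked by hand.
NAME_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# Constructed LDIF: two external groups with SID members, one
# name-style value and one SID from an unrelated domain.
SAMPLE_LDIF = """\
dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
cn: ad_admins_external
objectClass: ipaexternalgroup
ipaExternalMember: S-1-5-21-3623811015-3361044348-30300820-1013
ipaExternalMember: S-1-5-21-3623811015-3361044348-30300820-512

dn: cn=ad_devs_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
cn: ad_devs_external
objectClass: ipaexternalgroup
ipaExternalMember: S-1-5-21-3623811015-3361044348-30300820-1104
ipaExternalMember: S-1-5-21-111111111-222222222-333333333-1000
ipaExternalMember: abc123@CHILD-DOMAIN.COMPANY.COM
"""


@dataclass
class GroupReport:
    sids: list = field(default_factory=list)       # well-formed SIDs
    foreign: list = field(default_factory=list)    # SIDs outside trusted domains
    names: list = field(default_factory=list)      # user@REALM values
    malformed: list = field(default_factory=list)  # anything else


def parse_ldif(text):
    """Minimal LDIF reader: entries as dicts of lower-cased attr -> [values]."""
    # Folded continuation lines are joined; base64 ("::") values are left as-is.
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]       # folded line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def domain_sid(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1013 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def audit(ldif_text, trusted_domain_sids):
    """Classify every ipaExternalMember value of each external group."""
    reports = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "ipaexternalgroup" not in classes:
            continue
        rep = GroupReport()
        for member in entry.get("ipaexternalmember", []):
            if SID_RE.match(member):
                rep.sids.append(member)
                if domain_sid(member) not in trusted_domain_sids:
                    rep.foreign.append(member)
            elif NAME_RE.match(member):
                rep.names.append(member)
            else:
                rep.malformed.append(member)
        reports[entry["cn"][0]] = rep
    return reports


if __name__ == "__main__":
    # The trusted domain SID is constructed to match the sample above.
    trusted = {"S-1-5-21-3623811015-3361044348-30300820"}
    for group, rep in audit(SAMPLE_LDIF, trusted).items():
        print(group, rep)
```

Groups whose report has only entries in sids need no change after the UPN switch; anything in names, foreign or malformed is worth a look with ipa group-show before touching RBAC rules.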
FreeIPA & Puppet
by Christian Reiss
Hey folks,
I read it's possible to attach Puppet CA to the FreeIPA CA.
The only howtos out there were pretty dated; they either state super old
Puppetserver components (puppet server, which was abolished in like
3.x), CentOS5 or even FreeIPA's inability to run more than one CA.
For lack of any good/recent howto out there, here are my assumptions:
- I should create a CA for Puppet in FreeIPA. This can be trivially
done via the gui.
Q: It would ask me for a DN on the CA. I would put my FQDN of the
PuppetServer there?
- Create the puppetserver certificate on any node with admin rights:
ipa service-add puppetmaster/$(hostname -f)
ipa service-add puppet/$(hostname -f)
Q: I found the puppet*/* descriptors in some ancient document. I am
unsure if they are still needed or if they are the right ones
for Puppet 6.x+.
Q: How can I request a certificate from a specific CA?
- Then I found this tidbit:
--- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< ---
# install the passenger repo and the Apache modules
yum --nogpgcheck --localinstall \
    http://passenger.stealthymonkeys.com/fedora/16/passenger-release.noarch.rpm
yum install mod_nss mod_passenger
# enrol the host in IPA and stop the master while certs are requested
ipa-client-install --password=secret
systemctl stop puppetmaster.service
# certificate for the Apache/mod_nss front end, tracked by certmonger
ipa-getcert request -K puppetmaster/puppet.example.com \
    -d /etc/httpd/alias \
    -n puppetmaster/puppet.example.com
# certificate for the Puppet service itself, stored as PEM files
ipa-getcert request -K puppet/puppet.example.com \
    -D puppet.example.com \
    -k /etc/puppet/ssl/private_keys/puppet.example.com.pem \
    -f /etc/puppet/ssl/public_keys/puppet.example.com.pem
# rack application directory for passenger
mkdir -p /var/www/puppet/public
cp /usr/share/puppet/ext/rack/files/config.ru /var/www/puppet
--- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< --- --- 8< ---
(https://jca.pe/2012/01/16/using-the-freeipa-pki-with-puppet/) from 2012.
Those paths still check out. I would adapt those with the certificate I
got earlier.
Am I on the right track here?
-Chris.
--
Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon
support(a)alpha-labs.net \ / Campaign
X against HTML
WEB alpha-labs.net / \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 9 months
basic docker deploy failing
by Conley, Sean L. - US
Hello,
I need some assistance getting a basic functional docker-based FreeIPA server deploy working. I am not sure what I am missing, but the install is consistently failing on the client setup portion at the end. I have tried a number of variations for install options, but always end up with the same result. Any assistance would be much appreciated.
This is a good example of how I am bootstrapping the container:
host=ipa
domain=example.com
realm=EXAMPLE.COM
password=Secret123
rm -rf /data/ipa/*
cat << EOF > /data/ipa/ipa-server-install-options
--setup-dns \
--forwarder=10.2.0.2 \
--allow-zone-overlap \
--domain=${domain} \
--realm=${realm} \
--hostname=${host}.${domain} \
--ds-password=${password} \
--admin-password=${password} \
--no-ntp \
--verbose \
--unattended
EOF
docker run -it --rm -e DEBUG_TRACE=1 -e DEBUG_NO_EXIT=1 --name ${host} -h ${host}.${domain} \
-e PASSWORD=$password \
-v /data/ipa:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp \
-p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
-p 88:88/udp -p 464:464/udp -p 123:123/udp -p 7389:7389 -p 9443:9443 -p 9444:9444 -p 9445:9445 \
--privileged --userns=host freeipa/freeipa-server
It appears that most of the install runs as expected, but this is what I get in the end:
No valid Negotiate header in server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Here are some additional details from the ipaclient-install.log:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 726, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 679, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
2019-06-28T17:01:04Z DEBUG Destroyed connection context.rpcclient_140381178350560
4 years, 9 months
Upgrade path in CentOS 7
by Christophe TREFOIS
Hi,
Is it required to upgrade via every minor release of CentOS, say 7.2,7.3,7.4 etc to have a successful IPA upgrade, or can one also go from 7.2 to 7.6 directly?
Any advice will be appreciated,
Thanks,
Chris
4 years, 9 months
freeipa-server failed to install - Debian9
by 1292865949@qq.com
hello all:
I am trying to install the freeipa-server (4.7.1) package on Debian 9, which is
now failing; the failure message is "pkispawn failed". The installation output is as follows, after running apt install
freeipa-server. I want to know an effective way of installing freeipa-server
on Debian. Can you provide the way to compile the FreeIPA project?
1. Debian9 system info.
Linux root 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux
2. Freeipa-server deb info.
freeipa-admintools_4.7.1-3_amd64.deb freeipa-tests_4.7.1-3_all.deb
freeipa-client_4.7.1-3_amd64.deb pki-tools_10.6.8-2_amd64.deb
freeipa-common_4.7.1-3_all.deb python-ipaclient_4.7.1-3_all.deb
freeipa-server_4.7.1-3_amd64.deb python-ipalib_4.7.1-3_all.deb
freeipa-server-dns_4.7.1-3_all.deb python-ipaserver_4.7.1-3_all.deb
freeipa-server-trust-ad_4.7.1-3_amd64.deb python-ipatests_4.7.1-3_all.deb
3. The error log as follows.
ipa-server-install
2019-07-11T11:33:19Z DEBUG Starting external process
2019-07-11T11:33:19Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpYHBX9A']
2019-07-11T11:34:20Z DEBUG Process finished, return code=1
2019-07-11T11:34:20Z DEBUG stdout=Starting pki-tomcatd (via systemctl): pki-tomcatd.service.
Log file: /var/log/pki/pki-ca-spawn.20190711073319.log
Loading deployment configuration from /tmp/tmpYHBX9A.
WARNING: The 'pki_pin' in [CA] has been deprecated. Use 'pki_server_database_password' instead.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/dogtag/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: server failed to restart
2019-07-11T11:34:20Z DEBUG stderr=pkispawn : ERROR Server did not start after 60s
configuration : ERROR Server failed to restart
2019-07-11T11:34:20Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpYHBX9A'] returned non-zero exit status 1: u'pkispawn : ERROR Server did not start after 60s\nconfiguration : ERROR Server failed to restart\n')
2019-07-11T11:34:20Z CRITICAL See the installation logs and the following files/directories for more information:
2019-07-11T11:34:20Z CRITICAL /var/log/pki/pki-tomcat
2019-07-11T11:34:20Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 605, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 591, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 669, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2019-07-11T11:34:20Z DEBUG [error] RuntimeError: CA configuration failed.
2019-07-11T11:34:20Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 550, in main
    master_install(self)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 253, in decorated
    func(installer)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 842, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ca.py", line 318, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 484, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 605, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 591, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 669, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2019-07-11T11:34:20Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2019-07-11T11:34:20Z ERROR CA configuration failed.
2019-07-11T11:34:20Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
4. Pkispawn error info.
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/caCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/caCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/caOCSPCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/caOCSPCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/rsaServerCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/serverCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/serverCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/rsaSubsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/subsystemCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/subsystemCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/proxy.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/proxy.conf
2019-07-08 03:58:07 pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown -h 111:117 /var/lib/pki/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown -h 111:117 /var/lib/pki/pki-tomcat/ca/conf
2019-07-08 03:58:07 pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown -h 111:117 /var/lib/pki/pki-tomcat/ca/logs
2019-07-08 03:58:07 webapp : INFO Creating webapp
2019-07-08 03:58:07 pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/ca/webapps
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 770 /var/lib/pki/pki-tomcat/ca/webapps
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /var/lib/pki/pki-tomcat/ca/webapps
2019-07-08 03:58:07 pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/webapps'
2019-07-08 03:58:07 nssdb : INFO Creating NSS database
2019-07-08 03:58:07 pki.server : INFO Loading instance: pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading instance registry: /etc/dogtag/tomcat/pki-tomcat/pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading subsystem: ca
2019-07-08 03:58:07 pki.server : INFO Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
2019-07-08 03:58:07 nssdb : INFO Creating password config: /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 nssdb : INFO Creating password file: /etc/pki/pki-tomcat/pfile
2019-07-08 03:58:07 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf'
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
2019-07-08 03:58:07 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
2019-07-08 03:58:07 pki.server : INFO Getting signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting ocsp_signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting sslserver cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting subsystem cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting audit_signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 755 /root/.dogtag/pki-tomcat/ca
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca
2019-07-08 03:58:07 nssdb : INFO Creating password file: /root/.dogtag/pki-tomcat/ca/password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2019-07-08 03:58:07 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 770 /root/.dogtag/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
2019-07-08 03:58:07 selinux : INFO SELinux disabled
2019-07-08 03:58:07 keygen : INFO Generating keys
2019-07-08 03:58:07 pki.server : INFO Loading instance: pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading instance registry: /etc/dogtag/tomcat/pki-tomcat/pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading password config: /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 pki.server : INFO Loading subsystem: ca
2019-07-08 03:58:07 pki.server : INFO Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting signing cert info for ca from NSS database
2019-07-08 03:58:07 pki.nssdb : DEBUG Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpQ8ZCeb/password.txt -n caSigningCert cert-pki-ca -a
2019-07-08 03:58:07 keygen : INFO Generating ca_signing CSR in /root/ipa.csr
2019-07-08 03:58:07 pki.nssdb : DEBUG Command: openssl rand -out /tmp/tmpv1RVD7/noise.bin 2048
2019-07-08 03:58:07 pki.nssdb : DEBUG Command: certutil -R -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpv1RVD7/password.txt -s CN=Certificate Authority,O=EXAMPLE.COM -o /tmp/tmpv1RVD7/request.bin -z /tmp/tmpv1RVD7/noise.bin -k rsa -g 2048 -Z SHA256 --keyUsage certSigning,crlSigning,critical,digitalSignature,nonRepudiation -2
2019-07-08 03:58:07 pkispawn : DEBUG ....... Error Type: CalledProcessError
2019-07-08 03:58:07 pkispawn : DEBUG ....... Error Message: Command '['BtoA', '/tmp/tmpv1RVD7/request.bin', '/tmp/tmpv1RVD7/request.b64']' returned non-zero exit status 1
2019-07-08 03:58:07 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 546, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 468, in spawn
    self.generate_system_cert_requests(deployer, subsystem)
  File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 433, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, subsystem)
  File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 176, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 113, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python2.7/dist-packages/pki/nssdb.py", line 613, in create_request
    'BtoA', binary_request_file, b64_request_file])
  File "/usr/lib/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
Thanks.
4 years, 9 months
freeipa-server failed to install - Debian
by Milos Cuculovic
I am trying to install, after an uninstall, the freeipa-server package on Debian, which is now failing. I normally removed all packages and config files, but something still seems to cause issues. The installation output is as follows, after running apt install freeipa-server (I'm first extracting the main warning and failure lines I identified).
—————
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
—————
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
—————
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-kdc.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
—————
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
Docs: man:systemd-sysv-generator(8)
Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
—————
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
—————
FULL OUTPUT:
Setting up libsymkey-jni (10.6.0-1ubuntu2) ...
Setting up python-dnspython (1.15.0-1) ...
Setting up libxcb-present0:amd64 (1.13-1) ...
Setting up libslf4j-java (1.7.25-3) ...
Setting up libglvnd0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up oddjob (0.34.3-4) ...
Setting up libxinerama1:amd64 (2:1.1.3-1) ...
Setting up libplexus-classworlds-java (2.5.2-2) ...
Processing triggers for ufw (0.35-5) ...
Setting up libxcb-dri2-0:amd64 (1.13-1) ...
Setting up libsss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libhttp-parser2.7.1:amd64 (2.7.1-2) ...
Setting up libxcb-dri3-0:amd64 (1.13-1) ...
Setting up libxcb-glx0:amd64 (1.13-1) ...
Setting up libcommons-io-java (2.6-2) ...
Setting up libstax-java (1.2.0-4) ...
Setting up libargs4j-java (2.33-1) ...
Setting up python-urllib3 (1.22-1) ...
Setting up libapache2-mod-lookup-identity (1.0.0-1) ...
apache2_invoke: Enable module lookup_identity
Setting up libpath-utils1:amd64 (0.6.1-1) ...
Setting up libjettison-java (1.4.0-1) ...
Setting up libsocket-getaddrinfo-perl (0.22-3) ...
Setting up libknopflerfish-osgi-framework-java (6.1.1-2) ...
Setting up libperl4-corelibs-perl (0.004-1) ...
Setting up libsss-nss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libnfsidmap2:amd64 (0.25-5.1) ...
Setting up python-usb (1.0.0-1) ...
Setting up libxdamage1:amd64 (1:1.1.4-3) ...
Setting up libhawtjni-runtime-java (1.15-2) ...
Setting up libhttpcore-java (4.4.9-1) ...
Setting up libjackson2-core-java (2.9.4-1) ...
Setting up ieee-data (20180204.1) ...
Setting up libjsr311-api-java (1.1.1-1) ...
Setting up python-yubico (1.3.2-1) ...
Setting up libyaml-snake-java (1.20-1) ...
Setting up libxfixes3:amd64 (1:5.0.3-1) ...
Setting up oddjob-mkhomedir (0.34.3-4) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libdrm-amdgpu1:amd64 (2.4.91-2) ...
Setting up libllvm6.0:amd64 (1:6.0-1ubuntu2) ...
Setting up chrony (3.2-4ubuntu4.2) ...
Setting up libisorelax-java (20041111-10) ...
Setting up python-openssl (17.5.0-1ubuntu1) ...
Setting up libplexus-cipher-java (1.7-3) ...
Setting up python-ply (3.11-1) ...
Setting up python-kdcproxy (0.3.2-5) ...
Setting up python-netaddr (0.7.19-1) ...
Setting up python-jwcrypto (0.4.2-1) ...
Setting up libatspi2.0-0:amd64 (2.28.0-1) ...
Setting up libdtd-parser-java (1.2~svn20110404-1) ...
Setting up libsvrcore0:amd64 (1:4.1.2+dfsg1-3) ...
Setting up at-spi2-core (2.28.0-1) ...
Setting up libsss-certmap0 (1.16.1-1ubuntu1) ...
Setting up libxshmfence1:amd64 (1.3-1) ...
Setting up libjaxb-api-java (2.2.9-1) ...
Setting up krb5-pkinit:amd64 (1.16-2build1) ...
Setting up libstax2-api-java (3.1.1-1) ...
Setting up python-certifi (2018.1.18-2) ...
Setting up libstax-ex-java (1.7.8-1) ...
Setting up libipa-hbac0 (1.16.1-1ubuntu1) ...
Setting up dogtag-pki-server-theme (10.6.0-1ubuntu2) ...
Setting up libplexus-interpolation-java (1.24-1) ...
Setting up libnl-route-3-200:amd64 (3.2.29-0ubuntu3) ...
Setting up libglapi-mesa:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up fonts-open-sans (1.11-1) ...
Setting up python-sss (1.16.1-1ubuntu1) ...
Setting up libplexus-component-annotations-java (1.7.1-7) ...
Setting up python-pkg-resources (39.0.1-2) ...
Setting up freeipa-common (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-common (1:2.1.3-0.2build1) ...
Setting up libmaven-shared-utils-java (3.1.0-2) ...
Setting up python-pyasn1-modules (0.2.1-0.2) ...
Setting up libdhash1:amd64 (0.6.1-1) ...
Setting up python-nss (1.0.0-1build3) ...
Setting up python-markupsafe (1.0-1build1) ...
Setting up fonts-font-awesome (4.7.0~dfsg-3) ...
Setting up python-netifaces (0.10.4-0.1build4) ...
Setting up libjackson2-annotations-java (2.9.4-1) ...
Setting up libldns2:amd64 (1.7.0-3ubuntu4) ...
Setting up sqlite3 (3.22.0-1) ...
Setting up libjoda-time-java (2.9.9-1) ...
Setting up libplexus-utils2-java (3.0.24-3) ...
Setting up libjackson2-dataformat-cbor (2.7.8-3) ...
Setting up libcollection4:amd64 (0.6.1-1) ...
Setting up libwagon-provider-api-java (3.0.0-2) ...
Setting up libxcb-sync1:amd64 (1.13-1) ...
Setting up libjsr305-java (0.1~+svn49-10) ...
Setting up python-dateutil (2.6.1-1) ...
Setting up ldap-utils (2.4.45+dfsg-1ubuntu1) ...
Setting up libatk1.0-data (2.28.1-1) ...
Setting up libjackson2-databind-java (2.9.5-1) ...
Setting up libjackson2-dataformat-yaml (2.8.10-3) ...
Setting up libx11-xcb1:amd64 (2:1.6.4-3ubuntu0.1) ...
Setting up libnetaddr-ip-perl (4.079+dfsg-1build2) ...
Setting up python-gi (3.26.1-2) ...
Setting up libmozilla-ldap-perl (1.5.3-2build4) ...
Setting up libservlet3.1-java (8.5.30-1ubuntu1.4) ...
Setting up libjboss-jdeparser2-java (2.0.2-1) ...
Setting up libjavassist-java (1:3.21.0-2) ...
Setting up p11-kit-modules:amd64 (0.23.9-2) ...
Setting up libnss-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up softhsm2-common (2.2.0-3.1build1) ...
Setting up libhsm-bin (1:2.1.3-0.2build1) ...
Setting up python3-sss (1.16.1-1ubuntu1) ...
Setting up libjackson2-module-jaxb-annotations-java (2.8.10-2) ...
Setting up libxmlrpc-core-c3 (1.33.14-8build1) ...
Setting up libxxf86dga1:amd64 (2:1.1.4-1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up libjackson-json-java (1.9.2-9) ...
Setting up python-bs4 (4.6.0-1) ...
Setting up python-selinux (2.7-2build2) ...
Setting up libgeronimo-interceptor-3.0-spec-java (1.0.1-4fakesync) ...
Setting up libmaven-resolver-java (1.1.0-3) ...
Setting up libsocket6-perl (0.27-1build2) ...
Setting up libnsspem:amd64 (1.0.3-0ubuntu2) ...
Setting up 389-ds-base-libs (1.3.7.10-1ubuntu1) ...
Setting up libplexus-utils-java (1:1.5.15-5) ...
Setting up libnss3-tools (2:3.35-2ubuntu2) ...
Setting up python-libipa-hbac (1.16.1-1ubuntu1) ...
Setting up libnuxwdog0 (1.0.3-4) ...
Setting up libjackson2-dataformat-xml-java (2.9.4-1) ...
Setting up libcommons-compress-java (1.13-2) ...
Setting up libatk1.0-0:amd64 (2.28.1-1) ...
Setting up libcommons-lang3-java (3.5-2ubuntu1) ...
Setting up libjaxen-java (1.1.6-3) ...
Setting up libwebpmux3:amd64 (0.6.1-2) ...
Setting up libsnappy1v5:amd64 (1.1.7-1) ...
Setting up libjansi-native-java (1.7-1) ...
Setting up python-systemd (234-1build1) ...
Processing triggers for systemd (237-3ubuntu10.3) ...
Setting up libpwquality-common (1.4.0-2) ...
Setting up augeas-lenses (1.10.1-2) ...
Setting up python-lxml:amd64 (4.2.1-1) ...
Setting up libatk-bridge2.0-0:amd64 (2.26.2-1) ...
Setting up libjaxrs-api-java (2.1-1) ...
Setting up libice6:amd64 (2:1.0.9-2) ...
Setting up libasm-java (6.0-1) ...
Setting up libfontenc1:amd64 (1:1.1.3-1) ...
Setting up libxcomposite1:amd64 (1:0.4.4-2) ...
Setting up libcrack2:amd64 (2.9.2-5build1) ...
Setting up python-olefile (0.45.1-1) ...
Setting up libwebpdemux2:amd64 (0.6.1-2) ...
Setting up libxcb-shape0:amd64 (1.13-1) ...
Setting up libpciaccess0:amd64 (0.14-1) ...
Setting up libstreambuffer-java (1.5.4-1) ...
Setting up libxv1:amd64 (2:1.0.11-1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up libatinject-jsr330-api-java (1.0+ds1-5) ...
Setting up libjboss-logging-tools-java (2.1.0-2) ...
Setting up libbasicobjects0:amd64 (0.6.1-1) ...
Setting up libmaven-parent-java (27-2) ...
Setting up python3-ply (3.11-1) ...
Setting up libdrm-radeon1:amd64 (2.4.91-2) ...
Setting up libref-array1:amd64 (0.6.1-1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
Setting up libxxf86vm1:amd64 (1:1.1.4-1) ...
Setting up libdrm-nouveau2:amd64 (2.4.91-2) ...
Setting up libxft2:amd64 (2.3.2-1) ...
Setting up python-dbus (1.2.6-1) ...
Setting up libcommons-codec-java (1.11-1) ...
Setting up libjss-java (4.4.3-1) ...
Setting up libjackson2-dataformat-smile (2.7.8-3) ...
Setting up slapi-nis (0.56.1-1build1) ...
Setting up libcommons-lang-java (2.6-8) ...
Setting up libcurl3-nss:amd64 (7.58.0-2ubuntu3.3) ...
Setting up python-pil:amd64 (5.1.0-1) ...
Setting up libcommons-httpclient-java (3.1-14) ...
Setting up libaopalliance-java (20070526-6) ...
Setting up libc-ares2:amd64 (1.14.0-1) ...
Setting up libjs-dojo-core (1.11.0+dfsg-1) ...
Setting up python-webencodings (0.5-2) ...
Setting up libgeronimo-annotation-1.3-spec-java (1.0-1) ...
Setting up libdbi-perl (1.640-1) ...
Setting up libjboss-logging-java (3.3.2-1) ...
Setting up libsss-sudo (1.16.1-1ubuntu1) ...
Checking NSS setup...
Setting up libxrandr2:amd64 (2:1.5.1-1) ...
Setting up librelaxng-datatype-java (1.0+ds1-3) ...
Setting up libcommons-cli-java (1.4-1) ...
Setting up libini-config5:amd64 (0.6.1-1) ...
Setting up libplexus-sec-dispatcher-java (1.4-3) ...
Setting up sssd-common (1.16.1-1ubuntu1) ...
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
sssd-secrets.service is a disabled or a static unit not running, not starting it.
Setting up python-ldap (3.0.0-1) ...
Setting up 389-ds-base (1.3.7.10-1ubuntu1) ...
dirsrv-snmp.service is a disabled or a static unit, not starting it.
dirsrv.target is a disabled or a static unit, not starting it.
Setting up bind9utils (1:9.11.3+dfsg-1ubuntu1.2) ...
Setting up libdom4j-java (2.1.0-2) ...
Setting up python-setuptools (39.0.1-2) ...
Setting up libsm6:amd64 (2:1.2.2-1) ...
Setting up libplexus-io-java (3.0.0-1) ...
Setting up libscannotation-java (1.0.2+svn20110812-3) ...
Setting up libsymkey-java (10.6.0-1ubuntu2) ...
Setting up python-libsss-nss-idmap (1.16.1-1ubuntu1) ...
Setting up sssd-krb5-common (1.16.1-1ubuntu1) ...
Setting up python-chardet (3.0.4-1) ...
Setting up libdbd-sqlite3-perl (1.56-1) ...
Setting up python-pycparser (2.18-2) ...
Setting up libnuxwdog-java (1.0.3-4) ...
Setting up libjs-dojo-dijit (1.11.0+dfsg-1) ...
Setting up libsofthsm2 (2.2.0-3.1build1) ...
Setting up libcglib-java (3.2.6-2) ...
Setting up opendnssec-signer (1:2.1.3-0.2build1) ...
Setting up python-jinja2 (2.10-1) ...
Setting up libtomcatjss-java (7.3.0~rc-1) ...
Setting up cracklib-runtime (2.9.2-5build1) ...
Setting up libjs-dojo-dojox (1.11.0+dfsg-1) ...
Setting up libsnappy-jni (1.1.4-1) ...
Setting up libldap-java (4.19+dfsg1-1) ...
Setting up libjansi-java (1.16-1) ...
Setting up p11-kit (0.23.9-2) ...
Setting up libaugeas0:amd64 (1.10.1-2) ...
Setting up libxsom-java (2.3.0-3) ...
Setting up bind9 (1:9.11.3+dfsg-1ubuntu1.2) ...
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
bind9-pkcs11.service is a disabled or a static unit not running, not starting it.
bind9-resolvconf.service is a disabled or a static unit not running, not starting it.
Setting up libguava-java (19.0-1) ...
Setting up python-qrcode (5.3-1) ...
update-alternatives: using /usr/bin/python2-qr to provide /usr/bin/qr (qr) in auto mode
Setting up sssd-ad-common (1.16.1-1ubuntu1) ...
Setting up libfastinfoset-java (1.2.12-3) ...
Setting up velocity (1.7-5) ...
Setting up sssd-krb5 (1.16.1-1ubuntu1) ...
Setting up libmsv-java (2009.1+dfsg1-5) ...
Setting up sssd-ldap (1.16.1-1ubuntu1) ...
Setting up sssd-proxy (1.16.1-1ubuntu1) ...
Setting up libcdi-api-java (1.2-2) ...
Setting up libpwquality1:amd64 (1.4.0-2) ...
Setting up libdrm-intel1:amd64 (2.4.91-2) ...
Setting up python-augeas (0.5.0-1) ...
Setting up sssd-dbus (1.16.1-1ubuntu1) ...
Setting up certmonger (0.79.5-3ubuntu1) ...
Setting up libsnappy-java (1.1.4-1) ...
Setting up libplexus-archiver-java (3.5-2) ...
Setting up libhttpclient-java (4.5.5-1) ...
Setting up softhsm2 (2.2.0-3.1build1) ...
Setting up bind9-dyndb-ldap (11.1-3ubuntu1) ...
Setting up librngom-java (2.3.0-3) ...
Setting up python-cffi (1.11.5-1) ...
Setting up libxt6:amd64 (1:1.1.5-1) ...
Setting up python-requests (2.18.4-2) ...
Setting up python-ipalib (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-guice-java (4.2.0-1) ...
Setting up python-html5lib (0.999999999-1) ...
Setting up libsisu-ioc-java (2.3.0-11) ...
Setting up opendnssec-enforcer-sqlite3 (1:2.1.3-0.2build1) ...
Setting up sssd-ad (1.16.1-1ubuntu1) ...
Setting up python-custodia (0.5.0-3) ...
Setting up libpam-pwquality:amd64 (1.4.0-2) ...
Setting up libguice-java (4.0-4) ...
Setting up pki-base (10.6.0-1ubuntu2) ...
Setting up sssd-ipa (1.16.1-1ubuntu1) ...
Setting up sssd (1.16.1-1ubuntu1) ...
Setting up libgl1-mesa-dri:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libpam-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up libwoodstox-java (1:4.1.3-1) ...
Setting up libxmu6:amd64 (2:1.1.2-2) ...
Setting up libjackson2-jaxrs-providers-java (2.9.4-1) ...
Setting up python-ipaclient (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-enforcer (1:2.1.3-0.2build1) ...
Setting up libsisu-inject-java (0.3.2-2) ...
Setting up pki-tools (10.6.0-1ubuntu2) ...
Setting up libglx-mesa0:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up opendnssec (1:2.1.3-0.2build1) ...
Setting up libxaw7:amd64 (2:1.0.13-1) ...
Setting up custodia (0.5.0-3) ...
Setting up freeipa-client (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-plexus-java (0.3.3-3) ...
Setting up libglx0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven3-core-java (3.5.2-2) ...
Setting up libmaven-shared-io-java (3.0.0-3) ...
Setting up libgl1:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven-file-management-java (3.0.0-1) ...
Setting up x11-utils (7.7+3build1) ...
Setting up libgl1-mesa-glx:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libatk-wrapper-java (0.33.3-20ubuntu0.1) ...
Setting up libatk-wrapper-java-jni:amd64 (0.33.3-20ubuntu0.1) ...
Setting up libistack-commons-java (3.0.6-1) ...
Setting up libcodemodel-java (2.6+jaxb2.3.0-3) ...
Setting up libtxw2-java (2.3.0-3) ...
Setting up libverto-libevent1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libverto1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libjaxb-java (2.3.0-3) ...
Setting up gssproxy (0.8.0-1) ...
Setting up libresteasy3.0-java (3.0.19-2) ...
Setting up krb5-kdc (1.16-2build1) ...
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-kdc.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
Setting up libkrad0:amd64 (1.16-2build1) ...
Setting up krb5-kdc-ldap (1.16-2build1) ...
Setting up krb5-admin-server (1.16-2build1) ...
Setting up pki-base-java (10.6.0-1ubuntu2) ...
Setting up krb5-otp:amd64 (1.16-2build1) ...
Setting up pki-server (10.6.0-1ubuntu2) ...
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
Docs: man:systemd-sysv-generator(8)
Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
pki-tomcatd start failed because no instance has been configured yet
Setting up python-ipaserver (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up pki-kra (10.6.0-1ubuntu2) ...
Setting up pki-ca (10.6.0-1ubuntu2) ...
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
Thank you!
Milos
4 years, 9 months
IPA's CA - from its own to an external
by lejeczek
hi guys,
I'm starting to look more thoroughly into CA, and something I'm not sure
is possible, and hoping you could shed more light on, is this: having IPA
deployed with its own CA, is it possible to then, at a later point,
move/migrate/change IPA to a subordinate type of CA with AD's CA as root?
Is such a change an SOP or rather something undocumented/unsupported but
possible & risky?
many thanks, L.
4 years, 9 months
Session Recording on RHEL/OL8
by Ronald Wimmer
What I did on an OracleLinux 8 beta system (which is an IPA client) was
installing the packages tlog and cockpit-session-recording. I do not
want to use the cockpit web interface. What are the next steps in order
to get session recording working?
Cheers,
Ronald
4 years, 9 months
ipa-replica install failed
by Dirk Streubel
Hello,
I've got a little problem with ipa-replica-install.
After the following command: ipa-replica-install --setup-ca --setup-dns --forwarder=9.9.9.9 --skip-conncheck
the replica install interrupts with the following comment:
Starting replication, please wait until this has completed.
Update in progress, 14 seconds elapsed
[ldap://ipaserver1.linuxtest.gonicus.de:389] reports: Update failed! Status: [Error (-1) - LDAP error: Can't contact LDAP server - no response received]
I have tested the IPA replica with Fedora 30 and Rawhide; the error is the same.
Here are the last entries of /var/log/ipareplica-install.log; I think this may help.
[root@ipaserver2 ~]# tail -n +1846 /var/log/ipareplica-install.log
2019-07-17T10:51:15Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-LINUXTEST-GONICUS-DE.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
2019-07-17T10:51:15Z DEBUG step duration: dirsrv __enable_sasl_mapping_fallback 0.02 sec
2019-07-17T10:51:15Z DEBUG [25/41]: restarting directory server
2019-07-17T10:51:15Z DEBUG Destroyed connection context.ldap2_140587719084688
2019-07-17T10:51:15Z DEBUG Starting external process
2019-07-17T10:51:15Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload']
2019-07-17T10:51:15Z DEBUG Process finished, return code=0
2019-07-17T10:51:15Z DEBUG stdout=
2019-07-17T10:51:15Z DEBUG stderr=
2019-07-17T10:51:15Z DEBUG Starting external process
2019-07-17T10:51:15Z DEBUG args=['/bin/systemctl', 'restart', 'dirsrv@LINUXTEST-GONICUS-DE.service']
2019-07-17T10:51:18Z DEBUG Process finished, return code=0
2019-07-17T10:51:18Z DEBUG stdout=
2019-07-17T10:51:18Z DEBUG stderr=
2019-07-17T10:51:18Z DEBUG Starting external process
2019-07-17T10:51:18Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@LINUXTEST-GONICUS-DE.service']
2019-07-17T10:51:18Z DEBUG Process finished, return code=0
2019-07-17T10:51:18Z DEBUG stdout=active
2019-07-17T10:51:18Z DEBUG stderr=
2019-07-17T10:51:18Z DEBUG wait_for_open_ports: localhost [389] timeout 120
2019-07-17T10:51:18Z DEBUG waiting for port: 389
2019-07-17T10:51:18Z DEBUG SUCCESS: port: 389
2019-07-17T10:51:18Z DEBUG Restart of dirsrv@LINUXTEST-GONICUS-DE.service complete
2019-07-17T10:51:18Z DEBUG Starting external process
2019-07-17T10:51:18Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@LINUXTEST-GONICUS-DE.service']
2019-07-17T10:51:18Z DEBUG Process finished, return code=0
2019-07-17T10:51:18Z DEBUG stdout=active
2019-07-17T10:51:18Z DEBUG stderr=
2019-07-17T10:51:18Z DEBUG Created connection context.ldap2_140587719084688
2019-07-17T10:51:18Z DEBUG step duration: dirsrv __restart_instance 3.15 sec
2019-07-17T10:51:18Z DEBUG [26/41]: creating DS keytab
2019-07-17T10:51:18Z DEBUG raw: service_add('ldap/ipaserver2.linuxtest.gonicus.de@LINUXTEST.GONICUS.DE', force=True, version='2.233')
2019-07-17T10:51:18Z DEBUG service_add(ipapython.kerberos.Principal('ldap/ipaserver2.linuxtest.gonicus.de@LINUXTEST.GONICUS.DE'), force=True, skip_host_check=False, all=False, raw=False, version='2.233', no_members=False)
2019-07-17T10:51:18Z DEBUG raw: host_show('ipaserver2.linuxtest.gonicus.de', version='2.233')
2019-07-17T10:51:18Z DEBUG host_show('ipaserver2.linuxtest.gonicus.de', rights=False, all=False, raw=False, version='2.233', no_members=False)
2019-07-17T10:51:18Z DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
2019-07-17T10:51:18Z DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
2019-07-17T10:51:18Z DEBUG Starting external process
2019-07-17T10:51:18Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/ipaserver2.linuxtest.gonicus.de@LINUXTEST.GONICUS.DE', '-H', 'ldaps://ipaserver1.linuxtest.gonicus.de']
2019-07-17T10:51:18Z DEBUG Process finished, return code=0
2019-07-17T10:51:18Z DEBUG stdout=
2019-07-17T10:51:18Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/dirsrv/ds.keytab
2019-07-17T10:51:18Z DEBUG step duration: dirsrv request_service_keytab 0.08 sec
2019-07-17T10:51:18Z DEBUG [27/41]: ignore time skew for initial replication
2019-07-17T10:51:18Z DEBUG Starting external process
2019-07-17T10:51:18Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpijxp8wcg', '-H',
'ldapi://%2Fvar%2Frun%2Fslapd-LINUXTEST-GONICUS-DE.socket', '-Y', 'EXTERNAL']
2019-07-17T10:51:18Z DEBUG Process finished, return code=0
2019-07-17T10:51:18Z DEBUG stdout=replace nsslapd-ignore-time-skew:
on
modifying entry "cn=config"
modify complete
2019-07-17T10:51:18Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-LINUXTEST-GONICUS-DE.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
2019-07-17T10:51:18Z DEBUG step duration: dirsrv __replica_ignore_initial_time_skew 0.04 sec
2019-07-17T10:51:18Z DEBUG [28/41]: setting up initial replication
2019-07-17T10:51:18Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2Fvar%2Frun%2Fslapd-LINUXTEST-GONICUS-DE.socket conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fdd1e59a690>
2019-07-17T10:51:19Z DEBUG Destroyed connection context.ldap2_140587719084688
2019-07-17T10:51:19Z DEBUG Starting external process
2019-07-17T10:51:19Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload']
2019-07-17T10:51:19Z DEBUG Process finished, return code=0
2019-07-17T10:51:19Z DEBUG stdout=
2019-07-17T10:51:19Z DEBUG stderr=
2019-07-17T10:51:19Z DEBUG Starting external process
2019-07-17T10:51:19Z DEBUG args=['/bin/systemctl', 'restart', 'dirsrv@LINUXTEST-GONICUS-DE.service']
2019-07-17T10:51:22Z DEBUG Process finished, return code=0
2019-07-17T10:51:22Z DEBUG stdout=
2019-07-17T10:51:22Z DEBUG stderr=
2019-07-17T10:51:22Z DEBUG Restart of dirsrv@LINUXTEST-GONICUS-DE.service complete
2019-07-17T10:51:22Z DEBUG Created connection context.ldap2_140587719084688
2019-07-17T10:51:22Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2019-07-17T10:51:22Z DEBUG retrieving schema for SchemaCache
url=ldap://ipaserver1.linuxtest.gonicus.de:389 conn=<ldap.ldapobject.SimpleLDAPObject object at
0x7fdd1e3f5710>
2019-07-17T10:51:22Z DEBUG Successfully updated nsDS5ReplicaId.
2019-07-17T10:51:22Z DEBUG Add or update replica config
cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping tree,cn=config
2019-07-17T10:51:22Z DEBUG Added replica config
cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping tree,cn=config
2019-07-17T10:51:22Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2019-07-17T10:51:22Z DEBUG Successfully updated nsDS5ReplicaId.
2019-07-17T10:51:22Z DEBUG Add or update replica config
cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping tree,cn=config
2019-07-17T10:51:22Z DEBUG Added replica config
cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping tree,cn=config
2019-07-17T10:51:22Z DEBUG Waiting for replication (ldap://ipaserver1.linuxtest.gonicus.de:389)
cn=meToipaserver2.linuxtest.gonicus.de,cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping
tree,cn=config (objectclass=*)
2019-07-17T10:51:22Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('cn=meToipaserver2.linuxtest.gonicus.de,cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping
tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn':
[b'meToipaserver2.linuxtest.gonicus.de'], 'nsDS5ReplicaHost': [b'ipaserver2.linuxtest.gonicus.de'],
'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot':
[b'dc=linuxtest,dc=gonicus,dc=de'], 'description': [b'me to ipaserver2.linuxtest.gonicus.de'],
'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaTransportInfo':
[b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName
modifyTimestamp internalModifiersName internalModifyTimestamp'],
'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth
krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'],
'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd':
[b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus':
[b"Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection
error)"], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "red", "ldap_rc": "-1", "ldap_rc_text":
"Can\'t contact LDAP server", "repl_rc": "16", "repl_rc_text": "connection error", "date":
"2019-07-17T10:51:22Z", "message": "Error (-1) Problem connecting to replica - LDAP error: Can\'t
contact LDAP server (connection error)"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'],
'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2019-07-17T10:51:22Z DEBUG Waiting for replication
(ldapi://%2Fvar%2Frun%2Fslapd-LINUXTEST-GONICUS-DE.socket)
cn=meToipaserver1.linuxtest.gonicus.de,cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping
tree,cn=config (objectclass=*)
2019-07-17T10:51:22Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('cn=meToipaserver1.linuxtest.gonicus.de,cn=replica,cn=dc\=linuxtest\,dc\=gonicus\,dc\=de,cn=mapping
tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn':
[b'meToipaserver1.linuxtest.gonicus.de'], 'nsDS5ReplicaHost': [b'ipaserver1.linuxtest.gonicus.de'],
'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot':
[b'dc=linuxtest,dc=gonicus,dc=de'], 'description': [b'me to ipaserver1.linuxtest.gonicus.de'],
'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaTransportInfo':
[b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName
modifyTimestamp internalModifiersName internalModifyTimestamp'],
'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth
krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'],
'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd':
[b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus':
[b'Error (0) No replication sessions started since server startup'],
'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success",
"repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2019-07-17T10:51:22Z", "message":
"Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress':
[b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd':
[b'19700101000000Z']})]
2019-07-17T10:51:38Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
method()
File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
cacert=self.ca_file
File "/usr/lib/python3.7/site-packages/ipaserver/install/replication.py", line 1860, in
setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2019-07-17T10:51:38Z DEBUG [error] RuntimeError: Failed to start replication
2019-07-17T10:51:38Z DEBUG Destroyed connection context.ldap2_140587706624720
2019-07-17T10:51:38Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2019-07-17T10:51:38Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2019-07-17T10:51:38Z DEBUG Writing configuration file /etc/ipa/default.conf
2019-07-17T10:51:38Z DEBUG [global]
basedn = dc=linuxtest,dc=gonicus,dc=de
host = ipaserver2.linuxtest.gonicus.de
realm = LINUXTEST.GONICUS.DE
domain = linuxtest.gonicus.de
xmlrpc_uri = https://ipaserver2.linuxtest.gonicus.de/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-LINUXTEST-GONICUS-DE.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
2019-07-17T10:51:38Z DEBUG File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line
179, in execute
return_value = self.run()
File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 340, in run
return cfgr.run()
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in
_handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in
run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in
_handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in
run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.7/site-packages/ipaserver/install/server/__init__.py", line 590, in main
replica_install(self)
File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 402, in
decorated
func(installer)
File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 1207, in
install
fstore=fstore)
File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 112, in
install_replica_ds
setup_pkinit=not options.no_pkinit,
File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 391, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
method()
File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
cacert=self.ca_file
File "/usr/lib/python3.7/site-packages/ipaserver/install/replication.py", line 1860, in
setup_promote_replication
raise RuntimeError("Failed to start replication")
2019-07-17T10:51:38Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed
to start replication
2019-07-17T10:51:38Z ERROR Failed to start replication
2019-07-17T10:51:38Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
For me it is interesting to see that the replica does not work with Fedora 30 and Rawhide; it is always the same error.
And no, firewalld is masked and not in use.
Does somebody have any ideas for me?
Regards
Dirk
4 years, 9 months
SASL Bind failed Can't contact LDAP server
by Deepak Subhramanian
I am getting this error when keytabs are generated for my Hadoop cluster.
I am getting an access error when I create keytabs with IPA commands -
The user has these permissions:
ipa role-add hadoopadminrole
ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
2019-07-15 04:39:33,221 - Failed to create keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET - Failed to export the keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test
First name: Test
Last name: Test
-----------------
Added user "test"
-----------------
User login: test
First name: Test
Last name: Test
Full name: Test Test
Display name: Test Test
Initials: TT
Home directory: /home/test
GECOS: Test Test
Login shell: /bin/sh
Kerberos principal: test@MIA.CLOUD.NET
Email address: test@mia.cloud.net
UID: 1818200036
GID: 1818200036
Password: False
Member of groups: ipausers
Kerberos keys available: False
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /tmp/ipa.keytab
--
Deepak Subhramanian
4 years, 9 months