Le jeu. 12 sept. 2019 à 13:38, Florence Blanc-Renaud <flo@redhat.com> a écrit :

On 9/11/19 10:53 PM, danielle lampert wrote:
>
> When creating the file manually and running the command, this seems to
> work. Later I have other problems : when stopping the main server and
> running only a replica and a client, the client cannot add any user.
> Restarting the main server, everything goes back working, this means my
> lab is not resilient. I'm almost sure to have followed the documentation ()
>
> Here's the error message
>
> # ipa user-add jdalton --first=Joe --last=Dalton
> ipa: ERROR: Operations error: Allocation of a new value for range
> cn=posix ids,cn=distributed numeric assignment
> plugin,cn=plugins,cn=config failed! Unable to proceed.
>
> I don't know if this is related to this version (4.5.0-20) or if I need
> to look further what's wrong.
>
>
Hi,

this is a known issue already tracked by ticket 5070 [1]
The workaround is the following:
when the first master is still up and running, run ipa user-add on the
replica. This operation will trigger the allocation of a range on the
replica. Any subsequent user-add will succeed even if the master is stopped.

HTH,
flo

[1] https://pagure.io/freeipa/issue/5070

>
> Le mar. 10 sept. 2019 à 21:07, Rob Crittenden <rcritten@redhat.com
> <mailto:rcritten@redhat.com>> a écrit :
>
> danielle lampert wrote:
> >
> > There's no such file as /usr/lib/tmpfiles.d/ipa.conf
> >
> > # ls -l /usr/lib/tmpfiles.d/ipa.conf
> > ls: cannot access /usr/lib/tmpfiles.d/ipa.conf: No such file or
> directory
> >
> > I only find this one
> >
> > # cat /usr/share/ipa/ipa.conf.tmpfiles
> > d /var/run/ipa 0711 root root
> > d /var/run/ipa/ccaches 0770 ipaapi ipaapi
> >
> > I re-installed my VMs more than 20 times, the replica never works
> after
> > reboot with the version I'm using.
>
> So create the file using those values and run the systemd command...
>
> rob
>
> >
> >
> >
> > Le mar. 10 sept. 2019 à 16:48, Rob Crittenden
> <rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> a écrit :
> >
> > danielle lampert wrote:
> > >
> > > Hello,
> > >
> > >> Assuming you have:
> > >
> > >> # cat /usr/lib/tmpfiles.d/ipa.conf
> > >
> > > I don't have this file, it's not created during the replica
> install.
> > > This log ipareplica-install.log shows :
> > >
> > > 2019-09-10T06:43:40Z DEBUG Backing up system configuration file
> > > '/etc/httpd/conf.d/ipa.conf'
> > > 2019-09-10T06:43:40Z DEBUG -> Not backing up -
> > > '/etc/httpd/conf.d/ipa.conf' doesn't exist
> > > 2019-09-10T06:43:40Z DEBUG Backing up system configuration file
> > > '/etc/httpd/conf.d/ipa-rewrite.conf'
> > > 2019-09-10T06:43:40Z DEBUG -> Not backing up -
> > > '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
> >
> > Ok, those are unrelated.
> >
> > /usr/lib/tmpfiles.d/ipa.conf should contain:
> >
> > d /var/run/ipa 0711 root root
> > d /var/run/ipa/ccaches 0770 ipaapi ipaapi
> >
> > then run: systemd-tmpfiles --create ipa.conf
> >
> > rob
> >
> > >
> > >
> > >
> > > Le ven. 6 sept. 2019 à 19:36, Rob Crittenden
> <rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> a écrit :
> > >
> > > danielle lampert via FreeIPA-users wrote:
> > > >
> > > > I think I'm just facing Bug 1469246 - Replica
> install fails to
> > > > configure IPA-specific temporary files/directories
> > > > (https://bugzilla.redhat.com/show_bug.cgi?id=1469246)
> > > >
> > > > The bug doesn't provide any solution other than
> upgrading.
> > > > Thanks for your help anyway.
> > >
> > > Assuming you have:
> > >
> > > # cat /usr/lib/tmpfiles.d/ipa.conf
> > > d /run/ipa 0711 root root
> > > d /run/ipa/ccaches 0770 ipaapi ipaapi
> > >
> > > run
> > >
> > > # systemd-tmpfiles --create ipa.conf
> > >
> > > rob
> > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Le mer. 4 sept. 2019 à 23:43, danielle lampert
> > > > <danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>
> > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>>
> > > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>
> > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>>>
> > > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>
> > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>>
> > > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>
> > <mailto:danielle55.lampert@gmail.com
> <mailto:danielle55.lampert@gmail.com>>>>> a
> > > > écrit :
> > > >
> > > > Hello,
> > > >
> > > > OK I now understand that it's ipa service which
> is not
> > > starting at boot.
> > > >
> > > > The service status gives :
> > > >
> > > > # service ipa status
> > > > Redirecting to /bin/systemctl status ipa.service
> > > > ● ipa.service - Identity, Policy, Audit
> > > >    Loaded: loaded
> (/usr/lib/systemd/system/ipa.service;
> > enabled;
> > > > vendor preset: disabled)
> > > >    Active: failed (Result: exit-code) since Wed
> 2019-09-04
> > > 23:34:20
> > > > CEST; 6min ago
> > > >    Process: 990 ExecStart=/usr/sbin/ipactl start
> > (code=exited,
> > > > status=1/FAILURE)
> > > >   Main PID: 990 (code=exited, status=1/FAILURE)
> > > >
> > > > Sep 04 23:33:36 srv2.rhce.local systemd[1]: Starting
> > Identity,
> > > > Policy, Audit...
> > > > Sep 04 23:34:20 srv2.rhce.local ipactl[990]:
> Failed to start
> > > > Directory Service: [Errno 2] No such file or
> directory:
> > > > '/var/run/ipa/services.list'
> > > > Sep 04 23:34:20 srv2.rhce.local ipactl[990]: Starting
> > > Directory Service
> > > > Sep 04 23:34:20 srv2.rhce.local systemd[1]:
> ipa.service:
> > main
> > > > process exited, code=exited, status=1/FAILURE
> > > > Sep 04 23:34:20 srv2.rhce.local systemd[1]:
> Failed to start
> > > > Identity, Policy, Audit.
> > > > Sep 04 23:34:20 srv2.rhce.local systemd[1]: Unit
> ipa.service
> > > entered
> > > > failed state.
> > > > Sep 04 23:34:20 srv2.rhce.local systemd[1]:
> ipa.service
> > failed.
> > > >
> > > > Shouldn't /var/run/ipa/services.list be created
> during
> > the replica
> > > > installation ?
> > > >
> > > >
> > > >
> > > >
> > > > Le mer. 4 sept. 2019 à 17:53, Florence Blanc-Renaud
> > > <flo@redhat.com <mailto:flo@redhat.com>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>
> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>>
> > > > <mailto:flo@redhat.com <mailto:flo@redhat.com>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>>
> > <mailto:flo@redhat.com <mailto:flo@redhat.com>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>>>>> a écrit :
> > > >
> > > > On 9/4/19 12:02 AM, danielle lampert via
> > FreeIPA-users wrote:
> > > > >
> > > > > Hello,
> > > > >
> > > > > I'm running freeipa 4.5.0-20 on CentOS
> Linux release
> > > 7.4.1708
> > > > (Core)
> > > > >
> > > > > I've noticed that when rebooting my replica,
> > things are not
> > > > working
> > > > > anymore on this replica, as I can't get a kinit
> > work for
> > > example.
> > > > > It seems that services are disabled by
> default and I
> > > wonder if
> > > > this is
> > > > > normal ? Should we enable these services
> manually ?
> > > > > After restarting everything with an ipactl
> command, it
> > > then is
> > > > working.
> > > > >
> > > > Hi,
> > > >
> > > > it's normal that kadmin.service is disabled
> because
> > it will be
> > > > started
> > > > as part of the ipa.service unit.
> > > >
> > > > You will probably find the reason why kadmin
> failed
> > to start
> > > > after the
> > > > reboot in the journal, or in
> /var/log/kadmind.log.
> > There was a
> > > > known
> > > > issue if rpcbind service is already taking
> the 749 port
> > > >
> (https://bugzilla.redhat.com/show_bug.cgi?id=1592883)
> > > >
> > > > flo
> > > >
> > > > > Thanks in advance for your answers, below
> are my
> > > commands and
> > > > their results.
> > > > >
> > > > > D.L.
> > > > >
> > > > >
> > > > > # kinit admin
> > > > > kinit: Cannot contact any KDC for realm
> > 'IPB.RHCE.LOCAL'
> > > while
> > > > getting
> > > > > initial credentials
> > > > >
> > > > > # systemctl status kadmin.service
> > > > > ● kadmin.service - Kerberos 5
> Password-changing and
> > > Administration
> > > > > Loaded: loaded
> > (/usr/lib/systemd/system/kadmin.service;
> > > > disabled;
> > > > > vendor preset: disabled)
> > > > > Active: inactive (dead)
> > > > >
> > > > > # ipactl status
> > > > > Directory Service: RUNNING
> > > > > krb5kdc Service: STOPPED
> > > > > kadmin Service: STOPPED
> > > > > httpd Service: STOPPED
> > > > > ipa-custodia Service: STOPPED
> > > > > ntpd Service: STOPPED
> > > > > pki-tomcatd Service: STOPPED
> > > > > ipa-otpd Service: STOPPED
> > > > > ipa: INFO: The ipactl command was successful
> > > > >
> > > > > # ipactl restart
> > > > > Failed to get service list from file: Unknown
> > error when
> > > > retrieving list
> > > > > of services from file: [Errno 2] No such
> file or
> > directory:
> > > > > '/var/run/ipa/services.list'
> > > > > Restarting Directory Service
> > > > > Restarting krb5kdc Service
> > > > > Restarting kadmin Service
> > > > > Restarting httpd Service
> > > > > Restarting ipa-custodia Service
> > > > > Restarting ntpd Service
> > > > > Restarting pki-tomcatd Service
> > > > > Restarting ipa-otpd Service
> > > > > ipa: INFO: The ipactl command was successful
> > > > >
> > > > > # kinit admin
> > > > > Password for admin@IPB.RHCE.LOCAL:
> > > > >
> > > > > # klist
> > > > > Ticket cache: KEYRING:persistent:0:0
> > > > > Default principal: admin@IPB.RHCE.LOCAL
> > > > >
> > > > > Valid starting Expires Service
> > principal
> > > > > 03/09/19 23:55:09 04/09/19 23:55:08
> > > >   krbtgt/IPB.RHCE.LOCAL@IPB.RHCE.LOCAL
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list --
> > > > freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>>>
> > > > > To unsubscribe send an email to
> > > > freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > >
> <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > > Fedora Code of Conduct:
> > > >
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines:
> > > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > >
> > >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list --
> > freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > To unsubscribe send an email to
> > > freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > >
> > >
> >
>