Discussion:
Difficulty installing freeipa
Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-03 21:09:38 UTC
I initially started testing with FreeIPA on Fedora 15, using ipa 2.x. The server install went smoothly, however I was unable to add clients due to lack of backward compatibility, since ipa 2.x isn't available for most of the systems I manage.

I decided to rebuild the test ipa server. I built a fresh Fedora 13 system and installed the yum packages. Initially the ipa server installed without errors. However, there were some issues. It hadn't configured httpd to autostart, and when I did start httpd, I was unable to get to the management UI. Attempting to kinit would pause for ~10-15 seconds before requesting a password. I was able to get the ticket. Attempting to then reach the website, after configuring firefox and importing the certs, resulted in the "Service temporarily unavailable" error. All of this seemed to indicate a problem with the hosts file, but checking it multiple times, as well as checking all variations of name resolution, indicated nothing.

I decided to reinstall to try to fix the kerb oddness and hopefully get to the website gui. I ran ipa-server-install --uninstall and attempted to reinstall, and got the following error:

CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpe1aE3t' returned non-zero exit status 32

Which led me to this bug, which was reported fixed in 2008:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287

Here is an excerpt from the install log:

2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.

Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
[02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100
[02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads...
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
[02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[02/Jun/2011:12:40:09 -0700] - All database threads now stopped
[02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.

[11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/02:12:40:09] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'

2011-06-02 12:40:09,870 INFO
2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j' returned non-zero exit status 1
2011-06-02 12:40:09,870 DEBUG restarting ds instance
2011-06-02 12:40:12,030 INFO Shutting down dirsrv:
ARC-NASA-GOV... server already stopped[FAILED]
*** Error: 1 instance(s) unsuccessfully stopped[FAILED]
Starting dirsrv:
ARC-NASA-GOV...[ OK ]

All my attempts to re-install ipa-server now fail. I've tried removing all 51 packages associated with ipa-server and re-installing them. I've removed all 51 packages and deleted every file I could find associated with nscd, 389, ipa, sssd, etc. I have been unable to return the system to a state that will allow a reinstall of ipa-server. I upgraded the OS on the test system to Fedora 14 and reinstalled the packages, no change.

Any advice would be appreciated.

-Brian
Dmitri Pal
2011-06-03 21:30:50 UTC
On 06/03/2011 05:09 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> I initially started testing with FreeIPA on Fedora 15, using ipa 2.x.
> The server install went smoothly, however I was unable to add clients
> due to lack of backward compatibility, since ipa 2.x isn't available
> for most of the systems I manage.
>
> I decided to rebuild the test ipa server. I build a fresh Fedora 13
> system and installed the yum packages. Initially the ipa server
> installed without errors. However they were some issues. It hadn't
> configured httpd to autostart, and when I did start httpd, I was
> unable to get to the management UI. Attempting to kinit would pause
> for ~10-15 seconds before requesting a password. I was able to get
> the ticket. Attempting to then reach the website, after configuring
> firefox and importing the certs, resulted in the "Service temporarily
> unavailable" error. All of this seemed to indicate a problem with the
> hosts file, but checking it multiple times, as well as checking all
> variations of name resolution indicated nothing.
>
> I decided to reinstall to try to fix the kerb oddness and hopefully
> get to the website gui. I ran ipa-server-install ---uninstall and
> attempted to reinstall, and got the following error:
>
> CRITICAL Failed to load bootstrap-template.ldif: Command
> '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w
> password --f /tmp/tmpe1aE3t' returned non-zero exit status 32
>
> Which led me to this bug, which was reported fixed in 2008:
> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287
> <https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287>
>
> Here is an excerpt from the install log:
>
> 2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
> 2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could
> not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648.
> Output: importing data ...
> [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize:
> 4096, pages: 997331, procpages: 49464
> [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF
> file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import
> threads...
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> [02/Jun/2011:12:40:09 -0700] - All database threads now stopped
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648.
> Output: importing data ...
> [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize:
> 4096, pages: 997331, procpages: 49464
> [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job...
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering
> enabled with bucket size 100
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF
> file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import
> threads...
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted.
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> [02/Jun/2011:12:40:09 -0700] - All database threads now stopped
> [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed.
>
> [11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory
> server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance 'ARC-NASA-GOV'.
> [11/06/02:12:40:09] - [Setup] Fatal Exiting . . .
> Log file is '-'
>
> Exiting . . .
> Log file is '-'
>
> 2011-06-02 12:40:09,870 INFO
> 2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j'
> returned non-zero exit status 1
> 2011-06-02 12:40:09,870 DEBUG restarting ds instance
> 2011-06-02 12:40:12,030 INFO Shutting down dirsrv:
> ARC-NASA-GOV... server already stopped[FAILED]
> *** Error: 1 instance(s) unsuccessfully stopped[FAILED]
> Starting dirsrv:
> ARC-NASA-GOV...[ OK ]
>
> All my attempts to re-install ipa-server now fail. I've tried
> removing all 51 packages associated with ipa-server and re-installing
> them. I've removed all 51 packages and deleted every file I could
> find associated with nscd, 389, ipa, sssd, etc. I have been unable to
> return the system to a state that will allow a reinstall of
> ipa-server. I upgraded the OS on the test system to Fedora 14 and
> reinstalled the packages, no change.
>
> Any advice would be appreciated.
Is it all on F13?
The IPA v2 can't be built on F13 as there are many dependencies missing
that we rely on. There are too many parts; this is why we had to move to
the later versions of F15. We just did not have any options. So the
server you built might in fact be completely broken. I do not know how
to fix it. It looks like you have some instances of the DS left over in
a misconfigured state.

You can try running ipa-server-install --uninstall 4-5 times. That might
clear things a bit.

But let us get back to the original problem.
Freeipa can be used with the LDAP+Kerberos configuration on the clients.
You do not need to have latest and greatest.
There was a nice article referenced in some of the earlier threads on
the list:

http://www.aput.net/~jheiss/krbldap/howto.html

You can configure very old clients to use IPA as NIS server.
Let us know how else we can help.

Thanks
Dmitri



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-03 21:38:43 UTC
I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.

[***@freeipa ~]# uname -r
2.6.35.13-91.fc14.x86_64
[***@freeipa ~]# rpm -qa 'ipa*'
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
[***@freeipa ~]#

I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work, I tried to fix it, uninstalled, any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.

-Brian

Simo Sorce
2011-06-03 21:45:33 UTC
On Fri, 2011-06-03 at 16:38 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC]
wrote:
>
> I've given up on freeipa v2 due to lack of compatibility with hosts I
> manage. This is all on freeipa v1. The server started as Fedora 13,
> and I upgraded to Fedora 14 in an attempt to fix the problems.

Brian, I am curious, what compatibility are you lacking?
I can't think of any difference in the supported list of clients; with v2
we have native sssd support that was not available in v1, but the legacy
support is basically identical.

Can you elaborate on which problem you found on which clients ?


Thanks,
Simo

--
Simo Sorce * Red Hat, Inc * New York
Dmitri Pal
2011-06-03 21:53:41 UTC
On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I've given up on freeipa v2 due to lack of compatibility with hosts I
> manage. This is all on freeipa v1. The server started as Fedora 13,
> and I upgraded to Fedora 14 in an attempt to fix the problems.
>
> [***@freeipa ~]# uname -r
> 2.6.35.13-91.fc14.x86_64
> [***@freeipa ~]# rpm -qa 'ipa*'
> ipa-client-1.2.2-6.fc14.x86_64
> ipa-server-selinux-1.2.2-6.fc14.x86_64
> ipa-python-1.2.2-6.fc14.x86_64
> ipa-admintools-1.2.2-6.fc14.x86_64
> ipa-server-1.2.2-6.fc14.x86_64
> [***@freeipa ~]#
>
> I'm not doing anything special at this point. I'm not even trying to
> get clients added. I'm trying to do a basic install of ipa-server,
> with no extra arguments. That claimed to succeed but wouldn't work, I
> tried to fix it, uninstalled, any attempts to reinstall failed. So
> right now I'm simply trying to get the ipa service back to any kind of
> functioning status without re-installing the OS.
>

Ah, this is all old 1.2 IPA.
Have you tried
ipa-server-install --uninstall

Might require several attempts until all the errors are cleared.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-03 22:14:20 UTC
Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row. Same errors:

Configuring directory server:
[1/17]: creating directory server user
[2/17]: creating directory server instance
root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
[3/17]: adding default schema
[4/17]: enabling memberof plugin
[5/17]: enabling referential integrity plugin
[6/17]: enabling distributed numeric assignment plugin
[7/17]: enabling winsync plugin
[8/17]: configuring uniqueness plugin
[9/17]: creating indices
[10/17]: configuring ssl for ds instance
[11/17]: configuring certmap.conf
[12/17]: restarting directory server
[13/17]: adding default layout
root : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
[14/17]: configuring Posix uid/gid generation as first master
[15/17]: adding master entry as first master
root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
[16/17]: initializing group membership
[17/17]: configuring directory to start on boot
done configuring dirsrv.

As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl. I then re-ran ipa-server-install, which this time did not detect an existing directory server. However, the ipa-server-install again failed in the same location.

[2/17]: creating directory server instance
root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1


And from the log:

2011-06-03 15:12:41,540 DEBUG Configuring directory server:
2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory server user
2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server instance
2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured

2011-06-03 15:12:41,567 INFO
2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG
dn: dc=arc,dc=nasa,dc=gov
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: arc
info: IPA V1.0

2011-06-03 15:12:41,569 DEBUG writing inf template
2011-06-03 15:12:41,570 DEBUG
[General]
FullMachineName= freeipa.arc.nasa.gov
SuiteSpotUserID= dirsrv
ServerRoot= /usr/lib64/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= ARC-NASA-GOV
Suffix= dc=arc,dc=nasa,dc=gov
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif

2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads...
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads...
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

[11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/03:15:12:48] - [Setup] Fatal Exiting . . .


-Brian

Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-03 22:44:29 UTC
I have resolved the install issue.

The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root's umask. It doesn't check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of the security best practices recommended by the CIS group, as well as others, is to set root's umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install. I modified dsinstance.py to not remove the file and checked it after a failed install. It was written properly, so I changed the permissions on it to 666 and re-ran the install. It succeeded.

I'm now back to where I started, which is a partly working ipa install. Kinit takes 75 seconds to complete. I still can't get to the UI. I'm now going to uninstall again, change root's umask to 022, and see if that fixes any more of the problems.

-Brian

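The root cause Brian reports above (a file written by root under a 0077 umask, then handed to a process running as dirsrv) is a general pattern: whoever writes a file for another account has to set its permissions explicitly and verify them before spawning the consumer. The following is an added example, not FreeIPA's dsinstance.py or any code from the thread. It shows the umask-dependent write beside a version that sets an explicit mode and group, plus the pre-flight readability check the installer was missing. It assumes a POSIX filesystem; the service uid (60001) is constructed, and the self-test uses the caller's own gid as a stand-in for the dirsrv group because chown to a real service account requires root.

```python
"""Added example (not FreeIPA's own dsinstance.py): hand a bootstrap LDIF to a
service account so that the caller's umask cannot make it unreadable, and check
readability for that account before an external process is spawned.
Assumes a POSIX filesystem. The service uid/gid are parameters; compare() uses a
constructed uid (60001) and the caller's own gid as a stand-in for the dirsrv
group, because chown to a real service account needs root."""
import os
import stat
import tempfile

# Constructed minimal LDIF in the shape of the boot.ldif shown in the thread.
BOOT_LDIF = b"""dn: dc=example,dc=test
objectClass: top
objectClass: domain
dc: example
"""


def readable_by(st, uid, gids):
    """Decide from the permission bits alone whether a process running as `uid`
    with group membership `gids` could read the file; uid 0 bypasses DAC."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def naive_write(path, data):
    """The pattern the thread diagnoses: a plain open() as the installer's user,
    final permissions left to whatever umask is in force (0o077 -> 0o600)."""
    with open(path, "wb") as f:
        f.write(data)
    return os.stat(path)


def write_for_user(path, data, uid, gid, mode=0o640):
    """Create the file with an explicit mode and group. open() still applies the
    umask, so fchmod() restores the intended bits afterwards; fchown() needs
    root and is skipped otherwise (the readability check then reports that)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)
        if os.geteuid() == 0:
            os.fchown(fd, uid, gid)
    finally:
        os.close(fd)
    return os.stat(path)


def handoff_check(path, uid, gids):
    """Pre-flight check an installer should do before calling setup-ds.pl:
    refuse to continue if the service account could not read the file."""
    return readable_by(os.stat(path), uid, gids)


def compare(umask_value, service_uid=60001, service_gid=None):
    """Write the LDIF both ways under `umask_value` and report whether the
    (constructed) service account could read each result."""
    if service_gid is None:
        service_gid = os.getgid()  # stand-in for the dirsrv group when not root
    old = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "boot-naive.ldif")
            fixed = os.path.join(d, "boot-fixed.ldif")
            naive_write(naive, BOOT_LDIF)
            write_for_user(fixed, BOOT_LDIF, service_uid, service_gid)
            return {
                "naive": handoff_check(naive, service_uid, {service_gid}),
                "fixed": handoff_check(fixed, service_uid, {service_gid}),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for um in (0o022, 0o077):
        print("umask %04o: %s" % (um, compare(um)))
```

Under umask 0077 the naive write yields a 0600 file that only its owner can read, which is exactly the errno 13 in Brian's import log; the explicit-mode write yields 0640 regardless of umask, and `handoff_check` would have stopped the installer with a clear message instead of letting setup-ds.pl fail downstream. A 0640 file owned by the service group is also the least-privilege choice over the 666 workaround used to get past the install.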


ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
[***@freeipa ~]#

I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work, I tried to fix it, uninstalled, any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.



Ah this is all old 1.2 IPA.
Have you tried
ipa-server-install --uninstall

Might require several attempts until all the errors are cleared.


-Brian

On 6/3/11 2:30 PM, "Dmitri Pal" <***@redhat.com> wrote:




Is it all on F13?
The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are too many parts; this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. It looks like you have some instances of the DS left over in a misconfigured state.

You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.

But let us get back to the original problem.
Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest.
There was a nice article referenced in some of the earlier threads on the list:

http://www.aput.net/~jheiss/krbldap/howto.html

You can configure very old clients to use IPA as NIS server.
Let us know how else we can help.
Thanks
Dmitri




-Brian


_______________________________________________
Freeipa-users mailing list
Freeipa-***@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Dmitri Pal
2011-06-03 22:58:48 UTC
Permalink
On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I have resolved the install issue.

Great!

>
> The installer is a bit sloppy and makes some bad assumptions. The
> problem turns out to be that the directory server setup seems to be
> running as dirsrv, not root. Ipa-server-install (more specifically
> dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it
> does so as root, using root's umask. It doesn't do a check to make
> sure dirsrv can read this file before spawning an external process to
> create the directory server. Part of security best practices
> recommended by the CIS group as well as others is to set root's umask
> to 0077. With this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install. I modified dsinstance.py to not
> remove the file and checked it after a failed install. It was written
> properly, so I changed the permission on it to 666 and re-ran the
> install. It succeeded.

Opened https://fedorahosted.org/freeipa/ticket/1282

>
> I'm now back to where I started, which is a partly working ipa
> install. Kinit takes 75 seconds to complete.

Seems like a DNS timeout or something related to the name resolution.

> I still can't get to the UI. I'm now going to uninstall again,
> change root's umask to 022, and see if that fixes any more of the
> problems.

The UI does not start for me if you try to run FF from the root shell. I
forget about this frequently and just upgraded to F15 and hit it again.

If you have a normal user shell, kinit from that shell as admin and
start browser from it you should have all the right context to access UI.


>
> -Brian
>
>
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
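The failure Brian traced above (root writes /var/lib/dirsrv/boot.ldif under a 0077 umask, then hands it to a helper running as dirsrv) is a general pattern, so here is an added example showing the unsafe and the hardened way to do it. This is not code from FreeIPA's dsinstance.py or from anyone in the thread; it assumes a local service account and a sample LDIF that are constructed for the demonstration. It also shows why 666, the workaround used in the thread, is wider than needed: the file only has to be readable by the service account, which 0640 plus ownership gives you without exposing the LDIF to every local user.

```python
"""Added example, not code from FreeIPA's dsinstance.py: create a bootstrap file as
root so that the unprivileged service account (dirsrv in the thread) can read it
whatever root's umask is, and verify that before spawning the helper that needs it."""
import grp
import os
import pwd
import stat
import tempfile

# Constructed sample LDIF; the real boot.ldif from the thread is not reproduced here.
SAMPLE_LDIF = "dn: dc=example,dc=com\nobjectClass: top\nobjectClass: domain\ndc: example\n"


def write_naively(path, content):
    """The pattern that fails in the thread: open() creates the file as 0666 & ~umask,
    so with a CIS-style umask of 0077 the result is 0600 and only root can read it."""
    with open(path, "w") as f:
        f.write(content)


def write_for_account(path, content, uid, gid, mode=0o640):
    """Hardened form: explicit mode, then fchmod (the umask never applies to fchmod)
    and fchown to the service account. 0640 is enough for a file only dirsrv must
    read; the 666 used as a workaround in the thread exposes it to every local user."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
        os.fchown(fd, uid, gid)  # needs CAP_CHOWN unless uid/gid are the caller's own
        os.write(fd, content.encode())
    finally:
        os.close(fd)


def can_read(path, uid, gids):
    """Mode-bit check mirroring the kernel's DAC decision for a process with uid `uid`
    and group set `gids` (root bypasses it). Run this before spawning setup-ds.pl."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def readable_by_account(path, username):
    """Resolve a local account (e.g. "dirsrv") to its uid and full group set, then check."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return can_read(path, pw.pw_uid, gids)


def file_mode(path):
    """Permission bits of `path` as an int (0o600, 0o640, ...)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask=0o077):
    """Write the sample both ways under the given umask and report whether another
    account in the file's group could read each copy. Uses the caller's own uid/gid
    as the service account so it runs without privileges."""
    uid, gid = os.getuid(), os.getgid()
    other_uid = 65534 if uid != 65534 else 65533  # some unrelated account
    old = os.umask(umask)
    try:
        d = tempfile.mkdtemp()
        naive, fixed = os.path.join(d, "boot-naive.ldif"), os.path.join(d, "boot.ldif")
        write_naively(naive, SAMPLE_LDIF)
        write_for_account(fixed, SAMPLE_LDIF, uid, gid)
        return {
            "naive_mode": file_mode(naive),
            "fixed_mode": file_mode(fixed),
            "naive_readable": can_read(naive, other_uid, {gid}),
            "fixed_readable": can_read(fixed, other_uid, {gid}),
        }
    finally:
        os.umask(old)


if __name__ == "__main__":
    r = demo()
    print(f"naive: mode {oct(r['naive_mode'])}, group-readable={r['naive_readable']}")
    print(f"fixed: mode {oct(r['fixed_mode'])}, group-readable={r['fixed_readable']}")
```

Run it as any user; under the 0077 umask the naive copy comes out 0600 and fails the readability check, while the explicit fchmod/fchown copy is 0640 and passes. In an installer, `readable_by_account(path, "dirsrv")` is the check to make right before the external helper is spawned, so a hardened umask produces a clear error instead of an opaque `errno 13 (Permission denied)` from inside the import.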
Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-03 23:14:03 UTC
Permalink
I'm closer. I was able to get logged into the UI. It wasn't that I was running firefox from root, but that I had inited as root. Same problem really. Dropping back to my own shell and initing I was able to reach the GUI. The next problem I need to tackle is the slowness. Ipa-finduser admin does return results, but it takes 2m43s.

[***@freeipa ~]# egrep "freeipa|local" /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
1.2.3.4 freeipa.arc.nasa.gov freeipa

[***@freeipa ~]# grep host /etc/nsswitch.conf
#hosts: db files nisplus nis dns
hosts: files dns

[***@freeipa ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
inet addr:1.2.3.4

I don't see any issues with the configuration there. There are no conflicting "freeipa" hosts in dns. Looks pretty much in compliance with the guide:

Configuring /etc/hosts
You need to ensure that your /etc/hosts file is configured correctly, or the ipa-* commands may not work correctly.

The /etc/hosts file should list the FQDN for your IPA server before any aliases. You should also ensure that the hostname is not part of the localhost entry. The following is an example of a valid hosts file:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver


-Brian



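Because the two remaining symptoms (a 75 s kinit and a 2m43s ipa-finduser) look like resolver timeouts rather than a bad hosts file, here is an added example that turns the /etc/hosts rules quoted from the guide above into a checker and times the forward and reverse lookups that the Kerberos and ipa-* clients depend on. It is not from the thread or from the FreeIPA install guide; the good hosts sample mirrors the file posted above, the bad one is constructed, and the claim that a multi-second lookup points at a resolver timeout is the author's reading of the thread, not something the guide states.

```python
"""Added example, not from the thread or the FreeIPA install guide: validate /etc/hosts
against the guide's rules (FQDN listed before aliases, host name not on a localhost
entry, FQDN mapped to the interface address) and time the lookups kinit relies on."""
import socket
import time

# Constructed samples: GOOD_HOSTS mirrors the file posted in the thread, BAD_HOSTS
# breaks two rules (host name on the loopback line, alias listed before the FQDN).
GOOD_HOSTS = """127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
1.2.3.4     freeipa.arc.nasa.gov freeipa
"""
BAD_HOSTS = """127.0.0.1   localhost.localdomain localhost freeipa
::1         localhost6.localdomain6 localhost6
1.2.3.4     freeipa freeipa.arc.nasa.gov
"""


def parse_hosts(text):
    """Yield (address, [names]) per entry; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            yield addr, names


def check_hosts(text, fqdn, ip):
    """Return the list of rule violations; an empty list means the file matches the guide."""
    short = fqdn.split(".", 1)[0]
    problems = []
    fqdn_lines = 0
    for addr, names in parse_hosts(text):
        loopback = addr.startswith("127.") or addr == "::1"
        if loopback and (fqdn in names or short in names):
            problems.append(f"{addr}: the host name must not be part of a localhost entry")
            continue
        if fqdn in names:
            fqdn_lines += 1
            if names[0] != fqdn:
                problems.append(f"{addr}: FQDN must come before aliases, got '{' '.join(names)}'")
            if addr != ip:
                problems.append(f"{fqdn} maps to {addr}, expected the interface address {ip}")
        elif short in names:
            problems.append(f"{addr}: short name {short} listed without the FQDN")
    if fqdn_lines == 0:
        problems.append(f"{fqdn} is not listed")
    elif fqdn_lines > 1:
        problems.append(f"{fqdn} is listed on {fqdn_lines} lines")
    return problems


def time_lookups(fqdn, ip):
    """Time forward and reverse resolution. Several seconds on either, with or without a
    final answer, is the signature of a resolver that waits out a timeout before failing
    over (an assumption made here, consistent with the delays reported in the thread)."""
    timings = {}
    for label, call in (("forward", lambda: socket.getaddrinfo(fqdn, None)),
                        ("reverse", lambda: socket.gethostbyaddr(ip))):
        start = time.monotonic()
        try:
            call()
            ok = True
        except OSError:  # socket.gaierror and socket.herror are both OSError subclasses
            ok = False
        timings[label] = (ok, round(time.monotonic() - start, 3))
    return timings


if __name__ == "__main__":
    import sys
    fqdn, ip = sys.argv[1], sys.argv[2]
    with open("/etc/hosts") as f:
        problems = check_hosts(f.read(), fqdn, ip)
    print("\n".join(problems) or "/etc/hosts: OK")
    for label, (ok, secs) in time_lookups(fqdn, ip).items():
        print(f"{label} lookup: {'ok' if ok else 'FAILED'} in {secs}s")
```

Usage on the server from the thread would be `python3 check_hosts.py freeipa.arc.nasa.gov 1.2.3.4`. If the hosts file passes and the forward lookup is fast but the reverse lookup takes tens of seconds, the delay is in the resolver path (a missing PTR record or an unreachable nameserver in /etc/resolv.conf), which is where the next look belongs rather than in /etc/hosts.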
Rob Crittenden
2011-06-06 14:56:41 UTC
Permalink
Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I’m closer. I was able to get logged into the UI. It wasn’t that I was
> running firefox from root, but that I had inited as root. Same problem
> really. Dropping back to my own shell and initing I was able to reach
> the GUI. The next problem I need to tackle is the slowness. Ipa-finduser
> admin does return results, but it takes 2m43s.

Definitely getting hung up somewhere. I'd try the -v option to
ipa-finduser to get a bit more detail on the request. The client will
attempt to find the right IPA Apache server to connect to, make a
kerberos connection. Apache will then handle the request and collect any
data needed from 389-ds and return it. There are a lot of places things
can break down. By examining the server logs you may be able to discern
where the logjam is.

rob

>
> [***@freeipa ~]# egrep "freeipa|local" /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 1.2.3.4 freeipa.arc.nasa.gov freeipa
>
> [***@freeipa ~]# grep host /etc/nsswitch.conf
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> [***@freeipa ~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
> inet addr:1.2.3.4
>
> I don’t see any issues with the configuration there. There are no
> conflicting “freeipa” hosts in dns. Looks pretty much in compliance with
> the guide:
>
> Configuring /etc/hosts
> You need to ensure that your /etc/hosts file is configured
> correctly, or the ipa-* commands may not work correctly.
>
> The /etc/hosts file should list the FQDN for your IPA server before any
> aliases. You should also ensure that the hostname is not part of the
> localhost entry. The following is an example of a valid hosts file:
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.1 ipaserver.example.com ipaserver
>
>
> -Brian
>
>
>
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory
> server instance
> 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances
> configured
>
> 2011-06-03 15:12:41,567 INFO
> 2011-06-03 15:12:41,567 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG
> dn: dc=arc,dc=nasa,dc=gov
> objectClass: top
> objectClass: domain
> objectClass: pilotObject
> dc: arc
> info: IPA V1.0
>
> 2011-06-03 15:12:41,569 DEBUG writing inf template
> 2011-06-03 15:12:41,570 DEBUG
> [General]
> FullMachineName= freeipa.arc.nasa.gov
> SuiteSpotUserID= dirsrv
> ServerRoot= /usr/lib64/dirsrv
> [slapd]
> ServerPort= 389
> ServerIdentifier= ARC-NASA-GOV
> Suffix= dc=arc,dc=nasa,dc=gov
> RootDN= cn=Directory Manager
> InstallLdifFile= /var/lib/dirsrv/boot.ldif
>
> 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup]
> Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
> Error: 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running
> with nsslapd-db-private-import-mem on; No other process is
> allowed to access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB
> import cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning
> import job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
> buffering enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not
> open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13
> (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import
> threads aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file
> or directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
> Error: 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running
> with nsslapd-db-private-import-mem on; No other process is
> allowed to access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB
> import cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning
> import job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
> buffering enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not
> open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13
> (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import
> threads aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file
> or directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
> directory server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance
> 'ARC-NASA-GOV'.
> [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>
>
> -Brian
>
> On 6/3/11 2:53 PM, "Dmitri Pal" <***@redhat.com> wrote:
>
>
> On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx
> LLC] wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
> I’ve given up on freeipa v2 due to lack of
> compatibility with hosts I manage. This is all on
> freeipa v1. The server started as Fedora 13, and I
> upgraded to Fedora 14 in an attempt to fix the problems.
>
> [***@freeipa ~]# uname -r
> 2.6.35.13-91.fc14.x86_64
> [***@freeipa ~]# rpm -qa 'ipa*'
> ipa-client-1.2.2-6.fc14.x86_64
> ipa-server-selinux-1.2.2-6.fc14.x86_64
> ipa-python-1.2.2-6.fc14.x86_64
> ipa-admintools-1.2.2-6.fc14.x86_64
> ipa-server-1.2.2-6.fc14.x86_64
> [***@freeipa ~]#
>
> I’m not doing anything special at this point. I’m
> not even trying to get clients added. I’m trying to
> do a basic install of ipa-server, with no extra
> arguments. That claimed to succeed but wouldn’t
> work, I tried to fix it, uninstalled, any attempts
> to reinstall failed. So right now I’m simply trying
> to get the ipa service back to any kind of
> functioning status without re-installing the OS.
>
>
>
>
> Ah this is all old 1.2 IPA.
> Have you tried
> ipa-server-install --uninstall
>
> Might require several attempts until all the errors are
> cleared.
>
>
>
> -Brian
>
> On 6/3/11 2:30 PM, "Dmitri Pal" <***@redhat.com> wrote:
>
> Is it all on F13?
> The IPA v2 can't be built on F13 as there are
> many dependencies missing that we rely on. There
> are too many parts; this is why we had to move to
> the later versions of F15. We just did not have
> any options. So the server you built might in
> fact be completely broken. I do not know how to
> fix it. It looks like you have some instances of
> the DS left over in a misconfigured state.
>
> You can try running ipa-server-install
> --uninstall 4-5 times. That might clear things a
> bit.
>
> But let us get back to the original problem.
> Freeipa can be used with the LDAP+Kerberos
> configuration on the clients. You do not need to
> have latest and greatest.
> There was a nice article referenced in some of
> the earlier threads on the list:
>
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> You can configure very old clients to use IPA as
> NIS server.
> Let us know how else we can help.
> Thanks
> Dmitri
>
> -Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-***@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-06 19:31:05 UTC
Permalink
This is what I get. I'm not sure which logfiles would be useful at this point.

-brian

time ipa-finduser -v admin

Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate [token elided]\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 515\r\n\r\n<?xml version='1.0'?>\n<methodCall>\n<methodName>find_users</methodName>\n<params>\n<param>\n<value><string>admin</string></value>\n</param>\n<param>\n<value><array><data>\n<value><string>uid</string></value>\n<value><string>givenname</string></value>\n<value><string>sn</string></value>\n<value><string>homeDirectory</string></value>\n<value><string>loginshell</string></value>\n</data></array></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:25:47 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvgT/A5n14nLzBVzpFQFm8lIUc1dZmoma0UuzN9dxD7ykRe/S6rTZJnlroYZG9cmHK9WmIZX5eg/zThvgz/QVvVufnzTbihT3lUDFa4ING9mtCpigZoTnLWGcIRLKddjFHammKG6SjMU29YgwHIZ2D
header: Content-Length: 650
header: Connection: close
header: Content-Type: text/xml
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><array><data>\n<value><int>1</int></value>\n<value><struct>\n<member>\n<name>dn</name>\n<value><string>uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov</string></value>\n</member>\n<member>\n<name>loginshell</name>\n<value><string>/bin/bash</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>admin</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Administrator</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>/home/admin</string></value>\n</member>\n</struct></value>\n</data></array></value>\n</param>\n</params>\n</methodResponse>\n"
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate [token elided]\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 331\r\n\r\n<?xml version='1.0'?>\n<methodCall>\n<methodName>attrs_to_labels</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>homedirectory</string></value>\n<value><string>loginshell</string></value>\n<value><string>sn</string></value>\n<value><string>uid</string></value>\n</data></array></value>\n</param>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:26:18 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv14HufxqWTyNzhsD9xAxrBN5L7jejiqPqHum3FjYTKc2xIrC1ONAloxDyxcOV0isynFIw6/NwpXJKHfzfDbiFPiYjF3xrOakeGDiiVSCL7G12ZNdqErNfP1GVBU5yVg+vIDI+HxfzRa29Gl9eIu1J
header: Content-Length: 458
header: Connection: close
header: Content-Type: text/xml
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><struct>\n<member>\n<name>loginshell</name>\n<value><string>Login Shell</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>Home Directory</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>Login</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Last Name</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodResponse>\n"
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin


real 1m50.460s
user 0m0.083s
sys 0m0.017s

[***@freeipa ~]# time wget https://freeipa.arc.nasa.gov/ipa/xml
--2011-06-06 12:29:40-- https://freeipa.arc.nasa.gov/ipa/xml
Resolving freeipa.arc.nasa.gov... 143.232.152.197
Connecting to freeipa.arc.nasa.gov|143.232.152.197|:443... connected.
ERROR: cannot verify freeipa.arc.nasa.gov's certificate, issued by "/CN=IPA Test Certificate Authority":
Self-signed certificate encountered.
To connect to freeipa.arc.nasa.gov insecurely, use '--no-check-certificate'.

real 0m0.015s
user 0m0.011s
sys 0m0.002s
[***@freeipa ~]#


On 6/6/11 7:56 AM, "Rob Crittenden" <***@redhat.com> wrote:

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I'm closer. I was able to get logged into the UI. It wasn't that I was
> running firefox from root, but that I had inited as root. Same problem
> really. Dropping back to my own shell and initing I was able to reach
> the GUI. The next problem I need to tackle is the slowness. Ipa-finduser
> admin does return results, but it takes 2m43s.

Definitely getting hung up somewhere. I'd try the -v option to
ipa-finduser to get a bit more detail on the request. The client will
attempt to find the right IPA Apache server to connect to, make a
kerberos connection. Apache will then handle the request and collect any
data needed from 389-ds and return it. There are a lot of places things
can break down. By examining the server logs you may be able to discern
where the logjam is.

rob

>
> [***@freeipa ~]# egrep "freeipa|local" /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 1.2.3.4 freeipa.arc.nasa.gov freeipa
>
> [***@freeipa ~]# grep host /etc/nsswitch.conf
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> [***@freeipa ~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
> inet addr:1.2.3.4
>
> I don't see any issues with the configuration there. There are no
> conflicting "freeipa" hosts in dns. Looks pretty much in compliance with
> the guide:
>
> Configuring /etc/hosts
> You need to ensure that your /etc/hosts file is configured
> correctly, or the ipa-* commands may not work correctly.
>
> The /etc/hosts file should list the FQDN for your IPA server before any
> aliases. You should also ensure that the hostname is not part of the
> localhost entry. The following is an example of a valid hosts file:
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.1 ipaserver.example.com ipaserver
>
> -Brian
>
>
>
> On 6/3/11 3:58 PM, "Dmitri Pal" <***@redhat.com> wrote:
>
> On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
> I have resolved the install issue.
>
>
> Great!
>
>
>
> The installer is a bit sloppy and makes some bad assumptions.
> The problem turns out to be that the directory server setup
> seems to be running as dirsrv, not root. Ipa-server-install
> (more specifically dsinstance.py) writes out the file
> /var/lib/dirsrv/boot.ldif. But it does so as root, using root's
> umask. It doesn't do a check to make sure dirsrv can read this
> file before spawning an external process to create the directory
> server. Part of security best practices recommended by the CIS
> group as well as others is to set root's umask to 0077. With
> this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install. I modified dsinstance.py to
> not remove the file and checked it after a failed install. It
> was written properly, so I changed the permission on it to 666
> and re-ran the install. It succeeded.
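The boot.ldif failure Brian traced to root's umask, as an added example that is not FreeIPA's dsinstance.py: a plain write as root under umask 0077 leaves a 0600 file the service account cannot read, a write that enforces an explicit mode does not depend on the caller's umask, and a readability pre-flight check catches the problem before the external setup step is spawned. The function names, the temporary paths, the sample LDIF and the simulated service uid/gid are all constructed for this demo; with root, the real fix would also chown the file to the dirsrv user and use mode 0640.

```python
import os
import stat
import tempfile

# Constructed sample: the kind of bootstrap entry setup-ds.pl is handed via
# InstallLdifFile; it holds no secrets, so a readable mode is appropriate.
LDIF = (
    "dn: dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: domain\n"
    "dc: example\n"
)


def write_naive(path, data):
    """The behaviour described in the thread: a plain open() by root, so the
    mode is 0666 masked by the caller's umask (0600 under umask 0077).
    Returns the resulting permission bits."""
    with open(path, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_for_service(path, data, mode=0o640, uid=-1, gid=-1):
    """Umask-independent write: fchmod() after creation is not subject to the
    umask, and fchown() hands the file to the service account (uid/gid of -1
    leave ownership alone; pass the dirsrv ids when running as root).
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by(path, uid, gids):
    """The pre-flight check the installer lacked: decide from owner, group and
    permission bits whether an unprivileged account (uid, set of gids) can
    read the file, before an external process running as that account is
    spawned. uid 0 always passes (ACLs and MAC labels are out of scope)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo(umask):
    """Write boot.ldif both ways under the given umask and check readability
    for a simulated service account that is neither the file's owner nor in
    its group. Returns (naive_mode, fixed_mode, naive_ok, fixed_ok)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "boot-naive.ldif")
            fixed = os.path.join(d, "boot-fixed.ldif")
            naive_mode = write_naive(naive, LDIF)
            # 0644 here because the demo cannot chown without root; as root,
            # use mode=0o640 plus the dirsrv uid/gid instead.
            fixed_mode = write_for_service(fixed, LDIF, mode=0o644)
            st = os.stat(naive)
            svc_uid = st.st_uid + 1        # constructed: not the file owner
            svc_gids = {st.st_gid + 1}     # constructed: not the file group
            return (naive_mode, fixed_mode,
                    readable_by(naive, svc_uid, svc_gids),
                    readable_by(fixed, svc_uid, svc_gids))
    finally:
        os.umask(old)


if __name__ == "__main__":
    for um in (0o077, 0o022):
        n, f, a, b = demo(um)
        print("umask %04o: naive=%04o (%s) fixed=%04o (%s)"
              % (um, n, "readable" if a else "denied",
                 f, "readable" if b else "denied"))
```

Run it as any user; the umask 0077 case reproduces the "errno 13 (Permission denied)" precondition from the setup-ds.pl log without touching /var/lib/dirsrv.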
Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-07 21:17:10 UTC
Permalink
I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately. It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?

-Brian

On 6/6/11 12:31 PM, "Brian Stamper" <***@nasa.gov> wrote:

This is what I get. I'm not sure which logfiles would be useful at this point.

-brian

time ipa-finduser -v admin

Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate 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\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 515\r\n\r\n<?xml version='1.0'?>\n<methodCall>\n<methodName>find_users</methodName>\n<params>\n<param>\n<value><string>admin</string></value>\n</param>\n<param>\n<value><array><data>\n<value><string>uid</string></value>\n<value><string>givenname</string></value>\n<value><string>sn</string></value>\n<value><string>homeDirectory</string></value>\n<value><string>loginshell</string></value>\n</data></array></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:25:47 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvgT/A5n14nLzBVzpFQFm8lIUc1dZmoma0UuzN9dxD7ykRe/S6rTZJnlroYZG9cmHK9WmIZX5eg/zThvgz/QVvVufnzTbihT3lUDFa4ING9mtCpigZoTnLWGcIRLKddjFHammKG6SjMU29YgwHIZ2D
header: Content-Length: 650
header: Connection: close
header: Content-Type: text/xml
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><array><data>\n<value><int>1</int></value>\n<value><struct>\n<member>\n<name>dn</name>\n<value><string>uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov</string></value>\n</member>\n<member>\n<name>loginshell</name>\n<value><string>/bin/bash</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>admin</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Administrator</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>/home/admin</string></value>\n</member>\n</struct></value>\n</data></array></value>\n</param>\n</params>\n</methodResponse>\n"
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate 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\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 331\r\n\r\n<?xml version='1.0'?>\n<methodCall>\n<methodName>attrs_to_labels</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>homedirectory</string></value>\n<value><string>loginshell</string></value>\n<value><string>sn</string></value>\n<value><string>uid</string></value>\n</data></array></value>\n</param>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:26:18 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv14HufxqWTyNzhsD9xAxrBN5L7jejiqPqHum3FjYTKc2xIrC1ONAloxDyxcOV0isynFIw6/NwpXJKHfzfDbiFPiYjF3xrOakeGDiiVSCL7G12ZNdqErNfP1GVBU5yVg+vIDI+HxfzRa29Gl9eIu1J
header: Content-Length: 458
header: Connection: close
header: Content-Type: text/xml
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><struct>\n<member>\n<name>loginshell</name>\n<value><string>Login Shell</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>Home Directory</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>Login</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Last Name</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodResponse>\n"
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin


real 1m50.460s
user 0m0.083s
sys 0m0.017s

[***@freeipa ~]# time wget https://freeipa.arc.nasa.gov/ipa/xml
--2011-06-06 12:29:40-- https://freeipa.arc.nasa.gov/ipa/xml
Resolving freeipa.arc.nasa.gov... 143.232.152.197
Connecting to freeipa.arc.nasa.gov|143.232.152.197|:443... connected.
ERROR: cannot verify freeipa.arc.nasa.gov's certificate, issued by "/CN=IPA Test Certificate Authority":
Self-signed certificate encountered.
To connect to freeipa.arc.nasa.gov insecurely, use '--no-check-certificate'.

real 0m0.015s
user 0m0.011s
sys 0m0.002s
[***@freeipa ~]#


On 6/6/11 7:56 AM, "Rob Crittenden" <***@redhat.com> wrote:

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I'm closer. I was able to get logged into the UI. It wasn't that I was
> running firefox from root, but that I had inited as root. Same problem
> really. Dropping back to my own shell and initing I was able to reach
> the GUI. The next problem I need to tackle is the slowness. Ipa-finduser
> admin does return results, but it takes 2m43s.

Definitely getting hung up somewhere. I'd try the -v option to
ipa-finduser to get a bit more detail on the request. The client will
attempt to find the right IPA Apache server to connect to, make a
kerberos connection. Apache will then handle the request and collect any
data needed from 389-ds and return it. There are a lot of places things
can break down. By examining the server logs you may be able to discern
where the logjam is.

rob

>
> [***@freeipa ~]# egrep "freeipa|local" /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 1.2.3.4 freeipa.arc.nasa.gov freeipa
>
> [***@freeipa ~]# grep host /etc/nsswitch.conf
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> [***@freeipa ~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
> inet addr:1.2.3.4
>
> I don't see any issues with the configuration there. There are no
> conflicting "freeipa" hosts in dns. Looks pretty much in compliance with
> the guide:
>
> Configuring /etc/hosts
> You need to ensure that your /etc/hosts file is configured
> correctly, or the ipa-* commands may not work correctly.
>
> The /etc/hosts file should list the FQDN for your IPA server before any
> aliases. You should also ensure that the hostname is not part of the
> localhost entry. The following is an example of a valid hosts file:
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.1 ipaserver.example.com ipaserver
>
> -Brian
>
>
>
> On 6/3/11 3:58 PM, "Dmitri Pal" <***@redhat.com> wrote:
>
> On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I have resolved the install issue.
>
>
> Great!
>
>
>
> The installer is a bit sloppy and makes some bad assumptions.
> The problem turns out to be that the directory server setup
> seems to be running as dirsrv, not root. Ipa-server-install
> (more specifically dsinstance.py) writes out the file
> /var/lib/dirsrv/boot.ldif. But it does so as root, using root's
> umask. It doesn't do a check to make sure dirsrv can read this
> file before spawning an external process to create the directory
> server. Part of security best practices recommended by the CIS
> group as well as others is to set root's umask to 0077. With
> this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install. I modified dsinstance.py to
> not remove the file and checked it after a failed install. It
> was written properly, so I changed the permission on it to 666
> and re-ran the install. It succeeded.
>
>
> Opened https://fedorahosted.org/freeipa/ticket/1282
>
>
>
> I'm now back to where I started, which is a partly working ipa
> install. Kinit takes 75 seconds to complete.
>
>
> Seems like a DNS timeout or something related to the name resolution.
>
>
> I still can't get to the UI. I'm now going to uninstall again,
> change root's umask to 022, and see if that fixes any more of
> the problems.
>
>
> The UI does not start for me if you try to run FF from the root
> shell. I forget about this frequently and just upgraded to F15 and
> hit it again.
>
> If you have a normal user shell, kinit from that shell as admin and
> start the browser from it; you should then have all the right context to
> access the UI.
>
>
>
>
> -Brian
>
>
>
> On 6/3/11 3:14 PM, "Brian Stamper" <***@nasa.gov> wrote:
>
>
>
> Yes, I mentioned in the first email I had attempted that. I
> just ran the uninstall 10 times in a row. Same errors:
>
> Configuring directory server:
> [1/17]: creating directory server user
> [2/17]: creating directory server instance
> root : CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f
> /tmp/tmpYwtW2p' returned non-zero exit status 1
> [3/17]: adding default schema
> [4/17]: enabling memberof plugin
> [5/17]: enabling referential integrity plugin
> [6/17]: enabling distributed numeric assignment plugin
> [7/17]: enabling winsync plugin
> [8/17]: configuring uniqueness plugin
> [9/17]: creating indices
> [10/17]: configuring ssl for ds instance
> [11/17]: configuring certmap.conf
> [12/17]: restarting directory server
> [13/17]: adding default layout
> root : CRITICAL Failed to load bootstrap-template.ldif:
> Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D
> cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048'
> returned non-zero exit status 32
> [14/17]: configuring Posix uid/gid generation as first master
> [15/17]: adding master entry as first master
> root : CRITICAL Failed to load master-entry.ldif: Command
> '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory
> Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned
> non-zero exit status 32
> [16/17]: initializing group membership
> [17/17]: configuring directory to start on boot
> done configuring dirsrv.
>
> As a test I've manually run setup-ds.pl accepting all of the
> defaults. It works fine and installs successfully, creating
> the slapd-freeipa (which is the hostname) instance. I then
> ran remove-ds.pl on the slapd-freeipa instance and re-ran
> the ipa uninstall. When I attempted to reinstall ipa, it
> detected an existing ds. I did a locate for dirsrv and found
> logfiles from an instance called slapd-ARC-NASA-GOV, which
> should be my default freeipa dirsrv instance. To try to
> clean this up, I ran setup-ds.pl and chose custom and
> created a slapd-ARC-NASA-GOV instance, and then immediately
> removed it with remove-ds.pl. I then re-ran
> ipa-server-install, which this time did not detect an
> existing directory server. However, the ipa-server-install
> again failed in the same location.
>
> [2/17]: creating directory server instance
> root : CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f
> /tmp/tmp77JJv1' returned non-zero exit status 1
>
>
> And from the log:
>
> 2011-06-03 15:12:41,540 DEBUG Configuring directory server:
> 2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory
> server user
> 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory
> server instance
> 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances
> configured
>
> 2011-06-03 15:12:41,567 INFO
> 2011-06-03 15:12:41,567 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG
> dn: dc=arc,dc=nasa,dc=gov
> objectClass: top
> objectClass: domain
> objectClass: pilotObject
> dc: arc
> info: IPA V1.0
>
> 2011-06-03 15:12:41,569 DEBUG writing inf template
> 2011-06-03 15:12:41,570 DEBUG
> [General]
> FullMachineName= freeipa.arc.nasa.gov
> SuiteSpotUserID= dirsrv
> ServerRoot= /usr/lib64/dirsrv
> [slapd]
> ServerPort= 389
> ServerIdentifier= ARC-NASA-GOV
> Suffix= dc=arc,dc=nasa,dc=gov
> RootDN= cn=Directory Manager
> InstallLdifFile= /var/lib/dirsrv/boot.ldif
>
> 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup]
> Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
> Error: 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running
> with nsslapd-db-private-import-mem on; No other process is
> allowed to access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB
> import cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning
> import job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
> buffering enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not
> open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13
> (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import
> threads aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file
> or directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.
> Error: 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running
> with nsslapd-db-private-import-mem on; No other process is
> allowed to access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache:
> pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB
> import cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning
> import job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
> buffering enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not
> open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13
> (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all
> Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import
> threads aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file
> or directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create
> directory server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance
> 'ARC-NASA-GOV'.
> [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>
>
> -Brian
>
> On 6/3/11 2:53 PM, "Dmitri Pal" <***@redhat.com> wrote:
>
>
> On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx
> LLC] wrote:
>
> I've given up on freeipa v2 due to lack of
> compatibility with hosts I manage. This is all on
> freeipa v1. The server started as Fedora 13, and I
> upgraded to Fedora 14 in an attempt to fix the problems.
>
> [***@freeipa ~]# uname -r
> 2.6.35.13-91.fc14.x86_64
> [***@freeipa ~]# rpm -qa 'ipa*'
> ipa-client-1.2.2-6.fc14.x86_64
> ipa-server-selinux-1.2.2-6.fc14.x86_64
> ipa-python-1.2.2-6.fc14.x86_64
> ipa-admintools-1.2.2-6.fc14.x86_64
> ipa-server-1.2.2-6.fc14.x86_64
> [***@freeipa ~]#
>
> I'm not doing anything special at this point. I'm
> not even trying to get clients added. I'm trying to
> do a basic install of ipa-server, with no extra
> arguments. That claimed to succeed but wouldn't
> work, I tried to fix it, uninstalled, any attempts
> to reinstall failed. So right now I'm simply trying
> to get the ipa service back to any kind of
> functioning status without re-installing the OS.
>
>
>
>
> Ah this is all old 1.2 IPA.
> Have you tried
> ipa-server-install --uninstall
>
> Might require several attempts until all the errors are
> cleared.
>
>
>
> -Brian
>
> On 6/3/11 2:30 PM, "Dmitri Pal" <***@redhat.com> wrote:
>
> Is it all on F13?
> The IPA v2 can't be built on F13 as there are
> many dependencies missing that we rely on. There
> are too many parts; this is why we had to move to
> the later versions of F15. We just did not have
> any options. So the server you built might in
> fact be completely broken. I do not know how to
> fix it. It looks like you have some instances of
> the DS left over in a misconfigured state.
>
> You can try running ipa-server-install
> --uninstall 4-5 times. That might clear things a
> bit.
>
> But let us get back to the original problem.
> Freeipa can be used with the LDAP+Kerberos
> configuration on the clients. You do not need to
> have latest and greatest.
> There was a nice article referenced in some of
> the earlier threads on the list:
>
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> You can configure very old clients to use IPA as
> NIS server.
> Let us know how else we can help.
> Thanks
> Dmitri
>
> -Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-***@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
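Two of the installer assumptions discussed in this thread, the boot.ldif written under root's 0077 umask that the dirsrv import could not read (the errno 13 in the log above) and the /etc/hosts rules quoted from the guide, are exactly the kind of thing a preflight check can catch before setup-ds.pl is spawned. The script below is an added example, not code from FreeIPA's dsinstance.py or from anyone in the thread; the hosts-file samples, the SAMPLE_LDIF text and the SERVICE_UID stand-in for the dirsrv account are constructed for it.

```python
"""Preflight checks for a root-run installer that hands files to a service
account.  Added example, not FreeIPA's dsinstance.py; names marked
"constructed" are stand-ins for the example."""
import os
import stat
import tempfile

# Constructed stand-in for the unprivileged account (dirsrv in the thread)
# that setup-ds.pl runs the LDIF import as.  Any uid other than the file's
# owner shows the problem, so we just pick one that is not ours.
SERVICE_UID = os.getuid() + 1

# Constructed bootstrap LDIF, modelled on the suffix entry in the log above.
SAMPLE_LDIF = "dn: dc=example,dc=com\nobjectClass: top\nobjectClass: domain\ndc: example\n"


def readable_by(path, uid, gids):
    """Would a process with this uid and these gids be able to open *path*
    for reading?  Decided from owner, group and mode bits the way the kernel
    does for DAC; uid 0 always passes (CAP_DAC_READ_SEARCH)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def write_bootstrap_ldif(directory, content, umask):
    """Write boot.ldif the way the thread describes: as the current user,
    under the given umask.  With umask 0o077 the result is mode 0600."""
    old = os.umask(umask)
    try:
        path = os.path.join(directory, "boot.ldif")
        with open(path, "w") as fh:
            fh.write(content)
    finally:
        os.umask(old)
    return path


def demo_umask_problem(service_uid=SERVICE_UID, umask=0o077):
    """Reproduce the failure in a temp dir and report what a preflight check
    sees before and after the mode is repaired.  0o644 is enough for the
    import to read the file; 0o666, as used in the thread, would also let
    every local user rewrite the bootstrap entries before they are loaded."""
    with tempfile.TemporaryDirectory() as d:
        path = write_bootstrap_ldif(d, SAMPLE_LDIF, umask)
        mode_before = stat.S_IMODE(os.stat(path).st_mode)
        readable_before = readable_by(path, service_uid, set())
        os.chmod(path, 0o644)
        readable_after = readable_by(path, service_uid, set())
    return {"mode_before": mode_before,
            "readable_before": readable_before,
            "readable_after": readable_after}


def check_hosts_file(text, fqdn):
    """Check /etc/hosts content against the two rules quoted from the guide:
    the FQDN comes before any alias, and the hostname is not on a localhost
    line.  Returns a list of problems; empty means the file passes."""
    hostname = fqdn.split(".", 1)[0]
    problems = []
    fqdn_seen = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        loopback = addr.startswith("127.") or addr == "::1"
        if loopback and (fqdn in names or hostname in names):
            problems.append(f"{addr}: hostname must not be on a localhost entry")
        if not loopback and fqdn in names:
            fqdn_seen = True
            if names[0] != fqdn:
                problems.append(f"{addr}: FQDN {fqdn} must come before aliases "
                                f"(found {names[0]} first)")
    if not fqdn_seen:
        problems.append(f"no non-loopback entry for {fqdn}")
    return problems


# Constructed hosts files: the guide's own example and a broken variant.
GOOD_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver
"""
BAD_HOSTS = """\
127.0.0.1 localhost.localdomain localhost ipaserver
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver ipaserver.example.com
"""

if __name__ == "__main__":
    print("umask check:", demo_umask_problem())
    for label, hosts in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, "hosts:", check_hosts_file(hosts, "ipaserver.example.com") or "OK")
```

The readability check decides from ownership and mode bits rather than by switching uid, so it can run as root (the installer's own context) and still answer the question "can dirsrv read this?" before the external process is started. Note that the 666 mode used in the thread does more than fix the read: it also makes the bootstrap LDIF world-writable until the import consumes it, so 0644, or 0640 with the file group-owned by the service account, is the narrower repair.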
Dmitri Pal
2011-06-07 21:33:03 UTC
Permalink
On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I continue to work with performance issues. I went into the krb5.conf
> and changed dns_lookup_kdc from true to false. Kinit now responds
> immediately. It's cut the time on "ipa-finduser admin" from 2m30s
> down to 18-20s. How fast "should" this respond?

It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By
turning off the name resolution against DNS in Kerberos you reduced the
number of lookups but probably did not eliminate all of them. I suggest
you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations.
Sorry.

Thanks
Dmitri

>
> -Brian
>
> On 6/6/11 12:31 PM, "Brian Stamper" <***@nasa.gov> wrote:
>
> This is what I get. I'm not sure which logfiles would be useful
> at this point.
>
> -brian
>
> time ipa-finduser -v admin
>
> Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
> Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
> send: "POST /ipa/xml HTTP/1.1\r\nHost:
> freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization:
> negotiate
> YIIFCAYJKoZIhvcSAQICAQBuggT3MIIE86ADAgEFoQMCAQ6iBwMFACAAAACjggFeYYIBWjCCAVagAwIBBaEOGwxBUkMuTkFTQS5HT1aiJzAloAMCAQOhHjAcGwRIVFRQGxRmcmVlaXBhLmFyYy5uYXNhLmdvdqOCARQwggEQoAMCARKhAwIBAqKCAQIEgf9q+QJ59aomNKqyY70zeReIT3azmhvBUenVUlqCtdUChD1EKroAUMynyQTHH7c4WQHoY3GqUDtQOUutqaZiOIpO/j2Hirn+c6v3sXg7214KUNfZ2MIZ2vpNwwNtpOGqnmQ5rwGKnyVA8aB4cK/TOqdu7r0nPmADviKplvdFst68lqzSunZ7OwrUxOa0rGVdbJS5fmCVwOPDHtDJy3j3kARCZUa+jJA4ZmAb4Wn4lvYckoHDxhc/R1mXTSr4NXjqnphoKCR1XcU9b4ng0h336yzlq4d9YwRSR/oBL6ZB1LAgZJrXpWSXAxnCXljOWx4mbnpcD9EFblyH2Mzx7jR56nykggN6MIIDdqADAgESooIDbQSCA2mDC1egtsyNS30+guxSWB4HfXVr5RneyGkI+fb6WttuAaPA2XQwZSY8M52SCH8eEfmtycHwZdcfurVpfYGpLTZuJQ/yRlw2meGOtf2NggwqyPyUiYhZ7s+6gg3rvvDSDsg/Mr4txHZ/V30Zk4cjTrQRmUqzWfMf+0ZtmzGo19oRn1vijXbs3CIsiwER3Zi28qYZYgViqFQghIHm5DKoyIQglR0rjt7iEDJtBF8nxVm7lzXuz7lqKIl/QXAbTVzm6gqwtzjPIb2hLtKdF3QY2q7Kba8LbqV2AOrPPPjh/QsU2cGdxZBTiGR05ggSr3D8PPBqlfQxwvnu2b0QgiWWFEgavawTIE7DDkMZDD8C7I/gmQUHV/0kAHizivGNbuHmklXg/KRUkVS5p7AlnJSv5kYtIjMLbXxX7tKxIy9zzPPrliJDp2fr3ER7iKDVALdLPZ5Htlin0ZnD5H6g6qx3kDPV4PeVAx30qqv0UG/45x/uJEC9/3H3Alt7pF/d0xPOWTXho+tGwRcO1gkb0ygIndDIleDEo9CQh+aNsvUxa4UhgzftpACPIwp39nGk+V+7ajY2Tzb2qaKrt6L2q8lqeFxYZ8bcSxDvNgem3ENpL/6FWb+oi86w5JV5OQm7ECJ7js0PJ4DDqgTsyOcDrKhW1l8xHiJkOgxjg0F3+JwCXY0AWIYPNTNdEoXS5T1yGbCLqSL8PevL/obMUHWZiQxzCiN0oA5NQHWoPZ9l7ScHHpxwds5S6Ze1OLV+JRk0aU7Hj7VSJx9irDaAHkXB4PPwyUCOmLl/cF3hxvsYXoEe8j3yQlEE0GV7a3LIhH1mH66byATeSkDv8Ji6LATdtmVUZYI0KLb6oaZKAjn6Pg19mn1hW7GC6WZSzJvSt01uO7XFjsgDz45hKGMevls3GKEM8wAkiiuVaZ/Oq8zkRaf84DmzyYtOHnoyYUzZ9t4FyG4PcU+DVotcBiFLFk5Q9+BxGRVHZGV2K0tz2UyaI8PtIb2AyMdhyj9dCQrFPbZ5d5iOVeMGhutwGQjC8goPP2Bcz2o28hLv+d7qH5PXlcUeeeRTTk1hvkzAv7dtXIoTxWqaot5qNclXsFf7kiYy6I2dWjMKbjL3Nwyyuf3LO+AVRfB3+qhqKAAquQ0IkRL1lblKVEXvufqKF5Z3YPA=\r\nUser-Agent:
> xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
> text/xml\r\nContent-Length: 515\r\n\r\n<?xml
> version='1.0'?>\n<methodCall>\n<methodName>find_users</methodName>\n<params>\n<param>\n<value><string>admin</string></value>\n</param>\n<param>\n<value><array><data>\n<value><string>uid</string></value>\n<value><string>givenname</string></value>\n<value><string>sn</string></value>\n<value><string>homeDirectory</string></value>\n<value><string>loginshell</string></value>\n</data></array></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n<param>\n<value><int>-1</int></value>\n</param>\n</params>\n</methodCall>\n"
> reply: 'HTTP/1.1 200 OK\r\n'
> header: Date: Mon, 06 Jun 2011 19:25:47 GMT
> header: Server: Apache/2.2.17 (Fedora)
> header: WWW-Authenticate: Negotiate
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvgT/A5n14nLzBVzpFQFm8lIUc1dZmoma0UuzN9dxD7ykRe/S6rTZJnlroYZG9cmHK9WmIZX5eg/zThvgz/QVvVufnzTbihT3lUDFa4ING9mtCpigZoTnLWGcIRLKddjFHammKG6SjMU29YgwHIZ2D
> header: Content-Length: 650
> header: Connection: close
> header: Content-Type: text/xml
> body: "<?xml
> version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><array><data>\n<value><int>1</int></value>\n<value><struct>\n<member>\n<name>dn</name>\n<value><string>uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov</string></value>\n</member>\n<member>\n<name>loginshell</name>\n<value><string>/bin/bash</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>admin</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Administrator</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>/home/admin</string></value>\n</member>\n</struct></value>\n</data></array></value>\n</param>\n</params>\n</methodResponse>\n"
> Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
> send: "POST /ipa/xml HTTP/1.1\r\nHost:
> freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization:
> negotiate
> 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\r\nUser-Agent:
> xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
> text/xml\r\nContent-Length: 331\r\n\r\n<?xml
> version='1.0'?>\n<methodCall>\n<methodName>attrs_to_labels</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>homedirectory</string></value>\n<value><string>loginshell</string></value>\n<value><string>sn</string></value>\n<value><string>uid</string></value>\n</data></array></value>\n</param>\n</params>\n</methodCall>\n"
> reply: 'HTTP/1.1 200 OK\r\n'
> header: Date: Mon, 06 Jun 2011 19:26:18 GMT
> header: Server: Apache/2.2.17 (Fedora)
> header: WWW-Authenticate: Negotiate
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv14HufxqWTyNzhsD9xAxrBN5L7jejiqPqHum3FjYTKc2xIrC1ONAloxDyxcOV0isynFIw6/NwpXJKHfzfDbiFPiYjF3xrOakeGDiiVSCL7G12ZNdqErNfP1GVBU5yVg+vIDI+HxfzRa29Gl9eIu1J
> header: Content-Length: 458
> header: Connection: close
> header: Content-Type: text/xml
> body: "<?xml
> version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><struct>\n<member>\n<name>loginshell</name>\n<value><string>Login
> Shell</string></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><string>Home
> Directory</string></value>\n</member>\n<member>\n<name>uid</name>\n<value><string>Login</string></value>\n</member>\n<member>\n<name>sn</name>\n<value><string>Last
> Name</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodResponse>\n"
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Last Name: Administrator
> Login: admin
>
>
> real 1m50.460s
> user 0m0.083s
> sys 0m0.017s
>
> [***@freeipa ~]# time wget https://freeipa.arc.nasa.gov/ipa/xml
> --2011-06-06 12:29:40-- https://freeipa.arc.nasa.gov/ipa/xml
> Resolving freeipa.arc.nasa.gov... 143.232.152.197
> Connecting to freeipa.arc.nasa.gov|143.232.152.197|:443... connected.
> ERROR: cannot verify freeipa.arc.nasa.gov's certificate, issued by
> "/CN=IPA Test Certificate Authority":
> Self-signed certificate encountered.
> To connect to freeipa.arc.nasa.gov insecurely, use
> '--no-check-certificate'.
>
> real 0m0.015s
> user 0m0.011s
> sys 0m0.002s
> [***@freeipa ~]#
>
>
> On 6/6/11 7:56 AM, "Rob Crittenden" <***@redhat.com> wrote:
>
> Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> >
> > I'm closer. I was able to get logged into the UI. It wasn't
> that I was
> > running firefox from root, but that I had inited as root.
> Same problem
> > really. Dropping back to my own shell and initing I was able
> to reach
> > the GUI. The next problem I need to tackle is the slowness.
> Ipa-finduser
> > admin does return results, but it takes 2m43s.
>
> Definitely getting hung up somewhere. I'd try the -v option to
> ipa-finduser to get a bit more detail on the request. The
> client will
> attempt to find the right IPA Apache server to connect to, make a
> kerberos connection. Apache will then handle the request and
> collect any
> data needed from 389-ds and return it. There are a lot of
> places things
> can break down. By examining the server logs you may be able
> to discern
> where the logjam is.
>
> rob
>
> >
> > [***@freeipa ~]# egrep "freeipa|local" /etc/hosts
> > 127.0.0.1 localhost.localdomain localhost
> > ::1 localhost6.localdomain6 localhost6
> > 1.2.3.4 freeipa.arc.nasa.gov freeipa
> >
> > [***@freeipa ~]# grep host /etc/nsswitch.conf
> > #hosts: db files nisplus nis dns
> > hosts: files dns
> >
> > [***@freeipa ~]# ifconfig eth0
> > eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
> > inet addr:1.2.3.4
> >
> > I don't see any issues with the configuration there. There are no
> > conflicting "freeipa" hosts in dns. Looks pretty much in
> compliance with
> > the guide:
> >
> > */Configuring /etc/hosts
> > /*/You need to ensure that your ///etc/hosts file is configured
> > correctly, or the *ipa-** commands may not work correctly.
> >
> > The /etc/hosts file should list the FQDN for your IPA server
> before any
> > aliases. You should also ensure that the hostname is not part
> of the
> > localhost entry. The following is an example of a valid hosts
> file:
> > 127.0.0.1 localhost.localdomain localhost
> > ::1 localhost6.localdomain6 localhost6
> > 192.168.1.1 ipaserver.example.com ipaserver
> > /
> >
> > -Brian
> >
> >
> >
> > On 6/3/11 3:58 PM, "Dmitri Pal" <***@redhat.com> wrote:
> >
> > On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx
> LLC] wrote:
> >
> > Re: [Freeipa-users] Difficulty installing freeipa
> > I have resolved the install issue.
> >
> >
> > Great!
> >
> >
> >
> > The installer is a bit sloppy and makes some bad
> assumptions.
> > The problem turns out to be that the directory server
> setup
> > seems to be running as dirsrv, not root.
> Ipa-server-install
> > (more specifically dsinstance.py) writes out the file
> > /var/lib/dirsrv/boot.ldif. But it does so as root,
> using root's
> > umask. It doesn't do a check to make sure dirsrv can
> read this
> > file before spawning an external process to create
> the directory
> > server. Part of security best practices recommended
> by the CIS
> > group as well as others is to set root's umask to
> 0077. With
> > this setting in place, dirsrv is unable to read
> > /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl
> to fail when
> > executed from ipa-server-install. I modified
> dsinstance.py to
> > not remove the file and checked it after a failed
> install. It
> > was written properly, so I changed the permission on
> it to 666
> > and re-ran the install. It succeeded.
> >
> >
> > Opened https://fedorahosted.org/freeipa/ticket/1282
> >
> >
> >
> > I'm now back to where I started, which is a partly
> working ipa
> > install. Kinit takes 75 seconds to complete.
> >
> >
> > Seems like a DNS timeout or something related to the name
> resolution.
> >
> >
> > I still can't get to the UI. I'm now going to
> uninstall again,
> > change root's umask to 022, and see if that fixes any
> more of
> > the problems.
> >
> >
> > The UI does not start for me if you try to run FF from
> the root
> > shell. I forget about this frequently and just upgraded
> to F15 and
> > hit it again.
> >
> > If you have a normal user shell, kinit from that shell as
> admin and
> > start browser from it you should have all the right
> context to
> > access UI.
> >
> >
> >
> >
> > -Brian
> >
> >
> >
> > On 6/3/11 3:14 PM, "Brian Stamper"
> <***@nasa.gov> wrote:
> >
> >
> >
> > Yes, I mentioned in the first email I had
> attempted that. I
> > just ran the uninstall 10 times in a row. Same
> errors:
> >
> > Configuring directory server:
> > [1/17]: creating directory server user
> > [2/17]: creating directory server instance
> > root : CRITICAL failed to restart ds instance Command
> > '/usr/sbin/setup-ds.pl --silent --logfile - -f
> > /tmp/tmpYwtW2p' returned non-zero exit status 1
> > [3/17]: adding default schema
> > [4/17]: enabling memberof plugin
> > [5/17]: enabling referential integrity plugin
> > [6/17]: enabling distributed numeric assignment
> plugin
> > [7/17]: enabling winsync plugin
> > [8/17]: configuring uniqueness plugin
> > [9/17]: creating indices
> > [10/17]: configuring ssl for ds instance
> > [11/17]: configuring certmap.conf
> > [12/17]: restarting directory server
> > [13/17]: adding default layout
> > root : CRITICAL Failed to load
> bootstrap-template.ldif:
> > Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D
> > cn=Directory Manager -y /tmp/tmp0AROuy -f
> /tmp/tmpPC4048'
> > returned non-zero exit status 32
> > [14/17]: configuring Posix uid/gid generation as
> first master
> > [15/17]: adding master entry as first master
> > root : CRITICAL Failed to load master-entry.ldif:
> Command
> > '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory
> > Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned
> > non-zero exit status 32
> > [16/17]: initializing group membership
> > [17/17]: configuring directory to start on boot
> > done configuring dirsrv.
> >
> > As a test I've manually run setup-ds.pl accepting
> all of the
> > defaults. It works fine and installs
> successfully, creating
> > the slapd-freeipa (which is the hostname)
> instance. I then
> > ran remove-ds.pl on the slapd-freeipa instance
> and re-ran
> > the ipa uninstall. When I attempted to reinstall
> ipa, it
> > detected an existing ds. I did a locate for
> dirsrv and found
> > logfiles from an instance called
> slapd-ARC-NASA-GOV, which
> > should be my default freeipa dirsrv instance. To
> try to
> > clean this up, I ran setup-ds.pl and chose custom and
> > created a slapd-ARC-NASA-GOV instance, and then
> immediately
> > removed it with remove-ds.pl. I then re-ran
> > ipa-server-install, which this time did not detect an
> > existing directory server. However, the
> ipa-server-install
> > again failed in the same location.
> >
> > [2/17]: creating directory server instance
> > root : CRITICAL failed to restart ds instance Command
> > '/usr/sbin/setup-ds.pl --silent --logfile - -f
> > /tmp/tmp77JJv1' returned non-zero exit status 1
> >
> >
> > And from the log:
> >
> > 2011-06-03 15:12:41,540 DEBUG Configuring
> directory server:
> > 2011-06-03 15:12:41,541 DEBUG [1/17]: creating
> directory
> > server user
> > 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
> > 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,541 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,542 DEBUG [2/17]: creating
> directory
> > server instance
> > 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv
> instances
> > configured
> >
> > 2011-06-03 15:12:41,567 INFO
> > 2011-06-03 15:12:41,567 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,568 DEBUG Saving StateFile to
> > '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2011-06-03 15:12:41,568 DEBUG
> > dn: dc=arc,dc=nasa,dc=gov
> > objectClass: top
> > objectClass: domain
> > objectClass: pilotObject
> > dc: arc
> > info: IPA V1.0
> >
> > 2011-06-03 15:12:41,569 DEBUG writing inf template
> > 2011-06-03 15:12:41,570 DEBUG
> > [General]
> > FullMachineName= freeipa.arc.nasa.gov
> > SuiteSpotUserID= dirsrv
> > ServerRoot= /usr/lib64/dirsrv
> > [slapd]
> > ServerPort= 389
> > ServerIdentifier= ARC-NASA-GOV
> > Suffix= dc=arc,dc=nasa,dc=gov
> > RootDN= cn=Directory Manager
> > InstallLdifFile= /var/lib/dirsrv/boot.ldif
> >
> > 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> > 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48]
> - [Setup]
> > Info Could not import LDIF file
> '/var/lib/dirsrv/boot.ldif'.
> > Error: 59648. Output: importing data ...
> > [03/Jun/2011:15:12:41 -0700] - WARNING: Import is
> running
> > with nsslapd-db-private-import-mem on; No other
> process is
> > allowed to access the database
> > [03/Jun/2011:15:12:42 -0700] -
> check_and_set_import_cache:
> > pagesize: 4096, pages: 997331, procpages: 48998
> > [03/Jun/2011:15:12:42 -0700] - Import allocates
> 1595728KB
> > import cache.
> > [03/Jun/2011:15:12:42 -0700] - import userRoot:
> Beginning
> > import job...
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Index
> > buffering enabled with bucket size 100
> > [03/Jun/2011:15:12:42 -0700] - import userRoot:
> Could not
> > open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> > /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> > [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
> >
> > Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
> > [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> > [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
> > [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> > [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> > /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> > [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> > [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
> >
> > [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
> > Error: Could not create directory server instance 'ARC-NASA-GOV'.
> > [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
> >
> > -Brian
> >
> > On 6/3/11 2:53 PM, "Dmitri Pal" <***@redhat.com> wrote:
> >
> > On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> >
> > I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.
> >
> > [***@freeipa ~]# uname -r
> > 2.6.35.13-91.fc14.x86_64
> > [***@freeipa ~]# rpm -qa 'ipa*'
> > ipa-client-1.2.2-6.fc14.x86_64
> > ipa-server-selinux-1.2.2-6.fc14.x86_64
> > ipa-python-1.2.2-6.fc14.x86_64
> > ipa-admintools-1.2.2-6.fc14.x86_64
> > ipa-server-1.2.2-6.fc14.x86_64
> > [***@freeipa ~]#
> >
> > I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work; I tried to fix it, uninstalled, and any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.
> >
> > Ah this is all old 1.2 IPA.
> > Have you tried
> > ipa-server-install --uninstall
> >
> > Might require several attempts until all the errors are cleared.
> >
> > -Brian
> >
> > On 6/3/11 2:30 PM, "Dmitri Pal" <***@redhat.com> wrote:
> >
> > Is it all on F13?
> > The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are too many parts; this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. It looks like you have some instances of the DS left over in a misconfigured state.
> >
> > You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.
> >
> > But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest.
> > There was a nice article referenced in some of the earlier threads on the list:
> >
> > http://www.aput.net/~jheiss/krbldap/howto.html
> >
> > You can configure very old clients to use IPA as NIS server.
> > Let us know how else we can help.
> > Thanks
> > Dmitri
> >
> > -Brian
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-***@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Rob Crittenden
2011-06-08 14:25:21 UTC
Permalink
Dmitri Pal wrote:
> On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>>
>> I continue to work with performance issues. I went into the krb5.conf
>> and changed dns_lookup_kdc from true to false. Kinit now responds
>> immediately. It’s cut the time on “ipa-finduser admin” from 2m30s down
>> to 18-20s. How fast “should” this respond?
>
> It should be a matter of less than a second.
> Are you using a VM to test? Does it have enough memory?
> It is really hard to say what exactly is causing your delays.
> IPA does a lot of name resolution. Delays are usually related to that. By
> turning off the name resolution against DNS in Kerberos you reduced the
> number of lookups but probably did not eliminate all of them. I suggest
> you continue looking into the name resolution more.
> This is the best we can say without any logs or specific configurations.
> Sorry.

Well, not quite sub-second processing. Two kerberos authentications have
to occur and those tend to be slow, 300ms or so each, plus processing
time and such. A typical v1 command will take 1-3 seconds. It seems
sometimes that the first execution is a bit slower as a lot of python
modules need to get loaded but subsequent runs tend to speed up a bit.
18-20 is still far out of line with what I'd expect.

The logs to look at on the server are:

/var/log/dirsrv/slapd-YOURINSTANCE/access

You'd need to find the BIND for your user to get the connection number,
then trace that through to see how long the LDAP part took. This is
likely to be very fast.

/var/log/httpd/error_log

This will show the XML-RPC handling time, any errors, etc.

rob
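Rob's procedure (find the user's BIND, take its conn number, follow that connection through the access log) can be scripted. The script below is an added example written for this thread, not code from the FreeIPA or 389 Directory Server projects. The log it parses is constructed in the access-log format quoted in this thread: conn=20 mirrors the GSSAPI-bound connection from the `ipa-finduser` run, and conn=21 is an invented simple bind with one slow, unindexed search so the tracer has something to flag; the user DN `uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov` is an assumption. The useful output is the comparison: if the summed `etime` on the user's connection stays near zero while the wall-clock span between its first and last line is large, the seconds are being spent outside the directory server (client processing, Kerberos, name resolution), which is what Rob expects here.

```python
import re
from datetime import datetime

# Constructed sample in the 389-ds access-log format seen in this thread.
# conn=20 mirrors the GSSAPI-authenticated connection from the thread;
# conn=21 is an invented simple bind that runs one slow, unindexed search
# (notes=U) so that the tracer has something to flag.
SAMPLE_ACCESS_LOG = """\
[07/Jun/2011:14:47:19 -0700] conn=20 fd=64 slot=64 connection from 143.232.152.197 to 143.232.152.197
[07/Jun/2011:14:47:19 -0700] conn=20 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2011:14:47:19 -0700] conn=20 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[07/Jun/2011:14:47:19 -0700] conn=20 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2011:14:47:19 -0700] conn=20 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov"
[07/Jun/2011:14:47:20 -0700] conn=20 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2 filter="(krbPrincipalName=admin@ARC.NASA.GOV)" attrs="krbPrincipalName objectClass"
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2011:14:47:21 -0700] conn=21 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/Jun/2011:14:47:21 -0700] conn=21 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Jun/2011:14:47:21 -0700] conn=21 op=1 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2 filter="(description=*)" attrs=ALL
[07/Jun/2011:14:47:24 -0700] conn=21 op=1 RESULT err=0 tag=101 nentries=500 etime=3 notes=U
[07/Jun/2011:14:47:24 -0700] conn=21 op=2 UNBIND
[07/Jun/2011:14:47:38 -0700] conn=20 op=16 UNBIND
[07/Jun/2011:14:47:38 -0700] conn=20 op=16 fd=64 closed - U1
"""

# "[timestamp] conn=N [op=M] <rest of line>"; op is absent on connection open lines.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "conn": int(m.group("conn")),
            "op": int(m.group("op")) if m.group("op") is not None else None,
            "rest": m.group("rest"),
        })
    return entries


def find_bind_connections(entries, dn_fragment):
    """Connection numbers on which dn_fragment appears in a BIND line or in a
    successful RESULT line (SASL/GSSAPI binds report the mapped DN on the RESULT)."""
    needle = dn_fragment.lower()
    conns = set()
    for e in entries:
        rest = e["rest"]
        is_bind = rest.startswith("BIND ")
        is_ok_result = rest.startswith("RESULT ") and re.search(r"\berr=0\b", rest)
        if (is_bind or is_ok_result) and 'dn="' in rest and needle in rest.lower():
            conns.add(e["conn"])
    return conns


def trace_connection(entries, conn, slow_seconds=1.0):
    """Summarise one connection: wall-clock span between its first and last
    log line, the sum of server-side etime values, and ops worth a look."""
    ops = [e for e in entries if e["conn"] == conn]
    if not ops:
        return None
    etimes, unindexed, searches = {}, [], 0
    for e in ops:
        rest = e["rest"]
        if rest.startswith("SRCH "):
            searches += 1
        m = re.search(r"\betime=(\d+(?:\.\d+)?)", rest)
        if m and e["op"] is not None:
            etimes[e["op"]] = float(m.group(1))
            if "notes=U" in rest:  # 389-ds flags an unindexed search with notes=U
                unindexed.append(e["op"])
    return {
        "conn": conn,
        "wall_seconds": (ops[-1]["ts"] - ops[0]["ts"]).total_seconds(),
        "server_seconds": sum(etimes.values()),
        "ops": len(etimes),
        "searches": searches,
        "slow_ops": sorted(op for op, t in etimes.items() if t >= slow_seconds),
        "unindexed_ops": unindexed,
    }


def where_is_the_time(entries, dn_fragment, slow_seconds=1.0):
    """Trace every connection bound as the user and say whether the directory
    server itself accounts for a noticeable share of the elapsed time."""
    report = []
    for conn in sorted(find_bind_connections(entries, dn_fragment)):
        summary = trace_connection(entries, conn, slow_seconds)
        summary["server_side"] = summary["server_seconds"] >= slow_seconds
        report.append(summary)
    return report


if __name__ == "__main__":
    for summary in where_is_the_time(parse_access_log(SAMPLE_ACCESS_LOG), "uid=admin"):
        print(summary)
```

Against a real server, feed it `open('/var/log/dirsrv/slapd-ARC-NASA-GOV/access').read()` instead of the constructed sample. Two caveats: the access log in this thread records `etime` in whole seconds, so any op under a second shows as `etime=0` and only the timestamps between lines reveal sub-second latency; and `wall_seconds` spans the whole connection, so it includes the client's own think time between operations, not just server work.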
Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-07 22:12:44 UTC
Permalink
I'm not using a VM, I'm using a workstation dedicated to just FreeIPA. It has 4GB memory.
Which logs are you interested in? I've been looking through all I can find and have seen nothing relevant.

-Brian

[***@freeipa ~]# free
                        total       used       free     shared    buffers     cached
Mem:                  3989324    2043720    1945604          0     219368    1202000
-/+ buffers/cache:                622352    3366972
Swap:                 8191992          0    8191992
[***@freeipa ~]#

load average: 0.00, 0.05, 0.05


[***@freeipa ~]# date ; time ipa-finduser admin
Tue Jun 7 14:46:59 PDT 2011
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin

real 0m20.688s
user 0m0.072s
sys 0m0.022s


[***@freeipa ~]# tail -3 /var/log/ipa_error.log
2011-06-03 16:01:58,882 root INFO IPA: get_user_by_principal '***@ARC.NASA.GOV'
2011-06-03 16:02:19,254 root INFO IPA: get_user_by_principal '***@ARC.NASA.GOV'
2011-06-03 16:02:39,455 root INFO IPA: get_user_by_principal '***@ARC.NASA.GOV'

[***@freeipa ~]# tail -5 /var/log/krb5kdc.log
Jun 07 14:17:31 freeipa.arc.nasa.gov krb5kdc[7680](info): commencing operation
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ***@ARC.NASA.GOV for krbtgt/***@ARC.NASA.GOV
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ***@ARC.NASA.GOV for krbtgt/***@ARC.NASA.GOV
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (4 etypes {18 17 16 23}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ***@ARC.NASA.GOV for ldap/***@ARC.NASA.GOV
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, ***@ARC.NASA.GOV for krbtgt/***@ARC.NASA.GOV

[***@freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/access
[07/Jun/2011:14:47:20 -0700] conn=20 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=***@ARC.NASA.GOV))" attrs="krbPrincipalName krbcanonicalname objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbExtraData krbObjectReferences krballowedtodelegateto"
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 RESULT err=0 tag=101 nentries=1 etime=0

[***@freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS requests

[***@freeipa ~]# tail -5 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:02 -0700] - All database threads now stopped
[07/Jun/2011:14:12:02 -0700] - slapd stopped.
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS requests


On 6/7/11 2:33 PM, "Dmitri Pal" <***@redhat.com> wrote:

On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately. It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?


It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By turning off the name resolution against DNS in Kerberos you reduced the number of lookups but probably did not eliminate all of them. I suggest you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations. Sorry.

Thanks
Dmitri
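Dmitri's reply points at name resolution, and Brian resolves through hosts files rather than DNS. The check below is an added example for this thread, not part of FreeIPA: it asks the same NSS path (`/etc/hosts` first, then DNS) that the server's Kerberos and LDAP libraries use what the IPA host's name resolves to, resolves each address back to a name, and times every lookup. The resolver functions are parameters so the check can be exercised offline with constructed answers; when run as a script it uses the local machine's FQDN (or the hostname given on the command line). The findings it reports are the ones that cost time or break service principals: a forward/reverse mismatch (MIT Kerberos canonicalises the service host through reverse lookup by default, so a wrong PTR changes which `ldap/...` principal gets requested), a hostname mapped to a loopback address in `/etc/hosts`, and lookups that take longer than a chosen threshold.

```python
import socket
import sys
import time


def check_host_resolution(hostname, forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr, slow_after=0.5):
    """Resolve hostname to addresses, resolve each address back to a name,
    time every lookup, and report what Kerberos/LDAP would trip over.

    forward(host) -> (canonical_name, aliases, addresses)   (gethostbyname_ex shape)
    reverse(addr) -> (name, aliases, addresses)             (gethostbyaddr shape)
    Both defaults go through NSS, so /etc/hosts is consulted before DNS.
    """
    findings = []
    timings = {}
    addresses = []
    canonical = None

    started = time.monotonic()
    try:
        canonical, _aliases, addresses = forward(hostname)
    except OSError as exc:  # gaierror/herror are OSError subclasses
        findings.append(f"forward lookup of {hostname} failed: {exc}")
    timings[hostname] = time.monotonic() - started

    if canonical and canonical.lower() != hostname.lower():
        findings.append(f"{hostname} canonicalises to {canonical}; service "
                        f"principals are built from the canonical name")
    if any(addr.startswith("127.") for addr in addresses):
        findings.append(f"{hostname} maps to a loopback address; remote "
                        f"clients cannot reach the KDC/LDAP service there")

    for addr in addresses:
        started = time.monotonic()
        try:
            name, _aliases, _addrs = reverse(addr)
        except OSError as exc:
            findings.append(f"reverse lookup of {addr} failed: {exc}")
        else:
            accepted = {hostname.lower(), (canonical or hostname).lower()}
            if name.lower() not in accepted:
                findings.append(f"reverse lookup of {addr} gives {name}, not {hostname}")
        timings[addr] = time.monotonic() - started

    slowest = max(timings.values())
    if slowest >= slow_after:
        findings.append(f"slowest lookup took {slowest:.2f}s (threshold {slow_after}s)")
    return {"hostname": hostname, "addresses": addresses,
            "findings": findings, "slowest_seconds": slowest}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    result = check_host_resolution(target)
    print(f"{target} -> {result['addresses']} "
          f"(slowest lookup {result['slowest_seconds']:.3f}s)")
    for finding in result["findings"] or ["no resolution problems found"]:
        print(" -", finding)
```

Run it on the IPA server itself and on a client, since each side resolves independently; a clean result on the server does not rule out a slow or wrong answer on the client that is running `ipa-finduser`.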
Steven Jones
2011-06-07 23:13:08 UTC
Permalink
Hi,

Where is DNS being done and how?

I tend to agree with Dmitri, it looks like DNS related issues.

regards


Stamper, Brian P. (ARC-D)[Logyx LLC]
2011-06-08 05:49:42 UTC
Permalink
The short answer is, it's not. I don't really use DNS, I rely on hosts files, particularly in this test environment.

-brian
________________________________________
From: Steven Jones [***@vuw.ac.nz]
Sent: Tuesday, June 07, 2011 4:13 PM
To: Stamper, Brian P. (ARC-D)[Logyx LLC]; freeipa-***@redhat.com
Subject: RE: [Freeipa-users] Difficulty installing freeipa

Hi,

Where is DNS being done and how?

I tend to agree with Dmitri, it looks like DNS related issues.

regards

