Description of problem:
If installing ipa on a system that previously had RHDS installed (and has old data files laying around), the ipa-server-install script fails when it attempts to create data files for the new DS instances. This occurs because the original RHDS has nobody.nobody owning some of its data, while IPA uses dirsrv.dirsrv.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Remove old RHDS with rpm -e
2. install IPA rpms
3. run ipa-server-install

Actual results:
[root@ds101-dev yum.repos.d]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure TurboGears

To accept the default shown in brackets, press the Enter key.

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ds101-dev.sec.tds.net]:

The domain name has been calculated based on the host name.

Please confirm the domain name [sec.tds.net]:

The IPA Master Server will be configured with
Hostname:    ds101-dev.sec.tds.net
IP address:  192.168.221.97
Domain name: sec.tds.net

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).
The setup procedure will give this user/group some permissions
in specific paths/files to perform server-specific operations.

A user account named 'dirsrv' already exists.
This is the user id that the Directory Server will run as.
Do you want to use the existing 'dirsrv' account? [yes]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SEC.TDS.NET]: TDS.NET

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
  [1/16]: creating directory server user
  [2/16]: creating directory server instance
root        : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmptqSDQB' returned non-zero exit status 1
  [3/16]: adding default schema
  [4/16]: enabling memberof plugin
root        : CRITICAL Failed to load memberof-conf.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpx3usFw -f /usr/share/ipa/memberof-conf.ldif' returned non-zero exit status 1
  [5/16]: enabling referential integrity plugin
root        : CRITICAL Failed to load referint-conf.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp3oNfyc -f /usr/share/ipa/referint-conf.ldif' returned non-zero exit status 1
  [6/16]: enabling distributed numeric assignment plugin
root        : CRITICAL Failed to load dna-conf.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp-ljITT -f /usr/share/ipa/dna-conf.ldif' returned non-zero exit status 1
  [7/16]: configuring uniqueness plugin
root        : CRITICAL Failed to load unique-attributes.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp6kYAZJ -f /tmp/tmpL2mrpM' returned non-zero exit status 1
  [8/16]: creating indices
root        : CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpAViPtl -f /usr/share/ipa/indices.ldif' returned non-zero exit status 1
  [9/16]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
{'desc': "Can't contact LDAP server"}

Expected results:
Success :)

Additional info:
The issue is ownership of /var/lib/dirsrv and can be solved by giving ownership of that dir to dirsrv and restarting ipa-server-install
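A preflight check for the condition this report describes, added here as an example; it is not part of the bug report, of FreeIPA or of 389-ds. It resolves the service account by name, walks the data directory without following symlinks, and lists every entry not owned by that account, so a leftover nobody.nobody tree is reported before ipa-server-install is started. Assumptions: the default path list holds only /var/lib/dirsrv from the report; all function and variable names are the example's own; the demo builds a constructed temporary tree rather than touching a real instance.

```python
import grp
import os
import pwd
import sys
import tempfile

# Path named in the report; extend the list for other instance directories.
DEFAULT_PATHS = ["/var/lib/dirsrv"]


def resolve_account(user, group):
    """Return (uid, gid) for the names; None for a name that does not exist."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        uid = None
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = None
    return uid, gid


def owner_names(st):
    """Human-readable owner:group for a stat result, falling back to numbers."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return f"{user}:{group}"


def find_foreign_owned(root, uid, gid):
    """Return [(path, 'owner:group')] for every entry under root (root itself
    included) whose uid or gid differs from the expected service account.
    lstat is used and symlinks are not followed, so the walk stays inside root."""
    offenders = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(entry)
            if st.st_uid != uid or st.st_gid != gid:
                offenders.append((entry, owner_names(st)))
    return offenders


def preflight(paths, user="dirsrv", group="dirsrv"):
    """Summarise what would make instance creation fail under the given account."""
    uid, gid = resolve_account(user, group)
    report = {"missing_account": uid is None or gid is None, "foreign_owned": []}
    if report["missing_account"]:
        return report
    for path in paths:
        if os.path.lexists(path):
            report["foreign_owned"].extend(find_foreign_owned(path, uid, gid))
    return report


def demo_on_constructed_tree():
    """Build a small constructed tree in a temp dir (not a real DS instance) and
    run the checks against it, returning counts for inspection."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "db"))
        for name in ("dse.ldif", os.path.join("db", "id2entry.db")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
        st = os.lstat(root)
        # Checked against the tree's real owner: nothing is foreign.
        own = find_foreign_owned(root, st.st_uid, st.st_gid)
        # Pretend the service account has a different uid: all four entries are foreign.
        other = find_foreign_owned(root, st.st_uid + 1, st.st_gid)
        missing = resolve_account("no-such-user-example", "no-such-group-example")
    return {"self_owned": len(own), "foreign": len(other),
            "missing_account": missing == (None, None)}


if __name__ == "__main__":
    result = preflight(DEFAULT_PATHS)
    if result["missing_account"]:
        sys.exit("service account dirsrv:dirsrv does not exist; create it first")
    for path, owner in result["foreign_owned"]:
        print(f"{path} is owned by {owner}, expected dirsrv:dirsrv")
    if result["foreign_owned"]:
        print("fix with: chown -R dirsrv:dirsrv " + " ".join(DEFAULT_PATHS))
        sys.exit(1)
    print("ownership looks consistent; safe to run ipa-server-install")
```

Run as root on the target host before ipa-server-install; a non-empty offender list is exactly the state the report hit at step [2/16], and the printed chown is the remedy the reporter gives under "Additional info". Resolving the account separately also catches the other way this step can fail, a missing dirsrv user, instead of reporting every file as foreign-owned.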
Original perms were nobody.nobody 664 on /var/lib/dirsrv (I'm pretty sure...). I might get a chance to create a new RHDS box and migrate it to RHIPA again sometime and will confirm.
https://fedorahosted.org/freeipa/ticket/200
I can't reproduce this in Fedora. I tried reproducing this by setting up a DS instance as nobody.nobody, then using remove-ds.pl to remove it, then I did an IPA installation and it succeeded. rpm -V 389-ds-base returns ok for /var/lib/dirsrv and it is owned and provided by root. It could be that the DS package or installer has been modified in the interim so this is no longer a problem. Closing for now.