Bug 458978 - ipa-server-install fails if RHDS was previously installed (permissions issue)
ipa-server-install fails if RHDS was previously installed (permissions issue)
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise IPA
Classification: Retired
Component: misc (Show other bugs)
1.0
All Linux
medium Severity medium
: v2 release
: ---
Assigned To: Simo Sorce
Chandrasekar Kannan
: EasyFix
Depends On:
Blocks: 431020
  Show dependency treegraph
 
Reported: 2008-08-13 11:30 EDT by Guil Barros
Modified: 2015-01-04 18:33 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-14 16:41:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Guil Barros 2008-08-13 11:30:01 EDT
Description of problem:
If installing ipa on a system that previously had RHDS installed (and has old data files laying around), the ipa-server-install script fails when it attempts to create data files for the new DS instances. This occurs because the original RHDS has nobody.nobody owning some of its data, while IPA uses dirsrv.dirsrv.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Remove old RHDS with rpm -e
2. install IPA rpms
3. run ipa-server-install
  
Actual results:
[root@ds101-dev yum.repos.d]# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure TurboGears

To accept the default shown in brackets, press the Enter key.


An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ds101-dev.sec.tds.net]: 

The domain name has been calculated based on the host name.

Please confirm the domain name [sec.tds.net]: 

The IPA Master Server will be configured with
Hostname:    ds101-dev.sec.tds.net
IP address:  192.168.221.97
Domain name: sec.tds.net

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

A user account named 'dirsrv' already exists. This is the user id
that the Directory Server will run as.

Do you want to use the existing 'dirsrv' account? [yes]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SEC.TDS.NET]: TDS.NET

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 


The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
  [1/16]: creating directory server user
  [2/16]: creating directory server instance
root        : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmptqSDQB' returned non-zero exit status 1
  [3/16]: adding default schema
  [4/16]: enabling memberof plugin
root        : CRITICAL Failed to load memberof-conf.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpx3usFw -f /usr/share/ipa/memberof-conf.ldif' returned non-zero exit status 1
  [5/16]: enabling referential integrity plugin
root        : CRITICAL Failed to load referint-conf.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp3oNfyc -f /usr/share/ipa/referint-conf.ldif' returned non-zero exit status 1
  [6/16]: enabling distributed numeric assignment plugin
root        : CRITICAL Failed to load dna-conf.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp-ljITT -f /usr/share/ipa/dna-conf.ldif' returned non-zero exit status 1
  [7/16]: configuring uniqueness plugin
root        : CRITICAL Failed to load unique-attributes.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp6kYAZJ -f /tmp/tmpL2mrpM' returned non-zero exit status 1
  [8/16]: creating indices
root        : CRITICAL Failed to load indices.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpAViPtl -f /usr/share/ipa/indices.ldif' returned non-zero exit status 1
  [9/16]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
 {'desc': "Can't contact LDAP server"}



Expected results:
Success :)

Additional info:
The issue is ownership of /var/lib/dirsrv and can be solved by giving ownership of that dir to dirsrv and restarting ipa-server-install
Comment 1 Guil Barros 2008-08-13 12:06:34 EDT
original perms were nobody.nobody 664 on /var/lib/dirsrv (im pretty sure...) I might get a chance to create a new RHDS box and migrate it to RHIPA again sometime and will confirm.
Comment 4 Rob Crittenden 2010-09-09 13:59:14 EDT
https://fedorahosted.org/freeipa/ticket/200
Comment 5 Rob Crittenden 2010-10-14 16:41:48 EDT
I can't reproduce this in Fedora. 

I tried reproducing this by setting up a DS instance as nobody.nobody, then using remove-ds.pl to remove it, then I did an IPA installation and it succeeded.

rpm -V 389-ds-base returns ok for /var/lib/dirsrv and it is owned and provided by root.

It could be that the DS package or installer has been modified in the interm so this is no longer a problem. Closing for now.

Note You need to log in before you can comment on or make changes to this bug.