As admin, I have just installed ipa-server from CentOS 7.6.
ipa-server-upgrade
Missing version: no platform stored
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
Unparseable ACI (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";): malformed ACI, match for version and bind rule failed (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";) (at cn=trusts,dc=local)
Unparseable ACI (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";): malformed ACI, match for version and bind rule failed (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";) (at cn=trusts,dc=local)
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Add missing CA DNS records]
DNS is not configured
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
<img alt="ipaupgrade.log" src="/freeipa/issue/raw/files/a89e8af5c993fda136dce9422b2abf6cd0836cdd518a86d7e03724d8d1e12c26-ipaupgrade.log" />
That's the output of ipa-server-upgrade and not ipa-server-install. Your SSSD main configuration is missing. How did you install the server?
2019-01-17T11:04:26Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-01-17T11:04:26Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2085, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1966, in upgrade_configuration
    set_sssd_domain_option('ipa_server_mode', 'True')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1388, in set_sssd_domain_option
    sssdconfig.import_config()
  File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1455, in import_config
    fd = open(configfile, 'r')
2019-01-17T11:04:26Z DEBUG The ipa-server-upgrade command failed, exception: IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
Here is the install log from the second attempt; the error is the same.
<img alt="ipaserver-install.log" src="/freeipa/issue/raw/files/edf20d6531fd287c5d5b49eed67335ee849e55c608c8b54dcbbbb8a57a5c12bb-ipaserver-install.log" />
There are a bunch of errors during ipa-server-install when trying to write to the LDAP server, for instance:
2019-01-17T11:22:40Z ERROR Parent DN of cn=anonymous-limits,cn=etc,dc=centos75,dc=local may not exist, cannot create the entry
Can you provide the LDAP server access log from /var/log/dirsrv/slapd-<DOMAIN>/access and the error log from /var/log/dirsrv/slapd-<DOMAIN>/errors?
<img alt="slapd-CENTOS70-LOCAL.tar.gz" src="/freeipa/issue/raw/files/d9130b0c92360756cf44ba80000c9d23b701bf21a246de83564acfdd054313dc-slapd-CENTOS70-LOCAL.tar.gz" />
Sorry for the delay, here are the logs.
There is something wrong with 389-DS on your machine. At one point, ADD operations start to fail with error code 32 (NO_SUCH_OBJECT).
[17/Jan/2019:14:23:51.282927228 +0100] conn=4 op=13 SRCH base="cn=anonymous-limits,cn=etc,dc=centos70,dc=local" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[17/Jan/2019:14:23:51.283045763 +0100] conn=4 op=13 RESULT err=32 tag=101 nentries=0 etime=0.0000270429
[17/Jan/2019:14:23:51.284502300 +0100] conn=4 op=14 ADD dn="cn=anonymous-limits,cn=etc,dc=centos70,dc=local"
[17/Jan/2019:14:23:51.286866803 +0100] conn=4 op=14 RESULT err=32 tag=105 nentries=0 etime=0.0002471763
...
[17/Jan/2019:14:25:00.092773069 +0100] conn=4 op=570 SRCH base="cn=certmap,dc=centos70,dc=local" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[17/Jan/2019:14:25:00.092881983 +0100] conn=4 op=570 RESULT err=32 tag=101 nentries=0 etime=0.0000155495
[17/Jan/2019:14:25:00.098444906 +0100] conn=4 op=571 ADD dn="cn=certmap,dc=centos70,dc=local"
[17/Jan/2019:14:25:00.099180980 +0100] conn=4 op=571 RESULT err=32 tag=105 nentries=0 etime=0.0001312053
The message Suffix "dc=centos70,dc=local" not found: BDB0073 DB_NOTFOUND: No matching key/data pair found(-30988) in the error log points to a problem with the database, too.
[17/Jan/2019:14:23:48.432244190 +0100] - INFO - slapd_daemon - slapd started. Listening on /var/run/slapd-CENTOS70-LOCAL.socket for LDAPI requests
[17/Jan/2019:14:23:51.813293173 +0100] - ERR - _entryrdn_insert_key - Suffix "dc=centos70,dc=local" not found: BDB0073 DB_NOTFOUND: No matching key/data pair found(-30988)
[17/Jan/2019:14:23:51.887826477 +0100] - ERR - index_addordel_entry - database index operation failed BAD 1031, err=-30988 BDB0073 DB_NOTFOUND: No matching key/data pair found
[17/Jan/2019:14:23:52.051026419 +0100] - ERR - slapi_entry_schema_check_ext - Entry "cn=ng,cn=alt,dc=centos70,dc=local" required attribute "objectclass" missing
[17/Jan/2019:14:23:52.058281930 +0100] - ERR - slapi_entry_schema_check_ext - Entry "cn=accounts,dc=centos70,dc=local" required attribute "objectclass" missing
[17/Jan/2019:14:23:52.073104092 +0100] - ERR - slapi_entry_schema_check_ext - Entry "cn=computers,cn=accounts,dc=centos70,dc=local" required attribute "objectclass" missing
[17/Jan/2019:14:23:52.091421152 +0100] - ERR - slapi_entry_schema_check_ext - Entry "cn=computers,cn=accounts,dc=centos70,dc=local" required attribute "objectclass" missing
[17/Jan/2019:14:23:52.167522069 +0100] - ERR - slapi_entry_schema_check_ext - Entry "dc=centos70,dc=local" required attribute "objectclass" missing
Well, it's the point. The system was installed from ISO on the virtual host -> IPA server install was run and failed.
How much RAM does this VM have? IPA needs at least 2GB. I've never seen a failure due to low memory result in DB errors though.
Since there was no activity in over a month, I'm closing this issue. The problem is likely caused by lack of resources. Please make sure that the machine has a sufficient amount of RAM and disk space.
Metadata Update from @cheimes: - Issue close_status updated to: insufficientinfo - Issue status updated to: Closed (was: Open)