Hi there
I come from China
I'm trying to install FreeIPA on a fresh Amazon Linux 2 instance (Amazon Linux 2 AMI (HVM) - Kernel 4.14, SSD Volume Type)
I have the exact same problem as in this link:
https://forums.aws.amazon.com/thread.jspa?messageID=997191&tstart=0
Hope to get an answer, thanks!
I'm trying to install FreeIPA on a fresh Amazon Linux 2 instance (ami-087c17d1fe0178315), reproducing steps that were successful a few months ago, but the installation fails during pki-tomcat setup. Details below, but a very similar bug is described here: https://bodhi.stg.fedoraproject.org/updates/FEDORA-2021-e55a8d7545
Has anyone found a workaround for this? Or do the RPMs in alinux2 need to be updated?
Details:
Configure Route53 for group-ipa.groupdev.local, ipa-ca.groupdev.local to resolve to instance's IP address.
hostnamectl set-hostname group-ipa.groupdev.local
yum update -y
yum install freeipa-server
ipa-server-install
... enter config info ...
... installation proceeds for quite a while, then ...
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
1/30: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLuET89' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
error RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
pkispawn logs note a connection failure after:
2021-10-04 16:36:50 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2021-10-04 16:36:50 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
and the pki-tomcatd logs suggest an authentication problem between tomcat and the LDAP server:
$ journalctl -u pki-tomcatd@pki-tomcat.service
...
Oct 04 13:54:10 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore() begins
Oct 04 13:54:10 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore(): tag=internaldb
Oct 04 13:54:10 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore(): tag=replicationdb
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password
Oct 04 13:54:11 group-ipa.groupdev.local server: CMSEngine: init(): password test execution failed: 2
Oct 04 13:54:11 group-ipa.groupdev.local server: Password test execution failed. Is the database up?
Oct 04 13:54:11 group-ipa.groupdev.local server: Password test execution failed. Is the database up?
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.cmscore.apps.CMSEngine.initializePasswordStore(CMSEngine.java:467)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:535)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.certsrv.apps.CMS.init(CMS.java:191)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1458)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
/var/log/dirsrv/slapd-GROUPDEV-LOCAL/access shows the successful bind for cn=Directory Manager, then three "Entry does not exist" results for "cn=Replication Manager masterAgreement1-...", which appear to be interpreted as "Invalid Password" on tomcat's side.
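The last observation is the useful diagnostic point: pki-tomcat reports every failed bind as "Invalid Password", while the 389-ds access log tells you whether the bind DN was missing (LDAP result 32, noSuchObject) or the password was actually wrong (result 49, invalidCredentials). The script below is an added example, not part of the original post or of FreeIPA/Dogtag; it pairs each BIND with its RESULT line by (conn, op) and classifies the failures. The sample log lines are constructed to mirror the shape of a 389-ds access log, and the "masterAgreement1-EXAMPLE" DN is a placeholder, not the real agreement name.

```python
import re

# Constructed sample of 389-ds access-log lines (not taken from the original
# post): a successful Directory Manager bind, a bind as a replication manager
# entry that does not exist yet (err=32), and a bind with a wrong password
# (err=49). The agreement DN is a placeholder.
SAMPLE_ACCESS_LOG = """\
[04/Oct/2021:13:54:10.812345678 +0000] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[04/Oct/2021:13:54:10.815345678 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.003 dn="cn=directory manager"
[04/Oct/2021:13:54:11.101345678 +0000] conn=13 op=0 BIND dn="cn=Replication Manager masterAgreement1-EXAMPLE,ou=csusers,cn=config" method=128 version=3
[04/Oct/2021:13:54:11.102345678 +0000] conn=13 op=0 RESULT err=32 tag=97 nentries=0 etime=0.001
[04/Oct/2021:13:54:11.301345678 +0000] conn=14 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=128 version=3
[04/Oct/2021:13:54:11.302345678 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
"""

# Generic shape of an access-log operation line: timestamp, conn, op, verb, rest.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>BIND|RESULT)\b(?P<rest>.*)$'
)
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

# Standard LDAP result codes that matter for bind triage.
LDAP_RESULT = {
    0: "success",
    32: "noSuchObject (bind DN does not exist)",
    49: "invalidCredentials (wrong password)",
    50: "insufficientAccessRights",
}


def pair_binds(log_text):
    """Return [(bind_dn, err_code), ...], one entry per BIND operation.

    A BIND and its RESULT share the same conn/op pair, so we remember the DN
    when the BIND is seen and emit it when the matching RESULT arrives.
    """
    pending = {}
    paired = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # SRCH, MOD, UNBIND, etc. are not bind-related here
        key = (m['conn'], m['op'])
        if m['kind'] == 'BIND':
            dn_m = DN_RE.search(m['rest'])
            pending[key] = dn_m['dn'] if dn_m else ''  # anonymous bind has dn=""
        elif key in pending:
            err_m = ERR_RE.search(m['rest'])
            err = int(err_m['err']) if err_m else -1
            paired.append((pending.pop(key), err))
    return paired


def failed_binds(log_text):
    """Only the failing binds, each with a human-readable reason."""
    return [
        (dn, err, LDAP_RESULT.get(err, "ldap result %d" % err))
        for dn, err in pair_binds(log_text)
        if err != 0
    ]


if __name__ == "__main__":
    # On a real host: failed_binds(open("/var/log/dirsrv/slapd-GROUPDEV-LOCAL/access").read())
    for dn, err, reason in failed_binds(SAMPLE_ACCESS_LOG):
        print("bind as %r failed: err=%d %s" % (dn, err, reason))
```

A run over the sample prints one err=32 line for the replication manager DN and one err=49 line for pkidbuser; only the second is a genuine password problem, the first means the CA installer never created (or could not find) the entry it is trying to bind as, which is what the access log in the post is showing.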