freeIPA installation issues (and fixes)

Hi. I just wanted to report that the freeIPA installation seems quite broken for AlmaLinux (9.5) (and I'm guessing every other distro that uses the el9_5.4 version).

I was performing an install of the freeipa-server package using AlmaLinux (9.5), and had some issues. (Fixes for these issues below.)

Out of curiosity I wanted to test against another similar distro, so I used Oracle Linux (9.5), and ultimately I had zero trouble installing freeIPA server using the Oracle Linux (9.5) distro.

I did some digging to find out why.
As an FYI, both distros needed the following line to succeed.

sysctl net.ipv6.conf.all.disable_ipv6=0

Alma's install, however, differs as follows; here are the items needed to make Alma 9.5 successfully install freeIPA server.

Make directories and create files in these directories. I didn't have to add anything to any of these files, but they needed to be there for the installation to succeed.

sudo mkdir -p /etc/ipa/custodia
sudo touch /etc/ipa/custodia/custodia.conf

sudo mkdir -p /var/lib/ipa/sysupgrade
sudo touch /var/lib/ipa/sysupgrade/sysupgrade.state

sudo mkdir -p /var/lib/ipa/sysrestore
sudo touch /var/lib/ipa/sysrestore/sysrestore.state

sudo mkdir -p /var/lib/ipa/pki-ca/publish

sudo mkdir -p /var/lib/ipa/gssproxy

sudo mkdir -p /var/lib/ipa/passwds
sudo touch /var/lib/ipa/passwds/ipa.wlcomm.net-443-RSA

sudo mkdir -p /var/lib/ipa/certs
sudo mkdir -p /var/lib/ipa/private

sudo mkdir -p /etc/ipa/kdcproxy
sudo touch /etc/ipa/kdcproxy/ipa-kdc-proxy.conf

Just to reiterate, I needed to do this on Alma, but not on Oracle 9.
It looks like Oracle 9 was micro-patched to fix this, as you can see below.

When I looked at the following on the 2 different servers…

dnf list installed | grep ipa

I see the following…

AlmaLinux 9.5 (and I'm sure others using the same enterprise kernel):

ipa-server.x86_64    4.12.2-1.el9_5.4

vs.

Oracle Linux 9.5 (UEK 5.15 kernel):

ipa-server.x86_64    4.12.2-1.0.1.el9_5.4

The install on Alma worked fine after these folder/file additions.

Thanks all.

Please explain the rationale.


# dnf -q rq --requires --resolve ipa-server | grep ipa
ipa-client-0:4.12.2-1.el9_5.4.x86_64
ipa-common-0:4.12.2-1.el9_5.4.noarch
ipa-server-common-0:4.12.2-1.el9_5.4.noarch
python3-ipaserver-0:4.12.2-1.el9_5.4.noarch

You should not be able to install the ipa-server package without ipa-server-common, and:

# dnf -q rq -l ipa-server-common | grep -E '/var/lib|/etc/ipa'
/etc/ipa
/etc/ipa/custodia
/etc/ipa/html
/etc/ipa/html/ssbrowser.html
/etc/ipa/html/unauthorized.html
/etc/ipa/kdcproxy
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf
/etc/ipa/kdcproxy/kdcproxy.conf
/var/lib/ipa
/var/lib/ipa/backup
/var/lib/ipa/certs
/var/lib/ipa/gssproxy
/var/lib/ipa/passwds
/var/lib/ipa/pki-ca
/var/lib/ipa/pki-ca/publish
/var/lib/ipa/private
/var/lib/ipa/sysrestore
/var/lib/ipa/sysupgrade
/var/lib/kdcproxy

The ipa-server-common package should create all those directories.

The /etc/ipa/custodia/custodia.conf seems to be something to create, but
I bet that the /usr/share/ipa/custodia.conf.template in ipa-server-common is the intended starting point.

I’d expect a service to create on first start the sysupgrade.state and sysrestore.state files.

IPv6: I'll try to find info on the IPv6 issue. But that line was the resolution in both cases.

I agree totally with you on ipa-server-common. I just checked what was installed again. It seems (unless I'm reading it wrong) that ipa-server-common was installed. Not sure why it didn't do what it should have been doing.

dnf list installed | grep ipa

almalinux-logos-ipa.noarch                     90.5.1-1.1.el9                             
device-mapper-multipath.x86_64                 0.8.7-32.el9                                
device-mapper-multipath-libs.x86_64            0.8.7-32.el9                                
ipa-client.x86_64                              4.12.2-1.el9_5.4                         
ipa-client-common.noarch                       4.12.2-1.el9_5.4                          
ipa-common.noarch                              4.12.2-1.el9_5.4                
ipa-healthcheck.noarch                         0.16-4.el9                               
ipa-healthcheck-core.noarch                    0.16-4.el9                                
ipa-selinux.noarch                             4.12.2-1.el9_5.4                           
ipa-server.x86_64                              4.12.2-1.el9_5.4                           
**ipa-server-common.noarch                       4.12.2-1.el9_5.4**                          
libipa_hbac.x86_64                             2.9.5-4.el9_5.4                            
python3-ipaclient.noarch                       4.12.2-1.el9_5.4                           
python3-ipalib.noarch                          4.12.2-1.el9_5.4                         
python3-ipaserver.noarch                       4.12.2-1.el9_5.4                          
python3-libipa_hbac.x86_64                     2.9.5-4.el9_5.4                          
sssd-ipa.x86_64                                2.9.5-4.el9_5.4

Here is the exact error for the IPv6 mention. It's more to do with how the server is created/kickstarted than anything else, I believe.

IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to ‘lo’ interface. You might need to enable IPv6 on the interface ‘lo’ in sysctl.conf.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Here is a sample of what the error looks like for the missing folders/files:

  [9/43]: configuring uniqueness plugin
  [10/43]: configuring uuid plugin
  [11/43]: configuring modrdn plugin
  [12/43]: configuring DNS plugin
  [13/43]: enabling entryUSN plugin
  [14/43]: configuring lockout plugin
  [15/43]: configuring graceperiod plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/sysupgrade/sysupgrade.state'
[Errno 2] No such file or directory: '/var/lib/ipa/sysupgrade/sysupgrade.state'
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

And a more verbose version…

  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 608, in main
    master_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 866, in install
    sstore.backup_state('installation', 'complete', False)
  File "/usr/lib/python3.9/site-packages/ipalib/sysrestore.py", line 404, in backup_state
    self.save()
  File "/usr/lib/python3.9/site-packages/ipalib/sysrestore.py", line 384, in save
    with open(self._path, "w") as f:

The ipa-server-install command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/sysrestore/sysrestore.state'
[Errno 2] No such file or directory: '/var/lib/ipa/sysrestore/sysrestore.state'
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

IPv6 is enabled by default in AlmaLinux 9.
Nothing in default sysctl config touches IPv6 settings.
The ‘lo’ interface is up – with ::1/128 – practically always. NetworkManager does not have persistent config file for it like it has for all other interfaces.

Why does your system lack the ::1 ?


Installing Identity Management | Red Hat Product Documentation writes:

The IdM system must have the IPv6 protocol enabled in the kernel.

The server was built the way it's built. I'll have to check the kickstart files. That change stopped that error, however.

I have just checked the server and, unless I'm reading it wrong, I see the following.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

As a side note, I am not sure why IdM needs IPv6 and can't survive without it. But that's out of my control.

I tracked this down in the kickstart file used:
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf

So that will explain the need to use:
sysctl net.ipv6.conf.all.disable_ipv6=0

As another side note, if it's not doing anything by being in the sysctl.conf file, how does it work then? It "seems" to be affecting the install. (I could be wrong, however.)

But was this after the:

If you remove the net.ipv6.conf.all.disable_ipv6 from the configs and reboot, do you still get IPv6 address on the ‘lo’?

If you don’t want IPv6 on some interface, then add ipv6.method disabled to the config of the relevant NetworkManager connection. You can do this already in the network kickstart directive.


To summarize:

  • The IPv6 issue was due to your very custom config, and therefore the sysctl net.ipv6.conf.all.disable_ipv6=0 is not a generic solution for all.

FreeIPA has multiple services that have to communicate. Apparently, they have been configured to use IPv6 within localhost. Some of those services may also now default to listen on both IPv4 and IPv6 and would require custom config to not require both protocols.
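The preflight that the discussion above boils down to, as an added example that is not part of the original thread and not FreeIPA's own code: it checks for ::1/128 on 'lo' (the condition the installer error quotes), reads the live disable_ipv6 toggles, and reports which persistent sysctl file would re-disable IPv6 at the next reboot, which is the case the one-off `sysctl` call leaves behind. The ROOT prefix argument and the function names are assumptions added so the checks can be run against a throwaway directory tree; on a real host pass an empty prefix and the output of `ip -6 addr show dev lo`.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): preflight for the
# IPv6 loopback requirement that ipa-server-install enforces.
# ROOT is an assumed prefix so the checks can run against a fake /proc and
# /etc tree; leave it empty on a real host.

# Returns 0 when the given 'ip -6 addr show dev lo' output lists ::1/128.
lo_has_ipv6_loopback() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6 ::1/128'
}

# Prints "all=<0|1> lo=<0|1>" from the live kernel toggles under $ROOT/proc
# ('?' when a toggle cannot be read).
ipv6_disable_flags() {
    root="${1:-}"
    all=$(cat "$root/proc/sys/net/ipv6/conf/all/disable_ipv6" 2>/dev/null || echo '?')
    lo=$(cat "$root/proc/sys/net/ipv6/conf/lo/disable_ipv6" 2>/dev/null || echo '?')
    printf 'all=%s lo=%s\n' "$all" "$lo"
}

# Prints "file:line:setting" for every persistent sysctl entry that disables
# IPv6 globally, by default, or on 'lo'. This is the line the kickstart in
# this thread appended to /etc/sysctl.conf; it survives 'sysctl ...=0'.
find_ipv6_disable_in_sysctl() {
    root="${1:-}"
    grep -HnE '^[[:space:]]*net\.ipv6\.conf\.(all|default|lo)\.disable_ipv6[[:space:]]*=[[:space:]]*1' \
        "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf 2>/dev/null || true
}

# Overall verdict: exit 0 = ready for ipa-server-install, 1 = fix needed.
# $1 = root prefix, $2 = text of 'ip -6 addr show dev lo'.
ipv6_preflight() {
    root="${1:-}"
    ip_out="$2"
    ok=0
    if ! lo_has_ipv6_loopback "$ip_out"; then
        echo "FAIL: no ::1/128 on lo"
        ok=1
    fi
    flags=$(ipv6_disable_flags "$root")
    case "$flags" in
        *=1*) echo "FAIL: disable_ipv6 is set in the running kernel ($flags)"; ok=1 ;;
    esac
    hits=$(find_ipv6_disable_in_sysctl "$root")
    if [ -n "$hits" ]; then
        echo "FAIL: persistent setting will re-disable IPv6 on reboot:"
        echo "$hits"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: IPv6 loopback requirement satisfied"
    return "$ok"
}

# Real-host usage (left commented so the file can be sourced safely):
# ipv6_preflight "" "$(ip -6 addr show dev lo)"
```

The third check is the one worth keeping: removing the `disable_ipv6 = 1` line from the file it reports (or, per the reply above, disabling IPv6 only on the non-loopback NetworkManager connections) is the persistent fix; `sysctl net.ipv6.conf.all.disable_ipv6=0` only changes the running kernel.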


One can check with rpm -V ipa-server-common;
that should list missing/changed files, if something has removed them after the install of that package. (No use doing that on a system where you have manually created them.)

rpm -V ipa-server-common
missing     /etc/ipa/custodia
missing     /etc/ipa/html
missing   c /etc/ipa/html/ssbrowser.html
missing   c /etc/ipa/html/unauthorized.html
missing     /etc/ipa/kdcproxy
missing   c /etc/ipa/kdcproxy/kdcproxy.conf
missing     /var/lib/ipa/backup
missing     /var/lib/ipa/certs
missing     /var/lib/ipa/gssproxy
missing     /var/lib/ipa/passwds
missing     /var/lib/ipa/pki-ca
missing     /var/lib/ipa/private
missing     /var/lib/ipa/sysrestore
missing     /var/lib/ipa/sysupgrade

🙂

Let me try:

# dnf install ipa-server-common
...
Installed:
  almalinux-logos-httpd-90.5.1-1.1.el9.noarch              almalinux-logos-ipa-90.5.1-1.1.el9.noarch             
  apr-1.7.0-12.el9_3.x86_64                                apr-util-1.6.1-23.el9.x86_64                          
  apr-util-bdb-1.6.1-23.el9.x86_64                         apr-util-openssl-1.6.1-23.el9.x86_64                  
  httpd-2.4.62-1.el9_5.2.x86_64                            httpd-core-2.4.62-1.el9_5.2.x86_64                    
  httpd-filesystem-2.4.62-1.el9_5.2.noarch                 httpd-tools-2.4.62-1.el9_5.2.x86_64                   
  ipa-client-common-4.12.2-1.el9_5.4.noarch                ipa-server-common-4.12.2-1.el9_5.4.noarch             
  mod_http2-2.0.26-2.el9_4.1.x86_64                        mod_lua-2.4.62-1.el9_5.2.x86_64                       

Complete!
# rpm -V ipa-server-common
# ls /etc/ipa /var/lib/ipa
/etc/ipa:
custodia  html  kdcproxy  nssdb

/var/lib/ipa:
backup  certs  gssproxy  passwds  pki-ca  private  sysrestore  sysupgrade

AlmaLinux 9 seems to install the package as expected.

Something in your system differs. Why?

The dnf keeps history of transactions:

# dnf history list ipa-server-common
ID     | Command line                                                | Date and time    | Action(s)      | Altered
------------------------------------------------------------------------------------------------------------------
    20 | install ipa-server-common                                   | 2025-04-11 10:21 | Install        |   14 EE

and therefore one can get details, for example to check what the “EE” was about:

# dnf history info 20
Transaction ID : 20
...
Command Line   : install ipa-server-common
Comment        : 
Packages Altered:
   ...
Scriptlet output:
   1 /usr/lib/sysusers.d/libvirt-qemu.conf:1: Conflict with earlier configuration for group 'kvm', ignoring line.

It is also possible to dnf reinstall ipa-server-common

Why would I reinstall ipa-server-common and not just dnf reinstall -y freeipa-server (i.e. all parts of it)? Is it OK to install just one of the components?

I'm not sure what. It's a VM on an ESXi host; the kickstart was the exact same for both.
Could it perhaps be the ipapython I saw in the error I pasted a few replies back? (python --version was the same for my two test VMs.)

I created a new VM. I did the following.

pxeboot/kickstart
dnf updated it (the kernel is now 5.14.0-503.35.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC)
rebooted
dnf install freeipa-server (283 packages)
rebooted
ipa-server-install

It all installed with no issues this time. 🙂 So I'm even more confused now. The only difference was that I didn't have the line sysctl net.ipv6.conf.all.disable_ipv6=1 in the kickstart to change /etc/sysctl.conf (as mentioned a few replies back).


A reinstall only reinstalls the listed packages, not the dependencies (unless a dependency is missing, ie not installed).

You can check with dnf history info ipa-server-common what has happened during the original installation. It should show some errors if those directories are missing.

You can also verify all installed packages with rpm -Va to see if more packages have missing directories or files. However this also lists all modified configuration files which is to be expected. Thus the list gets lengthy…

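A small triage for `rpm -V` / `rpm -Va` output, as an added example that is not from the thread and not part of rpm: it serves both the rpm -V listing a few replies up and the note just above that `rpm -Va` gets lengthy because every locally modified config file is listed. It sorts each line into missing files or directories (the case in this thread, where a reinstall is the fix), changed config files (expected), changed non-config files (which on a package-managed host deserve a closer look), and attribute-only changes. The sample is constructed: its first two lines are copied from the rpm -V listing earlier in the thread, the other three are made up to show the remaining categories. The function names are assumptions, and the parser splits on whitespace, so paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the thread, not part of rpm): triage 'rpm -V' output.
# Each verify line is "<attrs> [<type>] <path>". attrs is the word "missing" or
# a 9-character field (S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P caps; '.' = unchanged). The optional type char marks
# config (c), doc (d), ghost (g), license (l) or readme (r) files.

# Constructed sample: first two lines copied from the thread's rpm -V listing,
# the remaining three are made up to exercise the other categories.
SAMPLE_RPM_V='missing     /etc/ipa/custodia
missing   c /etc/ipa/kdcproxy/kdcproxy.conf
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/sudo
.......T.    /usr/lib/systemd/system/httpd.service'

# Reads verify output on stdin, prints "<CATEGORY> <attrs> <path>" per line.
#   MISSING          a file/directory the package owns is gone (reinstall it)
#   CONFIG_CHANGED   a %config file was edited locally; normally expected
#   CONTENT_CHANGED  a non-config file whose size, digest or link target
#                    differs; on a package-managed host, look into it
#   ATTR_CHANGED     only mtime/mode/owner/group differ
triage_rpm_verify() {
    awk '
    NF < 2 { next }
    {
        attrs = $1
        if (NF >= 3) { ftype = $2; path = $3 } else { ftype = "-"; path = $2 }
        if (attrs == "missing")      cat = "MISSING"
        else if (ftype == "c")       cat = "CONFIG_CHANGED"
        else if (attrs ~ /[S5L]/)    cat = "CONTENT_CHANGED"
        else                         cat = "ATTR_CHANGED"
        printf "%s %s %s\n", cat, attrs, path
    }'
}

# Paths in one category, e.g.:  rpm -V ipa-server-common | paths_in_category MISSING
paths_in_category() {
    triage_rpm_verify | awk -v want="$1" '$1 == want { print $3 }'
}

# One "<CATEGORY> <count>" line per category, for a quick overview of 'rpm -Va'.
summarize_rpm_verify() {
    triage_rpm_verify | awk '{ n[$1]++ } END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# Exit 0 when anything is missing, so a script can decide to 'dnf reinstall'.
reinstall_needed() {
    [ -n "$(paths_in_category MISSING)" ]
}

# Stand-alone demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_RPM_V" | summarize_rpm_verify
#   printf '%s\n' "$SAMPLE_RPM_V" | paths_in_category MISSING
```

With real output, `rpm -V ipa-server-common | paths_in_category MISSING` gives exactly the list of directories to expect `dnf reinstall ipa-server-common` to put back, while `rpm -Va | paths_in_category CONTENT_CHANGED` cuts the lengthy listing down to the handful of non-config files that should not differ from the package at all.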

Alma 8 is also broken… nothing is working. The server is crashing every couple of hours.

Anup, please open up a separate post for this. This is not in the scope of the post you have added this to.
