<div style="font-family: Helvetica; font-size: 13px;"> +1 for `ipa force-delete client` script.<br></div>
                <div><div><br></div><br>Kind regards,<br>
<br>
Will Sheldon<br>+1.778-689-1244<div><br></div></div>
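<p>Added example, not part of the original thread: a small Python triage of the <code>ipa-client-install -d</code> output quoted below. It lists every external command that returned non-zero and attaches the explanation Rob Crittenden gives in his quoted reply. The sample log is excerpted from that quoted output; the function names and the THREAD_NOTES table are this example's own.</p>

```python
import os
import re

# Excerpt of the debug output quoted in this thread (links and unrelated lines removed).
SAMPLE_LOG = """\
Starting external process
args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
Process finished, return code=1
stdout=
stderr=
Starting external process
args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
Process finished, return code=1
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Starting external process
args=kinit admin@BOINGO.COM
Process finished, return code=0
stdout=Password for admin@BOINGO.COM:

stderr=
Starting external process
args=keyctl search @s user
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com@BOINGO.COM
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/ns-1454.awsdns-53.org@BOINGO.COM not found in Kerberos database.

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service

"""

# Explanations given by Rob Crittenden in the thread, keyed by command basename.
THREAD_NOTES = {
    "ntpdate": "can happen if ntpd is already configured on the client",
    "nsupdate": "expected when IPA is not used for DNS; not a big deal",
}

# nsupdate -g (GSS-TSIG) needs a DNS/ service ticket for the nameserver it
# updates; the KDC error names the principal it could not find.
MISSING_PRINCIPAL = re.compile(r"Server (\S+) not found in Kerberos database")


def parse_external_processes(log_text):
    """Return one dict per 'Starting external process' record in the log."""
    records, cur, field = [], None, None
    for line in log_text.splitlines():
        if line == "Starting external process":
            cur = {"args": "", "rc": None, "stdout": "", "stderr": ""}
            records.append(cur)
            field = None
        elif cur is None:
            continue  # ordinary log line outside a process record
        elif line.startswith("args="):
            cur["args"], field = line[len("args="):], "args"
        elif line.startswith("Process finished, return code="):
            cur["rc"], field = int(line.rsplit("=", 1)[1]), None
        elif line.startswith("stdout="):
            cur["stdout"], field = line[len("stdout="):], "stdout"
        elif line.startswith("stderr="):
            cur["stderr"] = line[len("stderr="):]
            if cur["stderr"]:
                field = "stderr"  # continues until the next blank line
            else:
                cur = None        # empty stderr closes the record
        elif field == "args":
            cur["args"] += " " + line.strip()  # args wrapped by the mail client
        elif field == "stdout":
            cur["stdout"] += "\n" + line
        elif field == "stderr":
            if line.strip():
                cur["stderr"] += "\n" + line
            else:
                cur = None
    for rec in records:
        rec["stdout"] = rec["stdout"].strip()
    return records


def triage(log_text):
    """Group failed external commands by tool and attach the thread's note."""
    failures = {}
    for rec in parse_external_processes(log_text):
        parts = rec["args"].split()
        if not parts or rec["rc"] in (0, None):
            continue
        tool = os.path.basename(parts[0])
        entry = failures.setdefault(tool, {
            "count": 0,
            "stderr": rec["stderr"],
            "note": THREAD_NOTES.get(tool, "not addressed in the thread"),
            "missing_principal": None,
        })
        entry["count"] += 1
        match = MISSING_PRINCIPAL.search(rec["stderr"])
        if match:
            entry["missing_principal"] = match.group(1)
    return failures


if __name__ == "__main__":
    for tool, info in triage(SAMPLE_LOG).items():
        print(tool, info["count"], info["note"], info["missing_principal"])
```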
                 
                <p style="color: #A0A0A8;">On Friday, February 21, 2014 at 1:47 PM, Dmitri Pal wrote:</p>
                <blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
                    <span><div><div><div>On 02/21/2014 03:07 PM, Todd Maugh wrote:</div><blockquote type="cite"><div><div>Thanks Rob! The main issue I am having is that the install is not completing and setting this Ubuntu host up as a client.</div><div><br></div><div>I cleared out the old cert as you suggested; the SSH keys were copied over from a previous attempt. I'm not using IPA as DNS and I understand the NTP part.</div><div><br></div><div><br></div><div>So now my install finishes up like this:</div><div><br></div><div>Forwarding 'host_mod' to server u'<a href="https://se-idm-01.boingo.com/ipa/xml'">https://se-idm-01.boingo.com/ipa/xml'</a></div><div>NSSConnection init <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Connecting: 66.103.90.130:0</div><div>handshake complete, peer = 66.103.90.130:443</div><div>received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly'</div><div>storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly' for principal host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Starting external process</div><div>args=keyctl search @s user ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl search @s user ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return 
code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl padd user ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a> @s</div><div>Process finished, return code=0</div><div>stdout=700576616</div><div><br></div><div>stderr=</div><div>Caught fault 4202 from server <a href="https://se-idm-01.boingo.com/ipa/xml">https://se-idm-01.boingo.com/ipa/xml</a>: no modifications to be performed</div><div>Writing nsupdate commands to /etc/ipa/.dns_update.txt:</div><div>zone <a href="http://boingo.com">boingo.com</a>.</div><div>update delete <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. IN SSHFP</div><div>send</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 1200 IN SSHFP 1 1 AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 1200 IN SSHFP 1 2 B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 1200 IN SSHFP 2 1 D456E5C237736406CB5F4B4C24C836217B6D977E</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 1200 IN SSHFP 2 2 8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 1200 IN SSHFP 3 1 270551D349212B7112D4A9079FF490C8D6733041</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 
1200 IN SSHFP 3 2 0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662</div><div>send</div><div><br></div><div>Starting external process</div><div>args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt</div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/<a href="mailto:ns-1454.awsdns-53.org@BOINGO.COM">ns-1454.awsdns-53.org@BOINGO.COM</a> not found in Kerberos database.</div><div><br></div><div>nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1</div><div>Could not update DNS SSHFP records.</div><div>Starting external process</div><div>args=/usr/sbin/service nscd status</div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=nscd: unrecognized service</div><div><br></div><div>Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'</div><div>Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'</div><div><br></div><div>thanks in advance for any help</div><div><br></div><div>-Todd</div><div><br></div><div>________________________________________</div><div>From: <a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a 
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Rob Crittenden [<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>]</div><div>Sent: Friday, February 21, 2014 11:57 AM</div><div>To: freeipa-users</div><div>Subject: Re: [Freeipa-users] Ubuntu Client HELL</div><div><br></div><div>Todd Maugh wrote:</div><blockquote type="cite"><div>I'm in limbo here trying to solve this issue</div></blockquote><div>It would help if you said what issue you were having...</div><div><br></div><div>And what version of the client you are running.</div><div><br></div><div>Trolling through the log I see a couple of things:</div><div><br></div><div>ntpdate failed, but that can happen if you already have ntpd configured</div><div>on your client. We have a ticket open on that.</div><div><br></div><div>The DNS update failed, presumably because you aren't using IPA for DNS.</div><div>Not a big deal.</div><div><br></div><div>The certmonger failure is due to a bad uninstall in the past. It is</div><div>still tracking an old cert. You can clear it with:</div><div><br></div><div># ipa-getcert list</div><div># ipa-getcert stop-tracking -i &lt;request id&gt;</div><div><br></div><div>The SSH keys are failing to load because they already exist in the host</div><div>entry. 
I guess it was pre-created, or left over from a previous attempt?</div><div>It doesn't appear to be a fatal error.</div><div><br></div><div>rob</div><div><br></div><blockquote type="cite"><div><div>Here is my output with the debug</div><div><br></div><div>root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#</div><div>ipa-client-install -d --no-dns-sshfp</div><div>--hostname=<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a> --force-join</div><div>--domain=<a href="http://boingo.com">boingo.com</a> --server=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>/usr/sbin/ipa-client-install was invoked with options: {'domain':</div><div>'<a href="http://boingo.com">boingo.com</a>', 'force': False, 'krb5_offline_passwords': True, 'primary':</div><div>False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,</div><div>'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':</div><div>None, 'ca_cert_file': None, 'principal': None, 'keytab': None,</div><div>'hostname': '<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>', 'no_ac': False,</div><div>'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates':</div><div>False, 'mkhomedir': False, 'conf_ssh': True, 'force_join': True,</div><div>'server': ['<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>'], 'prompt_password': False, 'permit':</div><div>False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}</div><div>missing options might be asked for interactively later</div><div>Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'</div><div>Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'</div><div>WARNING: ntpd time&date synchronization service will not be configured as</div><div>conflicting service (chronyd) is enabled</div><div>Use --force-ntpd option to disable it and force configuration of 
ntpd</div><div><br></div><div>[IPA Discovery]</div><div>Starting IPA discovery with domain=<a href="http://boingo.com">boingo.com</a>,</div><div>servers=['<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>'],</div><div>hostname=<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></div><div>Server and domain forced</div><div>[Kerberos realm search]</div><div>Search DNS for TXT record of <a href="http://_kerberos.boingo.com">_kerberos.boingo.com</a></div><div>DNS record not found: NXDOMAIN</div><div>[LDAP server check]</div><div>Verifying that <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a> (realm None) is an IPA server</div><div>Init LDAP connection to: <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Search LDAP server for IPA base DN</div><div>Check if naming context 'dc=boingo,dc=com' is for IPA</div><div>Naming context 'dc=boingo,dc=com' is a valid IPA context</div><div>Search for (objectClass=krbRealmContainer) in dc=boingo,dc=com (sub)</div><div>Found: cn=BOINGO.COM,cn=kerberos,dc=boingo,dc=com</div><div>Discovery result: Success; server=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>,</div><div>domain=<a href="http://boingo.com">boingo.com</a>, kdc=None, basedn=dc=boingo,dc=com</div><div>Validated servers: <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>will use discovered domain: <a href="http://boingo.com">boingo.com</a></div><div>Using servers from command line, disabling DNS discovery</div><div>will use provided server: <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Autodiscovery of servers for failover cannot work with this configuration.</div><div>If you proceed with the installation, services will be configured to</div><div>always access the discovered server for all operations and will not fail</div><div>over to other servers in case of failure.</div><div>Proceed with fixed values and no DNS 
discovery? [no]: yes</div><div>will use discovered realm: BOINGO.COM</div><div>will use discovered basedn: dc=boingo,dc=com</div><div>Hostname: <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></div><div>Hostname source: Provided as option</div><div>Realm: BOINGO.COM</div><div>Realm source: Discovered from LDAP DNS records in <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>DNS Domain: <a href="http://boingo.com">boingo.com</a></div><div>DNS Domain source: Forced</div><div>IPA Server: <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>IPA Server source: Provided as option</div><div>BaseDN: dc=boingo,dc=com</div><div>BaseDN source: From IPA server ldap://<a href="http://se-idm-01.boingo.com:389">se-idm-01.boingo.com:389</a></div><div><br></div><div>Continue to configure the system with these values? [no]: yes</div><div>Starting external process</div><div>args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r BOINGO.COM</div><div>Process finished, return code=0</div><div>stdout=</div><div>stderr=Removing principal host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div><br></div><div>Removed old keys for realm BOINGO.COM from /etc/krb5.keytab</div><div>Starting external process</div><div>args=/bin/hostname <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></div><div>Process finished, return code=0</div><div>stdout=</div><div>stderr=</div><div>Backing up system configuration file '/etc/hostname'</div><div>Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</div><div>Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'</div><div>User authorized to enroll computers: admin</div><div>will use principal provided as option: admin</div><div>Synchronizing time with KDC...</div><div>Search DNS for SRV record of <a 
href="http://_ntp._udp.boingo.com">_ntp._udp.boingo.com</a></div><div>DNS record not found: NXDOMAIN</div><div>Starting external process</div><div>args=/usr/sbin/ntpdate -s -b -v <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=</div><div>Starting external process</div><div>args=/usr/sbin/ntpdate -s -b -v <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=</div><div>Starting external process</div><div>args=/usr/sbin/ntpdate -s -b -v <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=</div><div>Unable to sync time with IPA NTP server, assuming the time is in sync.</div><div>Please check that 123 UDP port is opened.</div><div>Writing Kerberos configuration to /tmp/tmpBuP7iE:</div><div>#File modified by ipa-client-install</div><div><br></div><div>includedir /var/lib/sss/pubconf/krb5.include.d/</div><div><br></div><div>[libdefaults]</div><div>    default_realm = BOINGO.COM</div><div>    dns_lookup_realm = false</div><div>    dns_lookup_kdc = false</div><div>    rdns = false</div><div>    ticket_lifetime = 24h</div><div>    forwardable = yes</div><div><br></div><div>[realms]</div><div>    BOINGO.COM = {</div><div>      kdc = <a href="http://se-idm-01.boingo.com:88">se-idm-01.boingo.com:88</a></div><div>      master_kdc = <a href="http://se-idm-01.boingo.com:88">se-idm-01.boingo.com:88</a></div><div>      admin_server = <a href="http://se-idm-01.boingo.com:749">se-idm-01.boingo.com:749</a></div><div>      default_domain = <a href="http://boingo.com">boingo.com</a></div><div>      pkinit_anchors = <a href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a></div><div>    }</div><div><br></div><div>[domain_realm]</div><div>    .<a href="http://boingo.com">boingo.com</a> = BOINGO.COM</div><div>    <a 
href="http://boingo.com">boingo.com</a> = BOINGO.COM</div><div><br></div><div>Password for <a href="mailto:admin@BOINGO.COM">admin@BOINGO.COM</a>:</div><div>Starting external process</div><div>args=kinit <a href="mailto:admin@BOINGO.COM">admin@BOINGO.COM</a></div><div>Process finished, return code=0</div><div>stdout=Password for <a href="mailto:admin@BOINGO.COM">admin@BOINGO.COM</a>:</div><div><br></div><div>stderr=</div><div>trying to retrieve CA cert via LDAP from <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>flushing ldap://<a href="http://se-idm-01.boingo.com:389">se-idm-01.boingo.com:389</a> from SchemaCache</div><div>retrieving schema for SchemaCache url=ldap://<a href="http://se-idm-01.boingo.com:389">se-idm-01.boingo.com:389</a></div><div>conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x140ff80></div><div>Existing CA cert and Retrieved CA cert are identical</div><div>Starting external process</div><div>args=/usr/sbin/ipa-join -s <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a> -b dc=boingo,dc=com -d</div><div>-h <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a> -f</div><div>Process finished, return code=0</div><div>stdout=</div><div>stderr=XML-RPC CALL:</div><div><br></div><div><?xml version="1.0" encoding="UTF-8"?>\r\n</div><div><methodCall>\r\n</div><div><methodName>join</methodName>\r\n</div><div><params>\r\n</div><div><param><value><array><data>\r\n</div><div><value><string><a 
href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></string></value>\r\n</div><div></data></array></value></param>\r\n</div><div><param><value><struct>\r\n</div><div><member><name>nsosversion</name>\r\n</div><div><value><string>3.2.0-58-generic</string></value></member>\r\n</div><div><member><name>nshardwareplatform</name>\r\n</div><div><value><string>x86_64</string></value></member>\r\n</div><div></struct></value></param>\r\n</div><div></params>\r\n</div><div></methodCall>\r\n</div><div><br></div><div>XML-RPC RESPONSE:</div><div><br></div><div><?xml version='1.0' encoding='UTF-8'?>\n</div><div><methodResponse>\n</div><div><params>\n</div><div><param>\n</div><div><value><array><data>\n</div><div><value><string>fqdn=<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>,cn=computers,cn=accounts,dc=boingo,dc=com</string></value>\n</div><div><value><struct>\n</div><div><member>\n</div><div><name>sshpubkeyfp</name>\n</div><div><value><array><data>\n</div><div><value><string>F9:63:24:7C:AF:AF:10:F8:1E:C2:16:69:FE:EF:57:18</div><div>root@1204base (ssh-dss)</string></value>\n</div><div><value><string>85:E8:4E:22:E6:7E:73:0D:10:5C:CB:1A:FC:8B:DE:5C</div><div>root@1204base (ssh-rsa)</string></value>\n</div><div><value><string>B8:BF:50:00:03:BF:AD:71:34:28:CE:83:0A:74:5E:8A</div><div>root@1204base 
(ecdsa-sha2-nistp256)</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>has_keytab</name>\n</div><div><value><boolean>1</boolean></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>ipasshpubkey</name>\n</div><div><value><array><data>\n</div><div><value><string>ssh-dss</div><div>AAAAB3NzaC1kc3MAAACBAPC0DSpZuBTz08MTehuPVq2IDPZMjSpmZz+zuQ9UbAb2yzWspsUfH3FRXMsp5M/NjKjZEUt+f5u24Q6D20Puo1qlhSW6KZv9xtx3Az/zWskvyE5XltCarOjokyjIdF4tcdlpI2onXKJBcUatZI1P9PHe+zEWMY+kbPmQ1R8h2mJTAAAAFQC1Xlgau1z17rjf5HkIBBk+d5WHJQAAAIEAut8bZLpXb1oKCQnTPV4PTXI0bAdIJWHf/4H1HN3E3rUwWwnGY/JiABBDxBJwdGnuYA9EpHZqx9+zkE86XS64Oh48VLvoVKmzMjALKnsMRDe4T5RUkxmOul36Iv+ughRNBRdO013N/j6ABj/6je73AYUGz3mKrWB+tz/szUZMAcsAAACAF73ttJiAMtcydaa63zCD+XldAk6jQwXgz0kBNTVq/n4CdFK4M+NxpH4YN93g5BQZ2IsfOlUUqrZiNy/BLrvqLBJJS+nhyLLKYEyBeiP6dnmVWw7R7A4ZX8osd4PyEAcCcfdzYGxvOJ8x5PdGu8ev8ytVEluxeHyW59vEvKlHBM0=</div><div>root@1204base</string></value>\n</div><div><value><string>ssh-rsa</div><div>AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv</div><div>root@1204base</string></value>\n</div><div><value><string>ecdsa-sha2-nistp256</div><div>AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=</div><div>root@1204base</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>cn</name>\n</div><div><value><array><data>\n</div><div><value><string><a 
href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>usercertificate</name>\n</div><div><value><array><data>\n</div><div><value><base64>\n</div><div></base64></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>krbextradata</name>\n</div><div><value><array><data>\n</div><div><value><base64>\n</div><div>AAKVkgdTaG9zdC9zZ
S1pZG0tdWJ1bnR1LWNsaWVudC0wMS5ib2luZ28uY29tQEJPSU5HTy5DT00A\n</div><div></base64></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>has_password</name>\n</div><div><value><boolean>0</boolean></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>subject</name>\n</div><div><value><string>CN=<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>,O=BOINGO.COM</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>ipacertificatesubjectbase</name>\n</div><div><value><array><data>\n</div><div><value><string>O=BOINGO.COM</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>sha1_fingerprint</name>\n</div><div><value><string>60:5c:7f:f5:e7:77:b7:3c:0c:c8:c0:07:3f:c3:00:18:c1:dd:9d:af</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>krblastsuccessfulauth</name>\n</div><div><value><array><data>\n</div><div><value><string>20140221181453Z</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>serial_number</name>\n</div><div><value><string>26</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>managedby_host</name>\n</div><div><value><array><data>\n</div><div><value><string><a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>enrolledby_user</name>\n</div><div><value><array><data>\n</div><div><value><string>admin</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>dn</name>\n</div><div><value><string>fqdn=<a 
href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>,cn=computers,cn=accounts,dc=boingo,dc=com</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>issuer</name>\n</div><div><value><string>CN=Certificate Authority,O=BOINGO.COM</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>ipauniqueid</name>\n</div><div><value><array><data>\n</div><div><value><string>459b077c-9b20-11e3-89c9-782bcb03bc6d</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>krbprincipalname</name>\n</div><div><value><array><data>\n</div><div><value><string>host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>serverhostname</name>\n</div><div><value><array><data>\n</div><div><value><string>se-idm-ubuntu-client-01</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>objectclass</name>\n</div><div><value><array><data>\n</div><div><value><string>ipaobject</string></value>\n</div><div><value><string>nshost</string></value>\n</div><div><value><string>ipahost</string></value>\n</div><div><value><string>pkiuser</string></value>\n</div><div><value><string>ipaservice</string></value>\n</div><div><value><string>krbprincipalaux</string></value>\n</div><div><value><string>krbprincipal</string></value>\n</div><div><value><string>ieee802device</string></value>\n</div><div><value><string>ipasshhost</string></value>\n</div><div><value><string>top</string></value>\n</div><div><value><string>ipaSshGroupOfPubKeys</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>valid_not_before</name>\n</div><div><value><string>Fri Feb 21 17:53:29 2014 
UTC</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>valid_not_after</name>\n</div><div><value><string>Mon Feb 22 17:53:29 2016 UTC</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>fqdn</name>\n</div><div><value><array><data>\n</div><div><value><string><a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>managing_host</name>\n</div><div><value><array><data>\n</div><div><value><string><a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a></string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>md5_fingerprint</name>\n</div><div><value><string>bb:dc:38:b3:19:ab:7c:07:27:31:f9:a7:78:a4:98:16</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>serial_number_hex</name>\n</div><div><value><string>0x1A</string></value>\n</div><div></member>\n</div><div><member>\n</div><div><name>krblastpwdchange</name>\n</div><div><value><array><data>\n</div><div><value><string>20140221175325Z</string></value>\n</div><div></data></array></value>\n</div><div></member>\n</div><div></struct></value>\n</div><div></data></array></value>\n</div><div></param>\n</div><div></params>\n</div><div></methodResponse>\n</div><div><br></div><div>Keytab successfully retrieved and stored in: /etc/krb5.keytab</div><div>Certificate subject base is: O=BOINGO.COM</div><div><br></div><div>Enrolled in IPA realm BOINGO.COM</div><div>Starting external process</div><div>args=kdestroy</div><div>Process finished, return code=0</div><div>stdout=</div><div>stderr=</div><div>Starting external process</div><div>args=/usr/bin/kinit -k -t /etc/krb5.keytab</div><div>host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process 
finished, return code=0</div><div>stdout=</div><div>stderr=</div><div>Backing up system configuration file '/etc/ipa/default.conf'</div><div>    ->  Not backing up - '/etc/ipa/default.conf' doesn't exist</div><div>Created /etc/ipa/default.conf</div><div>importing all plugin modules in</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins'...</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/entitle.py'</div><div>skipping plugin module ipalib.plugins.entitle: No module named</div><div>rhsm.connection</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'</div><div>importing plugin 
module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'</div><div>Starting external process</div><div>args=klist -V</div><div>Process finished, return code=0</div><div>stdout=Kerberos 5 version 1.10-beta1</div><div><br></div><div>stderr=</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'</div><div>importing plugin 
module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'</div><div>importing plugin module</div><div>'/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'</div><div>Backing up system configuration file '/etc/sssd/sssd.conf'</div><div>Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</div><div>Domain <a href="http://boingo.com">boingo.com</a> is already configured in existing SSSD config,</div><div>creating a new one.</div><div>The old /etc/sssd/sssd.conf is backed up and will be restored during</div><div>uninstall.</div><div>Configured /etc/sssd/sssd.conf</div><div>Starting external process</div><div>args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i</div><div>/etc/ipa/ca.crt</div><div>Process finished, return code=0</div><div>stdout=</div><div>stderr=</div><div>Backing up system configuration file '/etc/krb5.conf'</div><div>Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</div><div>Writing Kerberos configuration to 
/etc/krb5.conf:</div><div>#File modified by ipa-client-install</div><div><br></div><div>includedir /var/lib/sss/pubconf/krb5.include.d/</div><div><br></div><div>[libdefaults]</div><div>    default_realm = BOINGO.COM</div><div>    dns_lookup_realm = false</div><div>    dns_lookup_kdc = false</div><div>    rdns = false</div><div>    ticket_lifetime = 24h</div><div>    forwardable = yes</div><div><br></div><div>[realms]</div><div>    BOINGO.COM = {</div><div>      kdc = <a href="http://se-idm-01.boingo.com:88">se-idm-01.boingo.com:88</a></div><div>      master_kdc = <a href="http://se-idm-01.boingo.com:88">se-idm-01.boingo.com:88</a></div><div>      admin_server = <a href="http://se-idm-01.boingo.com:749">se-idm-01.boingo.com:749</a></div><div>      default_domain = <a href="http://boingo.com">boingo.com</a></div><div>      pkinit_anchors = <a href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a></div><div>    }</div><div><br></div><div>[domain_realm]</div><div>    .<a href="http://boingo.com">boingo.com</a> = BOINGO.COM</div><div>    <a href="http://boingo.com">boingo.com</a> = BOINGO.COM</div><div><br></div><div>Configured /etc/krb5.conf for IPA realm BOINGO.COM</div><div>Starting external process</div><div>args=keyctl search @s user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl search @s user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>failed to find session_cookie in persistent storage for principal</div><div>'host/<a 
href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a>'</div><div>trying <a href="https://se-idm-01.boingo.com/ipa/xml">https://se-idm-01.boingo.com/ipa/xml</a></div><div>Created connection context.xmlclient</div><div>raw: env(None, server=True)</div><div>env(None, server=True, all=True)</div><div>Forwarding 'env' to server u'<a href="https://se-idm-01.boingo.com/ipa/xml'">https://se-idm-01.boingo.com/ipa/xml'</a></div><div>NSSConnection init <a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Connecting: 66.103.90.130:0</div><div>auth_certificate_callback: check_sig=True is_server=False</div><div>Data:</div><div>          Version: 3 (0x2)</div><div>          Serial Number: 10 (0xa)</div><div>          Signature Algorithm:</div><div>              Algorithm: PKCS #1 SHA-256 With RSA Encryption</div><div>          Issuer: CN=Certificate Authority,O=BOINGO.COM</div><div>          Validity:</div><div>              Not Before: Wed Jan 22 23:22:58 2014 UTC</div><div>              Not After : Sat Jan 23 23:22:58 2016 UTC</div><div>          Subject: CN=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>,O=BOINGO.COM</div><div>          Subject Public Key Info:</div><div>              Public Key Algorithm:</div><div>                  Algorithm: PKCS #1 RSA Encryption</div><div>              RSA Public Key:</div><div>                  Modulus:</div><div>                  Exponent: 65537 (0x10001)</div><div>      Signed Extensions: (5)</div><div>          Name: Certificate Authority Key Identifier</div><div>          Critical: False</div><div>          Key ID:</div><div>              2e:77:3e:6b:23:1f:b1:ce:07:8c:9e:09:09:03:cf:7c:</div><div>              9a:20:46:cd</div><div>          Serial Number: None</div><div>          General Names: [0 total]</div><div><br></div><div>          Name: Authority Information Access</div><div>          Critical: False</div><div><br></div><div>          Name: Certificate Key Usage</div><div>          Critical: True</div><div>          Usages:</div><div>              Digital Signature</div><div>              Non-Repudiation</div><div>              Key Encipherment</div><div>              Data Encipherment</div><div><br></div><div>          Name: Extended Key Usage</div><div>          Critical: False</div><div>          Usages:</div><div>              TLS Web Server Authentication Certificate</div><div>              TLS Web Client Authentication Certificate</div><div><br></div><div>          Name: Certificate Subject Key ID</div><div>          Critical: False</div><div>          Data:</div><div>              
c5:83:cc:e3:c4:64:6f:f1:67:47:f3:cd:6a:bd:f5:2c:</div><div>              ac:91:1e:0c</div><div><br></div><div>      Signature:</div><div>          Signature Algorithm:</div><div>              Algorithm: PKCS #1 SHA-256 With RSA Encryption</div><div>          Signature:</div><div>          Fingerprint (MD5):</div><div>              43:6b:f7:a8:12:d6:72:2f:3c:36:60:ff:ea:6b:53:a9</div><div>          Fingerprint (SHA1):</div><div>              91:b6:61:43:5d:0b:d0:14:cf:71:c8:c6:20:88:74:be:</div><div>              ce:ad:a0:53</div><div>approved_usage = SSLServer intended_usage = SSLServer</div><div>cert valid True for "CN=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>,O=BOINGO.COM"</div><div>handshake complete, peer = 66.103.90.130:443</div><div>received Set-Cookie 
'ipa_session=feebdfa3447e7a8bdae71ad28871835e;</div><div>Domain=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>; Path=/ipa; Expires=Fri, 21 Feb 2014</div><div>19:47:41 GMT; Secure; HttpOnly'</div><div>storing cookie 'ipa_session=feebdfa3447e7a8bdae71ad28871835e;</div><div>Domain=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>; Path=/ipa; Expires=Fri, 21 Feb 2014</div><div>19:47:41 GMT; Secure; HttpOnly' for principal</div><div>host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Starting external process</div><div>args=keyctl search @s user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl search @s user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl padd user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a> @s</div><div>Process finished, return code=0</div><div>stdout=546101869</div><div><br></div><div>stderr=</div><div>Hostname (<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>) not found in DNS</div><div>Writing nsupdate commands to /etc/ipa/.dns_update.txt:</div><div><br></div><div>zone <a href="http://boingo.com">boingo.com</a>.</div><div>update delete <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 
IN A</div><div>send</div><div>update add <a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>. 1200 IN A 23.253.21.58</div><div>send</div><div><br></div><div>Starting external process</div><div>args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt</div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS</div><div>failure.  Minor code may provide more information, Minor = Server</div><div>DNS/<a href="mailto:ns-1454.awsdns-53.org@BOINGO.COM">ns-1454.awsdns-53.org@BOINGO.COM</a> not found in Kerberos database.</div><div><br></div><div>nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'</div><div>returned non-zero exit status 1</div><div>Failed to update DNS records.</div><div>Starting external process</div><div>args=/usr/sbin/service dbus status</div><div>Process finished, return code=0</div><div>stdout=dbus start/running, process 1004</div><div><br></div><div>stderr=</div><div>Starting external process</div><div>args=/usr/sbin/service certmonger restart</div><div>Process finished, return code=0</div><div>stdout=certmonger stop/waiting</div><div>certmonger start/running</div><div><br></div><div>stderr=</div><div>Starting external process</div><div>args=/usr/sbin/service certmonger status</div><div>Process finished, return code=0</div><div>stdout=certmonger start/running</div><div><br></div><div>stderr=</div><div>Starting external process</div><div>args=/usr/sbin/service certmonger stop</div><div>Process finished, return code=0</div><div>stdout=certmonger stop/waiting</div><div><br></div><div>stderr=</div><div>certmonger failed to stop: [Errno 2] No such file or directory:</div><div>'/var/run/ipa/services.list'</div><div>Starting external process</div><div>args=/usr/sbin/service certmonger restart</div><div>Process finished, return code=0</div><div>stdout=certmonger start/running</div><div><br></div><div>stderr=stop: Unknown 
instance:</div><div><br></div><div>Starting external process</div><div>args=/usr/sbin/service certmonger status</div><div>Process finished, return code=0</div><div>stdout=certmonger start/running</div><div><br></div><div>stderr=</div><div>Starting external process</div><div>args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -</div><div><a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a> -N</div><div>CN=<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>,O=BOINGO.COM -K</div><div>host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=Certificate at same location is already used by request with</div><div>nickname "20140221175328".</div><div><br></div><div>stderr=</div><div>certmonger request for host certificate failed</div><div>Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub</div><div>Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub</div><div>Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub</div><div>raw: host_mod(u'<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>',</div><div>ipasshpubkey=[u'ssh-rsa</div><div>root@1204base', u'ssh-dss</div><div>root@1204base', u'ecdsa-sha2-nistp256</div><div>root@1204base'], updatedns=False)</div><div>host_mod(u'<a href="http://se-idm-ubuntu-client-01.boingo.com">se-idm-ubuntu-client-01.boingo.com</a>', random=False,</div><div>ipasshpubkey=(u'ssh-rsa</div><div>root@1204base', u'ssh-dss</div><div>root@1204base', u'ecdsa-sha2-nistp256</div><div>root@1204base'), rights=False, updatedns=False, all=False, raw=False)</div><div>Forwarding 'host_mod' to server u'<a href="https://se-idm-01.boingo.com/ipa/xml'">https://se-idm-01.boingo.com/ipa/xml'</a></div><div>NSSConnection init <a 
href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a></div><div>Connecting: 66.103.90.130:0</div><div>handshake complete, peer = 66.103.90.130:443</div><div>received Set-Cookie 'ipa_session=19d25037e9a9416d6201a0fbd3faaccb;</div><div>Domain=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>; Path=/ipa; Expires=Fri, 21 Feb 2014</div><div>19:47:43 GMT; Secure; HttpOnly'</div><div>storing cookie 'ipa_session=19d25037e9a9416d6201a0fbd3faaccb;</div><div>Domain=<a href="http://se-idm-01.boingo.com">se-idm-01.boingo.com</a>; Path=/ipa; Expires=Fri, 21 Feb 2014</div><div>19:47:43 GMT; Secure; HttpOnly' for principal</div><div>host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Starting external process</div><div>args=keyctl search @s user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl search @s user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a></div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=keyctl_search: Required key not available</div><div><br></div><div>Starting external process</div><div>args=keyctl padd user</div><div>ipa_session_cookie:host/<a href="mailto:se-idm-ubuntu-client-01.boingo.com@BOINGO.COM">se-idm-ubuntu-client-01.boingo.com@BOINGO.COM</a> @s</div><div>Process finished, return code=0</div><div>stdout=1008872903</div><div><br></div><div>stderr=</div><div>Caught fault 4202 from server <a href="https://se-idm-01.boingo.com/ipa/xml">https://se-idm-01.boingo.com/ipa/xml</a>: no</div><div>modifications to be performed</div><div>Starting external 
process</div><div>args=/usr/sbin/service nscd status</div><div>Process finished, return code=1</div><div>stdout=</div><div>stderr=nscd: unrecognized service</div><div><br></div><div>Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'</div><div>Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'</div><div><br></div><div><br></div><div><br></div><div><br></div><div>_______________________________________________</div><div>Freeipa-users mailing list</div><div><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a></div><div><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div></div></blockquote></div></blockquote><div><br></div><div><br></div><div>Does the host have the old Kerberos key?</div><div>If you go to the IPA UI for the host, does it still show that the host </div><div>has the key and the cert?</div><div>I bet it does. Clean both. Or remove and recreate the host entry; that </div><div>might be even cleaner, but you need to think about all the host </div><div>membership entries that would be deleted with this operation, so use caution.</div><div><br></div><div>The whole situation points to the following:</div><div>1) Client system was once provisioned</div><div>2) System was reimaged/reprovisioned but the uninstall did not complete </div><div>or was not run or was run offline, so the server still thinks that the client </div><div>is still around as a healthy but old instance, and its keys are gone.</div><div><br></div><div>To clean up this situation, the host entry and related certs should be cleaned </div><div>on both the client and server side.</div><div><br></div><div>Do we have a how-to about that? IMO it would be handy to have a HOWTO </div><div>that would tell "What should one do to reinstall the client if you wiped </div><div>the client without doing anything on the server".</div><div><br></div><div><br></div><div><br></div><div>-- </div><div>Thank you,</div><div>Dmitri Pal</div><div><br></div><div>Sr. Engineering Manager for IdM portfolio</div><div>Red Hat Inc.</div></div></div></span>
                 
                 
                 
                 
                </blockquote>
                 
                <div>
                    <br>
                </div>
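<div>Added example (not part of the thread and not FreeIPA code): a small parser for the installer's "Starting external process" blocks quoted above, separating the harmless non-zero exits from the two that matter in this log, the GSS-TSIG nsupdate failure and the leftover certmonger request. The sample log is constructed with placeholder host and realm names, and the verdict labels are this example's own.</div>

```python
import re

# Constructed sample modelled on the ipa-client-install debug output quoted in
# the thread; host and realm names are placeholders.
SAMPLE_LOG = """\
Starting external process
args=keyctl search @s user ipa_session_cookie:host/client.example.test@EXAMPLE.TEST
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
failure.  Minor code may provide more information, Minor = Server
DNS/ns.example.test@EXAMPLE.TEST not found in Kerberos database.

Starting external process
args=/usr/sbin/service certmonger status
Process finished, return code=0
stdout=certmonger start/running

stderr=
Starting external process
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -K host/client.example.test@EXAMPLE.TEST
Process finished, return code=1
stdout=Certificate at same location is already used by request with
nickname "20140221175328".

stderr=
certmonger request for host certificate failed
"""

BLOCK = re.compile(
    r"args=(?P<args>.*?)\nProcess finished, return code=(?P<rc>\d+)\n"
    r"stdout=(?P<out>.*?)\nstderr=(?P<err>.*)", re.S)

# (pattern in args, pattern in output, verdict). The verdict names are this
# example's own labels, not FreeIPA terminology.
RULES = [
    (r"keyctl search", r"Required key not available", "benign"),  # cookie is stored later by keyctl padd
    (r"nsupdate -g", r"not found in Kerberos database", "dns-not-in-realm"),
    (r"ipa-getcert request", r"already used by request", "stale-cert-request"),
]

def parse_processes(log):
    """Return one dict per 'Starting external process' block."""
    flat = lambda s: " ".join(s.split())  # undo log/mail line wrapping
    procs = []
    for chunk in log.split("Starting external process\n")[1:]:
        m = BLOCK.search(chunk)
        if m:
            procs.append({"args": flat(m["args"]), "rc": int(m["rc"]),
                          "output": flat(m["out"] + " " + m["err"])})
    return procs

def triage(log):
    """List (verdict, args) for every external command that exited non-zero."""
    findings = []
    for p in parse_processes(log):
        if p["rc"] == 0:
            continue
        verdict = next((v for a, o, v in RULES
                        if re.search(a, p["args"]) and re.search(o, p["output"])),
                       "unclassified")
        findings.append((verdict, p["args"]))
    return findings

def stale_request_ids(log):
    """Request nicknames certmonger reports as already tracking the certificate."""
    pat = r'already used by request with nickname "(\d+)"'
    return [i for p in parse_processes(log) for i in re.findall(pat, p["output"])]
```

<div>The nicknames returned by <code>stale_request_ids</code> are the certmonger request IDs left over from the earlier enrollment, which is the client-side half of the cleanup described in the reply above.</div>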