<div dir="ltr">







<p class="gmail-p1">Hi, I seem to be having some issues trying to install the IPA client (version 4.4.0) on CentOS 7 using DNS.</p>
<p class="gmail-p1">I can get a working install by issuing the --server flags, but I would rather do it using SRV so we can issue the command via Salt to multiple servers and, should we add another replicant, we will only need to update the SRV records rather than updating all our client servers.</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">I am running this command:</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">$>ipa-client-install --force-ntpd  --mkhomedir --principal admin --realm=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a> --domain <a href="http://uk.internal.mydomain.com">uk.internal.mydomain.com</a> --unattended -w superhard</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">But I keep getting this.</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">Discovery was successful!</p>
<p class="gmail-p1">Client hostname: <a href="http://portalwaf2.uk">portalwaf2.uk</a></p>
<p class="gmail-p1">Realm: <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">DNS Domain: <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">IPA Server: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">Synchronizing time with KDC...</p>
<p class="gmail-p1">Attempting to sync time using ntpd.  Will timeout after 15 seconds</p>
<p class="gmail-p1">Successfully retrieved CA cert</p>
<p class="gmail-p1">    Subject:     CN=Certificate Authority,O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">    Issuer:      CN=Certificate Authority,O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">    Valid From:  Fri Feb 17 12:09:04 2017 UTC</p>
<p class="gmail-p1">    Valid Until: Tue Feb 17 12:09:04 2037 UTC</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">Enrolled in IPA realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">Created /etc/ipa/default.conf</p>
<p class="gmail-p1">New SSSD config will be created</p>
<p class="gmail-p1">Configured sudoers in /etc/nsswitch.conf</p>
<p class="gmail-p1">Configured /etc/sssd/sssd.conf</p>
<p class="gmail-p1">Configured /etc/krb5.conf for IPA realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">trying <a href="https://ipa1.uk.internal.mydomain.com/ipa/json">https://ipa1.uk.internal.mydomain.com/ipa/json</a></p>
<p class="gmail-p1">Traceback (most recent call last):</p>
<p class="gmail-p1">  File "/usr/sbin/ipa-client-install", line 3128, in &lt;module&gt;</p>
<p class="gmail-p1">    sys.exit(main())</p>
<p class="gmail-p1">  File "/usr/sbin/ipa-client-install", line 3109, in main</p>
<p class="gmail-p1">    rval = install(options, env, fstore, statestore)</p>
<p class="gmail-p1">  File "/usr/sbin/ipa-client-install", line 2818, in install</p>
<p class="gmail-p1">    api.finalize()</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize</p>
<p class="gmail-p1">    self.__do_if_not_done('load_plugins')</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done</p>
<p class="gmail-p1">    getattr(self, name)()</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins</p>
<p class="gmail-p1">    for package in self.packages:</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages</p>
<p class="gmail-p1">    ipaclient.remote_plugins.get_package(self),</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package</p>
<p class="gmail-p1">    plugins = schema.get_package(server_info, client)</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package</p>
<p class="gmail-p1">    schema = Schema(client)</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__</p>
<p class="gmail-p1">    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 413, in _fetch</p>
<p class="gmail-p1">    client.connect(verbose=False)</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect</p>
<p class="gmail-p1">    conn = self.create_connection(*args, **kw)</p>
<p class="gmail-p1">  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection</p>
<p class="gmail-p1">    raise errors.KerberosError(message=unicode(krberr))</p>
<p class="gmail-p1">ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a>"</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">Installation log:</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': '<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>', 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': '<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a>', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': True, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': True, 'uninstall': False}</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG missing options might be asked for interactively later</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG IPA version 4.4.0-14.el7.centos.4</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG [IPA Discovery]</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting IPA discovery with domain=<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>, servers=None, hostname=<a href="http://portalwaf2.uk">portalwaf2.uk</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search for LDAP SRV record in <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._<a href="http://tcp.freeipa.uk.internal.mydomain.com">tcp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG [Kerberos realm search]</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Kerberos realm forced</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _kerberos._<a href="http://udp.freeipa.uk.internal.mydomain.com">udp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 88 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 88 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG [LDAP server check]</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Verifying that <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a> (realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a>) is an IPA server</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Init LDAP connection to: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search LDAP server for IPA base DN</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Check if naming context 'dc=uk,dc=internal,dc=mydomain,dc=com' is for IPA</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Naming context 'dc=uk,dc=internal,dc=mydomain,dc=com' is a valid IPA context</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search for (objectClass=krbRealmContainer) in dc=uk,dc=internal,dc=mydomain,dc=com (sub)</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Found: cn=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a>,cn=kerberos,dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Discovery result: Success; server=<a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>, domain=<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>, kdc=<a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>,<a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>, basedn=dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Validated servers: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered domain: <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Start searching for LDAP SRV record in "<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>" (Validating DNS Discovery) and its sub-domains</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._<a href="http://tcp.freeipa.uk.internal.mydomain.com">tcp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS validated, enabling discovery</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered server: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Discovery was successful!</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered realm: <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered basedn: dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Client hostname: <a href="http://portalwaf2.uk">portalwaf2.uk</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Hostname source: Machine's FQDN</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Realm: <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Realm source: Discovered from LDAP DNS records in <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO DNS Domain: <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS Domain source: Discovered LDAP SRV records from <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO IPA Server: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG IPA Server source: Discovered from LDAP DNS records in <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG BaseDN source: From IPA server ldap://<a href="http://ipa1.uk.internal.mydomain.com:389">ipa1.uk.internal.mydomain.com:389</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=5</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=realm not found</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Synchronizing time with KDC...</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ntp._<a href="http://udp.freeipa.uk.internal.mydomain.com">udp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 123 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 123 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Attempting to sync time using ntpd.  Will timeout after 15 seconds</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc /tmp/tmplUZ6sG</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=ntpd: time set -1.083636s</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=540282011</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /tmp/tmpEVHPqI:</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">includedir /etc/krb5.conf.d/</p>
<p class="gmail-p1">includedir /var/lib/sss/pubconf/krb5.include.d/</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[libdefaults]</p>
<p class="gmail-p1">  default_realm = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  dns_lookup_realm = false</p>
<p class="gmail-p1">  dns_lookup_kdc = false</p>
<p class="gmail-p1">  rdns = false</p>
<p class="gmail-p1">  ticket_lifetime = 24h</p>
<p class="gmail-p1">  forwardable = true</p>
<p class="gmail-p1">  udp_preference_limit = 0</p>
<p class="gmail-p1">  default_ccache_name = KEYRING:persistent:%{uid}</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[realms]</p>
<p class="gmail-p1">  <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a> = {</p>
<p class="gmail-p1">    kdc = <a href="http://ipa1.uk.internal.mydomain.com:88">ipa1.uk.internal.mydomain.com:88</a></p>
<p class="gmail-p1">    master_kdc = <a href="http://ipa1.uk.internal.mydomain.com:88">ipa1.uk.internal.mydomain.com:88</a></p>
<p class="gmail-p1">    admin_server = <a href="http://ipa1.uk.internal.mydomain.com:749">ipa1.uk.internal.mydomain.com:749</a></p>
<p class="gmail-p1">    kpasswd_server = <a href="http://ipa1.uk.internal.mydomain.com:464">ipa1.uk.internal.mydomain.com:464</a></p>
<p class="gmail-p1">    default_domain = <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">    pkinit_anchors = FILE:/etc/ipa/ca.crt</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">  }</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[domain_realm]</p>
<p class="gmail-p1">  .<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://portalwaf2.uk">portalwaf2.uk</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  .uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Initializing principal <a href="mailto:admin@UK.INTERNAL.MYDOMAIN.COM">admin@UK.INTERNAL.MYDOMAIN.COM</a> using password</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/kinit <a href="mailto:admin@UK.INTERNAL.MYDOMAIN.COM">admin@UK.INTERNAL.MYDOMAIN.COM</a> -c /tmp/krbccxpYNsC/ccache</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=Password for <a href="mailto:admin@UK.INTERNAL.MYDOMAIN.COM">admin@UK.INTERNAL.MYDOMAIN.COM</a>: </p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG trying to retrieve CA cert via LDAP from <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG flushing ldap://<a href="http://ipa1.uk.internal.mydomain.com:389">ipa1.uk.internal.mydomain.com:389</a> from SchemaCache</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG retrieving schema for SchemaCache url=ldap://<a href="http://ipa1.uk.internal.mydomain.com:389">ipa1.uk.internal.mydomain.com:389</a> conn=&lt;ldap.ldapobject.SimpleLDAPObject instance at 0x1fb8ab8&gt;</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Successfully retrieved CA cert</p>
<p class="gmail-p1">    Subject:     CN=Certificate Authority,O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">    Issuer:      CN=Certificate Authority,O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">    Valid From:  Fri Feb 17 12:09:04 2017 UTC</p>
<p class="gmail-p1">    Valid Until: Tue Feb 17 12:09:04 2037 UTC</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-join -s <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a> -b dc=uk,dc=internal,dc=mydomain,dc=com -h <a href="http://portalwaf2.uk">portalwaf2.uk</a> -f</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab</p>
<p class="gmail-p1">Certificate subject base is: O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Enrolled in IPA realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=kdestroy</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Initializing principal host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a> using keytab /etc/krb5.keytab</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG using ccache /etc/ipa/.dns_ccache</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Attempt 1/5: success</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG   -> Not backing up - '/etc/ipa/default.conf' doesn't exist</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Created /etc/ipa/default.conf</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO New SSSD config will be created</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Configured sudoers in /etc/nsswitch.conf</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Configured /etc/sssd/sssd.conf</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/krb5.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=540282011</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">includedir /etc/krb5.conf.d/</p>
<p class="gmail-p1">includedir /var/lib/sss/pubconf/krb5.include.d/</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[libdefaults]</p>
<p class="gmail-p1">  default_realm = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  dns_lookup_realm = true</p>
<p class="gmail-p1">  dns_lookup_kdc = true</p>
<p class="gmail-p1">  rdns = false</p>
<p class="gmail-p1">  ticket_lifetime = 24h</p>
<p class="gmail-p1">  forwardable = true</p>
<p class="gmail-p1">  udp_preference_limit = 0</p>
<p class="gmail-p1">  default_ccache_name = KEYRING:persistent:%{uid}</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[realms]</p>
<p class="gmail-p1">  <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a> = {</p>
<p class="gmail-p1">    pkinit_anchors = FILE:/etc/ipa/ca.crt</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">  }</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[domain_realm]</p>
<p class="gmail-p1">  .<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://portalwaf2.uk">portalwaf2.uk</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  .uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Configured /etc/krb5.conf for IPA realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl search @s user ipa_session_cookie:host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=1</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -N -f /tmp/tmp8JvkBZ</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -A -n CA certificate 1 -t C,,</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl search @s user ipa_session_cookie:host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=1</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG failed to find session_cookie in persistent storage for principal 'host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a>'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO trying <a href="https://ipa1.uk.internal.mydomain.com/ipa/json">https://ipa1.uk.internal.mydomain.com/ipa/json</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': '<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>', 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': '<a href="http://UK.INTERNAL.mydomain.COM">UK.INTERNAL.mydomain.COM</a>', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': True, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': True, 'uninstall': False}</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG missing options might be asked for interactively later</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG IPA version 4.4.0-14.el7.centos.4</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG [IPA Discovery]</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting IPA discovery with domain=<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>, servers=None, hostname=<a href="http://portalwaf2.uk">portalwaf2.uk</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search for LDAP SRV record in <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._<a href="http://tcp.freeipa.uk.internal.mydomain.com">tcp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG [Kerberos realm search]</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Kerberos realm forced</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _kerberos._<a href="http://udp.freeipa.uk.internal.mydomain.com">udp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 88 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 88 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG [LDAP server check]</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Verifying that <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a> (realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a>) is an IPA server</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Init LDAP connection to: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search LDAP server for IPA base DN</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Check if naming context 'dc=uk,dc=internal,dc=mydomain,dc=com' is for IPA</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Naming context 'dc=uk,dc=internal,dc=mydomain,dc=com' is a valid IPA context</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search for (objectClass=krbRealmContainer) in dc=uk,dc=internal,dc=mydomain,dc=com (sub)</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Found: cn=<a href="http://UK.INTERNAL.mydomain.COM">UK.INTERNAL.mydomain.COM</a>,cn=kerberos,dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Discovery result: Success; server=<a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>, domain=<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>, kdc=<a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>,<a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>, basedn=dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Validated servers: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered domain: <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Start searching for LDAP SRV record in "<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a>" (Validating DNS Discovery) and its sub-domains</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._<a href="http://tcp.freeipa.uk.internal.mydomain.com">tcp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS validated, enabling discovery</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered server: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Discovery was successful!</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered realm: <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG will use discovered basedn: dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Client hostname: <a href="http://portalwaf2.uk">portalwaf2.uk</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Hostname source: Machine's FQDN</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Realm: <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Realm source: Discovered from LDAP DNS records in <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO DNS Domain: <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS Domain source: Discovered LDAP SRV records from <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO IPA Server: <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG IPA Server source: Discovered from LDAP DNS records in <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG BaseDN source: From IPA server ldap://<a href="http://ipa1.uk.internal.mydomain.com:389">ipa1.uk.internal.mydomain.com:389</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=5</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=realm not found</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Synchronizing time with KDC...</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ntp._<a href="http://udp.freeipa.uk.internal.mydomain.com">udp.freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 123 <a href="http://ipa2.uk.internal.mydomain.com">ipa2.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 123 <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a>.</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Attempting to sync time using ntpd.  Will timeout after 15 seconds</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc /tmp/tmplUZ6sG</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=ntpd: time set -1.083636s</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=540282011</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /tmp/tmpEVHPqI:</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">includedir /etc/krb5.conf.d/</p>
<p class="gmail-p1">includedir /var/lib/sss/pubconf/krb5.include.d/</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[libdefaults]</p>
<p class="gmail-p1">  default_realm = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  dns_lookup_realm = false</p>
<p class="gmail-p1">  dns_lookup_kdc = false</p>
<p class="gmail-p1">  rdns = false</p>
<p class="gmail-p1">  ticket_lifetime = 24h</p>
<p class="gmail-p1">  forwardable = true</p>
<p class="gmail-p1">  udp_preference_limit = 0</p>
<p class="gmail-p1">  default_ccache_name = KEYRING:persistent:%{uid}</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[realms]</p>
<p class="gmail-p1">  <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a> = {</p>
<p class="gmail-p1">    kdc = <a href="http://ipa1.uk.internal.mydomain.com:88">ipa1.uk.internal.mydomain.com:88</a></p>
<p class="gmail-p1">    master_kdc = <a href="http://ipa1.uk.internal.mydomain.com:88">ipa1.uk.internal.mydomain.com:88</a></p>
<p class="gmail-p1">    admin_server = <a href="http://ipa1.uk.internal.mydomain.com:749">ipa1.uk.internal.mydomain.com:749</a></p>
<p class="gmail-p1">    kpasswd_server = <a href="http://ipa1.uk.internal.mydomain.com:464">ipa1.uk.internal.mydomain.com:464</a></p>
<p class="gmail-p1">    default_domain = <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">    pkinit_anchors = FILE:/etc/ipa/ca.crt</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">  }</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[domain_realm]</p>
<p class="gmail-p1">  .<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://portalwaf2.uk">portalwaf2.uk</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  .uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Initializing principal <a href="mailto:admin@UK.INTERNAL.MYDOMAIN.COM">admin@UK.INTERNAL.MYDOMAIN.COM</a> using password</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/kinit <a href="mailto:admin@UK.INTERNAL.MYDOMAIN.COM">admin@UK.INTERNAL.MYDOMAIN.COM</a> -c /tmp/krbccxpYNsC/ccache</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=Password for <a href="mailto:admin@UK.INTERNAL.MYDOMAIN.COM">admin@UK.INTERNAL.MYDOMAIN.COM</a>: </p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG trying to retrieve CA cert via LDAP from <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG flushing ldap://<a href="http://ipa1.uk.internal.mydomain.com:389">ipa1.uk.internal.mydomain.com:389</a> from SchemaCache</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG retrieving schema for SchemaCache url=ldap://<a href="http://ipa1.uk.internal.mydomain.com:389">ipa1.uk.internal.mydomain.com:389</a> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1fb8ab8></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Successfully retrieved CA cert</p>
<p class="gmail-p1">    Subject:     CN=Certificate Authority,O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">    Issuer:      CN=Certificate Authority,O=<a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">    Valid From:  Fri Feb 17 12:09:04 2017 UTC</p>
<p class="gmail-p1">    Valid Until: Tue Feb 17 12:09:04 2037 UTC</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-join -s <a href="http://ipa1.uk.internal.mydomain.com">ipa1.uk.internal.mydomain.com</a> -b dc=uk,dc=internal,dc=mydomain,dc=com -h <a href="http://portalwaf2.uk">portalwaf2.uk</a> -f</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab</p>
<p class="gmail-p1">Certificate subject base is: O=<a href="http://UK.INTERNAL.mydomain.COM">UK.INTERNAL.mydomain.COM</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Enrolled in IPA realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=kdestroy</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Initializing principal host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a> using keytab /etc/krb5.keytab</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG using ccache /etc/ipa/.dns_ccache</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Attempt 1/5: success</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG   -> Not backing up - '/etc/ipa/default.conf' doesn't exist</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Created /etc/ipa/default.conf</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO New SSSD config will be created</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Configured sudoers in /etc/nsswitch.conf</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Configured /etc/sssd/sssd.conf</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/krb5.conf'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=540282011</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">includedir /etc/krb5.conf.d/</p>
<p class="gmail-p1">includedir /var/lib/sss/pubconf/krb5.include.d/</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[libdefaults]</p>
<p class="gmail-p1">  default_realm = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  dns_lookup_realm = true</p>
<p class="gmail-p1">  dns_lookup_kdc = true</p>
<p class="gmail-p1">  rdns = false</p>
<p class="gmail-p1">  ticket_lifetime = 24h</p>
<p class="gmail-p1">  forwardable = true</p>
<p class="gmail-p1">  udp_preference_limit = 0</p>
<p class="gmail-p1">  default_ccache_name = KEYRING:persistent:%{uid}</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[realms]</p>
<p class="gmail-p1">  <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a> = {</p>
<p class="gmail-p1">    pkinit_anchors = FILE:/etc/ipa/ca.crt</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">  }</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">[domain_realm]</p>
<p class="gmail-p1">  .<a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://freeipa.uk.internal.mydomain.com">freeipa.uk.internal.mydomain.com</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  <a href="http://portalwaf2.uk">portalwaf2.uk</a> = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  .uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">  uk = <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO Configured /etc/krb5.conf for IPA realm <a href="http://UK.INTERNAL.MYDOMAIN.COM">UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl search @s user ipa_session_cookie:host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=1</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -N -f /tmp/tmp8JvkBZ</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -A -n CA certificate 1 -t C,,</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=0</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Starting external process</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG args=keyctl search @s user ipa_session_cookie:host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG Process finished, return code=1</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stdout=</p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">2017-03-02T15:38:32Z DEBUG failed to find session_cookie in persistent storage for principal 'host/<a href="mailto:portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM">portalwaf2.uk@UK.INTERNAL.MYDOMAIN.COM</a>'</p>
<p class="gmail-p1">2017-03-02T15:38:32Z INFO trying <a href="https://ipa1.uk.internal.mydomain.com/ipa/json">https://ipa1.uk.internal.mydomain.com/ipa/json</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">Running ipa-getcert list returns: Number of certificates and requests being tracked: 0.</p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">DNS records:</p>
<p class="gmail-p1">SRV record for FreeIPA</p>
<p class="gmail-p1">_<a href="http://kerberos.freeipa.uk">kerberos.freeipa.uk</a>    IN      TXT     "<a href="http://FREEIPA.UK.INTERNAL.MYDOMAIN.COM">FREEIPA.UK.INTERNAL.MYDOMAIN.COM</a>"</p>
<p class="gmail-p1">_ldap._tcp              IN      SRV     60 0 389 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                        IN      SRV     40 0 389 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p1">_ldap._<a href="http://tcp.freeipa.uk">tcp.freeipa.uk</a>   IN      SRV     60 0 389 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                        IN      SRV     40 0 389 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_ldaps._<a href="http://tcp.freeipa.uk">tcp.freeipa.uk</a>  IN      SRV     60 0 636 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                        IN      SRV     40 0 636 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_kerberos._<a href="http://tcp.freeipa.uk">tcp.freeipa.uk</a>  IN   SRV     60 0 464 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                           IN   SRV     40 0 464 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_http._<a href="http://tcp.freeipa.uk">tcp.freeipa.uk</a>      IN   SRV     60 0 80  <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                           IN   SRV     40 0 80  <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_https._<a href="http://tcp.freeipa.uk">tcp.freeipa.uk</a>     IN   SRV     60 0 443 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                           IN   SRV     40 0 442 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p1">_kerberos-adm._<a href="http://tcp.freeipa.uk">tcp.freeipa.uk</a>  IN       SRV     60 0 749 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                               IN       SRV     40 0 749 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_kerberos-master._<a href="http://udp.freeipa.uk">udp.freeipa.uk</a>  IN    SRV     0 0 88 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_kerberos._<a href="http://udp.freeipa.uk">udp.freeipa.uk</a>  IN   SRV     60 0 88  <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                           IN   SRV     40 0 88  <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_kpasswd._<a href="http://udp.freeipa.uk">udp.freeipa.uk</a>   IN   SRV     60 0 464 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                           IN   SRV     40 0 464 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p>
<p class="gmail-p1">_ntp._<a href="http://udp.freeipa.uk">udp.freeipa.uk</a>       IN   SRV     60 0 123 <a href="http://ipa1.uk">ipa1.uk</a></p>
<p class="gmail-p1">                           IN   SRV     40 0 123 <a href="http://ipa2.uk">ipa2.uk</a></p>
<p class="gmail-p2"><br></p><p class="gmail-p2"><br></p><p class="gmail-p2">Not sure what I'm getting wrong.</p><div><div class="gmail_signature"><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"times new roman";font-size:medium">-- </span><br style="color:rgb(0,0,0);font-family:"times new roman";font-size:medium"><table border="0" cellpadding="0" cellspacing="0" style="font-size:12.8px;font-family:"times new roman""><tbody><tr><td>Regards</td></tr><tr height="15"><td colspan="2"> </td></tr><tr><td colspan="2"><font color="003366" face="arial" size="3"><b>Mick</b></font></td></tr></tbody></table></div></div></div>
</div>
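<p>Added example, not part of the original post: a small Python linter for the DNS records listed above, which compares each SRV port with the registered port for that service and the <code>_kerberos</code> TXT value with the realm passed to <code>--realm</code>. The names <code>lint_zone</code>, <code>parse_zone</code> and <code>EXPECTED_PORTS</code> are made up for this example; the record text is copied from the post with the mail client's auto-links stripped.</p>

```python
import re

# Registered ports for the services an IPA domain publishes as SRV records.
EXPECTED_PORTS = {
    "_ldap._tcp": 389, "_ldaps._tcp": 636, "_http._tcp": 80, "_https._tcp": 443,
    "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kerberos-adm._tcp": 749,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_ntp._udp": 123,
}

# The records listed in the post, with the mail client's auto-links stripped.
ZONE_TEXT = """\
_kerberos.freeipa.uk    IN      TXT     "FREEIPA.UK.INTERNAL.MYDOMAIN.COM"
_ldap._tcp              IN      SRV     60 0 389 ipa1.uk
                        IN      SRV     40 0 389 ipa2.uk
_ldap._tcp.freeipa.uk   IN      SRV     60 0 389 ipa1.uk
                        IN      SRV     40 0 389 ipa2.uk
_ldaps._tcp.freeipa.uk  IN      SRV     60 0 636 ipa1.uk
                        IN      SRV     40 0 636 ipa2.uk
_kerberos._tcp.freeipa.uk  IN   SRV     60 0 464 ipa1.uk
                           IN   SRV     40 0 464 ipa2.uk
_http._tcp.freeipa.uk      IN   SRV     60 0 80  ipa1.uk
                           IN   SRV     40 0 80  ipa2.uk
_https._tcp.freeipa.uk     IN   SRV     60 0 443 ipa1.uk
                           IN   SRV     40 0 442 ipa2.uk
_kerberos-adm._tcp.freeipa.uk  IN       SRV     60 0 749 ipa1.uk
                               IN       SRV     40 0 749 ipa2.uk
_kerberos-master._udp.freeipa.uk  IN    SRV     0 0 88 ipa1.uk
_kerberos._udp.freeipa.uk  IN   SRV     60 0 88  ipa1.uk
                           IN   SRV     40 0 88  ipa2.uk
_kpasswd._udp.freeipa.uk   IN   SRV     60 0 464 ipa1.uk
                           IN   SRV     40 0 464 ipa2.uk
_ntp._udp.freeipa.uk       IN   SRV     60 0 123 ipa1.uk
                           IN   SRV     40 0 123 ipa2.uk
"""

RECORD_RE = re.compile(r'^(\S+)?\s+IN\s+(SRV|TXT)\s+(.+?)\s*$')


def parse_zone(text):
    """Yield (owner, rtype, rdata); a blank owner inherits the previous one."""
    owner = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m and (m.group(1) or owner):
            owner = m.group(1) or owner
            yield owner, m.group(2), m.group(3)


def lint_zone(text, realm):
    """Return (owner, problem) pairs for unexpected ports or realm values."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "TXT":
            value = rdata.strip('"')
            if owner.startswith("_kerberos.") and value != realm:
                findings.append((owner, "TXT realm %s != %s" % (value, realm)))
            continue
        fields = rdata.split()  # priority, weight, port, target
        if len(fields) != 4 or not fields[2].isdigit():
            findings.append((owner, "malformed SRV rdata %r" % rdata))
            continue
        port, target = int(fields[2]), fields[3]
        want = EXPECTED_PORTS.get(".".join(owner.split(".")[:2]))
        if want is None:
            findings.append((owner, "no expected port known for this service"))
        elif port != want:
            findings.append((owner, "%s:%d, expected port %d" % (target, port, want)))
    return findings
```

<p>Calling <code>lint_zone(ZONE_TEXT, "UK.INTERNAL.MYDOMAIN.COM")</code> returns one tuple per record that differs from the expected value.</p>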