2008-08-25 06:24:16,081 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2008-08-25 06:24:16,176 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:16,180 DEBUG Configuring ntpd
2008-08-25 06:24:16,183 DEBUG [1/4]: stopping ntpd
2008-08-25 06:24:17,064 INFO ntpd is stopped
2008-08-25 06:24:17,069 INFO
2008-08-25 06:24:17,073 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:18,009 INFO Shutting down ntpd: [FAILED]
2008-08-25 06:24:18,014 INFO
2008-08-25 06:24:18,017 DEBUG [2/4]: writing configuration
2008-08-25 06:24:18,031 DEBUG Backing up system configuration file '/etc/ntp.conf'
2008-08-25 06:24:18,044 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2008-08-25 06:24:18,049 DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2008-08-25 06:24:18,059 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2008-08-25 06:24:18,070 DEBUG [3/4]: configuring ntpd to start on boot
2008-08-25 06:24:18,247 INFO ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
2008-08-25 06:24:18,251 INFO
2008-08-25 06:24:18,256 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:18,598 INFO
2008-08-25 06:24:18,603 INFO
2008-08-25 06:24:18,606 DEBUG [4/4]: starting ntpd
2008-08-25 06:24:19,306 INFO Starting ntpd: [ OK ]
2008-08-25 06:24:19,311 INFO
2008-08-25 06:24:19,314 DEBUG done configuring ntpd.
2008-08-25 06:24:19,318 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:19,334 DEBUG Configuring directory server:
2008-08-25 06:24:19,347 DEBUG [1/16]: creating directory server user
2008-08-25 06:24:19,353 DEBUG adding ds user dirsrv
2008-08-25 06:24:19,767 INFO
2008-08-25 06:24:19,772 INFO
2008-08-25 06:24:19,775 DEBUG done adding user
2008-08-25 06:24:19,778 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:19,784 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:19,791 DEBUG [2/16]: creating directory server instance
2008-08-25 06:24:20,453 INFO
2008-08-25 06:24:20,458 INFO
2008-08-25 06:24:20,461 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:20,469 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:24:20,476 DEBUG dn: dc=priv,dc=ovirt,dc=org
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: priv
info: IPA V1.0
2008-08-25 06:24:20,484 DEBUG writing inf template
2008-08-25 06:24:20,507 DEBUG [General]
FullMachineName= management.priv.ovirt.org
SuiteSpotUserID= dirsrv
ServerRoot= /usr/lib/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= PRIV-OVIRT-ORG
Suffix= dc=priv,dc=ovirt,dc=org
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif
2008-08-25 06:24:20,511 DEBUG calling setup-ds.pl
2008-08-25 06:24:44,130 INFO [08/08/25:06:24:44] - [Setup] Info Your new DS instance 'PRIV-OVIRT-ORG' was successfully created.
Your new DS instance 'PRIV-OVIRT-ORG' was successfully created.
[08/08/25:06:24:44] - [Setup] Success Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
2008-08-25 06:24:44,137 INFO WARNING: The root password is less than 8 characters long. You should choose a longer one.
2008-08-25 06:24:44,141 DEBUG completed creating ds instance
2008-08-25 06:24:44,145 DEBUG restarting ds instance
2008-08-25 06:24:50,738 INFO Shutting down dirsrv: PRIV-OVIRT-ORG...[ OK ]
Starting dirsrv: PRIV-OVIRT-ORG...[ OK ]
2008-08-25 06:24:50,744 INFO
2008-08-25 06:24:50,750 DEBUG done restarting ds instance
2008-08-25 06:24:50,758 DEBUG [3/16]: adding default schema
2008-08-25 06:24:50,803 DEBUG [4/16]: enabling memberof plugin
2008-08-25 06:24:51,239 INFO add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa-memberof add nsslapd-pluginpath: libipa-memberof-plugin add nsslapd-plugininitfunc: ipamo_postop_init add nsslapd-plugintype: postoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: memberof add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat add nsslapd-plugindescription: Memberof plugin adding new entry "cn=ipa-memberof,cn=plugins,cn=config" modify complete
2008-08-25 06:24:51,246 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:24:51,252 DEBUG [5/16]: enabling referential integrity plugin
2008-08-25 06:24:51,636 INFO replace nsslapd-pluginenabled: on add nsslapd-pluginArg7: manager add nsslapd-pluginArg8: secretary modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config" modify complete
2008-08-25 06:24:51,643 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:24:51,649 DEBUG [6/16]: enabling distributed numeric assignment plugin
2008-08-25 06:24:52,005 INFO add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa-dna add nsslapd-pluginpath: libipa-dna-plugin add nsslapd-plugininitfunc: ipa_dna_init add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa-dna add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat add nsslapd-plugindescription: IPA Distributed numeric assignment plugin adding new entry "cn=ipa-dna,cn=plugins,cn=config" modify complete
2008-08-25 06:24:52,012 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:24:52,018 DEBUG [7/16]: configuring uniqueness plugin
2008-08-25 06:24:52,397 INFO add objectClass: top nsSlapdPlugin extensibleObject add cn: krbPrincipalName uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add nsslapd-pluginarg0: krbPrincipalName add nsslapd-pluginarg1: dc=priv,dc=ovirt,dc=org add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values adding new entry "cn=krbPrincipalName uniqueness,cn=plugins,cn=config" modify complete
2008-08-25 06:24:52,404 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:24:52,412 DEBUG [8/16]: creating indices
2008-08-25 06:24:54,372 INFO add objectClass: top nsIndex add cn: krbPrincipalName add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: ou add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: carLicense add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: title add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: manager add nsSystemIndex: false add nsIndexType: eq adding new entry "cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: secretary add nsSystemIndex: false add nsIndexType: eq adding new entry "cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: displayname add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add nsIndexType: sub modifying entry "cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: memberof add nsSystemIndex: false add nsIndexType: eq adding new entry "cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: uidnumber add nsSystemIndex: false add nsIndexType: eq add nsMatchingRule: integerOrderingMatch adding new entry "cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
add objectClass: top nsIndex add cn: gidnumber add nsSystemIndex: false add nsIndexType: eq add nsMatchingRule: integerOrderingMatch adding new entry "cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete
2008-08-25 06:24:54,383 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:24:54,393 DEBUG [9/16]: configuring ssl for ds instance
2008-08-25 06:24:54,402 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2008-08-25 06:24:54,878 INFO
2008-08-25 06:24:54,887 INFO
2008-08-25 06:25:01,256 INFO
2008-08-25 06:25:01,264 INFO Generating key. This may take a few moments...
2008-08-25 06:25:04,625 INFO
2008-08-25 06:25:04,632 INFO Generating key. This may take a few moments...
2008-08-25 06:25:04,932 INFO
2008-08-25 06:25:04,939 INFO
2008-08-25 06:25:05,367 INFO pk12util: PKCS12 EXPORT SUCCESSFUL
2008-08-25 06:25:05,374 INFO
2008-08-25 06:25:09,159 INFO
2008-08-25 06:25:09,167 INFO Generating key. This may take a few moments...
2008-08-25 06:25:09,760 INFO
2008-08-25 06:25:09,768 INFO
2008-08-25 06:25:10,343 DEBUG [10/16]: configuring certmap.conf
2008-08-25 06:25:10,355 DEBUG [11/16]: restarting directory server
2008-08-25 06:25:21,741 INFO Shutting down dirsrv: PRIV-OVIRT-ORG...[ OK ]
Starting dirsrv: PRIV-OVIRT-ORG...[ OK ]
2008-08-25 06:25:21,749 INFO
2008-08-25 06:25:22,663 INFO dirsrv PRIV-OVIRT-ORG (pid 1813) is running...
2008-08-25 06:25:22,672 INFO
2008-08-25 06:25:22,680 DEBUG [12/16]: adding default layout
2008-08-25 06:25:24,042 INFO add objectClass: top nsContainer krbPwdPolicy add cn: accounts add krbMinPwdLife: 3600 add krbPwdMinDiffChars: 0 add krbPwdMinLength: 8 add krbPwdHistoryLength: 0 add krbMaxPwdLife: 7776000 adding new entry "cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top nsContainer add cn: users adding new entry "cn=users,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top nsContainer add cn: groups adding new entry "cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top nsContainer add cn: services adding new entry "cn=services,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top nsContainer add cn: computers adding new entry "cn=computers,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: etc adding new entry "cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: sysaccounts adding new entry "cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: ipa adding new entry "cn=ipa,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: masters adding new entry "cn=masters,cn=ipa,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top person posixAccount KrbPrincipalAux inetUser add uid: admin add krbPrincipalName: admin@PRIV.OVIRT.ORG add cn: Administrator add sn: Administrator add uidNumber: 999 add gidNumber: 1001 add homeDirectory: /home/admin add loginShell: /bin/bash add gecos: Administrator add nsAccountLock: False adding new entry "uid=admin,cn=users,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: radius adding new entry "cn=radius,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: clients adding new entry "cn=clients,cn=radius,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top add cn: profiles adding new entry "cn=profiles,cn=radius,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top radiusprofile add uid: ipa_default adding new entry "uid=ipa_default, cn=profiles,cn=radius,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top groupofnames posixGroup add cn: admins add description: Account administrators group add gidNumber: 1001 add member: uid=admin,cn=users,cn=accounts,dc=priv,dc=ovirt,dc=org add nsAccountLock: False adding new entry "cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top groupofnames posixGroup add gidNumber: 1002 add description: Default group for all users add cn: ipausers adding new entry "cn=ipausers,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top groupofnames posixGroup add gidNumber: 1003 add description: Limited admins who can edit other users add cn: editors adding new entry "cn=editors,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: nsContainer top ipaGuiConfig add ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title add ipaGroupSearchFields: cn,description add ipaSearchTimeLimit: 2 add ipaSearchRecordsLimit: 0 add ipaHomesRootDir: /home add ipaDefaultLoginShell: /bin/sh add ipaDefaultPrimaryGroup: ipausers add ipaMaxUsernameLength: 8 add ipaPwdExpAdvNotify: 4 add ipaGroupObjectClasses: top groupofnames posixGroup inetUser add ipaUserObjectClasses: top person organizationalPerson inetOrgPerson inetUser posixAccount krbPrincipalAux radiusprofile add ipaDefaultEmailDomain: priv.ovirt.org adding new entry "cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add description: Lock accounts based on group membership add objectClass: top ldapsubentry cosSuperDefinition cosClassicDefinition add cosTemplateDn: cn=cosTemplates,cn=accounts,dc=priv,dc=ovirt,dc=org add cosAttribute: nsAccountLock operational add cosSpecifier: memberOf add cn: Account Inactivation adding new entry "cn=account inactivation,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectclass: top nsContainer add cn: cosTemplates adding new entry "cn=cosTemplates,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top cosTemplate extensibleobject add nsAccountLock: true add cosPriority: 1 adding new entry "cn="cn=inactivated,cn=account inactivation,cn=accounts,dc=priv,dc=ovirt,dc=org", cn=cosTemplates,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectclass: top groupofnames adding new entry "cn=inactivated,cn=account inactivation,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: top cosTemplate extensibleobject add nsAccountLock: false add cosPriority: 0 adding new entry "cn="cn=activated,cn=account inactivation,cn=accounts,dc=priv,dc=ovirt,dc=org", cn=cosTemplates,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add objectclass: top groupofnames adding new entry "cn=Activated,cn=Account Inactivation,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
2008-08-25 06:25:24,051 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:24,072 DEBUG [13/16]: configuring Posix uid/gid generation as first master
2008-08-25 06:25:24,856 INFO add objectclass: top nsContainer extensibleObject add cn: Posix adding new entry "cn=Posix,cn=ipa-dna,cn=plugins,cn=config" modify complete
add objectclass: top extensibleObject add cn: Accounts add dnaType: uidNumber add dnaNextValue: 1100 add dnaInterval: 1 add dnaMaxValue: 1000000000 add dnaMagicRegen: 999 add dnaFilter: (objectclass=posixAccount) add dnaScope: dc=priv,dc=ovirt,dc=org adding new entry "cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config" modify complete
add objectclass: top extensibleObject add cn: Groups add dnaType: gidNumber add dnaNextValue: 1100 add dnaInterval: 1 add dnaMaxValue: 1000000000 add dnaMagicRegen: 999 add dnaFilter: (objectclass=posixGroup) add dnaScope: dc=priv,dc=ovirt,dc=org adding new entry "cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config" modify complete
2008-08-25 06:25:24,864 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:24,878 DEBUG [14/16]: adding master entry as first master
2008-08-25 06:25:25,174 INFO add objectclass: top extensibleObject add cn: management.priv.ovirt.org add dnabase: 1100 add dnainterval: 4 adding new entry "cn=management.priv.ovirt.org,cn=masters,cn=ipa,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
2008-08-25 06:25:25,184 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:25,193 DEBUG [15/16]: initializing group membership
2008-08-25 06:25:25,618 INFO add objectClass: top extensibleObject add cn: IPA install add basedn: dc=priv,dc=ovirt,dc=org add filter: (objectclass=*) add ttl: 10 adding new entry "cn=IPA install 1219645459, cn=memberof task, cn=tasks, cn=config" modify complete
2008-08-25 06:25:25,626 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:25,638 DEBUG [16/16]: configuring directory to start on boot
2008-08-25 06:25:25,839 INFO dirsrv 0:off 1:off 2:off 3:off 4:off 5:off 6:off
2008-08-25 06:25:25,848 INFO
2008-08-25 06:25:25,856 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:25:26,045 INFO
2008-08-25 06:25:26,052 INFO
2008-08-25 06:25:26,058 DEBUG done configuring dirsrv.
2008-08-25 06:25:26,063 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:25:26,081 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:25:27,747 INFO krb5kdc is stopped
2008-08-25 06:25:27,755 INFO
2008-08-25 06:25:27,761 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-08-25 06:25:29,204 INFO Stopping Kerberos 5 KDC: [FAILED]
2008-08-25 06:25:29,211 INFO
2008-08-25 06:25:29,217 DEBUG Configuring Kerberos KDC
2008-08-25 06:25:29,222 DEBUG [1/13]: setting KDC account password
2008-08-25 06:25:29,228 DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/ldappwd'
2008-08-25 06:25:29,237 DEBUG -> Not backing up - '/var/kerberos/krb5kdc/ldappwd' doesn't exist
2008-08-25 06:25:29,247 DEBUG [2/13]: adding sasl mappings to the directory
2008-08-25 06:25:30,420 DEBUG [3/13]: adding kerberos entries to the DS
2008-08-25 06:25:30,743 INFO add objectclass: account simplesecurityobject add uid: kdc add userPassword: WPQPKTCVWOMI adding new entry "uid=kdc,cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add objectClass: krbContainer top add cn: kerberos add aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org";) adding new entry "cn=kerberos,dc=priv,dc=ovirt,dc=org" modify complete
2008-08-25 06:25:30,752 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:30,761 DEBUG [4/13]: adding default ACIs
2008-08-25 06:25:31,200 INFO add aci:
    (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
    (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
    (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@PRIV.OVIRT.ORG,cn=PRIV.OVIRT.ORG,cn=kerberos,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org";)
    (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
    (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
modifying entry "dc=priv,dc=ovirt,dc=org" modify complete
add aci:
    (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
modifying entry "cn=ipaConfig,cn=etc,dc=priv,dc=ovirt,dc=org" modify complete
add aci:
    (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
    (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
modifying entry "cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
add aci:
    (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,dc=priv,dc=ovirt,dc=org || ldap:///krbprincipalname=radius/management.priv.ovirt.org@PRIV.OVIRT.ORG,cn=PRIV.OVIRT.ORG,cn=kerberos,dc=priv,dc=ovirt,dc=org";)
    (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=priv,dc=ovirt,dc=org";)
modifying entry "cn=radius,dc=priv,dc=ovirt,dc=org" modify complete
add aci:
    (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=priv,dc=ovirt,dc=org";)
modifying entry "cn=services,cn=accounts,dc=priv,dc=ovirt,dc=org" modify complete
2008-08-25 06:25:31,209 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:31,223 DEBUG [5/13]: configuring KDC
2008-08-25 06:25:31,234 DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/kdc.conf'
2008-08-25 06:25:31,255 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2008-08-25 06:25:31,278 DEBUG Backing up system configuration file '/etc/krb5.conf'
2008-08-25 06:25:31,299 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2008-08-25 06:25:31,318 DEBUG Backing up system configuration file '/usr/share/ipa/html/krb5.ini'
2008-08-25 06:25:31,326 DEBUG -> Not backing up - '/usr/share/ipa/html/krb5.ini' doesn't exist
2008-08-25 06:25:31,339 DEBUG Backing up system configuration file '/usr/share/ipa/html/krb.con'
2008-08-25 06:25:31,345 DEBUG -> Not backing up - '/usr/share/ipa/html/krb.con' doesn't exist
2008-08-25 06:25:31,361 DEBUG Backing up system configuration file '/usr/share/ipa/html/krbrealm.con'
2008-08-25 06:25:31,367 DEBUG -> Not backing up - '/usr/share/ipa/html/krbrealm.con' doesn't exist
2008-08-25 06:25:31,962 INFO
2008-08-25 06:25:31,970 INFO
2008-08-25 06:25:31,977 DEBUG [6/13]: adding default keytypes
2008-08-25 06:25:32,287 INFO add krbSupportedEncSaltTypes: aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 modifying entry "cn=PRIV.OVIRT.ORG,cn=kerberos,dc=priv,dc=ovirt,dc=org" modify complete
add krbDefaultEncSaltTypes: aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal modifying entry "cn=PRIV.OVIRT.ORG,cn=kerberos,dc=priv,dc=ovirt,dc=org" modify complete
2008-08-25 06:25:32,297 INFO ldap_initialize( ldap://127.0.0.1 )
2008-08-25 06:25:32,308 DEBUG [7/13]: creating a keytab for the directory
2008-08-25 06:25:32,866 INFO Authenticating as principal root/admin@PRIV.OVIRT.ORG with password.
2008-08-25 06:25:32,875 INFO kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface
2008-08-25 06:25:32,924 DEBUG Command '/usr/kerberos/sbin/kadmin.local -q addprinc -randkey ldap/management.priv.ovirt.org@PRIV.OVIRT.ORG' returned non-zero exit status 1
  File "/usr/sbin/ipa-server-install", line 572, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 495, in main
    krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 147, in create_instance
    self.start_creation("Configuring Kerberos KDC")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 370, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python2.5/site-packages/ipaserver/installutils.py", line 207, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.5/site-packages/ipaserver/installutils.py", line 204, in kadmin
    ipautil.run(["/usr/kerberos/sbin/kadmin.local", "-q", command])
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 83, in run
    raise CalledProcessError(p.returncode, ' '.join(args))