[Freeipa-users] Ubuntu Client HELL

Rob Crittenden rcritten at redhat.com
Fri Feb 21 19:57:10 UTC 2014


Todd Maugh wrote:
> I'm in limbo here trying to solve this issue

It would help if you said what issue you were having...

And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured 
on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS. 
Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is 
still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i <request id>

The SSH keys are failing to load because they already exist in the host 
entry. I guess it was pre-created, or left over from a previous attempt? 
It doesn't appear to be a fatal error.

rob

>
> here is my output with the debug
>
> root at se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
> ipa-client-install -d --no-dns-sshfp
> --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
> --domain=boingo.com --server=se-idm-01.boingo.com
> /usr/sbin/ipa-client-install was invoked with options: {'domain':
> 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
> False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,
> 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':
> None, 'ca_cert_file': None, 'principal': None, 'keytab': None,
> 'hostname': 'se-idm-ubuntu-client-01.boingo.com', 'no_ac': False,
> 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates':
> False, 'mkhomedir': False, 'conf_ssh': True, 'force_join': True,
> 'server': ['se-idm-01.boingo.com'], 'prompt_password': False, 'permit':
> False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> WARNING: ntpd time&date synchronization service will not be configured as
> conflicting service (chronyd) is enabled
> Use --force-ntpd option to disable it and force configuration of ntpd
>
> [IPA Discovery]
> Starting IPA discovery with domain=boingo.com,
> servers=['se-idm-01.boingo.com'],
> hostname=se-idm-ubuntu-client-01.boingo.com
> Server and domain forced
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.boingo.com
> DNS record not found: NXDOMAIN
> [LDAP server check]
> Verifying that se-idm-01.boingo.com (realm None) is an IPA server
> Init LDAP connection to: se-idm-01.boingo.com
> Search LDAP server for IPA base DN
> Check if naming context 'dc=boingo,dc=com' is for IPA
> Naming context 'dc=boingo,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=boingo,dc=com (sub)
> Found: cn=BOINGO.COM,cn=kerberos,dc=boingo,dc=com
> Discovery result: Success; server=se-idm-01.boingo.com,
> domain=boingo.com, kdc=None, basedn=dc=boingo,dc=com
> Validated servers: se-idm-01.boingo.com
> will use discovered domain: boingo.com
> Using servers from command line, disabling DNS discovery
> will use provided server: se-idm-01.boingo.com
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to
> always access the discovered server for all operations and will not fail
> over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> will use discovered realm: BOINGO.COM
> will use discovered basedn: dc=boingo,dc=com
> Hostname: se-idm-ubuntu-client-01.boingo.com
> Hostname source: Provided as option
> Realm: BOINGO.COM
> Realm source: Discovered from LDAP DNS records in se-idm-01.boingo.com
> DNS Domain: boingo.com
> DNS Domain source: Forced
> IPA Server: se-idm-01.boingo.com
> IPA Server source: Provided as option
> BaseDN: dc=boingo,dc=com
> BaseDN source: From IPA server ldap://se-idm-01.boingo.com:389
>
> Continue to configure the system with these values? [no]: yes
> Starting external process
> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r BOINGO.COM
> Process finished, return code=0
> stdout=
> stderr=Removing principal host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
>
> Removed old keys for realm BOINGO.COM from /etc/krb5.keytab
> Starting external process
> args=/bin/hostname se-idm-ubuntu-client-01.boingo.com
> Process finished, return code=0
> stdout=
> stderr=
> Backing up system configuration file '/etc/hostname'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> User authorized to enroll computers: admin
> will use principal provided as option: admin
> Synchronizing time with KDC...
> Search DNS for SRV record of _ntp._udp.boingo.com
> DNS record not found: NXDOMAIN
> Starting external process
> args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> Process finished, return code=1
> stdout=
> stderr=
> Starting external process
> args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> Process finished, return code=1
> stdout=
> stderr=
> Starting external process
> args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> Process finished, return code=1
> stdout=
> stderr=
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Writing Kerberos configuration to /tmp/tmpBuP7iE:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>    default_realm = BOINGO.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>
> [realms]
>    BOINGO.COM = {
>      kdc = se-idm-01.boingo.com:88
>      master_kdc = se-idm-01.boingo.com:88
>      admin_server = se-idm-01.boingo.com:749
>      default_domain = boingo.com
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
>
> [domain_realm]
>    .boingo.com = BOINGO.COM
>    boingo.com = BOINGO.COM
>
> Password for admin at BOINGO.COM:
> Starting external process
> args=kinit admin at BOINGO.COM
> Process finished, return code=0
> stdout=Password for admin at BOINGO.COM:
>
> stderr=
> trying to retrieve CA cert via LDAP from se-idm-01.boingo.com
> flushing ldap://se-idm-01.boingo.com:389 from SchemaCache
> retrieving schema for SchemaCache url=ldap://se-idm-01.boingo.com:389
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x140ff80>
> Existing CA cert and Retrieved CA cert are identical
> Starting external process
> args=/usr/sbin/ipa-join -s se-idm-01.boingo.com -b dc=boingo,dc=com -d
> -h se-idm-ubuntu-client-01.boingo.com -f
> Process finished, return code=0
> stdout=
> stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>3.2.0-58-generic</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> XML-RPC RESPONSE:
>
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> <value><string>fqdn=se-idm-ubuntu-client-01.boingo.com,cn=computers,cn=accounts,dc=boingo,dc=com</string></value>\n
> <value><struct>\n
> <member>\n
> <name>sshpubkeyfp</name>\n
> <value><array><data>\n
> <value><string>F9:63:24:7C:AF:AF:10:F8:1E:C2:16:69:FE:EF:57:18
> root at 1204base (ssh-dss)</string></value>\n
> <value><string>85:E8:4E:22:E6:7E:73:0D:10:5C:CB:1A:FC:8B:DE:5C
> root at 1204base (ssh-rsa)</string></value>\n
> <value><string>B8:BF:50:00:03:BF:AD:71:34:28:CE:83:0A:74:5E:8A
> root at 1204base (ecdsa-sha2-nistp256)</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>1</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipasshpubkey</name>\n
> <value><array><data>\n
> <value><string>ssh-dss
> AAAAB3NzaC1kc3MAAACBAPC0DSpZuBTz08MTehuPVq2IDPZMjSpmZz+zuQ9UbAb2yzWspsUfH3FRXMsp5M/NjKjZEUt+f5u24Q6D20Puo1qlhSW6KZv9xtx3Az/zWskvyE5XltCarOjokyjIdF4tcdlpI2onXKJBcUatZI1P9PHe+zEWMY+kbPmQ1R8h2mJTAAAAFQC1Xlgau1z17rjf5HkIBBk+d5WHJQAAAIEAut8bZLpXb1oKCQnTPV4PTXI0bAdIJWHf/4H1HN3E3rUwWwnGY/JiABBDxBJwdGnuYA9EpHZqx9+zkE86XS64Oh48VLvoVKmzMjALKnsMRDe4T5RUkxmOul36Iv+ughRNBRdO013N/j6ABj/6je73AYUGz3mKrWB+tz/szUZMAcsAAACAF73ttJiAMtcydaa63zCD+XldAk6jQwXgz0kBNTVq/n4CdFK4M+NxpH4YN93g5BQZ2IsfOlUUqrZiNy/BLrvqLBJJS+nhyLLKYEyBeiP6dnmVWw7R7A4ZX8osd4PyEAcCcfdzYGxvOJ8x5PdGu8ev8ytVEluxeHyW59vEvKlHBM0=
> root at 1204base</string></value>\n
> <value><string>ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv
> root at 1204base</string></value>\n
> <value><string>ecdsa-sha2-nistp256
> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=
> root at 1204base</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>cn</name>\n
> <value><array><data>\n
> <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>usercertificate</name>\n
> <value><array><data>\n
> <value><base64>\n
> </base64></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbextradata</name>\n
> <value><array><data>\n
> <value><base64>\n
> AAKVkgdTaG9zdC9zZS1pZG0tdWJ1bnR1LWNsaWVudC0wMS5ib2luZ28uY29tQEJPSU5HTy5DT00A\n
> </base64></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>subject</name>\n
> <value><string>CN=se-idm-ubuntu-client-01.boingo.com,O=BOINGO.COM</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=BOINGO.COM</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>sha1_fingerprint</name>\n
> <value><string>60:5c:7f:f5:e7:77:b7:3c:0c:c8:c0:07:3f:c3:00:18:c1:dd:9d:af</string></value>\n
> </member>\n
> <member>\n
> <name>krblastsuccessfulauth</name>\n
> <value><array><data>\n
> <value><string>20140221181453Z</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>serial_number</name>\n
> <value><string>26</string></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>enrolledby_user</name>\n
> <value><array><data>\n
> <value><string>admin</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>dn</name>\n
> <value><string>fqdn=se-idm-ubuntu-client-01.boingo.com,cn=computers,cn=accounts,dc=boingo,dc=com</string></value>\n
> </member>\n
> <member>\n
> <name>issuer</name>\n
> <value><string>CN=Certificate Authority,O=BOINGO.COM</string></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>459b077c-9b20-11e3-89c9-782bcb03bc6d</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>serverhostname</name>\n
> <value><array><data>\n
> <value><string>se-idm-ubuntu-client-01</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>ieee802device</string></value>\n
> <value><string>ipasshhost</string></value>\n
> <value><string>top</string></value>\n
> <value><string>ipaSshGroupOfPubKeys</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>valid_not_before</name>\n
> <value><string>Fri Feb 21 17:53:29 2014 UTC</string></value>\n
> </member>\n
> <member>\n
> <name>valid_not_after</name>\n
> <value><string>Mon Feb 22 17:53:29 2016 UTC</string></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managing_host</name>\n
> <value><array><data>\n
> <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>md5_fingerprint</name>\n
> <value><string>bb:dc:38:b3:19:ab:7c:07:27:31:f9:a7:78:a4:98:16</string></value>\n
> </member>\n
> <member>\n
> <name>serial_number_hex</name>\n
> <value><string>0x1A</string></value>\n
> </member>\n
> <member>\n
> <name>krblastpwdchange</name>\n
> <value><array><data>\n
> <value><string>20140221175325Z</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=BOINGO.COM
>
> Enrolled in IPA realm BOINGO.COM
> Starting external process
> args=kdestroy
> Process finished, return code=0
> stdout=
> stderr=
> Starting external process
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=0
> stdout=
> stderr=
> Backing up system configuration file '/etc/ipa/default.conf'
>    -> Not backing up - '/etc/ipa/default.conf' doesn't exist
> Created /etc/ipa/default.conf
> importing all plugin modules in
> '/usr/lib/python2.7/dist-packages/ipalib/plugins'...
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/entitle.py'
> skipping plugin module ipalib.plugins.entitle: No module named
> rhsm.connection
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'
> Starting external process
> args=klist -V
> Process finished, return code=0
> stdout=Kerberos 5 version 1.10-beta1
>
> stderr=
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'
> importing plugin module
> '/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'
> Backing up system configuration file '/etc/sssd/sssd.conf'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Domain boingo.com is already configured in existing SSSD config,
> creating a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during
> uninstall.
> Configured /etc/sssd/sssd.conf
> Starting external process
> args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
> /etc/ipa/ca.crt
> Process finished, return code=0
> stdout=
> stderr=
> Backing up system configuration file '/etc/krb5.conf'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Writing Kerberos configuration to /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>    default_realm = BOINGO.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>
> [realms]
>    BOINGO.COM = {
>      kdc = se-idm-01.boingo.com:88
>      master_kdc = se-idm-01.boingo.com:88
>      admin_server = se-idm-01.boingo.com:749
>      default_domain = boingo.com
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
>
> [domain_realm]
>    .boingo.com = BOINGO.COM
>    boingo.com = BOINGO.COM
>
> Configured /etc/krb5.conf for IPA realm BOINGO.COM
> Starting external process
> args=keyctl search @s user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
>
> Starting external process
> args=keyctl search @s user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
>
> failed to find session_cookie in persistent storage for principal
> 'host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM'
> trying https://se-idm-01.boingo.com/ipa/xml
> Created connection context.xmlclient
> raw: env(None, server=True)
> env(None, server=True, all=True)
> Forwarding 'env' to server u'https://se-idm-01.boingo.com/ipa/xml'
> NSSConnection init se-idm-01.boingo.com
> Connecting: 66.103.90.130:0
> auth_certificate_callback: check_sig=True is_server=False
> Data:
>          Version: 3 (0x2)
>          Serial Number: 10 (0xa)
>          Signature Algorithm:
>              Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Issuer: CN=Certificate Authority,O=BOINGO.COM
>          Validity:
>              Not Before: Wed Jan 22 23:22:58 2014 UTC
>              Not After : Sat Jan 23 23:22:58 2016 UTC
>          Subject: CN=se-idm-01.boingo.com,O=BOINGO.COM
>          Subject Public Key Info:
>              Public Key Algorithm:
>                  Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Modulus:
>                  Exponent: 65537 (0x10001)
>      Signed Extensions: (5)
>          Name: Certificate Authority Key Identifier
>          Critical: False
>          Key ID:
>              2e:77:3e:6b:23:1f:b1:ce:07:8c:9e:09:09:03:cf:7c:
>              9a:20:46:cd
>          Serial Number: None
>          General Names: [0 total]
>
>          Name: Authority Information Access
>          Critical: False
>
>          Name: Certificate Key Usage
>          Critical: True
>          Usages:
>              Digital Signature
>              Non-Repudiation
>              Key Encipherment
>              Data Encipherment
>
>          Name: Extended Key Usage
>          Critical: False
>          Usages:
>              TLS Web Server Authentication Certificate
>              TLS Web Client Authentication Certificate
>
>          Name: Certificate Subject Key ID
>          Critical: False
>          Data:
>              c5:83:cc:e3:c4:64:6f:f1:67:47:f3:cd:6a:bd:f5:2c:
>              ac:91:1e:0c
>
>      Signature:
>          Signature Algorithm:
>              Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Signature:
>          Fingerprint (MD5):
>              43:6b:f7:a8:12:d6:72:2f:3c:36:60:ff:ea:6b:53:a9
>          Fingerprint (SHA1):
>              91:b6:61:43:5d:0b:d0:14:cf:71:c8:c6:20:88:74:be:
>              ce:ad:a0:53
> approved_usage = SSLServer intended_usage = SSLServer
> cert valid True for "CN=se-idm-01.boingo.com,O=BOINGO.COM"
> handshake complete, peer = 66.103.90.130:443
> received Set-Cookie 'ipa_session=feebdfa3447e7a8bdae71ad28871835e;
> Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014
> 19:47:41 GMT; Secure; HttpOnly'
> storing cookie 'ipa_session=feebdfa3447e7a8bdae71ad28871835e;
> Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014
> 19:47:41 GMT; Secure; HttpOnly' for principal
> host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Starting external process
> args=keyctl search @s user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
>
> Starting external process
> args=keyctl search @s user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
>
> Starting external process
> args=keyctl padd user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM @s
> Process finished, return code=0
> stdout=546101869
>
> stderr=
> Hostname (se-idm-ubuntu-client-01.boingo.com) not found in DNS
> Writing nsupdate commands to /etc/ipa/.dns_update.txt:
>
> zone boingo.com.
> update delete se-idm-ubuntu-client-01.boingo.com. IN A
> send
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN A 23.253.21.58
> send
>
> Starting external process
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> Process finished, return code=1
> stdout=
> stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Server
> DNS/ns-1454.awsdns-53.org at BOINGO.COM not found in Kerberos database.
>
> nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
> returned non-zero exit status 1
> Failed to update DNS records.
> Starting external process
> args=/usr/sbin/service dbus status
> Process finished, return code=0
> stdout=dbus start/running, process 1004
>
> stderr=
> Starting external process
> args=/usr/sbin/service certmonger restart
> Process finished, return code=0
> stdout=certmonger stop/waiting
> certmonger start/running
>
> stderr=
> Starting external process
> args=/usr/sbin/service certmonger status
> Process finished, return code=0
> stdout=certmonger start/running
>
> stderr=
> Starting external process
> args=/usr/sbin/service certmonger stop
> Process finished, return code=0
> stdout=certmonger stop/waiting
>
> stderr=
> certmonger failed to stop: [Errno 2] No such file or directory:
> '/var/run/ipa/services.list'
> Starting external process
> args=/usr/sbin/service certmonger restart
> Process finished, return code=0
> stdout=certmonger start/running
>
> stderr=stop: Unknown instance:
>
> Starting external process
> args=/usr/sbin/service certmonger status
> Process finished, return code=0
> stdout=certmonger start/running
>
> stderr=
> Starting external process
> args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
> se-idm-ubuntu-client-01.boingo.com -N
> CN=se-idm-ubuntu-client-01.boingo.com,O=BOINGO.COM -K
> host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=Certificate at same location is already used by request with
> nickname "20140221175328".
>
> stderr=
> certmonger request for host certificate failed
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> raw: host_mod(u'se-idm-ubuntu-client-01.boingo.com',
> ipasshpubkey=[u'ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv
> root at 1204base', u'ssh-dss
> AAAAB3NzaC1kc3MAAACBAPC0DSpZuBTz08MTehuPVq2IDPZMjSpmZz+zuQ9UbAb2yzWspsUfH3FRXMsp5M/NjKjZEUt+f5u24Q6D20Puo1qlhSW6KZv9xtx3Az/zWskvyE5XltCarOjokyjIdF4tcdlpI2onXKJBcUatZI1P9PHe+zEWMY+kbPmQ1R8h2mJTAAAAFQC1Xlgau1z17rjf5HkIBBk+d5WHJQAAAIEAut8bZLpXb1oKCQnTPV4PTXI0bAdIJWHf/4H1HN3E3rUwWwnGY/JiABBDxBJwdGnuYA9EpHZqx9+zkE86XS64Oh48VLvoVKmzMjALKnsMRDe4T5RUkxmOul36Iv+ughRNBRdO013N/j6ABj/6je73AYUGz3mKrWB+tz/szUZMAcsAAACAF73ttJiAMtcydaa63zCD+XldAk6jQwXgz0kBNTVq/n4CdFK4M+NxpH4YN93g5BQZ2IsfOlUUqrZiNy/BLrvqLBJJS+nhyLLKYEyBeiP6dnmVWw7R7A4ZX8osd4PyEAcCcfdzYGxvOJ8x5PdGu8ev8ytVEluxeHyW59vEvKlHBM0=
> root at 1204base', u'ecdsa-sha2-nistp256
> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=
> root at 1204base'], updatedns=False)
> host_mod(u'se-idm-ubuntu-client-01.boingo.com', random=False,
> ipasshpubkey=(u'ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv
> root at 1204base', u'ssh-dss
> AAAAB3NzaC1kc3MAAACBAPC0DSpZuBTz08MTehuPVq2IDPZMjSpmZz+zuQ9UbAb2yzWspsUfH3FRXMsp5M/NjKjZEUt+f5u24Q6D20Puo1qlhSW6KZv9xtx3Az/zWskvyE5XltCarOjokyjIdF4tcdlpI2onXKJBcUatZI1P9PHe+zEWMY+kbPmQ1R8h2mJTAAAAFQC1Xlgau1z17rjf5HkIBBk+d5WHJQAAAIEAut8bZLpXb1oKCQnTPV4PTXI0bAdIJWHf/4H1HN3E3rUwWwnGY/JiABBDxBJwdGnuYA9EpHZqx9+zkE86XS64Oh48VLvoVKmzMjALKnsMRDe4T5RUkxmOul36Iv+ughRNBRdO013N/j6ABj/6je73AYUGz3mKrWB+tz/szUZMAcsAAACAF73ttJiAMtcydaa63zCD+XldAk6jQwXgz0kBNTVq/n4CdFK4M+NxpH4YN93g5BQZ2IsfOlUUqrZiNy/BLrvqLBJJS+nhyLLKYEyBeiP6dnmVWw7R7A4ZX8osd4PyEAcCcfdzYGxvOJ8x5PdGu8ev8ytVEluxeHyW59vEvKlHBM0=
> root at 1204base', u'ecdsa-sha2-nistp256
> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=
> root at 1204base'), rights=False, updatedns=False, all=False, raw=False)
> Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
> NSSConnection init se-idm-01.boingo.com
> Connecting: 66.103.90.130:0
> handshake complete, peer = 66.103.90.130:443
> received Set-Cookie 'ipa_session=19d25037e9a9416d6201a0fbd3faaccb;
> Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014
> 19:47:43 GMT; Secure; HttpOnly'
> storing cookie 'ipa_session=19d25037e9a9416d6201a0fbd3faaccb;
> Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014
> 19:47:43 GMT; Secure; HttpOnly' for principal
> host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Starting external process
> args=keyctl search @s user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
>
> Starting external process
> args=keyctl search @s user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
>
> Starting external process
> args=keyctl padd user
> ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM @s
> Process finished, return code=0
> stdout=1008872903
>
> stderr=
> Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no
> modifications to be performed
> Starting external process
> args=/usr/sbin/service nscd status
> Process finished, return code=1
> stdout=
> stderr=nscd: unrecognized service
>
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
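The triage done by eye in the reply above, as an added example (not part of the original message and not FreeIPA's own code): it parses the "Starting external process" records in `ipa-client-install -d` output and classifies the four failures the reply names. The function and class names are hypothetical, and SAMPLE is an abridged excerpt constructed from the log quoted in this message.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

QUOTE = re.compile(r"^>\s?")  # mail quote marker in front of each log line
Finding = namedtuple("Finding", "step needs_action detail")

@dataclass
class Run:                      # one "Starting external process" record
    args: str = ""
    rc: int = -1
    stdout: str = ""
    stderr: str = ""

def parse_runs(log):
    """Return one Run per external-process record, rejoining wrapped lines."""
    runs, cur, fld = [], None, None
    for raw in log.splitlines():
        line = QUOTE.sub("", raw).strip()
        if line == "Starting external process":
            cur, fld = Run(), None
            runs.append(cur)
        elif cur is None:
            continue                      # ordinary log line outside a record
        elif line.startswith("args="):
            cur.args, fld = line[5:], "args"
        elif line.startswith("Process finished, return code="):
            cur.rc, fld = int(line.rsplit("=", 1)[1]), None
        elif line.startswith("stdout="):
            cur.stdout, fld = line[7:], "stdout"
        elif line.startswith("stderr="):
            cur.stderr, fld = line[7:], "stderr"
            if not cur.stderr:            # empty stderr closes the record
                cur = None
        elif not line:                    # blank line ends a multi-line value
            cur, fld = (None if fld == "stderr" else cur), None
        elif fld:                         # wrapped continuation of args/stdout/stderr
            setattr(cur, fld, (getattr(cur, fld) + " " + line).strip())
    return runs

def triage(log):
    """Report only the four failures the reply identifies in this log."""
    runs = parse_runs(log)
    flat = " ".join(" ".join(QUOTE.sub("", l) for l in log.splitlines()).split())
    out = []
    ntp = [r for r in runs if "ntpdate" in r.args and r.rc != 0]
    if ntp:
        out.append(Finding("time sync", False,
                           f"ntpdate failed {len(ntp)}x; can happen when ntpd is already configured"))
    for r in runs:
        if "nsupdate" in r.args and r.rc != 0:
            out.append(Finding("DNS update", False, r.stderr))
        m = re.search(r'already used by request with nickname "([^"]+)"', r.stdout)
        if "ipa-getcert request" in r.args and r.rc != 0 and m:
            out.append(Finding("certmonger", True,
                               f"old request {m.group(1)} is still tracked; run 'ipa-getcert list', "
                               "then 'ipa-getcert stop-tracking -i <request id>'"))
    if "host_mod" in flat and re.search(
            r"Caught fault 4202 from server \S+: no modifications to be performed", flat):
        out.append(Finding("SSH keys", False, "keys already exist in the host entry"))
    return out

# Constructed sample: abridged lines from the debug log quoted in this message.
SAMPLE = """\
> Starting external process
> args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> Process finished, return code=1
> stdout=
> stderr=
> Starting external process
> args=kdestroy
> Process finished, return code=0
> stdout=
> stderr=
> Starting external process
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> Process finished, return code=1
> stdout=
> stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Server
> DNS/ns-1454.awsdns-53.org at BOINGO.COM not found in Kerberos database.
>
> Starting external process
> args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
> se-idm-ubuntu-client-01.boingo.com -N
> CN=se-idm-ubuntu-client-01.boingo.com,O=BOINGO.COM
> Process finished, return code=1
> stdout=Certificate at same location is already used by request with
> nickname "20140221175328".
>
> stderr=
> Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
> Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no
> modifications to be performed
"""

print(*triage(SAMPLE), sep="\n")
```

Only the certmonger finding is marked as needing action, matching the reply's reading of the other three as non-fatal.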