[Freeipa-users] Ubuntu Client HELL

Will Sheldon mail at willsheldon.com
Fri Feb 21 21:57:59 UTC 2014


 +1 for `ipa force-delete client` script.


Kind regards,

Will Sheldon
+1.778-689-1244


On Friday, February 21, 2014 at 1:47 PM, Dmitri Pal wrote:

> On 02/21/2014 03:07 PM, Todd Maugh wrote:
> > Thanks Rob! The main issue I am having is that the install is not completing and setting this Ubuntu host up as a client.
> > 
> > I cleared out the old cert as you suggested, the ssh keys were copied over from a previous attempt. I'm not using IPA as DNS and I understand the ntp part.
> > 
> > 
> > So now my install finishes up like this:
> > 
> > Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
> > NSSConnection init se-idm-01.boingo.com
> > Connecting: 66.103.90.130:0
> > handshake complete, peer = 66.103.90.130:443
> > received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly'
> > storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly' for principal host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > Starting external process
> > args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > Process finished, return code=1
> > stdout=
> > stderr=keyctl_search: Required key not available
> > 
> > Starting external process
> > args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > Process finished, return code=1
> > stdout=
> > stderr=keyctl_search: Required key not available
> > 
> > Starting external process
> > args=keyctl padd user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM @s
> > Process finished, return code=0
> > stdout=700576616
> > 
> > stderr=
> > Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no modifications to be performed
> > Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> > zone boingo.com.
> > update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
> > send
> > update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
> > update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
> > update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 D456E5C237736406CB5F4B4C24C836217B6D977E
> > update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
> > update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 270551D349212B7112D4A9079FF490C8D6733041
> > update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
> > send
> > 
> > Starting external process
> > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> > Process finished, return code=1
> > stdout=
> > stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns-1454.awsdns-53.org at BOINGO.COM not found in Kerberos database.
> > 
> > nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> > Could not update DNS SSHFP records.
> > Starting external process
> > args=/usr/sbin/service nscd status
> > Process finished, return code=1
> > stdout=
> > stderr=nscd: unrecognized service
> > 
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > 
> > 
> > 
> > thanks in advance for any help
> > 
> > -Todd
> > 
> > ________________________________________
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com]
> > Sent: Friday, February 21, 2014 11:57 AM
> > To: freeipa-users
> > Subject: Re: [Freeipa-users] Ubuntu Client HELL
> > 
> > Todd Maugh wrote:
> > > I'm in limbo here trying to solve this issue
> > 
> > It would help if you said what issue you were having...
> > 
> > And what version of the client you are running.
> > 
> > Trolling through the log I see a couple of things:
> > 
> > ntpdate failed, but that can happen if you already have ntpd configured
> > on your client. We have a ticket open on that.
> > 
> > The DNS update failed, presumably because you aren't using IPA for DNS.
> > Not a big deal.
> > 
> > The certmonger failure is due to a bad uninstall in the past. It is
> > still tracking an old cert. You can clear it with:
> > 
> > # ipa-getcert list
> > # ipa-getcert stop-tracking -i<request id>
> > 
> > The SSH keys are failing to load because they already exist in the host
> > entry. I guess it was pre-created, or left over from a previous attempt?
> > It doesn't appear to be a fatal error.
> > 
> > rob
> > 
> > > Here is my output with the debug
> > > 
> > > root at se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
> > > ipa-client-install -d --no-dns-sshfp
> > > --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
> > > --domain=boingo.com --server=se-idm-01.boingo.com
> > > /usr/sbin/ipa-client-install was invoked with options: {'domain':
> > > 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
> > > False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,
> > > 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':
> > > None, 'ca_cert_file': None, 'principal': None, 'keytab': None,
> > > 'hostname': 'se-idm-ubuntu-client-01.boingo.com', 'no_ac': False,
> > > 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates':
> > > False, 'mkhomedir': False, 'conf_ssh': True, 'force_join': True,
> > > 'server': ['se-idm-01.boingo.com'], 'prompt_password': False, 'permit':
> > > False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> > > missing options might be asked for interactively later
> > > Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > > Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > > WARNING: ntpd time&date synchronization service will not be configured as
> > > conflicting service (chronyd) is enabled
> > > Use --force-ntpd option to disable it and force configuration of ntpd
> > > 
> > > [IPA Discovery]
> > > Starting IPA discovery with domain=boingo.com,
> > > servers=['se-idm-01.boingo.com'],
> > > hostname=se-idm-ubuntu-client-01.boingo.com
> > > Server and domain forced
> > > [Kerberos realm search]
> > > Search DNS for TXT record of _kerberos.boingo.com
> > > DNS record not found: NXDOMAIN
> > > [LDAP server check]
> > > Verifying that se-idm-01.boingo.com (realm None) is an IPA server
> > > Init LDAP connection to: se-idm-01.boingo.com
> > > Search LDAP server for IPA base DN
> > > Check if naming context 'dc=boingo,dc=com' is for IPA
> > > Naming context 'dc=boingo,dc=com' is a valid IPA context
> > > Search for (objectClass=krbRealmContainer) in dc=boingo,dc=com (sub)
> > > Found: cn=BOINGO.COM,cn=kerberos,dc=boingo,dc=com
> > > Discovery result: Success; server=se-idm-01.boingo.com,
> > > domain=boingo.com, kdc=None, basedn=dc=boingo,dc=com
> > > Validated servers: se-idm-01.boingo.com
> > > will use discovered domain: boingo.com
> > > Using servers from command line, disabling DNS discovery
> > > will use provided server: se-idm-01.boingo.com
> > > Autodiscovery of servers for failover cannot work with this configuration.
> > > If you proceed with the installation, services will be configured to
> > > always access the discovered server for all operations and will not fail
> > > over to other servers in case of failure.
> > > Proceed with fixed values and no DNS discovery? [no]: yes
> > > will use discovered realm: BOINGO.COM
> > > will use discovered basedn: dc=boingo,dc=com
> > > Hostname: se-idm-ubuntu-client-01.boingo.com
> > > Hostname source: Provided as option
> > > Realm: BOINGO.COM
> > > Realm source: Discovered from LDAP DNS records in se-idm-01.boingo.com
> > > DNS Domain: boingo.com
> > > DNS Domain source: Forced
> > > IPA Server: se-idm-01.boingo.com
> > > IPA Server source: Provided as option
> > > BaseDN: dc=boingo,dc=com
> > > BaseDN source: From IPA server ldap://se-idm-01.boingo.com:389
> > > 
> > > Continue to configure the system with these values? [no]: yes
> > > Starting external process
> > > args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r BOINGO.COM
> > > Process finished, return code=0
> > > stdout=
> > > stderr=Removing principal host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > > 
> > > Removed old keys for realm BOINGO.COM from /etc/krb5.keytab
> > > Starting external process
> > > args=/bin/hostname se-idm-ubuntu-client-01.boingo.com
> > > Process finished, return code=0
> > > stdout=
> > > stderr=
> > > Backing up system configuration file '/etc/hostname'
> > > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > > User authorized to enroll computers: admin
> > > will use principal provided as option: admin
> > > Synchronizing time with KDC...
> > > Search DNS for SRV record of _ntp._udp.boingo.com
> > > DNS record not found: NXDOMAIN
> > > Starting external process
> > > args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> > > Process finished, return code=1
> > > stdout=
> > > stderr=
> > > Starting external process
> > > args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> > > Process finished, return code=1
> > > stdout=
> > > stderr=
> > > Starting external process
> > > args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> > > Process finished, return code=1
> > > stdout=
> > > stderr=
> > > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > > Please check that 123 UDP port is opened.
> > > Writing Kerberos configuration to /tmp/tmpBuP7iE:
> > > #File modified by ipa-client-install
> > > 
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > 
> > > [libdefaults]
> > > default_realm = BOINGO.COM
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = false
> > > rdns = false
> > > ticket_lifetime = 24h
> > > forwardable = yes
> > > 
> > > [realms]
> > > BOINGO.COM = {
> > > kdc = se-idm-01.boingo.com:88
> > > master_kdc = se-idm-01.boingo.com:88
> > > admin_server = se-idm-01.boingo.com:749
> > > default_domain = boingo.com
> > > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > > }
> > > 
> > > [domain_realm]
> > > .boingo.com = BOINGO.COM
> > > boingo.com = BOINGO.COM
> > > 
> > > Password for admin at BOINGO.COM:
> > > Starting external process
> > > args=kinit admin at BOINGO.COM
> > > Process finished, return code=0
> > > stdout=Password for admin at BOINGO.COM:
> > > 
> > > stderr=
> > > trying to retrieve CA cert via LDAP from se-idm-01.boingo.com
> > > flushing ldap://se-idm-01.boingo.com:389 from SchemaCache
> > > retrieving schema for SchemaCache url=ldap://se-idm-01.boingo.com:389
> > > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x140ff80>
> > > Existing CA cert and Retrieved CA cert are identical
> > > Starting external process
> > > args=/usr/sbin/ipa-join -s se-idm-01.boingo.com -b dc=boingo,dc=com -d
> > > -h se-idm-ubuntu-client-01.boingo.com -f
> > > Process finished, return code=0
> > > stdout=
> > > stderr=XML-RPC CALL:
> > > 
> > > <?xml version="1.0" encoding="UTF-8"?>\r\n
> > > <methodCall>\r\n
> > > <methodName>join</methodName>\r\n
> > > <params>\r\n
> > > <param><value><array><data>\r\n
> > > <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\r\n
> > > </data></array></value></param>\r\n
> > > <param><value><struct>\r\n
> > > <member><name>nsosversion</name>\r\n
> > > <value><string>3.2.0-58-generic</string></value></member>\r\n
> > > <member><name>nshardwareplatform</name>\r\n
> > > <value><string>x86_64</string></value></member>\r\n
> > > </struct></value></param>\r\n
> > > </params>\r\n
> > > </methodCall>\r\n
> > > 
> > > XML-RPC RESPONSE:
> > > 
> > > <?xml version='1.0' encoding='UTF-8'?>\n
> > > <methodResponse>\n
> > > <params>\n
> > > <param>\n
> > > <value><array><data>\n
> > > <value><string>fqdn=se-idm-ubuntu-client-01.boingo.com,cn=computers,cn=accounts,dc=boingo,dc=com</string></value>\n
> > > <value><struct>\n
> > > <member>\n
> > > <name>sshpubkeyfp</name>\n
> > > <value><array><data>\n
> > > <value><string>F9:63:24:7C:AF:AF:10:F8:1E:C2:16:69:FE:EF:57:18
> > > root at 1204base (ssh-dss)</string></value>\n
> > > <value><string>85:E8:4E:22:E6:7E:73:0D:10:5C:CB:1A:FC:8B:DE:5C
> > > root at 1204base (ssh-rsa)</string></value>\n
> > > <value><string>B8:BF:50:00:03:BF:AD:71:34:28:CE:83:0A:74:5E:8A
> > > root at 1204base (ecdsa-sha2-nistp256)</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>has_keytab</name>\n
> > > <value><boolean>1</boolean></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>ipasshpubkey</name>\n
> > > <value><array><data>\n
> > > <value><string>ssh-dss
> > > AAAAB3NzaC1kc3MAAACBAPC0DSpZuBTz08MTehuPVq2IDPZMjSpmZz+zuQ9UbAb2yzWspsUfH3FRXMsp5M/NjKjZEUt+f5u24Q6D20Puo1qlhSW6KZv9xtx3Az/zWskvyE5XltCarOjokyjIdF4tcdlpI2onXKJBcUatZI1P9PHe+zEWMY+kbPmQ1R8h2mJTAAAAFQC1Xlgau1z17rjf5HkIBBk+d5WHJQAAAIEAut8bZLpXb1oKCQnTPV4PTXI0bAdIJWHf/4H1HN3E3rUwWwnGY/JiABBDxBJwdGnuYA9EpHZqx9+zkE86XS64Oh48VLvoVKmzMjALKnsMRDe4T5RUkxmOul36Iv+ughRNBRdO013N/j6ABj/6je73AYUGz3mKrWB+tz/szUZMAcsAAACAF73ttJiAMtcydaa63zCD+XldAk6jQwXgz0kBNTVq/n4CdFK4M+NxpH4YN93g5BQZ2IsfOlUUqrZiNy/BLrvqLBJJS+nhyLLKYEyBeiP6dnmVWw7R7A4ZX8osd4PyEAcCcfdzYGxvOJ8x5PdGu8ev8ytVEluxeHyW59vEvKlHBM0=
> > > root at 1204base</string></value>\n
> > > <value><string>ssh-rsa
> > > AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv
> > > root at 1204base</string></value>\n
> > > <value><string>ecdsa-sha2-nistp256
> > > AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=
> > > root at 1204base</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>cn</name>\n
> > > <value><array><data>\n
> > > <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>usercertificate</name>\n
> > > <value><array><data>\n
> > > <value><base64>\n
> > > </base64></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>krbextradata</name>\n
> > > <value><array><data>\n
> > > <value><base64>\n
> > > AAKVkgdTaG9zdC9zZS1pZG0tdWJ1bnR1LWNsaWVudC0wMS5ib2luZ28uY29tQEJPSU5HTy5DT00A\n
> > > </base64></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>has_password</name>\n
> > > <value><boolean>0</boolean></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>subject</name>\n
> > > <value><string>CN=se-idm-ubuntu-client-01.boingo.com,O=BOINGO.COM</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>ipacertificatesubjectbase</name>\n
> > > <value><array><data>\n
> > > <value><string>O=BOINGO.COM</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>sha1_fingerprint</name>\n
> > > <value><string>60:5c:7f:f5:e7:77:b7:3c:0c:c8:c0:07:3f:c3:00:18:c1:dd:9d:af</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>krblastsuccessfulauth</name>\n
> > > <value><array><data>\n
> > > <value><string>20140221181453Z</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>serial_number</name>\n
> > > <value><string>26</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>managedby_host</name>\n
> > > <value><array><data>\n
> > > <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>enrolledby_user</name>\n
> > > <value><array><data>\n
> > > <value><string>admin</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>dn</name>\n
> > > <value><string>fqdn=se-idm-ubuntu-client-01.boingo.com,cn=computers,cn=accounts,dc=boingo,dc=com</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>issuer</name>\n
> > > <value><string>CN=Certificate Authority,O=BOINGO.COM</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>ipauniqueid</name>\n
> > > <value><array><data>\n
> > > <value><string>459b077c-9b20-11e3-89c9-782bcb03bc6d</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>krbprincipalname</name>\n
> > > <value><array><data>\n
> > > <value><string>host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>serverhostname</name>\n
> > > <value><array><data>\n
> > > <value><string>se-idm-ubuntu-client-01</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>objectclass</name>\n
> > > <value><array><data>\n
> > > <value><string>ipaobject</string></value>\n
> > > <value><string>nshost</string></value>\n
> > > <value><string>ipahost</string></value>\n
> > > <value><string>pkiuser</string></value>\n
> > > <value><string>ipaservice</string></value>\n
> > > <value><string>krbprincipalaux</string></value>\n
> > > <value><string>krbprincipal</string></value>\n
> > > <value><string>ieee802device</string></value>\n
> > > <value><string>ipasshhost</string></value>\n
> > > <value><string>top</string></value>\n
> > > <value><string>ipaSshGroupOfPubKeys</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>valid_not_before</name>\n
> > > <value><string>Fri Feb 21 17:53:29 2014 UTC</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>valid_not_after</name>\n
> > > <value><string>Mon Feb 22 17:53:29 2016 UTC</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>fqdn</name>\n
> > > <value><array><data>\n
> > > <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>managing_host</name>\n
> > > <value><array><data>\n
> > > <value><string>se-idm-ubuntu-client-01.boingo.com</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>md5_fingerprint</name>\n
> > > <value><string>bb:dc:38:b3:19:ab:7c:07:27:31:f9:a7:78:a4:98:16</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>serial_number_hex</name>\n
> > > <value><string>0x1A</string></value>\n
> > > </member>\n
> > > <member>\n
> > > <name>krblastpwdchange</name>\n
> > > <value><array><data>\n
> > > <value><string>20140221175325Z</string></value>\n
> > > </data></array></value>\n
> > > </member>\n
> > > </struct></value>\n
> > > </data></array></value>\n
> > > </param>\n
> > > </params>\n
> > > </methodResponse>\n
> > > 
> > > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > > Certificate subject base is: O=BOINGO.COM
> > > 
> > > Enrolled in IPA realm BOINGO.COM
> > > Starting external process
> > > args=kdestroy
> > > Process finished, return code=0
> > > stdout=
> > > stderr=
> > > Starting external process
> > > args=/usr/bin/kinit -k -t /etc/krb5.keytab
> > > host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > > Process finished, return code=0
> > > stdout=
> > > stderr=
> > > Backing up system configuration file '/etc/ipa/default.conf'
> > > -> Not backing up - '/etc/ipa/default.conf' doesn't exist
> > > Created /etc/ipa/default.conf
> > > importing all plugin modules in
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins'...
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/entitle.py'
> > > skipping plugin module ipalib.plugins.entitle: No module named
> > > rhsm.connection
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'
> > > Starting external process
> > > args=klist -V
> > > Process finished, return code=0
> > > stdout=Kerberos 5 version 1.10-beta1
> > > 
> > > stderr=
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'
> > > importing plugin module
> > > '/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'
> > > Backing up system configuration file '/etc/sssd/sssd.conf'
> > > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > > Domain boingo.com is already configured in existing SSSD config,
> > > creating a new one.
> > > The old /etc/sssd/sssd.conf is backed up and will be restored during
> > > uninstall.
> > > Configured /etc/sssd/sssd.conf
> > > Starting external process
> > > args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
> > > /etc/ipa/ca.crt
> > > Process finished, return code=0
> > > stdout=
> > > stderr=
> > > Backing up system configuration file '/etc/krb5.conf'
> > > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > > Writing Kerberos configuration to /etc/krb5.conf:
> > > #File modified by ipa-client-install
> > > 
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > 
> > > [libdefaults]
> > > default_realm = BOINGO.COM
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = false
> > > rdns = false
> > > ticket_lifetime = 24h
> > > forwardable = yes
> > > 
> > > [realms]
> > > BOINGO.COM = {
> > > kdc = se-idm-01.boingo.com:88
> > > master_kdc = se-idm-01.boingo.com:88
> > > admin_server = se-idm-01.boingo.com:749
> > > default_domain = boingo.com
> > > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > > }
> > > 
> > > [domain_realm]
> > > .boingo.com = BOINGO.COM
> > > boingo.com = BOINGO.COM
> > > 
> > > Configured /etc/krb5.conf for IPA realm BOINGO.COM
> > > Starting external process
> > > args=keyctl search @s user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > > Process finished, return code=1
> > > stdout=
> > > stderr=keyctl_search: Required key not available
> > > 
> > > Starting external process
> > > args=keyctl search @s user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM
> > > Process finished, return code=1
> > > stdout=
> > > stderr=keyctl_search: Required key not available
> > > 
> > > failed to find session_cookie in persistent storage for principal
> > > 'host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM'
> > > trying https://se-idm-01.boingo.com/ipa/xml
> > > Created connection context.xmlclient
> > > raw: env(None, server=True)
> > > env(None, server=True, all=True)
> > > Forwarding 'env' to server u'https://se-idm-01.boingo.com/ipa/xml'
> > > NSSConnection init se-idm-01.boingo.com
> > > Connecting: 66.103.90.130:0
> > > auth_certificate_callback: check_sig=True is_server=False
> > > Data:
> > > Version: 3 (0x2)
> > > Serial Number: 10 (0xa)
> > > Signature Algorithm:
> > > Algorithm: PKCS #1 SHA-256 With RSA Encryption
> > > Issuer: CN=Certificate Authority,O=BOINGO.COM
> > > Validity:
> > > Not Before: Wed Jan 22 23:22:58 2014 UTC
> > > Not After : Sat Jan 23 23:22:58 2016 UTC
> > > Subject: CN=se-idm-01.boingo.com,O=BOINGO.COM
> > > Subject Public Key Info:
> > > Public Key Algorithm:
> > > Algorithm: PKCS #1 RSA Encryption
> > > RSA Public Key:
> > > Modulus:
> > > Exponent: 65537 (0x10001)
> > > Signed Extensions: (5)
> > > Name: Certificate Authority Key Identifier
> > > Critical: False
> > > Key ID:
> > > 2e:77:3e:6b:23:1f:b1:ce:07:8c:9e:09:09:03:cf:7c:
> > > 9a:20:46:cd
> > > Serial Number: None
> > > General Names: [0 total]
> > > 
> > > Name: Authority Information Access
> > > Critical: False
> > > 
> > > Name: Certificate Key Usage
> > > Critical: True
> > > Usages:
> > > Digital Signature
> > > Non-Repudiation
> > > Key Encipherment
> > > Data Encipherment
> > > 
> > > Name: Extended Key Usage
> > > Critical: False
> > > Usages:
> > > TLS Web Server Authentication Certificate
> > > TLS Web Client Authentication Certificate
> > > 
> > > Name: Certificate Subject Key ID
> > > Critical: False
> > > Data:
> > > c5:83:cc:e3:c4:64:6f:f1:67:47:f3:cd:6a:bd:f5:2c:
> > > ac:91:1e:0c
> > > 
> > > Signature:
> > > Signature Algorithm:
> > > Algorithm: PKCS #1 SHA-256 With RSA Encryption
> > > Signature:
> > > Fingerprint (MD5):
> > > 43:6b:f7:a8:12:d6:72:2f:3c:36:60:ff:ea:6b:53:a9
> > > Fingerprint (SHA1):
> > > 91:b6:61:43:5d:0b:d0:14:cf:71:c8:c6:20:88:74:be:
> > > ce:ad:a0:53
> > > approved_usage = SSLServer intended_usage = SSLServer
> > > cert valid True for "CN=se-idm-01.boingo.com (http://se-idm-01.boingo.com),O=BOINGO.COM"
> > > handshake complete, peer = 66.103.90.130:443
> > > received Set-Cookie 'ipa_session=feebdfa3447e7a8bdae71ad28871835e;
> > > Domain=se-idm-01.boingo.com (http://se-idm-01.boingo.com); Path=/ipa; Expires=Fri, 21 Feb 2014
> > > 19:47:41 GMT; Secure; HttpOnly'
> > > storing cookie 'ipa_session=feebdfa3447e7a8bdae71ad28871835e;
> > > Domain=se-idm-01.boingo.com (http://se-idm-01.boingo.com); Path=/ipa; Expires=Fri, 21 Feb 2014
> > > 19:47:41 GMT; Secure; HttpOnly' for principal
> > > host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Starting external process
> > > args=keyctl search @s user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Process finished, return code=1
> > > stdout=
> > > stderr=keyctl_search: Required key not available
> > > 
> > > Starting external process
> > > args=keyctl search @s user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Process finished, return code=1
> > > stdout=
> > > stderr=keyctl_search: Required key not available
> > > 
> > > Starting external process
> > > args=keyctl padd user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM) @s
> > > Process finished, return code=0
> > > stdout=546101869
> > > 
> > > stderr=
> > > Hostname (se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com)) not found in DNS
> > > Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> > > 
> > > zone boingo.com (http://boingo.com).
> > > update delete se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com). IN A
> > > send
> > > update add se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com). 1200 IN A 23.253.21.58
> > > send
> > > 
> > > Starting external process
> > > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> > > Process finished, return code=1
> > > stdout=
> > > stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
> > > failure. Minor code may provide more information, Minor = Server
> > > DNS/ns-1454.awsdns-53.org at BOINGO.COM (mailto:ns-1454.awsdns-53.org at BOINGO.COM) not found in Kerberos database.
> > > 
> > > nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
> > > returned non-zero exit status 1
> > > Failed to update DNS records.
> > > Starting external process
> > > args=/usr/sbin/service dbus status
> > > Process finished, return code=0
> > > stdout=dbus start/running, process 1004
> > > 
> > > stderr=
> > > Starting external process
> > > args=/usr/sbin/service certmonger restart
> > > Process finished, return code=0
> > > stdout=certmonger stop/waiting
> > > certmonger start/running
> > > 
> > > stderr=
> > > Starting external process
> > > args=/usr/sbin/service certmonger status
> > > Process finished, return code=0
> > > stdout=certmonger start/running
> > > 
> > > stderr=
> > > Starting external process
> > > args=/usr/sbin/service certmonger stop
> > > Process finished, return code=0
> > > stdout=certmonger stop/waiting
> > > 
> > > stderr=
> > > certmonger failed to stop: [Errno 2] No such file or directory:
> > > '/var/run/ipa/services.list'
> > > Starting external process
> > > args=/usr/sbin/service certmonger restart
> > > Process finished, return code=0
> > > stdout=certmonger start/running
> > > 
> > > stderr=stop: Unknown instance:
> > > 
> > > Starting external process
> > > args=/usr/sbin/service certmonger status
> > > Process finished, return code=0
> > > stdout=certmonger start/running
> > > 
> > > stderr=
> > > Starting external process
> > > args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
> > > se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com) -N
> > > CN=se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com),O=BOINGO.COM -K
> > > host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Process finished, return code=1
> > > stdout=Certificate at same location is already used by request with
> > > nickname "20140221175328".
> > > 
> > > stderr=
> > > certmonger request for host certificate failed
> > > Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> > > Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> > > Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> > > raw: host_mod(u'se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com)',
> > > ipasshpubkey=[u'ssh-rsa
> > > AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv
> > > root at 1204base', u'ssh-dss
> > > AAAAB3NzaC1kc3MAAACBAPC0DSpZuBTz08MTehuPVq2IDPZMjSpmZz+zuQ9UbAb2yzWspsUfH3FRXMsp5M/NjKjZEUt+f5u24Q6D20Puo1qlhSW6KZv9xtx3Az/zWskvyE5XltCarOjokyjIdF4tcdlpI2onXKJBcUatZI1P9PHe+zEWMY+kbPmQ1R8h2mJTAAAAFQC1Xlgau1z17rjf5HkIBBk+d5WHJQAAAIEAut8bZLpXb1oKCQnTPV4PTXI0bAdIJWHf/4H1HN3E3rUwWwnGY/JiABBDxBJwdGnuYA9EpHZqx9+zkE86XS64Oh48VLvoVKmzMjALKnsMRDe4T5RUkxmOul36Iv+ughRNBRdO013N/j6ABj/6je73AYUGz3mKrWB+tz/szUZMAcsAAACAF73ttJiAMtcydaa63zCD+XldAk6jQwXgz0kBNTVq/n4CdFK4M+NxpH4YN93g5BQZ2IsfOlUUqrZiNy/BLrvqLBJJS+nhyLLKYEyBeiP6dnmVWw7R7A4ZX8osd4PyEAcCcfdzYGxvOJ8x5PdGu8ev8ytVEluxeHyW59vEvKlHBM0=
> > > root at 1204base', u'ecdsa-sha2-nistp256
> > > AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=
> > > root at 1204base'], updatedns=False)
> > > host_mod(u'se-idm-ubuntu-client-01.boingo.com (http://se-idm-ubuntu-client-01.boingo.com)', random=False,
> > > ipasshpubkey=(u'ssh-rsa
> > > AAAAB3NzaC1yc2EAAAADAQABAAABAQCsoydbxu62xM4SHZbrPpPg95+iFLft7NnVvxPXr4rSQTUzrb+yUE1Eas5+/2wuyO3cYFPLVEe0hPF+7UHfRS7O/PiAZKvz7dSklt16lkq3BuHKi52IVwNgxsQfbD84FDCY1CaGeUScpAIVZ6JVc6D4+JM/INPsvStqreegqUy/bZRZ+YuT11AdxVTsOCwfCJWgyBPL5yDb11VfFglLm/8KnZ6asgyDeuaLNxwBySnifICX0WTx7VoQ1w8p+5Ncf7VAO8fojOZ/SwMqqP9ym7JT6OJvKL/ROd/5yZ/F21bmjZ/wKSrZDuhpZa+t6Qfn+ImrQm19VPhgdQsNZPhlE5Lv
> > > root at 1204base', u'ssh-dss
> > > root at 1204base', u'ecdsa-sha2-nistp256
> > > AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3ijpgDWM3+GwSGZrRIr5pXPfjJB+BXtUubwAebdVsXjgQPfD0lUjyF8jsn4Znz2PV8TFTJeCY9Nsg57aRcMmw=
> > > root at 1204base'), rights=False, updatedns=False, all=False, raw=False)
> > > Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
> > > NSSConnection init se-idm-01.boingo.com (http://se-idm-01.boingo.com)
> > > Connecting: 66.103.90.130:0
> > > handshake complete, peer = 66.103.90.130:443
> > > received Set-Cookie 'ipa_session=19d25037e9a9416d6201a0fbd3faaccb;
> > > Domain=se-idm-01.boingo.com (http://se-idm-01.boingo.com); Path=/ipa; Expires=Fri, 21 Feb 2014
> > > 19:47:43 GMT; Secure; HttpOnly'
> > > storing cookie 'ipa_session=19d25037e9a9416d6201a0fbd3faaccb;
> > > Domain=se-idm-01.boingo.com (http://se-idm-01.boingo.com); Path=/ipa; Expires=Fri, 21 Feb 2014
> > > 19:47:43 GMT; Secure; HttpOnly' for principal
> > > host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Starting external process
> > > args=keyctl search @s user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Process finished, return code=1
> > > stdout=
> > > stderr=keyctl_search: Required key not available
> > > 
> > > Starting external process
> > > args=keyctl search @s user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM)
> > > Process finished, return code=1
> > > stdout=
> > > stderr=keyctl_search: Required key not available
> > > 
> > > Starting external process
> > > args=keyctl padd user
> > > ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo.com at BOINGO.COM (mailto:se-idm-ubuntu-client-01.boingo.com at BOINGO.COM) @s
> > > Process finished, return code=0
> > > stdout=1008872903
> > > 
> > > stderr=
> > > Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no
> > > modifications to be performed
> > > Starting external process
> > > args=/usr/sbin/service nscd status
> > > Process finished, return code=1
> > > stdout=
> > > stderr=nscd: unrecognized service
> > > 
> > > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com (mailto:Freeipa-users at redhat.com)
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > 
> > 
> 
> 
> 
> Does the host have the old Kerberos key?
> If you go to the IPA UI for the host, does it still show that the host 
> has the key and the cert?
> I bet it does. Clean both. Or remove and recreate the host entry; that 
> might be even cleaner, but you need to think about all the host 
> membership entries that would be deleted with this operation, so use caution.
> 
> The whole situation points to the following:
> 1) Client system was once provisioned
> 2) System was reimaged/reprovisioned, but the uninstall did not complete, 
> or was not run, or was run offline, so the server still thinks that the client 
> is still around as a healthy but old instance, and its keys are gone.
> 
> To clean up this situation, the host entry and related certs should be cleaned 
> both on the client and server side.
> 
> Do we have a how-to about that? IMO it would be handy to have a HOWTO 
> that would tell "What should one do to reinstall the client if you wiped 
> the client without doing anything on the server".
> 
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 


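A triage helper for the install debug output quoted in this thread, added here as an example and not part of the original messages or of FreeIPA: it parses the `Starting external process` records and labels the failing ones, separating the repeated keyring cache misses from the leftover certmonger request that fits the stale-enrollment diagnosis above. The sample log is constructed (placeholder hostnames), and the function names and labels are assumptions of this example.

```python
import re

# Constructed sample in the record format of the debug output quoted above
# (hostnames are placeholders; the certmonger message is the one from the thread).
SAMPLE_LOG = """\
Starting external process
args=keyctl search @s user ipa_session_cookie:host/client.example.com@EXAMPLE.COM
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Minor = Server
DNS/ns.example.net@EXAMPLE.COM not found in Kerberos database.

Starting external process
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate
Process finished, return code=1
stdout=Certificate at same location is already used by request with
nickname "20140221175328".

stderr=
"""
RECORD = re.compile(r"args=(?P<args>.*?)\nProcess finished, return code=(?P<rc>\d+)\n"
                    r"stdout=(?P<out>.*?)\nstderr=(?P<err>.*)", re.S)
# Message substring -> label; the labels are this example's reading of the thread.
KNOWN = {"Required key not available": "cache-miss",
         "not found in Kerberos database": "dns-principal",
         "already used by request": "stale-certmonger-request"}

def parse_records(log):
    """Return one dict per external-process record; wrapped lines are re-joined."""
    recs = []
    for chunk in log.split("Starting external process\n")[1:]:
        m = RECORD.search(chunk)
        if m:
            # The error text may be on stdout (ipa-getcert) or stderr (keyctl, nsupdate).
            text = " ".join((m["out"] + " " + m["err"]).split())
            recs.append({"cmd": m["args"].split()[0], "rc": int(m["rc"]), "text": text})
    return recs

def triage(log):
    """Return (command, label) for every record with a non-zero return code."""
    return [(r["cmd"], next((lbl for s, lbl in KNOWN.items() if s in r["text"]), "unknown"))
            for r in parse_records(log) if r["rc"] != 0]
```

Strip the `> ` quote markers and the mail client's `(http://...)` and `(mailto:...)` residue before feeding a log copied out of a mail archive to `triage()`.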