[Freeipa-users] Issue with ipa-client-install v4.4.0
Mick Love
mick.love at oxygen8.com
Thu Mar 2 15:58:34 UTC 2017
Hi, I seem to be having some issues trying to install the IPA client (version
4.4.0) on CentOS 7 using DNS.
I can get a working install by issuing the --server flags, but I would
rather do it using SRV so we can issue the command via salt to multiple
servers, and, should we add another replicant, we will only need to update
the SRV records rather than updating all our client servers.
I am running this command,
$>ipa-client-install --force-ntpd --mkhomedir --principal admin --realm=UK.INTERNAL.MYDOMAIN.COM --domain uk.internal.mydomain.com --unattended -w superhard
But I keep getting this.
Discovery was successful!
Client hostname: portalwaf2.uk
Realm: UK.INTERNAL.MYDOMAIN.COM
DNS Domain: freeipa.uk.internal.mydomain.com
IPA Server: ipa1.uk.internal.mydomain.com
BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
Issuer: CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
Valid From: Fri Feb 17 12:09:04 2017 UTC
Valid Until: Tue Feb 17 12:09:04 2037 UTC
Enrolled in IPA realm UK.INTERNAL.MYDOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UK.INTERNAL.MYDOMAIN.COM
trying https://ipa1.uk.internal.mydomain.com/ipa/json
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3109, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2818, in install
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 413, in _fetch
    client.connect(verbose=False)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "UK.INTERNAL.MYDOMAIN.COM"
Installation log:
2017-03-02T15:38:32Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': 'freeipa.uk.internal.mydomain.com', 'force': False,
'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox':
False, 'primary': False, 'realm_name': 'UK.INTERNAL.MYDOMAIN.COM',
'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp':
True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None,
'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname':
None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False,
'unattended': True, 'all_ip_addresses': False, 'location': None, 'sssd':
True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'firefox_dir':
None, 'server': None, 'prompt_password': False, 'permit': False, 'debug':
False, 'preserve_sssd': False, 'mkhomedir': True, 'uninstall': False}
2017-03-02T15:38:32Z DEBUG missing options might be asked for interactively
later
2017-03-02T15:38:32Z DEBUG IPA version 4.4.0-14.el7.centos.4
2017-03-02T15:38:32Z DEBUG [IPA Discovery]
2017-03-02T15:38:32Z DEBUG Starting IPA discovery with domain=
freeipa.uk.internal.mydomain.com, servers=None, hostname=portalwaf2.uk
2017-03-02T15:38:32Z DEBUG Search for LDAP SRV record in
freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._
tcp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389
ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389
ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG [Kerberos realm search]
2017-03-02T15:38:32Z DEBUG Kerberos realm forced
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _kerberos._
udp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 88
ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 88
ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG [LDAP server check]
2017-03-02T15:38:32Z DEBUG Verifying that ipa1.uk.internal.mydomain.com
(realm UK.INTERNAL.MYDOMAIN.COM) is an IPA server
2017-03-02T15:38:32Z DEBUG Init LDAP connection to:
ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Search LDAP server for IPA base DN
2017-03-02T15:38:32Z DEBUG Check if naming context
'dc=uk,dc=internal,dc=mydomain,dc=com' is for IPA
2017-03-02T15:38:32Z DEBUG Naming context
'dc=uk,dc=internal,dc=mydomain,dc=com' is a valid IPA context
2017-03-02T15:38:32Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=uk,dc=internal,dc=mydomain,dc=com (sub)
2017-03-02T15:38:32Z DEBUG Found: cn=UK.INTERNAL.MYDOMAIN.COM
,cn=kerberos,dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z DEBUG Discovery result: Success; server=
ipa1.uk.internal.mydomain.com, domain=freeipa.uk.internal.mydomain.com, kdc=
ipa2.uk.internal.mydomain.com,ipa1.uk.internal.mydomain.com,
basedn=dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z DEBUG Validated servers: ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG will use discovered domain:
freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Start searching for LDAP SRV record in "
freeipa.uk.internal.mydomain.com" (Validating DNS Discovery) and its
sub-domains
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._
tcp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389
ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389
ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS validated, enabling discovery
2017-03-02T15:38:32Z DEBUG will use discovered server:
ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO Discovery was successful!
2017-03-02T15:38:32Z DEBUG will use discovered realm:
UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG will use discovered basedn:
dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z INFO Client hostname: portalwaf2.uk
2017-03-02T15:38:32Z DEBUG Hostname source: Machine's FQDN
2017-03-02T15:38:32Z INFO Realm: UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Realm source: Discovered from LDAP DNS records
in ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO DNS Domain: freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS Domain source: Discovered LDAP SRV records
from freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO IPA Server: ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG IPA Server source: Discovered from LDAP DNS
records in ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z DEBUG BaseDN source: From IPA server ldap://
ipa1.uk.internal.mydomain.com:389
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab
-r UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Process finished, return code=5
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=realm not found
2017-03-02T15:38:32Z INFO Synchronizing time with KDC...
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ntp._
udp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 123
ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 123
ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z INFO Attempting to sync time using ntpd. Will timeout
after 15 seconds
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc
/tmp/tmplUZ6sG
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=ntpd: time set -1.083636s
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=540282011
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE
2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /tmp/tmpEVHPqI:
2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = UK.INTERNAL.MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
UK.INTERNAL.MYDOMAIN.COM = {
kdc = ipa1.uk.internal.mydomain.com:88
master_kdc = ipa1.uk.internal.mydomain.com:88
admin_server = ipa1.uk.internal.mydomain.com:749
kpasswd_server = ipa1.uk.internal.mydomain.com:464
default_domain = freeipa.uk.internal.mydomain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
portalwaf2.uk = UK.INTERNAL.MYDOMAIN.COM
.uk = UK.INTERNAL.MYDOMAIN.COM
uk = UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Initializing principal
admin at UK.INTERNAL.MYDOMAIN.COM using password
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/kinit
admin at UK.INTERNAL.MYDOMAIN.COM -c /tmp/krbccxpYNsC/ccache
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=Password for
admin at UK.INTERNAL.MYDOMAIN.COM:
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG trying to retrieve CA cert via LDAP from
ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG flushing ldap://ipa1.uk.internal.mydomain.com:389
from SchemaCache
2017-03-02T15:38:32Z DEBUG retrieving schema for SchemaCache url=ldap://
ipa1.uk.internal.mydomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x1fb8ab8>
2017-03-02T15:38:32Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
Issuer: CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
Valid From: Fri Feb 17 12:09:04 2017 UTC
Valid Until: Tue Feb 17 12:09:04 2037 UTC
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-join -s
ipa1.uk.internal.mydomain.com -b dc=uk,dc=internal,dc=mydomain,dc=com -h
portalwaf2.uk -f
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=Keytab successfully retrieved and stored
in: /etc/krb5.keytab
Certificate subject base is: O=UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z INFO Enrolled in IPA realm UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=kdestroy
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Initializing principal host/
portalwaf2.uk at UK.INTERNAL.MYDOMAIN.COM using keytab /etc/krb5.keytab
2017-03-02T15:38:32Z DEBUG using ccache /etc/ipa/.dns_ccache
2017-03-02T15:38:32Z DEBUG Attempt 1/5: success
2017-03-02T15:38:32Z DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2017-03-02T15:38:32Z DEBUG -> Not backing up - '/etc/ipa/default.conf'
doesn't exist
2017-03-02T15:38:32Z INFO Created /etc/ipa/default.conf
2017-03-02T15:38:32Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2017-03-02T15:38:32Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf'
doesn't exist
2017-03-02T15:38:32Z INFO New SSSD config will be created
2017-03-02T15:38:32Z DEBUG Backing up system configuration file
'/etc/nsswitch.conf'
2017-03-02T15:38:32Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-02T15:38:32Z INFO Configured sudoers in /etc/nsswitch.conf
2017-03-02T15:38:32Z INFO Configured /etc/sssd/sssd.conf
2017-03-02T15:38:32Z DEBUG Backing up system configuration file
'/etc/krb5.conf'
2017-03-02T15:38:32Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=540282011
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE
2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = UK.INTERNAL.MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
UK.INTERNAL.MYDOMAIN.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
portalwaf2.uk = UK.INTERNAL.MYDOMAIN.COM
.uk = UK.INTERNAL.MYDOMAIN.COM
uk = UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z INFO Configured /etc/krb5.conf for IPA realm
UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/portalwaf2.uk at UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Process finished, return code=1
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -N -f
/tmp/tmp8JvkBZ
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -A -n
CA certificate 1 -t C,,
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/portalwaf2.uk at UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Process finished, return code=1
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available
2017-03-02T15:38:32Z DEBUG failed to find session_cookie in persistent
storage for principal 'host/portalwaf2.uk at UK.INTERNAL.MYDOMAIN.COM'
2017-03-02T15:38:32Z INFO trying
https://ipa1.uk.internal.mydomain.com/ipa/json
Running ipa-getcert list returns: Number of certificates and requests being
tracked: 0.
DNS records:
SRV record for FreeIPA
_kerberos.freeipa.uk IN TXT "FREEIPA.UK.INTERNAL.MYDOMAIN.COM"
_ldap._tcp IN SRV 60 0 389 ipa1.uk
IN SRV 40 0 389 ipa2.uk
_ldap._tcp.freeipa.uk IN SRV 60 0 389 ipa1.uk
IN SRV 40 0 389 ipa2.uk
_ldaps._tcp.freeipa.uk IN SRV 60 0 636 ipa1.uk
IN SRV 40 0 636 ipa2.uk
_kerberos._tcp.freeipa.uk IN SRV 60 0 464 ipa1.uk
IN SRV 40 0 464 ipa2.uk
_http._tcp.freeipa.uk IN SRV 60 0 80 ipa1.uk
IN SRV 40 0 80 ipa2.uk
_https._tcp.freeipa.uk IN SRV 60 0 443 ipa1.uk
IN SRV 40 0 442 ipa2.uk
_kerberos-adm._tcp.freeipa.uk IN SRV 60 0 749 ipa1.uk
IN SRV 40 0 749 ipa2.uk
_kerberos-master._udp.freeipa.uk IN SRV 0 0 88 ipa1.uk
_kerberos._udp.freeipa.uk IN SRV 60 0 88 ipa1.uk
IN SRV 40 0 88 ipa2.uk
_kpasswd._udp.freeipa.uk IN SRV 60 0 464 ipa1.uk
IN SRV 40 0 464 ipa2.uk
_ntp._udp.freeipa.uk IN SRV 60 0 123 ipa1.uk
IN SRV 40 0 123 ipa2.uk
Not sure what I'm getting wrong.
--
Regards
*Mick*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170302/803209c6/attachment.htm>
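The final /etc/krb5.conf quoted in the message has no kdc entries for the realm and sets dns_lookup_kdc = true, so libkrb5 has to find the KDC through SRV records named after the realm, while the SRV records listed at the end of the message live under freeipa.uk.internal.mydomain.com. The script below is an added example for this thread, not code from the original post or from FreeIPA: it parses that krb5.conf, works out which DNS names MIT krb5 would query for the KDC (_kerberos._udp.<realm> and _kerberos._tcp.<realm>, a documented MIT behaviour) and for host-to-realm mapping (_kerberos.<domain> TXT), and checks them against a constructed, offline stand-in for the zone built from the records in the message. Treating the relative names in the post (ipa1.uk, _ldap._tcp.freeipa.uk) as belonging to the zone uk.internal.mydomain.com is an assumption, as are the ORIGIN, ZONE, lookup and diagnose names.

```python
"""Offline consistency check of a krb5.conf against the DNS it relies on.

Added example for this thread (not from the original post or from FreeIPA).
KRB5_CONF is the final /etc/krb5.conf quoted in the message, trimmed to the
sections that matter; ZONE is a constructed stand-in for the live zone, built
from the SRV/TXT records listed in the message, so the check runs without
network access.
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = UK.INTERNAL.MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
[realms]
 UK.INTERNAL.MYDOMAIN.COM = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
[domain_realm]
 .freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
 freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
 portalwaf2.uk = UK.INTERNAL.MYDOMAIN.COM
 .uk = UK.INTERNAL.MYDOMAIN.COM
 uk = UK.INTERNAL.MYDOMAIN.COM
"""

ORIGIN = "uk.internal.mydomain.com"  # assumed zone origin of the relative names in the post
IPA = ["ipa1." + ORIGIN, "ipa2." + ORIGIN]
ZONE = {  # constructed: fully qualified owner name -> (rtype, rdata list)
    "_kerberos.freeipa." + ORIGIN: ("TXT", ["FREEIPA.UK.INTERNAL.MYDOMAIN.COM"]),
    "_ldap._tcp." + ORIGIN: ("SRV", IPA),
    "_ldap._tcp.freeipa." + ORIGIN: ("SRV", IPA),
    "_kerberos._udp.freeipa." + ORIGIN: ("SRV", IPA),
    "_kerberos._tcp.freeipa." + ORIGIN: ("SRV", IPA),
    "_kerberos-master._udp.freeipa." + ORIGIN: ("SRV", [IPA[0]]),
    "_kpasswd._udp.freeipa." + ORIGIN: ("SRV", IPA),
}


def lookup(name, rtype):
    """Return rdata for name/rtype from the constructed zone (empty list = no record)."""
    rec = ZONE.get(name.lower().rstrip("."))
    return list(rec[1]) if rec and rec[0] == rtype else []


def parse_krb5_conf(text):
    """Minimal krb5.conf parser returning (libdefaults, realms, domain_realm) dicts."""
    libdefaults, realms, domain_realm = {}, {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("includedir"):
            continue
        if line[0] == "[" and line[-1] == "]":
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            realms[realm] = {}
        elif section == "realms" and line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
            elif section == "domain_realm":
                domain_realm[key] = value
    return libdefaults, realms, domain_realm


def diagnose(conf_text):
    """Report where libkrb5 will look for the default realm's KDC and whether DNS agrees."""
    libdefaults, realms, domain_realm = parse_krb5_conf(conf_text)
    realm = libdefaults["default_realm"]
    report = {"realm": realm, "kdc_source": "none", "queried": [], "resolved": {},
              "same_service_elsewhere": [], "txt_realm_mismatch": []}
    if realms.get(realm, {}).get("kdc"):
        report["kdc_source"] = "static"
        report["resolved"] = {"kdc": realms[realm]["kdc"]}
    elif libdefaults.get("dns_lookup_kdc", "true").lower() == "true":
        # No kdc entry: MIT krb5 queries SRV records that use the realm name as DNS suffix.
        report["kdc_source"] = "dns"
        for proto in ("_udp", "_tcp"):
            qname = "_kerberos.%s.%s" % (proto, realm.lower())
            report["queried"].append(qname)
            answers = lookup(qname, "SRV")
            if answers:
                report["resolved"][qname] = answers
            else:
                # Is the same service published under a subdomain of the realm's name instead?
                prefix, suffix = "_kerberos.%s." % proto, "." + realm.lower()
                report["same_service_elsewhere"] += sorted(
                    n for n, (t, _) in ZONE.items()
                    if t == "SRV" and n.startswith(prefix) and n.endswith(suffix))
    # dns_lookup_realm=true: hosts are mapped to a realm via a _kerberos.<domain> TXT record,
    # so that record should agree with the [domain_realm] mapping for the same domain.
    seen = set()
    for domain, mapped in domain_realm.items():
        domain = domain.lstrip(".")
        if domain in seen:
            continue
        seen.add(domain)
        txt = lookup("_kerberos." + domain, "TXT")
        if txt and txt[0] != mapped:
            report["txt_realm_mismatch"].append((domain, txt[0], mapped))
    return report


if __name__ == "__main__":
    for key, value in diagnose(KRB5_CONF).items():
        print("%-24s %s" % (key + ":", value))
```

Run against the quoted configuration, the report says the KDC comes from DNS, that neither _kerberos._udp.uk.internal.mydomain.com nor _kerberos._tcp.uk.internal.mydomain.com has a record, that both services are published one label deeper under freeipa.uk.internal.mydomain.com, and that the _kerberos TXT record for that domain names a different realm than the [domain_realm] mapping does. The same function reports "static" when a kdc line is present in the [realms] block, which is the shape of the configuration produced when --server is given.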