Thanks for taking a look gents. Ask and ye shall receive. :) -Chris===[ CLI output ]==========root@sfca-do-1:~# ipa-client-install -p admin --mkhomedir --hostname=`hostname`Discovery was successful!Client hostname: sfca-do-1.xyz.comRealm: IPA.xyz.COMDNS Domain: xyz.comIPA Server: sfca-do-4.ipa.xyz.comBaseDN: dc=ipa,dc=xyz,dc=comContinue to configure the system with these values? [no]: yesSynchronizing time with KDC...Attempting to sync time using ntpd. Will timeout after 15 secondsAttempting to sync time using ntpd. Will timeout after 15 secondsUnable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.Password for admin@IPA.xyz.COM: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.xyz.COM Issuer: CN=Certificate Authority,O=IPA.xyz.COM Valid From: Fri Apr 07 22:57:36 2017 UTC Valid Until: Tue Apr 07 22:57:36 2037 UTC Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Valid From: Sun Mar 30 12:29:49 2003 UTC Valid Until: Tue Mar 29 12:29:49 2033 UTC Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Valid From: Sun Mar 30 12:29:49 2003 UTC Valid Until: Tue Mar 29 12:29:49 2033 UTC Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. Valid From: Sat Sep 30 21:12:19 2000 UTC Valid Until: Thu Sep 30 14:01:15 2021 UTC Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. Valid From: Thu Mar 17 16:40:46 2016 UTC Valid Until: Wed Mar 17 16:40:46 2021 UTCEnrolled in IPA realm IPA.xyz.COMCreated /etc/ipa/default.confNew SSSD config will be createdConfigured sudoers in /etc/nsswitch.confConfigured /etc/sssd/sssd.confConfigured /etc/krb5.conf for IPA realm IPA.xyz.COMtrying https://sfca-do-4.ipa.xyz.com/ipa/jsonForwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'Cannot connect to the server due to Kerberos error: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM". Trying with delegate=Truetrying https://sfca-do-4.ipa.xyz.com/ipa/jsonForwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'Second connect with delegate=True also failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"Cannot connect to the IPA server RPC interface: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"Installation failed. Rolling back changes.Unenrolling client from IPA serverUnenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.Removing Kerberos service principals from /etc/krb5.keytabDisabling client Kerberos and LDAP configurationsRedundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deletedRestoring client configuration filesnscd daemon is not installed, skip configurationnslcd daemon is not installed, skip configurationClient uninstall complete.=============[ /var/log/ipaclient-install.log ]=====2018-01-17T02:11:41Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': 'sfca-do-1.xyz.com', 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': True, 'uninstall': False}2018-01-17T02:11:41Z DEBUG missing options might be asked for interactively later2018-01-17T02:11:41Z DEBUG IPA version 4.3.12018-01-17T02:11:41Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:41Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:41Z DEBUG Starting external process2018-01-17T02:11:41Z DEBUG args=/bin/systemctl is-enabled chronyd.service2018-01-17T02:11:41Z DEBUG Process finished, return code=12018-01-17T02:11:41Z DEBUG stdout=2018-01-17T02:11:41Z DEBUG stderr=Failed to get unit file state for chronyd.service: No such file or directory2018-01-17T02:11:41Z DEBUG Starting external process2018-01-17T02:11:41Z DEBUG args=/bin/systemctl is-active chronyd.service2018-01-17T02:11:41Z DEBUG Process finished, return code=32018-01-17T02:11:41Z DEBUG stdout=inactive2018-01-17T02:11:41Z DEBUG stderr=2018-01-17T02:11:41Z DEBUG [IPA Discovery]2018-01-17T02:11:41Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=sfca-do-1.xyz.com2018-01-17T02:11:41Z DEBUG Start searching for LDAP SRV record in "xyz.com" (domain of the hostname) and its sub-domains2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _ldap._tcp.xyz.com2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 389 sfca-do-4.ipa.xyz.com.2018-01-17T02:11:41Z DEBUG [Kerberos realm search]2018-01-17T02:11:41Z DEBUG Search DNS for TXT record of _kerberos.xyz.com2018-01-17T02:11:41Z DEBUG DNS record found: "IPA.xyz.COM"2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _kerberos._udp.xyz.com2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 88 sfca-do-4.ipa.xyz.com.2018-01-17T02:11:41Z DEBUG [LDAP server check]2018-01-17T02:11:41Z DEBUG Verifying that sfca-do-4.ipa.xyz.com (realm IPA.xyz.COM) is an IPA server2018-01-17T02:11:41Z DEBUG Init LDAP connection to: sfca-do-4.ipa.xyz.com2018-01-17T02:11:41Z DEBUG Search LDAP server for IPA base DN2018-01-17T02:11:41Z DEBUG Check if naming context 'dc=ipa,dc=xyz,dc=com' is for IPA2018-01-17T02:11:41Z DEBUG Naming context 'dc=ipa,dc=xyz,dc=com' is a valid IPA context2018-01-17T02:11:41Z DEBUG Search for (objectClass=krbRealmContainer) in dc=ipa,dc=xyz,dc=com (sub)2018-01-17T02:11:41Z DEBUG Found: cn=IPA.xyz.COM,cn=kerberos,dc=ipa,dc=xyz,dc=com2018-01-17T02:11:41Z DEBUG Discovery result: Success; server=sfca-do-4.ipa.xyz.com, domain=xyz.com, kdc=sfca-do-4.ipa.xyz.com, basedn=dc=ipa,dc=xyz,dc=com2018-01-17T02:11:41Z DEBUG Validated servers: sfca-do-4.ipa.xyz.com2018-01-17T02:11:41Z DEBUG will use discovered domain: xyz.com2018-01-17T02:11:41Z DEBUG Start searching for LDAP SRV record in "xyz.com" (Validating DNS Discovery) and its sub-domains2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _ldap._tcp.xyz.com2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 389 sfca-do-4.ipa.xyz.com.2018-01-17T02:11:41Z DEBUG DNS validated, enabling discovery2018-01-17T02:11:41Z DEBUG will use discovered server: sfca-do-4.ipa.xyz.com2018-01-17T02:11:41Z INFO Discovery was successful!2018-01-17T02:11:41Z DEBUG will use discovered realm: IPA.xyz.COM2018-01-17T02:11:41Z DEBUG will use discovered basedn: dc=ipa,dc=xyz,dc=com2018-01-17T02:11:41Z INFO Client hostname: sfca-do-1.xyz.com2018-01-17T02:11:41Z DEBUG Hostname source: Provided as option2018-01-17T02:11:41Z INFO Realm: IPA.xyz.COM2018-01-17T02:11:41Z DEBUG Realm source: Discovered from LDAP DNS records in sfca-do-4.ipa.xyz.com2018-01-17T02:11:41Z INFO DNS Domain: xyz.com2018-01-17T02:11:41Z DEBUG DNS Domain source: Discovered LDAP SRV records from xyz.com (domain of the hostname)2018-01-17T02:11:41Z INFO IPA Server: sfca-do-4.ipa.xyz.com2018-01-17T02:11:41Z DEBUG IPA Server source: Discovered from LDAP DNS records in sfca-do-4.ipa.xyz.com2018-01-17T02:11:41Z INFO BaseDN: dc=ipa,dc=xyz,dc=com2018-01-17T02:11:41Z DEBUG BaseDN source: From IPA server ldap://sfca-do-4.ipa.xyz.com:3892018-01-17T02:11:44Z DEBUG Starting external process2018-01-17T02:11:44Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.xyz.COM2018-01-17T02:11:44Z DEBUG Process finished, return code=52018-01-17T02:11:44Z DEBUG stdout=2018-01-17T02:11:44Z DEBUG stderr=realm not found2018-01-17T02:11:44Z DEBUG Starting external process2018-01-17T02:11:44Z DEBUG args=/bin/hostname sfca-do-1.xyz.com2018-01-17T02:11:44Z DEBUG Process finished, return code=02018-01-17T02:11:44Z DEBUG stdout=2018-01-17T02:11:44Z DEBUG stderr=2018-01-17T02:11:44Z DEBUG Backing up system configuration file '/etc/hostname'2018-01-17T02:11:44Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:44Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:44Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:44Z INFO Synchronizing time with KDC...2018-01-17T02:11:44Z DEBUG Search DNS for SRV record of _ntp._udp.xyz.com2018-01-17T02:11:44Z DEBUG DNS record found: 10 100 123 sfca-do-4.ipa.xyz.com.2018-01-17T02:11:44Z INFO Attempting to sync time using ntpd. Will timeout after 15 seconds2018-01-17T02:11:44Z DEBUG Starting external process2018-01-17T02:11:44Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc /tmp/tmp1p24vZ2018-01-17T02:11:44Z DEBUG Process finished, return code=12018-01-17T02:11:44Z DEBUG stdout=16 Jan 18:11:44 ntpd[7370]: ntpd 4.2.8p4@1.3265-o Thu Sep 7 20:43:09 UTC 2017 (1): Starting16 Jan 18:11:44 ntpd[7370]: Command line: /usr/sbin/ntpd -qgc /tmp/tmp1p24vZ16 Jan 18:11:44 ntpd[7370]: proto: precision = 0.322 usec (-21)2018-01-17T02:11:44Z DEBUG stderr=16 Jan 18:11:44 ntpd[7370]: unable to bind to wildcard address :: - another process may be running - EXITING2018-01-17T02:11:44Z INFO Attempting to sync time using ntpd. Will timeout after 15 seconds2018-01-17T02:11:44Z DEBUG Starting external process2018-01-17T02:11:44Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc /tmp/tmpBmT1eO2018-01-17T02:11:44Z DEBUG Process finished, return code=12018-01-17T02:11:44Z DEBUG stdout=16 Jan 18:11:44 ntpd[7373]: ntpd 4.2.8p4@1.3265-o Thu Sep 7 20:43:09 UTC 2017 (1): Starting16 Jan 18:11:44 ntpd[7373]: Command line: /usr/sbin/ntpd -qgc /tmp/tmpBmT1eO16 Jan 18:11:44 ntpd[7373]: proto: precision = 0.327 usec (-21)2018-01-17T02:11:44Z DEBUG stderr=16 Jan 18:11:44 ntpd[7373]: unable to bind to wildcard address :: - another process may be running - EXITING2018-01-17T02:11:44Z WARNING Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.2018-01-17T02:11:44Z DEBUG Starting external process2018-01-17T02:11:44Z DEBUG args=keyctl get_persistent @s 02018-01-17T02:11:44Z DEBUG Process finished, return code=02018-01-17T02:11:44Z DEBUG stdout=6389171432018-01-17T02:11:44Z DEBUG stderr=2018-01-17T02:11:44Z DEBUG Enabling persistent keyring CCACHE2018-01-17T02:11:44Z DEBUG Writing Kerberos configuration to /tmp/tmpPKnyq_:2018-01-17T02:11:44Z DEBUG #File modified by ipa-client-installincludedir /var/lib/sss/pubconf/krb5.include.d/[libdefaults] default_realm = IPA.xyz.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid}[realms] IPA.xyz.COM = { kdc = sfca-do-4.ipa.xyz.com:88 master_kdc = sfca-do-4.ipa.xyz.com:88 admin_server = sfca-do-4.ipa.xyz.com:749 default_domain = xyz.com pkinit_anchors = FILE:/etc/ipa/ca.crt }[domain_realm] .xyz.com = IPA.xyz.COM xyz.com = IPA.xyz.COM2018-01-17T02:11:50Z DEBUG Initializing principal admin@IPA.xyz.COM using password2018-01-17T02:11:50Z DEBUG Starting external process2018-01-17T02:11:50Z DEBUG args=/usr/bin/kinit admin@IPA.xyz.COM -c /tmp/krbccCNSUmS/ccache2018-01-17T02:11:50Z DEBUG Process finished, return code=02018-01-17T02:11:50Z DEBUG stdout=Password for admin@IPA.xyz.COM:2018-01-17T02:11:50Z DEBUG stderr=2018-01-17T02:11:50Z DEBUG trying to retrieve CA cert via LDAP from sfca-do-4.ipa.xyz.com2018-01-17T02:11:50Z DEBUG flushing ldap://sfca-do-4.ipa.xyz.com:389 from SchemaCache2018-01-17T02:11:50Z DEBUG retrieving schema for SchemaCache url=ldap://sfca-do-4.ipa.xyz.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f77bb8fe320>2018-01-17T02:11:50Z INFO Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.xyz.COM Issuer: CN=Certificate Authority,O=IPA.xyz.COM Valid From: Fri Apr 07 22:57:36 2017 UTC Valid Until: Tue Apr 07 22:57:36 2037 UTC Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Valid From: Sun Mar 30 12:29:49 2003 UTC Valid Until: Tue Mar 29 12:29:49 2033 UTC Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Valid From: Sun Mar 30 12:29:49 2003 UTC Valid Until: Tue Mar 29 12:29:49 2033 UTC Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. Valid From: Sat Sep 30 21:12:19 2000 UTC Valid Until: Thu Sep 30 14:01:15 2021 UTC Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. Valid From: Thu Mar 17 16:40:46 2016 UTC Valid Until: Wed Mar 17 16:40:46 2021 UTC2018-01-17T02:11:50Z DEBUG Starting external process2018-01-17T02:11:50Z DEBUG args=/usr/sbin/ipa-join -s sfca-do-4.ipa.xyz.com -b dc=ipa,dc=xyz,dc=com -h sfca-do-1.xyz.com2018-01-17T02:11:51Z DEBUG Process finished, return code=02018-01-17T02:11:51Z DEBUG stdout=2018-01-17T02:11:51Z DEBUG stderr=Failed to parse result: Failed to decode GetKeytab Control.Retrying with pre-4.0 keytab retrieval method...Keytab successfully retrieved and stored in: /etc/krb5.keytabCertificate subject base is: O=IPA.xyz.COM2018-01-17T02:11:51Z INFO Enrolled in IPA realm IPA.xyz.COM2018-01-17T02:11:51Z DEBUG Starting external process2018-01-17T02:11:51Z DEBUG args=kdestroy2018-01-17T02:11:51Z DEBUG Process finished, return code=02018-01-17T02:11:51Z DEBUG stdout=2018-01-17T02:11:51Z DEBUG stderr=2018-01-17T02:11:51Z DEBUG Initializing principal host/sfca-do-1.xyz.com@IPA.xyz.COM using keytab /etc/krb5.keytab2018-01-17T02:11:51Z DEBUG using ccache /etc/ipa/.dns_ccache2018-01-17T02:11:51Z DEBUG Attempt 1/5: success2018-01-17T02:11:51Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'2018-01-17T02:11:51Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist2018-01-17T02:11:51Z INFO Created /etc/ipa/default.conf2018-01-17T02:11:51Z DEBUG importing all plugin modules in ipalib.plugins...2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.aci2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.automember2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.automount2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.baseldap2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.baseuser2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.batch2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.caacl2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.cert2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.certprofile2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.config2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.delegation2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.dns2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.domainlevel2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.group2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbacrule2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbacsvc2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbactest2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.host2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hostgroup2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.idrange2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.idviews2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.internal2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.krbtpolicy2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.migration2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.misc2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.netgroup2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.otpconfig2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.otptoken2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.otptoken_yubikey2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.passwd2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.permission2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.ping2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.pkinit2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.privilege2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.pwpolicy2018-01-17T02:11:52Z DEBUG Starting external process2018-01-17T02:11:52Z DEBUG args=klist -V2018-01-17T02:11:52Z DEBUG Process finished, return code=02018-01-17T02:11:52Z DEBUG stdout=Kerberos 5 version 1.13.22018-01-17T02:11:52Z DEBUG stderr=2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.radiusproxy2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.realmdomains2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.role2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.rpcclient2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.selfservice2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.selinuxusermap2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.server2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.service2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.servicedelegation2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.session2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.stageuser2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.sudocmd2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.sudorule2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.topology2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.trust2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.user2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.vault2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.virtual2018-01-17T02:11:53Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'2018-01-17T02:11:53Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist2018-01-17T02:11:53Z INFO New SSSD config will be created2018-01-17T02:11:53Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'2018-01-17T02:11:53Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:53Z INFO Configured sudoers in /etc/nsswitch.conf2018-01-17T02:11:53Z INFO Configured /etc/sssd/sssd.conf2018-01-17T02:11:53Z DEBUG Backing up system configuration file '/etc/krb5.conf'2018-01-17T02:11:53Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=keyctl get_persistent @s 02018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=6389171432018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG Enabling persistent keyring CCACHE2018-01-17T02:11:53Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:2018-01-17T02:11:53Z DEBUG #File modified by ipa-client-installincludedir /var/lib/sss/pubconf/krb5.include.d/[libdefaults] default_realm = IPA.xyz.COM dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid}[realms] IPA.xyz.COM = { pkinit_anchors = FILE:/etc/ipa/ca.crt }[domain_realm] .xyz.com = IPA.xyz.COM xyz.com = IPA.xyz.COM2018-01-17T02:11:53Z INFO Configured /etc/krb5.conf for IPA realm IPA.xyz.COM2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=keyctl search @s user ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.xyz.COM2018-01-17T02:11:53Z DEBUG Process finished, return code=12018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=keyctl_search: Required key not available2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -N -f /tmp/tmpUmc3dK2018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A -n CA certificate 1 -t C,,2018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A -n CA certificate 2 -t C,,2018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A -n CA certificate 3 -t C,,2018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A -n CA certificate 4 -t C,,2018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A -n CA certificate 5 -t C,,2018-01-17T02:11:53Z DEBUG Process finished, return code=02018-01-17T02:11:53Z DEBUG stdout=2018-01-17T02:11:53Z DEBUG stderr=2018-01-17T02:11:53Z DEBUG failed to find session_cookie in persistent storage for principal 'host/sfca-do-1.xyz.com@IPA.xyz.COM'2018-01-17T02:11:53Z INFO trying https://sfca-do-4.ipa.xyz.com/ipa/json2018-01-17T02:11:53Z DEBUG Created connection context.rpcclient_1401521471104162018-01-17T02:11:53Z DEBUG Try RPC connection2018-01-17T02:11:53Z INFO Forwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'2018-01-17T02:11:53Z DEBUG Destroyed connection context.rpcclient_1401521471104162018-01-17T02:11:53Z INFO Cannot connect to the server due to Kerberos error: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM". Trying with delegate=True2018-01-17T02:11:53Z INFO trying https://sfca-do-4.ipa.xyz.com/ipa/json2018-01-17T02:11:53Z DEBUG Created connection context.rpcclient_1401521471104162018-01-17T02:11:53Z DEBUG Try RPC connection2018-01-17T02:11:53Z INFO Forwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'2018-01-17T02:11:53Z WARNING Second connect with delegate=True also failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"2018-01-17T02:11:53Z ERROR Cannot connect to the IPA server RPC interface: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"2018-01-17T02:11:53Z ERROR Installation failed. Rolling back changes.2018-01-17T02:11:53Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'2018-01-17T02:11:53Z DEBUG Starting external process2018-01-17T02:11:53Z DEBUG args=ipa-client-automount --uninstall --debug2018-01-17T02:11:56Z DEBUG Process finished, return code=02018-01-17T02:11:56Z DEBUG stdout=Restoring configuration2018-01-17T02:11:56Z DEBUG stderr=importing all plugin modules in ipalib.plugins...importing plugin module ipalib.plugins.aciimporting plugin module ipalib.plugins.automemberimporting plugin module ipalib.plugins.automountimporting plugin module ipalib.plugins.baseldapimporting plugin module ipalib.plugins.baseuserimporting plugin module ipalib.plugins.batchimporting plugin module ipalib.plugins.caaclimporting plugin module ipalib.plugins.certimporting plugin module ipalib.plugins.certprofileimporting plugin module ipalib.plugins.configimporting plugin module ipalib.plugins.delegationimporting plugin module ipalib.plugins.dnsimporting plugin module ipalib.plugins.domainlevelimporting plugin module ipalib.plugins.groupimporting plugin module ipalib.plugins.hbacruleimporting plugin module ipalib.plugins.hbacsvcimporting plugin module ipalib.plugins.hbacsvcgroupimporting plugin module ipalib.plugins.hbactestimporting plugin module ipalib.plugins.hostimporting plugin module ipalib.plugins.hostgroupimporting plugin module ipalib.plugins.idrangeimporting plugin module ipalib.plugins.idviewsimporting plugin module ipalib.plugins.internalimporting plugin module ipalib.plugins.krbtpolicyimporting plugin module ipalib.plugins.migrationimporting plugin module ipalib.plugins.miscimporting plugin module ipalib.plugins.netgroupimporting plugin module ipalib.plugins.otpconfigimporting plugin module ipalib.plugins.otptokenimporting plugin module ipalib.plugins.otptoken_yubikeyimporting plugin module ipalib.plugins.passwdimporting plugin module ipalib.plugins.permissionimporting plugin module ipalib.plugins.pingimporting plugin module ipalib.plugins.pkinitimporting plugin module ipalib.plugins.privilegeimporting plugin module ipalib.plugins.pwpolicyStarting external processargs=klist -VProcess finished, return code=0stdout=Kerberos 5 version 1.13.2stderr=importing plugin module ipalib.plugins.radiusproxyimporting plugin module ipalib.plugins.realmdomainsimporting plugin module ipalib.plugins.roleimporting plugin module ipalib.plugins.rpcclientimporting plugin module ipalib.plugins.selfserviceimporting plugin module ipalib.plugins.selinuxusermapimporting plugin module ipalib.plugins.serverimporting plugin module ipalib.plugins.serviceimporting plugin module ipalib.plugins.servicedelegationimporting plugin module ipalib.plugins.sessionimporting plugin module ipalib.plugins.stageuserimporting plugin module ipalib.plugins.sudocmdimporting plugin module ipalib.plugins.sudocmdgroupimporting plugin module ipalib.plugins.sudoruleimporting plugin module ipalib.plugins.topologyimporting plugin module ipalib.plugins.trustimporting plugin module ipalib.plugins.userimporting plugin module ipalib.plugins.vaultimporting plugin module ipalib.plugins.virtualRestoring system configuration file '/etc/nsswitch.conf'Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:56Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:56Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:56Z DEBUG Starting external process2018-01-17T02:11:56Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Local IPA host -a2018-01-17T02:11:56Z DEBUG Process finished, return code=2552018-01-17T02:11:56Z DEBUG stdout=2018-01-17T02:11:56Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.2018-01-17T02:11:56Z DEBUG Starting external process2018-01-17T02:11:56Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n IPA Machine Certificate - sfca-do-1.xyz.com -a2018-01-17T02:11:56Z DEBUG Process finished, return code=2552018-01-17T02:11:56Z DEBUG stdout=2018-01-17T02:11:56Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.2018-01-17T02:11:56Z DEBUG Starting external process2018-01-17T02:11:56Z DEBUG args=/bin/systemctl start certmonger.service2018-01-17T02:11:56Z DEBUG Process finished, return code=02018-01-17T02:11:56Z DEBUG stdout=2018-01-17T02:11:56Z DEBUG stderr=2018-01-17T02:11:56Z DEBUG Starting external process2018-01-17T02:11:56Z DEBUG args=/bin/systemctl is-active certmonger.service2018-01-17T02:11:56Z DEBUG Process finished, return code=02018-01-17T02:11:56Z DEBUG stdout=active2018-01-17T02:11:56Z DEBUG stderr=2018-01-17T02:11:56Z DEBUG Starting external process2018-01-17T02:11:56Z DEBUG args=/bin/systemctl stop certmonger.service2018-01-17T02:11:56Z DEBUG Process finished, return code=02018-01-17T02:11:56Z DEBUG stdout=2018-01-17T02:11:56Z DEBUG stderr=2018-01-17T02:11:56Z DEBUG Starting external process2018-01-17T02:11:56Z DEBUG args=/bin/systemctl disable certmonger.service2018-01-17T02:11:57Z DEBUG Process finished, return code=02018-01-17T02:11:57Z DEBUG stdout=2018-01-17T02:11:57Z DEBUG stderr=Synchronizing state of certmonger.service with SysV init with /lib/systemd/systemd-sysv-install...Executing /lib/systemd/systemd-sysv-install disable certmongerinsserv: warning: current start runlevel(s) (empty) of script `certmonger' overrides LSB defaults (2 3 4 5).insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `certmonger' overrides LSB defaults (0 1 6).insserv: warning: current start runlevel(s) (empty) of script `certmonger' overrides LSB defaults (2 3 4 5).insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `certmonger' overrides LSB defaults (0 1 6).2018-01-17T02:11:57Z INFO Unenrolling client from IPA server2018-01-17T02:11:57Z DEBUG Starting external process2018-01-17T02:11:57Z DEBUG args=/usr/sbin/ipa-join --unenroll -h sfca-do-1.xyz.com2018-01-17T02:11:57Z DEBUG Process finished, return code=212018-01-17T02:11:57Z DEBUG stdout=2018-01-17T02:11:57Z DEBUG stderr=Error getting default Kerberos realm: Configuration file does not specify default realm.2018-01-17T02:11:57Z ERROR Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.2018-01-17T02:11:57Z INFO Removing Kerberos service principals from /etc/krb5.keytab2018-01-17T02:11:57Z DEBUG Starting external process2018-01-17T02:11:57Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.xyz.COM2018-01-17T02:11:57Z DEBUG Process finished, return code=02018-01-17T02:11:57Z DEBUG stdout=2018-01-17T02:11:57Z DEBUG stderr=Removing principal host/sfca-do-1.xyz.com@IPA.xyz.COM2018-01-17T02:11:57Z INFO Disabling client Kerberos and LDAP configurations2018-01-17T02:11:57Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted2018-01-17T02:11:57Z DEBUG Starting external process2018-01-17T02:11:57Z DEBUG args=/bin/systemctl stop sssd.service2018-01-17T02:11:57Z DEBUG Process finished, return code=02018-01-17T02:11:57Z DEBUG stdout=2018-01-17T02:11:57Z DEBUG stderr=2018-01-17T02:11:57Z DEBUG Starting external process2018-01-17T02:11:57Z DEBUG args=/bin/systemctl disable sssd.service2018-01-17T02:11:57Z DEBUG Process finished, return code=02018-01-17T02:11:57Z DEBUG stdout=2018-01-17T02:11:57Z DEBUG stderr=2018-01-17T02:11:57Z INFO Restoring client configuration files2018-01-17T02:11:57Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'2018-01-17T02:11:57Z DEBUG -> no files, removing file2018-01-17T02:11:57Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:57Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:57Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:57Z DEBUG -> no modules, removing file2018-01-17T02:11:57Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'2018-01-17T02:11:57Z DEBUG Starting external process2018-01-17T02:11:57Z DEBUG args=/bin/systemctl list-unit-files --full2018-01-17T02:11:58Z DEBUG Process finished, return code=02018-01-17T02:11:58Z DEBUG stdout=UNIT FILE STATE proc-sys-fs-binfmt_misc.automount static dev-hugepages.mount static dev-mqueue.mount static proc-sys-fs-binfmt_misc.mount static sys-fs-fuse-connections.mount static sys-kernel-config.mount static sys-kernel-debug.mount static acpid.path enabled systemd-ask-password-console.path static systemd-ask-password-plymouth.path static systemd-ask-password-wall.path static systemd-networkd-resolvconf-update.path static accounts-daemon.service enabled acpid.service disabledapport-forward@.service static apt-daily-upgrade.service static apt-daily.service static atd.service enabled autovt@.service enabled bind9-pkcs11.service masked bind9-resolvconf.service masked bind9.service masked bootlogd.service masked bootlogs.service masked bootmisc.service masked certbot.service static certmonger.service disabledcheck_mk@.service static checkfs.service masked checkroot-bootclean.service masked checkroot.service masked cloud-config.service enabled cloud-final.service enabled cloud-init-local.service enabled cloud-init.service enabled console-getty.service disabledconsole-setup.service static console-shell.service disabledcontainer-getty@.service static cron.service enabled cryptdisks-early.service masked cryptdisks.service masked dbus-org.freedesktop.hostname1.service static dbus-org.freedesktop.locale1.service static dbus-org.freedesktop.login1.service static dbus-org.freedesktop.network1.service disableddbus-org.freedesktop.resolve1.service disableddbus-org.freedesktop.timedate1.service static dbus.service static debug-shell.service disableddm-event.service disabledemergency.service static fail2ban.service enabled friendly-recovery.service enabled fuse.service masked getty-static.service static getty@.service enabled halt.service masked hostname.service masked hwclock.service masked ifup@.service static initrd-cleanup.service static initrd-parse-etc.service static initrd-switch-root.service static initrd-udevadm-cleanup-db.service static iscsi.service enabled iscsid.service enabled keyboard-setup.service disabledkillprocs.service masked kmod-static-nodes.service static kmod.service static lvm2-lvmetad.service disabledlvm2-lvmpolld.service disabledlvm2-monitor.service enabled lvm2-pvscan@.service static lvm2.service masked lxcfs.service enabled lxd-bridge.service static lxd-containers.service enabled lxd.service indirectmdadm-shutdown.service disabledmodule-init-tools.service static motd.service masked mountall-bootclean.service masked mountall.service masked mountdevsubfs.service masked mountkernfs.service masked mountnfs-bootclean.service masked mountnfs.service masked mysql.service enabled networking.service enabled oddjobd.service enabled open-iscsi.service enabled pdns.service enabled pdns@.service disabledplymouth-halt.service static plymouth-kexec.service static plymouth-log.service static plymouth-poweroff.service static plymouth-quit-wait.service static plymouth-quit.service static plymouth-read-write.service static plymouth-reboot.service static plymouth-start.service static plymouth-switch-root.service static plymouth.service static polkitd.service static pollinate.service enabled procps.service static quotaon.service static rc-local.service static rc.local.service static rc.service masked rcS.service masked reboot.service masked rescue.service static resolvconf.service enabled rmnologin.service masked rsync.service disabledrsyslog.service masked screen-cleanup.service masked sendsigs.service masked serial-getty@.service disabledsetvtrgb.service static sigpwr-container-shutdown.service static single.service masked snapd.autoimport.service enabled snapd.core-fixup.service enabled snapd.refresh.service static snapd.service enabled snapd.snap-repair.service static snapd.system-shutdown.service enabled ssh.service enabled ssh@.service static sshd.service enabled sssd.service disabledstop-bootlogd-single.service masked stop-bootlogd.service masked syslog-ng.service enabled syslog.service masked systemd-ask-password-console.service static systemd-ask-password-plymouth.service static systemd-ask-password-wall.service static systemd-backlight@.service static systemd-binfmt.service static systemd-bootchart.service disabledsystemd-bus-proxyd.service static systemd-exit.service static systemd-fsck-root.service static systemd-fsck@.service static systemd-fsckd.service static systemd-halt.service static systemd-hibernate-resume@.service static systemd-hibernate.service static systemd-hostnamed.service static systemd-hwdb-update.service static systemd-hybrid-sleep.service static systemd-initctl.service static systemd-journal-flush.service static systemd-journald.service static systemd-kexec.service static systemd-localed.service static systemd-logind.service static systemd-machine-id-commit.service static systemd-modules-load.service static systemd-networkd-resolvconf-update.service static systemd-networkd-wait-online.service disabledsystemd-networkd.service disabledsystemd-poweroff.service static systemd-quotacheck.service static systemd-random-seed.service static systemd-reboot.service static systemd-remount-fs.service static systemd-resolved.service disabledsystemd-rfkill.service static systemd-suspend.service static systemd-sysctl.service static systemd-timedated.service static systemd-timesyncd.service enabled systemd-tmpfiles-clean.service static systemd-tmpfiles-setup-dev.service static systemd-tmpfiles-setup.service static systemd-udev-settle.service static systemd-udev-trigger.service static systemd-udevd.service static systemd-update-utmp-runlevel.service static systemd-update-utmp.service static systemd-user-sessions.service static udev-finish.service masked udev.service static ufw.service enabled umountfs.service masked umountnfs.service masked umountroot.service masked unattended-upgrades.service enabled urandom.service static ureadahead-stop.service static ureadahead.service enabled user@.service static uuidd.service indirectx11-common.service masked -.slice static machine.slice static system.slice static user.slice static acpid.socket enabled apport-forward.socket enabled check_mk.socket enabled dbus.socket static dm-event.socket enabled lvm2-lvmetad.socket enabled lvm2-lvmpolld.socket enabled lxd.socket enabled snapd.socket enabled ssh.socket disabledsyslog.socket static systemd-bus-proxyd.socket static systemd-fsckd.socket static systemd-initctl.socket static systemd-journald-audit.socket static systemd-journald-dev-log.socket static systemd-journald.socket static systemd-networkd.socket disabledsystemd-rfkill.socket static systemd-udevd-control.socket static systemd-udevd-kernel.socket static uuidd.socket enabled basic.target static bluetooth.target static busnames.target static cloud-config.target static cloud-init.target static cryptsetup-pre.target static cryptsetup.target static ctrl-alt-del.target disableddefault.target static emergency.target static exit.target disabledfinal.target static getty.target static graphical.target static halt.target disabledhibernate.target static hybrid-sleep.target static initrd-fs.target static initrd-root-fs.target static initrd-switch-root.target static initrd.target static kexec.target disabledlocal-fs-pre.target static local-fs.target static mail-transport-agent.target static multi-user.target static network-online.target static network-pre.target static network.target static nss-lookup.target static nss-user-lookup.target static paths.target static poweroff.target disabledprinter.target static reboot.target disabledremote-fs-pre.target static remote-fs.target enabled rescue.target disabledrpcbind.target static runlevel0.target disabledrunlevel1.target disabledrunlevel2.target static runlevel3.target static runlevel4.target static runlevel5.target static runlevel6.target disabledshutdown.target static sigpwr.target static sleep.target static slices.target static smartcard.target static sockets.target static sound.target static suspend.target static swap.target static sysinit.target static system-update.target static time-sync.target static timers.target static umount.target static apt-daily-upgrade.timer enabled apt-daily.timer enabled certbot.timer enabled snapd.refresh.timer enabled snapd.snap-repair.timer enabled systemd-tmpfiles-clean.timer static ureadahead-stop.timer static 294 unit files listed.2018-01-17T02:11:58Z DEBUG stderr=2018-01-17T02:11:58Z INFO nscd daemon is not installed, skip configuration2018-01-17T02:11:58Z DEBUG Starting external process2018-01-17T02:11:58Z DEBUG args=/bin/systemctl list-unit-files --full2018-01-17T02:11:58Z DEBUG Process finished, return code=02018-01-17T02:11:58Z DEBUG stdout=UNIT FILE STATE proc-sys-fs-binfmt_misc.automount static dev-hugepages.mount static dev-mqueue.mount static proc-sys-fs-binfmt_misc.mount static sys-fs-fuse-connections.mount static sys-kernel-config.mount static sys-kernel-debug.mount static acpid.path enabled systemd-ask-password-console.path static systemd-ask-password-plymouth.path static systemd-ask-password-wall.path static systemd-networkd-resolvconf-update.path static accounts-daemon.service enabled acpid.service disabledapport-forward@.service static apt-daily-upgrade.service static apt-daily.service static atd.service enabled autovt@.service enabled bind9-pkcs11.service masked bind9-resolvconf.service masked bind9.service masked bootlogd.service masked bootlogs.service masked bootmisc.service masked certbot.service static certmonger.service disabledcheck_mk@.service static checkfs.service masked checkroot-bootclean.service masked checkroot.service masked cloud-config.service enabled cloud-final.service enabled cloud-init-local.service enabled cloud-init.service enabled console-getty.service disabledconsole-setup.service static console-shell.service disabledcontainer-getty@.service static cron.service enabled cryptdisks-early.service masked cryptdisks.service masked dbus-org.freedesktop.hostname1.service static dbus-org.freedesktop.locale1.service static dbus-org.freedesktop.login1.service static dbus-org.freedesktop.network1.service disableddbus-org.freedesktop.resolve1.service disableddbus-org.freedesktop.timedate1.service static dbus.service static debug-shell.service disableddm-event.service disabledemergency.service static fail2ban.service enabled friendly-recovery.service enabled fuse.service masked getty-static.service static getty@.service enabled halt.service masked hostname.service masked hwclock.service masked ifup@.service static initrd-cleanup.service static initrd-parse-etc.service static initrd-switch-root.service static initrd-udevadm-cleanup-db.service static iscsi.service enabled iscsid.service enabled keyboard-setup.service disabledkillprocs.service masked kmod-static-nodes.service static kmod.service static lvm2-lvmetad.service disabledlvm2-lvmpolld.service disabledlvm2-monitor.service enabled lvm2-pvscan@.service static lvm2.service masked lxcfs.service enabled lxd-bridge.service static lxd-containers.service enabled lxd.service indirectmdadm-shutdown.service disabledmodule-init-tools.service static motd.service masked mountall-bootclean.service masked mountall.service masked mountdevsubfs.service masked mountkernfs.service masked mountnfs-bootclean.service masked mountnfs.service masked mysql.service enabled networking.service enabled oddjobd.service enabled open-iscsi.service enabled pdns.service enabled pdns@.service disabledplymouth-halt.service static plymouth-kexec.service static plymouth-log.service static plymouth-poweroff.service static plymouth-quit-wait.service static plymouth-quit.service static plymouth-read-write.service static plymouth-reboot.service static plymouth-start.service static plymouth-switch-root.service static plymouth.service static polkitd.service static pollinate.service enabled procps.service static quotaon.service static rc-local.service static rc.local.service static rc.service masked rcS.service masked reboot.service masked rescue.service static resolvconf.service enabled rmnologin.service masked rsync.service disabledrsyslog.service masked screen-cleanup.service masked sendsigs.service masked serial-getty@.service disabledsetvtrgb.service static sigpwr-container-shutdown.service static single.service masked snapd.autoimport.service enabled snapd.core-fixup.service enabled snapd.refresh.service static snapd.service enabled snapd.snap-repair.service static snapd.system-shutdown.service enabled ssh.service enabled ssh@.service static sshd.service enabled sssd.service disabledstop-bootlogd-single.service masked stop-bootlogd.service masked syslog-ng.service enabled syslog.service masked systemd-ask-password-console.service static systemd-ask-password-plymouth.service static systemd-ask-password-wall.service static systemd-backlight@.service static systemd-binfmt.service static systemd-bootchart.service disabledsystemd-bus-proxyd.service static systemd-exit.service static systemd-fsck-root.service static systemd-fsck@.service static systemd-fsckd.service static systemd-halt.service static systemd-hibernate-resume@.service static systemd-hibernate.service static systemd-hostnamed.service static systemd-hwdb-update.service static systemd-hybrid-sleep.service static systemd-initctl.service static systemd-journal-flush.service static systemd-journald.service static systemd-kexec.service static systemd-localed.service static systemd-logind.service static systemd-machine-id-commit.service static systemd-modules-load.service static systemd-networkd-resolvconf-update.service static systemd-networkd-wait-online.service disabledsystemd-networkd.service disabledsystemd-poweroff.service static systemd-quotacheck.service static systemd-random-seed.service static systemd-reboot.service static systemd-remount-fs.service static systemd-resolved.service disabledsystemd-rfkill.service static systemd-suspend.service static systemd-sysctl.service static systemd-timedated.service static systemd-timesyncd.service enabled systemd-tmpfiles-clean.service static systemd-tmpfiles-setup-dev.service static systemd-tmpfiles-setup.service static systemd-udev-settle.service static systemd-udev-trigger.service static systemd-udevd.service static systemd-update-utmp-runlevel.service static systemd-update-utmp.service static systemd-user-sessions.service static udev-finish.service masked udev.service static ufw.service enabled umountfs.service masked umountnfs.service masked umountroot.service masked unattended-upgrades.service enabled urandom.service static ureadahead-stop.service static ureadahead.service enabled user@.service static uuidd.service indirectx11-common.service masked -.slice static machine.slice static system.slice static user.slice static acpid.socket enabled apport-forward.socket enabled check_mk.socket enabled dbus.socket static dm-event.socket enabled lvm2-lvmetad.socket enabled lvm2-lvmpolld.socket enabled lxd.socket enabled snapd.socket enabled ssh.socket disabledsyslog.socket static systemd-bus-proxyd.socket static systemd-fsckd.socket static systemd-initctl.socket static systemd-journald-audit.socket static systemd-journald-dev-log.socket static systemd-journald.socket static systemd-networkd.socket disabledsystemd-rfkill.socket static systemd-udevd-control.socket static systemd-udevd-kernel.socket static uuidd.socket enabled basic.target static bluetooth.target static busnames.target static cloud-config.target static cloud-init.target static cryptsetup-pre.target static cryptsetup.target static ctrl-alt-del.target disableddefault.target static emergency.target static exit.target disabledfinal.target static getty.target static graphical.target static halt.target disabledhibernate.target static hybrid-sleep.target static initrd-fs.target static initrd-root-fs.target static initrd-switch-root.target static initrd.target static kexec.target disabledlocal-fs-pre.target static local-fs.target static mail-transport-agent.target static multi-user.target static network-online.target static network-pre.target static network.target static nss-lookup.target static nss-user-lookup.target static paths.target static poweroff.target disabledprinter.target static reboot.target disabledremote-fs-pre.target static remote-fs.target enabled rescue.target disabledrpcbind.target static runlevel0.target disabledrunlevel1.target disabledrunlevel2.target static runlevel3.target static runlevel4.target static runlevel5.target static runlevel6.target disabledshutdown.target static sigpwr.target static sleep.target static slices.target static smartcard.target static sockets.target static sound.target static suspend.target static swap.target static sysinit.target static system-update.target static time-sync.target static timers.target static umount.target static apt-daily-upgrade.timer enabled apt-daily.timer enabled certbot.timer enabled snapd.refresh.timer enabled snapd.snap-repair.timer enabled systemd-tmpfiles-clean.timer static ureadahead-stop.timer static 294 unit files listed.2018-01-17T02:11:58Z DEBUG stderr=2018-01-17T02:11:58Z INFO nslcd daemon is not installed, skip configuration2018-01-17T02:11:58Z INFO Client uninstall complete.==========

On 1/16/18 1:11 PM, Rob Crittenden wrote:

Robbie Harwood via FreeIPA-users wrote:

Chris Moody via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm
IPA.XYZ.COM
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.XYZ.COM
2018-01-15T21:55:24Z DEBUG Process finished, return code=1
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available

I'm not familiar with what IPA's trying to do here, but this looks like
a problem?  Can someone else comment?

This is perfectly normal. IPA stores the session cookie in the kernel
keyring. Given this is a new install there is no cookie to find.

I have tried manually setting /etc/krb5.conf to the contents that get>
generated & display during the verbose client-install process (as seen
above), that manually spell out the KDC details, and am able to run a
'kinit admin' just fine from the CLI on the client, so kerberos DOES
function from the client.  It talks to the KDC beautifully and
authenticates just fine... so I'm not sure how the client-install
process is getting confused/lost when trying to find/contact the KDC.

Someone else who knows more than me: how is the install different than a
normal kinit?

I think we'd need to see the full ipaclient-install.log.

rob