Thanks for taking a look gents. Ask and ye shall receive. :)
-Chris
===[ CLI output ]==========
root@sfca-do-1:~# ipa-client-install -p admin --mkhomedir --hostname=`hostname`
Discovery was successful!
Client hostname: sfca-do-1.xyz.com
Realm: IPA.xyz.COM
DNS Domain: xyz.com
IPA Server: sfca-do-4.ipa.xyz.com
BaseDN: dc=ipa,dc=xyz,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@IPA.xyz.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.xyz.COM
Issuer: CN=Certificate Authority,O=IPA.xyz.COM
Valid From: Fri Apr 07 22:57:36 2017 UTC
Valid Until: Tue Apr 07 22:57:36 2037 UTC
Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Valid From: Sun Mar 30 12:29:49 2003 UTC
Valid Until: Tue Mar 29 12:29:49 2033 UTC
Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Valid From: Sun Mar 30 12:29:49 2003 UTC
Valid Until: Tue Mar 29 12:29:49 2033 UTC
Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Valid From: Sat Sep 30 21:12:19 2000 UTC
Valid Until: Thu Sep 30 14:01:15 2021 UTC
Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Valid From: Thu Mar 17 16:40:46 2016 UTC
Valid Until: Wed Mar 17 16:40:46 2021 UTC
Enrolled in IPA realm IPA.xyz.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.xyz.COM
trying https://sfca-do-4.ipa.xyz.com/ipa/json
Forwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'
Cannot connect to the server due to Kerberos error: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM". Trying with delegate=True
trying https://sfca-do-4.ipa.xyz.com/ipa/json
Forwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'
Second connect with delegate=True also failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"
Cannot connect to the IPA server RPC interface: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
==========
===[ /var/log/ipaclient-install.log ]=====
2018-01-17T02:11:41Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': None, 'force': False,
'krb5_offline_passwords':
True, 'ip_addresses': [], 'configure_firefox': False, 'primary':
False,
'realm_name': None, 'force_ntpd': False, 'create_sshfp': True,
'conf_sshd': True, 'conf_ntp': True, 'on_master': False,
'no_nisdomain':
False, 'nisdomain': None, 'ca_cert_file': None, 'principal':
'admin',
'keytab': None, 'hostname': 'sfca-do-1.xyz.com',
'request_cert': False,
'trust_sshfp': False, 'no_ac': False, 'unattended': None,
'all_ip_addresses': False, 'location': None, 'sssd': True,
'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
'firefox_dir':
None, 'server': None, 'prompt_password': False, 'permit': False,
'debug': False, 'preserve_sssd': False, 'mkhomedir': True,
'uninstall':
False}
2018-01-17T02:11:41Z DEBUG missing options might be asked for
interactively later
2018-01-17T02:11:41Z DEBUG IPA version 4.3.1
2018-01-17T02:11:41Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:41Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:41Z DEBUG Starting external process
2018-01-17T02:11:41Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2018-01-17T02:11:41Z DEBUG Process finished, return code=1
2018-01-17T02:11:41Z DEBUG stdout=
2018-01-17T02:11:41Z DEBUG stderr=Failed to get unit file state for
chronyd.service: No such file or directory
2018-01-17T02:11:41Z DEBUG Starting external process
2018-01-17T02:11:41Z DEBUG args=/bin/systemctl is-active chronyd.service
2018-01-17T02:11:41Z DEBUG Process finished, return code=3
2018-01-17T02:11:41Z DEBUG stdout=inactive
2018-01-17T02:11:41Z DEBUG stderr=
2018-01-17T02:11:41Z DEBUG [IPA Discovery]
2018-01-17T02:11:41Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=sfca-do-1.xyz.com
2018-01-17T02:11:41Z DEBUG Start searching for LDAP SRV record in "xyz.com" (domain of the hostname) and its sub-domains
2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _ldap._tcp.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 389 sfca-do-4.ipa.xyz.com.
2018-01-17T02:11:41Z DEBUG [Kerberos realm search]
2018-01-17T02:11:41Z DEBUG Search DNS for TXT record of _kerberos.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: "IPA.xyz.COM"
2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _kerberos._udp.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 88 sfca-do-4.ipa.xyz.com.
2018-01-17T02:11:41Z DEBUG [LDAP server check]
2018-01-17T02:11:41Z DEBUG Verifying that sfca-do-4.ipa.xyz.com (realm IPA.xyz.COM) is an IPA server
2018-01-17T02:11:41Z DEBUG Init LDAP connection to: sfca-do-4.ipa.xyz.com
2018-01-17T02:11:41Z DEBUG Search LDAP server for IPA base DN
2018-01-17T02:11:41Z DEBUG Check if naming context 'dc=ipa,dc=xyz,dc=com' is for IPA
2018-01-17T02:11:41Z DEBUG Naming context 'dc=ipa,dc=xyz,dc=com' is a valid IPA context
2018-01-17T02:11:41Z DEBUG Search for (objectClass=krbRealmContainer) in dc=ipa,dc=xyz,dc=com (sub)
2018-01-17T02:11:41Z DEBUG Found: cn=IPA.xyz.COM,cn=kerberos,dc=ipa,dc=xyz,dc=com
2018-01-17T02:11:41Z DEBUG Discovery result: Success; server=sfca-do-4.ipa.xyz.com, domain=xyz.com, kdc=sfca-do-4.ipa.xyz.com, basedn=dc=ipa,dc=xyz,dc=com
2018-01-17T02:11:41Z DEBUG Validated servers: sfca-do-4.ipa.xyz.com
2018-01-17T02:11:41Z DEBUG will use discovered domain: xyz.com
2018-01-17T02:11:41Z DEBUG Start searching for LDAP SRV record in "xyz.com" (Validating DNS Discovery) and its sub-domains
2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _ldap._tcp.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 389 sfca-do-4.ipa.xyz.com.
2018-01-17T02:11:41Z DEBUG DNS validated, enabling discovery
2018-01-17T02:11:41Z DEBUG will use discovered server: sfca-do-4.ipa.xyz.com
2018-01-17T02:11:41Z INFO Discovery was successful!
2018-01-17T02:11:41Z DEBUG will use discovered realm: IPA.xyz.COM
2018-01-17T02:11:41Z DEBUG will use discovered basedn: dc=ipa,dc=xyz,dc=com
2018-01-17T02:11:41Z INFO Client hostname: sfca-do-1.xyz.com
2018-01-17T02:11:41Z DEBUG Hostname source: Provided as option
2018-01-17T02:11:41Z INFO Realm: IPA.xyz.COM
2018-01-17T02:11:41Z DEBUG Realm source: Discovered from LDAP DNS records in sfca-do-4.ipa.xyz.com
2018-01-17T02:11:41Z INFO DNS Domain: xyz.com
2018-01-17T02:11:41Z DEBUG DNS Domain source: Discovered LDAP SRV records from xyz.com (domain of the hostname)
2018-01-17T02:11:41Z INFO IPA Server: sfca-do-4.ipa.xyz.com
2018-01-17T02:11:41Z DEBUG IPA Server source: Discovered from LDAP DNS records in sfca-do-4.ipa.xyz.com
2018-01-17T02:11:41Z INFO BaseDN: dc=ipa,dc=xyz,dc=com
2018-01-17T02:11:41Z DEBUG BaseDN source: From IPA server ldap://sfca-do-4.ipa.xyz.com:389
2018-01-17T02:11:44Z DEBUG Starting external process
2018-01-17T02:11:44Z DEBUG args=/usr/sbin/ipa-rmkeytab -k
/etc/krb5.keytab -r
IPA.xyz.COM
2018-01-17T02:11:44Z DEBUG Process finished, return code=5
2018-01-17T02:11:44Z DEBUG stdout=
2018-01-17T02:11:44Z DEBUG stderr=realm not found
2018-01-17T02:11:44Z DEBUG Starting external process
2018-01-17T02:11:44Z DEBUG args=/bin/hostname
sfca-do-1.xyz.com
2018-01-17T02:11:44Z DEBUG Process finished, return code=0
2018-01-17T02:11:44Z DEBUG stdout=
2018-01-17T02:11:44Z DEBUG stderr=
2018-01-17T02:11:44Z DEBUG Backing up system configuration file
'/etc/hostname'
2018-01-17T02:11:44Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:44Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:44Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:44Z INFO Synchronizing time with KDC...
2018-01-17T02:11:44Z DEBUG Search DNS for SRV record of
_ntp._udp.xyz.com
2018-01-17T02:11:44Z DEBUG DNS record found: 10 100 123
sfca-do-4.ipa.xyz.com.
2018-01-17T02:11:44Z INFO Attempting to sync time using ntpd. Will
timeout after 15 seconds
2018-01-17T02:11:44Z DEBUG Starting external process
2018-01-17T02:11:44Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc
/tmp/tmp1p24vZ
2018-01-17T02:11:44Z DEBUG Process finished, return code=1
2018-01-17T02:11:44Z DEBUG stdout=16 Jan 18:11:44 ntpd[7370]: ntpd 4.2.8p4@1.3265-o Thu Sep 7 20:43:09 UTC 2017 (1): Starting
16 Jan 18:11:44 ntpd[7370]: Command line: /usr/sbin/ntpd -qgc /tmp/tmp1p24vZ
16 Jan 18:11:44 ntpd[7370]: proto: precision = 0.322 usec (-21)
2018-01-17T02:11:44Z DEBUG stderr=16 Jan 18:11:44 ntpd[7370]: unable to bind to wildcard address :: - another process may be running - EXITING
2018-01-17T02:11:44Z INFO Attempting to sync time using ntpd. Will
timeout after 15 seconds
2018-01-17T02:11:44Z DEBUG Starting external process
2018-01-17T02:11:44Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc
/tmp/tmpBmT1eO
2018-01-17T02:11:44Z DEBUG Process finished, return code=1
2018-01-17T02:11:44Z DEBUG stdout=16 Jan 18:11:44 ntpd[7373]: ntpd 4.2.8p4@1.3265-o Thu Sep 7 20:43:09 UTC 2017 (1): Starting
16 Jan 18:11:44 ntpd[7373]: Command line: /usr/sbin/ntpd -qgc /tmp/tmpBmT1eO
16 Jan 18:11:44 ntpd[7373]: proto: precision = 0.327 usec (-21)
2018-01-17T02:11:44Z DEBUG stderr=16 Jan 18:11:44 ntpd[7373]: unable to bind to wildcard address :: - another process may be running - EXITING
2018-01-17T02:11:44Z WARNING Unable to sync time with NTP server,
assuming the time is in sync. Please check that 123 UDP port is opened.
2018-01-17T02:11:44Z DEBUG Starting external process
2018-01-17T02:11:44Z DEBUG args=keyctl get_persistent @s 0
2018-01-17T02:11:44Z DEBUG Process finished, return code=0
2018-01-17T02:11:44Z DEBUG stdout=638917143
2018-01-17T02:11:44Z DEBUG stderr=
2018-01-17T02:11:44Z DEBUG Enabling persistent keyring CCACHE
2018-01-17T02:11:44Z DEBUG Writing Kerberos configuration to /tmp/tmpPKnyq_:
2018-01-17T02:11:44Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.xyz.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPA.xyz.COM = {
kdc = sfca-do-4.ipa.xyz.com:88
master_kdc = sfca-do-4.ipa.xyz.com:88
admin_server = sfca-do-4.ipa.xyz.com:749
default_domain = xyz.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.xyz.com = IPA.xyz.COM
xyz.com = IPA.xyz.COM
2018-01-17T02:11:50Z DEBUG Initializing principal admin@IPA.xyz.COM using password
2018-01-17T02:11:50Z DEBUG Starting external process
2018-01-17T02:11:50Z DEBUG args=/usr/bin/kinit admin@IPA.xyz.COM -c /tmp/krbccCNSUmS/ccache
2018-01-17T02:11:50Z DEBUG Process finished, return code=0
2018-01-17T02:11:50Z DEBUG stdout=Password for admin@IPA.xyz.COM:
2018-01-17T02:11:50Z DEBUG stderr=
2018-01-17T02:11:50Z DEBUG trying to retrieve CA cert via LDAP from
sfca-do-4.ipa.xyz.com
2018-01-17T02:11:50Z DEBUG flushing ldap://sfca-do-4.ipa.xyz.com:389
from SchemaCache
2018-01-17T02:11:50Z DEBUG retrieving schema for SchemaCache
url=ldap://sfca-do-4.ipa.xyz.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f77bb8fe320>
2018-01-17T02:11:50Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.xyz.COM
Issuer: CN=Certificate Authority,O=IPA.xyz.COM
Valid From: Fri Apr 07 22:57:36 2017 UTC
Valid Until: Tue Apr 07 22:57:36 2037 UTC
Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Valid From: Sun Mar 30 12:29:49 2003 UTC
Valid Until: Tue Mar 29 12:29:49 2033 UTC
Subject: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
Valid From: Sun Mar 30 12:29:49 2003 UTC
Valid Until: Tue Mar 29 12:29:49 2033 UTC
Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Valid From: Sat Sep 30 21:12:19 2000 UTC
Valid Until: Thu Sep 30 14:01:15 2021 UTC
Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Valid From: Thu Mar 17 16:40:46 2016 UTC
Valid Until: Wed Mar 17 16:40:46 2021 UTC
2018-01-17T02:11:50Z DEBUG Starting external process
2018-01-17T02:11:50Z DEBUG args=/usr/sbin/ipa-join -s
sfca-do-4.ipa.xyz.com -b dc=ipa,dc=xyz,dc=com -h
sfca-do-1.xyz.com
2018-01-17T02:11:51Z DEBUG Process finished, return code=0
2018-01-17T02:11:51Z DEBUG stdout=
2018-01-17T02:11:51Z DEBUG stderr=Failed to parse result: Failed to
decode GetKeytab Control.
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is:
O=IPA.xyz.COM
2018-01-17T02:11:51Z INFO Enrolled in IPA realm
IPA.xyz.COM
2018-01-17T02:11:51Z DEBUG Starting external process
2018-01-17T02:11:51Z DEBUG args=kdestroy
2018-01-17T02:11:51Z DEBUG Process finished, return code=0
2018-01-17T02:11:51Z DEBUG stdout=
2018-01-17T02:11:51Z DEBUG stderr=
2018-01-17T02:11:51Z DEBUG Initializing principal host/sfca-do-1.xyz.com@IPA.xyz.COM using keytab /etc/krb5.keytab
2018-01-17T02:11:51Z DEBUG using ccache /etc/ipa/.dns_ccache
2018-01-17T02:11:51Z DEBUG Attempt 1/5: success
2018-01-17T02:11:51Z DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2018-01-17T02:11:51Z DEBUG -> Not backing up - '/etc/ipa/default.conf'
doesn't exist
2018-01-17T02:11:51Z INFO Created /etc/ipa/default.conf
2018-01-17T02:11:51Z DEBUG importing all plugin modules in ipalib.plugins...
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.aci
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.automember
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.automount
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.baseldap
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.baseuser
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.batch
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.caacl
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.cert
2018-01-17T02:11:51Z DEBUG importing plugin module
ipalib.plugins.certprofile
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.config
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.delegation
2018-01-17T02:11:51Z DEBUG importing plugin module ipalib.plugins.dns
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.domainlevel
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.group
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbacrule
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.hbacsvcgroup
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hbactest
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.host
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.hostgroup
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.idrange
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.idviews
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.internal
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.migration
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.misc
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.netgroup
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.otpconfig
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.otptoken
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.otptoken_yubikey
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.passwd
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.permission
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.ping
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.pkinit
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.privilege
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2018-01-17T02:11:52Z DEBUG Starting external process
2018-01-17T02:11:52Z DEBUG args=klist -V
2018-01-17T02:11:52Z DEBUG Process finished, return code=0
2018-01-17T02:11:52Z DEBUG stdout=Kerberos 5 version 1.13.2
2018-01-17T02:11:52Z DEBUG stderr=
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.radiusproxy
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.realmdomains
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.role
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.rpcclient
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.selfservice
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.selinuxusermap
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.server
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.service
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.servicedelegation
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.session
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.stageuser
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.sudocmd
2018-01-17T02:11:52Z DEBUG importing plugin module
ipalib.plugins.sudocmdgroup
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.sudorule
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.topology
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.trust
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.user
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.vault
2018-01-17T02:11:52Z DEBUG importing plugin module ipalib.plugins.virtual
2018-01-17T02:11:53Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2018-01-17T02:11:53Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf'
doesn't exist
2018-01-17T02:11:53Z INFO New SSSD config will be created
2018-01-17T02:11:53Z DEBUG Backing up system configuration file
'/etc/nsswitch.conf'
2018-01-17T02:11:53Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:53Z INFO Configured sudoers in /etc/nsswitch.conf
2018-01-17T02:11:53Z INFO Configured /etc/sssd/sssd.conf
2018-01-17T02:11:53Z DEBUG Backing up system configuration file
'/etc/krb5.conf'
2018-01-17T02:11:53Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=keyctl get_persistent @s 0
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=638917143
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG Enabling persistent keyring CCACHE
2018-01-17T02:11:53Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2018-01-17T02:11:53Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.xyz.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPA.xyz.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.xyz.com = IPA.xyz.COM
xyz.com = IPA.xyz.COM
2018-01-17T02:11:53Z INFO Configured /etc/krb5.conf for IPA realm IPA.xyz.COM
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.xyz.COM
2018-01-17T02:11:53Z DEBUG Process finished, return code=1
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=keyctl_search: Required key not available
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -N
-f /tmp/tmpUmc3dK
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A
-n CA certificate 1 -t C,,
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A
-n CA certificate 2 -t C,,
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A
-n CA certificate 3 -t C,,
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A
-n CA certificate 4 -t C,,
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=/usr/bin/certutil -d /tmp/tmpfdJ4GJ -A
-n CA certificate 5 -t C,,
2018-01-17T02:11:53Z DEBUG Process finished, return code=0
2018-01-17T02:11:53Z DEBUG stdout=
2018-01-17T02:11:53Z DEBUG stderr=
2018-01-17T02:11:53Z DEBUG failed to find session_cookie in persistent storage for principal 'host/sfca-do-1.xyz.com@IPA.xyz.COM'
2018-01-17T02:11:53Z INFO trying https://sfca-do-4.ipa.xyz.com/ipa/json
2018-01-17T02:11:53Z DEBUG Created connection context.rpcclient_140152147110416
2018-01-17T02:11:53Z DEBUG Try RPC connection
2018-01-17T02:11:53Z INFO Forwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'
2018-01-17T02:11:53Z DEBUG Destroyed connection context.rpcclient_140152147110416
2018-01-17T02:11:53Z INFO Cannot connect to the server due to Kerberos error: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM". Trying with delegate=True
2018-01-17T02:11:53Z INFO trying https://sfca-do-4.ipa.xyz.com/ipa/json
2018-01-17T02:11:53Z DEBUG Created connection context.rpcclient_140152147110416
2018-01-17T02:11:53Z DEBUG Try RPC connection
2018-01-17T02:11:53Z INFO Forwarding 'ping' to json server 'https://sfca-do-4.ipa.xyz.com/ipa/json'
2018-01-17T02:11:53Z WARNING Second connect with delegate=True also failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"
2018-01-17T02:11:53Z ERROR Cannot connect to the IPA server RPC interface: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "IPA.xyz.COM"
2018-01-17T02:11:53Z ERROR Installation failed. Rolling back changes.
2018-01-17T02:11:53Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2018-01-17T02:11:53Z DEBUG Starting external process
2018-01-17T02:11:53Z DEBUG args=ipa-client-automount --uninstall --debug
2018-01-17T02:11:56Z DEBUG Process finished, return code=0
2018-01-17T02:11:56Z DEBUG stdout=Restoring configuration
2018-01-17T02:11:56Z DEBUG stderr=importing all plugin modules in
ipalib.plugins...
importing plugin module ipalib.plugins.aci
importing plugin module ipalib.plugins.automember
importing plugin module ipalib.plugins.automount
importing plugin module ipalib.plugins.baseldap
importing plugin module ipalib.plugins.baseuser
importing plugin module ipalib.plugins.batch
importing plugin module ipalib.plugins.caacl
importing plugin module ipalib.plugins.cert
importing plugin module ipalib.plugins.certprofile
importing plugin module ipalib.plugins.config
importing plugin module ipalib.plugins.delegation
importing plugin module ipalib.plugins.dns
importing plugin module ipalib.plugins.domainlevel
importing plugin module ipalib.plugins.group
importing plugin module ipalib.plugins.hbacrule
importing plugin module ipalib.plugins.hbacsvc
importing plugin module ipalib.plugins.hbacsvcgroup
importing plugin module ipalib.plugins.hbactest
importing plugin module ipalib.plugins.host
importing plugin module ipalib.plugins.hostgroup
importing plugin module ipalib.plugins.idrange
importing plugin module ipalib.plugins.idviews
importing plugin module ipalib.plugins.internal
importing plugin module ipalib.plugins.krbtpolicy
importing plugin module ipalib.plugins.migration
importing plugin module ipalib.plugins.misc
importing plugin module ipalib.plugins.netgroup
importing plugin module ipalib.plugins.otpconfig
importing plugin module ipalib.plugins.otptoken
importing plugin module ipalib.plugins.otptoken_yubikey
importing plugin module ipalib.plugins.passwd
importing plugin module ipalib.plugins.permission
importing plugin module ipalib.plugins.ping
importing plugin module ipalib.plugins.pkinit
importing plugin module ipalib.plugins.privilege
importing plugin module ipalib.plugins.pwpolicy
Starting external process
args=klist -V
Process finished, return code=0
stdout=Kerberos 5 version 1.13.2
stderr=
importing plugin module ipalib.plugins.radiusproxy
importing plugin module ipalib.plugins.realmdomains
importing plugin module ipalib.plugins.role
importing plugin module ipalib.plugins.rpcclient
importing plugin module ipalib.plugins.selfservice
importing plugin module ipalib.plugins.selinuxusermap
importing plugin module ipalib.plugins.server
importing plugin module ipalib.plugins.service
importing plugin module ipalib.plugins.servicedelegation
importing plugin module ipalib.plugins.session
importing plugin module ipalib.plugins.stageuser
importing plugin module ipalib.plugins.sudocmd
importing plugin module ipalib.plugins.sudocmdgroup
importing plugin module ipalib.plugins.sudorule
importing plugin module ipalib.plugins.topology
importing plugin module ipalib.plugins.trust
importing plugin module ipalib.plugins.user
importing plugin module ipalib.plugins.vault
importing plugin module ipalib.plugins.virtual
Restoring system configuration file '/etc/nsswitch.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:56Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:56Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:56Z DEBUG Starting external process
2018-01-17T02:11:56Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L
-n Local IPA host -a
2018-01-17T02:11:56Z DEBUG Process finished, return code=255
2018-01-17T02:11:56Z DEBUG stdout=
2018-01-17T02:11:56Z DEBUG stderr=certutil: function failed:
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
unsupported format.
2018-01-17T02:11:56Z DEBUG Starting external process
2018-01-17T02:11:56Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L
-n IPA Machine Certificate -
sfca-do-1.xyz.com -a
2018-01-17T02:11:56Z DEBUG Process finished, return code=255
2018-01-17T02:11:56Z DEBUG stdout=
2018-01-17T02:11:56Z DEBUG stderr=certutil: function failed:
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
unsupported format.
2018-01-17T02:11:56Z DEBUG Starting external process
2018-01-17T02:11:56Z DEBUG args=/bin/systemctl start certmonger.service
2018-01-17T02:11:56Z DEBUG Process finished, return code=0
2018-01-17T02:11:56Z DEBUG stdout=
2018-01-17T02:11:56Z DEBUG stderr=
2018-01-17T02:11:56Z DEBUG Starting external process
2018-01-17T02:11:56Z DEBUG args=/bin/systemctl is-active certmonger.service
2018-01-17T02:11:56Z DEBUG Process finished, return code=0
2018-01-17T02:11:56Z DEBUG stdout=active
2018-01-17T02:11:56Z DEBUG stderr=
2018-01-17T02:11:56Z DEBUG Starting external process
2018-01-17T02:11:56Z DEBUG args=/bin/systemctl stop certmonger.service
2018-01-17T02:11:56Z DEBUG Process finished, return code=0
2018-01-17T02:11:56Z DEBUG stdout=
2018-01-17T02:11:56Z DEBUG stderr=
2018-01-17T02:11:56Z DEBUG Starting external process
2018-01-17T02:11:56Z DEBUG args=/bin/systemctl disable certmonger.service
2018-01-17T02:11:57Z DEBUG Process finished, return code=0
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=Synchronizing state of
certmonger.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install disable certmonger
insserv: warning: current start runlevel(s) (empty) of script
`certmonger' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script
`certmonger' overrides LSB defaults (0 1 6).
insserv: warning: current start runlevel(s) (empty) of script
`certmonger' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script
`certmonger' overrides LSB defaults (0 1 6).
2018-01-17T02:11:57Z INFO Unenrolling client from IPA server
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/usr/sbin/ipa-join --unenroll -h
sfca-do-1.xyz.com
2018-01-17T02:11:57Z DEBUG Process finished, return code=21
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=Error getting default Kerberos realm: Configuration file does not specify default realm.
2018-01-17T02:11:57Z ERROR Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
2018-01-17T02:11:57Z INFO Removing Kerberos service principals from /etc/krb5.keytab
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.xyz.COM
2018-01-17T02:11:57Z DEBUG Process finished, return code=0
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=Removing principal host/sfca-do-1.xyz.com@IPA.xyz.COM
2018-01-17T02:11:57Z INFO Disabling client Kerberos and LDAP configurations
2018-01-17T02:11:57Z INFO Redundant SSSD configuration file
/etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/bin/systemctl stop sssd.service
2018-01-17T02:11:57Z DEBUG Process finished, return code=0
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/bin/systemctl disable sssd.service
2018-01-17T02:11:57Z DEBUG Process finished, return code=0
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=
2018-01-17T02:11:57Z INFO Restoring client configuration files
2018-01-17T02:11:57Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-01-17T02:11:57Z DEBUG -> no files, removing file
2018-01-17T02:11:57Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:57Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:57Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:57Z DEBUG -> no modules, removing file
2018-01-17T02:11:57Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/bin/systemctl list-unit-files --full
2018-01-17T02:11:58Z DEBUG Process finished, return code=0
2018-01-17T02:11:58Z DEBUG stdout=UNIT
FILE STATE
proc-sys-fs-binfmt_misc.automount static
dev-hugepages.mount static
dev-mqueue.mount static
proc-sys-fs-binfmt_misc.mount static
sys-fs-fuse-connections.mount static
sys-kernel-config.mount static
sys-kernel-debug.mount static
acpid.path enabled
systemd-ask-password-console.path static
systemd-ask-password-plymouth.path static
systemd-ask-password-wall.path static
systemd-networkd-resolvconf-update.path static
accounts-daemon.service enabled
acpid.service disabled
apport-forward@.service static
apt-daily-upgrade.service static
apt-daily.service static
atd.service enabled
autovt@.service enabled
bind9-pkcs11.service masked
bind9-resolvconf.service masked
bind9.service masked
bootlogd.service masked
bootlogs.service masked
bootmisc.service masked
certbot.service static
certmonger.service disabled
check_mk@.service static
checkfs.service masked
checkroot-bootclean.service masked
checkroot.service masked
cloud-config.service enabled
cloud-final.service enabled
cloud-init-local.service enabled
cloud-init.service enabled
console-getty.service disabled
console-setup.service static
console-shell.service disabled
container-getty@.service static
cron.service enabled
cryptdisks-early.service masked
cryptdisks.service masked
dbus-org.freedesktop.hostname1.service static
dbus-org.freedesktop.locale1.service static
dbus-org.freedesktop.login1.service static
dbus-org.freedesktop.network1.service disabled
dbus-org.freedesktop.resolve1.service disabled
dbus-org.freedesktop.timedate1.service static
dbus.service static
debug-shell.service disabled
dm-event.service disabled
emergency.service static
fail2ban.service enabled
friendly-recovery.service enabled
fuse.service masked
getty-static.service static
getty@.service enabled
halt.service masked
hostname.service masked
hwclock.service masked
ifup@.service static
initrd-cleanup.service static
initrd-parse-etc.service static
initrd-switch-root.service static
initrd-udevadm-cleanup-db.service static
iscsi.service enabled
iscsid.service enabled
keyboard-setup.service disabled
killprocs.service masked
kmod-static-nodes.service static
kmod.service static
lvm2-lvmetad.service disabled
lvm2-lvmpolld.service disabled
lvm2-monitor.service enabled
lvm2-pvscan@.service static
lvm2.service masked
lxcfs.service enabled
lxd-bridge.service static
lxd-containers.service enabled
lxd.service indirect
mdadm-shutdown.service disabled
module-init-tools.service static
motd.service masked
mountall-bootclean.service masked
mountall.service masked
mountdevsubfs.service masked
mountkernfs.service masked
mountnfs-bootclean.service masked
mountnfs.service masked
mysql.service enabled
networking.service enabled
oddjobd.service enabled
open-iscsi.service enabled
pdns.service enabled
pdns@.service disabled
plymouth-halt.service static
plymouth-kexec.service static
plymouth-log.service static
plymouth-poweroff.service static
plymouth-quit-wait.service static
plymouth-quit.service static
plymouth-read-write.service static
plymouth-reboot.service static
plymouth-start.service static
plymouth-switch-root.service static
plymouth.service static
polkitd.service static
pollinate.service enabled
procps.service static
quotaon.service static
rc-local.service static
rc.local.service static
rc.service masked
rcS.service masked
reboot.service masked
rescue.service static
resolvconf.service enabled
rmnologin.service masked
rsync.service disabled
rsyslog.service masked
screen-cleanup.service masked
sendsigs.service masked
serial-getty@.service disabled
setvtrgb.service static
sigpwr-container-shutdown.service static
single.service masked
snapd.autoimport.service enabled
snapd.core-fixup.service enabled
snapd.refresh.service static
snapd.service enabled
snapd.snap-repair.service static
snapd.system-shutdown.service enabled
ssh.service enabled
ssh@.service static
sshd.service enabled
sssd.service disabled
stop-bootlogd-single.service masked
stop-bootlogd.service masked
syslog-ng.service enabled
syslog.service masked
systemd-ask-password-console.service static
systemd-ask-password-plymouth.service static
systemd-ask-password-wall.service static
systemd-backlight@.service static
systemd-binfmt.service static
systemd-bootchart.service disabled
systemd-bus-proxyd.service static
systemd-exit.service static
systemd-fsck-root.service static
systemd-fsck@.service static
systemd-fsckd.service static
systemd-halt.service static
systemd-hibernate-resume@.service static
systemd-hibernate.service static
systemd-hostnamed.service static
systemd-hwdb-update.service static
systemd-hybrid-sleep.service static
systemd-initctl.service static
systemd-journal-flush.service static
systemd-journald.service static
systemd-kexec.service static
systemd-localed.service static
systemd-logind.service static
systemd-machine-id-commit.service static
systemd-modules-load.service static
systemd-networkd-resolvconf-update.service static
systemd-networkd-wait-online.service disabled
systemd-networkd.service disabled
systemd-poweroff.service static
systemd-quotacheck.service static
systemd-random-seed.service static
systemd-reboot.service static
systemd-remount-fs.service static
systemd-resolved.service disabled
systemd-rfkill.service static
systemd-suspend.service static
systemd-sysctl.service static
systemd-timedated.service static
systemd-timesyncd.service enabled
systemd-tmpfiles-clean.service static
systemd-tmpfiles-setup-dev.service static
systemd-tmpfiles-setup.service static
systemd-udev-settle.service static
systemd-udev-trigger.service static
systemd-udevd.service static
systemd-update-utmp-runlevel.service static
systemd-update-utmp.service static
systemd-user-sessions.service static
udev-finish.service masked
udev.service static
ufw.service enabled
umountfs.service masked
umountnfs.service masked
umountroot.service masked
unattended-upgrades.service enabled
urandom.service static
ureadahead-stop.service static
ureadahead.service enabled
user@.service static
uuidd.service indirect
x11-common.service masked
-.slice static
machine.slice static
system.slice static
user.slice static
acpid.socket enabled
apport-forward.socket enabled
check_mk.socket enabled
dbus.socket static
dm-event.socket enabled
lvm2-lvmetad.socket enabled
lvm2-lvmpolld.socket enabled
lxd.socket enabled
snapd.socket enabled
ssh.socket disabled
syslog.socket static
systemd-bus-proxyd.socket static
systemd-fsckd.socket static
systemd-initctl.socket static
systemd-journald-audit.socket static
systemd-journald-dev-log.socket static
systemd-journald.socket static
systemd-networkd.socket disabled
systemd-rfkill.socket static
systemd-udevd-control.socket static
systemd-udevd-kernel.socket static
uuidd.socket enabled
basic.target static
bluetooth.target static
busnames.target static
cloud-config.target static
cloud-init.target static
cryptsetup-pre.target static
cryptsetup.target static
ctrl-alt-del.target disabled
default.target static
emergency.target static
exit.target disabled
final.target static
getty.target static
graphical.target static
halt.target disabled
hibernate.target static
hybrid-sleep.target static
initrd-fs.target static
initrd-root-fs.target static
initrd-switch-root.target static
initrd.target static
kexec.target disabled
local-fs-pre.target static
local-fs.target static
mail-transport-agent.target static
multi-user.target static
network-online.target static
network-pre.target static
network.target static
nss-lookup.target static
nss-user-lookup.target static
paths.target static
poweroff.target disabled
printer.target static
reboot.target disabled
remote-fs-pre.target static
remote-fs.target enabled
rescue.target disabled
rpcbind.target static
runlevel0.target disabled
runlevel1.target disabled
runlevel2.target static
runlevel3.target static
runlevel4.target static
runlevel5.target static
runlevel6.target disabled
shutdown.target static
sigpwr.target static
sleep.target static
slices.target static
smartcard.target static
sockets.target static
sound.target static
suspend.target static
swap.target static
sysinit.target static
system-update.target static
time-sync.target static
timers.target static
umount.target static
apt-daily-upgrade.timer enabled
apt-daily.timer enabled
certbot.timer enabled
snapd.refresh.timer enabled
snapd.snap-repair.timer enabled
systemd-tmpfiles-clean.timer static
ureadahead-stop.timer static
294 unit files listed.
2018-01-17T02:11:58Z DEBUG stderr=
2018-01-17T02:11:58Z INFO nscd daemon is not installed, skip configuration
2018-01-17T02:11:58Z DEBUG Starting external process
2018-01-17T02:11:58Z DEBUG args=/bin/systemctl list-unit-files --full
2018-01-17T02:11:58Z DEBUG Process finished, return code=0
2018-01-17T02:11:58Z DEBUG stdout=UNIT
FILE STATE
294 unit files listed.
2018-01-17T02:11:58Z DEBUG stderr=
2018-01-17T02:11:58Z INFO nslcd daemon is not installed, skip configuration
2018-01-17T02:11:58Z INFO Client uninstall complete.
==========
On 1/16/18 1:11 PM, Rob Crittenden wrote:
Robbie Harwood via FreeIPA-users wrote:
> Chris Moody via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> writes:
>
>> 2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm
>> IPA.XYZ.COM
>> 2018-01-15T21:55:24Z DEBUG Starting external process
>> 2018-01-15T21:55:24Z DEBUG args=keyctl search @s user
>> ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.XYZ.COM
>> 2018-01-15T21:55:24Z DEBUG Process finished, return code=1
>> 2018-01-15T21:55:24Z DEBUG stdout=
>> 2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available
> I'm not familiar with what IPA's trying to do here, but this looks like
> a problem? Can someone else comment?
This is perfectly normal. IPA stores the session cookie in the kernel
keyring. Given this is a new install there is no cookie to find.
>> I have tried manually setting /etc/krb5.conf to the contents that get
>> generated & display during the verbose client-install process (as seen
>> above), that manually spell out the KDC details, and am able to run a
>> 'kinit admin' just fine from the CLI on the client, so kerberos DOES
>> function from the client. It talks to the KDC beautifully and
>> authenticates just fine... so I'm not sure how the client-install
>> process is getting confused/lost when trying to find/contact the KDC.
> Someone else who knows more than me: how is the install different than a
> normal kinit?
I think we'd need to see the full ipaclient-install.log.
rob
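A triage helper for logs like the ones in this thread, added here as an example (it is not part of the original messages or of FreeIPA): it rejoins the mail-wrapped lines, pairs each `args=` entry with its return code and stderr, and sets aside the `keyctl search` miss for `ipa_session_cookie` that Rob's reply describes as normal. The function names and the allowlist rule are assumptions of this example; the sample lines are copied from the excerpts above.

```python
import re

# Lines copied from the log excerpts in this thread, mail wrapping included.
SAMPLE_LOG = """\
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/sfca-do-1.xyz.com@IPA.XYZ.COM
2018-01-15T21:55:24Z DEBUG Process finished, return code=1
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/usr/sbin/ipa-join --unenroll -h
sfca-do-1.xyz.com
2018-01-17T02:11:57Z DEBUG Process finished, return code=21
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=Error getting default Kerberos realm:
Configuration file does not specify default realm.
2018-01-17T02:11:57Z DEBUG Starting external process
2018-01-17T02:11:57Z DEBUG args=/bin/systemctl stop sssd.service
2018-01-17T02:11:57Z DEBUG Process finished, return code=0
2018-01-17T02:11:57Z DEBUG stdout=
2018-01-17T02:11:57Z DEBUG stderr=
"""

RECORD = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")

def records(text):
    """Rejoin wrapped lines: a line with no timestamp continues the previous record."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(2), m.group(3)])
        elif out and line.strip():
            out[-1][2] += " " + line.strip()
    return out

def external_processes(text):
    """Pair each args= entry with the return code and stderr logged after it."""
    procs, cur = [], None
    for ts, _level, msg in records(text):
        if msg.startswith("args="):
            cur = {"time": ts, "args": msg[5:], "rc": None, "stderr": ""}
            procs.append(cur)
        elif cur and msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
        elif cur and msg.startswith("stderr="):
            cur["stderr"] = msg[7:]
            cur = None  # stderr= is the last line logged for a process
    return procs

def is_expected_miss(proc):
    # Assumption of this example, based on Rob's reply: a keyctl search that
    # finds no ipa_session_cookie (rc=1) is normal on a fresh install.
    return (proc["rc"] == 1 and proc["args"].startswith("keyctl search")
            and "ipa_session_cookie:" in proc["args"])

def failures(text):
    return [p for p in external_processes(text)
            if p["rc"] not in (0, None) and not is_expected_miss(p)]

if __name__ == "__main__":
    for p in failures(SAMPLE_LOG):
        print(p["time"], "rc=%d" % p["rc"], p["args"], "->", p["stderr"])
```

Run against a full ipaclient-install.log or ipaclient-uninstall.log, `failures()` narrows hundreds of DEBUG lines to the external commands that exited non-zero.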