ipa-getkeytab: PrincipalName not found
by Harald Dunkel
Hi folks,
maybe I missed something, but shouldn't admin have sufficient
privileges to run
# ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
# reboot
:
:
# kinit admin
# ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
?
ipa-getkeytab failed with
Failed to parse result: PrincipalName not found.
I would have expected it to create the principal on the fly.
"admin" was created at freeipa install time on the first server,
AFAIR. It is a member of the "admins" and "trust admins" groups.
I am concerned that I corrupted something. Every helpful comment
is highly appreciated.
Harri
1 year, 8 months
nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5
by Robert Sturrock
Hi All.
We have IPA set up in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to be working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
[General]
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
Any pointers appreciated!
Regards,
Robert.
1 year, 10 months
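Added example (not part of the post above and not nfs-utils code): one way to triage nfsidmap debug output like the quoted lines, grouping the messages of each upcall by host and PID and reporting the lookups that ended with a non-zero return value. The log lines in SAMPLE_LOG are constructed on the model of the post, with shortened host names; the function and field names are this example's own.

```python
import errno
import re

# Constructed sample, modelled on the syslog lines quoted in the post.
SAMPLE_LOG = """\
Oct 25 16:49:42 ubuntu-client nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-client nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-client nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-client nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-client nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
Oct 25 16:56:23 rhel-client nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-client nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-client nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-client nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-client nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
"""

# Syslog prefix: timestamp, host, "nfsidmap[pid]:", then the message.
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\snfsidmap\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
KEY = re.compile(r"^key: \S+ type: (?P<type>\w+) value: (?P<value>\S+) timeout \d+$")
LOCAL = re.compile(
    r"^nss_getpwnam: name '[^']*' domain '[^']*': resulting localname '(?P<local>[^']*)'$"
)
UNMAPPED = re.compile(r"^nss_getpwnam: name '[^']*' does not map into domain '[^']*'$")
FINAL = re.compile(r"^nfs4_\w+: final return value is (?P<rc>-?\d+)$")


def parse_nfsidmap(text):
    """Return one record per nfsidmap upcall, keyed internally by (host, pid)."""
    requests = {}
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not an nfsidmap syslog line
        key = (line["host"], int(line["pid"]))
        req = requests.setdefault(key, {
            "host": key[0], "pid": key[1], "type": None, "wire_name": None,
            "user": None, "nfs4_domain": None, "localname": None,
            "unmapped": False, "rc": None, "errno": None,
        })
        msg = line["msg"]
        m = KEY.match(msg)
        if m:
            req["type"], req["wire_name"] = m["type"], m["value"]
            # The NFSv4 owner string is name@domain. A trusted-domain user name
            # already contains '@', so split on the LAST '@' only.
            if "@" in m["value"]:
                req["user"], _, req["nfs4_domain"] = m["value"].rpartition("@")
            continue
        m = LOCAL.match(msg)
        if m:
            # libnfsidmap prints '(null)' when no local name was produced.
            req["localname"] = None if m["local"] == "(null)" else m["local"]
            continue
        if UNMAPPED.match(msg):
            req["unmapped"] = True
            continue
        m = FINAL.match(msg)
        if m:
            rc = int(m["rc"])
            req["rc"] = rc
            # Negative return values are negated errno codes (-22 -> EINVAL).
            req["errno"] = errno.errorcode.get(-rc, str(rc)) if rc < 0 else None
    return list(requests.values())


def failed_lookups(text):
    """Upcalls that finished with a non-zero return value."""
    return [r for r in parse_nfsidmap(text) if r["rc"] not in (None, 0)]


if __name__ == "__main__":
    for r in failed_lookups(SAMPLE_LOG):
        print("{host} pid={pid} {type} {wire_name!r}: user={user!r} "
              "domain={nfs4_domain!r} localname={localname!r} rc={rc} ({errno})"
              .format(**r))
```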
IPA server upgrade fails with KDC error
by Johannes Brandstetter
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:". I find in the kdc log that it complains about "Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
Some more info:
$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XXX
krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG duration: 0 seconds
2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
server.upgrade()
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade
data_upgrade.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance
runtime=90)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start
api.Backend.ldap2.connect()
File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection
client_controls=clientctrls)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access:
2017-10-16T13:04:14Z ERROR Insufficient access:
2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log
Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64
Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64
Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes
2 years, 1 month
using freeipa with an AWS elastic load balancer
by ridha.zorgui@infor.com
I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA clients will be contacting the replica and the master server through the load balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem is that when retrieving LDAP data and during authentication, the SSL handshake fails because the certificate sent back from the master or replica has a hostname different from the one used in sssd (the ELB CNAME), so the connection is terminated. There is a workaround, which is to use reqcert=allow, but this brings a security issue with a MITM attack. Another solution I found is the use of a SAN. I was able to add the ELB DNS as a SAN in the FreeIPA servers certificate. I made sure it is there by downloading the certificate and checking that the ELB SAN exists, but when testing it the same problem remains. Please help.
2 years, 3 months
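Added example (not from the post above, and not FreeIPA or SSSD code): the name check a TLS client applies to the name it dialled, here the ELB CNAME, run against the certificate of each backend behind the load balancer. The certificate dicts are constructed in the shape Python's ssl.getpeercert() returns, all host names are placeholders, and the matching policy (DNS SANs only, wildcard only as the whole left-most label) is a simplification of RFC 6125.

```python
import socket
import ssl


def dns_sans(cert):
    """DNS-type subjectAltName values from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Compare label by label, case-insensitively.

    A '*' is honoured only as the entire left-most label, stands for exactly
    one label, and needs at least two literal labels after it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_dialled_name(cert, dialled):
    """Return (ok, detail) for the name the client actually connected to."""
    sans = dns_sans(cert)
    for san in sans:
        if name_matches(san, dialled):
            return True, "matched SAN " + san
    return False, "%s not in DNS SANs %s" % (dialled, sans)


def audit_backends(certs, dialled):
    """Map each backend to whether its certificate is valid for `dialled`.

    Every server that the load balancer can hand a connection to must pass;
    one backend without the SAN makes clients fail whenever they land on it.
    """
    return {server: check_dialled_name(cert, dialled)[0]
            for server, cert in certs.items()}


def fetch_cert(host, port, cafile):
    """Fetch the certificate a TLS endpoint really serves (e.g. LDAPS).

    The chain is still validated against `cafile`; only the built-in name
    check is switched off so that the names can be inspected with the
    functions above. Does not handle STARTTLS.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed data: placeholder names, not taken from the post.
ELB_NAME = "ipa-elb.example.test"
CERTS = {
    "ipa-master.example.test": {
        "subject": ((("commonName", "ipa-master.example.test"),),),
        "subjectAltName": (("DNS", "ipa-master.example.test"),
                           ("DNS", "ipa-elb.example.test")),
    },
    "ipa-replica.example.test": {
        "subject": ((("commonName", "ipa-replica.example.test"),),),
        "subjectAltName": (("DNS", "ipa-replica.example.test"),),
    },
}

if __name__ == "__main__":
    for server, cert in CERTS.items():
        print(server, *check_dialled_name(cert, ELB_NAME))
```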
Web UI login fails after upgrading to 4.5
by Marius Bjørnstad
Hi all,
After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login failed due to an unknown reason" on the web UI, no matter if I use the admin user or my personal user. From what I can tell, all the ipa commands work fine on the command line, and kinit also works fine.
I have included some output from /var/log/httpd/error_log below. It would be great if someone could make a guess (or better) at what is going wrong, or which logs to look at, etc.
When I run the command in the CalledProcessError, I get a password prompt for WELLKNOWN/ANONYMOUS@OUS.NSC.LOCAL (the second part is the realm name).
Thanks,
Marius
[Thu Oct 05 11:36:34.898930 2017] [core:notice] [pid 7417] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Oct 05 11:36:34.899649 2017] [suexec:notice] [pid 7417] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 05 11:36:34.899669 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Oct 05 11:36:35.065273 2017] [auth_digest:notice] [pid 7417] AH01757: generating secret for digest authentication ...
[Thu Oct 05 11:36:35.065933 2017] [lbmethod_heartbeat:notice] [pid 7417] AH02282: No slotmem from mod_heartmonitor
[Thu Oct 05 11:36:35.065947 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Oct 05 11:36:35.100828 2017] [mpm_prefork:notice] [pid 7417] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Thu Oct 05 11:36:35.100849 2017] [core:notice] [pid 7417] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 05 11:36:36.676629 2017] [:error] [pid 7424] ipa: INFO: *** PROCESS START ***
[Thu Oct 05 11:36:36.695362 2017] [:error] [pid 7425] ipa: INFO: *** PROCESS START ***
--- login attempt performed now ---
[Thu Oct 05 11:36:38.504718 2017] [:error] [pid 7424] [remote 192.168.1.48:244] mod_wsgi (pid=7424): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Oct 05 11:36:38.504758 2017] [:error] [pid 7424] [remote 192.168.1.48:244] Traceback (most recent call last):
[Thu Oct 05 11:36:38.504776 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/share/ipa/wsgi.py", line 51, in application
[Thu Oct 05 11:36:38.504845 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Oct 05 11:36:38.504855 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Thu Oct 05 11:36:38.505045 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return self.route(environ, start_response)
[Thu Oct 05 11:36:38.505054 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Thu Oct 05 11:36:38.505067 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return app(environ, start_response)
[Thu Oct 05 11:36:38.505072 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Thu Oct 05 11:36:38.505079 2017] [:error] [pid 7424] [remote 192.168.1.48:244] self.kinit(user_principal, password, ipa_ccache_name)
[Thu Oct 05 11:36:38.505083 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Thu Oct 05 11:36:38.505089 2017] [:error] [pid 7424] [remote 192.168.1.48:244] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Oct 05 11:36:38.505094 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Thu Oct 05 11:36:38.505135 2017] [:error] [pid 7424] [remote 192.168.1.48:244] run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Oct 05 11:36:38.505143 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Thu Oct 05 11:36:38.505346 2017] [:error] [pid 7424] [remote 192.168.1.48:244] raise CalledProcessError(p.returncode, arg_string, str(output))
[Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_7424 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
3 years
Unable to use external groups or users, trusted domain object not found
by Henrik Stigendal
Hello everyone,
I’m new to this and am trying to set up a working trust against an AD forest. I seem to have a working trust, but when I try to reference external groups (or users) I get:
# ipa group-add-member ad_users_external --external "AD2\Domain Users"
[member user]:
[member group]:
Group name: ad_users_external
Description: AD users external map
Failed members:
member user:
member group: AD2\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
I enabled some logging, and the output from the command above is at the end of this mail. Any suggestions what could cause this? Current version of IPA is 4.5.
Regards
Henrik
[Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IDM.TEST.NET)!, referer: https://ipaserver.idm.test.net/ipa/xml
string_to_sid: SID AD2\Domain Users is not in a valid format
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels:
all: 11
tdb: 11
printdrivers: 11
lanman: 11
smb: 11
rpc_parse: 11
rpc_srv: 11
rpc_cli: 11
passdb: 11
sam: 11
auth: 11
winbind: 11
vfs: 11
idmap: 11
quota: 11
acls: 11
locking: 11
msdfs: 11
dmapi: 11
registry: 11
scavenger: 11
dns: 11
ldb: 11
tevent: 11
pm_process() returned Yes
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain ad2.test.net
finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad2.test.net<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
finddcs: DNS SRV response 0 at '192.168.5.158'
finddcs: DNS SRV response 1 at '192.168.5.104'
finddcs: performing CLDAP query on 192.168.5.158
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0001f1fc (127484)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
1: NBT_SERVER_DS_8
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 63c3a477-85f9-5f01-96e8-2597a5c48978
forest : 'ad2.test.net'
dns_domain : 'ad2.test.net'
pdc_dns_name : 'adserver.ad2.test.net'
domain_name : 'AD2'
pdc_name : 'adserver'
user_name : ''
server_site : 'AS001'
client_site : 'AS002'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
[Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO: [jsonserver_session] admin@IDM.TEST.NET: group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain Users',), version=u'2.228'): SUCCESS
3 years, 1 month
upgrade to ubuntu 17.10 fails
by David Harvey
Hi wisdom of the list,
I know I am an edge case with running on ubuntu, but hoped someone might be
able to shed some light.
A bit of background. I'm trying to test upgrades without potentially
hosing my existing services, so I have cloned the VM, given it a new IP
address, updated hosts file and pointed DNS somewhere that doesn't know
about the real IPA services (8.8.8.8) so it won't try and sync or replicate.
Attempting to upgrade hits a snag or two, some described in bugs already
like the pki version number confusing the apt scripts
(https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1703051). The one I
can't work around however is below.
It seems deeply unhappy, and restarting the services results in the
dogtag-pki web page being available until a login attempt is made (as
occurs during the ipa-server-upgrade) after which point it bombs with a 500
error.
Could the below be caused by
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1716842 ?
Any advice appreciated, as I think even when 18.04 hits with the proposed
updates to rely on tomcat 8.5, I'll still need to upgrade via 17.10
which seems currently fraught! If it relates to my method of cloning the
VM, is there a better way of testing upgrades without potentially hosing
the existing live systems?
Thanks in advance,
David
2017-11-15T13:05:59Z DEBUG approved_usage = SSL Server intended_usage = SSL
Server
2017-11-15T13:05:59Z DEBUG cert valid True for "CN=ipa1.my.net,O=THOMAC.NET"
2017-11-15T13:05:59Z DEBUG handshake complete, peer = IPADDRESS
2017-11-15T13:05:59Z DEBUG Protocol: TLS1.2
2017-11-15T13:05:59Z DEBUG Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
2017-11-15T13:05:59Z DEBUG response status 500
2017-11-15T13:05:59Z DEBUG response headers {'content-length': '2292',
'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
'close', 'date': 'Wed, 15 Nov 2017 13:05:59 GMT', 'content-type':
'text/html;charset=utf-8'}
2017-11-15T13:05:59Z DEBUG response body '<!DOCTYPE
html><html><head><title>Apache Tomcat/8.0.46 (Ubuntu) - Error
report</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}.line {height: 1px;
background-color: #525D76; border: none;}</style> </head><body><h1>HTTP
Status 500 - Subsystem unavailable</h1><div
class="line"></div><p><b>type</b> Exception report</p><p><b>message</b>
<u>Subsystem unavailable</u></p><p><b>description</b> <u>The server
encountered an internal error that prevented it from fulfilling this
request.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:283)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b>
<u>The full stack trace of the root cause is available in the Apache
Tomcat/8.0.46 (Ubuntu) logs.</u></p><hr class="line"><h3>Apache
Tomcat/8.0.46 (Ubuntu)</h3></body></html>'
2017-11-15T13:05:59Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-11-15T13:05:59Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 1878, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 1797, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 347, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 1981, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 1987, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line
1294, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA
REST API'))
2017-11-15T13:05:59Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2017-11-15T13:05:59Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
3 years, 1 month
freeipa sudoers help
by Andrew Meyer
In preparation for a migration I am trying to set up sudoers within freeipa. I have about a dozen people that will need to sudo to another user and run commands. However I want to add all the commands for that user into my rule.
Would this be best practice to add ALL the commands into 1 rule? Or should I do a sudocmdgroup?
ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands
Would I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?
3 years, 1 month
Accessing KRB5 NFS from local system accounts
by Gordon Messmer
I'm troubleshooting a problem: A local system account (daemon) needs to
access a file on an NFS4 filesystem with sec=krb5. My understanding is
that only processes which have a Kerberos ticket are able to access
files on such a filesystem, and that seems to be the case on the system
I'm troubleshooting.
Suppose I need a keytab to identify the "daemon" user. I don't think I
want to create a new user in FreeIPA, since it would have a uid/gid that
conflict with the locally defined account. However, I think I do need a
keytab for "daemon@DOMAIN". The ipa command doesn't seem to provide a
means of creating such a principal.
Should I work directly in kadmin to create the principal and export the
keytab? Am I even on the right track?
3 years, 1 month
Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
by Fuji San
Hello,
I have trouble enrolling an IPA client.
I just installed Fedora 27 and all the packages are up-to-date.
I succeeded in enrolling 2 previous F27 clients, but this one is giving me a hard time.
Any help would be welcome.
Fuji
------
$ ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns --no-nisdomain --server=ipaserver.mydomain --domain=mydomain
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.mydomain
Realm: MYDOMAIN
DNS Domain: mydomain
IPA Server: ipaserver.mydomain
BaseDN: dc=mydomain
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@MYDOMAIN:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN
Issuer: CN=Certificate Authority,O=MYDOMAIN
Valid From: 2015-09-11 08:02:12
Valid Until: 2035-09-11 08:02:12
Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1.
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
-----
------
2017-11-30T10:11:50Z DEBUG Logging to /var/log/ipaclient-install.log
2017-11-30T10:11:50Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'no_ac': False, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': True, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': True, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'no_sssd': False, 'automount_location': None, 'domain_name': 'mydomain', 'servers': ['ipaserver.mydomain'], 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2017-11-30T10:11:50Z DEBUG IPA version 4.6.1-3.fc27
2017-11-30T10:11:50Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/usr/sbin/selinuxenabled
2017-11-30T10:11:50Z DEBUG Process finished, return code=1
2017-11-30T10:11:50Z DEBUG stdout=
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2017-11-30T10:11:50Z DEBUG Process finished, return code=0
2017-11-30T10:11:50Z DEBUG stdout=enabled
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG [IPA Discovery]
2017-11-30T10:11:50Z DEBUG Starting IPA discovery with domain=mydomain, servers=['ipaserver.mydomain'], hostname=ipaclient.mydomain
2017-11-30T10:11:50Z DEBUG Server and domain forced
2017-11-30T10:11:50Z DEBUG [Kerberos realm search]
2017-11-30T10:11:50Z DEBUG Search DNS for TXT record of _kerberos.mydomain
2017-11-30T10:11:50Z DEBUG DNS record found: "MYDOMAIN"
2017-11-30T10:11:50Z DEBUG [LDAP server check]
2017-11-30T10:11:50Z DEBUG Verifying that ipaserver.mydomain (realm MYDOMAIN) is an IPA server
2017-11-30T10:11:50Z DEBUG Init LDAP connection to: ldap://ipaserver.mydomain:389
2017-11-30T10:11:50Z DEBUG Search LDAP server for IPA base DN
2017-11-30T10:11:50Z DEBUG Check if naming context 'dc=mydomain' is for IPA
2017-11-30T10:11:50Z DEBUG Naming context 'dc=mydomain' is a valid IPA context
2017-11-30T10:11:50Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain (sub)
2017-11-30T10:11:50Z DEBUG Found: cn=MYDOMAIN,cn=kerberos,dc=mydomain
2017-11-30T10:11:50Z DEBUG Discovery result: Success; server=ipaserver.mydomain, domain=mydomain, kdc=ipaserver.mydomain, basedn=dc=mydomain
2017-11-30T10:11:50Z DEBUG Validated servers: ipaserver.mydomain
2017-11-30T10:11:50Z DEBUG will use discovered domain: mydomain
2017-11-30T10:11:50Z DEBUG Using servers from command line, disabling DNS discovery
2017-11-30T10:11:50Z DEBUG will use provided server: ipaserver.mydomain
2017-11-30T10:11:50Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2017-11-30T10:11:50Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all mydomaintions and will not fail over to other servers in case of failure.
2017-11-30T10:11:53Z DEBUG will use discovered realm: MYDOMAIN
2017-11-30T10:11:53Z DEBUG will use discovered basedn: dc=mydomain
2017-11-30T10:11:53Z INFO Client hostname: ipaclient.mydomain
2017-11-30T10:11:53Z DEBUG Hostname source: Machine's FQDN
2017-11-30T10:11:53Z INFO Realm: MYDOMAIN
2017-11-30T10:11:53Z DEBUG Realm source: Discovered from LDAP DNS records in ipaserver.mydomain
2017-11-30T10:11:53Z INFO DNS Domain: mydomain
2017-11-30T10:11:53Z DEBUG DNS Domain source: Forced
2017-11-30T10:11:53Z INFO IPA Server: ipaserver.mydomain
2017-11-30T10:11:53Z DEBUG IPA Server source: Provided as option
2017-11-30T10:11:53Z INFO BaseDN: dc=mydomain
2017-11-30T10:11:53Z DEBUG BaseDN source: From IPA server ldap://ipaserver.mydomain:389
2017-11-30T10:11:55Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:11:55Z DEBUG Starting external process
2017-11-30T10:11:55Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r MYDOMAIN
2017-11-30T10:11:55Z DEBUG Process finished, return code=3
2017-11-30T10:11:55Z DEBUG stdout=
2017-11-30T10:11:55Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2017-11-30T10:11:55Z INFO Skipping synchronizing time with NTP server.
2017-11-30T10:11:58Z DEBUG will use principal provided as option: admin
2017-11-30T10:11:58Z DEBUG Starting external process
2017-11-30T10:11:58Z DEBUG args=keyctl get_persistent @s 0
2017-11-30T10:11:58Z DEBUG Process finished, return code=0
2017-11-30T10:11:58Z DEBUG stdout=227339787
2017-11-30T10:11:58Z DEBUG stderr=
2017-11-30T10:11:58Z DEBUG Enabling persistent keyring CCACHE
2017-11-30T10:11:58Z DEBUG Writing Kerberos configuration to /tmp/tmp5wx608ci:
2017-11-30T10:11:58Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN = {
kdc = ipaserver.mydomain:88
master_kdc = ipaserver.mydomain:88
admin_server = ipaserver.mydomain:749
kpasswd_server = ipaserver.mydomain:464
default_domain = mydomain
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
ipaclient.mydomain = MYDOMAIN
2017-11-30T10:12:03Z DEBUG Initializing principal admin@MYDOMAIN using password
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=/usr/bin/kinit admin@MYDOMAIN -c /tmp/krbcct8vze36h/ccache
2017-11-30T10:12:03Z DEBUG Process finished, return code=0
2017-11-30T10:12:03Z DEBUG stdout=Password for admin@MYDOMAIN:
2017-11-30T10:12:03Z DEBUG stderr=
2017-11-30T10:12:03Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.mydomain
2017-11-30T10:12:03Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.mydomain:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f20e73c5b70>
2017-11-30T10:12:03Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN
Issuer: CN=Certificate Authority,O=MYDOMAIN
Valid From: 2015-09-11 08:02:12
Valid Until: 2035-09-11 08:02:12
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=/usr/sbin/ipa-join -s ipaserver.mydomain -b dc=mydomain -h ipaclient.mydomain
2017-11-30T10:12:03Z DEBUG Process finished, return code=17
2017-11-30T10:12:03Z DEBUG stdout=
2017-11-30T10:12:03Z DEBUG stderr=HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Installation failed. Rolling back changes.
2017-11-30T10:12:03Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:12:03Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=ipa-client-automount --uninstall --debug
2017-11-30T10:12:04Z DEBUG Process finished, return code=1
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=IPA client is not configured on this system
2017-11-30T10:12:04Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1.
2017-11-30T10:12:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:12:04Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n IPA Machine Certificate - ipaclient.mydomain -a -f /etc/pki/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - ipaclient.mydomain
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl start certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl is-active certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=active
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl stop certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl disable certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z INFO Disabling client Kerberos and LDAP configurations
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/sbin/authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir --update
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Error while moving /etc/sssd/sssd.conf to /etc/sssd/sssd.conf.deleted
2017-11-30T10:12:05Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl stop sssd.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable sssd.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=Removed /etc/systemd/system/multi-user.target.wants/sssd.service.
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable fedora-domainname.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
[...]
384 unit files listed.
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
[...]
384 unit files listed.
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z INFO Client uninstall complete.
2017-11-30T10:12:05Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 336, in run
cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run
self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute
for _nothing in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install
for _nothing in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3624, in main
install(self)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2346, in install
_install(options)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2568, in _install
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2017-11-30T10:12:05Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2017-11-30T10:12:05Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
---------
3 years, 1 month
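Added example, not part of the original post and not FreeIPA code: a triage script for an ipa-client-install log like the one above. It pairs each `args=` record with its return code and output, then separates the command that ran just before the first ERROR record from the non-zero exits that only appear during rollback. The sample records are condensed from the post, and treating the last command before the first ERROR as the trigger is a heuristic assumed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: records condensed from the log quoted in the post above.
SAMPLE_LOG = """\
2017-11-30T10:11:55Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r MYDOMAIN
2017-11-30T10:11:55Z DEBUG Process finished, return code=3
2017-11-30T10:11:55Z DEBUG stdout=
2017-11-30T10:11:55Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2017-11-30T10:12:03Z DEBUG args=/usr/sbin/ipa-join -s ipaserver.mydomain -b dc=mydomain -h ipaclient.mydomain
2017-11-30T10:12:03Z DEBUG Process finished, return code=17
2017-11-30T10:12:03Z DEBUG stdout=
2017-11-30T10:12:03Z DEBUG stderr=HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Installation failed. Rolling back changes.
2017-11-30T10:12:03Z DEBUG args=ipa-client-automount --uninstall --debug
2017-11-30T10:12:04Z DEBUG Process finished, return code=1
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=IPA client is not configured on this system
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n IPA Machine Certificate - ipaclient.mydomain -a -f /etc/pki/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - ipaclient.mydomain
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
sssd.service disabled
384 unit files listed.
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR) (.*)$")
ROLLBACK_MARK = "Installation failed. Rolling back changes."

@dataclass
class Proc:
    args: str
    phase: str                 # "install" or "rollback"
    rc: Optional[int] = None
    stdout: str = ""
    stderr: str = ""

def triage(log_text):
    """Pair each external command with its result and split failures by phase."""
    procs, errors = [], []
    phase, cur, field_name = "install", None, None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            # No timestamp: continuation of a multi-line stdout/stderr value.
            if cur is not None and field_name:
                setattr(cur, field_name, getattr(cur, field_name) + "\n" + line)
            continue
        level, msg = m.group(2), m.group(3)
        field_name = None
        if msg.startswith("args="):
            cur = Proc(args=msg[5:], phase=phase)
            procs.append(cur)
        elif msg.startswith("Process finished, return code=") and cur:
            cur.rc = int(msg.rsplit("=", 1)[1])
        elif msg.startswith(("stdout=", "stderr=")) and cur:
            field_name = msg[:6]
            setattr(cur, field_name, msg[7:])
        elif level == "ERROR":
            # Remember which command ran last before this ERROR record.
            errors.append((msg, cur))
            if msg == ROLLBACK_MARK:
                phase = "rollback"
    first_msg, trigger = errors[0] if errors else (None, None)
    failed = [p for p in procs if p.rc not in (0, None)]
    return {
        "first_error": first_msg,
        "trigger": trigger,
        "tolerated": [p for p in failed if p.phase == "install" and p is not trigger],
        "rollback": [p for p in failed if p.phase == "rollback"],
    }

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("trigger:", r["trigger"].args, "rc =", r["trigger"].rc)
```

On the sample, the trigger is the `ipa-join` call that returned 17 with the HTTP 401; the `ipa-client-automount` and `certutil` failures fall under `rollback`, and the earlier `ipa-rmkeytab` exit code 3 is listed as tolerated because the installer continued past it.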