FreeIPA PKI Certs won't renew "Adjustment limit exceeded"
by T A
On FreeIPA version 4.6.8-5 realized that pki-tomcatd wouldn't start
ipactl status
pki-tomcatd Service: STOPPED
Ran 'getcert list' and found the 'pki-tomcat' cert was expired
Rolled back the system clock to before the cert expired, now starts up
ipactl status
pki-tomcatd Service: STARTED
Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows "status: CA_UNREACHABLE"
'ipa-cert fix' didn't work either
Checked logs again 'journalctl -t certmonger' and found 'ns-slapd' was giving out this error when it tried to renew 'csngen_adjust_local_time - Adjustment limit exceeded: value - 435060 limit - 86400'
Any way to change the adjustment limit or force this cert to renew anyway?
2 days, 3 hours
Installing FreeIPA server + replica using Ansible Role FreeIPA
by Finn Fysj
The installation of IPA server and replica does not produce the desired result.
Even though mkhomedir is set to true, the feature is not enabled in authselect. Also, the replica server does not replicate SUDO and HBAC rules from the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
  vars:
    ipaserver: "{{ ansible_hostname }}.example"
    ipaserver_hostname: "{{ ansible_hostname }}.example"
    ipaadmin_password: "test123"
    ipadm_password: "test321"
    ipaserver_domain: "example.com"
    ipaserver_realm: "EXAMPLE.COM"
    ipaserver_no_host_dns: true
    ipaserver_mem_check: true
    ipaserver_install_packages: true
    ipaserver_setup_dns: false
    ipaserver_no_pkinit: true
    ipaserver_no_hbac_allow: true
    ipaserver_no_ui_redirect: false
    ipaclient_no_ntp: true
    ipaclient_mkhomedir: true
    ipaclient_no_sudo: false
4 days, 9 hours
kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele
I tried various approaches to get renewable tickets:
- modifying the kdc
- modifying krb5.conf
- using kadmin.local on every replica to modify the principal, which is not
  working - as designed (?) - in IPA
What should I do to get a ticket with the correct R flag from IPA ?
I don't think this is SSSD related (the service needing the renewable
ticket this way is Apache Storm)
Thanks a lot!
4 days, 23 hours
AIX - IPA group membership
by Ronald Wimmer
I can and use IPA users on an AIX client. As well as groups. But somehow
group membership does not seem to be configured correctly...
# id y179768
uid=1246660005(y179768) gid=1246660005(y179768)
# lsgroup -R LDAP ipa-aix-g
ipa-aix-g id=1246690508 users= registry=LDAP
Anyone has a hint what could be misconfigured?
1 week, 6 days
Custom ssl cert for freeipa docker
by Leo O
Hello Guys,
I would like to use custom ssl certificates for http and ldap. I saw the following:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time?
Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use those certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.
1 month
In FreeIPA AD trust environment add AD user to local group
by Sameer Gurung
I have integrated freeipa with AD via a two way trust. However, I now have a
problem:
How do I add my AD users logging in to linux clients to the local machine's
docker group so that they can run docker?
Any help would be appreciated.
Thanks everyone!
Sameer K Gurung
--
Saint Mary's College, Shillong, Meghalaya, India-793003,
smcs.ac.in <http://smcs.ac.in>
1 month, 1 week
Visibility/access of Freeipa users to windows on trusted AD
by Francis Augusto Medeiros-Logeay
Hi,
I have searched this everywhere, but can't find it.
I want to grant access to a FreeIPA user to a Windows machine. When I
try to grant the user access on windows, adding it like
FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both
domains, but every place where I see the trusted domain on Windows (for
example when configuring a GPO) I can't search for FreeIPA users.
Is this how it is supposed to be, or how can I see my FreeIPA users on
Windows the same way I see AD users on my freeipa linux clients?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
1 month, 2 weeks
Help with ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure in attempt to loadbalance
by dweller dweller
Hi. I am aware that there have been many discussions regarding fully load balancing FreeIPA replicas, but I am doing it for the sake of experimentation. For my tests, I mainly rely on this article - https://mrgecko.org/blog/2022/freeipa-load-balance, although I am using nginx instead of HAProxy.
Currently, I have only one replica that is behind an nginx proxy, and I am able to access the FreeIPA WebUI via the load balancer's hostname and perform usual operations without any issues. However, I am now trying to enroll a host using the "--server=<loadbalancer_hostname>" option, but the installation fails. I have collected two types of ipaclient-install logs - one that fails when I try to add the host with "--server=<loadbalancer>", and one "healthy" log from the enrollment of the same host, bypassing the proxy directly to the ipa-server (as in the usual operation).
with "--server=<loadbalancer>":
>failed to find session_cookie in persistent storage for principal 'host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL'
>trying https://lb.ipa.edu.novalocal/ipa/json
>Created connection context.rpcclient_140218712782800
>[try 1]: Forwarding 'schema' to json server 'https://lb.ipa.edu.novalocal/ipa/json'
>New HTTP connection (lb.ipa.edu.novalocal)
>[4637] 1690357386.007597: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007598: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL using ccache FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007599: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[4637] 1690357386.007600: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[4637] 1690357386.007601: Starting with TGT for client realm: host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007602: Requesting tickets for HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL, referrals on
>[4637] 1690357386.007603: Generated subkey for TGS request: aes256-cts/F148
>[4637] 1690357386.007604: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[4637] 1690357386.007606: Encoding request body and padata into FAST request
>[4637] 1690357386.007607: Sending request (2338 bytes) to EDU-IPA.NOVALOCAL
>[4637] 1690357386.007608: Initiating TCP connection to stream 172.28.19.159:88
>[4637] 1690357386.007609: Sending TCP request to stream 172.28.19.159:88
>[4637] 1690357386.007610: Received answer (2307 bytes) from stream 172.28.19.159:88
>[4637] 1690357386.007611: Terminating TCP connection to stream 172.28.19.159:88
>[4637] 1690357386.007612: Response was from master KDC
>[4637] 1690357386.007613: Decoding FAST response
>[4637] 1690357386.007614: FAST reply key: aes256-cts/2EEF
>[4637] 1690357386.007615: TGS reply is for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL with session key aes256-cts/011A
>[4637] 1690357386.007616: TGS request result: 0/Success
>[4637] 1690357386.007617: Received creds for desired service HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[4637] 1690357386.007618: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL in FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007620: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/lb.ipa.edu.novalocal(a)EDU-IPA.NOVALOCAL, seqnum 355879243, subkey aes256-cts/2361, session key aes256-cts/011A
>[4637] 1690357386.007625: Read AP-REP, time 1690357386.7621, subkey aes256-cts/9ABD, seqnum 40531156
>[4637] 1690357386.007630: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>Destroyed connection context.rpcclient_140218712782800
> File "/usr/lib64/python3/site-packages/ipapython/admintool.py", line 180, in execute
> return_value = self.run()
> File "/usr/lib64/python3/site-packages/ipapython/install/cli.py", line 342, in run
> return cfgr.run()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 360, in run
> return self.execute()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 386, in execute
> for rval in self._executor():
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 655, in _configure
> next(executor)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 518, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 515, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib64/python3/site-packages/ipapython/install/common.py", line 65, in _install
> for unused in self._installer(self.parent):
> File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line 3833, in main
> install(self)
> File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line 2520, in install
> _install(options)
> File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line 2846, in _install
> api.finalize()
> File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 751, in finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 438, in __do_if_not_done
> getattr(self, name)()
> File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 630, in load_plugins
> for package in self.packages:
> File "/usr/lib64/python3/site-packages/ipalib/__init__.py", line 949, in packages
> ipaclient.remote_plugins.get_package(self),
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/__init__.py", line 134, in get_package
> plugins = schema.get_package(server_info, client)
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", line 553, in get_package
> schema = Schema(client)
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", line 402, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
> File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", line 427, in _fetch
> schema = client.forward(u'schema', **kwargs)['result']
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1151, in forward
> return self._call_command(command, params)
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1127, in _call_command
> return command(*params)
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1281, in _call
> return self.__request(name, args)
> File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1275, in __request
> raise error_class(**kw)
>
>The ipa-client-install command failed, exception: ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
>Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
normal enrollment (same spot in the logs):
>restart of certmonger.service complete
>Adding SSH public key from /etc/openssh/ssh_host_rsa_key.pub
>Adding SSH public key from /etc/openssh/ssh_host_dsa_key.pub
>Adding SSH public key from /etc/openssh/ssh_host_ecdsa_key.pub
>Adding SSH public key from /etc/openssh/ssh_host_ed25519_key.pub
>[try 1]: Forwarding 'host_mod' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356381.860222: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356381.860223: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356381.860224: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356381.860226: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 279994011, subkey aes256-cts/E278, session key aes256-cts/B2AD
>[3825] 1690356381.860231: Read AP-REP, time 1690356381.860227, subkey aes256-cts/6032, seqnum 235082758
>[3825] 1690356381.860236: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>
>
>Found zone name: edu.novalocal
>The master is: infra-ipa-master-01.edu-ipa.novalocal
>start_gssrequest
>[3898] 1690356381.745962: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3898] 1690356381.745963: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL using ccache FILE:/etc/ipa/.dns_ccache
>[3898] 1690356381.745964: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3898] 1690356381.745966: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> DNS/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL, seqnum 15181654, subkey aes256-cts/ECC7, session key aes256-cts/607C
>send_gssrequest
>
>
>Process finished, return code=1
>stdout=
>stderr=
>[3825] 1690356380.148934: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148935: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148936: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148937: Retrying host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148938: Server has referral realm; starting with ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148939: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148940: Starting with TGT for client realm: host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148941: Requesting tickets for ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL, referrals on
>[3825] 1690356380.148942: Generated subkey for TGS request: aes256-cts/3DE8
>[3825] 1690356380.148943: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[3825] 1690356380.148945: Encoding request body and padata into FAST request
>[3825] 1690356380.148946: Sending request (2377 bytes) to EDU-IPA.NOVALOCAL
>[3825] 1690356380.148947: Initiating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148948: Sending TCP request to stream 172.28.19.159:88
>[3825] 1690356380.148949: Received answer (2302 bytes) from stream 172.28.19.159:88
>[3825] 1690356380.148950: Terminating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148951: Response was from master KDC
>[3825] 1690356380.148952: Decoding FAST response
>[3825] 1690356380.148953: FAST reply key: aes256-cts/BBE7
>[3825] 1690356380.148954: TGS reply is for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with session key aes256-cts/207E
>[3825] 1690356380.148955: TGS request result: 0/Success
>[3825] 1690356380.148956: Received creds for desired service ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148957: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ in FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148958: Also storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL based on ticket
>[3825] 1690356380.148959: Removing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148961: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> ldap/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 224156792, subkey aes256-cts/6EF9, session key aes256-cts/207E
>[3825] 1690356380.148966: Read AP-REP, time 1690356380.148962, subkey aes256-cts/4E53, seqnum 820684970
>Adding CA certificates to the IPA NSS database.
>
>
>failed to find session_cookie in persistent storage for principal 'host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL'
>trying https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json
>Created connection context.rpcclient_139803356784400
>Try RPC connection
>[try 1]: Forwarding 'ping' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>New HTTP connection (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356380.148857: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148858: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148859: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148860: Retrying host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with result: -1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache)
>[3825] 1690356380.148861: Server has referral realm; starting with HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148862: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148863: Starting with TGT for client realm: host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krbtgt/EDU-IPA.NOVALOCAL(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148864: Requesting tickets for HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL, referrals on
>[3825] 1690356380.148865: Generated subkey for TGS request: aes256-cts/46AB
>[3825] 1690356380.148866: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[3825] 1690356380.148868: Encoding request body and padata into FAST request
>[3825] 1690356380.148869: Sending request (2377 bytes) to EDU-IPA.NOVALOCAL
>[3825] 1690356380.148870: Initiating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148871: Sending TCP request to stream 172.28.19.159:88
>[3825] 1690356380.148872: Received answer (2345 bytes) from stream 172.28.19.159:88
>[3825] 1690356380.148873: Terminating TCP connection to stream 172.28.19.159:88
>[3825] 1690356380.148874: Response was from master KDC
>[3825] 1690356380.148875: Decoding FAST response
>[3825] 1690356380.148876: FAST reply key: aes256-cts/4ACD
>[3825] 1690356380.148877: TGS reply is for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL with session key aes256-cts/B2AD
>[3825] 1690356380.148878: TGS request result: 0/Success
>[3825] 1690356380.148879: Received creds for desired service HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148880: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ in FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148881: Also storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL based on ticket
>[3825] 1690356380.148882: Removing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL from FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148884: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 232117189, subkey aes256-cts/E5F8, session key aes256-cts/B2AD
>[3825] 1690356380.148889: Read AP-REP, time 1690356380.148885, subkey aes256-cts/9C66, seqnum 920243718
>[3825] 1690356380.148894: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>[try 1]: Forwarding 'ca_is_enabled' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356380.148898: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148899: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148900: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148902: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 678605449, subkey aes256-cts/747F, session key aes256-cts/B2AD
>[3825] 1690356380.148907: Read AP-REP, time 1690356380.148903, subkey aes256-cts/C2C1, seqnum 37258182
>[3825] 1690356380.148912: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>[try 1]: Forwarding 'config_show' to json server 'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json'
>HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal)
>[3825] 1690356380.148916: ccselect module realm chose cache FILE:/etc/ipa/.dns_ccache with client principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL for server principal HTTP/infra-ipa-master-01.edu-ipa.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148917: Getting credentials host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache FILE:/etc/ipa/.dns_ccache
>[3825] 1690356380.148918: Retrieving host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache with result: 0/Success
>[3825] 1690356380.148920: Creating authenticator for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 896576105, subkey aes256-cts/02A5, session key aes256-cts/B2AD
>[3825] 1690356380.148925: Read AP-REP, time 1690356380.148921, subkey aes256-cts/D3B7, seqnum 175125735
>received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;path=/ipa;httponly;secure;']'
>storing cookie 'ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;' for principal host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL
>[3825] 1690356380.148929: Storing config in FILE:/etc/ipa/.dns_ccache for host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL: X-IPA-Session-Cookie: ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;\x00
>[3825] 1690356380.148930: Storing host/test-lb-enroll.edu.novalocal(a)EDU-IPA.NOVALOCAL -> krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL(a)X-CACHECONF: in FILE:/etc/ipa/.dns_ccache
>Starting external process
>args=['/usr/bin/certutil', '-d', '/etc/ipa/nssdb', '-N', '-f', '/etc/ipa/nssdb/pwdfile.txt', '-@', '/etc/ipa/nssdb/pwdfile.txt']
Seems like for some reason the install script is unable to save credentials to /etc/ipa/.dns_ccache in the first case. Any ideas why this could be happening? Despite obvious permissions issues, cause I specifically ran a normal installation in the same environment, to eliminate any host setup problems.
Client version is: freeipa-client-4.8.9-alt4.c9f2.3.x86_64
1 month, 3 weeks
local root can login but freeipa users can't
by barry y
This happens randomly: local root can log in through SSH to the affected system, but for a freeipa user, login was successful but there's no prompt.
When successfully logged in, it only displays a message saying "Last login: xxx" and then no prompt.
There are no sssd errors though, and restarting the service doesn't help either. While the issue happens to one system, on other systems freeipa users can log in with no problem.
Only way to get out of this is to restart the entire system.
1 month, 4 weeks