On Tue, Feb 13, 2024 at 5:43 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Mauricio Tavares via FreeIPA-users wrote:
> On Tue, Feb 13, 2024 at 4:37 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>
>> Mauricio Tavares via FreeIPA-users wrote:
>>> So I am trying to add the first ipa client to my test environment. If
>>> I am running ipa-client-install as a root, why is it barking that
>>>
>>> nisdomainname: you must be root to change the domain name
>>>
>>> [root@idm-client1 /]# ipa-client-install --domain example.test
>>> --no-ntp --mkhomedir
>>> This program will set up IPA client.
>>> Version 4.9.12
>>>
>>> Discovery was successful!
>>> Client hostname: idm-client1.example.test
>>> Realm: EXAMPLE.TEST
>>> DNS Domain: example.test
>>> IPA Server: idm01.example.test
>>> BaseDN: dc=example,dc=test
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> Continue to configure the system with these values? [no]: yes
>>> Skipping chrony configuration
>>> User authorized to enroll computers: admin
>>> Password for admin@EXAMPLE.TEST:
>>> Successfully retrieved CA cert
>>> Subject: CN=Certificate Authority,O=EXAMPLE.TEST
>>> Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
>>> Valid From: 2024-02-07 15:25:44
>>> Valid Until: 2044-02-07 15:25:44
>>>
>>> Enrolled in IPA realm EXAMPLE.TEST
>>> Created /etc/ipa/default.conf
>>> Configured /etc/sssd/sssd.conf
>>> Systemwide CA database updated.
>>> SSSD enabled
>>> Configured /etc/openldap/ldap.conf
>>> /etc/ssh/ssh_config not found, skipping configuration
>>> /etc/ssh/sshd_config not found, skipping configuration
>>> Configuring example.test as NIS domain.
>>> CalledProcessError(Command ['/bin/systemctl', 'restart',
>>> 'nis-domainname.service'] returned non-zero exit status 1: 'Job for
>>> nis-domainname.service failed because the control process exited with
>>> error code.\nSee "systemctl status nis-domainname.service" and
>>> "journalctl -xe" for details.\n')
>>> The ipa-client-install command failed. See
>>> /var/log/ipaclient-install.log for more information
>>> [root@idm-client1 /]#
>>>
>>> [root@idm-client1 /]# systemctl status nis-domainname.service --full --no-pager
>>> ● nis-domainname.service - Read and set NIS domainname from
>>> /etc/sysconfig/network
>>> Loaded: loaded (/usr/lib/systemd/system/nis-domainname.service;
>>> enabled; vendor preset: enabled)
>>> Active: failed (Result: exit-code) since Mon 2024-02-12 21:26:58
>>> UTC; 2min 24s ago
>>> Process: 300 ExecStart=/usr/libexec/hostname/nis-domainname
>>> (code=exited, status=1/FAILURE)
>>> Main PID: 300 (code=exited, status=1/FAILURE)
>>>
>>> Feb 12 21:26:58 idm-client1.example.test systemd[1]: Starting Read and
>>> set NIS domainname from /etc/sysconfig/network...
>>> Feb 12 21:26:58 idm-client1.example.test nis-domainname[301]:
>>> nisdomainname: you must be root to change the domain name
>>> Feb 12 21:26:58 idm-client1.example.test systemd[1]:
>>> nis-domainname.service: Main process exited, code=exited,
>>> status=1/FAILURE
>>> Feb 12 21:26:58 idm-client1.example.test systemd[1]:
>>> nis-domainname.service: Failed with result 'exit-code'.
>>> Feb 12 21:26:58 idm-client1.example.test systemd[1]: Failed to start
>>> Read and set NIS domainname from /etc/sysconfig/network.
>>> [root@idm-client1 /]#
>>
>> Looks like this message appears on any EPERM failure [1]. Are you
>> running in a container? Any SELinux errors?
>
> Right you are: running in container. SELinux currently disabled in host.

You could try --no-nisdomain

Or a more complex approach like the server container does,
https://github.com/freeipa/freeipa-container/blob/master/hostnamectl-wrapper

rob

--no-nisdomain worked for me. Thanks! I will also check the
server container approach; there are things there I would like to use
anyway.
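
The EPERM discussed in this thread can be predicted before enrolling: setdomainname(2) needs CAP_SYS_ADMIN, which containers commonly drop even for uid 0. The following is an added example, not part of the thread or of FreeIPA; the function names and the sample capability masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether this process may set the
# NIS domain name, and pick the ipa-client-install flag accordingly.
# Function names and sample masks below are constructed for illustration.

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN in linux/capability.h

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in the capability mask
has_cap() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status FILE -> print the CapEff mask from a /proc/<pid>/status file
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# nisdomain_flag HEXMASK -> print "--no-nisdomain" when the capability is absent.
# A present capability is necessary, not sufficient: seccomp or a user
# namespace can still make the call fail.
nisdomain_flag() {
    if ! has_cap "$1" "$CAP_SYS_ADMIN_BIT"; then
        printf '%s' '--no-nisdomain'
    fi
}

# suggest_install_cmd HEXMASK -> print the command line seen in the thread,
# with --no-nisdomain appended when needed. Nothing is executed.
suggest_install_cmd() {
    flag=$(nisdomain_flag "$1")
    printf '%s\n' "ipa-client-install --domain example.test --no-ntp --mkhomedir${flag:+ $flag}"
}

# Constructed sample masks: a full capability set and a reduced set in which
# bit 21 is cleared, as seen in an unprivileged container.
SAMPLE_FULL=000001ffffffffff
SAMPLE_REDUCED=00000000a80425fb

if [ -r /proc/self/status ]; then
    current=$(cap_eff_from_status /proc/self/status)
    if [ -n "$current" ]; then
        echo "CapEff=$current"
        suggest_install_cmd "$current"
    fi
fi
```
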