Thank You Florence.


On the new client, /etc/ipa/nssdb was empty. I still deleted the nssdb dir on the client, ran the uninstall command you mentioned, deleted the host on the master, and ran ipa-client-install, and still got the same issue.


I have attached certificates from master server as well as the install log.


regards,

Bhavin







From: Florence Blanc-Renaud <flo@redhat.com>
Sent: Friday, October 6, 2017 1:25 AM
To: FreeIPA users list
Cc: Bhavin Vaidya
Subject: Re: [Freeipa-users] FreeIPA client installation failure
 
On 10/06/2017 02:04 AM, Bhavin Vaidya via FreeIPA-users wrote:
> Hello,
>
>
> Thank you all for your help in the past, as I keep encountering one issue
> after another.
>
> Sorry for the long email, as I am posting the log. Let me know if there is another way.
>
>
> IPA Server OS: CentOS Linux release 7.0.1406 (Core)
>
>
> IPA Server RPM: ipa-server-4.4.0-14.el7.centos.7.x86_64
>
>
> Client OS: CentOS Linux release 7.3.1611 (Core)
>
> IPA client RPM: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 (as well as
> ipa-client-4.4.0-14.el7.centos.7.x86_64)
>
>
> I have not been able to enroll a new client recently, and I am getting the following message:
>
>
Hi,

it looks like there are multiple versions for the IPA CA certificate,
and one of them is causing the issue. You can see in the log around
2017-10-05T23:34:45Z that CN=Certificate Authority,O=EXAMPLE.COM has
been renewed and corresponds to 5 items that can be found in
cn=certificates,cn=ipa,cn=etc,$SUFFIX.
The installer is trying to append them in /etc/ipa/nssdb and one of them
fails.
A little bit before this step (around 2017-10-05T23:34:47Z), the
installer has validated that the certs are OK by using a temporary NSS
DB, hence I don't think that the certs themselves are the issue, but
rather that /etc/ipa/nssdb already contained something that caused the
problem.

Was the /etc/ipa/nssdb already existing before you launched the
installation? Can you try to run ipa-client-install --uninstall -U, then
remove the files in /etc/ipa/nssdb, run ipa host-del <client> on the
master and re-launch the installation?

Flo

> Enrolled in IPA realm EXAMPLE.COM
>
> Created /etc/ipa/default.conf
>
> New SSSD config will be created
>
> Configured sudoers in /etc/nsswitch.conf
>
> Configured /etc/sssd/sssd.conf
>
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
>
> trying https://ds01.example.com/ipa/json
>
> [try 1]: Forwarding 'schema' to json server
> 'https://ds01.example.com/ipa/json'
>
> trying https://ds01.example.com/ipa/session/json
>
> [try 1]: Forwarding 'ping' to json server
> 'https://ds01.example.com/ipa/session/json'
>
> [try 1]: Forwarding 'ca_is_enabled' to json server
> 'https://ds01.example.com/ipa/session/json'
>
> Installation failed. Force set so not rolling back changes.
>
> Failed to add EXAMPLE.COM IPA CA to the IPA NSS database.
>
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
>
>
> The ipa-client-install.log is:
>
>
> 2017-10-05T23:34:37Z DEBUG Logging to /var/log/ipaclient-install.log
>
> 2017-10-05T23:34:37Z DEBUG ipa-client-install was invoked with arguments
> [] and options: {'no_dns_sshfp': False, 'force': True, 'verbose': False,
> 'ip_addresses': None, 'configure_firefox': False, 'realm_name': None,
> 'force_ntpd': False, 'on_master': False, 'no_nisdomain': False,
> 'ssh_trust_dns': False, 'principal': None, 'keytab': None, 'no_ntp':
> False, 'domain_name': None, 'request_cert': False, 'fixed_primary':
> False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None,
> 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': None,
> 'enable_dns_updates': False, 'no_sshd': False, 'no_sssd': False,
> 'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False,
> 'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet':
> False, 'nisdomain': None, 'prompt_password': False, 'host_name': None,
> 'permit': False, 'automount_location': None, 'preserve_sssd': False,
> 'mkhomedir': False, 'log_file': None, 'uninstall': False}
>
> 2017-10-05T23:34:37Z DEBUG IPA version 4.5.0-21.el7.centos.1.2
>
> 2017-10-05T23:34:37Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>
> 2017-10-05T23:34:37Z DEBUG Starting external process
>
> 2017-10-05T23:34:37Z DEBUG args=/usr/sbin/selinuxenabled
>
> 2017-10-05T23:34:37Z DEBUG Process finished, return code=1
>
> 2017-10-05T23:34:37Z DEBUG stdout=
>
> 2017-10-05T23:34:37Z DEBUG stderr=
>
> 2017-10-05T23:34:37Z DEBUG Starting external process
>
> 2017-10-05T23:34:37Z DEBUG args=/bin/systemctl is-enabled chronyd.service
>
> 2017-10-05T23:34:37Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:37Z DEBUG stdout=enabled
>
> 2017-10-05T23:34:37Z DEBUG stderr=
>
> 2017-10-05T23:34:37Z DEBUG [IPA Discovery]
>
> 2017-10-05T23:34:37Z DEBUG Starting IPA discovery with domain=None,
> servers=None, hostname=groc-5.example.com
>
> 2017-10-05T23:34:37Z DEBUG Start searching for LDAP SRV record in
> "example.com" (domain of the hostname) and its sub-domains
>
> 2017-10-05T23:34:37Z DEBUG Search DNS for SRV record of
> _ldap._tcp.example.com
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds01.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ipa01.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds02.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds03.example.com.
>
> 2017-10-05T23:34:37Z DEBUG [Kerberos realm search]
>
> 2017-10-05T23:34:37Z DEBUG Search DNS for TXT record of
> _kerberos.example.com
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: "EXAMPLE.COM"
>
> 2017-10-05T23:34:37Z DEBUG Search DNS for SRV record of
> _kerberos._udp.example.com
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ipa01.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ds01.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ds03.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ds02.example.com.
>
> 2017-10-05T23:34:37Z DEBUG [LDAP server check]
>
> 2017-10-05T23:34:37Z DEBUG Verifying that ds01.example.com (realm
> EXAMPLE.COM) is an IPA server
>
> 2017-10-05T23:34:37Z DEBUG Init LDAP connection to:
> ldap://ds01.example.com:389
>
> 2017-10-05T23:34:37Z DEBUG Search LDAP server for IPA base DN
>
> 2017-10-05T23:34:37Z DEBUG Check if naming context 'dc=example,dc=com'
> is for IPA
>
> 2017-10-05T23:34:37Z DEBUG Naming context 'dc=example,dc=com' is a valid
> IPA context
>
> 2017-10-05T23:34:37Z DEBUG Search for (objectClass=krbRealmContainer) in
> dc=example,dc=com (sub)
>
> 2017-10-05T23:34:37Z DEBUG Found:
> cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>
> 2017-10-05T23:34:37Z DEBUG Discovery result: Success;
> server=ds01.example.com, domain=example.com,
> kdc=ipa01.example.com,ds01.example.com,ds03.example.com,ds02.example.com, basedn=dc=example,dc=com
>
> 2017-10-05T23:34:37Z DEBUG Validated servers: ds01.example.com
>
> 2017-10-05T23:34:37Z DEBUG will use discovered domain: example.com
>
> 2017-10-05T23:34:37Z DEBUG Start searching for LDAP SRV record in
> "example.com" (Validating DNS Discovery) and its sub-domains
>
> 2017-10-05T23:34:37Z DEBUG Search DNS for SRV record of
> _ldap._tcp.example.com
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ipa01.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds02.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds03.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds01.example.com.
>
> 2017-10-05T23:34:37Z DEBUG DNS validated, enabling discovery
>
> 2017-10-05T23:34:37Z DEBUG will use discovered server: ds01.example.com
>
> 2017-10-05T23:34:37Z INFO Discovery was successful!
>
> 2017-10-05T23:34:37Z DEBUG will use discovered realm: EXAMPLE.COM
>
> 2017-10-05T23:34:37Z DEBUG will use discovered basedn: dc=example,dc=com
>
> 2017-10-05T23:34:37Z INFO Client hostname: groc-5.example.com
>
> 2017-10-05T23:34:37Z DEBUG Hostname source: Machine's FQDN
>
> 2017-10-05T23:34:37Z INFO Realm: EXAMPLE.COM
>
> 2017-10-05T23:34:37Z DEBUG Realm source: Discovered from LDAP DNS
> records in ds01.example.com
>
> 2017-10-05T23:34:37Z INFO DNS Domain: example.com
>
> 2017-10-05T23:34:37Z DEBUG DNS Domain source: Discovered LDAP SRV
> records from example.com (domain of the hostname)
>
> 2017-10-05T23:34:37Z INFO IPA Server: ds01.example.com
>
> 2017-10-05T23:34:37Z DEBUG IPA Server source: Discovered from LDAP DNS
> records in ds01.example.com
>
> 2017-10-05T23:34:37Z INFO BaseDN: dc=example,dc=com
>
> 2017-10-05T23:34:37Z DEBUG BaseDN source: From IPA server
> ldap://ds01.example.com:389
>
> 2017-10-05T23:34:39Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>
> 2017-10-05T23:34:39Z DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>
> 2017-10-05T23:34:39Z DEBUG Starting external process
>
> 2017-10-05T23:34:39Z DEBUG args=/usr/sbin/ipa-rmkeytab -k
> /etc/krb5.keytab -r EXAMPLE.COM
>
> 2017-10-05T23:34:39Z DEBUG Process finished, return code=5
>
> 2017-10-05T23:34:39Z DEBUG stdout=
>
> 2017-10-05T23:34:39Z DEBUG stderr=realm not found
>
> 2017-10-05T23:34:39Z INFO Skipping synchronizing time with NTP server.
>
> 2017-10-05T23:34:41Z DEBUG will use principal provided as option: admin
>
> 2017-10-05T23:34:41Z DEBUG Starting external process
>
> 2017-10-05T23:34:41Z DEBUG args=keyctl get_persistent @s 0
>
> 2017-10-05T23:34:41Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:41Z DEBUG stdout=218715285
>
> 2017-10-05T23:34:41Z DEBUG stderr=
>
> 2017-10-05T23:34:41Z DEBUG Enabling persistent keyring CCACHE
>
> 2017-10-05T23:34:41Z DEBUG Writing Kerberos configuration to /tmp/tmpVCsDCR:
>
> 2017-10-05T23:34:41Z DEBUG #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>
>    default_realm = EXAMPLE.COM
>
>    dns_lookup_realm = false
>
>    dns_lookup_kdc = false
>
>    rdns = false
>
>    dns_canonicalize_hostname = false
>
>    ticket_lifetime = 24h
>
>    forwardable = true
>
>    udp_preference_limit = 0
>
>    default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>
>    EXAMPLE.COM = {
>
>      kdc = ds01.example.com:88
>
>      master_kdc = ds01.example.com:88
>
>      admin_server = ds01.example.com:749
>
>      kpasswd_server = ds01.example.com:464
>
>      default_domain = example.com
>
>      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>
>      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>
>    }
>
> [domain_realm]
>
>    .example.com = EXAMPLE.COM
>
>    example.com = EXAMPLE.COM
>
>    groc-5.example.com = EXAMPLE.COM
>
> 2017-10-05T23:34:45Z DEBUG Initializing principal admin@EXAMPLE.COM
> using password
>
> 2017-10-05T23:34:45Z DEBUG Starting external process
>
> 2017-10-05T23:34:45Z DEBUG args=/usr/bin/kinit admin@EXAMPLE.COM
> -c /tmp/krbccbP9vNK/ccache
>
> 2017-10-05T23:34:45Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:45Z DEBUG stdout=Password for admin@EXAMPLE.COM:
>
> 2017-10-05T23:34:45Z DEBUG stderr=
>
> 2017-10-05T23:34:45Z DEBUG trying to retrieve CA cert via LDAP from
> ds01.example.com
>
> 2017-10-05T23:34:45Z DEBUG retrieving schema for SchemaCache
> url=ldap://ds01.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject
> instance at 0x2c25ea8>
>
> 2017-10-05T23:34:45Z INFO Successfully retrieved CA cert
>
>      Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>
>      Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>
>      Valid From:  2014-08-03 19:28:18
>
>      Valid Until: 2034-08-03 19:28:18
>
>      Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>
>      Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>
>      Valid From:  2017-05-30 00:17:28
>
>      Valid Until: 2037-05-30 00:17:28
>
>      Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>
>      Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>
>      Valid From:  2017-05-30 00:19:13
>
>      Valid Until: 2037-05-30 00:19:13
>
>      Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>
>      Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>
>      Valid From:  2017-05-30 00:38:33
>
>      Valid Until: 2037-05-30 00:38:33
>
>      Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>
>      Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>
>      Valid From:  2017-06-01 12:55:08
>
>      Valid Until: 2037-06-01 12:55:08
>
> 2017-10-05T23:34:45Z DEBUG Starting external process
>
> 2017-10-05T23:34:45Z DEBUG args=/usr/sbin/ipa-join -s ds01.example.com
> -b dc=example,dc=com -h groc-5.example.com
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=Failed to parse result: Failed to
> decode GetKeytab Control.
>
> Retrying with pre-4.0 keytab retrieval method...
>
> Failed to retrieve encryption type Camellia-128 CTS mode with CMAC (#25)
>
> Failed to retrieve encryption type Camellia-256 CTS mode with CMAC (#26)
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> Certificate subject base is: O=EXAMPLE.COM
>
> 2017-10-05T23:34:47Z INFO Enrolled in IPA realm EXAMPLE.COM
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=kdestroy
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Initializing principal
> host/groc-5.example.com@EXAMPLE.COM using keytab /etc/krb5.keytab
>
> 2017-10-05T23:34:47Z DEBUG using ccache /etc/ipa/.dns_ccache
>
> 2017-10-05T23:34:47Z DEBUG Attempt 1/5: success
>
> 2017-10-05T23:34:47Z DEBUG Backing up system configuration file
> '/etc/ipa/default.conf'
>
> 2017-10-05T23:34:47Z DEBUG   -> Not backing up - '/etc/ipa/default.conf'
> doesn't exist
>
> 2017-10-05T23:34:47Z INFO Created /etc/ipa/default.conf
>
> 2017-10-05T23:34:47Z DEBUG Backing up system configuration file
> '/etc/sssd/sssd.conf'
>
> 2017-10-05T23:34:47Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf'
> doesn't exist
>
> 2017-10-05T23:34:47Z INFO New SSSD config will be created
>
> 2017-10-05T23:34:47Z DEBUG Backing up system configuration file
> '/etc/nsswitch.conf'
>
> 2017-10-05T23:34:47Z DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>
> 2017-10-05T23:34:47Z INFO Configured sudoers in /etc/nsswitch.conf
>
> 2017-10-05T23:34:47Z INFO Configured /etc/sssd/sssd.conf
>
> 2017-10-05T23:34:47Z DEBUG Backing up system configuration file
> '/etc/krb5.conf'
>
> 2017-10-05T23:34:47Z DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=keyctl get_persistent @s 0
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=218715285
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Enabling persistent keyring CCACHE
>
> 2017-10-05T23:34:47Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
>
> 2017-10-05T23:34:47Z DEBUG #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>
>    default_realm = EXAMPLE.COM
>
>    dns_lookup_realm = false
>
>    dns_lookup_kdc = false
>
>    rdns = false
>
>    dns_canonicalize_hostname = false
>
>    ticket_lifetime = 24h
>
>    forwardable = true
>
>    udp_preference_limit = 0
>
>    default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>
>    EXAMPLE.COM = {
>
>      kdc = ds01.example.com:88
>
>      master_kdc = ds01.example.com:88
>
>      admin_server = ds01.example.com:749
>
>      kpasswd_server = ds01.example.com:464
>
>      default_domain = example.com
>
>      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>
>      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>
>    }
>
> [domain_realm]
>
>    .example.com = EXAMPLE.COM
>
>    example.com = EXAMPLE.COM
>
>    groc-5.example.com = EXAMPLE.COM
>
> 2017-10-05T23:34:47Z INFO Configured /etc/krb5.conf for IPA realm
> EXAMPLE.COM
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -N
> -f /tmp/tmpzYMe1L/pwdfile.txt -f /tmp/tmpzYMe1L/pwdfile.txt
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A
> -n CA certificate 1 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A
> -n CA certificate 2 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A
> -n CA certificate 3 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A
> -n CA certificate 4 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Starting external process
>
> 2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A
> -n CA certificate 5 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
>
> 2017-10-05T23:34:47Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:47Z DEBUG stdout=
>
> 2017-10-05T23:34:47Z DEBUG stderr=
>
> 2017-10-05T23:34:47Z DEBUG Error retrieving cookie from the persistent
> storage: expected string or buffer
>
> 2017-10-05T23:34:47Z DEBUG failed to find session_cookie in persistent
> storage for principal 'host/groc-5.example.com@EXAMPLE.COM'
>
> 2017-10-05T23:34:47Z INFO trying https://ds01.example.com/ipa/json
>
> 2017-10-05T23:34:47Z DEBUG New HTTP connection (ds01.example.com)
>
> 2017-10-05T23:34:47Z DEBUG received Set-Cookie (<type
> 'list'>)'['ipa_session=c8b0ad6e060540145a210905bd242379;
> Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:47
> GMT; Secure; HttpOnly']'
>
> 2017-10-05T23:34:47Z DEBUG storing cookie
> 'ipa_session=c8b0ad6e060540145a210905bd242379;' for principal
> host/groc-5.example.com@EXAMPLE.COM
>
> 2017-10-05T23:34:47Z DEBUG Created connection context.rpcclient_53194256
>
> 2017-10-05T23:34:47Z INFO [try 1]: Forwarding 'schema' to json server
> 'https://ds01.example.com/ipa/json'
>
> 2017-10-05T23:34:47Z DEBUG HTTP connection keep-alive (ds01.example.com)
>
> 2017-10-05T23:34:47Z DEBUG received Set-Cookie (<type
> 'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87;
> Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:47
> GMT; Secure; HttpOnly']'
>
> 2017-10-05T23:34:47Z DEBUG storing cookie
> 'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal
> host/groc-5.example.com@EXAMPLE.COM
>
> 2017-10-05T23:34:48Z DEBUG Destroyed connection context.rpcclient_53194256
>
> 2017-10-05T23:34:48Z DEBUG importing all plugin modules in
> ipaclient.remote_plugins.schema$ed0ad850...
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.remote_plugins.schema$ed0ad850.plugins
>
> 2017-10-05T23:34:48Z DEBUG importing all plugin modules in
> ipaclient.plugins...
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.automember
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.automount
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.ca
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.cert
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.certmap
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.certprofile
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.dns
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.hbacrule
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.hbactest
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.host
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.idrange
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.internal
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.location
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.migration
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.misc
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.otptoken
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.otptoken_yubikey
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.passwd
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.permission
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.rpcclient
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.server
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.service
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.sudorule
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module
> ipaclient.plugins.topology
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.trust
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.user
>
> 2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.vault
>
> 2017-10-05T23:34:48Z DEBUG found session_cookie in persistent storage
> for principal 'host/groc-5.example.com@EXAMPLE.COM', cookie:
> 'ipa_session=0552135805674c077504cbd3fcecfb87'
>
> 2017-10-05T23:34:48Z DEBUG setting session_cookie into context
> 'ipa_session=0552135805674c077504cbd3fcecfb87;'
>
> 2017-10-05T23:34:48Z INFO trying https://ds01.example.com/ipa/session/json
>
> 2017-10-05T23:34:48Z DEBUG New HTTP connection (ds01.example.com)
>
> 2017-10-05T23:34:48Z DEBUG received Set-Cookie (<type
> 'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87;
> Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:48
> GMT; Secure; HttpOnly']'
>
> 2017-10-05T23:34:48Z DEBUG storing cookie
> 'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal
> host/groc-5.example.com@EXAMPLE.COM
>
> 2017-10-05T23:34:48Z DEBUG Created connection context.rpcclient_94332368
>
> 2017-10-05T23:34:48Z DEBUG Try RPC connection
>
> 2017-10-05T23:34:48Z INFO [try 1]: Forwarding 'ping' to json server
> 'https://ds01.example.com/ipa/session/json'
>
> 2017-10-05T23:34:48Z DEBUG HTTP connection keep-alive (ds01.example.com)
>
> 2017-10-05T23:34:48Z DEBUG received Set-Cookie (<type
> 'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87;
> Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:48
> GMT; Secure; HttpOnly']'
>
> 2017-10-05T23:34:48Z DEBUG storing cookie
> 'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal
> host/groc-5.example.com@EXAMPLE.COM
>
> 2017-10-05T23:34:48Z INFO [try 1]: Forwarding 'ca_is_enabled' to json
> server 'https://ds01.example.com/ipa/session/json'
>
> 2017-10-05T23:34:48Z DEBUG HTTP connection keep-alive (ds01.example.com)
>
> 2017-10-05T23:34:48Z DEBUG received Set-Cookie (<type
> 'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87;
> Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:48
> GMT; Secure; HttpOnly']'
>
> 2017-10-05T23:34:48Z DEBUG storing cookie
> 'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal
> host/groc-5.example.com@EXAMPLE.COM
>
> 2017-10-05T23:34:48Z DEBUG Starting external process
>
> 2017-10-05T23:34:48Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -N
> -f /etc/ipa/nssdb/pwdfile.txt -f /etc/ipa/nssdb/pwdfile.txt
>
> 2017-10-05T23:34:48Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:48Z DEBUG stdout=
>
> 2017-10-05T23:34:48Z DEBUG stderr=
>
> 2017-10-05T23:34:49Z DEBUG Adding CA certificates to the IPA NSS database.
>
> 2017-10-05T23:34:49Z DEBUG Starting external process
>
> 2017-10-05T23:34:49Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
> -n EXAMPLE.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
>
> 2017-10-05T23:34:49Z DEBUG Process finished, return code=0
>
> 2017-10-05T23:34:49Z DEBUG stdout=
>
> 2017-10-05T23:34:49Z DEBUG stderr=
>
> 2017-10-05T23:34:49Z DEBUG Starting external process
>
> 2017-10-05T23:34:49Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
> -n EXAMPLE.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
>
> 2017-10-05T23:34:49Z DEBUG Process finished, return code=255
>
> 2017-10-05T23:34:49Z DEBUG stdout=
>
> 2017-10-05T23:34:49Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> 2017-10-05T23:34:49Z WARNING Installation failed. Force set so not
> rolling back changes.
>
> 2017-10-05T23:34:49Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
>
>      return_value = self.run()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
> line 333, in run
>
>      cfgr.run()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 368, in run
>
>      self.execute()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 392, in execute
>
>      for _nothing in self._executor():
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>
>      exc_handler(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>
>      self._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>
>      six.reraise(*exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 424, in __runner
>
>      step()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in <lambda>
>
>      step = lambda: next(self.__gen)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>
>      six.reraise(*exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>
>      value = gen.send(prev_value)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 658, in _configure
>
>      next(executor)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>
>      exc_handler(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>
>      self._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 521, in _handle_exception
>
>      self.__parent._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>
>      six.reraise(*exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 518, in _handle_exception
>
>      super(ComponentBase, self)._handle_exception(exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>
>      six.reraise(*exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 424, in __runner
>
>      step()
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in <lambda>
>
>      step = lambda: next(self.__gen)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>
>      six.reraise(*exc_info)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>
>      value = gen.send(prev_value)
>
>    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 63, in _install
>
>      for _nothing in self._installer(self.parent):
>
>    File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
> line 3621, in main
>
>      install(self)
>
>    File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
> line 2348, in install
>
>      _install(options)
>
>    File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
> line 2791, in _install
>
>      rval=CLIENT_INSTALL_ERROR)
>
> 2017-10-05T23:34:49Z DEBUG The ipa-client-install command failed,
> exception: ScriptError: Failed to add EXAMPLE.COM IPA CA to the IPA NSS
> database.
>
> 2017-10-05T23:34:49Z ERROR Failed to add EXAMPLE.COM IPA CA to the IPA
> NSS database.
>
> 2017-10-05T23:34:49Z ERROR The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
>
>
> Regards,
>
> Bhavin
>
>
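
Added example (not part of the thread and not FreeIPA code): a small Python parser that groups the `args=` / `return code=` / `stderr=` records of an ipaclient-install.log and lists, per NSS database, every `certutil -A` import with its nickname and result. That is the comparison Florence draws between the temporary database and /etc/ipa/nssdb. The sample log is constructed from lines quoted in the thread, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ipaclient-install.log lines quoted in the
# thread (mail quoting and line wrapping removed). It is not a real log file.
SAMPLE_LOG = """\
2017-10-05T23:34:45Z DEBUG Starting external process
2017-10-05T23:34:45Z DEBUG args=/usr/sbin/ipa-join -s ds01.example.com -b dc=example,dc=com -h groc-5.example.com
2017-10-05T23:34:47Z DEBUG Process finished, return code=0
2017-10-05T23:34:47Z DEBUG stdout=
2017-10-05T23:34:47Z DEBUG stderr=Failed to parse result: Failed to decode GetKeytab Control.
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /etc/krb5.keytab
2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA certificate 1 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
2017-10-05T23:34:47Z DEBUG Process finished, return code=0
2017-10-05T23:34:47Z DEBUG stderr=
2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA certificate 2 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt
2017-10-05T23:34:47Z DEBUG Process finished, return code=0
2017-10-05T23:34:47Z DEBUG stderr=
2017-10-05T23:34:49Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n EXAMPLE.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
2017-10-05T23:34:49Z DEBUG Process finished, return code=0
2017-10-05T23:34:49Z DEBUG stderr=
2017-10-05T23:34:49Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n EXAMPLE.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
2017-10-05T23:34:49Z DEBUG Process finished, return code=255
2017-10-05T23:34:49Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2017-10-05T23:34:49Z ERROR Failed to add EXAMPLE.COM IPA CA to the IPA NSS database.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ([A-Z]+) (.*)$")
# The log prints args unquoted, so the nickname (which may contain spaces) is
# taken as everything between "-n " and " -t ".
ADD_RE = re.compile(r"certutil -d (\S+) -A -n (.+?) -t (\S+)")


def records(text):
    """Yield (timestamp, level, message). Lines without a timestamp are
    continuations (e.g. multi-line stderr) and are joined to the previous one."""
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3)]
        elif current and line.strip():
            current[2] += " " + line.strip()
    if current:
        yield tuple(current)


def external_processes(text):
    """Return one dict per external process: its args, return code and stderr."""
    procs, proc = [], None
    for ts, _level, msg in records(text):
        if msg.startswith("args="):
            proc = {"time": ts, "args": msg[5:], "rc": None, "stderr": ""}
            procs.append(proc)
        elif proc is not None and msg.startswith("Process finished, return code="):
            proc["rc"] = int(msg.rsplit("=", 1)[1])
        elif proc is not None and msg.startswith("stderr="):
            proc["stderr"] = msg[7:]
            proc = None  # stderr is the last record of a process block
    return procs


def summarize(text):
    """Per NSS database: number of certutil -A imports, number of distinct
    nicknames used, and the failed imports as (position, nickname, stderr)."""
    adds = defaultdict(list)
    for p in external_processes(text):
        m = ADD_RE.search(p["args"])
        if m:
            adds[m.group(1)].append((m.group(2), p["rc"], p["stderr"]))
    return {
        db: {
            "adds": len(items),
            "distinct_nicknames": len({nick for nick, _, _ in items}),
            "failed": [(i + 1, nick, err)
                       for i, (nick, rc, err) in enumerate(items) if rc != 0],
        }
        for db, items in adds.items()
    }


if __name__ == "__main__":
    for db, info in summarize(SAMPLE_LOG).items():
        print(db, info)
```

On a real log, pass the file contents to `summarize()`; the output shows which import into which database failed and under which nickname, without asserting why it failed.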