Hi Team,
We are migrating from our current directory service, 389DS, to FreeIPA. All our servers are currently authenticated by the 389DS server.
Our infra is hosted on AWS cloud. Please find below the setup of the FreeIPA servers and the client on which we are performing tests and getting the issue.
FreeIPA Servers
Primary Master Server = Region 1
Secondary Master Server = Region 2
OS = CentOS Linux release 8.3.2011
IPA Version = 4.8.7, API_VERSION: 2.239

FreeIPA Client
OS = CentOS release 6.9 (Final)
Kernel Version = Linux drxlceco6app01 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
IPA Client version = 3.0.0-51.el6.centos
Our DNS is managed through the "/etc/hosts" file by manually adding the DNS entries of the servers.
On the CentOS 6 client, the installation gets stuck after the SSSD setup completes. See the output below for details.
NOTE = For security reasons we have masked our domain name to "XYZ.com" and other details with a capital "X".
========================================
case "$env" in
echo 'This is US DR'
This is US DR
++ hostname
ipa-client-install --mkhomedir --no-krb5-offline-passwords --hostname=drxlceco6app01.XYZ.com --force-join --fixed-primary --server=drxipaco8lds01.XYZ.com --server=prdipaco8ldm01.XYZ.com --domain XYZ.com --realm XYZ.COM
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: drxlceco6app01.XYZ.com
Realm: XYZ.COM
DNS Domain: XYZ.com
IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
BaseDN: dc=XYZ,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@XYZ.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=XYZ.COM
    Issuer:      CN=Certificate Authority,O=XYZ.COM
    Valid From:  Mon Apr 19 14:35:38 2021 UTC
    Valid Until: Fri Apr 19 14:35:38 2041 UTC
Enrolled in IPA realm XYZ.COM
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XYZ.COM
trying https://prdipaco8ldm01.XYZ.com/ipa/xml
Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Hostname (drxlceco6app01.XYZ.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring XYZ.com as NIS domain
========================================
Current /etc/nsswitch.conf entries as below.
========================================
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
========================================
Complete client installation logs as below.
========================================
2021-06-01T17:25:40Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'XYZ.com', 'force': False, 'realm_name': 'XYZ.COM', 'krb5_offline_passwords': False, 'primary': True, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'drxlceco6app01.XYZ.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file': None, 'server': ['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2021-06-01T17:25:40Z DEBUG missing options might be asked for interactively later
2021-06-01T17:25:40Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:25:40Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:25:40Z DEBUG [IPA Discovery]
2021-06-01T17:25:40Z DEBUG Starting IPA discovery with domain=XYZ.com, servers=['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'], hostname=drxlceco6app01.XYZ.com
2021-06-01T17:25:40Z DEBUG Server and domain forced
2021-06-01T17:25:40Z DEBUG [Kerberos realm search]
2021-06-01T17:25:40Z DEBUG Kerberos realm forced
2021-06-01T17:25:40Z DEBUG Search DNS for SRV record of _kerberos._udp.XYZ.com.
2021-06-01T17:25:40Z DEBUG No DNS record found
2021-06-01T17:25:40Z DEBUG SRV record for KDC not found! Domain: XYZ.com
2021-06-01T17:25:40Z DEBUG [LDAP server check]
2021-06-01T17:25:40Z DEBUG Verifying that drxipaco8lds01.XYZ.com (realm XYZ.COM) is an IPA server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://drxipaco8lds01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Verifying that prdipaco8ldm01.XYZ.com (realm XYZ.COM) is an IPA server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://prdipaco8ldm01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Generated basedn from realm: dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=XYZ.com, kdc=None, basedn=dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Validated servers: prdipaco8ldm01.XYZ.com,drxipaco8lds01.XYZ.com
2021-06-01T17:25:40Z DEBUG will use discovered domain: XYZ.com
2021-06-01T17:25:40Z DEBUG Using servers from command line, disabling DNS discovery
2021-06-01T17:25:40Z DEBUG will use provided server: drxipaco8lds01.XYZ.com, prdipaco8ldm01.XYZ.com
2021-06-01T17:25:40Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2021-06-01T17:25:40Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
2021-06-01T17:26:20Z DEBUG will use discovered realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG will use discovered basedn: dc=XYZ,dc=com
2021-06-01T17:26:20Z INFO Hostname: drxlceco6app01.XYZ.com
2021-06-01T17:26:20Z DEBUG Hostname source: Provided as option
2021-06-01T17:26:20Z INFO Realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG Realm source: Forced
2021-06-01T17:26:20Z INFO DNS Domain: XYZ.com
2021-06-01T17:26:20Z DEBUG DNS Domain source: Forced
2021-06-01T17:26:20Z INFO IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
2021-06-01T17:26:20Z DEBUG IPA Server source: Provided as option
2021-06-01T17:26:20Z INFO BaseDN: dc=XYZ,dc=com
2021-06-01T17:26:20Z DEBUG BaseDN source: Generated from Kerberos realm
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r XYZ.COM
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2021-06-01T17:26:45Z DEBUG args=/bin/hostname drxlceco6app01.XYZ.com
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Backing up system configuration file '/etc/sysconfig/network'
2021-06-01T17:26:45Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/selinuxenabled
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:26:51Z DEBUG will use principal provided as option: admin
2021-06-01T17:26:51Z INFO Synchronizing time with KDC...
2021-06-01T17:26:51Z DEBUG Search DNS for SRV record of _ntp._udp.XYZ.com.
2021-06-01T17:26:51Z DEBUG No DNS record found
2021-06-01T17:26:55Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:55Z DEBUG stdout=
2021-06-01T17:26:55Z DEBUG stderr=
2021-06-01T17:26:59Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:59Z DEBUG stdout=
2021-06-01T17:26:59Z DEBUG stderr=
2021-06-01T17:27:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:27:03Z DEBUG stdout=
2021-06-01T17:27:03Z DEBUG stderr=
2021-06-01T17:27:03Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2021-06-01T17:27:03Z DEBUG Writing Kerberos configuration to /tmp/tmpGWIbHp:
2021-06-01T17:27:03Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = XYZ.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  XYZ.COM = {
    kdc = prdipaco8ldm01.XYZ.com:88
    master_kdc = prdipaco8ldm01.XYZ.com:88
    admin_server = prdipaco8ldm01.XYZ.com:749
    kdc = drxipaco8lds01.XYZ.com:88
    master_kdc = drxipaco8lds01.XYZ.com:88
    admin_server = drxipaco8lds01.XYZ.com:749
    default_domain = XYZ.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .XYZ.com = XYZ.COM
  XYZ.com = XYZ.COM
2021-06-01T17:27:07Z DEBUG args=kinit admin@XYZ.COM
2021-06-01T17:27:07Z DEBUG stdout=Password for admin@XYZ.COM:
2021-06-01T17:27:07Z DEBUG stderr=
2021-06-01T17:27:07Z DEBUG trying to retrieve CA cert via LDAP from ldap://prdipaco8ldm01.XYZ.com
2021-06-01T17:27:07Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=XYZ.COM
    Issuer:      CN=Certificate Authority,O=XYZ.COM
    Valid From:  Mon Apr 19 14:35:38 2021 UTC
    Valid Until: Fri Apr 19 14:35:38 2041 UTC
2021-06-01T17:27:08Z DEBUG args=/usr/sbin/ipa-join -s prdipaco8ldm01.XYZ.com -b dc=XYZ,dc=com -h drxlceco6app01.XYZ.com -f
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=Failed to retrieve encryption type Triple DES cbc mode with HMAC/sha1 (#16)
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=XYZ.COM
2021-06-01T17:27:08Z INFO Enrolled in IPA realm XYZ.COM
2021-06-01T17:27:08Z DEBUG args=kdestroy
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z INFO Attempting to get host TGT...
2021-06-01T17:27:08Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG Attempt 1/5 succeeded.
2021-06-01T17:27:08Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2021-06-01T17:27:08Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2021-06-01T17:27:08Z INFO Created /etc/ipa/default.conf
2021-06-01T17:27:08Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
2021-06-01T17:27:08Z DEBUG args=klist -V
2021-06-01T17:27:08Z DEBUG stdout=Kerberos 5 version 1.10.3
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2021-06-01T17:27:09Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2021-06-01T17:27:09Z INFO New SSSD config will be created
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z INFO Configured sudoers in /etc/nsswitch.conf
2021-06-01T17:27:09Z INFO Configured /etc/sssd/sssd.conf
2021-06-01T17:27:09Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2021-06-01T17:27:09Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = XYZ.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  XYZ.COM = {
    kdc = prdipaco8ldm01.XYZ.com:88
    master_kdc = prdipaco8ldm01.XYZ.com:88
    admin_server = prdipaco8ldm01.XYZ.com:749
    kdc = drxipaco8lds01.XYZ.com:88
    master_kdc = drxipaco8lds01.XYZ.com:88
    admin_server = drxipaco8lds01.XYZ.com:749
    default_domain = XYZ.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .XYZ.com = XYZ.COM
  XYZ.com = XYZ.COM

2021-06-01T17:27:09Z INFO Configured /etc/krb5.conf for IPA realm XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG failed to find session_cookie in persistent storage for principal 'host/drxlceco6app01.XYZ.com@XYZ.COM'
2021-06-01T17:27:09Z INFO trying https://prdipaco8ldm01.XYZ.com/ipa/xml
2021-06-01T17:27:09Z DEBUG Created connection context.xmlclient
2021-06-01T17:27:09Z DEBUG raw: env(None, server=True)
2021-06-01T17:27:09Z DEBUG env(None, server=True, all=True)
2021-06-01T17:27:09Z INFO Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:09Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:09Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:09Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
  Version: 3 (0x2)
  Serial Number: 9 (0x9)
  Signature Algorithm:
    Algorithm: PKCS #1 SHA-256 With RSA Encryption
  Issuer: CN=Certificate Authority,O=XYZ.COM
  Validity:
    Not Before: Mon Apr 19 14:37:53 2021 UTC
    Not After:  Thu Apr 20 14:37:53 2023 UTC
  Subject: CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM
  Subject Public Key Info:
    Public Key Algorithm:
      Algorithm: PKCS #1 RSA Encryption
    RSA Public Key:
      Modulus:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
        XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
      Exponent: 65537 (0x10001)
  Signed Extensions: (7 total)
    Name: Certificate Authority Key Identifier
    Critical: False
    Key ID:
      XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
      XX:XX:XX:XX
    Serial Number: None
    General Names: [0 total]

    Name: Authority Information Access
    Critical: False
    Authority Information Access: [1 total]
      Info [1]:
        Method: PKIX Online Certificate Status Protocol
        Location:
          URI: http://ipa-ca.XYZ.com/ca/ocsp

    Name: Certificate Key Usage
    Critical: True
    Usages:
      Digital Signature
      Non-Repudiation
      Key Encipherment
      Data Encipherment

    Name: Extended Key Usage
    Critical: False
    Usages:
      TLS Web Server Authentication Certificate
      TLS Web Client Authentication Certificate

    Name: CRL Distribution Points
    Critical: False
    CRL Distribution Points: [1 total]
      Point [1]:
        General Names: [1 total]
          http://ipa-ca.XYZ.com/ipa/crl/MasterCRL.bin
        Issuer:
          Directory Name: CN=Certificate Authority,O=ipaca
        Reasons: ()

    Name: Certificate Subject Key ID
    Critical: False
    Data:
      XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
      XX:XX:XX:XX

    Name: Certificate Subject Alt Name
    Critical: False
    Names:
      prdipaco8ldm01.XYZ.com
      ipa-ca.XYZ.com
      HTTP/prdipaco8ldm01.XYZ.com@XYZ.COM ['[0]', '[1]']

Signature:
  Signature Algorithm:
    Algorithm: PKCS #1 SHA-256 With RSA Encryption
  Signature:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
  Fingerprint (MD5):
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
  Fingerprint (SHA1):
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX
2021-06-01T17:27:09Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2021-06-01T17:27:09Z DEBUG cert valid True for "CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM"
2021-06-01T17:27:09Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:09Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:09Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:09Z DEBUG received Set-Cookie 'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7;path=/ipa;httponly;secure;'
2021-06-01T17:27:09Z DEBUG storing cookie 'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7; Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl padd user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM @s
2021-06-01T17:27:09Z DEBUG stdout=915601519
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z WARNING Hostname (drxlceco6app01.XYZ.com) not found in DNS
2021-06-01T17:27:09Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:09Z DEBUG zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN A
send
update add drxlceco6app01.XYZ.com. 1200 IN A 10.111.5.11
send

2021-06-01T17:27:10Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:10Z DEBUG stdout=
2021-06-01T17:27:10Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/udns1.ultradns.net@XYZ.COM not found in Kerberos database.
2021-06-01T17:27:10Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:10Z ERROR Failed to update DNS records.
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus start
2021-06-01T17:27:10Z DEBUG stdout=Starting system message bus:
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus status
2021-06-01T17:27:10Z DEBUG stdout=messagebus (pid 1186) is running...
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:10Z DEBUG stdout=certmonger (pid 1974) is running...
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger stop
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: [  OK  ]
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:11Z DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:11Z DEBUG stdout=certmonger (pid 2063) is running...
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/chkconfig certmonger on
2021-06-01T17:27:11Z DEBUG stdout=
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - drxlceco6app01.XYZ.com -N CN=drxlceco6app01.XYZ.com,O=XYZ.COM -K host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=New signing request "20210601172712" added.
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2021-06-01T17:27:12Z DEBUG raw: host_mod(u'drxlceco6app01.XYZ.com', ipasshpubkey=[u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ=='], updatedns=False)
2021-06-01T17:27:12Z DEBUG host_mod(u'drxlceco6app01.XYZ.com', random=False, ipasshpubkey=(u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ==',), rights=False, updatedns=False, all=False, raw=False, no_members=False)
2021-06-01T17:27:12Z INFO Forwarding 'host_mod' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:12Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:12Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:12Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:12Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:12Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:12Z DEBUG received Set-Cookie 'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs;path=/ipa;httponly;secure;'
2021-06-01T17:27:12Z DEBUG storing cookie 'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs; Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl pupdate 915601519
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Caught fault 4202 from server https://prdipaco8ldm01.XYZ.com/ipa/xml: no modifications to be performed
2021-06-01T17:27:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:12Z DEBUG zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN SSHFP
send
update add drxlceco6app01.XYZ.com. 1200 IN SSHFP 1 1 F6ABCFF542C5E35268387C2A53EBF83C5C6B0517
send

2021-06-01T17:27:12Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/udns1.ultradns.net@XYZ.COM not found in Kerberos database.
2021-06-01T17:27:12Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:12Z WARNING Could not update DNS SSHFP records.
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd status
2021-06-01T17:27:12Z DEBUG stdout=nscd is stopped
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd stop
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/chkconfig nscd off
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: [  OK  ]
Starting oddjobd: [  OK  ]
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z INFO SSSD enabled
2021-06-01T17:27:15Z INFO Configuring XYZ.com as NIS domain
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname
2021-06-01T17:27:15Z DEBUG stdout=(none)
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --update --nisdomain XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: [  OK  ]
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=
2021-06-01T17:27:15Z DEBUG stderr=
========================================
I am unable to understand what I am missing or what changes are required in the current config.
Any help / suggestions appreciated.
Regards,
Rohan
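An added example for triaging a log like the one above; it is not part of Rohan's post or of the FreeIPA tooling. It re-splits an ipaclient-install.log that a mail archive has run together onto one line, then lists the WARNING/ERROR entries, the commands whose stderr was non-empty, and the last command the installer ran before the log stops (the first thing to look at when an install hangs). The sample entries are constructed, modelled on the post's log lines.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ipa-client-install log format in the post above:
# "<ISO-8601 timestamp>Z <LEVEL> <message>", where each subprocess call is logged as
# "args=<command>" followed by "stdout=<...>" and "stderr=<...>" entries. Mail archives
# tend to run all of these together onto one line, so the parser re-splits on the header.
SAMPLE_LOG = (
    "2021-06-01T17:26:51Z INFO Synchronizing time with KDC... "
    "2021-06-01T17:26:55Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com "
    "2021-06-01T17:26:55Z DEBUG stdout= 2021-06-01T17:26:55Z DEBUG stderr= "
    "2021-06-01T17:27:03Z WARNING Unable to sync time with IPA NTP server, assuming the time "
    "is in sync. Please check that 123 UDP port is opened. "
    "2021-06-01T17:27:09Z WARNING Hostname (drxlceco6app01.XYZ.com) not found in DNS "
    "2021-06-01T17:27:10Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt "
    "2021-06-01T17:27:10Z DEBUG stdout= "
    "2021-06-01T17:27:10Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified "
    "GSS failure. Minor = Server DNS/udns1.ultradns.net@XYZ.COM not found in Kerberos database. "
    "2021-06-01T17:27:10Z ERROR Failed to update DNS records. "
    "2021-06-01T17:27:15Z INFO Configuring XYZ.com as NIS domain "
    "2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname XYZ.com "
    "2021-06-01T17:27:15Z DEBUG stdout= 2021-06-01T17:27:15Z DEBUG stderr="
)

# One entry starts with a UTC timestamp and a level; everything up to the next such
# header is that entry's message (messages may contain newlines, ':' or '=' themselves).
ENTRY_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) "
)

PROBLEM_LEVELS = ("WARNING", "ERROR", "CRITICAL")


def split_entries(text):
    """Return [(timestamp, level, message), ...] from a log that may be run together."""
    headers = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((m.group(1), m.group(2), text[m.end():end].strip()))
    return entries


def triage(text):
    """Summarise an install log: level counts, WARNING/ERROR entries, commands that
    wrote to stderr, and the last command the installer ran before the log ends."""
    entries = split_entries(text)
    levels = Counter(level for _, level, _ in entries)
    problems = [e for e in entries if e[1] in PROBLEM_LEVELS]

    commands_with_stderr = []
    last_command = None
    for _, _, msg in entries:
        if msg.startswith("args="):
            last_command = msg[len("args="):]
        elif msg.startswith("stderr=") and msg != "stderr=" and last_command:
            # Non-empty stderr is a hint, not proof of failure: ipa-join in the post
            # wrote to stderr and still succeeded, so the text is kept for review.
            commands_with_stderr.append((last_command, msg[len("stderr="):]))

    return {
        "levels": dict(levels),
        "problems": problems,
        "commands_with_stderr": commands_with_stderr,
        "last_command": last_command,
    }


def report(text):
    """Human-readable triage output."""
    summary = triage(text)
    lines = ["Entries by level: " + ", ".join(
        f"{k}={v}" for k, v in sorted(summary["levels"].items()))]
    lines.append("Problems:")
    for ts, level, msg in summary["problems"]:
        lines.append(f"  {ts} {level}: {msg}")
    lines.append("Commands that wrote to stderr:")
    for cmd, err in summary["commands_with_stderr"]:
        lines.append(f"  {cmd}\n    -> {err}")
    lines.append(f"Last command run: {summary['last_command']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

To use it on a real run, read /var/log/ipaclient-install.log into a string and pass it to report(); the parser does not care whether the entries are one per line or run together.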
If no one else has any ideas: RHEL 6 / CentOS 6 is well obsolete, so maybe it is too old for an sssd client to work with the new version? I suggest doing a trial run on a "modern" Linux client version, CentOS 8.3 by the look of it, to prove that everything works OK. Then, if no one suggests anything, you might have to build your own rpm of sssd.
freeipa-users@lists.fedorahosted.org