The server returned a 401 to the authentication request. You'll want to
look in the Apache error log file on the IPA server to see if that holds
any clues.
rob
Phinees Garandi via FreeIPA-users wrote:
Hello Rob,
I also tested using the --force flag; the output is the same.
This is the content of /var/log/ipaclient-install:
`2021-12-02T15:31:13Z DEBUG Logging to /var/log/ipaclient-install.log
2021-12-02T15:31:13Z DEBUG ipa-client-install was invoked with arguments [] and options:
{'unattended': False, 'principal': 'admin', 'prompt_password': False,
'on_master': False, 'ca_cert_files': None, 'force': True,
'configure_firefox': True, 'firefox_dir': None, 'keytab': None,
'mkhomedir': True, 'force_join': False, 'ntp_servers': ['ipa.toto.fr'],
'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None,
'no_nisdomain': False, 'ssh_trust_dns': True, 'no_ssh': False,
'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False,
'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None,
'all_ip_addresses': False, 'fixed_primary': False, 'permit': False,
'enable_dns_updates': False, 'no_krb5_offline_passwords': False,
'preserve_sssd': False, 'automount_location': None,
'domain_name': 'toto.fr', 'servers': ['ipa.toto.fr'],
'realm_name': 'toto.FR', 'host_name': 'slurm-nfs.toto.fr',
'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2021-12-02T15:31:13Z DEBUG IPA version 4.9.6-6.module+el8.5.0+674+69615a50
2021-12-02T15:31:13Z DEBUG IPA platform rhel
2021-12-02T15:31:13Z DEBUG IPA os-release Rocky Linux 8.4 (Green Obsidian)
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-12-02T15:31:13Z DEBUG Process finished, return code=0
2021-12-02T15:31:13Z DEBUG stdout=
2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-12-02T15:31:13Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:13Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-enabled',
'ntpd.service']
2021-12-02T15:31:13Z DEBUG Process finished, return code=1
2021-12-02T15:31:13Z DEBUG stdout=
2021-12-02T15:31:13Z DEBUG stderr=Failed to get unit file state for ntpd.service: No such
file or directory
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-active',
'ntpd.service']
2021-12-02T15:31:13Z DEBUG Process finished, return code=3
2021-12-02T15:31:13Z DEBUG stdout=inactive
2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['sudo', '-V']
2021-12-02T15:31:13Z DEBUG Process finished, return code=0
2021-12-02T15:31:13Z DEBUG stdout=Sudo version 1.8.29
Options de configuration : --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu
--program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64
--docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog
--with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi
--with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap
--with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password
for %p: --with-linux-audit --with-sssd
La version du greffon de politique de sudoers est 1.8.29
La version de la grammaire du fichier sudoers est 46
Chemin d'accès à sudoers : /etc/sudoers
chemin d'accès à nsswitch : /etc/nsswitch.conf
chemin d'accès à ldap.conf : /etc/sudo-ldap.conf
chemin d'accès à ldap.secret : /etc/ldap.secret
Méthodes d'authentification : 'pam'
Mécanisme syslog si syslog est utilisé pour la journalisation des événements : authpriv
Priorité syslog utilisée lorsque l'authentification de l'utilisateur est réussie
: notice
Priorité Syslog utilisée lorsque l'authentification de l'utilisateur a échoué :
alert
Ne pas tenir compte de « . » dans $PATH
Envoi d'un courriel si l'utilisateur ne figure pas dans sudoers
Adresse les recommandations d'usage à l'utilisateur lors de la première exécution
de sudo
Exige l'authentification de l'utilisateur par défaut
L'utilisateur root peut exécuter sudo
Assignation systématique du répertoire personnel de l'utilisateur cible dans $HOME
Autorise la collecte de certaines informations dans le but d'afficher des messages
d'erreurs pertinents
Visudo se conformera au contenu de la variable d'environnement EDITOR
Définir les variables d'environnement LOGNAME et USER
Longueur après laquelle intercaler un retour à la ligne dans le fichier journal (0
indique qu'il n'y a pas de retour à la ligne) : 80
Délai d'expiration de l'horodatage de l'authentification : 5,0 minutes
Délai d'expiration de l'invite de saisie de mot de passe : 5,0 minutes
Nombre de tentatives de saisie du mot de passe : 3
Umask à utiliser, ou 0777 pour hériter de celui de l'utilisateur : 022
Emplacement du programme d'envoi de courriel : /usr/sbin/sendmail
Attributs à utiliser avec le programme d'envoi de courriel : -t
Adresse du destinataire des courriels : root
Champ objet des courriels envoyés : *** SECURITY information for %h ***
Message informant de la saisie d'un mot de passe incorrect : Désolé, essayez de
nouveau.
Répertoire contenant l'attestation que l'utilisateur a déjà reçu les
recommandations : /var/db/sudo/lectured
Répertoire contenant l'horodatage de l'authentification : /run/sudo/ts
Invite de mot de passe par défaut : [sudo] Mot de passe de %p :
Utilisateur par défaut avec l'identité duquel exécuter les commandes : root
Nouvelle valeur prise par la variable $PATH de l'utilisateur :
/sbin:/bin:/usr/sbin:/usr/bin
Emplacement de l'éditeur appelé par visudo : /bin/vi
Quand demander un mot de passe pour l'usage de la pseudo commande « list » : any
Quand demander un mot de passe pour l'utilisation de la pseudo commande « verify » :
all
Les descripteurs de fichiers >= 3 seront fermés avant l'exécution d'une
commande
Réinitialise l'environnement à un jeu de variables par défaut
Variables d'environnement à valider pour s'assurer du bon fonctionnement :
TZ
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Variables d'environnement à supprimer :
*=()*
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
BASHOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Variables d'environnement à conserver :
XAUTHORITY
_XKB_CHARSET
LINGUAS
LANGUAGE
LC_ALL
LC_TIME
LC_TELEPHONE
LC_PAPER
LC_NUMERIC
LC_NAME
LC_MONETARY
LC_MESSAGES
LC_MEASUREMENT
LC_IDENTIFICATION
LC_COLLATE
LC_CTYPE
LC_ADDRESS
LANG
USERNAME
QTDIR
PS2
PS1
MAIL
LS_COLORS
KDEDIR
HISTSIZE
HOSTNAME
DISPLAY
COLORS
Environnement linguistique à utiliser lors de l'analyse syntaxique de sudoers : C
Compression des informations renvoyées par les opérations d'E/S avec zlib
Répertoire dans lequel les informations renvoyées par les opérations d'entrée/sortie
seront stockées : /var/log/sudo-io
Fichier dans lequel les informations renvoyées par les opérations d'entrée/sortie
seront stockées : %{seq}
Ajout d'une entrée au fichier utmp/utmpx lors de l'allocation d'un
pseudo-terminal
Nom de service PAM à utiliser : sudo
Nom de service PAM à utiliser pour les interpréteurs de commandes : sudo-i
Tentative de création des données d'identification PAM pour l'utilisateur cible
Création d'une nouvelle session PAM pour l'exécution de la commande
Réaliser la gestion de la validation du compte PAM
Numéro de séquence maximum dans le journal E/S : 0
Activation de la prise en charge de netgroup par sudoers
Vérification que les droits du répertoire parent autorisent la modification des fichiers
avec sudoedit
Interroge le greffon de groupe pour les groupes système inconnus
Autoriser l'exécution des commandes même si sudo ne sait pas écrire dans le journal
d'audit
Autoriser l'exécution des commandes même si sudo ne sait pas écrire dans le fichier
journal
Résoudre les groupes dans sudoers et établir la correspondance sur le ID de groupe au
lieu du nom
Les entrées du journal plus longues que cette valeur seront scindées en plusieurs
messages dans syslog : 960
Mode de permission à utiliser sur les fichiers de journaux des E/S : 0600
Exécuter les commandes par descripteur de fichier plutôt que par chemin : digest_only
Type de l'enregistrement de l'horodatage de l'authentification : tty
Ignorer la casse lors de la correspondance des noms d'utilisateurs
Ignorer la casse lors de la correspondance des noms de groupes
Écrire dans le journal lorsqu'une commande est autorisée par sudoers
Écrire dans le journal lorsqu'une commande est interdite par sudoers
Don't pre-resolve all group names
Couples adresse IP locale/masque de sous-réseau :
xx.xx.xx.xx/255.255.255.254
2001:bc8:628:1149::1/ffff:ffff:ffff:ffff::
fe80::dc1c:98ff:fe38:604a/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.8.29
2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'.
2021-12-02T15:31:13Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2021-12-02T15:31:13Z DEBUG [IPA Discovery]
2021-12-02T15:31:13Z DEBUG Starting IPA discovery with domain=toto.fr,
servers=['ipa.toto.fr'], hostname=slurm-nfs.toto.fr
2021-12-02T15:31:13Z DEBUG Server and domain forced
2021-12-02T15:31:13Z DEBUG [Kerberos realm search]
2021-12-02T15:31:13Z DEBUG Kerberos realm forced
2021-12-02T15:31:13Z DEBUG [LDAP server check]
2021-12-02T15:31:13Z DEBUG Verifying that ipa.toto.fr (realm toto.FR) is an IPA server
2021-12-02T15:31:13Z DEBUG Init LDAP connection to: ldap://ipa.toto.fr:389
2021-12-02T15:31:13Z DEBUG Search LDAP server for IPA base DN
2021-12-02T15:31:13Z DEBUG Check if naming context 'dc=toto,dc=fr' is for IPA
2021-12-02T15:31:13Z DEBUG Naming context 'dc=toto,dc=fr' is a valid IPA context
2021-12-02T15:31:13Z DEBUG Search for (objectClass=krbRealmContainer) in dc=toto,dc=fr
(sub)
2021-12-02T15:31:13Z DEBUG Found: cn=toto.FR,cn=kerberos,dc=toto,dc=fr
2021-12-02T15:31:13Z DEBUG Discovery result: Success; server=ipa.toto.fr, domain=toto.fr,
kdc=ipa.toto.fr, basedn=dc=toto,dc=fr
2021-12-02T15:31:13Z DEBUG Validated servers: ipa.toto.fr
2021-12-02T15:31:13Z DEBUG will use discovered domain: toto.fr
2021-12-02T15:31:13Z DEBUG Using servers from command line, disabling DNS discovery
2021-12-02T15:31:13Z DEBUG will use provided server: ipa.toto.fr
2021-12-02T15:31:13Z INFO Autodiscovery of servers for failover cannot work with this
configuration.
2021-12-02T15:31:13Z INFO If you proceed with the installation, services will be
configured to always access the discovered server for all operations and will not fail
over to other servers in case of failure.
2021-12-02T15:31:14Z DEBUG will use discovered realm: toto.FR
2021-12-02T15:31:14Z DEBUG will use discovered basedn: dc=toto,dc=fr
2021-12-02T15:31:14Z INFO Client hostname: slurm-nfs.toto.fr
2021-12-02T15:31:14Z DEBUG Hostname source: Provided as option
2021-12-02T15:31:14Z INFO Realm: toto.FR
2021-12-02T15:31:14Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.toto.fr
2021-12-02T15:31:14Z INFO DNS Domain: toto.fr
2021-12-02T15:31:14Z DEBUG DNS Domain source: Forced
2021-12-02T15:31:14Z INFO IPA Server: ipa.toto.fr
2021-12-02T15:31:14Z DEBUG IPA Server source: Provided as option
2021-12-02T15:31:14Z INFO BaseDN: dc=toto,dc=fr
2021-12-02T15:31:14Z DEBUG BaseDN source: From IPA server ldap://ipa.toto.fr:389
2021-12-02T15:31:14Z INFO NTP server: ipa.toto.fr
2021-12-02T15:31:15Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-12-02T15:31:15Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:15Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:15Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:15Z DEBUG Starting external process
2021-12-02T15:31:15Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k',
'/etc/krb5.keytab', '-r', 'toto.FR']
2021-12-02T15:31:15Z DEBUG Process finished, return code=7
2021-12-02T15:31:15Z DEBUG stdout=
2021-12-02T15:31:15Z DEBUG stderr=Failed to set cursor 'No such file or
directory'
2021-12-02T15:31:15Z DEBUG Backing up system configuration file '/etc/hostname'
2021-12-02T15:31:15Z DEBUG -> Not backing up - already have a copy of
'/etc/hostname'
2021-12-02T15:31:15Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:15Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:15Z DEBUG Starting external process
2021-12-02T15:31:15Z DEBUG args=['/bin/hostnamectl', 'set-hostname',
'slurm-nfs.toto.fr']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/bin/systemctl', 'is-enabled',
'ntpd.service']
2021-12-02T15:31:16Z DEBUG Process finished, return code=1
2021-12-02T15:31:16Z DEBUG stdout=
2021-12-02T15:31:16Z DEBUG stderr=Failed to get unit file state for ntpd.service: No such
file or directory
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/bin/systemctl', 'is-active',
'ntpd.service']
2021-12-02T15:31:16Z DEBUG Process finished, return code=3
2021-12-02T15:31:16Z DEBUG stdout=inactive
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z INFO Synchronizing time
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/bin/systemctl', 'is-enabled',
'chronyd.service']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=enabled
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:16Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:16Z DEBUG Configuring chrony
2021-12-02T15:31:16Z DEBUG Setting time servers:
2021-12-02T15:31:16Z DEBUG 'ipa.toto.fr'
2021-12-02T15:31:16Z DEBUG Backing up '/etc/chrony.conf'
2021-12-02T15:31:16Z DEBUG Backing up system configuration file
'/etc/chrony.conf'
2021-12-02T15:31:16Z DEBUG -> Not backing up - already have a copy of
'/etc/chrony.conf'
2021-12-02T15:31:16Z DEBUG Writing configuration to '/etc/chrony.conf'
2021-12-02T15:31:16Z INFO Configuration of chrony was changed by installer.
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/sbin/restorecon', '/etc/chrony.conf']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/bin/systemctl', 'enable',
'chronyd.service']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/bin/systemctl', 'restart',
'chronyd.service']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/bin/systemctl', 'is-active',
'chronyd.service']
2021-12-02T15:31:16Z DEBUG Process finished, return code=0
2021-12-02T15:31:16Z DEBUG stdout=active
2021-12-02T15:31:16Z DEBUG stderr=
2021-12-02T15:31:16Z DEBUG Restart of chronyd.service complete
2021-12-02T15:31:16Z INFO Attempting to sync time with chronyc.
2021-12-02T15:31:16Z DEBUG Starting external process
2021-12-02T15:31:16Z DEBUG args=['/usr/bin/chronyc', '-d',
'waitsync', '4', '0', '0', '3']
2021-12-02T15:31:22Z DEBUG Process finished, return code=0
2021-12-02T15:31:22Z DEBUG stdout=try: 1, refid: 00000000, correction: 0.000000000, skew:
0.000
try: 2, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 3, refid: 0AC20303, correction: 0.000000012, skew: 0.674
2021-12-02T15:31:22Z DEBUG stderr=Resolved 127.0.0.1 to 127.0.0.1
Resolved ::1 to ::1
Opening connection to /var/run/chrony/chronyd.sock
Sent 104 bytes
Timeout 1.000000 seconds
Received 104 bytes
Reply cmd=33 reply=5 stat=0
Sent 104 bytes
Timeout 1.000000 seconds
Received 104 bytes
Reply cmd=33 reply=5 stat=0
Sent 104 bytes
Timeout 1.000000 seconds
Received 104 bytes
Reply cmd=33 reply=5 stat=0
2021-12-02T15:31:22Z INFO Time synchronization was successful.
2021-12-02T15:31:22Z DEBUG Starting external process
2021-12-02T15:31:22Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-12-02T15:31:22Z DEBUG Process finished, return code=0
2021-12-02T15:31:22Z DEBUG stdout=
2021-12-02T15:31:22Z DEBUG stderr=
2021-12-02T15:31:22Z DEBUG Starting external process
2021-12-02T15:31:22Z DEBUG args=['/sbin/restorecon',
'/etc/krb5.conf.d/freeipa']
2021-12-02T15:31:22Z DEBUG Process finished, return code=0
2021-12-02T15:31:22Z DEBUG stdout=
2021-12-02T15:31:22Z DEBUG stderr=
2021-12-02T15:31:22Z DEBUG Starting external process
2021-12-02T15:31:22Z DEBUG args=['/bin/keyctl', 'get_persistent',
'@s', '0']
2021-12-02T15:31:22Z DEBUG Process finished, return code=0
2021-12-02T15:31:22Z DEBUG stdout=626651679
2021-12-02T15:31:22Z DEBUG stderr=
2021-12-02T15:31:22Z DEBUG Enabling persistent keyring CCACHE
2021-12-02T15:31:22Z DEBUG Writing Kerberos configuration to /tmp/tmp4psb3w9_:
2021-12-02T15:31:22Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = toto.FR
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
toto.FR = {
kdc = ipa.toto.fr:88
master_kdc = ipa.toto.fr:88
admin_server = ipa.toto.fr:749
kpasswd_server = ipa.toto.fr:464
default_domain = toto.fr
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.toto.fr = toto.FR
toto.fr = toto.FR
slurm-nfs.toto.fr = toto.FR
2021-12-02T15:31:22Z DEBUG Writing configuration file /tmp/tmp4psb3w9_
2021-12-02T15:31:22Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = toto.FR
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
toto.FR = {
kdc = ipa.toto.fr:88
master_kdc = ipa.toto.fr:88
admin_server = ipa.toto.fr:749
kpasswd_server = ipa.toto.fr:464
default_domain = toto.fr
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.toto.fr = toto.FR
toto.fr = toto.FR
slurm-nfs.toto.fr = toto.FR
2021-12-02T15:31:25Z DEBUG Initializing principal admin@toto.FR using password
2021-12-02T15:31:25Z DEBUG Starting external process
2021-12-02T15:31:25Z DEBUG args=['/usr/bin/kinit', 'admin@toto.FR',
'-c', '/tmp/krbccozn4gy3o/ccache']
2021-12-02T15:31:25Z DEBUG Process finished, return code=0
2021-12-02T15:31:25Z DEBUG stdout=Password for admin@toto.FR:
2021-12-02T15:31:25Z DEBUG stderr=
2021-12-02T15:31:25Z DEBUG trying to retrieve CA cert via LDAP from ipa.toto.fr
2021-12-02T15:31:25Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.toto.fr:389
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fcdbd40bc50>
2021-12-02T15:31:25Z DEBUG Existing CA cert and Retrieved CA cert are identical
2021-12-02T15:31:25Z DEBUG Starting external process
2021-12-02T15:31:25Z DEBUG args=['/usr/sbin/ipa-join', '-s',
'ipa.toto.fr', '-b', 'dc=toto,dc=fr', '-h',
'slurm-nfs.toto.fr', '-k', '/etc/krb5.keytab']
2021-12-02T15:31:25Z DEBUG Process finished, return code=17
2021-12-02T15:31:25Z DEBUG stdout=
2021-12-02T15:31:25Z DEBUG stderr=JSON-RPC call was unauthorized. Check your
credentials.
2021-12-02T15:31:25Z INFO Use ipa-getkeytab to obtain a host principal for this server.
2021-12-02T15:31:25Z DEBUG Starting external process
2021-12-02T15:31:25Z DEBUG args=['/usr/bin/kdestroy']
2021-12-02T15:31:25Z DEBUG Process finished, return code=0
2021-12-02T15:31:25Z DEBUG stdout=
2021-12-02T15:31:25Z DEBUG stderr=
2021-12-02T15:31:25Z DEBUG Initializing principal host/slurm-nfs.toto.fr@toto.FR using
keytab /etc/krb5.keytab
2021-12-02T15:31:25Z DEBUG using ccache /etc/ipa/.dns_ccache
2021-12-02T15:31:25Z INFO Please make sure the following ports are opened in the firewall
settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after
enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
2021-12-02T15:31:25Z ERROR Failed to obtain host TGT: Major (851968): Unspecified GSS
failure. Minor code may provide more information, Minor (2529639107): No credentials
cache found
2021-12-02T15:31:25Z WARNING Installation failed. Force set so not rolling back changes.
2021-12-02T15:31:25Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in
run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65,
in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line
3949, in main
install(self)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line
2649, in install
_install(options)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line
2877, in _install
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2021-12-02T15:31:25Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2021-12-02T15:31:25Z ERROR The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information
`
And the content of /etc/krb5.conf:
`# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
`