Hello,

Thank you all for help in past, as I'm keep encountering one after another 
issue.

Sorry for long email, as posting log. let me know if there is other way.


IPA Server OS:      CentOS Linux release 7.0.1406 (Core)

IPA Server RPM:   ipa-server-4.4.0-14.el7.centos.7.x86_64


Client OS:            CentOS Linux release 7.3.1611 (Core)

IPA client RPM:   ipa-client-4.5.0-21.el7.centos.1.2.x86_64 (as well as 
ipa-client-4.4.0-14.el7.centos.7.x86_64)


I'm not able to enroll new client recently, and getting following message:


Enrolled in IPA realm EXAMPLE.COM

Created /etc/ipa/default.conf

New SSSD config will be created

Configured sudoers in /etc/nsswitch.conf

Configured /etc/sssd/sssd.conf

Configured /etc/krb5.conf for IPA realm EXAMPLE.COM

trying https://ds01.example.com/ipa/json

[try 1]: Forwarding 'schema' to json server 'https://ds01.example.com/ipa/json'

trying https://ds01.example.com/ipa/session/json

[try 1]: Forwarding 'ping' to json server 
'https://ds01.example.com/ipa/session/json'

[try 1]: Forwarding 'ca_is_enabled' to json server 
'https://ds01.example.com/ipa/session/json'

Installation failed. Force set so not rolling back changes.

Failed to add EXAMPLE.COM IPA CA to the IPA NSS database.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
more information


The ipa-client-install.log is:


2017-10-05T23:34:37Z DEBUG Logging to /var/log/ipaclient-install.log

2017-10-05T23:34:37Z DEBUG ipa-client-install was invoked with arguments [] and 
options: {'no_dns_sshfp': False, 'force': True, 'verbose': False, 
'ip_addresses': None, 'configure_firefox': False, 'realm_name': None, 
'force_ntpd': False, 'on_master': False, 'no_nisdomain': False, 
'ssh_trust_dns': False, 'principal': None, 'keytab': None, 'no_ntp': False, 
'domain_name': None, 'request_cert': False, 'fixed_primary': False, 'no_ac': 
False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 
'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': False, 
'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 
'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': None, 
'unattended': False, 'quiet': False, 'nisdomain': None, 'prompt_password': 
False, 'host_name': None, 'permit': False, 'automount_location': None, 
'preserve_sssd': False, 'mkhomedir': False, 'log_file': None, 'uninstall': 
False}

2017-10-05T23:34:37Z DEBUG IPA version 4.5.0-21.el7.centos.1.2

2017-10-05T23:34:37Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'

2017-10-05T23:34:37Z DEBUG Starting external process

2017-10-05T23:34:37Z DEBUG args=/usr/sbin/selinuxenabled

2017-10-05T23:34:37Z DEBUG Process finished, return code=1

2017-10-05T23:34:37Z DEBUG stdout=

2017-10-05T23:34:37Z DEBUG stderr=

2017-10-05T23:34:37Z DEBUG Starting external process

2017-10-05T23:34:37Z DEBUG args=/bin/systemctl is-enabled chronyd.service

2017-10-05T23:34:37Z DEBUG Process finished, return code=0

2017-10-05T23:34:37Z DEBUG stdout=enabled



2017-10-05T23:34:37Z DEBUG stderr=

2017-10-05T23:34:37Z DEBUG [IPA Discovery]

2017-10-05T23:34:37Z DEBUG Starting IPA discovery with domain=None, 
servers=None, hostname=groc-5.example.com

2017-10-05T23:34:37Z DEBUG Start searching for LDAP SRV record in "example.com" 
(domain of the hostname) and its sub-domains

2017-10-05T23:34:37Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds01.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ipa01.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds02.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds03.example.com.

2017-10-05T23:34:37Z DEBUG [Kerberos realm search]

2017-10-05T23:34:37Z DEBUG Search DNS for TXT record of _kerberos.example.com

2017-10-05T23:34:37Z DEBUG DNS record found: "EXAMPLE.COM"

2017-10-05T23:34:37Z DEBUG Search DNS for SRV record of 
_kerberos._udp.example.com

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ipa01.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ds01.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ds03.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 88 ds02.example.com.

2017-10-05T23:34:37Z DEBUG [LDAP server check]

2017-10-05T23:34:37Z DEBUG Verifying that ds01.example.com (realm EXAMPLE.COM) 
is an IPA server

2017-10-05T23:34:37Z DEBUG Init LDAP connection to: ldap://ds01.example.com:389

2017-10-05T23:34:37Z DEBUG Search LDAP server for IPA base DN

2017-10-05T23:34:37Z DEBUG Check if naming context 'dc=example,dc=com' is for 
IPA

2017-10-05T23:34:37Z DEBUG Naming context 'dc=example,dc=com' is a valid IPA 
context

2017-10-05T23:34:37Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=example,dc=com (sub)

2017-10-05T23:34:37Z DEBUG Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

2017-10-05T23:34:37Z DEBUG Discovery result: Success; server=ds01.example.com, 
domain=example.com, 
kdc=ipa01.example.com,ds01.example.com,ds03.example.com,ds02.example.com, 
basedn=dc=example,dc=com

2017-10-05T23:34:37Z DEBUG Validated servers: ds01.example.com

2017-10-05T23:34:37Z DEBUG will use discovered domain: example.com

2017-10-05T23:34:37Z DEBUG Start searching for LDAP SRV record in "example.com" 
(Validating DNS Discovery) and its sub-domains

2017-10-05T23:34:37Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ipa01.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds02.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds03.example.com.

2017-10-05T23:34:37Z DEBUG DNS record found: 0 100 389 ds01.example.com.

2017-10-05T23:34:37Z DEBUG DNS validated, enabling discovery

2017-10-05T23:34:37Z DEBUG will use discovered server: ds01.example.com

2017-10-05T23:34:37Z INFO Discovery was successful!

2017-10-05T23:34:37Z DEBUG will use discovered realm: EXAMPLE.COM

2017-10-05T23:34:37Z DEBUG will use discovered basedn: dc=example,dc=com

2017-10-05T23:34:37Z INFO Client hostname: groc-5.example.com

2017-10-05T23:34:37Z DEBUG Hostname source: Machine's FQDN

2017-10-05T23:34:37Z INFO Realm: EXAMPLE.COM

2017-10-05T23:34:37Z DEBUG Realm source: Discovered from LDAP DNS records in 
ds01.example.com

2017-10-05T23:34:37Z INFO DNS Domain: example.com

2017-10-05T23:34:37Z DEBUG DNS Domain source: Discovered LDAP SRV records from 
example.com (domain of the hostname)

2017-10-05T23:34:37Z INFO IPA Server: ds01.example.com

2017-10-05T23:34:37Z DEBUG IPA Server source: Discovered from LDAP DNS records 
in ds01.example.com

2017-10-05T23:34:37Z INFO BaseDN: dc=example,dc=com

2017-10-05T23:34:37Z DEBUG BaseDN source: From IPA server 
ldap://ds01.example.com:389

2017-10-05T23:34:39Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'

2017-10-05T23:34:39Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'

2017-10-05T23:34:39Z DEBUG Starting external process

2017-10-05T23:34:39Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r 
EXAMPLE.COM

2017-10-05T23:34:39Z DEBUG Process finished, return code=5

2017-10-05T23:34:39Z DEBUG stdout=

2017-10-05T23:34:39Z DEBUG stderr=realm not found



2017-10-05T23:34:39Z INFO Skipping synchronizing time with NTP server.

2017-10-05T23:34:41Z DEBUG will use principal provided as option: admin

2017-10-05T23:34:41Z DEBUG Starting external process

2017-10-05T23:34:41Z DEBUG args=keyctl get_persistent @s 0

2017-10-05T23:34:41Z DEBUG Process finished, return code=0

2017-10-05T23:34:41Z DEBUG stdout=218715285



2017-10-05T23:34:41Z DEBUG stderr=

2017-10-05T23:34:41Z DEBUG Enabling persistent keyring CCACHE

2017-10-05T23:34:41Z DEBUG Writing Kerberos configuration to /tmp/tmpVCsDCR:

2017-10-05T23:34:41Z DEBUG #File modified by ipa-client-install



includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/



[libdefaults]

  default_realm = EXAMPLE.COM

  dns_lookup_realm = false

  dns_lookup_kdc = false

  rdns = false

  dns_canonicalize_hostname = false

  ticket_lifetime = 24h

  forwardable = true

  udp_preference_limit = 0

  default_ccache_name = KEYRING:persistent:%{uid}





[realms]

  EXAMPLE.COM = {

    kdc = ds01.example.com:88

    master_kdc = ds01.example.com:88

    admin_server = ds01.example.com:749

    kpasswd_server = ds01.example.com:464

    default_domain = example.com

    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem

    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem



  }





[domain_realm]

  .example.com = EXAMPLE.COM

  example.com = EXAMPLE.COM

  groc-5.example.com = EXAMPLE.COM







2017-10-05T23:34:45Z DEBUG Initializing principal 
ad...@example.com<mailto:ad...@example.com> using password

2017-10-05T23:34:45Z DEBUG Starting external process

2017-10-05T23:34:45Z DEBUG args=/usr/bin/kinit 
ad...@example.com<mailto:ad...@example.com> -c /tmp/krbccbP9vNK/ccache

2017-10-05T23:34:45Z DEBUG Process finished, return code=0

2017-10-05T23:34:45Z DEBUG stdout=Password for 
ad...@example.com<mailto:ad...@example.com>:



2017-10-05T23:34:45Z DEBUG stderr=

2017-10-05T23:34:45Z DEBUG trying to retrieve CA cert via LDAP from 
ds01.example.com

2017-10-05T23:34:45Z DEBUG retrieving schema for SchemaCache 
url=ldap://ds01.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance 
at 0x2c25ea8>

2017-10-05T23:34:45Z INFO Successfully retrieved CA cert

    Subject:     CN=Certificate Authority,O=EXAMPLE.COM

    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM

    Valid From:  2014-08-03 19:28:18

    Valid Until: 2034-08-03 19:28:18



    Subject:     CN=Certificate Authority,O=EXAMPLE.COM

    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM

    Valid From:  2017-05-30 00:17:28

    Valid Until: 2037-05-30 00:17:28



    Subject:     CN=Certificate Authority,O=EXAMPLE.COM

    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM

    Valid From:  2017-05-30 00:19:13

    Valid Until: 2037-05-30 00:19:13



    Subject:     CN=Certificate Authority,O=EXAMPLE.COM

    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM

    Valid From:  2017-05-30 00:38:33

    Valid Until: 2037-05-30 00:38:33



    Subject:     CN=Certificate Authority,O=EXAMPLE.COM

    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM

    Valid From:  2017-06-01 12:55:08

    Valid Until: 2037-06-01 12:55:08



2017-10-05T23:34:45Z DEBUG Starting external process

2017-10-05T23:34:45Z DEBUG args=/usr/sbin/ipa-join -s ds01.example.com -b 
dc=example,dc=com -h groc-5.example.com

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=Failed to parse result: Failed to decode 
GetKeytab Control.



Retrying with pre-4.0 keytab retrieval method...

Failed to retrieve encryption type Camellia-128 CTS mode with CMAC (#25)

Failed to retrieve encryption type Camellia-256 CTS mode with CMAC (#26)

Keytab successfully retrieved and stored in: /etc/krb5.keytab

Certificate subject base is: O=EXAMPLE.COM



2017-10-05T23:34:47Z INFO Enrolled in IPA realm EXAMPLE.COM

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=kdestroy

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Initializing principal 
host/groc-5.example....@example.com<mailto:host/groc-5.example....@example.com> 
using keytab /etc/krb5.keytab

2017-10-05T23:34:47Z DEBUG using ccache /etc/ipa/.dns_ccache

2017-10-05T23:34:47Z DEBUG Attempt 1/5: success

2017-10-05T23:34:47Z DEBUG Backing up system configuration file 
'/etc/ipa/default.conf'

2017-10-05T23:34:47Z DEBUG   -> Not backing up - '/etc/ipa/default.conf' 
doesn't exist

2017-10-05T23:34:47Z INFO Created /etc/ipa/default.conf

2017-10-05T23:34:47Z DEBUG Backing up system configuration file 
'/etc/sssd/sssd.conf'

2017-10-05T23:34:47Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't 
exist

2017-10-05T23:34:47Z INFO New SSSD config will be created

2017-10-05T23:34:47Z DEBUG Backing up system configuration file 
'/etc/nsswitch.conf'

2017-10-05T23:34:47Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'

2017-10-05T23:34:47Z INFO Configured sudoers in /etc/nsswitch.conf

2017-10-05T23:34:47Z INFO Configured /etc/sssd/sssd.conf

2017-10-05T23:34:47Z DEBUG Backing up system configuration file '/etc/krb5.conf'

2017-10-05T23:34:47Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=keyctl get_persistent @s 0

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=218715285



2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Enabling persistent keyring CCACHE

2017-10-05T23:34:47Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:

2017-10-05T23:34:47Z DEBUG #File modified by ipa-client-install



includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/



[libdefaults]

  default_realm = EXAMPLE.COM

  dns_lookup_realm = false

  dns_lookup_kdc = false

  rdns = false

  dns_canonicalize_hostname = false

  ticket_lifetime = 24h

  forwardable = true

  udp_preference_limit = 0

  default_ccache_name = KEYRING:persistent:%{uid}





[realms]

  EXAMPLE.COM = {

    kdc = ds01.example.com:88

    master_kdc = ds01.example.com:88

    admin_server = ds01.example.com:749

    kpasswd_server = ds01.example.com:464

    default_domain = example.com

    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem

    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem



  }





[domain_realm]

  .example.com = EXAMPLE.COM

  example.com = EXAMPLE.COM

  groc-5.example.com = EXAMPLE.COM







2017-10-05T23:34:47Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -N -f 
/tmp/tmpzYMe1L/pwdfile.txt -f /tmp/tmpzYMe1L/pwdfile.txt

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA 
certificate 1 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA 
certificate 2 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA 
certificate 3 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA 
certificate 4 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Starting external process

2017-10-05T23:34:47Z DEBUG args=/usr/bin/certutil -d /tmp/tmpzYMe1L -A -n CA 
certificate 5 -t C,, -f /tmp/tmpzYMe1L/pwdfile.txt

2017-10-05T23:34:47Z DEBUG Process finished, return code=0

2017-10-05T23:34:47Z DEBUG stdout=

2017-10-05T23:34:47Z DEBUG stderr=

2017-10-05T23:34:47Z DEBUG Error retrieving cookie from the persistent storage: 
expected string or buffer

2017-10-05T23:34:47Z DEBUG failed to find session_cookie in persistent storage 
for principal 'host/groc-5.example....@example.com'

2017-10-05T23:34:47Z INFO trying https://ds01.example.com/ipa/json

2017-10-05T23:34:47Z DEBUG New HTTP connection (ds01.example.com)

2017-10-05T23:34:47Z DEBUG received Set-Cookie (<type 
'list'>)'['ipa_session=c8b0ad6e060540145a210905bd242379; 
Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:47 GMT; 
Secure; HttpOnly']'

2017-10-05T23:34:47Z DEBUG storing cookie 
'ipa_session=c8b0ad6e060540145a210905bd242379;' for principal 
host/groc-5.example....@example.com<mailto:host/groc-5.example....@example.com>

2017-10-05T23:34:47Z DEBUG Created connection context.rpcclient_53194256

2017-10-05T23:34:47Z INFO [try 1]: Forwarding 'schema' to json server 
'https://ds01.example.com/ipa/json'

2017-10-05T23:34:47Z DEBUG HTTP connection keep-alive (ds01.example.com)

2017-10-05T23:34:47Z DEBUG received Set-Cookie (<type 
'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87; 
Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:47 GMT; 
Secure; HttpOnly']'

2017-10-05T23:34:47Z DEBUG storing cookie 
'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal 
host/groc-5.example....@example.com<mailto:host/groc-5.example....@example.com>

2017-10-05T23:34:48Z DEBUG Destroyed connection context.rpcclient_53194256

2017-10-05T23:34:48Z DEBUG importing all plugin modules in 
ipaclient.remote_plugins.schema$ed0ad850...

2017-10-05T23:34:48Z DEBUG importing plugin module 
ipaclient.remote_plugins.schema$ed0ad850.plugins

2017-10-05T23:34:48Z DEBUG importing all plugin modules in ipaclient.plugins...

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.automember

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.automount

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.ca

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.cert

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.certmap

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.certprofile

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.dns

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.hbacrule

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.hbactest

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.host

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.idrange

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.internal

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.location

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.migration

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.misc

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.otptoken

2017-10-05T23:34:48Z DEBUG importing plugin module 
ipaclient.plugins.otptoken_yubikey

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.passwd

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.permission

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.rpcclient

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.server

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.service

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.sudorule

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.topology

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.trust

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.user

2017-10-05T23:34:48Z DEBUG importing plugin module ipaclient.plugins.vault

2017-10-05T23:34:48Z DEBUG found session_cookie in persistent storage for 
principal 'host/groc-5.example....@example.com', cookie: 
'ipa_session=0552135805674c077504cbd3fcecfb87'

2017-10-05T23:34:48Z DEBUG setting session_cookie into context 
'ipa_session=0552135805674c077504cbd3fcecfb87;'

2017-10-05T23:34:48Z INFO trying https://ds01.example.com/ipa/session/json

2017-10-05T23:34:48Z DEBUG New HTTP connection (ds01.example.com)

2017-10-05T23:34:48Z DEBUG received Set-Cookie (<type 
'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87; 
Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:48 GMT; 
Secure; HttpOnly']'

2017-10-05T23:34:48Z DEBUG storing cookie 
'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal 
host/groc-5.example....@example.com<mailto:host/groc-5.example....@example.com>

2017-10-05T23:34:48Z DEBUG Created connection context.rpcclient_94332368

2017-10-05T23:34:48Z DEBUG Try RPC connection

2017-10-05T23:34:48Z INFO [try 1]: Forwarding 'ping' to json server 
'https://ds01.example.com/ipa/session/json'

2017-10-05T23:34:48Z DEBUG HTTP connection keep-alive (ds01.example.com)

2017-10-05T23:34:48Z DEBUG received Set-Cookie (<type 
'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87; 
Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:48 GMT; 
Secure; HttpOnly']'

2017-10-05T23:34:48Z DEBUG storing cookie 
'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal 
host/groc-5.example....@example.com<mailto:host/groc-5.example....@example.com>

2017-10-05T23:34:48Z INFO [try 1]: Forwarding 'ca_is_enabled' to json server 
'https://ds01.example.com/ipa/session/json'

2017-10-05T23:34:48Z DEBUG HTTP connection keep-alive (ds01.example.com)

2017-10-05T23:34:48Z DEBUG received Set-Cookie (<type 
'list'>)'['ipa_session=0552135805674c077504cbd3fcecfb87; 
Domain=ds01.example.com; Path=/ipa; Expires=Thu, 05 Oct 2017 23:54:48 GMT; 
Secure; HttpOnly']'

2017-10-05T23:34:48Z DEBUG storing cookie 
'ipa_session=0552135805674c077504cbd3fcecfb87;' for principal 
host/groc-5.example....@example.com<mailto:host/groc-5.example....@example.com>

2017-10-05T23:34:48Z DEBUG Starting external process

2017-10-05T23:34:48Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -N -f 
/etc/ipa/nssdb/pwdfile.txt -f /etc/ipa/nssdb/pwdfile.txt

2017-10-05T23:34:48Z DEBUG Process finished, return code=0

2017-10-05T23:34:48Z DEBUG stdout=

2017-10-05T23:34:48Z DEBUG stderr=

2017-10-05T23:34:49Z DEBUG Adding CA certificates to the IPA NSS database.

2017-10-05T23:34:49Z DEBUG Starting external process

2017-10-05T23:34:49Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n 
EXAMPLE.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt

2017-10-05T23:34:49Z DEBUG Process finished, return code=0

2017-10-05T23:34:49Z DEBUG stdout=

2017-10-05T23:34:49Z DEBUG stderr=

2017-10-05T23:34:49Z DEBUG Starting external process

2017-10-05T23:34:49Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n 
EXAMPLE.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt

2017-10-05T23:34:49Z DEBUG Process finished, return code=255

2017-10-05T23:34:49Z DEBUG stdout=

2017-10-05T23:34:49Z DEBUG stderr=certutil: could not add certificate to token 
or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.



2017-10-05T23:34:49Z WARNING Installation failed. Force set so not rolling back 
changes.

2017-10-05T23:34:49Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute

    return_value = self.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, 
in run

    cfgr.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, 
in run

    self.execute()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, 
in execute

    for _nothing in self._executor():

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, 
in __runner

    exc_handler(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, 
in _handle_execute_exception

    self._handle_exception(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, 
in _handle_exception

    six.reraise(*exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, 
in __runner

    step()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, 
in <lambda>

    step = lambda: next(self.__gen)

  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
in run_generator_with_yield_from

    six.reraise(*exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
in run_generator_with_yield_from

    value = gen.send(prev_value)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, 
in _configure

    next(executor)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, 
in __runner

    exc_handler(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, 
in _handle_execute_exception

    self._handle_exception(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, 
in _handle_exception

    self.__parent._handle_exception(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, 
in _handle_exception

    six.reraise(*exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, 
in _handle_exception

    super(ComponentBase, self)._handle_exception(exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, 
in _handle_exception

    six.reraise(*exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, 
in __runner

    step()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, 
in <lambda>

    step = lambda: next(self.__gen)

  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
in run_generator_with_yield_from

    six.reraise(*exc_info)

  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
in run_generator_with_yield_from

    value = gen.send(prev_value)

  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, 
in _install

    for _nothing in self._installer(self.parent):

  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 
3621, in main

    install(self)

  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 
2348, in install

    _install(options)

  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 
2791, in _install

    rval=CLIENT_INSTALL_ERROR)



2017-10-05T23:34:49Z DEBUG The ipa-client-install command failed, exception: 
ScriptError: Failed to add EXAMPLE.COM IPA CA to the IPA NSS database.

2017-10-05T23:34:49Z ERROR Failed to add EXAMPLE.COM IPA CA to the IPA NSS 
database.

2017-10-05T23:34:49Z ERROR The ipa-client-install command failed. See 
/var/log/ipaclient-install.log for more information


Regards,

Bhavin
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to