lune voo via FreeIPA-users wrote:
> Hello everyone.
>
> I am sending you this mail because I am trying to connect an ipa-client 4.6.4 on
> RHEL7 to an ipa-server 3.0.0 on RHEL6 and I get the following message
> when I try to register the client to the server:
> ###
> ipa-client-install \
> --domain=<MY_DOMAIN> \
> --realm=<MY_REALM> \
> --server=<MY_IPA_MASTER> \
> --principal=admin \
> --password='<admin_password>' \
> --mkhomedir \
> --hostname=<MY_CLIENT_HOST> \
> --no-ntp \
> --no-ssh \
> --no-sshd \
> --unattended \
> ###
>
> And here is the error I got:
> ###
> WARNING: yacc table file version is out of date
> Client hostname: <MY_CLIENT_HOST>
> Realm: <MY_REALM>
> DNS Domain: <MY_DOMAIN>
> IPA Server: <MY_IPA_MASTER>
> BaseDN: dc=<MY_REALM>
>
> Skipping synchronizing time with NTP server.
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Unconfigured automount client failed: Command 'ipa-client-automount
> --uninstall --debug' returned non-zero exit status 1
> Failed to start certmonger: Command '/bin/systemctl start
> certmonger.service' returned non-zero exit status 1
> Command '/bin/systemctl start certmonger.service' returned non-zero exit
> status 1
> Command '/bin/systemctl start certmonger.service' returned non-zero exit
> status 1
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
> [root@<MY_CLIENT_HOST> ~]# /bin/systemctl start certmonger.service
> Job for certmonger.service failed because the control process exited
> with error code. See "systemctl status certmonger.service" and
> "journalctl -xe" for details.
> [root@<MY_CLIENT_HOST> ~]# systemctl status certmonger.service
> ● certmonger.service - Certificate monitoring and PKI enrollment
> Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled;
> vendor preset: disabled)
> Active: failed (Result: exit-code) since Mon 2019-08-26 11:42:20
> CEST; 27s ago
> Process: 21027 ExecStart=/usr/sbin/certmonger -S -p
> /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
> Main PID: 21027 (code=exited, status=1/FAILURE)
>
> Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Starting Certificate
> monitoring and PKI enrollment...
> Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: 2019-08-26 11:42:20
> [21027] Unable to set well-known bus name "org.fedorahosted.certmonger":
> Connection ":1.21663" is not allowed to own the service "or...tion file(-1).
> Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: Error connecting to
> D-Bus.
> Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service: main
> process exited, code=exited, status=1/FAILURE
> Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Failed to start Certificate
> monitoring and PKI enrollment.
> Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Unit certmonger.service
> entered failed state.
> Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service failed.
> ###
>
> When I retried the command, it said the client was already configured so
> I tried to unconfigure it with the following command:
> ###
> ipa-client-install -U --uninstall
> ###
>
> But then I got the following error:
> ###
> The ipa-client-install command failed, exception: CalledProcessError:
> Command '/bin/systemctl start certmonger.service' returned non-zero exit
> status 1
> Command '/bin/systemctl start certmonger.service' returned non-zero exit
> status 1
> ###
>
> When I enable debug and check the logs, I can see a first error here:
> ###
> Starting external process
> args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n Local IPA host -a -f
> /etc/ipa/nssdb/pwdfile.txt
> Process finished, return code=255
> stdout=
> stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
> ###
>
> When I check the content of /etc/ipa/nssdb, I can find only this
> pwdfile.txt indeed.
> When I check the content of this folder on another RHEL7 host, I see
> more content:
> ###
> # ls -l /etc/ipa/nssdb/
> total 80
> -rw-r--r-- 1 root root 65536 Aug 9 2018 cert8.db
> -rw-r--r-- 1 root root 16384 Aug 9 2018 key3.db
> -rw------- 1 root root 40 Aug 9 2018 pwdfile.txt
> -rw-r--r-- 1 root root 16384 Aug 9 2018 secmod.db
> ###
>
> Could you help me understand and solve this problem, please?
>
> I tried to use a client version lower than 4.4.0 instead of 4.6.4 to
> register to a 3.0.0 server but I still have the same problem.

I think we need to see the full ipaclient-install.log.

The uninstaller will run a bunch of operations that can fail, like the NSS failure you report, and that's ok because it's just being thorough to try to ensure the previous state is obtained.

rob
