Hello Rob.

Thank you for your reply.

Here is the log from the ipa client 4.4 uninstallation:
###
2019-08-26T11:52:26Z DEBUG /sbin/ipa-client-install was invoked with
options: {'domain': None, 'force': True, 'krb5_offline_passwords': True,
'ip_addresses': [], 'configure_firefox': False, 'primary': False,
'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False,
'nisdomain': None, 'ca_cert_file': None, 'principal': None, 'keytab': None,
'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac':
False, 'unattended': None, 'all_ip_addresses': False, 'location': None,
'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates':
False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit':
False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': False,
'uninstall': True}
2019-08-26T11:52:26Z DEBUG missing options might be asked for interactively
later
2019-08-26T11:52:26Z DEBUG IPA version 4.4.0-12.el7
2019-08-26T11:52:26Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-08-26T11:52:26Z DEBUG Starting external process
2019-08-26T11:52:26Z DEBUG args=ipa-client-automount --uninstall --debug
2019-08-26T11:52:27Z DEBUG Process finished, return code=0
2019-08-26T11:52:27Z DEBUG stdout=Restoring configuration

2019-08-26T11:52:27Z DEBUG stderr=/etc/host.conf: line 2: bad command
`nospoof off'
/etc/host.conf: line 5: bad command `spoof off'
/etc/host.conf: line 6: bad command `spoofalert off'
WARNING: yacc table file version is out of date

2019-08-26T11:52:27Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-08-26T11:52:27Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-08-26T11:52:27Z DEBUG Starting external process
2019-08-26T11:52:27Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n
Local IPA host -a
2019-08-26T11:52:27Z DEBUG Process finished, return code=255
2019-08-26T11:52:27Z DEBUG stdout=
2019-08-26T11:52:27Z DEBUG stderr=certutil: function failed:
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
unsupported format.

2019-08-26T11:52:27Z DEBUG Starting external process
2019-08-26T11:52:27Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n
IPA Machine Certificate - <MY_CLIENT_HOST> -a
2019-08-26T11:52:27Z DEBUG Process finished, return code=255
2019-08-26T11:52:27Z DEBUG stdout=
2019-08-26T11:52:27Z DEBUG stderr=certutil: Could not find cert: IPA
Machine Certificate - <MY_CLIENT_HOST>
: PR_FILE_NOT_FOUND_ERROR: File not found

2019-08-26T11:52:27Z DEBUG Starting external process
2019-08-26T11:52:27Z DEBUG args=/bin/systemctl start certmonger.service
2019-08-26T11:52:27Z DEBUG Process finished, return code=1
2019-08-26T11:52:27Z DEBUG stdout=
2019-08-26T11:52:27Z DEBUG stderr=Job for certmonger.service failed because
the control process exited with error code. See "systemctl status
certmonger.service" and "journalctl -xe" for details.

2019-08-26T11:52:27Z ERROR Failed to start certmonger: Command
'/bin/systemctl start certmonger.service' returned non-zero exit status 1
###

Best regards.

Lune

On Mon, 26 Aug 2019 at 14:11, Rob Crittenden <[email protected]> wrote:

> lune voo via FreeIPA-users wrote:
> > Hello everyone.
> >
> > I am sending you this mail because I am trying to connect an ipa-client 4.6.4 on
> > RHEL7 to an ipa-server 3.0.0 on RHEL6 and I get the following message
> > when I try to register the client to the server:
> > ###
> > ipa-client-install  \
> > --domain=<MY_DOMAIN> \
> > --realm=<MY_REALM> \
> > --server=<MY_IPA_MASTER> \
> > --principal=admin \
> > --password='<admin_password>'  \
> > --mkhomedir  \
> > --hostname=<MY_CLIENT_HOST> \
> > --no-ntp \
> > --no-ssh \
> > --no-sshd \
> > --unattended \
> > ###
> >
> > And here is the error I got:
> > ###
> > WARNING: yacc table file version is out of date
> > Client hostname: <MY_CLIENT_HOST>
> > Realm: <MY_REALM>
> > DNS Domain: <MY_DOMAIN>
> > IPA Server: <MY_IPA_MASTER>
> > BaseDN: dc=<MY_REALM>
> >
> > Skipping synchronizing time with NTP server.
> > Please make sure the following ports are opened in the firewall settings:
> >      TCP: 80, 88, 389
> >      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > Also note that following ports are necessary for ipa-client working
> > properly after enrollment:
> >      TCP: 464
> >      UDP: 464, 123 (if NTP enabled)
> > Installation failed. Rolling back changes.
> > Unconfigured automount client failed: Command 'ipa-client-automount
> > --uninstall --debug' returned non-zero exit status 1
> > Failed to start certmonger: Command '/bin/systemctl start
> > certmonger.service' returned non-zero exit status 1
> > Command '/bin/systemctl start certmonger.service' returned non-zero exit
> > status 1
> > Command '/bin/systemctl start certmonger.service' returned non-zero exit
> > status 1
> > The ipa-client-install command failed. See
> > /var/log/ipaclient-install.log for more information
> > [root@<MY_CLIENT_HOST> ~]# /bin/systemctl start certmonger.service
> > Job for certmonger.service failed because the control process exited
> > with error code. See "systemctl status certmonger.service" and
> > "journalctl -xe" for details.
> > [root@<MY_CLIENT_HOST> ~]# systemctl status certmonger.service
> > ● certmonger.service - Certificate monitoring and PKI enrollment
> >    Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled;
> > vendor preset: disabled)
> >    Active: failed (Result: exit-code) since Mon 2019-08-26 11:42:20
> > CEST; 27s ago
> >   Process: 21027 ExecStart=/usr/sbin/certmonger -S -p
> > /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
> > Main PID: 21027 (code=exited, status=1/FAILURE)
> >
> > Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Starting Certificate
> > monitoring and PKI enrollment...
> > Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: 2019-08-26 11:42:20
> > [21027] Unable to set well-known bus name "org.fedorahosted.certmonger":
> > Connection ":1.21663" is not allowed to own the service "or...tion
> > file(-1).
> > Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: Error connecting to
> > D-Bus.
> > Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service: main
> > process exited, code=exited, status=1/FAILURE
> > Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Failed to start Certificate
> > monitoring and PKI enrollment.
> > Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Unit certmonger.service
> > entered failed state.
> > Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service failed.
> > ###
> >
> > When I retried the command, it said the client was already configured, so
> > I tried to unconfigure it with the following command:
> > ###
> > ipa-client-install -U --uninstall
> > ###
> >
> > But then I got the following error:
> > ###
> > The ipa-client-install command failed, exception: CalledProcessError:
> > Command '/bin/systemctl start certmonger.service' returned non-zero exit
> > status 1
> > Command '/bin/systemctl start certmonger.service' returned non-zero exit
> > status 1
> > ###
> >
> > When I enable debug and check the logs, I can see a first error here:
> > ###
> > Starting external process
> > args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n Local IPA host -a -f
> > /etc/ipa/nssdb/pwdfile.txt
> > Process finished, return code=255
> > stdout=
> > stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > certificate/key database is in an old, unsupported format.
> > ###
> >
> > When I check the content of /etc/ipa/nssdb, I can indeed find only this
> > pwdfile.txt.
> > When I check the content of this folder on another RHEL7 host, I see
> > more content:
> > ###
> > # ls -l /etc/ipa/nssdb/
> > total 80
> > -rw-r--r-- 1 root root 65536 Aug  9  2018 cert8.db
> > -rw-r--r-- 1 root root 16384 Aug  9  2018 key3.db
> > -rw------- 1 root root    40 Aug  9  2018 pwdfile.txt
> > -rw-r--r-- 1 root root 16384 Aug  9  2018 secmod.db
> > ###
> >
> > Could you help me understand and solve this problem, please?
> >
> > I tried to use a client version lower than the 4.4.0 instead of 4.6.4 to
> > register to a 3.0.0 server but I still have the same problem.
>
> I think we need to see the full ipaclient-install.log. The uninstaller
> will run a bunch of operations that can fail, like the NSS failure you
> report, and that's ok because it's just being thorough to try to ensure
> the previous state is obtained.
>
> rob
>
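
The reply above notes that the uninstaller runs operations that may fail without that being the real problem. As an added example (not code from this thread or from FreeIPA), the sketch below re-joins the mail-wrapped records of an `ipaclient-install.log`, pairs each external command with its return code and stderr, and flags the failures that an ERROR record names. The helper names `records` and `triage` and the "escalated" heuristic are assumptions; the sample is abridged from the log posted in this message.

```python
import re

# Constructed sample: abridged from the uninstall log in this thread, wrapping kept.
SAMPLE = """\
2019-08-26T11:52:26Z DEBUG args=ipa-client-automount --uninstall --debug
2019-08-26T11:52:27Z DEBUG Process finished, return code=0
2019-08-26T11:52:27Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n
Local IPA host -a
2019-08-26T11:52:27Z DEBUG Process finished, return code=255
2019-08-26T11:52:27Z DEBUG stderr=certutil: function failed:
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
unsupported format.
2019-08-26T11:52:27Z DEBUG args=/bin/systemctl start certmonger.service
2019-08-26T11:52:27Z DEBUG Process finished, return code=1
2019-08-26T11:52:27Z DEBUG stderr=Job for certmonger.service failed because
the control process exited with error code.
2019-08-26T11:52:27Z ERROR Failed to start certmonger: Command
'/bin/systemctl start certmonger.service' returned non-zero exit status 1
"""

RECORD = re.compile(r"^\d{4}-\d\d-\d\dT[\d:]+Z (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")

def records(text):
    """Return [level, message] pairs; a line without a timestamp continues the previous record."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def triage(text):
    """Return failed external commands, each flagged if an ERROR record names it (heuristic)."""
    cmds, errors, cur = [], [], None
    for level, msg in records(text):
        if msg.startswith("args="):
            cur = {"args": msg[5:], "rc": None, "stderr": ""}
            cmds.append(cur)
        elif cur and (m := re.match(r"Process finished, return code=(-?\d+)", msg)):
            cur["rc"] = int(m.group(1))
        elif cur and msg.startswith("stderr="):
            cur["stderr"] = msg[7:]
        elif level == "ERROR":
            errors.append(msg)
    failed = [c for c in cmds if c["rc"]]  # drops rc 0 and commands with no recorded rc
    for c in failed:
        c["escalated"] = any(c["args"] in e for e in errors)
    return failed
```

On the sample, the `certutil` failure comes back with `escalated` false and the `systemctl start certmonger.service` failure with `escalated` true.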