Hello there!

Ubuntu 18.04 (and previous ones) works just fine.
In Ubuntu 22.04 I'm trying to execute ipa-client-install but it fails with:

root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo@FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
root@fisica75:~#

There is no Hostname mismatch for the server certificate. It has been working just fine for years with multiple distros as clients.
I can access the website with the same URL and cert is just fine.

Any ideas?
Thanks!

--
Gustavo Berman

2022-05-26T12:18:49Z DEBUG Logging to /var/log/ipaclient-install.log 2022-05-26T12:18:49Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False} 2022-05-26T12:18:49Z DEBUG IPA version 4.9.8 2022-05-26T12:18:49Z DEBUG IPA platform debian 2022-05-26T12:18:49Z DEBUG IPA os-release Ubuntu 22.04 (Jammy Jellyfish) 2022-05-26T12:18:49Z DEBUG Starting external process 2022-05-26T12:18:49Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:18:49Z DEBUG Process execution failed 2022-05-26T12:18:49Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:18:49Z DEBUG Starting external process 2022-05-26T12:18:49Z DEBUG args=['sudo', '-V'] 2022-05-26T12:18:49Z DEBUG Process finished, return code=0 2022-05-26T12:18:49Z DEBUG stdout=Sudo versión 1.9.9 Opciones de configuración: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man 
--infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --with-selinux --with-linux-audit --enable-tmpfiles.d=yes --without-lecture --with-tty-tickets --enable-admin-flag versión del complemento de políticas de sudoers 1.9.9 versión de gramática del archivo Sudoers 48 Ruta de sudoers: /etc/sudoers Métodos de autenticicación: 'pam' Facilidad de syslog, cuando se usa syslog para el registro: authpriv Prioridad de syslog a usarse cuando el usuario se autentifica con éxito: notice Prioridad de syslog a usarse cuando el usuario no se autentifica con éxito: alert Envía correo si la autenticicación de usuario falla Envía correo si el usuario no está en sudoers Da la charla al usuario la primera vez que use sudo Requiere a los usuarios que por defecto se autentifiquen Root puede usar sudo Permite alguna recolección de datos para dar mensajes de error útiles Requerir nombres de equipo plenamente-cualificados en el fichero sudoers Visudo obedecerá a la variable de entorno EDITOR Establece las variables de entorno LOGNAME y USER Longitud a la cual enrollar las lineas del registro (0 para no enrollar): 80 Temporizador de la marca de tiempo de la autenticicación: 15,0 minutos Temporizador de la solicitud de contraseña: 0,0 minutos Número de intentos para introducir una contraseña: 3 Umask que debe usarse o 0777 para usar la del usuario: 022 Camino al programa de 
correo: /usr/sbin/sendmail Banderas para el programa de correo: -t Dirección a la que enviar el correo: root Linea de tema a usar en los mensajes de correo: *** SECURITY information for %h *** Mensaje de contraseña incorrecta: Lo siento, pruebe otra vez. Camino al directorio de estado de las charlas: /var/lib/sudo/lectured Camino al directorio de marcas de tiempo de las autenticaciones: /run/sudo/ts Solicitud por omisión de contraseña: [sudo] contraseña para %p: Usuario por omisión que se utilizará para ejecutar los comandos: root Valor que substituirá al del usuario en el $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin Camino al editor que se usará por visudo: /usr/bin/editor Cuando se requiera una contraseña para la seudo orden «list»: any Cuando se requiera una contraseña para la seudo orden «verify»: all Descriptores de archivos>= 3 se cerrará antes de ejecutar una orden Restablece el entorno a un conjunto predeterminado de variables Environment variables to check for safety: TZ TERM LINGUAS LC_* LANGUAGE LANG COLORTERM Variables de entorno para eliminar: *=()* RUBYOPT RUBYLIB PYTHONUSERBASE PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG JAVA_TOOL_OPTIONS SHELLOPTS BASHOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN CDPATH IFS Variables de entorno para preservar: XAUTHORIZATION XAUTHORITY PS2 PS1 PATH LS_COLORS KRB5CCNAME HOSTNAME DPKG_COLORS DISPLAY COLORS Local a usar mientras se analizan los sudoers: C Comprimir los registros E/S usando zlib Ejecutar las órdenes siempre en pseudo-tty Directorio en el que se almacenan las entradas/salidas de los registros:/var/log/sudo-io Archivo en el que se almacenan las entradas/salidas de los registros: %{seq} Añadairuna entrada al achivo utpm/utpmx cuando se reserva una pty PAM service name to use: sudo PAM service name to 
use for login shells: sudo-i Intentar establecer credenciales de PAM para el usuario de destino Crear una sesión de PAM nueva para el comando que se ejecutará en Perform PAM account validation management Enable sudoers netgroup support Check parent directories for writability when editing files with sudoedit Allow commands to be run even if sudo cannot write to the audit log Allow commands to be run even if sudo cannot write to the log file Log entries larger than this value will be split into multiple syslog messages: 960 File mode to use for the I/O log files: 0600 Execute commands by file descriptor instead of by path: digest_only Type of authentication timestamp record: tty Ignore case when matching user names Ignore case when matching group names Log when a command is allowed by sudoers Log when a command is denied by sudoers Sudo log server timeout in seconds: 30 Enable SO_KEEPALIVE socket option on the socket connected to the logserver Verify that the log server's certificate is valid Set the pam remote user to the user running sudo The format of logs to produce: sudo Enable SELinux RBAC support Path to the file that is created the first time sudo is run: ~/.sudo_as_admin_successful The largest size core dump file that may be created (in bytes): 0,0 Dirección IP local y pares de máscara de red: 10.73.25.248/255.255.255.192 fe80::300e:ee9e:ed5:716c/ffff:ffff:ffff:ffff:: Sudoers I/O plugin version 1.9.9 Sudoers audit plugin version 1.9.9 2022-05-26T12:18:49Z DEBUG stderr= 2022-05-26T12:18:49Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'. 
2022-05-26T12:18:49Z DEBUG [IPA Discovery] 2022-05-26T12:18:49Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=fisica75.fisica.cabib 2022-05-26T12:18:49Z DEBUG Start searching for LDAP SRV record in "fisica.cabib" (domain of the hostname) and its sub-domains 2022-05-26T12:18:49Z DEBUG Search DNS for SRV record of _ldap._tcp.fisica.cabib 2022-05-26T12:18:50Z DEBUG DNS record found: 0 100 389 ipaserver.fisica.cabib. 2022-05-26T12:18:50Z DEBUG [Kerberos realm search] 2022-05-26T12:18:50Z DEBUG Search DNS for TXT record of _kerberos.fisica.cabib 2022-05-26T12:18:50Z DEBUG DNS record found: "FISICA.CABIB" 2022-05-26T12:18:50Z DEBUG Search DNS for SRV record of _kerberos._udp.fisica.cabib 2022-05-26T12:18:50Z DEBUG DNS record found: 0 100 88 ipaserver.fisica.cabib. 2022-05-26T12:18:50Z DEBUG [LDAP server check] 2022-05-26T12:18:50Z DEBUG Verifying that ipaserver.fisica.cabib (realm FISICA.CABIB) is an IPA server 2022-05-26T12:18:50Z DEBUG Init LDAP connection to: ldap://ipaserver.fisica.cabib:389 2022-05-26T12:18:50Z DEBUG Search LDAP server for IPA base DN 2022-05-26T12:18:50Z DEBUG Check if naming context 'dc=fisica,dc=cabib' is for IPA 2022-05-26T12:18:50Z DEBUG Naming context 'dc=fisica,dc=cabib' is a valid IPA context 2022-05-26T12:18:50Z DEBUG Search for (objectClass=krbRealmContainer) in dc=fisica,dc=cabib (sub) 2022-05-26T12:18:50Z DEBUG Found: cn=FISICA.CABIB,cn=kerberos,dc=fisica,dc=cabib 2022-05-26T12:18:50Z DEBUG Discovery result: Success; server=ipaserver.fisica.cabib, domain=fisica.cabib, kdc=ipaserver.fisica.cabib, basedn=dc=fisica,dc=cabib 2022-05-26T12:18:50Z DEBUG Validated servers: ipaserver.fisica.cabib 2022-05-26T12:18:50Z DEBUG will use discovered domain: fisica.cabib 2022-05-26T12:18:50Z DEBUG Start searching for LDAP SRV record in "fisica.cabib" (Validating DNS Discovery) and its sub-domains 2022-05-26T12:18:50Z DEBUG Search DNS for SRV record of _ldap._tcp.fisica.cabib 2022-05-26T12:18:50Z DEBUG DNS record found: 0 100 389 
ipaserver.fisica.cabib. 2022-05-26T12:18:50Z DEBUG DNS validated, enabling discovery 2022-05-26T12:18:50Z DEBUG will use discovered server: ipaserver.fisica.cabib 2022-05-26T12:18:50Z INFO Discovery was successful! 2022-05-26T12:18:57Z DEBUG will use discovered realm: FISICA.CABIB 2022-05-26T12:18:57Z DEBUG will use discovered basedn: dc=fisica,dc=cabib 2022-05-26T12:18:57Z INFO Client hostname: fisica75.fisica.cabib 2022-05-26T12:18:57Z DEBUG Hostname source: Machine's FQDN 2022-05-26T12:18:57Z INFO Realm: FISICA.CABIB 2022-05-26T12:18:57Z DEBUG Realm source: Discovered from LDAP DNS records in ipaserver.fisica.cabib 2022-05-26T12:18:57Z INFO DNS Domain: fisica.cabib 2022-05-26T12:18:57Z DEBUG DNS Domain source: Discovered LDAP SRV records from fisica.cabib (domain of the hostname) 2022-05-26T12:18:57Z INFO IPA Server: ipaserver.fisica.cabib 2022-05-26T12:18:57Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipaserver.fisica.cabib 2022-05-26T12:18:57Z INFO BaseDN: dc=fisica,dc=cabib 2022-05-26T12:18:57Z DEBUG BaseDN source: From IPA server ldap://ipaserver.fisica.cabib:389 2022-05-26T12:19:01Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Starting external process 2022-05-26T12:19:01Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', 'FISICA.CABIB'] 2022-05-26T12:19:01Z DEBUG Process finished, return code=7 2022-05-26T12:19:01Z DEBUG stdout= 2022-05-26T12:19:01Z DEBUG stderr=Failed to set cursor 'No existe el archivo o el directorio' 2022-05-26T12:19:01Z DEBUG Starting external process 2022-05-26T12:19:01Z DEBUG args=['/usr/sbin/service', 'ntp', 'status', ''] 2022-05-26T12:19:01Z 
DEBUG Process finished, return code=4 2022-05-26T12:19:01Z DEBUG stdout= 2022-05-26T12:19:01Z DEBUG stderr=Unit ntp.service could not be found. 2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2022-05-26T12:19:01Z DEBUG Search DNS for SRV record of _ntp._udp.fisica.cabib 2022-05-26T12:19:01Z DEBUG DNS record not found: NXDOMAIN 2022-05-26T12:19:01Z INFO Synchronizing time 2022-05-26T12:19:01Z WARNING No SRV records of NTP servers found and no NTP server or pool address was provided. 2022-05-26T12:19:01Z DEBUG Starting external process 2022-05-26T12:19:01Z DEBUG args=['/bin/systemctl', 'enable', 'chrony.service'] 2022-05-26T12:19:02Z DEBUG Process finished, return code=0 2022-05-26T12:19:02Z DEBUG stdout= 2022-05-26T12:19:02Z DEBUG stderr=Synchronizing state of chrony.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable chrony 2022-05-26T12:19:02Z DEBUG Starting external process 2022-05-26T12:19:02Z DEBUG args=['/bin/systemctl', 'restart', 'chrony.service'] 2022-05-26T12:19:03Z DEBUG Process finished, return code=0 2022-05-26T12:19:03Z DEBUG stdout= 2022-05-26T12:19:03Z DEBUG stderr= 2022-05-26T12:19:03Z DEBUG Starting external process 2022-05-26T12:19:03Z DEBUG args=['/bin/systemctl', 'is-active', 'chrony.service'] 2022-05-26T12:19:03Z DEBUG Process finished, return code=0 2022-05-26T12:19:03Z DEBUG stdout=active 2022-05-26T12:19:03Z DEBUG stderr= 2022-05-26T12:19:03Z DEBUG Restart of chrony.service complete 2022-05-26T12:19:03Z INFO Attempting to sync time with chronyc. 
2022-05-26T12:19:03Z DEBUG Starting external process 2022-05-26T12:19:03Z DEBUG args=['/usr/bin/chronyc', '-d', 'waitsync', '4', '0', '0', '3'] 2022-05-26T12:19:12Z DEBUG Process finished, return code=0 2022-05-26T12:19:12Z DEBUG stdout=try: 1, refid: 00000000, correction: 0.000000000, skew: 0.000 try: 2, refid: 00000000, correction: 0.000000000, skew: 0.000 try: 3, refid: 00000000, correction: 0.000000000, skew: 0.000 try: 4, refid: 0A4901E6, correction: 0.000018063, skew: 29.998 2022-05-26T12:19:12Z DEBUG stderr= 2022-05-26T12:19:12Z INFO Time synchronization was successful. 2022-05-26T12:19:14Z DEBUG will use principal provided as option: tavo 2022-05-26T12:19:14Z DEBUG Starting external process 2022-05-26T12:19:14Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:19:14Z DEBUG Process execution failed 2022-05-26T12:19:14Z DEBUG Starting external process 2022-05-26T12:19:14Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0'] 2022-05-26T12:19:14Z DEBUG Process finished, return code=0 2022-05-26T12:19:14Z DEBUG stdout=927400826 2022-05-26T12:19:14Z DEBUG stderr= 2022-05-26T12:19:14Z DEBUG Enabling persistent keyring CCACHE 2022-05-26T12:19:14Z DEBUG Writing Kerberos configuration to /tmp/tmpe_voehkm: 2022-05-26T12:19:14Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = FISICA.CABIB dns_lookup_realm = false rdns = false dns_canonicalize_hostname = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] FISICA.CABIB = { kdc = ipaserver.fisica.cabib:88 master_kdc = ipaserver.fisica.cabib:88 admin_server = ipaserver.fisica.cabib:749 kpasswd_server = ipaserver.fisica.cabib:464 default_domain = fisica.cabib pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .fisica.cabib = 
FISICA.CABIB fisica.cabib = FISICA.CABIB fisica75.fisica.cabib = FISICA.CABIB 2022-05-26T12:19:14Z DEBUG Writing configuration file /tmp/tmpe_voehkm 2022-05-26T12:19:14Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = FISICA.CABIB dns_lookup_realm = false rdns = false dns_canonicalize_hostname = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] FISICA.CABIB = { kdc = ipaserver.fisica.cabib:88 master_kdc = ipaserver.fisica.cabib:88 admin_server = ipaserver.fisica.cabib:749 kpasswd_server = ipaserver.fisica.cabib:464 default_domain = fisica.cabib pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .fisica.cabib = FISICA.CABIB fisica.cabib = FISICA.CABIB fisica75.fisica.cabib = FISICA.CABIB 2022-05-26T12:19:55Z DEBUG Initializing principal tavo@FISICA.CABIB using password 2022-05-26T12:19:55Z DEBUG Starting external process 2022-05-26T12:19:55Z DEBUG args=['/usr/bin/kinit', 'tavo@FISICA.CABIB', '-c', '/tmp/krbccj_umtcb0/ccache'] 2022-05-26T12:19:55Z DEBUG Process finished, return code=0 2022-05-26T12:19:55Z DEBUG stdout=Password for tavo@FISICA.CABIB: 2022-05-26T12:19:55Z DEBUG stderr= 2022-05-26T12:19:55Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.fisica.cabib 2022-05-26T12:19:55Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.fisica.cabib:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fe2ff1e1d80> 2022-05-26T12:19:56Z INFO Successfully retrieved CA cert Subject: CN=Certificate Authority,O=FISICA.CABIB Issuer: CN=Certificate Authority,O=FISICA.CABIB Valid From: 2014-01-14 12:56:57 Valid Until: 2034-01-14 12:56:57 2022-05-26T12:19:56Z DEBUG Starting external process 2022-05-26T12:19:56Z DEBUG args=['/usr/sbin/ipa-join', '-s', 
'ipaserver.fisica.cabib', '-b', 'dc=fisica,dc=cabib', '-h', 'fisica75.fisica.cabib', '-k', '/etc/krb5.keytab'] 2022-05-26T12:19:56Z DEBUG Process finished, return code=0 2022-05-26T12:19:56Z DEBUG stdout= 2022-05-26T12:19:56Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab 2022-05-26T12:19:56Z INFO Enrolled in IPA realm FISICA.CABIB 2022-05-26T12:19:56Z DEBUG Starting external process 2022-05-26T12:19:56Z DEBUG args=['/usr/bin/kdestroy'] 2022-05-26T12:19:56Z DEBUG Process finished, return code=0 2022-05-26T12:19:56Z DEBUG stdout= 2022-05-26T12:19:56Z DEBUG stderr= 2022-05-26T12:19:56Z DEBUG Initializing principal host/fisica75.fisica.cabib@FISICA.CABIB using keytab /etc/krb5.keytab 2022-05-26T12:19:56Z DEBUG using ccache /etc/ipa/.dns_ccache 2022-05-26T12:19:57Z DEBUG Attempt 1/5: success 2022-05-26T12:19:57Z DEBUG Backing up system configuration file '/etc/ipa/default.conf' 2022-05-26T12:19:57Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist 2022-05-26T12:19:57Z DEBUG Writing configuration file /etc/ipa/default.conf 2022-05-26T12:19:57Z DEBUG #File modified by ipa-client-install [global] basedn = dc=fisica,dc=cabib realm = FISICA.CABIB domain = fisica.cabib server = ipaserver.fisica.cabib host = fisica75.fisica.cabib xmlrpc_uri = https://ipaserver.fisica.cabib/ipa/xml enable_ra = True 2022-05-26T12:19:57Z INFO Created /etc/ipa/default.conf 2022-05-26T12:19:57Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf' 2022-05-26T12:19:57Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist 2022-05-26T12:19:57Z DEBUG New SSSD config will be created 2022-05-26T12:19:57Z INFO Configured /etc/sssd/sssd.conf 2022-05-26T12:19:57Z DEBUG Backing up system configuration file '/etc/krb5.conf' 2022-05-26T12:19:57Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled'] 
2022-05-26T12:19:57Z DEBUG Process execution failed 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0'] 2022-05-26T12:19:57Z DEBUG Process finished, return code=0 2022-05-26T12:19:57Z DEBUG stdout=927400826 2022-05-26T12:19:57Z DEBUG stderr= 2022-05-26T12:19:57Z DEBUG Enabling persistent keyring CCACHE 2022-05-26T12:19:57Z DEBUG Writing Kerberos configuration to /etc/krb5.conf: 2022-05-26T12:19:57Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = FISICA.CABIB dns_lookup_realm = true rdns = false dns_canonicalize_hostname = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] FISICA.CABIB = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .fisica.cabib = FISICA.CABIB fisica.cabib = FISICA.CABIB fisica75.fisica.cabib = FISICA.CABIB 2022-05-26T12:19:57Z DEBUG Writing configuration file /etc/krb5.conf 2022-05-26T12:19:57Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = FISICA.CABIB dns_lookup_realm = true rdns = false dns_canonicalize_hostname = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] FISICA.CABIB = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .fisica.cabib = FISICA.CABIB fisica.cabib = FISICA.CABIB fisica75.fisica.cabib = FISICA.CABIB 2022-05-26T12:19:57Z INFO Configured /etc/krb5.conf for IPA realm FISICA.CABIB 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG 
args=['/usr/bin/certutil', '-d', '/tmp/tmpetyu20up', '-N', '-f', '/tmp/tmpetyu20up/pwdfile.txt', '-@', '/tmp/tmpetyu20up/pwdfile.txt'] 2022-05-26T12:19:57Z DEBUG Process finished, return code=0 2022-05-26T12:19:57Z DEBUG stdout= 2022-05-26T12:19:57Z DEBUG stderr= 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:19:57Z DEBUG Process execution failed 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:19:57Z DEBUG Process execution failed 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:19:57Z DEBUG Process execution failed 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:19:57Z DEBUG Process execution failed 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled'] 2022-05-26T12:19:57Z DEBUG Process execution failed 2022-05-26T12:19:57Z DEBUG Starting external process 2022-05-26T12:19:57Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpetyu20up', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpetyu20up/pwdfile.txt'] 2022-05-26T12:19:57Z DEBUG Process finished, return code=0 2022-05-26T12:19:57Z DEBUG stdout= 2022-05-26T12:19:57Z DEBUG stderr= 2022-05-26T12:19:57Z DEBUG failed to find session_cookie in persistent storage for principal 'host/fisica75.fisica.cabib@FISICA.CABIB' 2022-05-26T12:19:57Z DEBUG trying https://ipaserver.fisica.cabib/ipa/json 2022-05-26T12:19:57Z DEBUG Created connection context.rpcclient_140612862196752 2022-05-26T12:19:57Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipaserver.fisica.cabib/ipa/json' 2022-05-26T12:19:57Z DEBUG HTTP connection destroyed (ipaserver.fisica.cabib) Traceback (most recent call last): File 
"/usr/lib/python3/dist-packages/ipaclient/remote_plugins/__init__.py", line 125, in get_package plugins = api._remote_plugins AttributeError: 'API' object has no attribute '_remote_plugins' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/ipalib/rpc.py", line 693, in single_request h = self.make_connection(host) File "/usr/lib/python3/dist-packages/ipalib/rpc.py", line 569, in make_connection conn.connect() File "/usr/lib/python3.10/http/client.py", line 1454, in connect self.sock = self._context.wrap_socket(self.sock, File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket return self.sslsocket_class._create( File "/usr/lib/python3.10/ssl.py", line 1070, in _create self.do_handshake() File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. 
(_ssl.c:997) 2022-05-26T12:19:57Z DEBUG Destroyed connection context.rpcclient_140612862196752 2022-05-26T12:19:57Z DEBUG File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception 
self.__parent._handle_exception(exc_info) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3/dist-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 3949, in main install(self) File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 2649, in install _install(options) File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 2966, in _install api.finalize() File "/usr/lib/python3/dist-packages/ipalib/plugable.py", line 759, in finalize self.__do_if_not_done('load_plugins') File "/usr/lib/python3/dist-packages/ipalib/plugable.py", line 438, in __do_if_not_done getattr(self, name)() File "/usr/lib/python3/dist-packages/ipalib/plugable.py", line 638, in load_plugins for package in self.packages: File "/usr/lib/python3/dist-packages/ipalib/__init__.py", line 
949, in packages ipaclient.remote_plugins.get_package(self), File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/__init__.py", line 133, in get_package plugins = schema.get_package(server_info, client) File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/schema.py", line 552, in get_package schema = Schema(client) File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/schema.py", line 401, in __init__ fingerprint, ttl = self._fetch(client, ignore_cache=read_failed) File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch schema = client.forward(u'schema', **kwargs)['result'] File "/usr/lib/python3/dist-packages/ipalib/rpc.py", line 1192, in forward raise NetworkError(uri=server, error=str(e)) 2022-05-26T12:19:57Z DEBUG The ipa-client-install command failed, exception: NetworkError: cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997) 2022-05-26T12:19:57Z ERROR cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997) 2022-05-26T12:19:57Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure