Hello there!
Ubuntu 18.04 (and previous ones) works just fine
In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails with:
root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be
disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was
provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo@FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
root@fisica75:~#
There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and cert is just fine.
Any ideas?
Thanks!
--
Gustavo Berman
2022-05-26T12:18:49Z DEBUG Logging to /var/log/ipaclient-install.log
2022-05-26T12:18:49Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2022-05-26T12:18:49Z DEBUG IPA version 4.9.8
2022-05-26T12:18:49Z DEBUG IPA platform debian
2022-05-26T12:18:49Z DEBUG IPA os-release Ubuntu 22.04 (Jammy Jellyfish)
2022-05-26T12:18:49Z DEBUG Starting external process
2022-05-26T12:18:49Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:18:49Z DEBUG Process execution failed
2022-05-26T12:18:49Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:18:49Z DEBUG Starting external process
2022-05-26T12:18:49Z DEBUG args=['sudo', '-V']
2022-05-26T12:18:49Z DEBUG Process finished, return code=0
2022-05-26T12:18:49Z DEBUG stdout=Sudo versión 1.9.9
Opciones de configuración: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --with-selinux --with-linux-audit --enable-tmpfiles.d=yes --without-lecture --with-tty-tickets --enable-admin-flag
versión del complemento de políticas de sudoers 1.9.9
versión de gramática del archivo Sudoers 48
Ruta de sudoers: /etc/sudoers
Métodos de autenticicación: 'pam'
Facilidad de syslog, cuando se usa syslog para el registro: authpriv
Prioridad de syslog a usarse cuando el usuario se autentifica con éxito: notice
Prioridad de syslog a usarse cuando el usuario no se autentifica con éxito: alert
Envía correo si la autenticicación de usuario falla
Envía correo si el usuario no está en sudoers
Da la charla al usuario la primera vez que use sudo
Requiere a los usuarios que por defecto se autentifiquen
Root puede usar sudo
Permite alguna recolección de datos para dar mensajes de error útiles
Requerir nombres de equipo plenamente-cualificados en el fichero sudoers
Visudo obedecerá a la variable de entorno EDITOR
Establece las variables de entorno LOGNAME y USER
Longitud a la cual enrollar las lineas del registro (0 para no enrollar): 80
Temporizador de la marca de tiempo de la autenticicación: 15,0 minutos
Temporizador de la solicitud de contraseña: 0,0 minutos
Número de intentos para introducir una contraseña: 3
Umask que debe usarse o 0777 para usar la del usuario: 022
Camino al programa de correo: /usr/sbin/sendmail
Banderas para el programa de correo: -t
Dirección a la que enviar el correo: root
Linea de tema a usar en los mensajes de correo: *** SECURITY information for %h ***
Mensaje de contraseña incorrecta: Lo siento, pruebe otra vez.
Camino al directorio de estado de las charlas: /var/lib/sudo/lectured
Camino al directorio de marcas de tiempo de las autenticaciones: /run/sudo/ts
Solicitud por omisión de contraseña: [sudo] contraseña para %p:
Usuario por omisión que se utilizará para ejecutar los comandos: root
Valor que substituirá al del usuario en el $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Camino al editor que se usará por visudo: /usr/bin/editor
Cuando se requiera una contraseña para la seudo orden «list»: any
Cuando se requiera una contraseña para la seudo orden «verify»: all
Descriptores de archivos>= 3 se cerrará antes de ejecutar una orden
Restablece el entorno a un conjunto predeterminado de variables
Environment variables to check for safety:
TZ
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Variables de entorno para eliminar:
*=()*
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
BASHOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Variables de entorno para preservar:
XAUTHORIZATION
XAUTHORITY
PS2
PS1
PATH
LS_COLORS
KRB5CCNAME
HOSTNAME
DPKG_COLORS
DISPLAY
COLORS
Local a usar mientras se analizan los sudoers: C
Comprimir los registros E/S usando zlib
Ejecutar las órdenes siempre en pseudo-tty
Directorio en el que se almacenan las entradas/salidas de los registros:/var/log/sudo-io
Archivo en el que se almacenan las entradas/salidas de los registros: %{seq}
Añadairuna entrada al achivo utpm/utpmx cuando se reserva una pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Intentar establecer credenciales de PAM para el usuario de destino
Crear una sesión de PAM nueva para el comando que se ejecutará en
Perform PAM account validation management
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo
Enable SELinux RBAC support
Path to the file that is created the first time sudo is run: ~/.sudo_as_admin_successful
The largest size core dump file that may be created (in bytes): 0,0
Dirección IP local y pares de máscara de red:
10.73.25.248/255.255.255.192
fe80::300e:ee9e:ed5:716c/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.9.9
Sudoers audit plugin version 1.9.9
2022-05-26T12:18:49Z DEBUG stderr=
2022-05-26T12:18:49Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'.
2022-05-26T12:18:49Z DEBUG [IPA Discovery]
2022-05-26T12:18:49Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=fisica75.fisica.cabib
2022-05-26T12:18:49Z DEBUG Start searching for LDAP SRV record in "fisica.cabib" (domain of the hostname) and its sub-domains
2022-05-26T12:18:49Z DEBUG Search DNS for SRV record of _ldap._tcp.fisica.cabib
2022-05-26T12:18:50Z DEBUG DNS record found: 0 100 389 ipaserver.fisica.cabib.
2022-05-26T12:18:50Z DEBUG [Kerberos realm search]
2022-05-26T12:18:50Z DEBUG Search DNS for TXT record of _kerberos.fisica.cabib
2022-05-26T12:18:50Z DEBUG DNS record found: "FISICA.CABIB"
2022-05-26T12:18:50Z DEBUG Search DNS for SRV record of _kerberos._udp.fisica.cabib
2022-05-26T12:18:50Z DEBUG DNS record found: 0 100 88 ipaserver.fisica.cabib.
2022-05-26T12:18:50Z DEBUG [LDAP server check]
2022-05-26T12:18:50Z DEBUG Verifying that ipaserver.fisica.cabib (realm FISICA.CABIB) is an IPA server
2022-05-26T12:18:50Z DEBUG Init LDAP connection to: ldap://ipaserver.fisica.cabib:389
2022-05-26T12:18:50Z DEBUG Search LDAP server for IPA base DN
2022-05-26T12:18:50Z DEBUG Check if naming context 'dc=fisica,dc=cabib' is for IPA
2022-05-26T12:18:50Z DEBUG Naming context 'dc=fisica,dc=cabib' is a valid IPA context
2022-05-26T12:18:50Z DEBUG Search for (objectClass=krbRealmContainer) in dc=fisica,dc=cabib (sub)
2022-05-26T12:18:50Z DEBUG Found: cn=FISICA.CABIB,cn=kerberos,dc=fisica,dc=cabib
2022-05-26T12:18:50Z DEBUG Discovery result: Success; server=ipaserver.fisica.cabib, domain=fisica.cabib, kdc=ipaserver.fisica.cabib, basedn=dc=fisica,dc=cabib
2022-05-26T12:18:50Z DEBUG Validated servers: ipaserver.fisica.cabib
2022-05-26T12:18:50Z DEBUG will use discovered domain: fisica.cabib
2022-05-26T12:18:50Z DEBUG Start searching for LDAP SRV record in "fisica.cabib" (Validating DNS Discovery) and its sub-domains
2022-05-26T12:18:50Z DEBUG Search DNS for SRV record of _ldap._tcp.fisica.cabib
2022-05-26T12:18:50Z DEBUG DNS record found: 0 100 389 ipaserver.fisica.cabib.
2022-05-26T12:18:50Z DEBUG DNS validated, enabling discovery
2022-05-26T12:18:50Z DEBUG will use discovered server: ipaserver.fisica.cabib
2022-05-26T12:18:50Z INFO Discovery was successful!
2022-05-26T12:18:57Z DEBUG will use discovered realm: FISICA.CABIB
2022-05-26T12:18:57Z DEBUG will use discovered basedn: dc=fisica,dc=cabib
2022-05-26T12:18:57Z INFO Client hostname: fisica75.fisica.cabib
2022-05-26T12:18:57Z DEBUG Hostname source: Machine's FQDN
2022-05-26T12:18:57Z INFO Realm: FISICA.CABIB
2022-05-26T12:18:57Z DEBUG Realm source: Discovered from LDAP DNS records in ipaserver.fisica.cabib
2022-05-26T12:18:57Z INFO DNS Domain: fisica.cabib
2022-05-26T12:18:57Z DEBUG DNS Domain source: Discovered LDAP SRV records from fisica.cabib (domain of the hostname)
2022-05-26T12:18:57Z INFO IPA Server: ipaserver.fisica.cabib
2022-05-26T12:18:57Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipaserver.fisica.cabib
2022-05-26T12:18:57Z INFO BaseDN: dc=fisica,dc=cabib
2022-05-26T12:18:57Z DEBUG BaseDN source: From IPA server ldap://ipaserver.fisica.cabib:389
2022-05-26T12:19:01Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Starting external process
2022-05-26T12:19:01Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', 'FISICA.CABIB']
2022-05-26T12:19:01Z DEBUG Process finished, return code=7
2022-05-26T12:19:01Z DEBUG stdout=
2022-05-26T12:19:01Z DEBUG stderr=Failed to set cursor 'No existe el archivo o el directorio'
2022-05-26T12:19:01Z DEBUG Starting external process
2022-05-26T12:19:01Z DEBUG args=['/usr/sbin/service', 'ntp', 'status', '']
2022-05-26T12:19:01Z DEBUG Process finished, return code=4
2022-05-26T12:19:01Z DEBUG stdout=
2022-05-26T12:19:01Z DEBUG stderr=Unit ntp.service could not be found.
2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:19:01Z DEBUG Search DNS for SRV record of _ntp._udp.fisica.cabib
2022-05-26T12:19:01Z DEBUG DNS record not found: NXDOMAIN
2022-05-26T12:19:01Z INFO Synchronizing time
2022-05-26T12:19:01Z WARNING No SRV records of NTP servers found and no NTP server or pool address was provided.
2022-05-26T12:19:01Z DEBUG Starting external process
2022-05-26T12:19:01Z DEBUG args=['/bin/systemctl', 'enable', 'chrony.service']
2022-05-26T12:19:02Z DEBUG Process finished, return code=0
2022-05-26T12:19:02Z DEBUG stdout=
2022-05-26T12:19:02Z DEBUG stderr=Synchronizing state of chrony.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable chrony
2022-05-26T12:19:02Z DEBUG Starting external process
2022-05-26T12:19:02Z DEBUG args=['/bin/systemctl', 'restart', 'chrony.service']
2022-05-26T12:19:03Z DEBUG Process finished, return code=0
2022-05-26T12:19:03Z DEBUG stdout=
2022-05-26T12:19:03Z DEBUG stderr=
2022-05-26T12:19:03Z DEBUG Starting external process
2022-05-26T12:19:03Z DEBUG args=['/bin/systemctl', 'is-active', 'chrony.service']
2022-05-26T12:19:03Z DEBUG Process finished, return code=0
2022-05-26T12:19:03Z DEBUG stdout=active
2022-05-26T12:19:03Z DEBUG stderr=
2022-05-26T12:19:03Z DEBUG Restart of chrony.service complete
2022-05-26T12:19:03Z INFO Attempting to sync time with chronyc.
2022-05-26T12:19:03Z DEBUG Starting external process
2022-05-26T12:19:03Z DEBUG args=['/usr/bin/chronyc', '-d', 'waitsync', '4', '0', '0', '3']
2022-05-26T12:19:12Z DEBUG Process finished, return code=0
2022-05-26T12:19:12Z DEBUG stdout=try: 1, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 2, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 3, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 4, refid: 0A4901E6, correction: 0.000018063, skew: 29.998
2022-05-26T12:19:12Z DEBUG stderr=
2022-05-26T12:19:12Z INFO Time synchronization was successful.
2022-05-26T12:19:14Z DEBUG will use principal provided as option: tavo
2022-05-26T12:19:14Z DEBUG Starting external process
2022-05-26T12:19:14Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:14Z DEBUG Process execution failed
2022-05-26T12:19:14Z DEBUG Starting external process
2022-05-26T12:19:14Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0']
2022-05-26T12:19:14Z DEBUG Process finished, return code=0
2022-05-26T12:19:14Z DEBUG stdout=927400826
2022-05-26T12:19:14Z DEBUG stderr=
2022-05-26T12:19:14Z DEBUG Enabling persistent keyring CCACHE
2022-05-26T12:19:14Z DEBUG Writing Kerberos configuration to /tmp/tmpe_voehkm:
2022-05-26T12:19:14Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = FISICA.CABIB
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FISICA.CABIB = {
kdc = ipaserver.fisica.cabib:88
master_kdc = ipaserver.fisica.cabib:88
admin_server = ipaserver.fisica.cabib:749
kpasswd_server = ipaserver.fisica.cabib:464
default_domain = fisica.cabib
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.fisica.cabib = FISICA.CABIB
fisica.cabib = FISICA.CABIB
fisica75.fisica.cabib = FISICA.CABIB
2022-05-26T12:19:14Z DEBUG Writing configuration file /tmp/tmpe_voehkm
2022-05-26T12:19:14Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = FISICA.CABIB
dns_lookup_realm = false
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FISICA.CABIB = {
kdc = ipaserver.fisica.cabib:88
master_kdc = ipaserver.fisica.cabib:88
admin_server = ipaserver.fisica.cabib:749
kpasswd_server = ipaserver.fisica.cabib:464
default_domain = fisica.cabib
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.fisica.cabib = FISICA.CABIB
fisica.cabib = FISICA.CABIB
fisica75.fisica.cabib = FISICA.CABIB
2022-05-26T12:19:55Z DEBUG Initializing principal tavo@FISICA.CABIB using password
2022-05-26T12:19:55Z DEBUG Starting external process
2022-05-26T12:19:55Z DEBUG args=['/usr/bin/kinit', 'tavo@FISICA.CABIB', '-c', '/tmp/krbccj_umtcb0/ccache']
2022-05-26T12:19:55Z DEBUG Process finished, return code=0
2022-05-26T12:19:55Z DEBUG stdout=Password for tavo@FISICA.CABIB:
2022-05-26T12:19:55Z DEBUG stderr=
2022-05-26T12:19:55Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.fisica.cabib
2022-05-26T12:19:55Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.fisica.cabib:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fe2ff1e1d80>
2022-05-26T12:19:56Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
2022-05-26T12:19:56Z DEBUG Starting external process
2022-05-26T12:19:56Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'ipaserver.fisica.cabib', '-b', 'dc=fisica,dc=cabib', '-h', 'fisica75.fisica.cabib', '-k', '/etc/krb5.keytab']
2022-05-26T12:19:56Z DEBUG Process finished, return code=0
2022-05-26T12:19:56Z DEBUG stdout=
2022-05-26T12:19:56Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
2022-05-26T12:19:56Z INFO Enrolled in IPA realm FISICA.CABIB
2022-05-26T12:19:56Z DEBUG Starting external process
2022-05-26T12:19:56Z DEBUG args=['/usr/bin/kdestroy']
2022-05-26T12:19:56Z DEBUG Process finished, return code=0
2022-05-26T12:19:56Z DEBUG stdout=
2022-05-26T12:19:56Z DEBUG stderr=
2022-05-26T12:19:56Z DEBUG Initializing principal host/fisica75.fisica.cabib@FISICA.CABIB using keytab /etc/krb5.keytab
2022-05-26T12:19:56Z DEBUG using ccache /etc/ipa/.dns_ccache
2022-05-26T12:19:57Z DEBUG Attempt 1/5: success
2022-05-26T12:19:57Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2022-05-26T12:19:57Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2022-05-26T12:19:57Z DEBUG Writing configuration file /etc/ipa/default.conf
2022-05-26T12:19:57Z DEBUG #File modified by ipa-client-install
[global]
basedn = dc=fisica,dc=cabib
realm = FISICA.CABIB
domain = fisica.cabib
server = ipaserver.fisica.cabib
host = fisica75.fisica.cabib
xmlrpc_uri = https://ipaserver.fisica.cabib/ipa/xml
enable_ra = True
2022-05-26T12:19:57Z INFO Created /etc/ipa/default.conf
2022-05-26T12:19:57Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2022-05-26T12:19:57Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2022-05-26T12:19:57Z DEBUG New SSSD config will be created
2022-05-26T12:19:57Z INFO Configured /etc/sssd/sssd.conf
2022-05-26T12:19:57Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2022-05-26T12:19:57Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:57Z DEBUG Process execution failed
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0']
2022-05-26T12:19:57Z DEBUG Process finished, return code=0
2022-05-26T12:19:57Z DEBUG stdout=927400826
2022-05-26T12:19:57Z DEBUG stderr=
2022-05-26T12:19:57Z DEBUG Enabling persistent keyring CCACHE
2022-05-26T12:19:57Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2022-05-26T12:19:57Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = FISICA.CABIB
dns_lookup_realm = true
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FISICA.CABIB = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.fisica.cabib = FISICA.CABIB
fisica.cabib = FISICA.CABIB
fisica75.fisica.cabib = FISICA.CABIB
2022-05-26T12:19:57Z DEBUG Writing configuration file /etc/krb5.conf
2022-05-26T12:19:57Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = FISICA.CABIB
dns_lookup_realm = true
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FISICA.CABIB = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.fisica.cabib = FISICA.CABIB
fisica.cabib = FISICA.CABIB
fisica75.fisica.cabib = FISICA.CABIB
2022-05-26T12:19:57Z INFO Configured /etc/krb5.conf for IPA realm FISICA.CABIB
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmpetyu20up', '-N', '-f', '/tmp/tmpetyu20up/pwdfile.txt', '-@', '/tmp/tmpetyu20up/pwdfile.txt']
2022-05-26T12:19:57Z DEBUG Process finished, return code=0
2022-05-26T12:19:57Z DEBUG stdout=
2022-05-26T12:19:57Z DEBUG stderr=
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:57Z DEBUG Process execution failed
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:57Z DEBUG Process execution failed
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:57Z DEBUG Process execution failed
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:57Z DEBUG Process execution failed
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:19:57Z DEBUG Process execution failed
2022-05-26T12:19:57Z DEBUG Starting external process
2022-05-26T12:19:57Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpetyu20up', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpetyu20up/pwdfile.txt']
2022-05-26T12:19:57Z DEBUG Process finished, return code=0
2022-05-26T12:19:57Z DEBUG stdout=
2022-05-26T12:19:57Z DEBUG stderr=
2022-05-26T12:19:57Z DEBUG failed to find session_cookie in persistent storage for principal 'host/fisica75.fisica.cabib@FISICA.CABIB'
2022-05-26T12:19:57Z DEBUG trying https://ipaserver.fisica.cabib/ipa/json
2022-05-26T12:19:57Z DEBUG Created connection context.rpcclient_140612862196752
2022-05-26T12:19:57Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipaserver.fisica.cabib/ipa/json'
2022-05-26T12:19:57Z DEBUG HTTP connection destroyed (ipaserver.fisica.cabib)
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/__init__.py", line 125, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/ipalib/rpc.py", line 693, in single_request
h = self.make_connection(host)
File "/usr/lib/python3/dist-packages/ipalib/rpc.py", line 569, in make_connection
conn.connect()
File "/usr/lib/python3.10/http/client.py", line 1454, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.10/ssl.py", line 1070, in _create
self.do_handshake()
File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
2022-05-26T12:19:57Z DEBUG Destroyed connection context.rpcclient_140612862196752
2022-05-26T12:19:57Z DEBUG File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 342, in run
return cfgr.run()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3/dist-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 3949, in main
install(self)
File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 2649, in install
_install(options)
File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 2966, in _install
api.finalize()
File "/usr/lib/python3/dist-packages/ipalib/plugable.py", line 759, in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python3/dist-packages/ipalib/plugable.py", line 438, in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python3/dist-packages/ipalib/plugable.py", line 638, in load_plugins
for package in self.packages:
File "/usr/lib/python3/dist-packages/ipalib/__init__.py", line 949, in packages
ipaclient.remote_plugins.get_package(self),
File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/__init__.py", line 133, in get_package
plugins = schema.get_package(server_info, client)
File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/schema.py", line 552, in get_package
schema = Schema(client)
File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/schema.py", line 401, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
File "/usr/lib/python3/dist-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
File "/usr/lib/python3/dist-packages/ipalib/rpc.py", line 1192, in forward
raise NetworkError(uri=server, error=str(e))
2022-05-26T12:19:57Z DEBUG The ipa-client-install command failed, exception: NetworkError: cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
2022-05-26T12:19:57Z ERROR cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
2022-05-26T12:19:57Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
