Hi, I seem to be having some issues trying to install the IPA client (version 4.4.0) on CentOS 7 using DNS.
I can get a working install by issuing the --server flag, but I would rather do it using SRV so we can issue the command via salt to multiple servers, and should we add another replicant, we will only need to update the SRV records rather than updating all our client servers.

I am running this command:

$> ipa-client-install --force-ntpd --mkhomedir --principal admin --realm=UK.INTERNAL.MYDOMAIN.COM --domain uk.internal.mydomain.com --unattended -w superhard

But I keep getting this:

Discovery was successful!
Client hostname: portalwaf2.uk
Realm: UK.INTERNAL.MYDOMAIN.COM
DNS Domain: freeipa.uk.internal.mydomain.com
IPA Server: ipa1.uk.internal.mydomain.com
BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
    Valid From:  Fri Feb 17 12:09:04 2017 UTC
    Valid Until: Tue Feb 17 12:09:04 2037 UTC

Enrolled in IPA realm UK.INTERNAL.MYDOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UK.INTERNAL.MYDOMAIN.COM
trying https://ipa1.uk.internal.mydomain.com/ipa/json
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3109, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2818, in install
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 413, in _fetch
    client.connect(verbose=False)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "UK.INTERNAL.MYDOMAIN.COM"

Installation log:

2017-03-02T15:38:32Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'freeipa.uk.internal.mydomain.com', 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': 'UK.INTERNAL.MYDOMAIN.COM', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': True, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': True, 'uninstall': False}
2017-03-02T15:38:32Z DEBUG missing options might be asked for interactively later
2017-03-02T15:38:32Z DEBUG IPA version 4.4.0-14.el7.centos.4
2017-03-02T15:38:32Z DEBUG [IPA Discovery]
2017-03-02T15:38:32Z DEBUG Starting IPA discovery with domain=freeipa.uk.internal.mydomain.com, servers=None, hostname=portalwaf2.uk
2017-03-02T15:38:32Z DEBUG Search for LDAP SRV record in freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._tcp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389 ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389 ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG [Kerberos realm search]
2017-03-02T15:38:32Z DEBUG Kerberos realm forced
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _kerberos._udp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 88 ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 88 ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG [LDAP server check]
2017-03-02T15:38:32Z DEBUG Verifying that ipa1.uk.internal.mydomain.com (realm UK.INTERNAL.MYDOMAIN.COM) is an IPA server
2017-03-02T15:38:32Z DEBUG Init LDAP connection to: ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Search LDAP server for IPA base DN
2017-03-02T15:38:32Z DEBUG Check if naming context 'dc=uk,dc=internal,dc=mydomain,dc=com' is for IPA
2017-03-02T15:38:32Z DEBUG Naming context 'dc=uk,dc=internal,dc=mydomain,dc=com' is a valid IPA context
2017-03-02T15:38:32Z DEBUG Search for (objectClass=krbRealmContainer) in dc=uk,dc=internal,dc=mydomain,dc=com (sub)
2017-03-02T15:38:32Z DEBUG Found: cn=UK.INTERNAL.MYDOMAIN.COM,cn=kerberos,dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z DEBUG Discovery result: Success; server=ipa1.uk.internal.mydomain.com, domain=freeipa.uk.internal.mydomain.com, kdc=ipa2.uk.internal.mydomain.com,ipa1.uk.internal.mydomain.com, basedn=dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z DEBUG Validated servers: ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG will use discovered domain: freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Start searching for LDAP SRV record in "freeipa.uk.internal.mydomain.com" (Validating DNS Discovery) and its sub-domains
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ldap._tcp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 389 ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 389 ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS validated, enabling discovery
2017-03-02T15:38:32Z DEBUG will use discovered server: ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO Discovery was successful!
2017-03-02T15:38:32Z DEBUG will use discovered realm: UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG will use discovered basedn: dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z INFO Client hostname: portalwaf2.uk
2017-03-02T15:38:32Z DEBUG Hostname source: Machine's FQDN
2017-03-02T15:38:32Z INFO Realm: UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Realm source: Discovered from LDAP DNS records in ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO DNS Domain: freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS Domain source: Discovered LDAP SRV records from freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO IPA Server: ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z INFO BaseDN: dc=uk,dc=internal,dc=mydomain,dc=com
2017-03-02T15:38:32Z DEBUG BaseDN source: From IPA server ldap://ipa1.uk.internal.mydomain.com:389
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Process finished, return code=5
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=realm not found
2017-03-02T15:38:32Z INFO Synchronizing time with KDC...
2017-03-02T15:38:32Z DEBUG Search DNS for SRV record of _ntp._udp.freeipa.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG DNS record found: 40 0 123 ipa2.uk.internal.mydomain.com.
2017-03-02T15:38:32Z DEBUG DNS record found: 60 0 123 ipa1.uk.internal.mydomain.com.
2017-03-02T15:38:32Z INFO Attempting to sync time using ntpd.  Will timeout after 15 seconds
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/timeout 15 /usr/sbin/ntpd -qgc /tmp/tmplUZ6sG
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=ntpd: time set -1.083636s
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=540282011
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE
2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /tmp/tmpEVHPqI:
2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = UK.INTERNAL.MYDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  UK.INTERNAL.MYDOMAIN.COM = {
    kdc = ipa1.uk.internal.mydomain.com:88
    master_kdc = ipa1.uk.internal.mydomain.com:88
    admin_server = ipa1.uk.internal.mydomain.com:749
    kpasswd_server = ipa1.uk.internal.mydomain.com:464
    default_domain = freeipa.uk.internal.mydomain.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
  freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
  portalwaf2.uk = UK.INTERNAL.MYDOMAIN.COM
  .uk = UK.INTERNAL.MYDOMAIN.COM
  uk = UK.INTERNAL.MYDOMAIN.COM

2017-03-02T15:38:32Z DEBUG Initializing principal ad...@uk.internal.mydomain.com using password
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/kinit ad...@uk.internal.mydomain.com -c /tmp/krbccxpYNsC/ccache
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=Password for ad...@uk.internal.mydomain.com:
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG trying to retrieve CA cert via LDAP from ipa1.uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG flushing ldap://ipa1.uk.internal.mydomain.com:389 from SchemaCache
2017-03-02T15:38:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa1.uk.internal.mydomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1fb8ab8>
2017-03-02T15:38:32Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=UK.INTERNAL.MYDOMAIN.COM
    Valid From:  Fri Feb 17 12:09:04 2017 UTC
    Valid Until: Tue Feb 17 12:09:04 2037 UTC

2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/sbin/ipa-join -s ipa1.uk.internal.mydomain.com -b dc=uk,dc=internal,dc=mydomain,dc=com -h portalwaf2.uk -f
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=UK.INTERNAL.MYDOMAIN.COM

2017-03-02T15:38:32Z INFO Enrolled in IPA realm UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=kdestroy
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Initializing principal host/portalwaf2...@uk.internal.mydomain.com using keytab /etc/krb5.keytab
2017-03-02T15:38:32Z DEBUG using ccache /etc/ipa/.dns_ccache
2017-03-02T15:38:32Z DEBUG Attempt 1/5: success
2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2017-03-02T15:38:32Z DEBUG   -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2017-03-02T15:38:32Z INFO Created /etc/ipa/default.conf
2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2017-03-02T15:38:32Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2017-03-02T15:38:32Z INFO New SSSD config will be created
2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'
2017-03-02T15:38:32Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-02T15:38:32Z INFO Configured sudoers in /etc/nsswitch.conf
2017-03-02T15:38:32Z INFO Configured /etc/sssd/sssd.conf
2017-03-02T15:38:32Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2017-03-02T15:38:32Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl get_persistent @s 0
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=540282011
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Enabling persistent keyring CCACHE
2017-03-02T15:38:32Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2017-03-02T15:38:32Z DEBUG #File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = UK.INTERNAL.MYDOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  UK.INTERNAL.MYDOMAIN.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
  freeipa.uk.internal.mydomain.com = UK.INTERNAL.MYDOMAIN.COM
  portalwaf2.uk = UK.INTERNAL.MYDOMAIN.COM
  .uk = UK.INTERNAL.MYDOMAIN.COM
  uk = UK.INTERNAL.MYDOMAIN.COM

2017-03-02T15:38:32Z INFO Configured /etc/krb5.conf for IPA realm UK.INTERNAL.MYDOMAIN.COM
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl search @s user ipa_session_cookie:host/portalwaf2...@uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Process finished, return code=1
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -N -f /tmp/tmp8JvkBZ
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=/usr/bin/certutil -d /tmp/tmpKqp0s3 -A -n CA certificate 1 -t C,,
2017-03-02T15:38:32Z DEBUG Process finished, return code=0
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=
2017-03-02T15:38:32Z DEBUG Starting external process
2017-03-02T15:38:32Z DEBUG args=keyctl search @s user ipa_session_cookie:host/portalwaf2...@uk.internal.mydomain.com
2017-03-02T15:38:32Z DEBUG Process finished, return code=1
2017-03-02T15:38:32Z DEBUG stdout=
2017-03-02T15:38:32Z DEBUG stderr=keyctl_search: Required key not available
2017-03-02T15:38:32Z DEBUG failed to find session_cookie in persistent storage for principal 'host/portalwaf2...@uk.internal.mydomain.com'
2017-03-02T15:38:32Z INFO trying https://ipa1.uk.internal.mydomain.com/ipa/json

Running ipa-getcert list returns:

Number of certificates and requests being tracked: 0.
DNS records:

; SRV record for FreeIPA
_kerberos.freeipa.uk               IN TXT "FREEIPA.UK.INTERNAL.MYDOMAIN.COM"
_ldap._tcp                         IN SRV 60 0 389 ipa1.uk
                                   IN SRV 40 0 389 ipa2.uk
_ldap._tcp.freeipa.uk              IN SRV 60 0 389 ipa1.uk
                                   IN SRV 40 0 389 ipa2.uk
_ldaps._tcp.freeipa.uk             IN SRV 60 0 636 ipa1.uk
                                   IN SRV 40 0 636 ipa2.uk
_kerberos._tcp.freeipa.uk          IN SRV 60 0 464 ipa1.uk
                                   IN SRV 40 0 464 ipa2.uk
_http._tcp.freeipa.uk              IN SRV 60 0 80 ipa1.uk
                                   IN SRV 40 0 80 ipa2.uk
_https._tcp.freeipa.uk             IN SRV 60 0 443 ipa1.uk
                                   IN SRV 40 0 442 ipa2.uk
_kerberos-adm._tcp.freeipa.uk      IN SRV 60 0 749 ipa1.uk
                                   IN SRV 40 0 749 ipa2.uk
_kerberos-master._udp.freeipa.uk   IN SRV 0 0 88 ipa1.uk
_kerberos._udp.freeipa.uk          IN SRV 60 0 88 ipa1.uk
                                   IN SRV 40 0 88 ipa2.uk
_kpasswd._udp.freeipa.uk           IN SRV 60 0 464 ipa1.uk
                                   IN SRV 40 0 464 ipa2.uk
_ntp._udp.freeipa.uk               IN SRV 60 0 123 ipa1.uk
                                   IN SRV 40 0 123 ipa2.uk

Not sure what I'm getting wrong.

--
Regards
Mick
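As an added example (not part of Mick's post or of FreeIPA's own code): an offline model of the DNS names that ipa-client-install discovery queries under the IPA DNS domain, and of the names libkrb5 queries for a KDC when /etc/krb5.conf has dns_lookup_kdc = true and no kdc entry under [realms], checked against a constructed zone modelled on the records above. It assumes the zone origin internal.mydomain.com and takes the realm UK.INTERNAL.MYDOMAIN.COM and the domain freeipa.uk.internal.mydomain.com from the post.

```python
# Added example, not from the original post: offline check of which DNS names
# a FreeIPA client and libkrb5 will ask for, against a constructed zone.
from typing import Dict, List, Tuple

# Constructed zone data modelled on the post's records (not a live lookup).
# Relative owner names and targets are completed with ZONE_ORIGIN, as a
# zone file would with $ORIGIN. The origin is an assumption.
ZONE_ORIGIN = "internal.mydomain.com"
ZONE_TEXT = """
_kerberos.freeipa.uk             IN TXT "FREEIPA.UK.INTERNAL.MYDOMAIN.COM"
_ldap._tcp.freeipa.uk            IN SRV 60 0 389 ipa1.uk
                                 IN SRV 40 0 389 ipa2.uk
_kerberos._tcp.freeipa.uk        IN SRV 60 0 464 ipa1.uk
                                 IN SRV 40 0 464 ipa2.uk
_kerberos._udp.freeipa.uk        IN SRV 60 0 88 ipa1.uk
                                 IN SRV 40 0 88 ipa2.uk
_kerberos-master._udp.freeipa.uk IN SRV 0 0 88 ipa1.uk
_kpasswd._udp.freeipa.uk         IN SRV 60 0 464 ipa1.uk
                                 IN SRV 40 0 464 ipa2.uk
"""

Record = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]    # absolute lower-cased name -> records


def fqdn(name: str, origin: str) -> str:
    """Absolute, lower-cased name without the trailing dot."""
    name = name.lower()
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin.lower()}"


def parse_zone(text: str, origin: str) -> Zone:
    """Minimal zone parser: 'owner IN TYPE rdata'; a leading blank reuses the owner."""
    zone: Zone = {}
    owner = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            fields = line.split()
        else:
            owner, *fields = line.split()
            owner = fqdn(owner, origin)
        if owner is None or len(fields) < 3 or fields[0].upper() != "IN":
            raise ValueError(f"unparseable zone line: {line!r}")
        zone.setdefault(owner, []).append((fields[1].upper(), " ".join(fields[2:])))
    return zone


def has_rr(zone: Zone, name: str, rrtype: str) -> bool:
    return any(t == rrtype for t, _ in zone.get(name.lower(), []))


def txt_realm(zone: Zone, domain: str) -> str:
    """Realm advertised by the _kerberos.<domain> TXT record, '' if absent."""
    for t, rdata in zone.get(f"_kerberos.{domain.lower()}", []):
        if t == "TXT":
            return rdata.strip('"')
    return ""


def ipa_discovery_lookups(domain: str) -> List[Tuple[str, str]]:
    """Names ipa-client-install discovery queries under the IPA DNS domain."""
    d = domain.lower()
    return [(f"_ldap._tcp.{d}", "SRV"), (f"_kerberos._udp.{d}", "SRV"),
            (f"_kerberos.{d}", "TXT")]


def krb5_kdc_lookups(realm: str) -> List[Tuple[str, str]]:
    """Names libkrb5 queries for a KDC with dns_lookup_kdc = true: they are
    derived from the realm name, not from the IPA DNS domain."""
    r = realm.lower()
    return [(f"_kerberos._udp.{r}", "SRV"), (f"_kerberos._tcp.{r}", "SRV")]


def check(zone: Zone, realm: str, domain: str) -> Dict[str, bool]:
    """Map each name the client will query to whether the zone answers it."""
    results: Dict[str, bool] = {}
    for name, rrtype in ipa_discovery_lookups(domain) + krb5_kdc_lookups(realm):
        results[f"{rrtype} {name}"] = has_rr(zone, name, rrtype)
    results["txt realm matches configured realm"] = (
        txt_realm(zone, domain).upper() == realm.upper())
    return results


if __name__ == "__main__":
    z = parse_zone(ZONE_TEXT, ZONE_ORIGIN)
    for query, ok in check(z, "UK.INTERNAL.MYDOMAIN.COM",
                           "freeipa.uk.internal.mydomain.com").items():
        print(f"{'OK     ' if ok else 'MISSING'} {query}")
```

On a real client the same names can be confirmed with dig; the two realm-derived SRV names are the ones that decide whether libkrb5 can find a KDC once dns_lookup_kdc = true replaces the explicit kdc line.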
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project