Discussion:
CentOS 6 Client installation stuck and doesn't complete
Rohan Talkar
2021-06-02 23:42:25 UTC
Hi Team,

We are migrating from our current Directory Service 389DS to FreeIPA. All our servers are at present authenticated by the 389DS server.

Our infra is hosted on AWS cloud. Please find below the setup of FreeIPA & client on which we are performing tests & getting the issue.

FreeIPA Servers
Primary Master Server = Region 1
Secondary Master Server = Region 2

OS = CentOS Linux release 8.3.2011
IPA Version = 4.8.7, API_VERSION: 2.239

FreeIPA Client
OS = CentOS release 6.9 (Final)
Kernel Version = Linux drxlceco6app01 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
IPA Client version = 3.0.0-51.el6.centos

Our DNS is managed from the "/etc/hosts" file by manually adding DNS entries of the server.

On the CentOS 6 client, installation gets stuck after SSSD setup completes. See the output below for details.

NOTE = For security reasons we have masked our domain name to "XYZ.com" & other details with capital "X".
========================================
case "$env" in
echo 'This is US DR'
This is US DR
++ hostname
ipa-client-install --mkhomedir --no-krb5-offline-passwords --hostname=drxlceco6app01.XYZ.com --force-join --fixed-primary --server=drxipaco8lds01.XYZ.com --server=prdipaco8ldm01.XYZ.com --domain XYZ.com --realm XYZ.COM
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: drxlceco6app01.XYZ.com
Realm: XYZ.COM
DNS Domain: XYZ.com
IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
BaseDN: dc=XYZ,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for ***@XYZ.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XYZ.COM
Issuer: CN=Certificate Authority,O=XYZ.COM
Valid From: Mon Apr 19 14:35:38 2021 UTC
Valid Until: Fri Apr 19 14:35:38 2041 UTC

Enrolled in IPA realm XYZ.COM
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XYZ.COM
trying https://prdipaco8ldm01.XYZ.com/ipa/xml
Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Hostname (drxlceco6app01.XYZ.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring XYZ.com as NIS domain

========================================
Current /etc/nsswitch.conf entries are as below.
========================================
passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

========================================
Complete client installation logs are as below.
========================================
2021-06-01T17:25:40Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'XYZ.com', 'force': False, 'realm_name': 'XYZ.COM', 'krb5_offline_passwords': False, 'primary': True, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'drxlceco6app01.XYZ.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file': None, 'server': ['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2021-06-01T17:25:40Z DEBUG missing options might be asked for interactively later
2021-06-01T17:25:40Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:25:40Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:25:40Z DEBUG [IPA Discovery]
2021-06-01T17:25:40Z DEBUG Starting IPA discovery with domain=XYZ.com, servers=['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'], hostname=drxlceco6app01.XYZ.com
2021-06-01T17:25:40Z DEBUG Server and domain forced
2021-06-01T17:25:40Z DEBUG [Kerberos realm search]
2021-06-01T17:25:40Z DEBUG Kerberos realm forced
2021-06-01T17:25:40Z DEBUG Search DNS for SRV record of _kerberos._udp.XYZ.com.
2021-06-01T17:25:40Z DEBUG No DNS record found
2021-06-01T17:25:40Z DEBUG SRV record for KDC not found! Domain: XYZ.com
2021-06-01T17:25:40Z DEBUG [LDAP server check]
2021-06-01T17:25:40Z DEBUG Verifying that drxipaco8lds01.XYZ.com (realm XYZ.COM) is an IPA server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://drxipaco8lds01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Verifying that prdipaco8ldm01.XYZ.com (realm XYZ.COM) is an IPA server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://prdipaco8ldm01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Generated basedn from realm: dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=XYZ.com, kdc=None, basedn=dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Validated servers: prdipaco8ldm01.XYZ.com,drxipaco8lds01.XYZ.com
2021-06-01T17:25:40Z DEBUG will use discovered domain: XYZ.com
2021-06-01T17:25:40Z DEBUG Using servers from command line, disabling DNS discovery
2021-06-01T17:25:40Z DEBUG will use provided server: drxipaco8lds01.XYZ.com, prdipaco8ldm01.XYZ.com
2021-06-01T17:25:40Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2021-06-01T17:25:40Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
2021-06-01T17:26:20Z DEBUG will use discovered realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG will use discovered basedn: dc=XYZ,dc=com
2021-06-01T17:26:20Z INFO Hostname: drxlceco6app01.XYZ.com
2021-06-01T17:26:20Z DEBUG Hostname source: Provided as option
2021-06-01T17:26:20Z INFO Realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG Realm source: Forced
2021-06-01T17:26:20Z INFO DNS Domain: XYZ.com
2021-06-01T17:26:20Z DEBUG DNS Domain source: Forced
2021-06-01T17:26:20Z INFO IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
2021-06-01T17:26:20Z DEBUG IPA Server source: Provided as option
2021-06-01T17:26:20Z INFO BaseDN: dc=XYZ,dc=com
2021-06-01T17:26:20Z DEBUG BaseDN source: Generated from Kerberos realm
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r XYZ.COM
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

2021-06-01T17:26:45Z DEBUG args=/bin/hostname drxlceco6app01.XYZ.com
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Backing up system configuration file '/etc/sysconfig/network'
2021-06-01T17:26:45Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/selinuxenabled
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:26:51Z DEBUG will use principal provided as option: admin
2021-06-01T17:26:51Z INFO Synchronizing time with KDC...
2021-06-01T17:26:51Z DEBUG Search DNS for SRV record of _ntp._udp.XYZ.com.
2021-06-01T17:26:51Z DEBUG No DNS record found
2021-06-01T17:26:55Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:55Z DEBUG stdout=
2021-06-01T17:26:55Z DEBUG stderr=
2021-06-01T17:26:59Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:59Z DEBUG stdout=
2021-06-01T17:26:59Z DEBUG stderr=
2021-06-01T17:27:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:27:03Z DEBUG stdout=
2021-06-01T17:27:03Z DEBUG stderr=
2021-06-01T17:27:03Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2021-06-01T17:27:03Z DEBUG Writing Kerberos configuration to /tmp/tmpGWIbHp:
2021-06-01T17:27:03Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = XYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0

[realms]
XYZ.COM = {
kdc = prdipaco8ldm01.XYZ.com:88
master_kdc = prdipaco8ldm01.XYZ.com:88
admin_server = prdipaco8ldm01.XYZ.com:749
kdc = drxipaco8lds01.XYZ.com:88
master_kdc = drxipaco8lds01.XYZ.com:88
admin_server = drxipaco8lds01.XYZ.com:749
default_domain = XYZ.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

}

[domain_realm]
.XYZ.com = XYZ.COM
XYZ.com = XYZ.COM

2021-06-01T17:27:07Z DEBUG args=kinit ***@XYZ.COM
2021-06-01T17:27:07Z DEBUG stdout=Password for ***@XYZ.COM:

2021-06-01T17:27:07Z DEBUG stderr=
2021-06-01T17:27:07Z DEBUG trying to retrieve CA cert via LDAP from ldap://prdipaco8ldm01.XYZ.com
2021-06-01T17:27:07Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XYZ.COM
Issuer: CN=Certificate Authority,O=XYZ.COM
Valid From: Mon Apr 19 14:35:38 2021 UTC
Valid Until: Fri Apr 19 14:35:38 2041 UTC

2021-06-01T17:27:08Z DEBUG args=/usr/sbin/ipa-join -s prdipaco8ldm01.XYZ.com -b dc=XYZ,dc=com -h drxlceco6app01.XYZ.com -f
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=Failed to retrieve encryption type Triple DES cbc mode with HMAC/sha1 (#16)
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=XYZ.COM

2021-06-01T17:27:08Z INFO Enrolled in IPA realm XYZ.COM
2021-06-01T17:27:08Z DEBUG args=kdestroy
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z INFO Attempting to get host TGT...
2021-06-01T17:27:08Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/***@XYZ.COM
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG Attempt 1/5 succeeded.
2021-06-01T17:27:08Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2021-06-01T17:27:08Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2021-06-01T17:27:08Z INFO Created /etc/ipa/default.conf
2021-06-01T17:27:08Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
2021-06-01T17:27:08Z DEBUG args=klist -V
2021-06-01T17:27:08Z DEBUG stdout=Kerberos 5 version 1.10.3

2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2021-06-01T17:27:09Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2021-06-01T17:27:09Z INFO New SSSD config will be created
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z INFO Configured sudoers in /etc/nsswitch.conf
2021-06-01T17:27:09Z INFO Configured /etc/sssd/sssd.conf
2021-06-01T17:27:09Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2021-06-01T17:27:09Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = XYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0

[realms]
XYZ.COM = {
kdc = prdipaco8ldm01.XYZ.com:88
master_kdc = prdipaco8ldm01.XYZ.com:88
admin_server = prdipaco8ldm01.XYZ.com:749
kdc = drxipaco8lds01.XYZ.com:88
master_kdc = drxipaco8lds01.XYZ.com:88
admin_server = drxipaco8lds01.XYZ.com:749
default_domain = XYZ.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

}

[domain_realm]
.XYZ.com = XYZ.COM
XYZ.com = XYZ.COM

2021-06-01T17:27:09Z INFO Configured /etc/krb5.conf for IPA realm XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/***@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available

2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/***@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available

2021-06-01T17:27:09Z DEBUG failed to find session_cookie in persistent storage for principal 'host/***@XYZ.COM'
2021-06-01T17:27:09Z INFO trying https://prdipaco8ldm01.XYZ.com/ipa/xml
2021-06-01T17:27:09Z DEBUG Created connection context.xmlclient
2021-06-01T17:27:09Z DEBUG raw: env(None, server=True)
2021-06-01T17:27:09Z DEBUG env(None, server=True, all=True)
2021-06-01T17:27:09Z INFO Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:09Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:09Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:09Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=XYZ.COM
Validity:
Not Before: Mon Apr 19 14:37:53 2021 UTC
Not After: Thu Apr 20 14:37:53 2023 UTC
Subject: CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent:
65537 (0x10001)
Signed Extensions: (7 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
Serial Number: None
General Names: [0 total]

Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://ipa-ca.XYZ.com/ca/ocsp

Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment

Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate

Name: CRL Distribution Points
Critical: False
CRL Distribution Points: [1 total]
Point [1]:
General Names: [1 total]
http://ipa-ca.XYZ.com/ipa/crl/MasterCRL.bin
Issuer: Directory Name: CN=Certificate Authority,O=ipaca
Reasons: ()

Name: Certificate Subject Key ID
Critical: False
Data:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX

Name: Certificate Subject Alt Name
Critical: False
Names:
prdipaco8ldm01.XYZ.com
ipa-ca.XYZ.com
HTTP/***@XYZ.COM
['[0]', '[1]']

Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (MD5):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Fingerprint (SHA1):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
2021-06-01T17:27:09Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2021-06-01T17:27:09Z DEBUG cert valid True for "CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM"
2021-06-01T17:27:09Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:09Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:09Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:09Z DEBUG received Set-Cookie 'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7;path=/ipa;httponly;secure;'
2021-06-01T17:27:09Z DEBUG storing cookie 'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7; Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal host/***@XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/***@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available

2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/***@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available

2021-06-01T17:27:09Z DEBUG args=keyctl padd user ipa_session_cookie:host/***@XYZ.COM @s
2021-06-01T17:27:09Z DEBUG stdout=915601519

2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z WARNING Hostname (drxlceco6app01.XYZ.com) not found in DNS
2021-06-01T17:27:09Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:09Z DEBUG
zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN A
send
update add drxlceco6app01.XYZ.com. 1200 IN A 10.111.5.11
send

2021-06-01T17:27:10Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:10Z DEBUG stdout=
2021-06-01T17:27:10Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/***@XYZ.COM not found in Kerberos database.

2021-06-01T17:27:10Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:10Z ERROR Failed to update DNS records.
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus start
2021-06-01T17:27:10Z DEBUG stdout=Starting system message bus:

2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus status
2021-06-01T17:27:10Z DEBUG stdout=messagebus (pid 1186) is running...

2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]

2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:10Z DEBUG stdout=certmonger (pid 1974) is running...

2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger stop
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: [ OK ]

2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:11Z DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]

2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:11Z DEBUG stdout=certmonger (pid 2063) is running...

2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/chkconfig certmonger on
2021-06-01T17:27:11Z DEBUG stdout=
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - drxlceco6app01.XYZ.com -N CN=drxlceco6app01.XYZ.com,O=XYZ.COM -K host/***@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=New signing request "20210601172712" added.

2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2021-06-01T17:27:12Z DEBUG raw: host_mod(u'drxlceco6app01.XYZ.com', ipasshpubkey=[u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ=='], updatedns=False)
2021-06-01T17:27:12Z DEBUG host_mod(u'drxlceco6app01.XYZ.com', random=False, ipasshpubkey=(u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ==',), rights=False, updatedns=False, all=False, raw=False, no_members=False)
2021-06-01T17:27:12Z INFO Forwarding 'host_mod' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:12Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:12Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:12Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:12Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:12Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:12Z DEBUG received Set-Cookie 'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs;path=/ipa;httponly;secure;'
2021-06-01T17:27:12Z DEBUG storing cookie 'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs; Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal host/***@XYZ.COM
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user ipa_session_cookie:host/***@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519

2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user ipa_session_cookie:host/***@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519

2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl pupdate 915601519
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Caught fault 4202 from server https://prdipaco8ldm01.XYZ.com/ipa/xml: no modifications to be performed
2021-06-01T17:27:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:12Z DEBUG zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN SSHFP
send
update add drxlceco6app01.XYZ.com. 1200 IN SSHFP 1 1 F6ABCFF542C5E35268387C2A53EBF83C5C6B0517
send

2021-06-01T17:27:12Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/***@XYZ.COM not found in Kerberos database.

2021-06-01T17:27:12Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:12Z WARNING Could not update DNS SSHFP records.
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd status
2021-06-01T17:27:12Z DEBUG stdout=nscd is stopped

2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd stop
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/chkconfig nscd off
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: [ OK ]
Starting oddjobd: [ OK ]

2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z INFO SSSD enabled
2021-06-01T17:27:15Z INFO Configuring XYZ.com as NIS domain
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname
2021-06-01T17:27:15Z DEBUG stdout=(none)

2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --update --nisdomain XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: [ OK ]

2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=
2021-06-01T17:27:15Z DEBUG stderr=

========================================
I am unable to understand what I am missing or what changes are required in the current config.

Any help / suggestions appreciated.

Regards,
Rohan
_______________________________________________
users mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/
Ed Greshko
2021-06-02 23:52:15 UTC
Post by Rohan Talkar
Any help / suggestions appreciated.
You may get better help by asking on the FreeIPA list.

https://lists.fedoraproject.org/archives/list/freeipa-***@lists.fedorahosted.org/

--
Remind me to ignore comments which aren't germane to the thread.
Fernando Cassia
2021-06-03 06:48:19 UTC
Post by Rohan Talkar
========================================
Complete client installation logs as below.
=======================
Any help / suggestions appreciated.
Post by Rohan Talkar
Regards,
Rohan
The only suggestion I have is...

DON'T DO THIS. Pasting huge logs decreases the readability of your posts
and my desire to help you.

You can paste small snippets of a few lines if there are certain statements
that caught your eye. Then refer to the full log via a link to pastebin or
a similar site. Pasting the entire log file is criminal.

Thanks
FC