View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004984 | Rocky-Linux-9 | ipa | public | 2023-12-08 08:48 | 2024-01-08 23:21 |
Reporter | Sergei Ser | Assigned To | Louis Abel |
Priority | high | Severity | block | Reproducibility | always |
Status | needinfo | Resolution | open |
Summary | 0004984: ipa client 4.10.2 - Failed to obtain host TGT |

Description:

Hello!

- Rocky 9.3 and ipa-client 4.10.2 - I can't join the domain - ERROR Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication failed: Invalid argument
- Rocky 9.0, 9.1, 9.2 and ipa-client 4.10.2 - Joins the domain without problems

All credentials entered are correct.

2023-12-08T08:32:29Z INFO Please make sure the following ports are opened in the firewall settings:
    TCP: 80, 88, 389
    UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
    TCP: 464
    UDP: 464, 123 (if NTP enabled)
2023-12-08T08:32:29Z ERROR Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication failed: Invalid argument
2023-12-08T08:32:29Z ERROR Installation failed. Rolling back changes.
2023-12-08T08:32:29Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-12-08T08:32:29Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-12-08T08:32:29Z DEBUG Starting external process
2023-12-08T08:32:29Z DEBUG args=['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
2023-12-08T08:32:30Z DEBUG Process finished, return code=2
2023-12-08T08:32:30Z DEBUG stdout=IPA client is not configured on this system

Tags | No tags attached. |
Thank you for the report. In our own testing, we have been able to successfully join Rocky Linux 8.9/9.3, Fedora 39, CentOS Stream 8 and 9 to a 9.3 domain (ipa version 4.10.2-4.el9_3.1) without any issues.

Please provide the following information:

# IPA server
cat /etc/os-release
rpm -q krb5-libs
rpm -q ipa-server
rpm -q sssd
update-crypto-policies --show
grep <hostname of ipa client> /var/log/krb5kdc.log

# IPA client
Please attach a sanitized /var/log/ipaclient-install.log
# IPA server

1) cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

2) rpm -q krb5-libs
krb5-libs-1.15.1-46.el7.x86_64

3) rpm -q ipa-server
ipa-server-4.6.6-11.el7.centos.x86_64

4) rpm -q sssd
sssd-1.16.4-37.el7_8.3.x86_64

5) update-crypto-policies --show
not using

6) grep <hostname of ipa client> /var/log/krb5kdc.log
Dec 08 11:32:29 dc01 krb5kdc[2085](info): AS_REQ (4 etypes {20 19 18 17}) ip: NEEDED_PREAUTH: host/inf-my-tt@domain for krbtgt/domain@domain, Additional pre-authentication required
Dec 08 11:32:29 dc01 krb5kdc[2085](info): AS_REQ (4 etypes {20 19 18 17}) ip: NEEDED_PREAUTH: host/inf-my-tt@domain for krbtgt/domain@domain, Additional pre-authentication required

ipaclient-install.log (83,819 bytes)
2023-12-08T08:31:45Z DEBUG Logging to /var/log/ipaclient-install.log 2023-12-08T08:31:45Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'subid': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'pkinit_identity': None, 'pkinit_anchors': None, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False} 2023-12-08T08:31:45Z DEBUG IPA version 4.10.2-4.el9_3.1 2023-12-08T08:31:45Z DEBUG IPA platform rhel 2023-12-08T08:31:45Z DEBUG IPA os-release Rocky Linux 9.3 (Blue Onyx) 2023-12-08T08:31:45Z DEBUG Starting external process 2023-12-08T08:31:45Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-12-08T08:31:45Z DEBUG Process finished, return code=0 2023-12-08T08:31:45Z DEBUG stdout= 2023-12-08T08:31:45Z DEBUG stderr= 2023-12-08T08:31:45Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-12-08T08:31:45Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:45Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:45Z DEBUG Starting external process 2023-12-08T08:31:45Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ntpd.service'] 2023-12-08T08:31:45Z DEBUG Process finished, return code=1 
2023-12-08T08:31:45Z DEBUG stdout= 2023-12-08T08:31:45Z DEBUG stderr=Failed to get unit file state for ntpd.service: No such file or directory 2023-12-08T08:31:45Z DEBUG Starting external process 2023-12-08T08:31:45Z DEBUG args=['/bin/systemctl', 'is-active', 'ntpd.service'] 2023-12-08T08:31:45Z DEBUG Process finished, return code=3 2023-12-08T08:31:45Z DEBUG stdout=inactive 2023-12-08T08:31:45Z DEBUG stderr= 2023-12-08T08:31:45Z DEBUG Starting external process 2023-12-08T08:31:45Z DEBUG args=['/bin/systemctl', 'is-enabled', 'systemd-timesyncd.service'] 2023-12-08T08:31:45Z DEBUG Process finished, return code=1 2023-12-08T08:31:45Z DEBUG stdout= 2023-12-08T08:31:45Z DEBUG stderr=Failed to get unit file state for systemd-timesyncd.service: No such file or directory 2023-12-08T08:31:45Z DEBUG Starting external process 2023-12-08T08:31:45Z DEBUG args=['/bin/systemctl', 'is-active', 'systemd-timesyncd.service'] 2023-12-08T08:31:45Z DEBUG Process finished, return code=3 2023-12-08T08:31:45Z DEBUG stdout=inactive 2023-12-08T08:31:45Z DEBUG stderr= 2023-12-08T08:31:45Z DEBUG Starting external process 2023-12-08T08:31:45Z DEBUG args=['sudo', '-V'] 2023-12-08T08:31:45Z DEBUG Process finished, return code=0
2023-12-08T08:31:45Z DEBUG stderr= 2023-12-08T08:31:45Z DEBUG [IPA Discovery] 2023-12-08T08:31:45Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=inf-my-tt.domain 2023-12-08T08:31:45Z DEBUG Start searching for LDAP SRV record in "domain" (domain of the hostname) and its sub-domains 2023-12-08T08:31:45Z DEBUG Search DNS for SRV record of _ldap._tcp.domain 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 389 dc01.domain. 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 389 dc02.domain. 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 389 dc03-dmz.domain. 2023-12-08T08:31:45Z DEBUG [Kerberos realm search] 2023-12-08T08:31:45Z DEBUG Search DNS for TXT record of _kerberos.domain 2023-12-08T08:31:45Z DEBUG DNS record found: "domain" 2023-12-08T08:31:45Z DEBUG Search DNS for SRV record of _kerberos._udp.domain 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 88 dc01.domain. 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 88 dc03-dmz.domain.
2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 88 dc02.domain. 2023-12-08T08:31:45Z DEBUG [LDAP server check] 2023-12-08T08:31:45Z DEBUG Verifying that dc01.domain (realm domain) is an IPA server 2023-12-08T08:31:45Z DEBUG Init LDAP connection to: ldap://dc01.domain:389 2023-12-08T08:31:45Z DEBUG Search LDAP server for IPA base DN 2023-12-08T08:31:45Z DEBUG Check if naming context 'dc=ipa,dc=mont,dc=ru' is for IPA 2023-12-08T08:31:45Z DEBUG Naming context 'dc=ipa,dc=mont,dc=ru' is a valid IPA context 2023-12-08T08:31:45Z DEBUG Search for (objectClass=krbRealmContainer) in dc=ipa,dc=mont,dc=ru (sub) 2023-12-08T08:31:45Z DEBUG Found: cn=domain,cn=kerberos,dc=ipa,dc=mont,dc=ru 2023-12-08T08:31:45Z DEBUG Discovery result: Success; server=dc01.domain, domain=domain, kdc=dc01.domain,dc03-dmz.domain,dc02.domain, basedn=dc=ipa,dc=mont,dc=ru 2023-12-08T08:31:45Z DEBUG Validated servers: dc01.domain 2023-12-08T08:31:45Z DEBUG will use discovered domain: domain 2023-12-08T08:31:45Z DEBUG Start searching for LDAP SRV record in "domain" (Validating DNS Discovery) and its sub-domains 2023-12-08T08:31:45Z DEBUG Search DNS for SRV record of _ldap._tcp.domain 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 389 dc02.domain. 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 389 dc03-dmz.domain. 2023-12-08T08:31:45Z DEBUG DNS record found: 0 100 389 dc01.domain. 2023-12-08T08:31:45Z DEBUG DNS validated, enabling discovery 2023-12-08T08:31:45Z DEBUG will use discovered server: dc01.domain 2023-12-08T08:31:45Z INFO Discovery was successful! 
2023-12-08T08:31:47Z DEBUG will use discovered realm: domain 2023-12-08T08:31:47Z DEBUG will use discovered basedn: dc=ipa,dc=mont,dc=ru 2023-12-08T08:31:47Z INFO Client hostname: inf-my-tt.domain 2023-12-08T08:31:47Z DEBUG Hostname source: Machine's FQDN 2023-12-08T08:31:47Z INFO Realm: domain 2023-12-08T08:31:47Z DEBUG Realm source: Discovered from LDAP DNS records in dc01.domain 2023-12-08T08:31:47Z INFO DNS Domain: domain 2023-12-08T08:31:47Z DEBUG DNS Domain source: Discovered LDAP SRV records from domain (domain of the hostname) 2023-12-08T08:31:47Z INFO IPA Server: dc01.domain 2023-12-08T08:31:47Z DEBUG IPA Server source: Discovered from LDAP DNS records in dc01.domain 2023-12-08T08:31:47Z INFO BaseDN: dc=ipa,dc=mont,dc=ru 2023-12-08T08:31:47Z DEBUG BaseDN source: From IPA server ldap://dc01.domain:389 2023-12-08T08:31:48Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-12-08T08:31:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:48Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', 'domain'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=0 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr=Removing principal host/inf-my-tt.domain@domain 2023-12-08T08:31:48Z INFO Removed old keys for realm domain from /etc/krb5.keytab 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ntpd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=1 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr=Failed to get unit file state for ntpd.service: No such file or directory 2023-12-08T08:31:48Z DEBUG 
Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'is-active', 'ntpd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=3 2023-12-08T08:31:48Z DEBUG stdout=inactive 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'is-enabled', 'systemd-timesyncd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=1 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr=Failed to get unit file state for systemd-timesyncd.service: No such file or directory 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'is-active', 'systemd-timesyncd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=3 2023-12-08T08:31:48Z DEBUG stdout=inactive 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Search DNS for SRV record of _ntp._udp.domain 2023-12-08T08:31:48Z DEBUG DNS record found: 0 100 123 dc02.domain. 2023-12-08T08:31:48Z DEBUG DNS record found: 0 100 123 dc03-dmz.domain. 2023-12-08T08:31:48Z DEBUG DNS record found: 0 100 123 dc01.domain. 
2023-12-08T08:31:48Z DEBUG Found DNS record for NTP server: dc02.domain 2023-12-08T08:31:48Z DEBUG Found DNS record for NTP server: dc03-dmz.domain 2023-12-08T08:31:48Z DEBUG Found DNS record for NTP server: dc01.domain 2023-12-08T08:31:48Z INFO Synchronizing time 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'is-enabled', 'chronyd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=1 2023-12-08T08:31:48Z DEBUG stdout=disabled 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:48Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:31:48Z DEBUG Configuring chrony 2023-12-08T08:31:48Z DEBUG Setting time servers: 2023-12-08T08:31:48Z DEBUG 'dc02.domain' 2023-12-08T08:31:48Z DEBUG 'dc03-dmz.domain' 2023-12-08T08:31:48Z DEBUG 'dc01.domain' 2023-12-08T08:31:48Z DEBUG Backing up '/etc/chrony.conf' 2023-12-08T08:31:48Z DEBUG Backing up system configuration file '/etc/chrony.conf' 2023-12-08T08:31:48Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-12-08T08:31:48Z DEBUG Writing configuration to '/etc/chrony.conf' 2023-12-08T08:31:48Z INFO Configuration of chrony was changed by installer. 
2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=0 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/sbin/restorecon', '/etc/chrony.conf'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=0 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'enable', 'chronyd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=0 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr=Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service. 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'restart', 'chronyd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=0 2023-12-08T08:31:48Z DEBUG stdout= 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/bin/systemctl', 'is-active', 'chronyd.service'] 2023-12-08T08:31:48Z DEBUG Process finished, return code=0 2023-12-08T08:31:48Z DEBUG stdout=active 2023-12-08T08:31:48Z DEBUG stderr= 2023-12-08T08:31:48Z DEBUG Restart of chronyd.service complete 2023-12-08T08:31:48Z INFO Attempting to sync time with chronyc. 
2023-12-08T08:31:48Z DEBUG Starting external process 2023-12-08T08:31:48Z DEBUG args=['/usr/bin/chronyc', '-d', 'waitsync', '4', '0', '0', '3'] 2023-12-08T08:31:54Z DEBUG Process finished, return code=0 2023-12-08T08:31:54Z DEBUG stdout=try: 1, refid: 00000000, correction: 0.000000000, skew: 0.000 try: 2, refid: 00000000, correction: 0.000000000, skew: 0.000 try: 3, refid: 0A15FE16, correction: 0.411695391, skew: 53.477 2023-12-08T08:31:54Z DEBUG stderr=Resolved 127.0.0.1 to 127.0.0.1 Resolved ::1 to ::1 Could not remove /run/chrony/chronyc.98679.sock : No such file or directory Opened Unix socket fd=3 remote=/run/chrony/chronyd.sock local=/run/chrony/chronyc.98679.sock Sent data fd=3 len=104 Timeout 1.000000 seconds Received data fd=3 len=104 Reply cmd=33 reply=5 stat=0 Sent data fd=3 len=104 Timeout 1.000000 seconds Received data fd=3 len=104 Reply cmd=33 reply=5 stat=0 Sent data fd=3 len=104 Timeout 1.000000 seconds Received data fd=3 len=104 Reply cmd=33 reply=5 stat=0 2023-12-08T08:31:54Z INFO Time synchronization was successful. 
2023-12-08T08:32:15Z DEBUG will use principal provided as option: myuser 2023-12-08T08:32:15Z DEBUG Starting external process 2023-12-08T08:32:15Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-12-08T08:32:15Z DEBUG Process finished, return code=0 2023-12-08T08:32:15Z DEBUG stdout= 2023-12-08T08:32:15Z DEBUG stderr= 2023-12-08T08:32:15Z DEBUG Starting external process 2023-12-08T08:32:15Z DEBUG args=['/sbin/restorecon', '/etc/krb5.conf.d/freeipa'] 2023-12-08T08:32:15Z DEBUG Process finished, return code=0 2023-12-08T08:32:15Z DEBUG stdout= 2023-12-08T08:32:15Z DEBUG stderr= 2023-12-08T08:32:15Z DEBUG Starting external process 2023-12-08T08:32:15Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0'] 2023-12-08T08:32:15Z DEBUG Process finished, return code=0 2023-12-08T08:32:15Z DEBUG stdout=780631014 2023-12-08T08:32:15Z DEBUG stderr= 2023-12-08T08:32:15Z DEBUG Enabling persistent keyring CCACHE 2023-12-08T08:32:15Z DEBUG Writing Kerberos configuration to /tmp/tmpec_wcgxq: 2023-12-08T08:32:15Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ [libdefaults] default_realm = domain dns_lookup_realm = false rdns = false dns_canonicalize_hostname = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] domain = { kdc = dc01.domain:88 master_kdc = dc01.domain:88 admin_server = dc01.domain:749 kpasswd_server = dc01.domain:464 default_domain = domain pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .domain = domain domain = domain inf-my-tt.domain = domain 2023-12-08T08:32:15Z DEBUG Writing configuration file /tmp/tmpec_wcgxq 2023-12-08T08:32:15Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ [libdefaults] default_realm = domain dns_lookup_realm = false rdns = false dns_canonicalize_hostname = false dns_lookup_kdc = true ticket_lifetime = 24h 
forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] domain = { kdc = dc01.domain:88 master_kdc = dc01.domain:88 admin_server = dc01.domain:749 kpasswd_server = dc01.domain:464 default_domain = domain pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .domain = domain domain = domain inf-my-tt.domain = domain 2023-12-08T08:32:28Z DEBUG Initializing principal myuser@domain using password 2023-12-08T08:32:28Z DEBUG Starting external process 2023-12-08T08:32:28Z DEBUG args=['/usr/bin/kinit', 'myuser@domain', '-c', '/tmp/krbccry7zokx2/ccache'] 2023-12-08T08:32:28Z DEBUG Process finished, return code=0 2023-12-08T08:32:28Z DEBUG stdout=Password for myuser@domain: 2023-12-08T08:32:28Z DEBUG stderr= 2023-12-08T08:32:28Z DEBUG trying to retrieve CA cert via LDAP from dc01.domain 2023-12-08T08:32:28Z DEBUG retrieving schema for SchemaCache url=ldap://dc01.domain:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f826b83f670> 2023-12-08T08:32:29Z INFO Successfully retrieved CA cert Subject: CN=Certificate Authority,O=domain Issuer: CN=Certificate Authority,O=domain Valid From: 2018-12-14 10:48:38 Valid Until: 2038-12-14 10:48:38 2023-12-08T08:32:29Z DEBUG Starting external process 2023-12-08T08:32:29Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'dc01.domain', '-b', 'dc=ipa,dc=mont,dc=ru', '-h', 'inf-my-tt.domain', '-k', '/etc/krb5.keytab'] 2023-12-08T08:32:29Z DEBUG Process finished, return code=0 2023-12-08T08:32:29Z DEBUG stdout= 2023-12-08T08:32:29Z DEBUG stderr=Failed to parse result: Insufficient access rights Retrying with pre-4.0 keytab retrieval method... 
Failed to retrieve encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC (#18) Failed to retrieve encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC (#17) Keytab successfully retrieved and stored in: /etc/krb5.keytab 2023-12-08T08:32:29Z INFO Enrolled in IPA realm domain 2023-12-08T08:32:29Z DEBUG Starting external process 2023-12-08T08:32:29Z DEBUG args=['/usr/bin/kdestroy'] 2023-12-08T08:32:29Z DEBUG Process finished, return code=0 2023-12-08T08:32:29Z DEBUG stdout= 2023-12-08T08:32:29Z DEBUG stderr= 2023-12-08T08:32:29Z DEBUG Initializing principal host/inf-my-tt.domain@domain using keytab /etc/krb5.keytab 2023-12-08T08:32:29Z DEBUG using ccache /etc/ipa/.dns_ccache 2023-12-08T08:32:29Z INFO Please make sure the following ports are opened in the firewall settings: TCP: 80, 88, 389 UDP: 88 (at least one of TCP/UDP ports 88 has to be open) Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled) 2023-12-08T08:32:29Z ERROR Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication failed: Invalid argument 2023-12-08T08:32:29Z ERROR Installation failed. Rolling back changes. 
2023-12-08T08:32:29Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-12-08T08:32:29Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:29Z DEBUG Starting external process 2023-12-08T08:32:29Z DEBUG args=['/usr/sbin/ipa-client-automount', '--uninstall', '--debug'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=2 2023-12-08T08:32:30Z DEBUG stdout=IPA client is not configured on this system 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-12-08T08:32:30Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/nssdb', '-L', '-n', 'IPA Machine Certificate - inf-my-tt.domain', '-a', '-f', '/etc/pki/nssdb/pwdfile.txt'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=255 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - inf-my-tt.domain : PR_FILE_NOT_FOUND_ERROR: File not found 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout=active 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Start of certmonger.service complete 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'stop', 'certmonger.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 
2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Stop of certmonger.service complete 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'disable', 'certmonger.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'stop', 'oddjobd.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Stop of oddjobd.service complete 2023-12-08T08:32:30Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'disable', 'oddjobd.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z INFO Disabling client Kerberos and LDAP configurations 2023-12-08T08:32:30Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:30Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:30Z INFO Restoring client configuration files 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/sbin/restorecon', '/etc/chrony.conf'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 
2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-12-08T08:32:30Z DEBUG -> no files, removing file 2023-12-08T08:32:30Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'disable', 'nis-domainname.service'] 2023-12-08T08:32:30Z DEBUG Process finished, return code=0 2023-12-08T08:32:30Z DEBUG stdout= 2023-12-08T08:32:30Z DEBUG stderr= 2023-12-08T08:32:30Z DEBUG Starting external process 2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'list-unit-files', '--full'] 2023-12-08T08:32:31Z DEBUG Process finished, return code=0 2023-12-08T08:32:31Z DEBUG stdout=UNIT FILE STATE PRESET [...] 392 unit files listed. 2023-12-08T08:32:31Z DEBUG stderr= 2023-12-08T08:32:31Z INFO nscd daemon is not installed, skip configuration 2023-12-08T08:32:31Z DEBUG Starting external process 2023-12-08T08:32:31Z DEBUG args=['/bin/systemctl', 'list-unit-files', '--full'] 2023-12-08T08:32:31Z DEBUG Process finished, return code=0 2023-12-08T08:32:31Z DEBUG stdout=UNIT FILE STATE PRESET [...] 392 unit files listed. 2023-12-08T08:32:31Z DEBUG stderr= 2023-12-08T08:32:31Z INFO nslcd daemon is not installed, skip configuration 2023-12-08T08:32:31Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:31Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:31Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:31Z DEBUG Restoring system configuration file '/etc/chrony.conf' 2023-12-08T08:32:31Z DEBUG Configuration file /etc/chrony.conf was not restored. 2023-12-08T08:32:31Z DEBUG Starting external process 2023-12-08T08:32:31Z DEBUG args=['/bin/systemctl', 'stop', 'chronyd.service'] 2023-12-08T08:32:31Z DEBUG Process finished, return code=0 2023-12-08T08:32:31Z DEBUG stdout= 2023-12-08T08:32:31Z DEBUG stderr= 2023-12-08T08:32:31Z DEBUG Stop of chronyd.service complete 2023-12-08T08:32:31Z DEBUG Starting external process 2023-12-08T08:32:31Z DEBUG args=['/bin/systemctl', 'disable', 'chronyd.service'] 2023-12-08T08:32:31Z DEBUG Process finished, return code=0 2023-12-08T08:32:31Z DEBUG stdout= 2023-12-08T08:32:31Z DEBUG stderr=Removed "/etc/systemd/system/multi-user.target.wants/chronyd.service". 2023-12-08T08:32:31Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:31Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-12-08T08:32:31Z DEBUG -> no modules, removing file 2023-12-08T08:32:31Z INFO Client uninstall complete. 
2023-12-08T08:32:31Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run return cfgr.run() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next return next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure next(executor) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception self.__parent._handle_exception(exc_info) File 
"/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next return next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 4063, in main install(self) File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 2679, in install _install(options, dict()) File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 115, in inner func(options, tdict) File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 2934, in _install raise ScriptError(rval=CLIENT_INSTALL_ERROR) 2023-12-08T08:32:31Z DEBUG The ipa-client-install command failed, exception: ScriptError: 2023-12-08T08:32:31Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information |
|
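An added example, not part of the original report or of FreeIPA's code: a triage script for a flattened `ipaclient-install.log` like the one pasted above. It splits the run-together text back into entries, keeps the ERROR entries, and decodes the GSS-API major status (RFC 2744 bit layout) and the minor status as an MIT krb5 error-table code. The function names are hypothetical, the minor-code name map is deliberately partial, and the sample lines are copied from the log in this report.

```python
import re

# Sample lines copied from the log in this report, flattened onto one line
# the way the tracker page shows them.
SAMPLE = (
    "2023-12-08T08:32:29Z ERROR Failed to obtain host TGT: Major (458752): "
    "No credentials were supplied, or the credentials were unavailable or "
    "inaccessible, Minor (2529639122): Pre-authentication failed: Invalid argument "
    "2023-12-08T08:32:29Z ERROR Installation failed. Rolling back changes. "
    "2023-12-08T08:32:30Z DEBUG args=['/bin/systemctl', 'stop', 'oddjobd.service'] "
    "2023-12-08T08:32:30Z DEBUG Process finished, return code=0 "
    "2023-12-08T08:32:31Z INFO Client uninstall complete. "
    "2023-12-08T08:32:31Z ERROR The ipa-client-install command failed. "
    "See /var/log/ipaclient-install.log for more information"
)

# Every entry starts with "<UTC timestamp> <LEVEL> ".
ENTRY_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) "
)
GSS_RE = re.compile(r"Major \((\d+)\).*?Minor \((\d+)\)")

# GSS-API routine errors (RFC 2744): stored in bits 16-23 of the major status.
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}

# Assumption: the minor status comes from MIT krb5, whose main error table
# starts at this base. Partial name map, only pre-authentication codes.
KRB5_TABLE_BASE = -1765328384
KRB5_NAMES = {
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    210: "KRB5_PREAUTH_FAILED",
}


def split_entries(text):
    """Split flattened log text into (timestamp, level, message) tuples."""
    marks = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append((m.group(1), m.group(2), text[m.end():end].strip()))
    return entries


def decode_gss_major(major):
    """Break a GSS-API major status into its three RFC 2744 fields."""
    routine = (major >> 16) & 0xFF
    return {
        "calling_error": (major >> 24) & 0xFF,
        "routine_error": routine,
        "routine_name": ROUTINE_ERRORS.get(routine, "unknown"),
        "supplementary": major & 0xFFFF,
    }


def decode_krb5_minor(minor):
    """Reinterpret the unsigned minor status as a signed krb5 error code."""
    signed = minor - (1 << 32) if minor >= (1 << 31) else minor
    offset = signed - KRB5_TABLE_BASE
    in_table = 0 <= offset < 256
    return {
        "signed": signed,
        "offset": offset if in_table else None,
        "name": KRB5_NAMES.get(offset, "unmapped") if in_table else "not krb5",
    }


def triage(text):
    """Return the ERROR entries, with GSS/krb5 codes decoded where present."""
    findings = []
    for ts, level, msg in split_entries(text):
        if level != "ERROR":
            continue
        item = {"time": ts, "message": msg}
        m = GSS_RE.search(msg)
        if m:
            item["gss"] = decode_gss_major(int(m.group(1)))
            item["krb5"] = decode_krb5_minor(int(m.group(2)))
        findings.append(item)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The decoded codes restate the logged messages: the failure is a client-side pre-authentication error while obtaining the host TGT. The matching KDC-side reason is in `/var/log/krb5kdc.log` on the IPA server, which the first reply asks for.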
After some analysis, you may be running into Kerberos compatibility issues. Kerberos in 8 and 9 are 1.18.2-26 and 1.21.1-1 respectively. CentOS 7 sits firmly on 1.15.1-46 with no backports coming. There are some issues with PAC ticket signatures at the moment in 8 and 9, which may (or may not) be part of this issue. However, we cannot know for sure until patches are released upstream. When they are released upstream, it will trickle down to Rocky, which could eventually lead us to find out if this is indeed the (or part of the) issue. We will leave this ticket open until then. Side notes: As you are running on a soon-to-be end-of-life release (CentOS 7), we highly recommend planning on migrating to a newer version. This will require you to stand up EL8 systems and then decommission/remove the EL7 machines from the domain. The same operation would then need to be done if you're going to move to EL9. I recommend that you plan on moving all the way to EL9, as 8.10 arrives in May and it will be maintenance only after. See the following documentation: https://linuxguideandhints.com/el/freeipa/#server-migrationupgrade https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/index https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/index See the following tickets: https://issues.redhat.com/browse/RHEL-20442 https://pagure.io/freeipa/issue/9371 |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2023-12-08 08:48 | Sergei Ser | New Issue | |
2023-12-08 09:04 | Louis Abel | Assigned To | => Louis Abel |
2023-12-08 09:04 | Louis Abel | Status | new => needinfo |
2023-12-08 09:04 | Louis Abel | Note Added: 0005281 | |
2023-12-08 09:16 | Louis Abel | Note Edited: 0005281 | |
2023-12-08 11:00 | Sergei Ser | Note Added: 0005282 | |
2023-12-08 11:00 | Sergei Ser | File Added: ipaclient-install.log | |
2024-01-08 23:21 | Louis Abel | Note Added: 0005513 |