Bug 1418596
Summary: | Respin ipa-server-docker container - 7.3.3 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Bašti <mbasti> |
Component: | ipa-server-container | Assignee: | Petr Vobornik <pvoborni> |
Status: | CLOSED ERRATA | QA Contact: | Nikhil Dehadrai <ndehadra> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.3 | CC: | mbabinsk, mbasti, mniranja |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-03-02 20:08:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Martin Bašti
2017-02-02 09:54:05 UTC
```
Versions:
===========
[root@ipaserver1 ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
    Version: 7.3.3 (2017-02-27 16:31:38)
    Commit: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5
    OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
    Version: 7.3.3 (2017-02-23 22:16:59)
    Commit: fbeed59bb47b14e32a6b28e13aaa1cad96e88188930a5bf880f949728b7f36ea
    OSName: rhel-atomic-host

[root@ipaserver1 ~]# atomic info ipadocker
Image Name: ipadocker
BZComponent: ipa-server-docker
Name: rhel7/ipa-server
RUN_OPTS_FILE: /var/lib/${NAME}/docker-run-opts
Release: 36
Version: 4.4.0
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-02-27T11:04:27.027814
com.redhat.build-host: ip-10-29-120-151.ec2.internal
com.redhat.component: ipa-server-docker
description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
distribution-scope: public
install: docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh
io.k8s.description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
io.k8s.display-name: Identity Management (IdM) for Linux
io.k8s.openshift.tags: Identity Management
io.openshift.tags: base rhel7
name: rhel7/ipa-server
release: 36
run: docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}
stop: docker stop ${NAME}
summary: Identity Management (IdM) for Linux provides centralized management of identities and policies for Atomic Host
uninstall: docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh
vcs-ref: 16e3edc9a83722fbc2646f8bfd8642a15706e4d5
vcs-type: git
vendor: Red Hat, Inc.
version: 4.4.0

[root@ipaserver1 ~]# docker load < docker-image-sha256:abe848fc1a959bda7a6855c23b02bb68e1fc958bb8fc56c928b52c384af3a22d.x86_64.tar.gz
827264d42df6: Loading layer [==================================================>] 202.3 MB/202.3 MB
9ca8c628d8e7: Loading layer [==================================================>] 10.24 kB/10.24 kB
e90eb4334236: Loading layer [==================================================>] 478.1 MB/478.1 MB
Loaded image: mbasti/ipa-server-docker:extras-rhel-7.3-docker-candidate-20170227110351
[root@ipaserver1 ~]# docker images
REPOSITORY                 TAG                                               IMAGE ID       CREATED       SIZE
mbasti/ipa-server-docker   extras-rhel-7.3-docker-candidate-20170227110351   f96b5cc687e6   5 hours ago   652.9 MB
[root@ipaserver1 ~]# docker tag f96b5cc687e6 ipadocker
[root@ipaserver1 ~]# docker images
REPOSITORY                 TAG                                               IMAGE ID       CREATED       SIZE
ipadocker                  latest                                            f96b5cc687e6   5 hours ago   652.9 MB
mbasti/ipa-server-docker   extras-rhel-7.3-docker-candidate-20170227110351   f96b5cc687e6   5 hours ago   652.9 MB
[root@ipaserver1 ~]#
[root@ipaserver1 ~]# mkdir /var/lib/ipadocker
[root@ipaserver1 ~]# cat /var/lib/ipadocker/ipa-server-install-options
--setup-dns
--ip-address=10.65.223.74
-r TESTRELM.TEST
-a Secret123
-p Secret123
--no-ntp
-U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

Warning: skipping DNS resolution of host ipaserver1.testrelm.test
The domain name has been determined based on the host name.

Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       ipaserver1.testrelm.test
IP address(es): 10.65.223.74
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.65.201.89
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [6/9]: creating a keytab for the machine
  [7/9]: adding the password extension to the directory
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: configure certmonger for renewals
  [9/21]: setting up httpd keytab
  [10/21]: setting up ssl
  [11/21]: importing CA certificates from LDAP
  [12/21]: setting up browser autoconfig
  [13/21]: publish CA cert
  [14/21]: clean up any existing httpd ccache
  [15/21]: configuring SELinux for httpd
  [16/21]: create KDC proxy user
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: restarting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipaserver1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaserver1.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipaserver1.testrelm.test/ipa/json'
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring testrelm.test as NIS domain.
Client configuration complete.
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

    3. Kerberos requires time synchronization between clients
       and servers for correct operation. You should consider enabling ntpd.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-update-self-ip-address.service to /usr/lib/systemd/system/ipa-server-update-self-ip-address.service.
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-upgrade.service to /usr/lib/systemd/system/ipa-server-upgrade.service.
Removed symlink /etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service.
FreeIPA server configured.

Run ipadocker container
======================
[root@ipaserver1 ~]# docker run --net=host -d --name ipadocker -v /var/lib/ipadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ipadocker
58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c

Process selinux labels
=========================
system_u:system_r:container_runtime_t:s0 root 18060 3733 0 22:19 ? 00:00:00 /usr/bin/docker-containerd-shim-current 58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c /var/run/docker/libcontainerd/58a1ad4e3644ce61838be
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18075 18060 0 22:19 ? 00:00:00 /usr/sbin/init --show-status=false
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18103 18075 0 22:19 ? 00:00:00 tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18115 18075 0 22:19 ? 00:00:00 /usr/lib/systemd/systemd-journald
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 dbus 18117 18075 0 22:19 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18127 18075 0 22:19 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18128 18075 0 22:19 ? 00:00:00 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18133 18075 6 22:19 ? 00:00:02 /usr/bin/python2 /usr/sbin/ipactl start
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18150 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18151 18075 0 22:19 ? 00:00:00 /usr/sbin/sssd -D -f
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18152 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18154 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18155 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18156 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18157 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18158 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18159 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18168 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18170 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18172 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18173 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18174 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18175 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18176 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18178 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18179 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 389 18324 18075 7 22:20 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18373 18075 0 22:20 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18377 18075 0 22:20 ? 00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 25 18387 18075 0 22:20 ? 00:00:00 /usr/sbin/named-pkcs11 -u named
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18397 18075 0 22:20 ? 00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18408 18075 4 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18410 18408 2 22:20 ? 00:00:00 /usr/libexec/nss_pcache 65538 off /etc/httpd/alias
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18411 18408 1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18412 18408 1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18413 18408 18 22:20 ? 00:00:00 (wsgi:ipa) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18414 18408 18 22:20 ? 00:00:00 (wsgi:ipa) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18415 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18416 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18417 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18418 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18419 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18422 18075 3 22:20 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
system_u:system_r:kernel_t:s0 root 18592 2 0 22:20 ? 00:00:00 [kworker/u2:3]
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 17 18593 18075 4 22:20 ? 00:00:00 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 18628 13567 0 22:20 pts/0 00:00:00 ps -efZ
```

Tried accessing ipaserver from another system using firefox and added user through web and cli

```
[root@ipaserver1 /]# id ipauser1
uid=1800200001(ipauser1) gid=1800200001(ipauser1) groups=1800200001(ipauser1)
[root@ipaserver1 /]# ipa userad^C
[root@ipaserver1 /]# kinit admin
Password for admin:
[root@ipaserver1 /]# ipa user-add
First name: ipa
Last name: user2
User login [iuser2]: ipauser2
---------------------
Added user "ipauser2"
---------------------
  User login: ipauser2
  First name: ipa
  Last name: user2
  Full name: ipa user2
  Display name: ipa user2
  Initials: iu
  Home directory: /home/ipauser2
  GECOS: ipa user2
  Login shell: /bin/sh
  Principal name: ipauser2
  Principal alias: ipauser2
  Email address: ipauser2
  UID: 1800200003
  GID: 1800200003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@ipaserver1 ~]# docker exec -it ipadocker kdestroy
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin:
kinit: Password incorrect while getting initial credentials
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin:
[root@ipaserver1 ~]# docker exec -it ipadocker ipa user-add ipauser3
First name: ipa
Last name: user3
---------------------
Added user "ipauser3"
---------------------
  User login: ipauser3
  First name: ipa
  Last name: user3
  Full name: ipa user3
  Display name: ipa user3
  Initials: iu
  Home directory: /home/ipauser3
  GECOS: ipa user3
  Login shell: /bin/sh
  Principal name: ipauser3
  Principal alias: ipauser3
  Email address: ipauser3
  UID: 1800200004
  GID: 1800200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@ipaserver1 ~]# docker exec -it ipadocker ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipaserver1 ~]# docker exec -it ipadocker ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@ipaserver1 ~]# docker exec -it ipadocker ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying https://ipaserver1.testrelm.test/ipa/json Forwarding 'schema' to json server 'https://ipaserver1.testrelm.test/ipa/json' trying https://ipaserver1.testrelm.test/ipa/json Forwarding 'ping' to json server 'https://ipaserver1.testrelm.test/ipa/json' Forwarding 'ca_is_enabled' to json server 'https://ipaserver1.testrelm.test/ipa/json' Systemwide CA database updated. SSSD enabled Configured /etc/openldap/ldap.conf /etc/ssh/ssh_config not found, skipping configuration /etc/ssh/sshd_config not found, skipping configuration Configuring testrelm.test as NIS domain. Client configuration complete. ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. 3. Kerberos requires time synchronization between clients and servers for correct operation. You should consider enabling ntpd. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-update-self-ip-address.service to /usr/lib/systemd/system/ipa-server-update-self-ip-address.service. Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-upgrade.service to /usr/lib/systemd/system/ipa-server-upgrade.service. Removed symlink /etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service. FreeIPA server configured. 
Run ipadocker container
======================
[root@ipaserver1 ~]# docker run --net=host -d --name ipadocker -v /var/lib/ipadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ipadocker
58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c

Process selinux labels
=========================
system_u:system_r:container_runtime_t:s0 root 18060 3733 0 22:19 ? 00:00:00 /usr/bin/docker-containerd-shim-current 58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c /var/run/docker/libcontainerd/58a1ad4e3644ce61838be
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18075 18060 0 22:19 ? 00:00:00 /usr/sbin/init --show-status=false
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18103 18075 0 22:19 ? 00:00:00 tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18115 18075 0 22:19 ? 00:00:00 /usr/lib/systemd/systemd-journald
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 dbus 18117 18075 0 22:19 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18127 18075 0 22:19 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18128 18075 0 22:19 ? 00:00:00 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18133 18075 6 22:19 ? 00:00:02 /usr/bin/python2 /usr/sbin/ipactl start
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18150 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18151 18075 0 22:19 ? 00:00:00 /usr/sbin/sssd -D -f
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18152 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18154 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18155 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18156 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18157 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18158 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18159 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18168 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18170 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18172 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18173 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18174 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18175 18151 0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18176 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18178 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18179 18127 0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 389 18324 18075 7 22:20 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18373 18075 0 22:20 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18377 18075 0 22:20 ? 00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 25 18387 18075 0 22:20 ? 00:00:00 /usr/sbin/named-pkcs11 -u named
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18397 18075 0 22:20 ? 00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18408 18075 4 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18410 18408 2 22:20 ? 00:00:00 /usr/libexec/nss_pcache 65538 off /etc/httpd/alias
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18411 18408 1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18412 18408 1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18413 18408 18 22:20 ? 00:00:00 (wsgi:ipa) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18414 18408 18 22:20 ? 00:00:00 (wsgi:ipa) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18415 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18416 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18417 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18418 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18419 18408 3 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18422 18075 3 22:20 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
system_u:system_r:kernel_t:s0 root 18592 2 0 22:20 ? 00:00:00 [kworker/u2:3]
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 17 18593 18075 4 22:20 ? 00:00:00 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 18628 13567 0 22:20 pts/0 00:00:00 ps -efZ

Tried accessing ipaserver from another system using firefox and added user through web and cli

[root@ipaserver1 /]# id ipauser1
uid=1800200001(ipauser1) gid=1800200001(ipauser1) groups=1800200001(ipauser1)
[root@ipaserver1 /]# ipa userad^C
[root@ipaserver1 /]# kinit admin
Password for admin:
[root@ipaserver1 /]# ipa user-add
First name: ipa
Last name: user2
User login [iuser2]: ipauser2
---------------------
Added user "ipauser2"
---------------------
  User login: ipauser2
  First name: ipa
  Last name: user2
  Full name: ipa user2
  Display name: ipa user2
  Initials: iu
  Home directory: /home/ipauser2
  GECOS: ipa user2
  Login shell: /bin/sh
  Principal name: ipauser2
  Principal alias: ipauser2
  Email address: ipauser2
  UID: 1800200003
  GID: 1800200003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@ipaserver1 ~]# docker exec -it ipadocker kdestroy
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin:
kinit: Password incorrect while getting initial credentials
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin:
[root@ipaserver1 ~]# docker exec -it ipadocker ipa user-add ipauser3
First name: ipa
Last name: user3
---------------------
Added user "ipauser3"
---------------------
  User login: ipauser3
  First name: ipa
  Last name: user3
  Full name: ipa user3
  Display name: ipa user3
  Initials: iu
  Home directory: /home/ipauser3
  GECOS: ipa user3
  Login shell: /bin/sh
  Principal name: ipauser3
  Principal alias: ipauser3
  Email address: ipauser3
  UID: 1800200004
  GID: 1800200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

===================
Replica installation
-----------------
[root@ipareplica1 ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.3 (2017-02-27 16:31:38)
              Commit: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5
              OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.2-1 (2017-02-20 17:26:48)
              Commit: 69a74a4ed6954492a7c82279f6efe59bffb8952e95577f8359a6717d57a36774
              OSName: rhel-atomic-host

[root@ipareplica1 ~]# atomic info replicadocker
Image Name: replicadocker
BZComponent: ipa-server-docker
Name: rhel7/ipa-server
RUN_OPTS_FILE: /var/lib/${NAME}/docker-run-opts
Release: 36
Version: 4.4.0
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-02-27T11:04:27.027814
com.redhat.build-host: ip-10-29-120-151.ec2.internal
com.redhat.component: ipa-server-docker
description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
distribution-scope: public
install: docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh
io.k8s.description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
io.k8s.display-name: Identity Management (IdM) for Linux
io.k8s.openshift.tags: Identity Management
io.openshift.tags: base rhel7
name: rhel7/ipa-server
release: 36
run: docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}
stop: docker stop ${NAME}
summary: Identity Management (IdM) for Linux provides centralized management of identities and policies for Atomic Host
uninstall: docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh
vcs-ref: 16e3edc9a83722fbc2646f8bfd8642a15706e4d5
vcs-type: git
vendor: Red Hat, Inc

[root@ipareplica1 ~]# cat /var/lib/replicadocker/ipa-replica-install-options
--setup-dns --forwarder=10.65.201.89 --setup-ca --server ipaserver1.testrelm.test --domain testrelm.test --admin-password Secret123 --principal admin -U

[root@ipareplica1 ~]# atomic install --name replicadocker replicadocker net-host ipa-replica-install
docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/replicadocker -e NAME=replicadocker -e IMAGE=replicadocker replicadocker /bin/install.sh net-host ipa-replica-install
+ chroot /host /usr/bin/docker run -ti --rm --name replicadocker -e NAME=replicadocker -e IMAGE=replicadocker -v /var/lib/replicadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro --net=host replicadocker exit-on-finished ipa-replica-install
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Set hostname to <ipareplica1.testrelm.test>.
Initializing machine ID from random generator.
Mon Feb 27 23:17:11 UTC 2017 /usr/sbin/ipa-server-configure-first
Configuring client side components
Client hostname: ipareplica1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaserver1.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Mon Feb 27 22:13:19 2017 UTC
    Valid Until: Fri Feb 27 22:13:19 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipaserver1.testrelm.test/ipa/json'
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Systemwide CA database updated.
Hostname (ipareplica1.testrelm.test) does not have A/AAAA record.
ipa         : ERROR    The IP address 10.65.223.74 of host ipaserver1.testrelm.test resolves to: dhcp223-74.pnq.redhat.com.. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded

  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/20]: setting mod_nss port to 443
  [2/20]: setting mod_nss cipher suite
  [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/20]: setting mod_nss password file
  [5/20]: enabling mod_nss renegotiate
  [6/20]: adding URL rewriting rules
  [7/20]: configuring httpd
  [8/20]: configure certmonger for renewals
  [9/20]: setting up httpd keytab
  [10/20]: setting up ssl
  [11/20]: importing CA certificates from LDAP
  [12/20]: publish CA cert
  [13/20]: clean up any existing httpd ccache
  [14/20]: configuring SELinux for httpd
  [15/20]: create KDC proxy user
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: restarting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/26]: creating certificate server user
  [2/26]: creating certificate server db
  [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [4/26]: creating installation admin user
  [5/26]: setting up certificate server
  [6/26]: stopping instance to update CS.cfg
  [7/26]: backing up CS.cfg
  [8/26]: disabling nonces
  [9/26]: set up CRL publishing
  [10/26]: enable PKIX certificate path discovery and validation
  [11/26]: set up client auth to db
  [12/26]: destroying installation admin user
  [13/26]: Ensure lightweight CAs container exists
  [14/26]: Configure lightweight CA key retrieval
  [15/26]: starting instance
  [16/26]: importing CA chain to RA certificate database
  [17/26]: fixing RA database permissions
  [18/26]: setting up signing cert profile
  [19/26]: setting audit signing renewal to 2 years
  [20/26]: configure certificate renewals
  [21/26]: configure Server-Cert certificate renewal
  [22/26]: Configure HTTP to proxy connections
  [23/26]: updating IPA configuration
  [24/26]: Restart HTTP server to pick up changes
  [25/26]: enabling CA instance
  [26/26]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring DNS (named)
  [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-update-self-ip-address.service to /usr/lib/systemd/system/ipa-server-update-self-ip-address.service.
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-upgrade.service to /usr/lib/systemd/system/ipa-server-upgrade.service.
Removed symlink /etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service.
FreeIPA server configured.

Start replica ipa process
============================
[root@ipareplica1 ~]# docker run --net=host -d --name replicadocker -v /var/lib/replicadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro replicadocker
f5e888ccf2911a3816b4a35f1beedf19ecb0e307640b24618bddc980d768a439

Selinux labels of ipa process:
============================
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17126 17098 0 23:24 ? 00:00:00 tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17140 17098 0 23:24 ? 00:00:00 /usr/lib/systemd/systemd-journald
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 dbus 17141 17098 0 23:24 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17151 17098 0 23:24 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17152 17098 0 23:24 ? 00:00:00 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17156 17098 7 23:24 ? 00:00:02 /usr/bin/python2 /usr/sbin/ipactl start
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17171 17098 0 23:24 ? 00:00:00 /usr/sbin/sssd -D -f
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17172 17171 0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17176 17151 0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17179 17151 0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17180 17151 0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17181 17151 0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17182 17151 0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17193 17171 0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17194 17171 0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17195 17171 0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17196 17171 0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 389 17329 17098 19 23:24 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17379 6447 0 23:24 pts/0 00:00:00 ps -efZ

----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa user-find ipauser1
--------------
1 user matched
--------------
  User login: ipauser1
  First name: ipauser1
  Last name: user1
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 1800200001
  GID: 1800200001
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa user-find ipauser2
--------------
1 user matched
--------------
  User login: ipauser2
  First name: ipa
  Last name: user2
  Home directory: /home/ipauser2
  Login shell: /bin/sh
  Principal name: ipauser2
  Principal alias: ipauser2
  Email address: ipauser2
  UID: 1800200003
  GID: 1800200003
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa user-find ipauser3
--------------
1 user matched
--------------
  User login: ipauser3
  First name: ipa
  Last name: user3
  Home directory: /home/ipauser3
  Login shell: /bin/sh
  Principal name: ipauser3
  Principal alias: ipauser3
  Email address: ipauser3
  UID: 1800200004
  GID: 1800200004
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa host-find
---------------
2 hosts matched
---------------
  Host name: ipareplica1.testrelm.test
  Principal name: host/ipareplica1.testrelm.test
  Principal alias: host/ipareplica1.testrelm.test

  Host name: ipaserver1.testrelm.test
  Principal name: host/ipaserver1.testrelm.test
  Principal alias: host/ipaserver1.testrelm.test
----------------------------
Number of entries returned 2
----------------------------

client enrollment to ipa-master
----------------------------
[root@client1 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipareplica1.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin:
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Mon Feb 27 22:13:19 2017 UTC
    Valid Until: Fri Feb 27 22:13:19 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://ipareplica1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipareplica1.testrelm.test/ipa/json'
trying https://ipareplica1.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://ipareplica1.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipareplica1.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (client1.testrelm.test) does not have A/AAAA record.
Missing reverse record(s) for address(es): 2620:52:0:1322:221:5eff:fe20:333e.
Incorrect reverse record(s):
 10.19.34.76 is pointing to qe-blade-06.idmqe.lab.eng.bos.redhat.com. instead of client1.testrelm.test.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipareplica1.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

[root@client1 ~]# id ipauser1
uid=1800200001(ipauser1) gid=1800200001(ipauser1) groups=1800200001(ipauser1)

Login as ipa user ipauser1 on client ipaclient1.testrelm.test
[root@client1 ~]# ssh ipauser1@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is e2:b1:51:3b:80:99:c2:1a:dc:40:44:3c:2e:d2:66:52.
Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. Password: Password expired. Change your password now. Current Password: New password: Retype new password: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** This System is reserved by mniranja. To return this system early. You can run the command: return2beaker.sh Ensure you have your logs off the system before returning to Beaker To extend your reservation time. You can run the command: extendtesttime.sh This is an interactive script. You will be prompted for how many hours you would like to extend the reservation. You should verify the watchdog was updated succesfully after you extend your reservation. https://beaker.engineering.redhat.com/recipes/3568517 For ssh, kvm, serial and power control operations please look here: https://beaker.engineering.redhat.com/view/qe-blade-06.idmqe.lab.eng.bos.redhat.com For the default root password, see: https://beaker.engineering.redhat.com/prefs/ Beaker Test information: HOSTNAME=qe-blade-06.idmqe.lab.eng.bos.redhat.com JOBID=1738337 RECIPEID=3568517 RESULT_SERVER=[::1]:7090 DISTRO=RHEL-7.3-updates-20170207.0 ARCHITECTURE=x86_64 Job Whiteboard: Recipe Whiteboard: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** Could not chdir to home directory /home/ipauser1: No such file or directory Is any action required from developers side? I see huge comments but I'm not sure if there is any question hidden or something. There is no action required from developers, The comments were the tests that i have ran, Moving it to verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0420 |
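The `ps -efZ` listing in the verification comment above shows every IPA service inside the container (certmonger helpers, the sssd responders, ns-slapd) running in the container's SELinux context, type `svirt_lxc_net_t` with MCS categories `c198,c402`, while only the `ps` invocation itself runs as `unconfined_t`. The script below is an added example and is not part of the bug report or of the ipa-server-docker image: it audits such a listing and flags any process whose type or MCS category pair differs from the container's, which is the check to run before concluding that a containerized IPA server is actually confined. The expected type and category pair are copied from the listing above and are an assumption for this example (read them from the live container in practice); the sample input is constructed from three records quoted in the bug.

```shell
#!/bin/sh
# Added example (not from the bug report or the ipa-server-docker image):
# audit a `ps -efZ` listing and flag processes that are not running in the
# container's SELinux context (type + MCS category pair).
#
# Expected values are an assumption for this example, copied from the
# listing quoted in the bug; override them via the environment.
EXPECTED_TYPE="${EXPECTED_TYPE:-svirt_lxc_net_t}"
EXPECTED_MCS="${EXPECTED_MCS:-s0:c198,c402}"

# check_labels: read `ps -efZ` output on stdin (header line optional) and
# print one line per process whose context type or MCS range differs from
# the expected ones. Exit status is 0 when every process is confined,
# 1 otherwise.
check_labels() {
    awk -v want_type="$EXPECTED_TYPE" -v want_mcs="$EXPECTED_MCS" '
        NR == 1 && $1 == "LABEL" { next }   # skip the ps header if present
        NF < 9 { next }                      # skip blank or truncated lines
        {
            # ps -efZ columns: LABEL UID PID PPID C STIME TTY TIME CMD...
            n = split($1, ctx, ":")          # user:role:type:level[:categories]
            ctype = ctx[3]
            mcs = ctx[4]
            for (i = 5; i <= n; i++) mcs = mcs ":" ctx[i]
            cmd = $9
            for (i = 10; i <= NF; i++) cmd = cmd " " $i
            if (ctype != want_type || mcs != want_mcs) {
                printf "NOT CONFINED pid=%s uid=%s ctx=%s cmd=%s\n", $3, $2, $1, cmd
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# count_unconfined: number of flagged processes in the listing on stdin.
count_unconfined() {
    check_labels | wc -l | tr -d ' '
}

# Constructed sample: three records quoted in the bug report. The last one is
# the `ps` command itself, run from the host, so it is expected to be flagged.
SAMPLE_PS='system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17193 17171 0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 389 17329 17098 19 23:24 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17379 6447 0 23:24 pts/0 00:00:00 ps -efZ'

# Stand-alone run: audit the sample and summarise the result.
printf '%s\n' "$SAMPLE_PS" | check_labels \
    || echo "some processes are outside the expected container context"
```

Against a live container, pipe `docker exec <name> ps -efZ` into `check_labels` and set `EXPECTED_MCS` to the category pair of that container; a process that shows up with a different MCS pair, or as `unconfined_t`, is one that escaped the per-container separation that the listing above relies on.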