Bug 2417151

Summary: ostreecontainer deployment: ipa-client-install fails
Product: [Fedora] Fedora
Reporter: Robert <robert-fedora>
Component: anaconda
Assignee: Martin Kolman <mkolman>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 42
CC: a.badger, alpha, anaconda-maint, kkoukiou, mkolman, w
Keywords: Desktop
Hardware: x86_64
OS: Linux
URL: https://gitlab.com/eu-os/eu-os.gitlab.io/-/snippets/4906744
Attachments:
ipaclient-install.log (flags: none)

Description Robert 2025-11-25 21:36:41 UTC
I want to enrol a Fedora laptop in FreeIPA during Foreman PXE provisioning.

Note that when I log in as root after boot and call the same ipa-client-install line from the original-ks.cfg, the enrolment is successful.

I have this in the kickstart template:

%post
exec < /dev/tty3 > /dev/tty3
chvt 3
(
logger "Starting anaconda <%= @host %> postinstall"
<% if host_enc['parameters']['realm'] && @host.realm && (@host.realm.realm_type == 'FreeIPA' || @host.realm.realm_type == 'Red Hat Identity Management') -%>
  ##
  ## IPA Client Installation
  ##
  echo "Realm found: setup ipa-client"
  /usr/libexec/openssh/sshd-keygen rsa
  
  # HOTFIX for https://github.com/fedora-silverblue/issue-tracker/issues/427
  mkdir -p /var/lib/ipa-client/sysrestore
  mkdir -p /var/lib/ipa-client/pki
  mkdir -p /var/log
  touch /var/log/ipaclient-install.log

  # One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
  /usr/sbin/ipa-client-install -w '<%= @host.otp || "$HOST[OTP]" %>' --realm=<%= @host.realm %> -U --mkhomedir
<% end -%>

Full config: https://gitlab.com/eu-os/eu-os.gitlab.io/-/snippets/4906744

Reproducible: Always

Steps to Reproduce:
1. Configure everything in Foreman (hard to give the complete setup here)
2. Provision with Foreman via PXE
3. Reboot and see that /etc/krb5.conf is not set up, and see errors in ipaclient-install.log

Actual Results:
IPA enrolment failed

Expected Results:
IPA enrolment worked

Comment 1 Robert 2025-11-25 21:37:30 UTC
Created attachment 2116214
ipaclient-install.log