Bug 953936

Summary: realm join --user=admin $DOMAIN fails with Couldn't join realm: Running ipa-client-install failed
Product: [Fedora] Fedora Reporter: Tomas Babej <tbabej>
Component: realmdAssignee: Stef Walter <stefw>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dpal, jhrozek, mkosek, stefw, yaneti, yelley
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-19 19:50:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
logs none

Description Tomas Babej 2013-04-19 15:07:55 UTC 
Created attachment 737662 [details]
logs

Running realm join --user=admin $DOMAIN I got after entering admin's password:

realm: Couldn't join realm: Running ipa-client-install failed

From ipaclient-install.log:

2013-04-19T14:40:52Z DEBUG Starting external process
2013-04-19T14:40:52Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
2013-04-19T14:40:52Z DEBUG Process execution failed

After running /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd manually:

[root@vm-050 ~]# /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
[root@vm-050 ~]# echo $?
0

However, realmd reports that host is already joined to the domain

[root@vm-050 ~]# realm join --user=admin $DOMAINrealm: Already joined to this domain

This is correct however, IPA server reports that host is joined.
Comment 1 Tomas Babej 2013-04-19 15:25:50 UTC 
Leaving the realm fails with the following:

realm: Couldn't leave realm: Running ipa-client-install failed

From the log:

2013-04-19T15:12:25Z DEBUG stderr=
2013-04-19T15:12:25Z DEBUG Starting external process
2013-04-19T15:12:25Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - vm-050.idm.lab.eng.brq.redhat.com
2013-04-19T15:12:25Z DEBUG Process finished, return code=255
2013-04-19T15:12:25Z DEBUG stdout=
2013-04-19T15:12:25Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - vm-050.idm.lab.eng.brq.redhat.com
: File not found

2013-04-19T15:12:25Z DEBUG Starting external process
2013-04-19T15:12:25Z DEBUG args=/bin/systemctl stop certmonger.service
2013-04-19T15:12:25Z DEBUG Process finished, return code=0
2013-04-19T15:12:25Z DEBUG stdout=
2013-04-19T15:12:25Z DEBUG stderr=
2013-04-19T15:12:29Z DEBUG Starting external process
2013-04-19T15:12:29Z DEBUG args=/bin/systemctl disable certmonger.service
2013-04-19T15:12:29Z DEBUG Process finished, return code=0
2013-04-19T15:12:29Z DEBUG stdout=
2013-04-19T15:12:29Z DEBUG stderr=
2013-04-19T15:12:29Z INFO Unenrolling client from IPA server
2013-04-19T15:12:30Z DEBUG Starting external process
2013-04-19T15:12:30Z DEBUG args=/usr/sbin/ipa-join --unenroll -h vm-050.idm.lab.eng.brq.redhat.com
2013-04-19T15:12:30Z DEBUG Process finished, return code=181
2013-04-19T15:12:30Z DEBUG stdout=
2013-04-19T15:12:30Z DEBUG stderr=Error obtaining initial credentials: Key table entry not found.

2013-04-19T15:12:30Z ERROR Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.

2013-04-19T15:12:30Z INFO Removing Kerberos service principals from /etc/krb5.keytab
2013-04-19T15:12:30Z DEBUG Starting external process
2013-04-19T15:12:30Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IDM.LAB.ENG.BRQ.REDHAT.COM
2013-04-19T15:12:30Z DEBUG Process finished, return code=5
2013-04-19T15:12:30Z DEBUG stdout=
2013-04-19T15:12:30Z DEBUG stderr=realm not found

2013-04-19T15:12:30Z ERROR Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
2013-04-19T15:12:30Z INFO Disabling client Kerberos and LDAP configurations
2013-04-19T15:12:30Z DEBUG Starting external process
2013-04-19T15:12:30Z DEBUG args=/usr/sbin/authconfig --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap --disablesssdauth
2013-04-19T15:12:30Z DEBUG Process execution failed
2013-04-19T15:12:30Z ERROR Failed to remove krb5/LDAP configuration: [Errno 13] Permission denied
Comment 2 Dmitri Pal 2013-04-19 19:42:41 UTC 
Does the same sequence of the IPA commands works in case of direct invocation via script without realmd?
Comment 3 Stef Walter 2013-04-19 19:50:06 UTC 
This is fixed by  selinux-policy-3.12.1-34.fc19

http://koji.fedoraproject.org/koji/buildinfo?buildID=412811

Please reopen if temporarily disabling SELinux does not solve this issue:

setenforce permissive

*** This bug has been marked as a duplicate of bug 953286 ***