Bug 1450425
| Field | Value |
|---|---|
| Summary | After ipa-server-install cannot ssh to machine anymore. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Michal Reznik <mreznik> |
| Component | authconfig |
| Assignee | Pavel Březina <pbrezina> |
| Status | CLOSED ERRATA |
| QA Contact | Xiyang Dong <xdong> |
| Severity | urgent |
| Priority | urgent |
| Docs Contact | |
| Version | 7.4 |
| CC | dkupka, jpazdziora, ksiddiqu, mvarun, nsoman, pkis, ppicka, pvoborni, rcritten, sbose, spoore, tmraz, tscherf, xdong |
| Target Milestone | rc |
| Keywords | Regression, TestBlocker |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | authconfig-6.2.8-28.el7 |
| Doc Type | No Doc Update |
| Doc Text | If this bug requires documentation, please select an appropriate Doc Type value. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-08-01 07:27:56 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Michal Reznik
2017-05-12 13:40:32 UTC
interactive with non-domain user works for me as well

In addition to trying ssh -v, share also:
- journalctl output from logging time or `journalctl -u sshd.service`
- /etc/nsswitch.conf
- /etc/ssh/sshd_config

maybe also sssd logs and config.

```
[root@ibm-x3650m4-01-vm-13 ~]# id aduser1
uid=1261602355(aduser1) gid=1261602355(aduser1) groups=1261602355(aduser1),1261600513(domain users),1261601629(adgroup2),1261601559(adgroup1),1261602139(adunigroup1)
[root@ibm-x3650m4-01-vm-13 ~]# getent passwd aduser1
aduser1:*:1261602355:1261602355:aduser1 users:/home/pne.qe/aduser1:
```

with ssh -v
============

```
[root@ibm-x3650m4-01-vm-13 ~]# ssh -o StrictHostKeyChecking=no -l aduser1 ibm-x3650m4-01-vm-13.userexsm24.test -v
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ibm-x3650m4-01-vm-13.userexsm24.test
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ibm-x3650m4-01-vm-13.userexsm24.test:22 as 'aduser1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:f87GeqcO/Hy2qNawm9zRkqYe5Enx9llqZhT/7DT4H1Q
debug1: Host 'ibm-x3650m4-01-vm-13.userexsm24.test' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to ibm-x3650m4-01-vm-13.userexsm24.test (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: pledge: proc
packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe
```

journalctl -u sshd.service
==========================

```
May 14 00:56:36 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: Postponed keyboard-interactive for aduser1 from 10.16.41.26 port 37634 ssh2 [preauth]
May 14 00:56:44 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30944]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.16.41.26 user=aduser1
May 14 00:56:46 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: Postponed keyboard-interactive/pam for aduser1 from 10.16.41.26 port 37634 ssh2 [preauth]
May 14 00:56:46 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: Accepted keyboard-interactive/pam for aduser1 from 10.16.41.26 port 37634 ssh2
May 14 00:56:46 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: fatal: PAM: pam_setcred(): The return value should be ignored by PAM dispatch
```

Created attachment 1278557: sssd log

Created attachment 1278558: sssd conf

Created attachment 1278559: sshd conf

Created attachment 1278560: nsswitch conf
There is an (at least for me) unexpected line in the PAM auth configuration. If I comment it out in /etc/pam.d/password-auth (the configuration used by sshd) ...

```
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
#SB# auth   [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
```

... authentication starts working again with challenge-response as well on hp-dl380pgen8-02-vm-1.lab.bos.redhat.com. Please check if this helps at other places you see this issue as well.

(In reply to Sumit Bose from comment #15)
> There is an (at least for me) unexpected line in the PAM auth configuration.
> If I comment it out in /etc/pam.d/password-auth (the configuration used by
> sshd)
>
> ...
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> #SB# auth [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
> ...
>
> authentication starts working again with challenge-response as well on
> hp-dl380pgen8-02-vm-1.lab.bos.redhat.com. Please check if this helps at
> other places you see this issue as well.

Same for me also.

It looks like this was added to fix https://bugzilla.redhat.com/show_bug.cgi?id=1441604

OK, the fix must be in authconfig. The line must look like:

```
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
```

Do not ask me why - or I know why but it is a very long and complicated story.

Pavel, I committed the fix to upstream authconfig.
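Why `ignore=ignore` changes the outcome, as an added example (not code from authconfig, Linux-PAM or anyone in this thread): a small Python model of the `[value=action ...]` control syntax from pam.conf(5), run over the first three lines of the password-auth stack quoted above. It assumes that in sshd's pam_setcred() pass (the call that fails in the journal above) pam_succeed_if returns PAM_IGNORE while pam_localuser and pam_unix return PAM_SUCCESS; those return values are constructed for the example, and the walk models only action lookup, numeric jumps and a simplified `done`, not the full result accounting of the real dispatcher.

```python
"""Model of the Linux-PAM '[value=action ...]' control syntax, applied to the
password-auth stack quoted in this bug. Added example, not code from
authconfig, Linux-PAM or anyone in the thread; it models action lookup,
numeric jumps and a simplified 'done', not the dispatcher's full accounting."""

# Return codes by their pam.conf(5) names; strings keep the tables readable.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "success", "auth_err", "ignore"

# Legacy keyword expanded as pam.conf(5) defines it (only the one used here).
LEGACY = {
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def parse_control(control):
    """'[default=1 success=ok]' -> {'default': '1', 'success': 'ok'}."""
    if control.startswith("[") and control.endswith("]"):
        return dict(tok.split("=", 1) for tok in control[1:-1].split())
    return LEGACY[control]

def action_for(control, retval):
    """Action for one return value; 'default' covers every value not listed.
    PAM_IGNORE is not listed in '[default=1 success=ok]', so it falls under
    default=1 and becomes a jump; 'ignore=ignore' catches it first."""
    table = parse_control(control)
    return table.get(retval, table["default"])

def password_auth_head(succeed_if_control):
    """First three lines of the password-auth stack quoted in the bug."""
    return [
        (succeed_if_control, "pam_succeed_if.so uid >= 1000 quiet"),
        ("[default=1 success=ok]", "pam_localuser.so"),
        ("sufficient", "pam_unix.so nullok try_first_pass"),
    ]

# Constructed return values for sshd's pam_setcred() pass (the call that fails
# in the journal above): pam_succeed_if has no credentials to set and returns
# PAM_IGNORE (assumption), the other two succeed.
SETCRED_RETVALS = {
    "pam_succeed_if.so uid >= 1000 quiet": PAM_IGNORE,
    "pam_localuser.so": PAM_SUCCESS,
    "pam_unix.so nullok try_first_pass": PAM_SUCCESS,
}

def invoked_modules(stack, retvals):
    """Walk the stack: a numeric action skips that many following lines,
    'done' on success ends the walk (simplified: the real dispatcher also
    requires that nothing earlier failed), anything else just continues."""
    invoked, i = [], 0
    while i < len(stack):
        control, module = stack[i]
        invoked.append(module)
        retval = retvals[module]
        action = action_for(control, retval)
        i += 1
        if action.isdigit():
            i += int(action)
        elif action == "done" and retval == PAM_SUCCESS:
            break
    return invoked

def skipped_modules(stack, retvals):
    """Lines the dispatcher never called."""
    ran = invoked_modules(stack, retvals)
    return [m for _, m in stack if m not in ran]

BROKEN = "[default=1 success=ok]"               # authconfig before the fix
FIXED = "[default=1 ignore=ignore success=ok]"  # corrected line from the thread
```

With the broken control the PAM_IGNORE from pam_succeed_if is a jump and pam_localuser.so is never called; with the fixed control it is simply ignored and the stack continues normally.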
Verified on authconfig-6.2.8-28.el7:

```
19:53:10 :: [ BEGIN ] :: Running ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.5.19 --reverse-zone=169.16.172.in-addr.arpa. --allow-zone-overlap --hostname=host-8-178-58.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxx -a xxx --ip-address=172.16.169.175 -U'
19:53:13
19:53:13 The log file for this installation can be found in /var/log/ipaserver-install.log
19:53:13 ==============================================================================
19:53:13 This program will set up the IPA Server.
19:53:13
19:53:13 This includes:
19:53:13 * Configure a stand-alone CA (dogtag) for certificate management
19:53:13 * Configure the Network Time Daemon (ntpd)
19:53:13 * Create and configure an instance of Directory Server
19:53:13 * Create and configure a Kerberos Key Distribution Center (KDC)
19:53:13 * Configure Apache (httpd)
19:53:13 * Configure DNS (bind)
19:53:13 * Configure the KDC to enable PKINIT
19:53:13
19:53:13 WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
19:53:13 in favor of ntpd
19:53:13
19:53:13 Warning: skipping DNS resolution of host host-8-178-58.testrelm.test
19:53:13 Checking DNS domain testrelm.test., please wait ...
19:53:13 Checking DNS forwarders, please wait ...
19:53:13 Using reverse zone(s) 169.16.172.in-addr.arpa.
19:53:13
19:53:13 The IPA Master Server will be configured with:
19:53:13 Hostname: host-8-178-58.testrelm.test
19:53:13 IP address(es): 172.16.169.175
19:53:13 Domain name: testrelm.test
19:53:13 Realm name: TESTRELM.TEST
19:53:13
19:53:13 BIND DNS server will be configured to serve IPA domain with:
19:53:13 Forwarders: 10.11.5.19
19:53:13 Forward policy: only
19:53:13 Reverse zone(s): 169.16.172.in-addr.arpa.
19:53:13
19:53:13 Configuring NTP daemon (ntpd)
19:53:13 [1/4]: stopping ntpd
19:53:13 [2/4]: writing configuration
19:53:13 [3/4]: configuring ntpd to start on boot
19:53:13 [4/4]: starting ntpd
19:53:13 Done configuring NTP daemon (ntpd).
19:53:13 Configuring directory server (dirsrv). Estimated time: 30 seconds
19:53:13 [1/45]: creating directory server instance
19:53:15 [2/45]: enabling ldapi
19:53:15 [3/45]: configure autobind for root
19:53:15 [4/45]: stopping directory server
19:53:16 [5/45]: updating configuration in dse.ldif
19:53:16 [6/45]: starting directory server
19:53:16 [7/45]: adding default schema
19:53:16 [8/45]: enabling memberof plugin
19:53:16 [9/45]: enabling winsync plugin
19:53:16 [10/45]: configuring replication version plugin
19:53:16 [11/45]: enabling IPA enrollment plugin
19:53:16 [12/45]: configuring uniqueness plugin
19:53:16 [13/45]: configuring uuid plugin
19:53:16 [14/45]: configuring modrdn plugin
19:53:16 [15/45]: configuring DNS plugin
19:53:16 [16/45]: enabling entryUSN plugin
19:53:16 [17/45]: configuring lockout plugin
19:53:16 [18/45]: configuring topology plugin
19:53:16 [19/45]: creating indices
19:53:16 [20/45]: enabling referential integrity plugin
19:53:16 [21/45]: configuring certmap.conf
19:53:16 [22/45]: configure new location for managed entries
19:53:16 [23/45]: configure dirsrv ccache
19:53:16 [24/45]: enabling SASL mapping fallback
19:53:16 [25/45]: restarting directory server
19:53:17 [26/45]: adding sasl mappings to the directory
19:53:17 [27/45]: adding default layout
19:53:18 [28/45]: adding delegation layout
19:53:18 [29/45]: creating container for managed entries
19:53:18 [30/45]: configuring user private groups
19:53:18 [31/45]: configuring netgroups from hostgroups
19:53:18 [32/45]: creating default Sudo bind user
19:53:18 [33/45]: creating default Auto Member layout
19:53:18 [34/45]: adding range check plugin
19:53:18 [35/45]: creating default HBAC rule allow_all
19:53:18 [36/45]: adding entries for topology management
19:53:18 [37/45]: initializing group membership
19:53:19 *** Current Time: Sun May 21 15:54:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:53:19 [38/45]: adding master entry
19:53:19 [39/45]: initializing domain level
19:53:19 [40/45]: configuring Posix uid/gid generation
19:53:19 [41/45]: adding replication acis
19:53:19 [42/45]: activating sidgen plugin
19:53:19 [43/45]: activating extdom plugin
19:53:19 [44/45]: tuning directory server
19:53:21 [45/45]: configuring directory to start on boot
19:53:21 Done configuring directory server (dirsrv).
19:53:21 Configuring Kerberos KDC (krb5kdc)
19:53:21 [1/10]: adding kerberos container to the directory
19:53:21 [2/10]: configuring KDC
19:53:21 [3/10]: initialize kerberos container
19:53:21 [4/10]: adding default ACIs
19:53:21 [5/10]: creating a keytab for the directory
19:53:21 [6/10]: creating a keytab for the machine
19:53:23 [7/10]: adding the password extension to the directory
19:53:23 [8/10]: creating anonymous principal
19:53:23 [9/10]: starting the KDC
19:53:23 [10/10]: configuring KDC to start on boot
19:53:23 Done configuring Kerberos KDC (krb5kdc).
19:53:23 Configuring kadmin
19:53:23 [1/2]: starting kadmin
19:53:24 [2/2]: configuring kadmin to start on boot
19:53:24 Done configuring kadmin.
19:53:24 Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
19:53:24 [1/29]: configuring certificate server instance
19:54:19 *** Current Time: Sun May 21 15:55:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:54:24 [2/29]: exporting Dogtag certificate store pin
19:54:24 [3/29]: stopping certificate server instance to update CS.cfg
19:54:25 [4/29]: backing up CS.cfg
19:54:25 [5/29]: disabling nonces
19:54:25 [6/29]: set up CRL publishing
19:54:25 [7/29]: enable PKIX certificate path discovery and validation
19:54:25 [8/29]: starting certificate server instance
19:54:37 [9/29]: configure certmonger for renewals
19:54:38 [10/29]: requesting RA certificate from CA
19:55:00 [11/29]: setting up signing cert profile
19:55:00 [12/29]: setting audit signing renewal to 2 years
19:55:00 [13/29]: restarting certificate server
19:55:19 *** Current Time: Sun May 21 15:56:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:55:27 [14/29]: publishing the CA certificate
19:55:27 [15/29]: adding RA agent as a trusted user
19:55:27 [16/29]: authorizing RA to modify profiles
19:55:27 [17/29]: authorizing RA to manage lightweight CAs
19:55:27 [18/29]: Ensure lightweight CAs container exists
19:55:28 [19/29]: configure certificate renewals
19:55:31 [20/29]: configure Server-Cert certificate renewal
19:55:32 [21/29]: Configure HTTP to proxy connections
19:55:32 [22/29]: restarting certificate server
19:55:45 [23/29]: updating IPA configuration
19:55:45 [24/29]: enabling CA instance
19:55:45 [25/29]: migrating certificate profiles to LDAP
19:55:53 [26/29]: importing IPA certificate profiles
19:55:54 [27/29]: adding default CA ACL
19:55:54 [28/29]: adding 'ipa' CA entry
19:55:55 [29/29]: configuring certmonger renewal for lightweight CAs
19:55:55 Done configuring certificate server (pki-tomcatd).
19:55:55 Configuring directory server (dirsrv)
19:55:55 [1/3]: configuring TLS for DS instance
19:56:01 [2/3]: adding CA certificate entry
19:56:01 [3/3]: restarting directory server
19:56:02 Done configuring directory server (dirsrv).
19:56:14 Configuring ipa-otpd
19:56:14 [1/2]: starting ipa-otpd
19:56:14 [2/2]: configuring ipa-otpd to start on boot
19:56:15 Done configuring ipa-otpd.
19:56:15 Configuring ipa-custodia
19:56:15 [1/5]: Generating ipa-custodia config file
19:56:15 [2/5]: Making sure custodia container exists
19:56:16 [3/5]: Generating ipa-custodia keys
19:56:16 [4/5]: starting ipa-custodia
19:56:16 [5/5]: configuring ipa-custodia to start on boot
19:56:17 Done configuring ipa-custodia.
19:56:17 Configuring the web interface (httpd)
19:56:17 [1/22]: stopping httpd
19:56:17 [2/22]: setting mod_nss port to 443
19:56:17 [3/22]: setting mod_nss cipher suite
19:56:17 [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
19:56:17 [5/22]: setting mod_nss password file
19:56:17 [6/22]: enabling mod_nss renegotiate
19:56:17 [7/22]: enabling mod_nss OCSP
19:56:17 [8/22]: adding URL rewriting rules
19:56:17 [9/22]: configuring httpd
19:56:17 [10/22]: setting up httpd keytab
19:56:17 [11/22]: configuring Gssproxy
19:56:17 [12/22]: setting up ssl
19:56:18 *** Current Time: Sun May 21 15:57:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:56:23 [13/22]: configure certmonger for renewals
19:56:23 [14/22]: importing CA certificates from LDAP
19:56:24 [15/22]: publish CA cert
19:56:25 [16/22]: clean up any existing httpd ccaches
19:56:25 [17/22]: configuring SELinux for httpd
19:56:26 [18/22]: create KDC proxy config
19:56:26 [19/22]: enable KDC proxy
19:56:26 [20/22]: starting httpd
19:56:27 [21/22]: configuring httpd to start on boot
19:56:28 [22/22]: enabling oddjobd
19:56:28 Done configuring the web interface (httpd).
19:56:28 Configuring Kerberos KDC (krb5kdc)
19:56:28 [1/1]: installing X509 Certificate for PKINIT
19:56:34 Done configuring Kerberos KDC (krb5kdc).
19:56:35 Applying LDAP updates
19:56:35 Upgrading IPA:. Estimated time: 1 minute 30 seconds
19:56:35 [1/9]: stopping directory server
19:56:37 [2/9]: saving configuration
19:56:37 [3/9]: disabling listeners
19:56:37 [4/9]: enabling DS global lock
19:56:37 [5/9]: starting directory server
19:56:37 [6/9]: upgrading server
19:57:18 *** Current Time: Sun May 21 15:58:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:57:45 [7/9]: stopping directory server
19:57:46 [8/9]: restoring configuration
19:57:46 [9/9]: starting directory server
19:57:47 Done.
19:57:47 Restarting the KDC
19:57:47 Configuring DNS (named)
19:57:47 [1/12]: generating rndc key file
19:57:47 [2/12]: adding DNS container
19:57:48 [3/12]: setting up our zone
19:57:48 [4/12]: setting up reverse zone
19:57:48 [5/12]: setting up our own record
19:57:48 [6/12]: setting up records for other masters
19:57:48 [7/12]: adding NS record to the zones
19:57:48 [8/12]: setting up kerberos principal
19:57:48 [9/12]: setting up named.conf
19:57:48 [10/12]: setting up server configuration
19:57:48 [11/12]: configuring named to start on boot
19:57:49 [12/12]: changing resolv.conf to point to ourselves
19:57:49 Done configuring DNS (named).
19:57:51 Restarting the web server to pick up resolv.conf changes
19:57:51 Configuring DNS key synchronization service (ipa-dnskeysyncd)
19:57:51 [1/7]: checking status
19:57:51 [2/7]: setting up bind-dyndb-ldap working directory
19:57:51 [3/7]: setting up kerberos principal
19:57:53 [4/7]: setting up SoftHSM
19:57:53 [5/7]: adding DNSSEC containers
19:57:53 [6/7]: creating replica keys
19:57:55 [7/7]: configuring ipa-dnskeysyncd to start on boot
19:57:55 Done configuring DNS key synchronization service (ipa-dnskeysyncd).
19:57:55 Restarting ipa-dnskeysyncd
19:57:55 Restarting named
19:57:56 Updating DNS system records
19:57:58 Configuring client side components
19:57:59 Using existing certificate '/etc/ipa/ca.crt'.
19:57:59 Client hostname: host-8-178-58.testrelm.test
19:57:59 Realm: TESTRELM.TEST
19:57:59 DNS Domain: testrelm.test
19:57:59 IPA Server: host-8-178-58.testrelm.test
19:57:59 BaseDN: dc=testrelm,dc=test
19:57:59 Skipping synchronizing time with NTP server.
19:57:59 New SSSD config will be created
19:57:59 Configured sudoers in /etc/nsswitch.conf
19:57:59 Configured /etc/sssd/sssd.conf
19:57:59 trying https://host-8-178-58.testrelm.test/ipa/json
19:57:59 Forwarding 'schema' to json server 'https://host-8-178-58.testrelm.test/ipa/json'
19:58:03 trying https://host-8-178-58.testrelm.test/ipa/session/json
19:58:03 Forwarding 'ping' to json server 'https://host-8-178-58.testrelm.test/ipa/session/json'
19:58:03 Forwarding 'ca_is_enabled' to json server 'https://host-8-178-58.testrelm.test/ipa/session/json'
19:58:05 Systemwide CA database updated.
19:58:05 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
19:58:05 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
19:58:05 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
19:58:05 Forwarding 'host_mod' to json server 'https://host-8-178-58.testrelm.test/ipa/session/json'
19:58:05 SSSD enabled
19:58:06 Configured /etc/openldap/ldap.conf
19:58:06 Configured /etc/ssh/ssh_config
19:58:06 Configured /etc/ssh/sshd_config
19:58:06 Configuring testrelm.test as NIS domain.
19:58:06 Client configuration complete.
19:58:06 The ipa-client-install command was successful
19:58:06
19:58:09
19:58:09 ==============================================================================
19:58:09 Setup complete
19:58:09
19:58:09 Next steps:
19:58:09 1. You must make sure these network ports are open:
19:58:09 TCP Ports:
19:58:09 * 80, 443: HTTP/HTTPS
19:58:09 * 389, 636: LDAP/LDAPS
19:58:09 * 88, 464: kerberos
19:58:09 * 53: bind
19:58:09 UDP Ports:
19:58:09 * 88, 464: kerberos
19:58:09 * 53: bind
19:58:09 * 123: ntp
19:58:09
19:58:09 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
19:58:09 This ticket will allow you to use the IPA tools (e.g., ipa user-add)
19:58:09 and the web user interface.
19:58:09
19:58:09 Be sure to back up the CA certificates stored in /root/cacert.p12
19:58:09 These files are required to create replicas. The password for these
19:58:09 files is the Directory Manager password
19:58:10 :: [ PASS ] :: Command ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.5.19 --reverse-zone=169.16.172.in-addr.arpa. --allow-zone-overlap --hostname=host-8-178-58.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxx -a xxx --ip-address=172.16.169.175 -U' (Expected 0, got 0)
```

```
$ ssh root.178.58
The authenticity of host '10.8.178.58 (10.8.178.58)' can't be established.
ECDSA key fingerprint is 94:ec:08:d2:bd:d4:e1:7e:f0:7d:3e:f3:0f:99:86:ea.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.178.58' (ECDSA) to the list of known hosts.
Password:
Last login: Sun May 21 16:03:09 2017 from 10.8.177.88
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.4-candidate-runtest-i18n/35/
[root@host-8-178-58 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2285