Bug 1450425 - After ipa-server-install cannot ssh to machine anymore.
Summary: After ipa-server-install cannot ssh to machine anymore.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Pavel Březina
QA Contact: Xiyang Dong
URL:
Whiteboard:
Keywords: Regression, TestBlocker
Reported: 2017-05-12 13:40 UTC by Michal Reznik
Modified: 2017-08-01 07:27 UTC (History)
Last Closed: 2017-08-01 07:27:56 UTC


Attachments
- sssd log (357.00 KB, text/plain), 2017-05-14 05:30 UTC, Varun Mylaraiah
- sssd conf (770 bytes, text/plain), 2017-05-14 05:31 UTC, Varun Mylaraiah
- sshd conf (4.02 KB, text/plain), 2017-05-14 05:31 UTC, Varun Mylaraiah
- nsswitch conf (1.72 KB, text/plain), 2017-05-14 05:32 UTC, Varun Mylaraiah


External Trackers
Red Hat Product Errata RHSA-2017:2285 (priority normal, status SHIPPED_LIVE): Moderate: authconfig security, bug fix, and enhancement update. Last updated 2017-08-01 11:26:21 UTC.

Description Michal Reznik 2017-05-12 13:40:32 UTC
Description of problem:

After ipa-server-install, I cannot ssh to the machine anymore. I get: packet_write_wait: Connection to 192.168.222.10 port 22: Broken pipe.

Version-Release number of selected component (if applicable):

ipa-server-4.5.0-11.el7.x86_64
openssh-7.4p1-6.el7.x86_64

Steps to Reproduce:
1. ssh to ipa server
2. run ipa-server-install
3. exit
4. try to ssh again

Actual results:

ssh root@192.168.222.10
Password: 
packet_write_wait: Connection to 192.168.222.10 port 22: Broken pipe

Expected results:

successful login

Comment 8 Petr Vobornik 2017-05-12 16:02:12 UTC
interactive with non-domain user works for me as well

Comment 9 Petr Vobornik 2017-05-12 16:44:05 UTC
In addition to trying
 ssh -v

Share also:
- journalctl output from logging time or `journalctl -u sshd.service`
- /etc/nsswitch.conf
- /etc/ssh/sshd_config

maybe also sssd logs and config.

Comment 10 Varun Mylaraiah 2017-05-14 05:29:29 UTC
[root@ibm-x3650m4-01-vm-13 ~]# id aduser1@pne.qe
uid=1261602355(aduser1@pne.qe) gid=1261602355(aduser1@pne.qe) groups=1261602355(aduser1@pne.qe),1261600513(domain users@pne.qe),1261601629(adgroup2@pne.qe),1261601559(adgroup1@pne.qe),1261602139(adunigroup1@pne.qe)

[root@ibm-x3650m4-01-vm-13 ~]# getent passwd aduser1@pne.qe
aduser1@pne.qe:*:1261602355:1261602355:aduser1 users:/home/pne.qe/aduser1:

with ssh -v
============
[root@ibm-x3650m4-01-vm-13 ~]# ssh -o StrictHostKeyChecking=no -l aduser1@pne.qe ibm-x3650m4-01-vm-13.userexsm24.test -v
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ibm-x3650m4-01-vm-13.userexsm24.test
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ibm-x3650m4-01-vm-13.userexsm24.test:22 as 'aduser1@pne.qe'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:f87GeqcO/Hy2qNawm9zRkqYe5Enx9llqZhT/7DT4H1Q
debug1: Host 'ibm-x3650m4-01-vm-13.userexsm24.test' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to ibm-x3650m4-01-vm-13.userexsm24.test (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: proc
packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe


journalctl -u sshd.service
==========================
May 14 00:56:36 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: Postponed keyboard-interactive for aduser1@pne.qe from 10.16.41.26 port 37634 ssh2 [preauth]
May 14 00:56:44 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30944]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.16.41.26 user=aduser1@pne.qe
May 14 00:56:46 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: Postponed keyboard-interactive/pam for aduser1@pne.qe from 10.16.41.26 port 37634 ssh2 [preauth]
May 14 00:56:46 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: Accepted keyboard-interactive/pam for aduser1@pne.qe from 10.16.41.26 port 37634 ssh2
May 14 00:56:46 ibm-x3650m4-01-vm-13.userexsm24.test sshd[30940]: fatal: PAM: pam_setcred(): The return value should be ignored by PAM dispatch

Comment 11 Varun Mylaraiah 2017-05-14 05:30 UTC
Created attachment 1278557 [details]
sssd log

Comment 12 Varun Mylaraiah 2017-05-14 05:31 UTC
Created attachment 1278558 [details]
sssd conf

Comment 13 Varun Mylaraiah 2017-05-14 05:31 UTC
Created attachment 1278559 [details]
sshd conf

Comment 14 Varun Mylaraiah 2017-05-14 05:32 UTC
Created attachment 1278560 [details]
nsswitch conf

Comment 15 Sumit Bose 2017-05-15 07:58:44 UTC
There is an (at least for me) unexpected line in the PAM auth configuration. If I comment it out in /etc/pam.d/password-auth (the configuration used by sshd)

...
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
#SB# auth        [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
...

authentication starts working again with challenge-response as well on hp-dl380pgen8-02-vm-1.lab.bos.redhat.com. Please check if this helps at other places you see this issue as well.

Comment 16 Kaleem 2017-05-15 08:06:46 UTC
(In reply to Sumit Bose from comment #15)
> There is an (at least for me) unexpected line in the PAM auth configuration.
> If I comment it out in /etc/pam.d/password-auth (the configuration used by
> sshd)
> 
> ...
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> #SB# auth        [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth        [default=1 success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> ...
> 
> authentication starts working again with challenge-response as well on
> hp-dl380pgen8-02-vm-1.lab.bos.redhat.com. Please check if this helps at
> other places you see this issue as well.

Same for me also.

Comment 17 Sumit Bose 2017-05-15 08:24:10 UTC
It looks like this was added to fix https://bugzilla.redhat.com/show_bug.cgi?id=1441604

Comment 18 Tomas Mraz 2017-05-15 13:45:13 UTC
OK, the fix must be in authconfig.

The line must look like:

auth   [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet

Do not ask me why - or I know why but it is a very long and complicated story.
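
As an added check for the password-auth defect discussed in comments 15 and 18 (example code, not authconfig's or any commenter's own): the script parses a pam.d-style auth stack, flags an auth line for pam_succeed_if.so whose bracket control hands a PAM_IGNORE return to a jump (default=N) instead of to the ignore action that the keyword controls give it, and rewrites the control into the form Tomas gives. The sample stack, the module set and all helper names are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the stack quoted in comment 15, with the line
# Sumit commented out left active. It is not the attached password-auth file.
BROKEN_PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
"""

# Module the bug traces the stray PAM_IGNORE to; assumption: only it is checked.
IGNORE_RETURNING_MODULES = {"pam_succeed_if.so"}

# type, control (keyword or [retval=action ...]), module, remaining arguments
_LINE_RE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamLine:
    lineno: int
    mtype: str
    control: str
    module: str
    args: str

    def actions(self) -> Optional[Dict[str, str]]:
        """retval -> action for a [bracket] control; None for keyword controls."""
        if not self.control.startswith("["):
            return None
        return dict(tok.partition("=")[::2] for tok in self.control[1:-1].split())

    def action_for_ignore(self) -> str:
        """Action Linux-PAM applies when this module returns PAM_IGNORE."""
        acts = self.actions()
        if acts is None:  # required/requisite/sufficient/optional all map it to ignore
            return "ignore"
        return acts.get("ignore", acts.get("default", "bad"))  # unlisted retvals use default=


def parse_pam(text: str) -> List[PamLine]:
    """Parse pam.d-style lines; comments and blank lines are skipped."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        m = _LINE_RE.match(s) if s and not s.startswith("#") else None
        if m:
            out.append(PamLine(n, *m.groups()))
    return out


def find_unguarded(text: str) -> List[Tuple[int, str]]:
    """(lineno, control) of auth lines where a PAM_IGNORE from the module would be
    handled by a jump rather than ignored: the shape of the line Sumit commented
    out, with which sshd logged pam_setcred() failing with PAM_IGNORE's message."""
    return [(ln.lineno, ln.control) for ln in parse_pam(text)
            if ln.mtype.lstrip("-") == "auth"
            and ln.module in IGNORE_RETURNING_MODULES
            and ln.action_for_ignore().isdigit()]


def fix_control(control: str) -> str:
    """'[default=1 success=ok]' -> '[default=1 ignore=ignore success=ok]' (comment 18)."""
    toks = [t for t in control[1:-1].split() if not t.startswith("ignore=")]
    pos = next((i + 1 for i, t in enumerate(toks) if t.startswith("default=")), 0)
    toks.insert(pos, "ignore=ignore")
    return "[" + " ".join(toks) + "]"
```

On the sample stack only line 3 is reported; the requisite pam_succeed_if.so line on line 6 is not, because the keyword control already ignores PAM_IGNORE.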

Comment 20 Tomas Mraz 2017-05-15 13:51:17 UTC
Pavel, I committed the fix to upstream authconfig.

Comment 23 Xiyang Dong 2017-05-21 20:19:46 UTC
Verified on authconfig-6.2.8-28.el7:

19:53:10 :: [  BEGIN   ] :: Running ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.5.19 --reverse-zone=169.16.172.in-addr.arpa. --allow-zone-overlap --hostname=host-8-178-58.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxx -a xxx --ip-address=172.16.169.175 -U'
19:53:13 
19:53:13 The log file for this installation can be found in /var/log/ipaserver-install.log
19:53:13 ==============================================================================
19:53:13 This program will set up the IPA Server.
19:53:13 
19:53:13 This includes:
19:53:13   * Configure a stand-alone CA (dogtag) for certificate management
19:53:13   * Configure the Network Time Daemon (ntpd)
19:53:13   * Create and configure an instance of Directory Server
19:53:13   * Create and configure a Kerberos Key Distribution Center (KDC)
19:53:13   * Configure Apache (httpd)
19:53:13   * Configure DNS (bind)
19:53:13   * Configure the KDC to enable PKINIT
19:53:13 
19:53:13 WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
19:53:13 in favor of ntpd
19:53:13 
19:53:13 Warning: skipping DNS resolution of host host-8-178-58.testrelm.test
19:53:13 Checking DNS domain testrelm.test., please wait ...
19:53:13 Checking DNS forwarders, please wait ...
19:53:13 Using reverse zone(s) 169.16.172.in-addr.arpa.
19:53:13 
19:53:13 The IPA Master Server will be configured with:
19:53:13 Hostname:       host-8-178-58.testrelm.test
19:53:13 IP address(es): 172.16.169.175
19:53:13 Domain name:    testrelm.test
19:53:13 Realm name:     TESTRELM.TEST
19:53:13 
19:53:13 BIND DNS server will be configured to serve IPA domain with:
19:53:13 Forwarders:       10.11.5.19
19:53:13 Forward policy:   only
19:53:13 Reverse zone(s):  169.16.172.in-addr.arpa.
19:53:13 
19:53:13 Configuring NTP daemon (ntpd)
19:53:13   [1/4]: stopping ntpd
19:53:13   [2/4]: writing configuration
19:53:13   [3/4]: configuring ntpd to start on boot
19:53:13   [4/4]: starting ntpd
19:53:13 Done configuring NTP daemon (ntpd).
19:53:13 Configuring directory server (dirsrv). Estimated time: 30 seconds
19:53:13   [1/45]: creating directory server instance
19:53:15   [2/45]: enabling ldapi
19:53:15   [3/45]: configure autobind for root
19:53:15   [4/45]: stopping directory server
19:53:16   [5/45]: updating configuration in dse.ldif
19:53:16   [6/45]: starting directory server
19:53:16   [7/45]: adding default schema
19:53:16   [8/45]: enabling memberof plugin
19:53:16   [9/45]: enabling winsync plugin
19:53:16   [10/45]: configuring replication version plugin
19:53:16   [11/45]: enabling IPA enrollment plugin
19:53:16   [12/45]: configuring uniqueness plugin
19:53:16   [13/45]: configuring uuid plugin
19:53:16   [14/45]: configuring modrdn plugin
19:53:16   [15/45]: configuring DNS plugin
19:53:16   [16/45]: enabling entryUSN plugin
19:53:16   [17/45]: configuring lockout plugin
19:53:16   [18/45]: configuring topology plugin
19:53:16   [19/45]: creating indices
19:53:16   [20/45]: enabling referential integrity plugin
19:53:16   [21/45]: configuring certmap.conf
19:53:16   [22/45]: configure new location for managed entries
19:53:16   [23/45]: configure dirsrv ccache
19:53:16   [24/45]: enabling SASL mapping fallback
19:53:16   [25/45]: restarting directory server
19:53:17   [26/45]: adding sasl mappings to the directory
19:53:17   [27/45]: adding default layout
19:53:18   [28/45]: adding delegation layout
19:53:18   [29/45]: creating container for managed entries
19:53:18   [30/45]: configuring user private groups
19:53:18   [31/45]: configuring netgroups from hostgroups
19:53:18   [32/45]: creating default Sudo bind user
19:53:18   [33/45]: creating default Auto Member layout
19:53:18   [34/45]: adding range check plugin
19:53:18   [35/45]: creating default HBAC rule allow_all
19:53:18   [36/45]: adding entries for topology management
19:53:18   [37/45]: initializing group membership
19:53:19 *** Current Time: Sun May 21 15:54:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:53:19   [38/45]: adding master entry
19:53:19   [39/45]: initializing domain level
19:53:19   [40/45]: configuring Posix uid/gid generation
19:53:19   [41/45]: adding replication acis
19:53:19   [42/45]: activating sidgen plugin
19:53:19   [43/45]: activating extdom plugin
19:53:19   [44/45]: tuning directory server
19:53:21   [45/45]: configuring directory to start on boot
19:53:21 Done configuring directory server (dirsrv).
19:53:21 Configuring Kerberos KDC (krb5kdc)
19:53:21   [1/10]: adding kerberos container to the directory
19:53:21   [2/10]: configuring KDC
19:53:21   [3/10]: initialize kerberos container
19:53:21   [4/10]: adding default ACIs
19:53:21   [5/10]: creating a keytab for the directory
19:53:21   [6/10]: creating a keytab for the machine
19:53:23   [7/10]: adding the password extension to the directory
19:53:23   [8/10]: creating anonymous principal
19:53:23   [9/10]: starting the KDC
19:53:23   [10/10]: configuring KDC to start on boot
19:53:23 Done configuring Kerberos KDC (krb5kdc).
19:53:23 Configuring kadmin
19:53:23   [1/2]: starting kadmin 
19:53:24   [2/2]: configuring kadmin to start on boot
19:53:24 Done configuring kadmin.
19:53:24 Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
19:53:24   [1/29]: configuring certificate server instance
19:54:19 *** Current Time: Sun May 21 15:55:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:54:24   [2/29]: exporting Dogtag certificate store pin
19:54:24   [3/29]: stopping certificate server instance to update CS.cfg
19:54:25   [4/29]: backing up CS.cfg
19:54:25   [5/29]: disabling nonces
19:54:25   [6/29]: set up CRL publishing
19:54:25   [7/29]: enable PKIX certificate path discovery and validation
19:54:25   [8/29]: starting certificate server instance
19:54:37   [9/29]: configure certmonger for renewals
19:54:38   [10/29]: requesting RA certificate from CA
19:55:00   [11/29]: setting up signing cert profile
19:55:00   [12/29]: setting audit signing renewal to 2 years
19:55:00   [13/29]: restarting certificate server
19:55:19 *** Current Time: Sun May 21 15:56:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:55:27   [14/29]: publishing the CA certificate
19:55:27   [15/29]: adding RA agent as a trusted user
19:55:27   [16/29]: authorizing RA to modify profiles
19:55:27   [17/29]: authorizing RA to manage lightweight CAs
19:55:27   [18/29]: Ensure lightweight CAs container exists
19:55:28   [19/29]: configure certificate renewals
19:55:31   [20/29]: configure Server-Cert certificate renewal
19:55:32   [21/29]: Configure HTTP to proxy connections
19:55:32   [22/29]: restarting certificate server
19:55:45   [23/29]: updating IPA configuration
19:55:45   [24/29]: enabling CA instance
19:55:45   [25/29]: migrating certificate profiles to LDAP
19:55:53   [26/29]: importing IPA certificate profiles
19:55:54   [27/29]: adding default CA ACL
19:55:54   [28/29]: adding 'ipa' CA entry
19:55:55   [29/29]: configuring certmonger renewal for lightweight CAs
19:55:55 Done configuring certificate server (pki-tomcatd).
19:55:55 Configuring directory server (dirsrv)
19:55:55   [1/3]: configuring TLS for DS instance
19:56:01   [2/3]: adding CA certificate entry
19:56:01   [3/3]: restarting directory server
19:56:02 Done configuring directory server (dirsrv).
19:56:14 Configuring ipa-otpd
19:56:14   [1/2]: starting ipa-otpd 
19:56:14   [2/2]: configuring ipa-otpd to start on boot
19:56:15 Done configuring ipa-otpd.
19:56:15 Configuring ipa-custodia
19:56:15   [1/5]: Generating ipa-custodia config file
19:56:15   [2/5]: Making sure custodia container exists
19:56:16   [3/5]: Generating ipa-custodia keys
19:56:16   [4/5]: starting ipa-custodia 
19:56:16   [5/5]: configuring ipa-custodia to start on boot
19:56:17 Done configuring ipa-custodia.
19:56:17 Configuring the web interface (httpd)
19:56:17   [1/22]: stopping httpd
19:56:17   [2/22]: setting mod_nss port to 443
19:56:17   [3/22]: setting mod_nss cipher suite
19:56:17   [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
19:56:17   [5/22]: setting mod_nss password file
19:56:17   [6/22]: enabling mod_nss renegotiate
19:56:17   [7/22]: enabling mod_nss OCSP
19:56:17   [8/22]: adding URL rewriting rules
19:56:17   [9/22]: configuring httpd
19:56:17   [10/22]: setting up httpd keytab
19:56:17   [11/22]: configuring Gssproxy
19:56:17   [12/22]: setting up ssl
19:56:18 *** Current Time: Sun May 21 15:57:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:56:23   [13/22]: configure certmonger for renewals
19:56:23   [14/22]: importing CA certificates from LDAP
19:56:24   [15/22]: publish CA cert
19:56:25   [16/22]: clean up any existing httpd ccaches
19:56:25   [17/22]: configuring SELinux for httpd
19:56:26   [18/22]: create KDC proxy config
19:56:26   [19/22]: enable KDC proxy
19:56:26   [20/22]: starting httpd
19:56:27   [21/22]: configuring httpd to start on boot
19:56:28   [22/22]: enabling oddjobd
19:56:28 Done configuring the web interface (httpd).
19:56:28 Configuring Kerberos KDC (krb5kdc)
19:56:28   [1/1]: installing X509 Certificate for PKINIT
19:56:34 Done configuring Kerberos KDC (krb5kdc).
19:56:35 Applying LDAP updates
19:56:35 Upgrading IPA:. Estimated time: 1 minute 30 seconds
19:56:35   [1/9]: stopping directory server
19:56:37   [2/9]: saving configuration
19:56:37   [3/9]: disabling listeners
19:56:37   [4/9]: enabling DS global lock
19:56:37   [5/9]: starting directory server
19:56:37   [6/9]: upgrading server
19:57:18 *** Current Time: Sun May 21 15:58:48 2017 Localwatchdog at: Sun May 21 18:52:49 2017
19:57:45   [7/9]: stopping directory server
19:57:46   [8/9]: restoring configuration
19:57:46   [9/9]: starting directory server
19:57:47 Done.
19:57:47 Restarting the KDC
19:57:47 Configuring DNS (named)
19:57:47   [1/12]: generating rndc key file
19:57:47   [2/12]: adding DNS container
19:57:48   [3/12]: setting up our zone
19:57:48   [4/12]: setting up reverse zone
19:57:48   [5/12]: setting up our own record
19:57:48   [6/12]: setting up records for other masters
19:57:48   [7/12]: adding NS record to the zones
19:57:48   [8/12]: setting up kerberos principal
19:57:48   [9/12]: setting up named.conf
19:57:48   [10/12]: setting up server configuration
19:57:48   [11/12]: configuring named to start on boot
19:57:49   [12/12]: changing resolv.conf to point to ourselves
19:57:49 Done configuring DNS (named).
19:57:51 Restarting the web server to pick up resolv.conf changes
19:57:51 Configuring DNS key synchronization service (ipa-dnskeysyncd)
19:57:51   [1/7]: checking status
19:57:51   [2/7]: setting up bind-dyndb-ldap working directory
19:57:51   [3/7]: setting up kerberos principal
19:57:53   [4/7]: setting up SoftHSM
19:57:53   [5/7]: adding DNSSEC containers
19:57:53   [6/7]: creating replica keys
19:57:55   [7/7]: configuring ipa-dnskeysyncd to start on boot
19:57:55 Done configuring DNS key synchronization service (ipa-dnskeysyncd).
19:57:55 Restarting ipa-dnskeysyncd
19:57:55 Restarting named
19:57:56 Updating DNS system records
19:57:58 Configuring client side components
19:57:59 Using existing certificate '/etc/ipa/ca.crt'.
19:57:59 Client hostname: host-8-178-58.testrelm.test
19:57:59 Realm: TESTRELM.TEST
19:57:59 DNS Domain: testrelm.test
19:57:59 IPA Server: host-8-178-58.testrelm.test
19:57:59 BaseDN: dc=testrelm,dc=test
19:57:59 Skipping synchronizing time with NTP server.
19:57:59 New SSSD config will be created
19:57:59 Configured sudoers in /etc/nsswitch.conf
19:57:59 Configured /etc/sssd/sssd.conf
19:57:59 trying https://host-8-178-58.testrelm.test/ipa/json
19:57:59 Forwarding 'schema' to json server 'https://host-8-178-58.testrelm.test/ipa/json'
19:58:03 trying https://host-8-178-58.testrelm.test/ipa/session/json
19:58:03 Forwarding 'ping' to json server 'https://host-8-178-58.testrelm.test/ipa/session/json'
19:58:03 Forwarding 'ca_is_enabled' to json server 'https://host-8-178-58.testrelm.test/ipa/session/json'
19:58:05 Systemwide CA database updated.
19:58:05 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
19:58:05 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
19:58:05 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
19:58:05 Forwarding 'host_mod' to json server 'https://host-8-178-58.testrelm.test/ipa/session/json'
19:58:05 SSSD enabled
19:58:06 Configured /etc/openldap/ldap.conf
19:58:06 Configured /etc/ssh/ssh_config
19:58:06 Configured /etc/ssh/sshd_config
19:58:06 Configuring testrelm.test as NIS domain.
19:58:06 Client configuration complete.
19:58:06 The ipa-client-install command was successful
19:58:06 
19:58:09 
19:58:09 ==============================================================================
19:58:09 Setup complete
19:58:09 
19:58:09 Next steps:
19:58:09 	1. You must make sure these network ports are open:
19:58:09 		TCP Ports:
19:58:09 		  * 80, 443: HTTP/HTTPS
19:58:09 		  * 389, 636: LDAP/LDAPS
19:58:09 		  * 88, 464: kerberos
19:58:09 		  * 53: bind
19:58:09 		UDP Ports:
19:58:09 		  * 88, 464: kerberos
19:58:09 		  * 53: bind
19:58:09 		  * 123: ntp
19:58:09 
19:58:09 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
19:58:09 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
19:58:09 	   and the web user interface.
19:58:09 
19:58:09 Be sure to back up the CA certificates stored in /root/cacert.p12
19:58:09 These files are required to create replicas. The password for these
19:58:09 files is the Directory Manager password
19:58:10 :: [   PASS   ] :: Command ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.5.19 --reverse-zone=169.16.172.in-addr.arpa. --allow-zone-overlap --hostname=host-8-178-58.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxx -a xxx --ip-address=172.16.169.175 -U' (Expected 0, got 0)

$ ssh root@10.8.178.58
The authenticity of host '10.8.178.58 (10.8.178.58)' can't be established.
ECDSA key fingerprint is 94:ec:08:d2:bd:d4:e1:7e:f0:7d:3e:f3:0f:99:86:ea.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.178.58' (ECDSA) to the list of known hosts.
Password: 
Last login: Sun May 21 16:03:09 2017 from 10.8.177.88
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.4-candidate-runtest-i18n/35/
[root@host-8-178-58 ~]#

Comment 25 errata-xmlrpc 2017-08-01 07:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2285

