
Bug 952741

Summary: unattended ipa-client installation fails when anonymous access to LDAP is disabled on IPA servers
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.4
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Libor Miksik <lmiksik>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
CC: dpal, mkosek, pasteur, pgustafs, pm-eus, rcritten, sgoveas, sigbjorn
Target Milestone: rc
Keywords: ZStream
Hardware: Unspecified
OS: Linux
Fixed In Version: ipa-3.0.0-26.el6_4.3
Doc Type: Bug Fix
Last Closed: 2013-06-13 08:09:27 UTC
Bug Depends On: 922843

Description Libor Miksik 2013-04-16 15:15:41 UTC
This bug has been copied from bug #922843 and has been proposed
to be backported to 6.4 z-stream (EUS).

Comment 4 Martin Kosek 2013-04-22 10:26:49 UTC
*** Bug 952745 has been marked as a duplicate of this bug. ***

Comment 5 Martin Kosek 2013-04-22 10:28:40 UTC
Upstream fix:

master:
be54d1deb5e40945e4ead5b34d9acde88c1e8264 ipa-client discovery with anonymous access off

ipa-3-1:
dda3cd1b1c94c764d774110789dff8899ff873c8 ipa-client discovery with anonymous access off

Comment 7 Steeve Goveas 2013-05-22 14:21:18 UTC
Verified with
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64

On Server
[root@server1 ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.4.x86_64


[root@server1 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 -h localhost -p 389 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allow-anonymous-access
> nsslapd-allow-anonymous-access: rootdse
> EOF
modifying entry "cn=config"

On Client
[root@client1 ~]# rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64

[root@client1 ~]# ipa-client-install -p admin -w Secret123 --mkhomedir -dd -U
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=client1.ipalab.qe
Start searching for LDAP SRV record in "ipalab.qe" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.ipalab.qe.
DNS record found: DNSResult::name:_ldap._tcp.ipalab.qe.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:server1.ipalab.qe.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipalab.qe.
DNS record found: DNSResult::name:_kerberos.ipalab.qe.,type:16,class:1,rdata={data:IPALAB.QE}
Search DNS for SRV record of _kerberos._udp.ipalab.qe.
DNS record found: DNSResult::name:_kerberos._udp.ipalab.qe.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:server1.ipalab.qe.}
[LDAP server check]
Verifying that server1.ipalab.qe (realm IPALAB.QE) is an IPA server
Init LDAP connection with: ldap://server1.ipalab.qe:389
Search LDAP server for IPA base DN
Check if naming context 'dc=ipalab,dc=qe' is for IPA
LDAP Error: Anonymous access not allowed
Generated basedn from realm: dc=ipalab,dc=qe
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=ipalab.qe, kdc=server1.ipalab.qe, basedn=dc=ipalab,dc=qe
Validated servers: server1.ipalab.qe
will use discovered domain: ipalab.qe
Start searching for LDAP SRV record in "ipalab.qe" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.ipalab.qe.
DNS record found: DNSResult::name:_ldap._tcp.ipalab.qe.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:server1.ipalab.qe.}
DNS validated, enabling discovery
will use discovered server: server1.ipalab.qe
Discovery was successful!
will use discovered realm: IPALAB.QE
will use discovered basedn: dc=ipalab,dc=qe
Hostname: client1.ipalab.qe
Hostname source: Machine's FQDN
Realm: IPALAB.QE
Realm source: Discovered Kerberos DNS records from ipalab.qe
DNS Domain: ipalab.qe
DNS Domain source: Discovered LDAP SRV records from ipalab.qe (domain of the hostname)
IPA Server: server1.ipalab.qe
IPA Server source: Discovered LDAP SRV records from ipalab.qe (domain of the hostname)
BaseDN: dc=ipalab,dc=qe
BaseDN source: Generated from Kerberos realm

args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPALAB.QE
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.ipalab.qe.
DNS record found: DNSResult::name:_ntp._udp.ipalab.qe.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:server1.ipalab.qe.}
args=/usr/sbin/ntpdate -U ntp -s -b -v server1.ipalab.qe
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v server1.ipalab.qe
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v server1.ipalab.qe
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v server1.ipalab.qe
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v server1.ipalab.qe
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v server1.ipalab.qe
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmprew_HU:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPALAB.QE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPALAB.QE = {
    kdc = server1.ipalab.qe:88
    master_kdc = server1.ipalab.qe:88
    admin_server = server1.ipalab.qe:749
    default_domain = ipalab.qe
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipalab.qe = IPALAB.QE
  ipalab.qe = IPALAB.QE

args=kinit admin
stdout=Password for admin: 

stderr=
trying to retrieve CA cert via LDAP from ldap://server1.ipalab.qe
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPALAB.QE
    Issuer:      CN=Certificate Authority,O=IPALAB.QE
    Valid From:  Wed May 22 13:07:49 2013 UTC
    Valid Until: Sun May 22 13:07:49 2033 UTC

args=/usr/sbin/ipa-join -s server1.ipalab.qe -b dc=ipalab,dc=qe -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>client1.ipalab.qe</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to server1.ipalab.qe port 443 (#0)
*   Trying 10.16.65.2... * Connected to server1.ipalab.qe (10.16.65.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=server1.ipalab.qe,O=IPALAB.QE
* 	start date: May 22 13:11:11 2013 GMT
* 	expire date: May 23 13:11:11 2015 GMT
* 	common name: server1.ipalab.qe
* 	issuer: CN=Certificate Authority,O=IPALAB.QE
> POST /ipa/xml HTTP/1.1
Host: server1.ipalab.qe
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://server1.ipalab.qe/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 473

< HTTP/1.1 401 Authorization Required
< Date: Wed, 22 May 2013 14:16:47 GMT
< Server: Apache/2.2.15 (Red Hat)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 21 May 2013 05:58:14 GMT
< ETag: "2a07b0-55a-4dd342284a980"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
< 
* Closing connection #0
* Issue another request to this URL: 'https://server1.ipalab.qe:443/ipa/xml'
* About to connect() to server1.ipalab.qe port 443 (#0)
*   Trying 10.16.65.2... * Connected to server1.ipalab.qe (10.16.65.2) port 443 (#0)
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=server1.ipalab.qe,O=IPALAB.QE
* 	start date: May 22 13:11:11 2013 GMT
* 	expire date: May 23 13:11:11 2015 GMT
* 	common name: server1.ipalab.qe
* 	issuer: CN=Certificate Authority,O=IPALAB.QE
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate [token removed]
Host: server1.ipalab.qe
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://server1.ipalab.qe/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 473

< HTTP/1.1 200 Success
< Date: Wed, 22 May 2013 14:16:47 GMT
< Server: Apache/2.2.15 (Red Hat)
* Added cookie ipa_session="9f38c1a4bfe5aee52f7b4ea6eebfa547" for domain server1.ipalab.qe, path /ipa, expire 1369233407
< Set-Cookie: ipa_session=9f38c1a4bfe5aee52f7b4ea6eebfa547; Domain=server1.ipalab.qe; Path=/ipa; Expires=Wed, 22 May 2013 14:36:47 GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain; charset=UTF-8
< 
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=client1.ipalab.qe,cn=computers,cn=accounts,dc=ipalab,dc=qe</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=client1.ipalab.qe,cn=computers,cn=accounts,dc=ipalab,dc=qe</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=IPALAB.QE</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>client1.ipalab.qe</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>3d0e26d4-c2ea-11e2-acf3-0019bb497d5a</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/client1.ipalab.qe</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>client1.ipalab.qe</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n

Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPALAB.QE

Enrolled in IPA realm IPALAB.QE
args=kdestroy
stdout=
stderr=
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.ipalab.qe
stdout=
stderr=
Backing up system configuration file '/etc/ipa/default.conf'
  -> Not backing up - '/etc/ipa/default.conf' doesn't exist
Created /etc/ipa/default.conf
importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3

stderr=
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Backing up system configuration file '/etc/sssd/sssd.conf'
  -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
New SSSD config will be created
Configured /etc/sssd/sssd.conf
args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
stdout=
stderr=
Backing up system configuration file '/etc/krb5.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Writing Kerberos configuration to /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPALAB.QE
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPALAB.QE = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipalab.qe = IPALAB.QE
  ipalab.qe = IPALAB.QE

Configured /etc/krb5.conf for IPA realm IPALAB.QE
args=keyctl search @s user ipa_session_cookie:host/client1.ipalab.qe
stdout=
stderr=keyctl_search: Required key not available

args=keyctl search @s user ipa_session_cookie:host/client1.ipalab.qe
stdout=
stderr=keyctl_search: Required key not available

failed to find session_cookie in persistent storage for principal 'host/client1.ipalab.qe'
trying https://server1.ipalab.qe/ipa/xml
Created connection context.xmlclient
Hostname (client1.ipalab.qe) not found in DNS
Writing nsupdate commands to /etc/ipa/.dns_update.txt:

zone ipalab.qe.
update delete client1.ipalab.qe. IN A
send
update add client1.ipalab.qe. 1200 IN A 10.16.64.60
send

args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=
DNS server record set to: client1.ipalab.qe -> 10.16.64.60
args=/sbin/service messagebus start 
stdout=Starting system message bus: 

stderr=
args=/sbin/service messagebus status 
stdout=messagebus (pid  7583) is running...

stderr=
args=/sbin/service certmonger restart 
stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]

stderr=
args=/sbin/service certmonger status 
stdout=certmonger (pid  20196) is running...

stderr=
args=/sbin/service certmonger restart 
stdout=Stopping certmonger: [  OK  ]
Starting certmonger: [  OK  ]

stderr=
args=/sbin/service certmonger status 
stdout=certmonger (pid  20220) is running...

stderr=
args=/sbin/chkconfig certmonger on
stdout=
stderr=
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - client1.ipalab.qe -N CN=client1.ipalab.qe,O=IPALAB.QE -K host/client1.ipalab.qe
stdout=New signing request "20130522141652" added.

stderr=
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
raw: host_mod(u'client1.ipalab.qe', ipasshpubkey=[u'ssh-rsa [key data removed]', u'ssh-dss [key data removed]'], updatedns=False)
host_mod(u'client1.ipalab.qe', random=False, ipasshpubkey=(u'ssh-rsa [key data removed]', u'ssh-dss [key data removed]'), rights=False, updatedns=False, all=False, raw=False)
Forwarding 'host_mod' to server u'https://server1.ipalab.qe/ipa/xml'
NSSConnection init server1.ipalab.qe
Connecting: 10.16.65.2:0
auth_certificate_callback: check_sig=True is_server=False
approved_usage = SSLServer intended_usage = SSLServer
cert valid True for "CN=server1.ipalab.qe,O=IPALAB.QE"
handshake complete, peer = 10.16.65.2:443
received Set-Cookie 'ipa_session=b7239f268a67aa37a8f3f35a2dbefce0; Domain=server1.ipalab.qe; Path=/ipa; Expires=Wed, 22 May 2013 14:36:52 GMT; Secure; HttpOnly'
storing cookie 'ipa_session=b7239f268a67aa37a8f3f35a2dbefce0; Domain=server1.ipalab.qe; Path=/ipa; Expires=Wed, 22 May 2013 14:36:52 GMT; Secure; HttpOnly' for principal host/client1.ipalab.qe
args=keyctl search @s user ipa_session_cookie:host/client1.ipalab.qe
stdout=
stderr=keyctl_search: Required key not available

args=keyctl search @s user ipa_session_cookie:host/client1.ipalab.qe
stdout=
stderr=keyctl_search: Required key not available

args=keyctl padd user ipa_session_cookie:host/client1.ipalab.qe @s
stdout=969704379

stderr=
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone ipalab.qe.
update delete client1.ipalab.qe. IN SSHFP
send
update add client1.ipalab.qe. 1200 IN SSHFP 1 1 6CE3F4CAFCE1D05ED6ED1BEC86AE2A84B493D6CF
update add client1.ipalab.qe. 1200 IN SSHFP 2 1 7CD5C7CA0A4C41C3CA6BABAE489D3ACFD8020D50
send

args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=
args=/sbin/service nscd status
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
stdout=Starting oddjobd: [  OK  ]

stderr=
SSSD enabled
args=/sbin/service sssd restart 
stdout=Stopping sssd: [FAILED]
[  OK  ] sssd: [  OK  ]

stderr=cat: /var/run/sssd.pid: No such file or directory

args=/sbin/service sssd status 
stdout=sssd (pid  20324) is running...

stderr=
args=/sbin/chkconfig sssd on
stdout=
stderr=
Backing up system configuration file '/etc/openldap/ldap.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/openldap/ldap.conf
args=getent passwd admin
stdout=admin:*:1553800000:1553800000:Administrator:/home/admin:/bin/bash

stderr=
Backing up system configuration file '/etc/ntp/step-tickers'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/restorecon /etc/ntp/step-tickers
stdout=
stderr=
args=/sbin/chkconfig ntpd
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Backing up system configuration file '/etc/ntp.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/restorecon /etc/ntp.conf
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/ntpd'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/restorecon /etc/sysconfig/ntpd
stdout=
stderr=
args=/sbin/chkconfig ntpd on
stdout=
stderr=
args=/sbin/service ntpd restart 
stdout=Shutting down ntpd: [  OK  ]
Starting ntpd: [  OK  ]

stderr=
args=/sbin/service ntpd status 
stdout=ntpd (pid  20364) is running...

stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status 
stdout=openssh-daemon (pid  7713) is running...

stderr=
args=/sbin/service sshd restart 
stdout=Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

stderr=
args=/sbin/service sshd status 
stdout=openssh-daemon (pid  20403) is running...

stderr=
Client configuration complete.
[root@client1 ~]#
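
An added example (not part of the bug report and not FreeIPA code): a small checker for `ipa-client-install -dd` output that confirms a run took the fallback path seen in the log above, where the anonymous LDAP search is refused, discovery returns NO_ACCESS_TO_LDAP, the base DN is generated from the realm, and the install still completes. The function names and the sample log are constructed for illustration; the line formats are copied from the output in Comment 7.

```python
import re

# Constructed sample: a few lines in the format of the debug log above.
SAMPLE_LOG = """\
[LDAP server check]
Verifying that server1.ipalab.qe (realm IPALAB.QE) is an IPA server
Init LDAP connection with: ldap://server1.ipalab.qe:389
Search LDAP server for IPA base DN
Check if naming context 'dc=ipalab,dc=qe' is for IPA
LDAP Error: Anonymous access not allowed
Generated basedn from realm: dc=ipalab,dc=qe
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=ipalab.qe, kdc=server1.ipalab.qe, basedn=dc=ipalab,dc=qe
Discovery was successful!
Realm: IPALAB.QE
BaseDN: dc=ipalab,dc=qe
BaseDN source: Generated from Kerberos realm
Client configuration complete.
"""

RESULT_RE = re.compile(r"^Discovery result: (\w+); (.*)$")
LABEL_RE = re.compile(r"^(Realm|BaseDN): (.+)$")


def realm_to_basedn(realm):
    """Map a Kerberos realm to a base DN as the log shows
    (IPALAB.QE -> dc=ipalab,dc=qe). Hypothetical helper."""
    return ",".join("dc=" + part.lower() for part in realm.split(".") if part)


def parse_install_log(text):
    """Collect the discovery facts relevant to the anonymous-access fallback."""
    facts = {"anonymous_denied": False, "result": None, "fields": {},
             "labels": {}, "completed": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "LDAP Error: Anonymous access not allowed":
            facts["anonymous_denied"] = True
        elif line == "Client configuration complete.":
            facts["completed"] = True
        m = RESULT_RE.match(line)
        if m:
            facts["result"] = m.group(1)
            # Fields are separated by ", "; the basedn value itself contains
            # bare commas, so split on comma-space and on the first "=" only.
            for item in m.group(2).split(", "):
                key, _, value = item.partition("=")
                facts["fields"][key] = value
            continue
        m = LABEL_RE.match(line)
        if m:
            facts["labels"][m.group(1)] = m.group(2)
    return facts


def check_fallback(facts):
    """Return a list of problems; an empty list means the fallback path worked."""
    problems = []
    if not facts["anonymous_denied"]:
        problems.append("anonymous LDAP search was not refused; "
                        "the server setting is not under test")
    if facts["result"] != "NO_ACCESS_TO_LDAP":
        problems.append("unexpected discovery result: %s" % facts["result"])
    realm = facts["labels"].get("Realm")
    basedn = facts["labels"].get("BaseDN")
    if realm is None or basedn is None:
        problems.append("realm or base DN summary lines missing")
    elif basedn.lower() != realm_to_basedn(realm):
        problems.append("base DN %s does not match realm %s" % (basedn, realm))
    if facts["fields"].get("basedn") != basedn:
        problems.append("discovery basedn differs from the value finally used")
    if not facts["completed"]:
        problems.append("installation did not reach "
                        "'Client configuration complete.'")
    return problems


if __name__ == "__main__":
    found = check_fallback(parse_install_log(SAMPLE_LOG))
    for message in found or ["fallback path verified"]:
        print(message)
```
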

Comment 9 errata-xmlrpc 2013-06-13 08:09:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0945.html