Bug 953936 - realm join --user=admin $DOMAIN fails with Couldn't join realm: Running ipa-client-install failed
realm join --user=admin $DOMAIN fails with Couldn't join realm: Running ipa-c...
Status: CLOSED DUPLICATE of bug 953286
Product: Fedora
Classification: Fedora
Component: realmd (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Stef Walter
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-04-19 11:07 EDT by Tomas Babej
Modified: 2016-05-05 00:36 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-19 15:50:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
logs (47.23 KB, text/x-log)
2013-04-19 11:07 EDT, Tomas Babej
no flags Details

  None (edit)
Description Tomas Babej 2013-04-19 11:07:55 EDT
Created attachment 737662 [details]
logs

Running realm join --user=admin $DOMAIN I got after entering admin's password:

realm: Couldn't join realm: Running ipa-client-install failed

From ipaclient-install.log:

2013-04-19T14:40:52Z DEBUG Starting external process
2013-04-19T14:40:52Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
2013-04-19T14:40:52Z DEBUG Process execution failed

After running /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd manually:

[root@vm-050 ~]# /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
[root@vm-050 ~]# echo $?
0

However, realmd reports that host is already joined to the domain

[root@vm-050 ~]# realm join --user=admin $DOMAINrealm: Already joined to this domain

This is correct however, IPA server reports that host is joined.
Comment 1 Tomas Babej 2013-04-19 11:25:50 EDT
Leaving the realm fails with the following:

realm: Couldn't leave realm: Running ipa-client-install failed

From the log:

2013-04-19T15:12:25Z DEBUG stderr=
2013-04-19T15:12:25Z DEBUG Starting external process
2013-04-19T15:12:25Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - vm-050.idm.lab.eng.brq.redhat.com
2013-04-19T15:12:25Z DEBUG Process finished, return code=255
2013-04-19T15:12:25Z DEBUG stdout=
2013-04-19T15:12:25Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - vm-050.idm.lab.eng.brq.redhat.com
: File not found

2013-04-19T15:12:25Z DEBUG Starting external process
2013-04-19T15:12:25Z DEBUG args=/bin/systemctl stop certmonger.service
2013-04-19T15:12:25Z DEBUG Process finished, return code=0
2013-04-19T15:12:25Z DEBUG stdout=
2013-04-19T15:12:25Z DEBUG stderr=
2013-04-19T15:12:29Z DEBUG Starting external process
2013-04-19T15:12:29Z DEBUG args=/bin/systemctl disable certmonger.service
2013-04-19T15:12:29Z DEBUG Process finished, return code=0
2013-04-19T15:12:29Z DEBUG stdout=
2013-04-19T15:12:29Z DEBUG stderr=
2013-04-19T15:12:29Z INFO Unenrolling client from IPA server
2013-04-19T15:12:30Z DEBUG Starting external process
2013-04-19T15:12:30Z DEBUG args=/usr/sbin/ipa-join --unenroll -h vm-050.idm.lab.eng.brq.redhat.com
2013-04-19T15:12:30Z DEBUG Process finished, return code=181
2013-04-19T15:12:30Z DEBUG stdout=
2013-04-19T15:12:30Z DEBUG stderr=Error obtaining initial credentials: Key table entry not found.

2013-04-19T15:12:30Z ERROR Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.

2013-04-19T15:12:30Z INFO Removing Kerberos service principals from /etc/krb5.keytab
2013-04-19T15:12:30Z DEBUG Starting external process
2013-04-19T15:12:30Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IDM.LAB.ENG.BRQ.REDHAT.COM
2013-04-19T15:12:30Z DEBUG Process finished, return code=5
2013-04-19T15:12:30Z DEBUG stdout=
2013-04-19T15:12:30Z DEBUG stderr=realm not found

2013-04-19T15:12:30Z ERROR Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
2013-04-19T15:12:30Z INFO Disabling client Kerberos and LDAP configurations
2013-04-19T15:12:30Z DEBUG Starting external process
2013-04-19T15:12:30Z DEBUG args=/usr/sbin/authconfig --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap --disablesssdauth
2013-04-19T15:12:30Z DEBUG Process execution failed
2013-04-19T15:12:30Z ERROR Failed to remove krb5/LDAP configuration: [Errno 13] Permission denied
Comment 2 Dmitri Pal 2013-04-19 15:42:41 EDT
Does the same sequence of the IPA commands works in case of direct invocation via script without realmd?
Comment 3 Stef Walter 2013-04-19 15:50:06 EDT
This is fixed by  selinux-policy-3.12.1-34.fc19

http://koji.fedoraproject.org/koji/buildinfo?buildID=412811

Please reopen if temporarily disabling SELinux does not solve this issue:

setenforce permissive

*** This bug has been marked as a duplicate of bug 953286 ***

Note You need to log in before you can comment on or make changes to this bug.