Hi. I am aware that there have been many discussions regarding fully load balancing FreeIPA replicas, but I am doing it for the sake of experimentation. For my tests, I mainly rely on this article - https://mrgecko.org/blog/2022/freeipa-load-balance, although I am using nginx instead of HAProxy.
Currently, I have only one replica that is behind an nginx proxy, and I am able to access the FreeIPA WebUI via the load balancer's hostname and perform usual operations without any issues. However, I am now trying to enroll a host using the "--server=<loadbalancer_hostname>" option, but the installation fails. I have collected two types of ipaclient-install logs - one that fails when I try to add the host with "--server=<loadbalancer>", and one "healthy" log from the enrollment of the same host, bypassing the proxy directly to the ipa-server (as in the usual operation).

With "--server=<loadbalancer>":

>failed to find session_cookie in persistent storage for principal
>'host/[email protected]'
>trying https://lb.ipa.edu.novalocal/ipa/json
>Created connection context.rpcclient_140218712782800
>[try 1]: Forwarding 'schema' to json server
>'https://lb.ipa.edu.novalocal/ipa/json'
>New HTTP connection (lb.ipa.edu.novalocal)
>[4637] 1690357386.007597: ccselect module realm chose cache
>FILE:/etc/ipa/.dns_ccache with client principal
>host/[email protected] for server principal
>HTTP/[email protected]
>[4637] 1690357386.007598: Getting credentials
>host/[email protected] ->
>HTTP/[email protected] using ccache
>FILE:/etc/ipa/.dns_ccache
>[4637] 1690357386.007599: Retrieving
>host/[email protected] ->
>HTTP/[email protected] from FILE:/etc/ipa/.dns_ccache
>with result: -1765328243/Matching credential not found (filename:
>/etc/ipa/.dns_ccache)
>[4637] 1690357386.007600: Retrieving
>host/[email protected] ->
>krbtgt/[email protected] from FILE:/etc/ipa/.dns_ccache with
>result: 0/Success
>[4637] 1690357386.007601: Starting with TGT for client realm:
>host/[email protected] ->
>krbtgt/[email protected]
>[4637] 1690357386.007602: Requesting tickets for
>HTTP/[email protected], referrals on
>[4637] 1690357386.007603: Generated subkey for TGS request: aes256-cts/F148
>[4637] 1690357386.007604: etypes requested in TGS request: aes256-cts,
>aes128-cts, aes256-sha2, aes128-sha2,
des3-cbc-sha1, rc4-hmac, >camellia128-cts, camellia256-cts >[4637] 1690357386.007606: Encoding request body and padata into FAST request >[4637] 1690357386.007607: Sending request (2338 bytes) to EDU-IPA.NOVALOCAL >[4637] 1690357386.007608: Initiating TCP connection to stream 172.28.19.159:88 >[4637] 1690357386.007609: Sending TCP request to stream 172.28.19.159:88 >[4637] 1690357386.007610: Received answer (2307 bytes) from stream >172.28.19.159:88 >[4637] 1690357386.007611: Terminating TCP connection to stream 172.28.19.159:88 >[4637] 1690357386.007612: Response was from master KDC >[4637] 1690357386.007613: Decoding FAST response >[4637] 1690357386.007614: FAST reply key: aes256-cts/2EEF >[4637] 1690357386.007615: TGS reply is for >host/[email protected] -> >HTTP/[email protected] with session key aes256-cts/011A >[4637] 1690357386.007616: TGS request result: 0/Success >[4637] 1690357386.007617: Received creds for desired service >HTTP/[email protected] >[4637] 1690357386.007618: Storing >host/[email protected] -> >HTTP/[email protected] in FILE:/etc/ipa/.dns_ccache >[4637] 1690357386.007620: Creating authenticator for >host/[email protected] -> >HTTP/[email protected], seqnum 355879243, subkey >aes256-cts/2361, session key aes256-cts/011A >[4637] 1690357386.007625: Read AP-REP, time 1690357386.7621, subkey >aes256-cts/9ABD, seqnum 40531156 >received Set-Cookie (<class >'list'>)'['ipa_session=MagBearerToken=%2bhag7JQJbAfw2IDK9dAniiDEoewHlMpUXT5bjUBYHxr4jsjVz7FOJdB7Ch8KsOBwJAOlnf6NAdJOJik2a%2buW%2bRhvchtk3puGPk0Q6PZ34UESQLVyelSgVzjsWPeybbNKAwa%2f6pQJoCYWd5drZDbxnv%2fz0qxNkJ2niQikaXi1ZkgndV7z5r00gPluZhJS9Mb6Nrl9T1JWUVc0UZJAk0LaJGTjjEBUxcpDaXs6QMq1LvY8BYfmff3KLkm%2b8JyfX6hRkUA088wimKQsLsHnHKbInDtgt2SwQCntfKIXQt9YEbvyOr9w1%2bWNEXDXLtGMxQT3;path=/ipa;httponly;secure;']' >storing cookie 
>'ipa_session=MagBearerToken=%2bhag7JQJbAfw2IDK9dAniiDEoewHlMpUXT5bjUBYHxr4jsjVz7FOJdB7Ch8KsOBwJAOlnf6NAdJOJik2a%2buW%2bRhvchtk3puGPk0Q6PZ34UESQLVyelSgVzjsWPeybbNKAwa%2f6pQJoCYWd5drZDbxnv%2fz0qxNkJ2niQikaXi1ZkgndV7z5r00gPluZhJS9Mb6Nrl9T1JWUVc0UZJAk0LaJGTjjEBUxcpDaXs6QMq1LvY8BYfmff3KLkm%2b8JyfX6hRkUA088wimKQsLsHnHKbInDtgt2SwQCntfKIXQt9YEbvyOr9w1%2bWNEXDXLtGMxQT3;' > for principal host/[email protected] >[4637] 1690357386.007629: Storing config in FILE:/etc/ipa/.dns_ccache for >host/[email protected]: X-IPA-Session-Cookie: >ipa_session=MagBearerToken=%2bhag7JQJbAfw2IDK9dAniiDEoewHlMpUXT5bjUBYHxr4jsjVz7FOJdB7Ch8KsOBwJAOlnf6NAdJOJik2a%2buW%2bRhvchtk3puGPk0Q6PZ34UESQLVyelSgVzjsWPeybbNKAwa%2f6pQJoCYWd5drZDbxnv%2fz0qxNkJ2niQikaXi1ZkgndV7z5r00gPluZhJS9Mb6Nrl9T1JWUVc0UZJAk0LaJGTjjEBUxcpDaXs6QMq1LvY8BYfmff3KLkm%2b8JyfX6hRkUA088wimKQsLsHnHKbInDtgt2SwQCntfKIXQt9YEbvyOr9w1%2bWNEXDXLtGMxQT3;\x00 >[4637] 1690357386.007630: Storing >host/[email protected] -> >krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL@X-CACHECONF: > in FILE:/etc/ipa/.dns_ccache >Destroyed connection context.rpcclient_140218712782800 > File "/usr/lib64/python3/site-packages/ipapython/admintool.py", line 180, in > execute > return_value = self.run() > File "/usr/lib64/python3/site-packages/ipapython/install/cli.py", line 342, > in run > return cfgr.run() > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 360, > in run > return self.execute() > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 386, > in execute > for rval in self._executor(): > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 431, > in __runner > exc_handler(exc_info) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 460, > in _handle_execute_exception > self._handle_exception(exc_info) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, > in _handle_exception > 
six.reraise(*exc_info) > File "/usr/lib/python3/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 421, > in __runner > step() > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 418, > in <lambda> > step = lambda: next(self.__gen) > File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 81, > in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python3/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 59, > in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 655, > in _configure > next(executor) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 431, > in __runner > exc_handler(exc_info) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 460, > in _handle_execute_exception > self._handle_exception(exc_info) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 518, > in _handle_exception > self.__parent._handle_exception(exc_info) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, > in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 515, > in _handle_exception > super(ComponentBase, self)._handle_exception(exc_info) > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 450, > in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 421, > in __runner > step() > File "/usr/lib64/python3/site-packages/ipapython/install/core.py", line 418, > in <lambda> > 
step = lambda: next(self.__gen) > File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 81, > in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python3/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib64/python3/site-packages/ipapython/install/util.py", line 59, > in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib64/python3/site-packages/ipapython/install/common.py", line > 65, in _install > for unused in self._installer(self.parent): > File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line > 3833, in main > install(self) > File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line > 2520, in install > _install(options) > File "/usr/lib64/python3/site-packages/ipaclient/install/client.py", line > 2846, in _install > api.finalize() > File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 751, in > finalize > self.__do_if_not_done('load_plugins') > File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 438, in > __do_if_not_done > getattr(self, name)() > File "/usr/lib64/python3/site-packages/ipalib/plugable.py", line 630, in > load_plugins > for package in self.packages: > File "/usr/lib64/python3/site-packages/ipalib/__init__.py", line 949, in > packages > ipaclient.remote_plugins.get_package(self), > File > "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/__init__.py", line > 134, in get_package > plugins = schema.get_package(server_info, client) > File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", > line 553, in get_package > schema = Schema(client) > File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", > line 402, in __init__ > fingerprint, ttl = self._fetch(client, ignore_cache=read_failed) > File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/schema.py", > line 427, in _fetch > schema = client.forward(u'schema', **kwargs)['result'] > File 
"/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1151, in forward > return self._call_command(command, params) > File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1127, in > _call_command > return command(*params) > File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1281, in _call > return self.__request(name, args) > File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 1275, in > __request > raise error_class(**kw) > >The ipa-client-install command failed, exception: ACIError: Insufficient >access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >Minor code may provide more information (Credential cache is empty) >Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >failure. Minor code may provide more information (Credential cache is empty) normal enrollment (same spot in the logs): >restart of certmonger.service complete >Adding SSH public key from /etc/openssh/ssh_host_rsa_key.pub >Adding SSH public key from /etc/openssh/ssh_host_dsa_key.pub >Adding SSH public key from /etc/openssh/ssh_host_ecdsa_key.pub >Adding SSH public key from /etc/openssh/ssh_host_ed25519_key.pub >[try 1]: Forwarding 'host_mod' to json server >'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json' >HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal) >[3825] 1690356381.860222: ccselect module realm chose cache >FILE:/etc/ipa/.dns_ccache with client principal >host/[email protected] for server principal >HTTP/[email protected] >[3825] 1690356381.860223: Getting credentials >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache >FILE:/etc/ipa/.dns_ccache >[3825] 1690356381.860224: Retrieving >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache >with result: 0/Success >[3825] 1690356381.860226: Creating authenticator for >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 279994011, subkey 
>aes256-cts/E278, session key aes256-cts/B2AD >[3825] 1690356381.860231: Read AP-REP, time 1690356381.860227, subkey >aes256-cts/6032, seqnum 235082758 >received Set-Cookie (<class >'list'>)'['ipa_session=MagBearerToken=5XuhX%2bo07hp5qHnzynQMGsdohzfvuaAYlilcKWmx%2fE2xeBKvvbqvWVEsk2gPHGr7hdQoDcXXirlgzgHDsIKEk7gNOuDHYO8fo%2fuXzYsTQU4osh4GhNtfZu7sZvnWoZz8uKe3ggoF%2b5%2fdZIy7Sao%2b6GnrEKTVzmHBNCPUUyyMBMBOX83eGmJO2WunWXMoJw4NEM%2buSPWwkpUtp4nuniTxuFzEtoyDnBGuJqMB93dTA7hkE7ASNy3o5TjbvXBjIuM3Y1R9ecbfWxI4psuQfnkQKOaCTidU3xRDyY72%2brrH2U5N0yBggeL3CEExSm%2fWQadG;path=/ipa;httponly;secure;']' >storing cookie >'ipa_session=MagBearerToken=5XuhX%2bo07hp5qHnzynQMGsdohzfvuaAYlilcKWmx%2fE2xeBKvvbqvWVEsk2gPHGr7hdQoDcXXirlgzgHDsIKEk7gNOuDHYO8fo%2fuXzYsTQU4osh4GhNtfZu7sZvnWoZz8uKe3ggoF%2b5%2fdZIy7Sao%2b6GnrEKTVzmHBNCPUUyyMBMBOX83eGmJO2WunWXMoJw4NEM%2buSPWwkpUtp4nuniTxuFzEtoyDnBGuJqMB93dTA7hkE7ASNy3o5TjbvXBjIuM3Y1R9ecbfWxI4psuQfnkQKOaCTidU3xRDyY72%2brrH2U5N0yBggeL3CEExSm%2fWQadG;' > for principal host/[email protected] >[3825] 1690356381.860235: Storing config in FILE:/etc/ipa/.dns_ccache for >host/[email protected]: X-IPA-Session-Cookie: >ipa_session=MagBearerToken=5XuhX%2bo07hp5qHnzynQMGsdohzfvuaAYlilcKWmx%2fE2xeBKvvbqvWVEsk2gPHGr7hdQoDcXXirlgzgHDsIKEk7gNOuDHYO8fo%2fuXzYsTQU4osh4GhNtfZu7sZvnWoZz8uKe3ggoF%2b5%2fdZIy7Sao%2b6GnrEKTVzmHBNCPUUyyMBMBOX83eGmJO2WunWXMoJw4NEM%2buSPWwkpUtp4nuniTxuFzEtoyDnBGuJqMB93dTA7hkE7ASNy3o5TjbvXBjIuM3Y1R9ecbfWxI4psuQfnkQKOaCTidU3xRDyY72%2brrH2U5N0yBggeL3CEExSm%2fWQadG;\x00 >[3825] 1690356381.860236: Storing >host/[email protected] -> >krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL@X-CACHECONF: > in FILE:/etc/ipa/.dns_ccache > > >Found zone name: edu.novalocal >The master is: infra-ipa-master-01.edu-ipa.novalocal >start_gssrequest >[3898] 1690356381.745962: ccselect module realm chose cache >FILE:/etc/ipa/.dns_ccache with client principal >host/[email protected] for server principal >DNS/[email protected] 
>[3898] 1690356381.745963: Getting credentials >host/[email protected] -> >DNS/[email protected] using ccache >FILE:/etc/ipa/.dns_ccache >[3898] 1690356381.745964: Retrieving >host/[email protected] -> >DNS/[email protected] from >FILE:/etc/ipa/.dns_ccache with result: 0/Success >[3898] 1690356381.745966: Creating authenticator for >host/[email protected] -> >DNS/[email protected], seqnum 15181654, >subkey aes256-cts/ECC7, session key aes256-cts/607C >send_gssrequest > > >Process finished, return code=1 >stdout= >stderr= >[3825] 1690356380.148934: ccselect module realm chose cache >FILE:/etc/ipa/.dns_ccache with client principal >host/[email protected] for server principal >ldap/[email protected] >[3825] 1690356380.148935: Getting credentials >host/[email protected] -> >ldap/infra-ipa-master-01.edu-ipa.novalocal@ using ccache >FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148936: Retrieving >host/[email protected] -> >ldap/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache >with result: -1765328243/Matching credential not found (filename: >/etc/ipa/.dns_ccache) >[3825] 1690356380.148937: Retrying >host/[email protected] -> >ldap/[email protected] with result: >-1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache) >[3825] 1690356380.148938: Server has referral realm; starting with >ldap/[email protected] >[3825] 1690356380.148939: Retrieving >host/[email protected] -> >krbtgt/[email protected] from FILE:/etc/ipa/.dns_ccache with >result: 0/Success >[3825] 1690356380.148940: Starting with TGT for client realm: >host/[email protected] -> >krbtgt/[email protected] >[3825] 1690356380.148941: Requesting tickets for >ldap/[email protected], referrals on >[3825] 1690356380.148942: Generated subkey for TGS request: aes256-cts/3DE8 >[3825] 1690356380.148943: etypes requested in TGS request: aes256-cts, >aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, >camellia128-cts, camellia256-cts >[3825] 1690356380.148945: Encoding 
request body and padata into FAST request >[3825] 1690356380.148946: Sending request (2377 bytes) to EDU-IPA.NOVALOCAL >[3825] 1690356380.148947: Initiating TCP connection to stream 172.28.19.159:88 >[3825] 1690356380.148948: Sending TCP request to stream 172.28.19.159:88 >[3825] 1690356380.148949: Received answer (2302 bytes) from stream >172.28.19.159:88 >[3825] 1690356380.148950: Terminating TCP connection to stream 172.28.19.159:88 >[3825] 1690356380.148951: Response was from master KDC >[3825] 1690356380.148952: Decoding FAST response >[3825] 1690356380.148953: FAST reply key: aes256-cts/BBE7 >[3825] 1690356380.148954: TGS reply is for >host/[email protected] -> >ldap/[email protected] with session key >aes256-cts/207E >[3825] 1690356380.148955: TGS request result: 0/Success >[3825] 1690356380.148956: Received creds for desired service >ldap/[email protected] >[3825] 1690356380.148957: Storing >host/[email protected] -> >ldap/infra-ipa-master-01.edu-ipa.novalocal@ in FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148958: Also storing >host/[email protected] -> >ldap/[email protected] based on ticket >[3825] 1690356380.148959: Removing >host/[email protected] -> >ldap/[email protected] from >FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148961: Creating authenticator for >host/[email protected] -> >ldap/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 224156792, subkey >aes256-cts/6EF9, session key aes256-cts/207E >[3825] 1690356380.148966: Read AP-REP, time 1690356380.148962, subkey >aes256-cts/4E53, seqnum 820684970 >Adding CA certificates to the IPA NSS database. 
> > >failed to find session_cookie in persistent storage for principal >'host/[email protected]' >trying https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json >Created connection context.rpcclient_139803356784400 >Try RPC connection >[try 1]: Forwarding 'ping' to json server >'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json' >New HTTP connection (infra-ipa-master-01.edu-ipa.novalocal) >[3825] 1690356380.148857: ccselect module realm chose cache >FILE:/etc/ipa/.dns_ccache with client principal >host/[email protected] for server principal >HTTP/[email protected] >[3825] 1690356380.148858: Getting credentials >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache >FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148859: Retrieving >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache >with result: -1765328243/Matching credential not found (filename: >/etc/ipa/.dns_ccache) >[3825] 1690356380.148860: Retrying >host/[email protected] -> >HTTP/[email protected] with result: >-1765328243/Matching credential not found (filename: /etc/ipa/.dns_ccache) >[3825] 1690356380.148861: Server has referral realm; starting with >HTTP/[email protected] >[3825] 1690356380.148862: Retrieving >host/[email protected] -> >krbtgt/[email protected] from FILE:/etc/ipa/.dns_ccache with >result: 0/Success >[3825] 1690356380.148863: Starting with TGT for client realm: >host/[email protected] -> >krbtgt/[email protected] >[3825] 1690356380.148864: Requesting tickets for >HTTP/[email protected], referrals on >[3825] 1690356380.148865: Generated subkey for TGS request: aes256-cts/46AB >[3825] 1690356380.148866: etypes requested in TGS request: aes256-cts, >aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, >camellia128-cts, camellia256-cts >[3825] 1690356380.148868: Encoding request body and padata into FAST request >[3825] 1690356380.148869: Sending request (2377 bytes) to EDU-IPA.NOVALOCAL >[3825] 
1690356380.148870: Initiating TCP connection to stream 172.28.19.159:88 >[3825] 1690356380.148871: Sending TCP request to stream 172.28.19.159:88 >[3825] 1690356380.148872: Received answer (2345 bytes) from stream >172.28.19.159:88 >[3825] 1690356380.148873: Terminating TCP connection to stream 172.28.19.159:88 >[3825] 1690356380.148874: Response was from master KDC >[3825] 1690356380.148875: Decoding FAST response >[3825] 1690356380.148876: FAST reply key: aes256-cts/4ACD >[3825] 1690356380.148877: TGS reply is for >host/[email protected] -> >HTTP/[email protected] with session key >aes256-cts/B2AD >[3825] 1690356380.148878: TGS request result: 0/Success >[3825] 1690356380.148879: Received creds for desired service >HTTP/[email protected] >[3825] 1690356380.148880: Storing >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ in FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148881: Also storing >host/[email protected] -> >HTTP/[email protected] based on ticket >[3825] 1690356380.148882: Removing >host/[email protected] -> >HTTP/[email protected] from >FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148884: Creating authenticator for >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 232117189, subkey >aes256-cts/E5F8, session key aes256-cts/B2AD >[3825] 1690356380.148889: Read AP-REP, time 1690356380.148885, subkey >aes256-cts/9C66, seqnum 920243718 >received Set-Cookie (<class >'list'>)'['ipa_session=MagBearerToken=nBJ5K%2f0zqcv8v2%2bivGh1TAlnIQEQXaojxHZZL6lPgVtAEv%2f6j%2bEclnVBY6dlnoUVRkyvnAkIVuxLx6HNXZsVsLxhbOZmYkyspRIE59scDW0R%2bBuRiTeBmDKza6GUSTW%2b53ppLozZH8ijT88lpy3%2fnbZKk607ez97vomrVzBCduj0G2y9u6wXyJdnw1TjBtjpr8VThkN46%2fS%2fK8qqf81s6xZiFHretceNwbPgzZFWJVSfUd7LGe%2bR5xGJ2XhNx5%2fVOZGzbhQhigkgullEuxQgV6oordsRg4DsIrOa542JTGTaV%2bvFRAbQ48XXEp1Jj5UV;path=/ipa;httponly;secure;']' >storing cookie 
>'ipa_session=MagBearerToken=nBJ5K%2f0zqcv8v2%2bivGh1TAlnIQEQXaojxHZZL6lPgVtAEv%2f6j%2bEclnVBY6dlnoUVRkyvnAkIVuxLx6HNXZsVsLxhbOZmYkyspRIE59scDW0R%2bBuRiTeBmDKza6GUSTW%2b53ppLozZH8ijT88lpy3%2fnbZKk607ez97vomrVzBCduj0G2y9u6wXyJdnw1TjBtjpr8VThkN46%2fS%2fK8qqf81s6xZiFHretceNwbPgzZFWJVSfUd7LGe%2bR5xGJ2XhNx5%2fVOZGzbhQhigkgullEuxQgV6oordsRg4DsIrOa542JTGTaV%2bvFRAbQ48XXEp1Jj5UV;' > for principal host/[email protected] >[3825] 1690356380.148893: Storing config in FILE:/etc/ipa/.dns_ccache for >host/[email protected]: X-IPA-Session-Cookie: >ipa_session=MagBearerToken=nBJ5K%2f0zqcv8v2%2bivGh1TAlnIQEQXaojxHZZL6lPgVtAEv%2f6j%2bEclnVBY6dlnoUVRkyvnAkIVuxLx6HNXZsVsLxhbOZmYkyspRIE59scDW0R%2bBuRiTeBmDKza6GUSTW%2b53ppLozZH8ijT88lpy3%2fnbZKk607ez97vomrVzBCduj0G2y9u6wXyJdnw1TjBtjpr8VThkN46%2fS%2fK8qqf81s6xZiFHretceNwbPgzZFWJVSfUd7LGe%2bR5xGJ2XhNx5%2fVOZGzbhQhigkgullEuxQgV6oordsRg4DsIrOa542JTGTaV%2bvFRAbQ48XXEp1Jj5UV;\x00 >[3825] 1690356380.148894: Storing >host/[email protected] -> >krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL@X-CACHECONF: > in FILE:/etc/ipa/.dns_ccache >[try 1]: Forwarding 'ca_is_enabled' to json server >'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json' >HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal) >[3825] 1690356380.148898: ccselect module realm chose cache >FILE:/etc/ipa/.dns_ccache with client principal >host/[email protected] for server principal >HTTP/[email protected] >[3825] 1690356380.148899: Getting credentials >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache >FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148900: Retrieving >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache >with result: 0/Success >[3825] 1690356380.148902: Creating authenticator for >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 678605449, subkey >aes256-cts/747F, session key aes256-cts/B2AD 
>[3825] 1690356380.148907: Read AP-REP, time 1690356380.148903, subkey >aes256-cts/C2C1, seqnum 37258182 >received Set-Cookie (<class >'list'>)'['ipa_session=MagBearerToken=mVqhYtLqfVgBwvixoFSlHLw2nOQULW20e%2f4LOsro2xvfKooihP%2bgVAkKlaRvnN2XMVs66AyoibsKmvEgzMKK07HwnPLuzetxHpHYHtK8NkDD7%2f%2bJB0W00ME%2bj153OQTv8qRRvzyWHUBEb56AucOvopC%2bHIBUNLUpN342m4Jjl754AR2c4gTcoy7vR3fkO9vop4CMSPIq5OsnOsEfUYz6DkkcOMb06axmoRZY%2f1JbF3ohIVOXC1Uvtjy5uVk7uQiszSegQDdwOrRBZlkeeShvAma6vyc%2b7MCDnpPAN0KuZ4Y1M6LeVo5JH3J6UwrZz0M%2f;path=/ipa;httponly;secure;']' >storing cookie >'ipa_session=MagBearerToken=mVqhYtLqfVgBwvixoFSlHLw2nOQULW20e%2f4LOsro2xvfKooihP%2bgVAkKlaRvnN2XMVs66AyoibsKmvEgzMKK07HwnPLuzetxHpHYHtK8NkDD7%2f%2bJB0W00ME%2bj153OQTv8qRRvzyWHUBEb56AucOvopC%2bHIBUNLUpN342m4Jjl754AR2c4gTcoy7vR3fkO9vop4CMSPIq5OsnOsEfUYz6DkkcOMb06axmoRZY%2f1JbF3ohIVOXC1Uvtjy5uVk7uQiszSegQDdwOrRBZlkeeShvAma6vyc%2b7MCDnpPAN0KuZ4Y1M6LeVo5JH3J6UwrZz0M%2f;' > for principal host/[email protected] >[3825] 1690356380.148911: Storing config in FILE:/etc/ipa/.dns_ccache for >host/[email protected]: X-IPA-Session-Cookie: >ipa_session=MagBearerToken=mVqhYtLqfVgBwvixoFSlHLw2nOQULW20e%2f4LOsro2xvfKooihP%2bgVAkKlaRvnN2XMVs66AyoibsKmvEgzMKK07HwnPLuzetxHpHYHtK8NkDD7%2f%2bJB0W00ME%2bj153OQTv8qRRvzyWHUBEb56AucOvopC%2bHIBUNLUpN342m4Jjl754AR2c4gTcoy7vR3fkO9vop4CMSPIq5OsnOsEfUYz6DkkcOMb06axmoRZY%2f1JbF3ohIVOXC1Uvtjy5uVk7uQiszSegQDdwOrRBZlkeeShvAma6vyc%2b7MCDnpPAN0KuZ4Y1M6LeVo5JH3J6UwrZz0M%2f;\x00 >[3825] 1690356380.148912: Storing >host/[email protected] -> >krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL@X-CACHECONF: > in FILE:/etc/ipa/.dns_ccache >[try 1]: Forwarding 'config_show' to json server >'https://infra-ipa-master-01.edu-ipa.novalocal/ipa/json' >HTTP connection keep-alive (infra-ipa-master-01.edu-ipa.novalocal) >[3825] 1690356380.148916: ccselect module realm chose cache >FILE:/etc/ipa/.dns_ccache with client principal >host/[email protected] for server principal 
>HTTP/[email protected] >[3825] 1690356380.148917: Getting credentials >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ using ccache >FILE:/etc/ipa/.dns_ccache >[3825] 1690356380.148918: Retrieving >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@ from FILE:/etc/ipa/.dns_ccache >with result: 0/Success >[3825] 1690356380.148920: Creating authenticator for >host/[email protected] -> >HTTP/infra-ipa-master-01.edu-ipa.novalocal@, seqnum 896576105, subkey >aes256-cts/02A5, session key aes256-cts/B2AD >[3825] 1690356380.148925: Read AP-REP, time 1690356380.148921, subkey >aes256-cts/D3B7, seqnum 175125735 >received Set-Cookie (<class >'list'>)'['ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;path=/ipa;httponly;secure;']' >storing cookie >'ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;' > for principal host/[email protected] >[3825] 1690356380.148929: Storing config in FILE:/etc/ipa/.dns_ccache for >host/[email protected]: X-IPA-Session-Cookie: >ipa_session=MagBearerToken=%2fh0A2rAP%2b9B%2fKydCZfB9jTvCngqGmE4PpTSutwiDNm7LVxbA7pFr6WhMuHRuEnSo%2bzl8KEoelocipvUzAlZV2pvwelwygtqV0moRYWM6YlfEVX82J5o8DatYvaw24CksBRIH1DYZJJZPNrkC2MUj7XQdyPSr7RY8zF%2fw53iAdx3LFd2yyB2juwkxAp47eNVdLX%2fI4pFgBSFukOQKE0DSmv89qT7NSWvBGzb4PfO9mxMpGIkOqhawSYV%2ftLwpxg4dMOx64sCXnjdbVaghABYKzYzQkQ9UeJZOuvl3EH5xz6PomnG5crEQVjIi1UxbyDfX;\x00 
>[3825] 1690356380.148930: Storing
>host/[email protected] ->
>krb5_ccache_conf_data/X-IPA-Session-Cookie/host\/test-lb-enroll.edu.novalocal\@EDU-IPA.NOVALOCAL@X-CACHECONF:
> in FILE:/etc/ipa/.dns_ccache
>Starting external process
>args=['/usr/bin/certutil', '-d', '/etc/ipa/nssdb', '-N', '-f',
>'/etc/ipa/nssdb/pwdfile.txt', '-@', '/etc/ipa/nssdb/pwdfile.txt']

It seems like for some reason the install script is unable to save credentials to /etc/ipa/.dns_ccache in the first case. Any ideas why this could be happening? Aside from obvious permissions issues, because I specifically ran a normal installation in the same environment to eliminate any host setup problems.

Client version is: freeipa-client-4.8.9-alt4.c9f2.3.x86_64
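Added example, not part of the original post or of FreeIPA: a Python helper for comparing two ipaclient-install logs like the ones above. It groups the krb5 trace lines under each JSON-RPC call and reports whether a failure came before the client held an HTTP service ticket or after. The sample lines are constructed (placeholder hosts under example.test, unwrapped log lines assumed), and the function names and stage labels are hypothetical.

```python
import re

TRACE = re.compile(r"\[\d+\] \d+\.\d+: (.*)")  # "[pid] timestamp: message"
RETRIEVE = re.compile(
    r"Retrieving (\S+) -> (\S+) from (\S+) with result: (-?\d+)/(.*)")
TGS_RESULT = re.compile(r"TGS request result: (-?\d+)/")
FORWARD = re.compile(r"Forwarding '([^']+)' to json server '([^']+)'")
FAILED = re.compile(r"command failed, exception: (\w+): (.*)")


def summarize(lines):
    """Group krb5 trace events under the JSON-RPC call they follow."""
    calls, failure, current = [], None, None
    for line in lines:
        m = FORWARD.search(line)
        if m:
            current = {"command": m.group(1), "url": m.group(2),
                       "service": None, "from_cache": None,
                       "tgs_code": None, "cookie": False}
            calls.append(current)
            continue
        m = FAILED.search(line)
        if m:
            failure = (m.group(1), m.group(2))
            continue
        if current is None:
            continue
        if "received Set-Cookie" in line:
            current["cookie"] = True
            continue
        m = TRACE.search(line)
        if not m:
            continue
        msg = m.group(1)
        r = RETRIEVE.match(msg)
        # Only the first lookup of the HTTP service ticket decides hit or miss.
        if r and r.group(2).startswith("HTTP/") and current["service"] is None:
            current["service"] = r.group(2)
            current["from_cache"] = int(r.group(4)) == 0
        t = TGS_RESULT.match(msg)
        if t:
            current["tgs_code"] = int(t.group(1))
    return {"calls": calls, "failure": failure}


def failure_stage(summary):
    """Heuristic label (this example's own): where the run stopped."""
    if summary["failure"] is None:
        return "none"
    if not summary["calls"]:
        return "before-rpc"
    last = summary["calls"][-1]
    have_ticket = last["from_cache"] is True or last["tgs_code"] == 0
    # With a ticket in hand, the exception was raised for the RPC reply.
    return "rpc-reply" if have_ticket else "client-ticket"


# Constructed sample data modelled on the log format quoted in the post.
C = "host/client.example.test@EXAMPLE.TEST"
CC = "FILE:/etc/ipa/.dns_ccache"
MISS = f"-1765328243/Matching credential not found (filename: {CC[5:]})"
COOKIE = "received Set-Cookie (<class 'list'>)'['ipa_session=CONSTRUCTED;']'"

SAMPLE_FAILING = [
    "[try 1]: Forwarding 'schema' to json server 'https://lb.example.test/ipa/json'",
    f"[4637] 1.000001: Retrieving {C} -> HTTP/lb.example.test@EXAMPLE.TEST from {CC} with result: {MISS}",
    f"[4637] 1.000002: Retrieving {C} -> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST from {CC} with result: 0/Success",
    "[4637] 1.000003: TGS request result: 0/Success",
    COOKIE,
    "The ipa-client-install command failed, exception: ACIError: Insufficient access: "
    "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. (Credential cache is empty)",
]
SAMPLE_HEALTHY = [
    "[try 1]: Forwarding 'ping' to json server 'https://ipa1.example.test/ipa/json'",
    f"[3825] 2.000001: Retrieving {C} -> HTTP/ipa1.example.test@ from {CC} with result: {MISS}",
    "[3825] 2.000002: TGS request result: 0/Success",
    COOKIE,
    "[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.example.test/ipa/json'",
    f"[3825] 2.000003: Retrieving {C} -> HTTP/ipa1.example.test@ from {CC} with result: 0/Success",
    COOKIE,
]

if __name__ == "__main__":
    for name, sample in (("failing", SAMPLE_FAILING), ("healthy", SAMPLE_HEALTHY)):
        s = summarize(sample)
        for c in s["calls"]:
            print(name, c["command"], c["service"], c["from_cache"], c["tgs_code"])
        print(name, "stage:", failure_stage(s), "failure:", s["failure"])
```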
