DNS Administrators adding new entry "cn=DNS Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: DNS Servers add description: DNS Servers adding new entry "cn=DNS Servers,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Service Administrators add description: Service Administrators adding new entry "cn=Service Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Automount Administrators add description: Automount Administrators adding new entry "cn=Automount Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Netgroups Administrators add description: Netgroups Administrators adding new entry "cn=Netgroups Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Certificate Administrators add description: Certificate Administrators adding new entry "cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Replication Administrators add description: Replication Administrators add member: cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom adding new entry "cn=Replication Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Host Enrollment add description: Host Enrollment adding new entry "cn=Host Enrollment,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Stage User Administrators add description: Stage User Administrators adding new entry "cn=Stage User Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames nestedgroup add cn: Stage User Provisioning add description: Stage User Provisioning adding new entry "cn=Stage User Provisioning,cn=privileges,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Add Replication Agreements add ipapermissiontype: SYSTEM add member: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Modify Replication Agreements add ipapermissiontype: SYSTEM add member: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Read Replication Agreements add ipapermissiontype: SYSTEM add member: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Remove Replication Agreements add ipapermissiontype: SYSTEM add member: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Modify DNA Range add ipapermissiontype: SYSTEM add member: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Modify DNA Range,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add objectClass: top nsContainer add cn: virtual operations adding new entry "cn=virtual operations,cn=etc,dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Retrieve Certificates from the CA add member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,dc=testipa,dc=dom" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Request Certificate add member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Request Certificate,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,dc=testipa,dc=dom" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Request Certificates from a different host add member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,dc=testipa,dc=dom" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Get Certificates status from the CA add member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=testipa,dc=dom" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Revoke Certificate add member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Revoke Certificate,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,dc=testipa,dc=dom" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "dc=testipa,dc=dom" modify complete add objectClass: top groupofnames ipapermission add cn: Certificate Remove Hold add member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=testipa,dc=dom adding new entry "cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=testipa,dc=dom" modify complete add aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,dc=testipa,dc=dom" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __add_delegation_layout 0.48 sec 2021-10-05T12:07:10Z DEBUG [26/41]: creating container for managed entries 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpop06zldk', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectClass: nsContainer top add cn: Managed Entries adding new entry "cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete add objectClass: nsContainer top add cn: Templates adding new entry "cn=Templates,cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete add objectClass: nsContainer top add cn: Definitions adding new entry "cn=Definitions,cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __managed_entries 0.03 sec 2021-10-05T12:07:10Z DEBUG [27/41]: configuring user private groups 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpk6yv81ld', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectclass: mepTemplateEntry add cn: UPG Template add mepRDNAttr: cn add mepStaticAttr: objectclass: posixgroup objectclass: ipaobject ipaUniqueId: autogenerate add mepMappedAttr: cn: $uid gidNumber: $uidNumber description: User private group for $uid adding new entry "cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete add objectclass: extensibleObject add cn: UPG Definition add originScope: cn=users,cn=accounts,dc=testipa,dc=dom add originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__))) add managedBase: cn=groups,cn=accounts,dc=testipa,dc=dom add managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=testipa,dc=dom adding new entry "cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __user_private_groups 0.03 sec 2021-10-05T12:07:10Z DEBUG [28/41]: configuring netgroups from hostgroups 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpsuv8d988', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectclass: mepTemplateEntry add cn: NGP HGP Template add mepRDNAttr: cn add mepStaticAttr: ipaUniqueId: autogenerate objectclass: ipanisnetgroup objectclass: ipaobject nisDomainName: testipa.dom add mepMappedAttr: cn: $cn memberHost: $dn description: ipaNetgroup $cn adding new entry "cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete add objectclass: extensibleObject add cn: NGP Definition add originScope: cn=hostgroups,cn=accounts,dc=testipa,dc=dom add originFilter: objectclass=ipahostgroup add managedBase: cn=ng,cn=alt,dc=testipa,dc=dom add managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=testipa,dc=dom adding new entry "cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __host_nis_groups 0.03 sec 2021-10-05T12:07:10Z DEBUG [29/41]: creating default Sudo bind user 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp4vu3odb4', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectclass: account simplesecurityobject add uid: sudo add userPassword: XXXXXXXX add passwordExpirationTime: 20380119031407Z add nsIdleTimeout: 0 adding new entry "uid=sudo,cn=sysaccounts,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __add_sudo_binduser 0.06 sec 2021-10-05T12:07:10Z DEBUG [30/41]: creating default Auto Member layout 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpzerlh15t', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add nsslapd-pluginConfigArea: cn=automember,cn=etc,dc=testipa,dc=dom modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config" modify complete add objectClass: top nsContainer add cn: automember adding new entry "cn=automember,cn=etc,dc=testipa,dc=dom" modify complete add objectclass: autoMemberDefinition add cn: Hostgroup add autoMemberScope: cn=computers,cn=accounts,dc=testipa,dc=dom add autoMemberFilter: objectclass=ipaHost add autoMemberGroupingAttr: member:dn adding new entry "cn=Hostgroup,cn=automember,cn=etc,dc=testipa,dc=dom" modify complete add objectclass: autoMemberDefinition add cn: Group add autoMemberScope: cn=users,cn=accounts,dc=testipa,dc=dom add autoMemberFilter: objectclass=posixAccount add autoMemberGroupingAttr: member:dn adding new entry "cn=Group,cn=automember,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __add_automember_config 0.07 sec 2021-10-05T12:07:10Z DEBUG [31/41]: adding range check plugin 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpmbp7ypi0', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA Range-Check add nsslapd-pluginpath: libipa_range_check add nsslapd-plugininitfunc: ipa_range_check_init add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_range_check_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA Range-Check plugin add nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=testipa,dc=dom adding new entry "cn=IPA Range-Check,cn=plugins,cn=config" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __add_range_check_plugin 0.04 sec 2021-10-05T12:07:10Z DEBUG [32/41]: creating default HBAC rule allow_all 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp9u_ulxz_', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectclass: ipaassociation ipahbacrule add cn: allow_all add accessruletype: allow add usercategory: all add hostcategory: all add servicecategory: all add ipaenabledflag: TRUE add description: Allow all users to access any host from any host add ipauniqueid: autogenerate adding new entry "ipauniqueid=autogenerate,cn=hbac,dc=testipa,dc=dom" modify complete add objectclass: ipaassociation ipahbacrule add cn: allow_systemd-user add accessruletype: allow add usercategory: all add hostcategory: all add memberService: cn=systemd-user,cn=hbacservices,cn=hbac,dc=testipa,dc=dom add ipaenabledflag: TRUE add description: Allow pam_systemd to run user@.service to create a system user session add ipauniqueid: autogenerate adding new entry "ipauniqueid=autogenerate,cn=hbac,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv add_hbac 0.06 sec 2021-10-05T12:07:10Z DEBUG [33/41]: adding entries for topology management 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp89twltdo', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectclass: top nsContainer add cn: topology adding new entry "cn=topology,cn=ipa,cn=etc,dc=testipa,dc=dom" modify complete add objectclass: top iparepltopoconf add ipaReplTopoConfRoot: dc=testipa,dc=dom add nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount add nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount add nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp add cn: domain adding new entry "cn=domain,cn=topology,cn=ipa,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG step duration: dirsrv __add_topology_entries 0.03 sec 2021-10-05T12:07:10Z DEBUG [34/41]: initializing group membership 2021-10-05T12:07:10Z DEBUG Starting external process 2021-10-05T12:07:10Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpkqgc6a2n', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:10Z DEBUG Process finished, return code=0 2021-10-05T12:07:10Z DEBUG stdout=add objectClass: top extensibleObject add cn: IPA install add basedn: dc=testipa,dc=dom add filter: (objectclass=*) add ttl: 10 adding new entry "cn=IPA install 1633435608, cn=memberof task, cn=tasks, cn=config" modify complete 2021-10-05T12:07:10Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:10Z DEBUG Waiting for memberof task to complete. 2021-10-05T12:07:11Z DEBUG step duration: dirsrv init_memberof 1.04 sec 2021-10-05T12:07:11Z DEBUG [35/41]: adding master entry 2021-10-05T12:07:11Z DEBUG Starting external process 2021-10-05T12:07:11Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp8b18x89k', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:11Z DEBUG Process finished, return code=0 2021-10-05T12:07:11Z DEBUG stdout=add objectclass: top nsContainer ipaReplTopoManagedServer ipaConfigObject ipaSupportedDomainLevelConfig add cn: dc1.testipa.dom add ipaReplTopoManagedSuffix: dc=testipa,dc=dom add ipaMinDomainLevel: 1 add ipaMaxDomainLevel: 1 adding new entry "cn=dc1.testipa.dom,cn=masters,cn=ipa,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:11Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:11Z DEBUG step duration: dirsrv __add_master_entry 0.03 sec 2021-10-05T12:07:11Z DEBUG [36/41]: initializing domain level 2021-10-05T12:07:11Z DEBUG Starting external process 2021-10-05T12:07:11Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmps_grm2u3', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:11Z DEBUG Process finished, return code=0 2021-10-05T12:07:11Z DEBUG stdout=add objectClass: top nsContainer ipaDomainLevelConfig add ipaDomainLevel: 1 adding new entry "cn=Domain Level,cn=ipa,cn=etc,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:11Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:11Z DEBUG step duration: dirsrv __set_domain_level 0.03 sec 2021-10-05T12:07:11Z DEBUG [37/41]: configuring Posix uid/gid generation 2021-10-05T12:07:11Z DEBUG Starting external process 2021-10-05T12:07:11Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpcob_kef_', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:11Z DEBUG Process finished, return code=0 2021-10-05T12:07:11Z DEBUG stdout=add objectclass: top extensibleObject add cn: Posix IDs add dnaType: uidNumber gidNumber add dnaNextValue: 1870800000 add dnaMaxValue: 1870999999 add dnaMagicRegen: -1 add dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)) add dnaScope: dc=testipa,dc=dom add dnaThreshold: 500 add dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testipa,dc=dom add dnaExcludeScope: cn=provisioning,dc=testipa,dc=dom adding new entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" modify complete add objectclass: top extensibleObject add cn: Subordinate IDs add dnaType: ipasubuidnumber ipasubgidnumber add dnaNextValue: 2147483648 add dnaMaxValue: 4294836224 add dnaMagicRegen: -1 add dnaFilter: (objectClass=ipaSubordinateId) add dnaScope: dc=testipa,dc=dom add dnaThreshold: 500 add dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,dc=testipa,dc=dom add dnaExcludeScope: cn=provisioning,dc=testipa,dc=dom add dnaInterval: 65536 adding new entry "cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" modify complete replace nsslapd-pluginEnabled: on modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" modify complete 2021-10-05T12:07:11Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:11Z DEBUG step duration: dirsrv __config_uidgid_gen 0.07 sec 2021-10-05T12:07:11Z DEBUG [38/41]: adding replication acis 2021-10-05T12:07:11Z DEBUG Starting external process 2021-10-05T12:07:11Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpfji6d249', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:11Z DEBUG Process finished, return code=0 2021-10-05T12:07:11Z DEBUG stdout=add aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=mapping tree,cn=config" modify complete add aci: (targetattr = "*")(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=mapping tree,cn=config" modify complete add aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=mapping tree,cn=config" modify complete add aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=mapping tree,cn=config" modify complete add aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" modify complete add aci: (targetattr = "nsslapd-readonly")(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add aci: (targetattr = "*")(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=testipa,dc=dom";) modifying entry "cn=tasks,cn=config" modify complete 2021-10-05T12:07:11Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:11Z DEBUG step duration: dirsrv __add_replication_acis 0.13 sec 2021-10-05T12:07:11Z DEBUG [39/41]: activating sidgen plugin 2021-10-05T12:07:12Z DEBUG Starting external process 2021-10-05T12:07:12Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmprrpwtzwu', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:12Z DEBUG Process finished, return code=0 2021-10-05T12:07:12Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA SIDGEN add nsslapd-pluginpath: libipa_sidgen add nsslapd-plugininitfunc: ipa_sidgen_init add nsslapd-plugintype: postoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_sidgen_postop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA SIDGEN post operation add nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=testipa,dc=dom adding new entry "cn=IPA SIDGEN,cn=plugins,cn=config" modify complete 2021-10-05T12:07:12Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:12Z DEBUG step duration: dirsrv _add_sidgen_plugin 0.14 sec 2021-10-05T12:07:12Z DEBUG [40/41]: activating extdom plugin 2021-10-05T12:07:12Z DEBUG Starting external process 2021-10-05T12:07:12Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpo2i3tip7', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:12Z DEBUG Process finished, return code=0 2021-10-05T12:07:12Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_extdom_extop add nsslapd-pluginpath: libipa_extdom_extop add nsslapd-plugininitfunc: ipa_extdom_init add nsslapd-plugintype: extendedop add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_extdom_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back add nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=testipa,dc=dom adding new entry "cn=ipa_extdom_extop,cn=plugins,cn=config" modify complete 2021-10-05T12:07:12Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:12Z DEBUG step duration: dirsrv _add_extdom_plugin 0.04 sec 2021-10-05T12:07:12Z DEBUG [41/41]: configuring directory to start on boot 2021-10-05T12:07:12Z DEBUG Starting external process 2021-10-05T12:07:12Z DEBUG args=['/bin/systemctl', 'is-enabled', 'dirsrv@TESTIPA-DOM.service'] 2021-10-05T12:07:12Z DEBUG Process finished, return code=0 2021-10-05T12:07:12Z DEBUG stdout=enabled 2021-10-05T12:07:12Z DEBUG stderr= 2021-10-05T12:07:12Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:12Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:12Z DEBUG Starting external process 2021-10-05T12:07:12Z DEBUG args=['/bin/systemctl', 'disable', 'dirsrv@TESTIPA-DOM.service'] 2021-10-05T12:07:12Z DEBUG Process finished, return code=0 2021-10-05T12:07:12Z DEBUG stdout= 2021-10-05T12:07:12Z DEBUG stderr=Removed /etc/systemd/system/dirsrv.target.wants/dirsrv@TESTIPA-DOM.service. Removed /etc/systemd/system/multi-user.target.wants/dirsrv@TESTIPA-DOM.service. 2021-10-05T12:07:12Z DEBUG step duration: dirsrv __enable 0.80 sec 2021-10-05T12:07:12Z DEBUG Done configuring directory server (dirsrv). 2021-10-05T12:07:12Z DEBUG service duration: dirsrv 24.86 sec 2021-10-05T12:07:12Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:12Z DEBUG Starting external process 2021-10-05T12:07:12Z DEBUG args=['/usr/bin/keyctl', 'get_persistent', '@s', '0'] 2021-10-05T12:07:12Z DEBUG Process finished, return code=0 2021-10-05T12:07:12Z DEBUG stdout=845135086 2021-10-05T12:07:12Z DEBUG stderr= 2021-10-05T12:07:12Z DEBUG Enabling persistent keyring CCACHE 2021-10-05T12:07:12Z DEBUG Starting external process 2021-10-05T12:07:12Z DEBUG args=['/bin/systemctl', 'is-active', 'krb5kdc.service'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=3 2021-10-05T12:07:13Z DEBUG stdout=inactive 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/bin/systemctl', 'stop', 'krb5kdc.service'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout= 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG Stop of krb5kdc.service complete 2021-10-05T12:07:13Z DEBUG Configuring Kerberos KDC (krb5kdc) 2021-10-05T12:07:13Z DEBUG [1/10]: adding kerberos container to the directory 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpqz05r7bw', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=add objectClass: krbContainer top add cn: kerberos adding new entry "cn=kerberos,dc=testipa,dc=dom" modify complete add cn: TESTIPA.DOM add objectClass: top krbrealmcontainer krbticketpolicyaux add krbSubTrees: dc=testipa,dc=dom add krbSearchScope: 2 add krbSupportedEncSaltTypes: aes256-cts:normal aes256-cts:special aes128-cts:normal aes128-cts:special aes128-sha2:normal aes128-sha2:special aes256-sha2:normal aes256-sha2:special camellia128-cts-cmac:normal camellia128-cts-cmac:special camellia256-cts-cmac:normal camellia256-cts-cmac:special add krbMaxTicketLife: 86400 add krbMaxRenewableAge: 604800 add krbDefaultEncSaltTypes: aes256-cts:special aes128-cts:special adding new entry "cn=TESTIPA.DOM,cn=kerberos,dc=testipa,dc=dom" modify complete add objectClass: top nsContainer krbPwdPolicy add krbMinPwdLife: 3600 add krbPwdMinDiffChars: 0 add krbPwdMinLength: 8 add krbPwdHistoryLength: 0 add krbMaxPwdLife: 7776000 add krbPwdMaxFailure: 6 add krbPwdFailureCountInterval: 60 add krbPwdLockoutDuration: 600 adding new entry "cn=global_policy,cn=TESTIPA.DOM,cn=kerberos,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:13Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:13Z DEBUG step duration: krb5kdc __add_krb_container 0.03 sec 2021-10-05T12:07:13Z DEBUG [2/10]: configuring KDC 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/kdc.conf' 2021-10-05T12:07:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/etc/krb5.conf' 2021-10-05T12:07:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/etc/krb5.conf.d/freeipa-server' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/etc/krb5.conf.d/freeipa-server' doesn't exist 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/etc/krb5.conf.d/freeipa' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/etc/krb5.conf.d/freeipa' doesn't exist 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb5.ini' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/usr/share/ipa/html/krb5.ini' doesn't exist 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb.con' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/usr/share/ipa/html/krb.con' doesn't exist 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krbrealm.con' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/usr/share/ipa/html/krbrealm.con' doesn't exist 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/bin/klist', '-V'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=Kerberos 5 version 1.18.2 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/etc/sysconfig/krb5kdc' 2021-10-05T12:07:13Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/sbin/selinuxenabled'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=1 2021-10-05T12:07:13Z DEBUG stdout= 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG step duration: krb5kdc __configure_instance 0.06 sec 2021-10-05T12:07:13Z DEBUG [3/10]: initialize kerberos container 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'TESTIPA.DOM', '-x', 'ipa-setup-override-restrictions'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TESTIPA.DOM', master key name 'K/M@TESTIPA.DOM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG step duration: krb5kdc __init_ipa_kdb 0.18 sec 2021-10-05T12:07:13Z DEBUG [4/10]: adding default ACIs 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpsqcw2q8z', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=add aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) modifying entry "dc=testipa,dc=dom" modify complete add aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";) (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";) (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";) modifying entry "dc=testipa,dc=dom" modify complete add aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) modifying entry "cn=etc,dc=testipa,dc=dom" modify complete add aci: (targetfilter = "(|(objectClass=ipaConfigObject)(dnahostname=*))")(version 3.0;acl "Admins can change GUI config"; allow (delete) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) modifying entry "cn=ipa,cn=etc,dc=testipa,dc=dom" modify complete add aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Users allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#USERDN";) (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Groups allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";) (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Users allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#USERDN";) (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Groups allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#GROUPDN";) (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";) (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";) modifying entry "cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=testipa,dc=dom")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) modifying entry "cn=services,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage service Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) modifying entry "cn=services,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";) modifying entry "cn=computers,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) modifying entry "cn=computers,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=testipa,dc=dom")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=testipa,dc=dom";) modifying entry "cn=computers,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) modifying entry "cn=groups,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) modifying entry "cn=hostgroups,cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) modifying entry "cn=accounts,dc=testipa,dc=dom" modify complete add aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";) (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPtimeStep")(version 3.0; acl "Users/managers can see TOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";) (targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl "Users/managers can see HOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";) (targetfilter = "(objectClass=ipaToken)")(targetattrs = "description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Managers can write basic token info"; allow (write) userattr = "managedBy#USERDN";) (targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Managers can delete tokens"; allow (delete) userattr = "managedBy#USERDN";) (target = "ldap:///ipatokenuniqueid=*,cn=otp,dc=testipa,dc=dom")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create self-managed tokens"; allow (add) userattr = "ipatokenOwner#SELFDN" and userattr = "managedBy#SELFDN";) modifying entry "dc=testipa,dc=dom" modify complete 2021-10-05T12:07:13Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:13Z DEBUG step duration: krb5kdc __add_default_acis 0.07 sec 2021-10-05T12:07:13Z DEBUG [5/10]: creating a keytab for the directory 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey ldap/dc1.testipa.dom@TESTIPA.DOM', '-x', 'ipa-setup-override-restrictions'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=Authenticating as principal user/admin@TESTIPA.DOM with password. Principal "ldap/dc1.testipa.dom@TESTIPA.DOM" created. 2021-10-05T12:07:13Z DEBUG stderr=No policy specified for ldap/dc1.testipa.dom@TESTIPA.DOM; defaulting to no policy 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/sbin/kadmin.local', '-q', 'ktadd -k /etc/dirsrv/ds.keytab ldap/dc1.testipa.dom@TESTIPA.DOM', '-x', 'ipa-setup-override-restrictions'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=Authenticating as principal user/admin@TESTIPA.DOM with password. Entry for principal ldap/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/dirsrv/ds.keytab. Entry for principal ldap/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/dirsrv/ds.keytab. Entry for principal ldap/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/dirsrv/ds.keytab. Entry for principal ldap/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/dirsrv/ds.keytab. Entry for principal ldap/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/dirsrv/ds.keytab. Entry for principal ldap/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/dirsrv/ds.keytab. 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG step duration: krb5kdc __create_ds_keytab 0.23 sec 2021-10-05T12:07:13Z DEBUG [6/10]: creating a keytab for the machine 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey host/dc1.testipa.dom@TESTIPA.DOM', '-x', 'ipa-setup-override-restrictions'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=Authenticating as principal user/admin@TESTIPA.DOM with password. Principal "host/dc1.testipa.dom@TESTIPA.DOM" created. 2021-10-05T12:07:13Z DEBUG stderr=No policy specified for host/dc1.testipa.dom@TESTIPA.DOM; defaulting to no policy 2021-10-05T12:07:13Z DEBUG Backing up system configuration file '/etc/krb5.keytab' 2021-10-05T12:07:13Z DEBUG -> Not backing up - '/etc/krb5.keytab' doesn't exist 2021-10-05T12:07:13Z DEBUG Starting external process 2021-10-05T12:07:13Z DEBUG args=['/usr/sbin/kadmin.local', '-q', 'ktadd -k /etc/krb5.keytab host/dc1.testipa.dom@TESTIPA.DOM', '-x', 'ipa-setup-override-restrictions'] 2021-10-05T12:07:13Z DEBUG Process finished, return code=0 2021-10-05T12:07:13Z DEBUG stdout=Authenticating as principal user/admin@TESTIPA.DOM with password. Entry for principal host/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dc1.testipa.dom@TESTIPA.DOM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab. 2021-10-05T12:07:13Z DEBUG stderr= 2021-10-05T12:07:13Z DEBUG importing all plugin modules in ipaserver.plugins... 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.aci 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.automember 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.automount 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.baseldap 2021-10-05T12:07:13Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.baseuser 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.batch 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.ca 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.caacl 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.cert 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.certmap 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.certprofile 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.config 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.delegation 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.dns 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.dogtag 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.group 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.hbac 2021-10-05T12:07:13Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.hbactest 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.host 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.idrange 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.idviews 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.internal 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.join 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.ldap2 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.location 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.migration 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.misc 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.netgroup 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.otp 2021-10-05T12:07:13Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.otptoken 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.passwd 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.permission 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.ping 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.pkinit 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.privilege 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.rabase 2021-10-05T12:07:13Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.role 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.schema 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.selfservice 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.server 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.serverrole 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.serverroles 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.service 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.session 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.stageuser 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.subid 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.sudo 2021-10-05T12:07:13Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.sudorule 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.topology 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.trust 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.user 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.vault 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.virtual 2021-10-05T12:07:13Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.whoami 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2021-10-05T12:07:13Z DEBUG importing all plugin modules in ipaserver.install.plugins... 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.adtrust 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.dns 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_changelog_maxage 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_nis 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_pwpolicy 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_referint 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_services 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_unhashed_password 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness 2021-10-05T12:07:13Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt 2021-10-05T12:07:17Z DEBUG Created connection context.ldap2_139948225480256 2021-10-05T12:07:17Z DEBUG raw: idrange_show('TESTIPA.DOM_id_range', version='2.243') 2021-10-05T12:07:17Z DEBUG idrange_show('TESTIPA.DOM_id_range', rights=False, all=False, raw=False, version='2.243') 2021-10-05T12:07:17Z DEBUG flushing ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket from SchemaCache 2021-10-05T12:07:17Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket conn= 2021-10-05T12:07:17Z DEBUG Parsing update file '/usr/share/ipa/updates/20-ipaservers_hostgroup.update' 2021-10-05T12:07:17Z DEBUG Updating existing entry: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG --------------------------------------------- 2021-10-05T12:07:17Z DEBUG Initial value 2021-10-05T12:07:17Z DEBUG dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG objectClass: 2021-10-05T12:07:17Z DEBUG top 2021-10-05T12:07:17Z DEBUG groupOfNames 2021-10-05T12:07:17Z DEBUG nestedGroup 2021-10-05T12:07:17Z DEBUG ipaobject 2021-10-05T12:07:17Z DEBUG ipahostgroup 2021-10-05T12:07:17Z DEBUG description: 2021-10-05T12:07:17Z DEBUG IPA server hosts 2021-10-05T12:07:17Z DEBUG cn: 2021-10-05T12:07:17Z DEBUG ipaservers 2021-10-05T12:07:17Z DEBUG ipaUniqueID: 2021-10-05T12:07:17Z DEBUG c41b2d88-25d4-11ec-a74a-08002747e0bc 2021-10-05T12:07:17Z DEBUG --------------------------------------------- 2021-10-05T12:07:17Z DEBUG Final value after applying updates 2021-10-05T12:07:17Z DEBUG dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG objectClass: 2021-10-05T12:07:17Z DEBUG top 2021-10-05T12:07:17Z DEBUG groupOfNames 2021-10-05T12:07:17Z DEBUG nestedGroup 2021-10-05T12:07:17Z DEBUG ipaobject 2021-10-05T12:07:17Z DEBUG ipahostgroup 2021-10-05T12:07:17Z DEBUG description: 2021-10-05T12:07:17Z DEBUG IPA server hosts 2021-10-05T12:07:17Z DEBUG cn: 2021-10-05T12:07:17Z DEBUG ipaservers 2021-10-05T12:07:17Z DEBUG ipaUniqueID: 2021-10-05T12:07:17Z DEBUG c41b2d88-25d4-11ec-a74a-08002747e0bc 2021-10-05T12:07:17Z DEBUG [] 2021-10-05T12:07:17Z DEBUG Updated 0 2021-10-05T12:07:17Z DEBUG Done 2021-10-05T12:07:17Z DEBUG Updating existing entry: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG --------------------------------------------- 2021-10-05T12:07:17Z DEBUG Initial value 2021-10-05T12:07:17Z DEBUG dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG objectClass: 2021-10-05T12:07:17Z DEBUG top 2021-10-05T12:07:17Z DEBUG groupOfNames 2021-10-05T12:07:17Z DEBUG nestedGroup 2021-10-05T12:07:17Z DEBUG ipaobject 2021-10-05T12:07:17Z DEBUG ipahostgroup 2021-10-05T12:07:17Z DEBUG description: 2021-10-05T12:07:17Z DEBUG IPA server hosts 2021-10-05T12:07:17Z DEBUG cn: 2021-10-05T12:07:17Z DEBUG ipaservers 2021-10-05T12:07:17Z DEBUG ipaUniqueID: 2021-10-05T12:07:17Z DEBUG c41b2d88-25d4-11ec-a74a-08002747e0bc 2021-10-05T12:07:17Z DEBUG add: 'fqdn=dc1.testipa.dom,cn=computers,cn=accounts,dc=testipa,dc=dom' to member, current value [] 2021-10-05T12:07:17Z DEBUG add: updated value ['fqdn=dc1.testipa.dom,cn=computers,cn=accounts,dc=testipa,dc=dom'] 2021-10-05T12:07:17Z DEBUG --------------------------------------------- 2021-10-05T12:07:17Z DEBUG Final value after applying updates 2021-10-05T12:07:17Z DEBUG dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG objectClass: 2021-10-05T12:07:17Z DEBUG top 2021-10-05T12:07:17Z DEBUG groupOfNames 2021-10-05T12:07:17Z DEBUG nestedGroup 2021-10-05T12:07:17Z DEBUG ipaobject 2021-10-05T12:07:17Z DEBUG ipahostgroup 2021-10-05T12:07:17Z DEBUG description: 2021-10-05T12:07:17Z DEBUG IPA server hosts 2021-10-05T12:07:17Z DEBUG cn: 2021-10-05T12:07:17Z DEBUG ipaservers 2021-10-05T12:07:17Z DEBUG ipaUniqueID: 2021-10-05T12:07:17Z DEBUG c41b2d88-25d4-11ec-a74a-08002747e0bc 2021-10-05T12:07:17Z DEBUG member: 2021-10-05T12:07:17Z DEBUG fqdn=dc1.testipa.dom,cn=computers,cn=accounts,dc=testipa,dc=dom 2021-10-05T12:07:17Z DEBUG [(2, 'member', ['fqdn=dc1.testipa.dom,cn=computers,cn=accounts,dc=testipa,dc=dom'])] 2021-10-05T12:07:17Z DEBUG Updated 1 2021-10-05T12:07:17Z DEBUG update_entry modlist [(2, 'member', [b'fqdn=dc1.testipa.dom,cn=computers,cn=accounts,dc=testipa,dc=dom'])] 2021-10-05T12:07:17Z DEBUG Done 2021-10-05T12:07:17Z DEBUG LDAP update duration: /usr/share/ipa/updates/20-ipaservers_hostgroup.update 0.029 sec 2021-10-05T12:07:17Z DEBUG Destroyed connection context.ldap2_139948225480256 2021-10-05T12:07:17Z DEBUG step duration: krb5kdc __create_host_keytab 4.25 sec 2021-10-05T12:07:17Z DEBUG [7/10]: adding the password extension to the directory 2021-10-05T12:07:17Z DEBUG Starting external process 2021-10-05T12:07:17Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpdfl2kcnq', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:17Z DEBUG Process finished, return code=0 2021-10-05T12:07:17Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_pwd_extop add nsslapd-pluginpath: libipa_pwd_extop add nsslapd-plugininitfunc: ipapwd_init add nsslapd-plugintype: extendedop add nsslapd-pluginbetxn: on add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_pwd_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.) add nsslapd-plugin-depends-on-type: database add nsslapd-realmTree: dc=testipa,dc=dom adding new entry "cn=ipa_pwd_extop,cn=plugins,cn=config" modify complete 2021-10-05T12:07:17Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:17Z DEBUG step duration: krb5kdc __add_pwd_extop_module 0.03 sec 2021-10-05T12:07:17Z DEBUG [8/10]: creating anonymous principal 2021-10-05T12:07:17Z DEBUG Starting external process 2021-10-05T12:07:17Z DEBUG args=['/usr/sbin/kadmin.local', '-q', 'addprinc -randkey WELLKNOWN/ANONYMOUS@TESTIPA.DOM', '-x', 'ipa-setup-override-restrictions'] 2021-10-05T12:07:18Z DEBUG Process finished, return code=0 2021-10-05T12:07:18Z DEBUG stdout=Authenticating as principal user/admin@TESTIPA.DOM with password. Principal "WELLKNOWN/ANONYMOUS@TESTIPA.DOM" created. 2021-10-05T12:07:18Z DEBUG stderr=No policy specified for WELLKNOWN/ANONYMOUS@TESTIPA.DOM; defaulting to no policy 2021-10-05T12:07:18Z DEBUG Starting external process 2021-10-05T12:07:18Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpqnj4cirg', '-H', 'ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket', '-Y', 'EXTERNAL'] 2021-10-05T12:07:18Z DEBUG Process finished, return code=0 2021-10-05T12:07:18Z DEBUG stdout=add objectclass: ipaAllowedOperations add aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";) add ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,dc=testipa,dc=dom modifying entry "krbPrincipalName=WELLKNOWN/ANONYMOUS@TESTIPA.DOM,cn=TESTIPA.DOM,cn=kerberos,dc=testipa,dc=dom" modify complete 2021-10-05T12:07:18Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2021-10-05T12:07:18Z DEBUG step duration: krb5kdc add_anonymous_principal 0.21 sec 2021-10-05T12:07:18Z DEBUG [9/10]: starting the KDC 2021-10-05T12:07:18Z DEBUG Starting external process 2021-10-05T12:07:18Z DEBUG args=['/bin/systemctl', 'start', 'krb5kdc.service'] 2021-10-05T12:07:18Z DEBUG Process finished, return code=0 2021-10-05T12:07:18Z DEBUG stdout= 2021-10-05T12:07:18Z DEBUG stderr= 2021-10-05T12:07:18Z DEBUG Starting external process 2021-10-05T12:07:18Z DEBUG args=['/bin/systemctl', 'is-active', 'krb5kdc.service'] 2021-10-05T12:07:18Z DEBUG Process finished, return code=0 2021-10-05T12:07:18Z DEBUG stdout=active 2021-10-05T12:07:18Z DEBUG stderr= 2021-10-05T12:07:18Z DEBUG Start of krb5kdc.service complete 2021-10-05T12:07:18Z DEBUG step duration: krb5kdc __start_instance 0.18 sec 2021-10-05T12:07:18Z DEBUG [10/10]: configuring KDC to start on boot 2021-10-05T12:07:18Z DEBUG Starting external process 2021-10-05T12:07:18Z DEBUG args=['/bin/systemctl', 'is-enabled', 'krb5kdc.service'] 2021-10-05T12:07:18Z DEBUG Process finished, return code=1 2021-10-05T12:07:18Z DEBUG stdout=disabled 2021-10-05T12:07:18Z DEBUG stderr= 2021-10-05T12:07:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:18Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:18Z DEBUG Starting external process 2021-10-05T12:07:18Z DEBUG args=['/bin/systemctl', 'unmask', 'krb5kdc.service'] 2021-10-05T12:07:19Z DEBUG Process finished, return code=0 2021-10-05T12:07:19Z DEBUG stdout= 2021-10-05T12:07:19Z DEBUG stderr= 2021-10-05T12:07:19Z DEBUG Starting external process 2021-10-05T12:07:19Z DEBUG args=['/bin/systemctl', 'disable', 'krb5kdc.service'] 2021-10-05T12:07:19Z DEBUG Process finished, return code=0 2021-10-05T12:07:19Z DEBUG stdout= 2021-10-05T12:07:19Z DEBUG stderr= 2021-10-05T12:07:19Z DEBUG step duration: krb5kdc __enable 1.58 sec 2021-10-05T12:07:19Z DEBUG Done configuring Kerberos KDC (krb5kdc). 2021-10-05T12:07:19Z DEBUG service duration: krb5kdc 6.85 sec 2021-10-05T12:07:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-10-05T12:07:19Z DEBUG Configuring kadmin 2021-10-05T12:07:19Z DEBUG [1/2]: starting kadmin 2021-10-05T12:07:19Z DEBUG Starting external process 2021-10-05T12:07:19Z DEBUG args=['/bin/systemctl', 'is-active', 'kadmin.service'] 2021-10-05T12:07:19Z DEBUG Process finished, return code=3 2021-10-05T12:07:19Z DEBUG stdout=inactive 2021-10-05T12:07:19Z DEBUG stderr= 2021-10-05T12:07:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:19Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:19Z DEBUG Starting external process 2021-10-05T12:07:19Z DEBUG args=['/bin/systemctl', 'restart', 'kadmin.service'] 2021-10-05T12:07:20Z DEBUG Process finished, return code=0 2021-10-05T12:07:20Z DEBUG stdout= 2021-10-05T12:07:20Z DEBUG stderr= 2021-10-05T12:07:20Z DEBUG Starting external process 2021-10-05T12:07:20Z DEBUG args=['/bin/systemctl', 'is-active', 'kadmin.service'] 2021-10-05T12:07:20Z DEBUG Process finished, return code=0 2021-10-05T12:07:20Z DEBUG stdout=active 2021-10-05T12:07:20Z DEBUG stderr= 2021-10-05T12:07:20Z DEBUG Restart of kadmin.service complete 2021-10-05T12:07:20Z DEBUG step duration: kadmin __start 0.16 sec 2021-10-05T12:07:20Z DEBUG [2/2]: configuring kadmin to start on boot 2021-10-05T12:07:20Z DEBUG Starting external process 2021-10-05T12:07:20Z DEBUG args=['/bin/systemctl', 'is-enabled', 'kadmin.service'] 2021-10-05T12:07:20Z DEBUG Process finished, return code=1 2021-10-05T12:07:20Z DEBUG stdout=disabled 2021-10-05T12:07:20Z DEBUG stderr= 2021-10-05T12:07:20Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:20Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:20Z DEBUG Starting external process 2021-10-05T12:07:20Z DEBUG args=['/bin/systemctl', 'unmask', 'kadmin.service'] 2021-10-05T12:07:20Z DEBUG Process finished, return code=0 2021-10-05T12:07:20Z DEBUG stdout= 2021-10-05T12:07:20Z DEBUG stderr= 2021-10-05T12:07:20Z DEBUG Starting external process 2021-10-05T12:07:20Z DEBUG args=['/bin/systemctl', 'disable', 'kadmin.service'] 2021-10-05T12:07:21Z DEBUG Process finished, return code=0 2021-10-05T12:07:21Z DEBUG stdout= 2021-10-05T12:07:21Z DEBUG stderr= 2021-10-05T12:07:21Z DEBUG step duration: kadmin __enable 1.67 sec 2021-10-05T12:07:21Z DEBUG Done configuring kadmin. 2021-10-05T12:07:21Z DEBUG service duration: kadmin 1.85 sec 2021-10-05T12:07:21Z DEBUG Custodia client for '' with promotion no. 2021-10-05T12:07:21Z DEBUG Custodia uses LDAPI. 2021-10-05T12:07:21Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:21Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-10-05T12:07:21Z DEBUG Configuring ipa-custodia 2021-10-05T12:07:21Z DEBUG [1/5]: Making sure custodia container exists 2021-10-05T12:07:21Z DEBUG importing all plugin modules in ipaserver.plugins... 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.aci 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.automember 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.automount 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.baseldap 2021-10-05T12:07:21Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.baseuser 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.batch 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.ca 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.caacl 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.cert 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.certmap 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.certprofile 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.config 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.delegation 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.dns 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.dogtag 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.group 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.hbac 2021-10-05T12:07:21Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.hbactest 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.host 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.idrange 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.idviews 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.internal 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.join 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.ldap2 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.location 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.migration 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.misc 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.netgroup 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.otp 2021-10-05T12:07:21Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.otptoken 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.passwd 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.permission 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.ping 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.pkinit 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.privilege 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.rabase 2021-10-05T12:07:21Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.role 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.schema 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.selfservice 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.server 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.serverrole 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.serverroles 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.service 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.session 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.stageuser 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.subid 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.sudo 2021-10-05T12:07:21Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.sudorule 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.topology 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.trust 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.user 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.vault 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.virtual 2021-10-05T12:07:21Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.whoami 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2021-10-05T12:07:21Z DEBUG importing all plugin modules in ipaserver.install.plugins... 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.adtrust 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.dns 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_changelog_maxage 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_nis 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_pwpolicy 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_referint 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_services 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_unhashed_password 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness 2021-10-05T12:07:21Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt 2021-10-05T12:07:25Z DEBUG Created connection context.ldap2_139948234241456 2021-10-05T12:07:25Z DEBUG raw: idrange_show('TESTIPA.DOM_id_range', version='2.243') 2021-10-05T12:07:25Z DEBUG idrange_show('TESTIPA.DOM_id_range', rights=False, all=False, raw=False, version='2.243') 2021-10-05T12:07:25Z DEBUG flushing ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket from SchemaCache 2021-10-05T12:07:25Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TESTIPA-DOM.socket conn= 2021-10-05T12:07:25Z DEBUG Parsing update file '/usr/share/ipa/updates/73-custodia.update' 2021-10-05T12:07:25Z DEBUG Updating existing entry: cn=custodia,cn=ipa,cn=etc,dc=testipa,dc=dom 2021-10-05T12:07:25Z DEBUG --------------------------------------------- 2021-10-05T12:07:25Z DEBUG Initial value 2021-10-05T12:07:25Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=testipa,dc=dom 2021-10-05T12:07:25Z DEBUG objectClass: 2021-10-05T12:07:25Z DEBUG nsContainer 2021-10-05T12:07:25Z DEBUG top 2021-10-05T12:07:25Z DEBUG cn: 2021-10-05T12:07:25Z DEBUG custodia 2021-10-05T12:07:25Z DEBUG --------------------------------------------- 2021-10-05T12:07:25Z DEBUG Final value after applying updates 2021-10-05T12:07:25Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=testipa,dc=dom 2021-10-05T12:07:25Z DEBUG objectClass: 2021-10-05T12:07:25Z DEBUG nsContainer 2021-10-05T12:07:25Z DEBUG top 2021-10-05T12:07:25Z DEBUG cn: 2021-10-05T12:07:25Z DEBUG custodia 2021-10-05T12:07:25Z DEBUG [] 2021-10-05T12:07:25Z DEBUG Updated 0 2021-10-05T12:07:25Z DEBUG Done 2021-10-05T12:07:25Z DEBUG Updating existing entry: cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=testipa,dc=dom 2021-10-05T12:07:25Z DEBUG --------------------------------------------- 2021-10-05T12:07:25Z DEBUG Initial value 2021-10-05T12:07:25Z DEBUG dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=testipa,dc=dom 2021-10-05T12:07:25Z DEBUG objectClass: 2021-10-05T12:07:25Z DEBUG nsContainer 2021-10-05T12:07:25Z DEBUG top 2021-10-05T12:07:25Z DEBUG cn: 2021-10-05T12:07:25Z DEBUG dogtag 2021-10-05T12:07:25Z DEBUG --------------------------------------------- 2021-10-05T12:07:25Z DEBUG Final value after applying updates 2021-10-05T12:07:25Z DEBUG dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=testipa,dc=dom 2021-10-05T12:07:25Z DEBUG objectClass: 2021-10-05T12:07:25Z DEBUG nsContainer 2021-10-05T12:07:25Z DEBUG top 2021-10-05T12:07:25Z DEBUG cn: 2021-10-05T12:07:25Z DEBUG dogtag 2021-10-05T12:07:25Z DEBUG [] 2021-10-05T12:07:25Z DEBUG Updated 0 2021-10-05T12:07:25Z DEBUG Done 2021-10-05T12:07:25Z DEBUG LDAP update duration: /usr/share/ipa/updates/73-custodia.update 0.008 sec 2021-10-05T12:07:25Z DEBUG Destroyed connection context.ldap2_139948234241456 2021-10-05T12:07:25Z DEBUG step duration: ipa-custodia __create_container 4.15 sec 2021-10-05T12:07:25Z DEBUG [2/5]: Generating ipa-custodia config file 2021-10-05T12:07:25Z DEBUG step duration: ipa-custodia __config_file 0.00 sec 2021-10-05T12:07:25Z DEBUG [3/5]: Generating ipa-custodia keys 2021-10-05T12:07:26Z DEBUG step duration: ipa-custodia __gen_keys 0.36 sec 2021-10-05T12:07:26Z DEBUG [4/5]: starting ipa-custodia 2021-10-05T12:07:26Z DEBUG Starting external process 2021-10-05T12:07:26Z DEBUG args=['/bin/systemctl', 'is-active', 'ipa-custodia.service'] 2021-10-05T12:07:26Z DEBUG Process finished, return code=3 2021-10-05T12:07:26Z DEBUG stdout=inactive 2021-10-05T12:07:26Z DEBUG stderr= 2021-10-05T12:07:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:26Z DEBUG Starting external process 2021-10-05T12:07:26Z DEBUG args=['/bin/systemctl', 'restart', 'ipa-custodia.service'] 2021-10-05T12:07:27Z DEBUG Process finished, return code=0 2021-10-05T12:07:27Z DEBUG stdout= 2021-10-05T12:07:27Z DEBUG stderr= 2021-10-05T12:07:27Z DEBUG Starting external process 2021-10-05T12:07:27Z DEBUG args=['/bin/systemctl', 'is-active', 'ipa-custodia.service'] 2021-10-05T12:07:27Z DEBUG Process finished, return code=0 2021-10-05T12:07:27Z DEBUG stdout=active 2021-10-05T12:07:27Z DEBUG stderr= 2021-10-05T12:07:27Z DEBUG Restart of ipa-custodia.service complete 2021-10-05T12:07:27Z DEBUG step duration: ipa-custodia __start 1.62 sec 2021-10-05T12:07:27Z DEBUG [5/5]: configuring ipa-custodia to start on boot 2021-10-05T12:07:27Z DEBUG Starting external process 2021-10-05T12:07:27Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ipa-custodia.service'] 2021-10-05T12:07:27Z DEBUG Process finished, return code=1 2021-10-05T12:07:27Z DEBUG stdout=disabled 2021-10-05T12:07:27Z DEBUG stderr= 2021-10-05T12:07:27Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:27Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:27Z DEBUG Starting external process 2021-10-05T12:07:27Z DEBUG args=['/bin/systemctl', 'unmask', 'ipa-custodia.service'] 2021-10-05T12:07:28Z DEBUG Process finished, return code=0 2021-10-05T12:07:28Z DEBUG stdout= 2021-10-05T12:07:28Z DEBUG stderr= 2021-10-05T12:07:28Z DEBUG Starting external process 2021-10-05T12:07:28Z DEBUG args=['/bin/systemctl', 'disable', 'ipa-custodia.service'] 2021-10-05T12:07:29Z DEBUG Process finished, return code=0 2021-10-05T12:07:29Z DEBUG stdout= 2021-10-05T12:07:29Z DEBUG stderr= 2021-10-05T12:07:29Z DEBUG step duration: ipa-custodia __enable 1.60 sec 2021-10-05T12:07:29Z DEBUG Done configuring ipa-custodia. 2021-10-05T12:07:29Z DEBUG service duration: ipa-custodia 7.75 sec 2021-10-05T12:07:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2021-10-05T12:07:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2021-10-05T12:07:29Z DEBUG update_entry modlist [(2, 'ipacertificatesubjectbase', [b'O=TESTIPA.DOM'])] 2021-10-05T12:07:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2021-10-05T12:07:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2021-10-05T12:07:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-10-05T12:07:29Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 2021-10-05T12:07:29Z DEBUG [1/28]: configuring certificate server instance 2021-10-05T12:07:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-10-05T12:07:29Z DEBUG Contents of pkispawn configuration file (/tmp/tmp2y20r0lg): [CA] pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert pki_admin_cert_request_type = pkcs10 pki_admin_dualkey = False pki_admin_email = root@localhost pki_admin_name = admin pki_admin_nickname = ipa-ca-agent pki_admin_password = XXXXXXXX pki_admin_subject_dn = cn=ipa-ca-agent,O=TESTIPA.DOM pki_admin_uid = admin pki_ajp_host_ipv4 = 127.0.0.1 pki_ajp_host_ipv6 = ::1 pki_ajp_secret = 0Dfkt0RAOcpNpf7uRcN04NdAvoRvzWFjYxr0BZyfGgj1 pki_audit_group = pkiaudit pki_audit_signing_key_algorithm = SHA256withRSA pki_audit_signing_key_size = 2048 pki_audit_signing_key_type = rsa pki_audit_signing_nickname = auditSigningCert cert-pki-ca pki_audit_signing_signing_algorithm = SHA256withRSA pki_audit_signing_subject_dn = cn=CA Audit,O=TESTIPA.DOM pki_audit_signing_token = internal pki_backup_keys = True pki_backup_password = XXXXXXXX pki_ca_hostname = dc1.testipa.dom pki_ca_port = 443 pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert pki_ca_signing_csr_path = /root/ipa.csr pki_ca_signing_key_algorithm = SHA256withRSA pki_ca_signing_key_size = 3072 pki_ca_signing_key_type = rsa pki_ca_signing_nickname = caSigningCert cert-pki-ca pki_ca_signing_record_create = True pki_ca_signing_serial_number = 1 pki_ca_signing_signing_algorithm = SHA256withRSA pki_ca_signing_subject_dn = CN=Certificate Authority,O=TESTIPA.DOM pki_ca_signing_token = internal pki_ca_starting_crl_number = 0 pki_cert_chain_nickname = caSigningCert External CA pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert pki_client_admin_cert_p12 = /root/ca-agent.p12 pki_client_database_password = pki_client_database_purge = True pki_client_dir = /root/.dogtag/pki-tomcat pki_client_pkcs12_password = XXXXXXXX pki_configuration_path = /etc/pki pki_default_ocsp_uri = http://ipa-ca.testipa.dom/ca/ocsp pki_dns_domainname = testipa.dom pki_ds_base_dn = o=ipaca pki_ds_bind_dn = cn=Directory Manager pki_ds_database = ipaca pki_ds_hostname = dc1.testipa.dom pki_ds_ldap_port = 389 pki_ds_ldaps_port = 636 pki_ds_password = XXXXXXXX pki_ds_remove_data = True pki_ds_secure_connection = False pki_ds_secure_connection_ca_nickname = Directory Server CA certificate pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt pki_enable_proxy = True pki_existing = False pki_external = False pki_external_pkcs12_password = pki_external_pkcs12_path = pki_external_step_two = False pki_group = pkiuser pki_hostname = dc1.testipa.dom pki_hsm_enable = False pki_hsm_libfile = pki_hsm_modulename = pki_import_admin_cert = False pki_instance_configuration_path = /etc/pki/pki-tomcat pki_instance_name = pki-tomcat pki_issuing_ca = https://dc1.testipa.dom:443 pki_issuing_ca_hostname = dc1.testipa.dom pki_issuing_ca_https_port = 443 pki_issuing_ca_uri = https://dc1.testipa.dom:443 pki_master_crl_enable = True pki_ocsp_signing_key_algorithm = SHA256withRSA pki_ocsp_signing_key_size = 2048 pki_ocsp_signing_key_type = rsa pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca pki_ocsp_signing_signing_algorithm = SHA256withRSA pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=TESTIPA.DOM pki_ocsp_signing_token = internal pki_pkcs12_password = pki_pkcs12_path = pki_profiles_in_ldap = True pki_random_serial_numbers_enable = False pki_replica_number_range_end = 100 pki_replica_number_range_start = 1 pki_replication_password = pki_request_number_range_end = 10000000 pki_request_number_range_start = 1 pki_restart_configured_instance = False pki_san_for_server_cert = pki_san_inject = False pki_security_domain_hostname = dc1.testipa.dom pki_security_domain_https_port = 443 pki_security_domain_name = IPA pki_security_domain_password = XXXXXXXX pki_security_domain_user = admin pki_self_signed_token = internal pki_serial_number_range_end = 10000000 pki_serial_number_range_start = 1 pki_server_database_password = XXXXXXXX pki_share_db = False pki_skip_configuration = False pki_skip_ds_verify = False pki_skip_installation = False pki_skip_sd_verify = False pki_sslserver_key_algorithm = SHA256withRSA pki_sslserver_key_size = 2048 pki_sslserver_key_type = rsa pki_sslserver_nickname = Server-Cert cert-pki-ca pki_sslserver_subject_dn = cn=dc1.testipa.dom,O=TESTIPA.DOM pki_sslserver_token = internal pki_status_request_timeout = 15 pki_subordinate = False pki_subordinate_create_new_security_domain = False pki_subsystem = CA pki_subsystem_key_algorithm = SHA256withRSA pki_subsystem_key_size = 2048 pki_subsystem_key_type = rsa pki_subsystem_nickname = subsystemCert cert-pki-ca pki_subsystem_subject_dn = cn=CA Subsystem,O=TESTIPA.DOM pki_subsystem_token = internal pki_subsystem_type = ca pki_theme_enable = True pki_theme_server_dir = /usr/share/pki/common-ui pki_token_name = internal pki_user = pkiuser 2021-10-05T12:07:29Z DEBUG Starting external process 2021-10-05T12:07:29Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp2y20r0lg'] 2021-10-05T12:09:45Z DEBUG Process finished, return code=1 2021-10-05T12:09:45Z DEBUG stdout=Installation log: /var/log/pki/pki-ca-spawn.20211005150730.log Loading deployment configuration from /tmp/tmp2y20r0lg. Installing CA into /var/lib/pki/pki-tomcat. Installation failed: [Errno 2] No such file or directory: 'pki-server' 2021-10-05T12:09:45Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. ERROR: FileNotFoundError: [Errno 2] No such file or directory: 'pki-server' File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main scriptlet.spawn(deployer) File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 915, in spawn deployer.backup_keys(instance, subsystem) File "/usr/lib/python3.8/site-packages/pki/server/deployment/__init__.py", line 337, in backup_keys subprocess.run(cmd, check=True) File "/usr/lib64/python3.8/subprocess.py", line 493, in run with Popen(*popenargs, **kwargs) as process: File "/usr/lib64/python3.8/subprocess.py", line 858, in __init__ self._execute_child(args, executable, preexec_fn, close_fds, File "/usr/lib64/python3.8/subprocess.py", line 1704, in _execute_child raise child_exception_type(errno_num, err_msg, err_filename) 2021-10-05T12:09:45Z CRITICAL Failed to configure CA instance 2021-10-05T12:09:45Z CRITICAL See the installation logs and the following files/directories for more information: 2021-10-05T12:09:45Z CRITICAL /var/log/pki/pki-tomcat 2021-10-05T12:09:45Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.8/site-packages/ipaserver/install/cainstance.py", line 626, in __spawn_instance DogtagInstance.spawn_instance( File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 211, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 563, in handle_setup_error raise RuntimeError( RuntimeError: CA configuration failed. 2021-10-05T12:09:45Z DEBUG [error] RuntimeError: CA configuration failed. 2021-10-05T12:09:45Z DEBUG Removing /root/.dogtag/pki-tomcat/ca 2021-10-05T12:09:45Z DEBUG File "/usr/lib/python3.8/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.8/site-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.8/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 418, in step = lambda: next(self.__gen) File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.8/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.8/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.8/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 418, in step = lambda: next(self.__gen) File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.8/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.8/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.8/site-packages/ipaserver/install/server/__init__.py", line 575, in main master_install(self) File "/usr/lib/python3.8/site-packages/ipaserver/install/server/install.py", line 275, in decorated func(installer) File "/usr/lib/python3.8/site-packages/ipaserver/install/server/install.py", line 909, in install ca.install_step_0(False, None, options, custodia=custodia) File "/usr/lib/python3.8/site-packages/ipaserver/install/ca.py", line 338, in install_step_0 ca.configure_instance( File "/usr/lib/python3.8/site-packages/ipaserver/install/cainstance.py", line 502, in configure_instance self.start_creation(runtime=runtime) File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.8/site-packages/ipaserver/install/cainstance.py", line 626, in __spawn_instance DogtagInstance.spawn_instance( File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 211, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 563, in handle_setup_error raise RuntimeError( 2021-10-05T12:09:45Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed. 2021-10-05T12:09:45Z ERROR CA configuration failed. 2021-10-05T12:09:45Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information dc1 ~ #