Hi,

Running FreeIPA in a container is tricky, I suggest you reach https://github.com/freeipa/freeipa-container
They have some guidance on running FreeIPA in containers.

Rafael

On Wed, Jul 12, 2023 at 2:30 AM dweller dweller via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Introduction: We are currently using the Altlinux system, and the freeipa package is maintained in the repository provided at https://packages.altlinux.org/en/p10/srpms/freeipa/. To meet our specific requirements, I decided to create a container package based on the Altlinux p10 distribution. However, I have now encountered a problem while trying to install ipa-client inside the container. It seems that I am not receiving a session cookie for some reason. Although the logs indicate that the Ticket Granting Ticket (TGT) is successfully issued and stored at /etc/ipa/.dns_ccache (TGT for the host principal), there is a warning stating that the ipa_session cookie cannot be found. As a result, the request to /ipa/json fails with a 401 error.
>
> Despite the fact that this distribution is not based on RHEL and therefore not officially supported, I would appreciate any guidance. Precisely what should happen in a normal situation without error. Any hints on where to investigate in the source code would also be helpful.
>
> ipaclient-install logs: https://pastebin.com/8NbieLK3
>
> the error part is:
>
> >2023-07-12T03:50:08Z DEBUG Initializing principal host/ipamaster.ipa-test.novalocal@IPA-TEST-NOTLIKEDOMAIN.NOVALOCAL using keytab /data/etc/krb5.keytab
> >2023-07-12T03:50:08Z DEBUG using ccache /etc/ipa/.dns_ccache
> >2023-07-12T03:50:08Z DEBUG Attempt 1/5: success
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmpgi6acve3', '-N', '-f', '/tmp/tmpgi6acve3/pwdfile.txt', '-@', '/tmp/tmpgi6acve3/pwdfile.txt']
> >2023-07-12T03:50:08Z DEBUG Process finished, return code=0
> >2023-07-12T03:50:08Z DEBUG stdout=
> >2023-07-12T03:50:08Z DEBUG stderr=
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/sbin/selinuxenabled']
> >2023-07-12T03:50:08Z DEBUG Process execution failed
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/sbin/selinuxenabled']
> >2023-07-12T03:50:08Z DEBUG Process execution failed
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/sbin/selinuxenabled']
> >2023-07-12T03:50:08Z DEBUG Process execution failed
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/sbin/selinuxenabled']
> >2023-07-12T03:50:08Z DEBUG Process execution failed
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/sbin/selinuxenabled']
> >2023-07-12T03:50:08Z DEBUG Process execution failed
> >2023-07-12T03:50:08Z DEBUG Starting external process
> >2023-07-12T03:50:08Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpgi6acve3', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpgi6acve3/pwdfile.txt']
> >2023-07-12T03:50:08Z DEBUG Process finished, return code=0
> >2023-07-12T03:50:08Z DEBUG stdout=
> >2023-07-12T03:50:08Z DEBUG stderr=
> >2023-07-12T03:50:08Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipamaster.ipa-test.novalocal@IPA-TEST-NOTLIKEDOMAIN.NOVALOCAL'
> >2023-07-12T03:50:08Z DEBUG trying https://ipamaster.ipa-test.novalocal/ipa/json
> >2023-07-12T03:50:08Z DEBUG Created connection context.rpcclient_139827748309840
> >2023-07-12T03:50:08Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipamaster.ipa-test.novalocal/ipa/json'
> >2023-07-12T03:50:08Z DEBUG ENTERING SINGLE_REQUEST
> >2023-07-12T03:50:08Z DEBUG HOST:i (ipamaster.ipa-test.novalocal)
> >2023-07-12T03:50:08Z DEBUG HANDLER: (/ipa/json)
> >2023-07-12T03:50:08Z DEBUG REQUEST_BODY: (b'{"method": "schema", "params": [[], {"version": "2.170"}], "id": 0}')
> >2023-07-12T03:50:08Z DEBUG New HTTP connection (ipamaster.ipa-test.novalocal)
> >2023-07-12T03:50:08Z DEBUG HTTP connection destroyed (ipamaster.ipa-test.novalocal)
> >Traceback (most recent call last):
> >  File "/usr/lib64/python3/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
> >    plugins = api._remote_plugins
> >AttributeError: 'API' object has no attribute '_remote_plugins'
> >
> >During handling of the above exception, another exception occurred:
> >
> >Traceback (most recent call last):
> >  File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 727, in single_request
> >    if not self._auth_complete(response):
> >  File "/usr/lib64/python3/site-packages/ipalib/rpc.py", line 673, in _auth_complete
> >    raise errors.KerberosError(
> >ipalib.errors.KerberosError: No valid Negotiate header in server response
> >2023-07-12T03:50:08Z DEBUG Destroyed connection context.rpcclient_139827748309840
> >2023-07-12T03:50:08Z DEBUG File "/usr/lib64/python3/site-packages/ipapython/admintool.py", line 180, in execute
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
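An added triage example, not part of either post and not FreeIPA code: it walks an ipaclient-install log (mail quoting tolerated) and reports which authentication stages appear, matching only message strings visible in the quoted log. The function name, stage labels and verdict strings are made up for this example, and listing the missing session cookie as one stage rather than as the failure itself is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines abridged from the log quoted in the thread,
# mail quoting prefix left in place.
SAMPLE = """\
> >2023-07-12T03:50:08Z DEBUG Initializing principal host/ipamaster.ipa-test.novalocal@IPA-TEST-NOTLIKEDOMAIN.NOVALOCAL using keytab /data/etc/krb5.keytab
> >2023-07-12T03:50:08Z DEBUG Attempt 1/5: success
> >2023-07-12T03:50:08Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipamaster.ipa-test.novalocal@IPA-TEST-NOTLIKEDOMAIN.NOVALOCAL'
> >2023-07-12T03:50:08Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipamaster.ipa-test.novalocal/ipa/json'
> >ipalib.errors.KerberosError: No valid Negotiate header in server response
"""

# Stage labels are this example's own; the regexes match strings from the quoted log.
PATTERNS = {
    "principal": re.compile(r"Initializing principal (\S+?)/(\S+?)@(\S+) using keytab (\S+)"),
    "tgt_ok": re.compile(r"Attempt \d+/\d+: success"),
    "no_cookie": re.compile(r"failed to find session_cookie in persistent storage"),
    "rpc": re.compile(r"Forwarding '(\w+)' to json server '\s*([^']+)'"),
    "no_negotiate": re.compile(r"KerberosError: No valid Negotiate header"),
}

def triage(log_text):
    """Return the auth stages seen in an ipaclient-install log, in order."""
    report = {"stages": [], "principal_host": None, "realm": None, "rpc_host": None}
    for raw in log_text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw)  # drop mail quoting, if any
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if name not in report["stages"]:
                report["stages"].append(name)
            if name == "principal":
                report["principal_host"], report["realm"] = m.group(2), m.group(3)
            elif name == "rpc":
                report["rpc_host"] = urlsplit(m.group(2).strip()).hostname
    seen = report["stages"]
    if "tgt_ok" not in seen:
        report["verdict"] = "no TGT from keytab"
    elif "no_negotiate" in seen:
        report["verdict"] = "TGT ok, no Negotiate header in server response"
    else:
        report["verdict"] = "no auth failure found"
    # True when the host principal's FQDN equals the RPC server's FQDN.
    report["client_is_server"] = (report["principal_host"] is not None
                                  and report["principal_host"] == report["rpc_host"])
    return report
```

On the sample, `client_is_server` comes back true: the host principal being enrolled and the `/ipa/json` endpoint carry the same FQDN, which is worth confirming as intended for the container setup.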