Greetings,
I cannot get the ipa-replica-install to proceed past step 26/41 - creating DS keytab. I see the command that is to be run, and I can run that just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here - the bug reports I see all pertain to earlier versions, and my files reflect those changes.
I have also tried running this with all manner of password flags, which are correct, but I am still getting insufficient access rights.
particulars: centos 7 3.10.0-957.1.3.el7.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
* Note: anonymized output below
ipapython.ipautil: DEBUG stderr=
ipalib.backend: DEBUG Created connection context.ldap2_139891568509776
ipaserver.install.service: DEBUG duration: 7 seconds
ipaserver.install.service: DEBUG [26/41]: creating DS keytab
[26/41]: creating DS keytab
ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229')
ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229')
ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>
ipapython.ipautil: DEBUG Process finished, return code=9
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
ipaserver.install.service: DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
    super(DsInstance, self).request_service_keytab()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
    self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
    ipautil.run(args, nolog=nolog)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
[error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf'
ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: DEBUG
  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install
    fstore=fstore)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds
    setup_pkinit=not options.no_pkinit,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
    super(DsInstance, self).request_service_keytab()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
    self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
    ipautil.run(args, nolog=nolog)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I have found the issue - on the master there was an old krbPrincipalName associated with this host. Clearing it out allowed this process to finish.
freeipa-users@lists.fedorahosted.org
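
A pre-flight check for the condition named in the resolution above, as an added example that is not part of the original thread: it lists every entry in an LDIF export from the master that already carries a krbPrincipalName for the new replica's hostname, so leftovers can be reviewed before ipa-replica-install runs. The LDIF, hostnames, realm and function names are constructed for illustration; which entries count as stale is left to the administrator.

```python
import base64
import re

# Constructed sample LDIF: every DN, hostname and the realm is made up.
_B64 = base64.b64encode(b"ldap/REPLICA1.example.net@EXAMPLE.NET").decode()
SAMPLE_LDIF = f"""\
dn: fqdn=replica1.example.net,cn=computers,cn=accounts,dc=example,dc=net
krbPrincipalName: host/replica1.example.net@EXAMPLE.NET

dn: krbprincipalname=ldap/replica1.example.net@EXAMPLE.NET,cn=services,cn=acco
 unts,dc=example,dc=net
krbPrincipalName: ldap/replica1.example.net@EXAMPLE.NET
krbPrincipalName:: {_B64}

dn: fqdn=other.example.net,cn=computers,cn=accounts,dc=example,dc=net
krbPrincipalName: host/other.example.net@EXAMPLE.NET
"""

def parse_ldif(text):
    """Yield (dn, {attr_lowercase: [values]}) for each entry in an LDIF dump."""
    unfolded = re.sub(r"\n ", "", text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def principals_for_host(ldif_text, fqdn):
    """Map DN -> krbPrincipalName values whose host part equals fqdn (any case)."""
    hits = {}
    for dn, attrs in parse_ldif(ldif_text):
        for princ in attrs.get("krbprincipalname", []):
            primary = princ.rpartition("@")[0]   # strip the realm
            host = primary.partition("/")[2]     # strip the service name
            if host.lower() == fqdn.lower():
                hits.setdefault(dn, []).append(princ)
    return hits

if __name__ == "__main__":
    for dn, princs in principals_for_host(SAMPLE_LDIF, "replica1.example.net").items():
        print(dn, princs)
```
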