[Freeipa-users] help: ipa error 4301
Martin Kosek
mkosek at redhat.com
Thu Jul 18 16:11:50 UTC 2013
I am glad to hear that.
Can you just please send me the respective AVCs from /var/log/audit/audit.log?
FreeIPA software is supposed to be run with SELinux enforced and we do our best
so that it really works with SELinux enforced.
Thanks,
Martin
On 07/18/2013 06:09 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> SOLUTION
>
> Just to follow up, I found that SELinux was the problem. Once I ran
> "#setenforce 0" the ipa-client-install script worked with no issue and my client got a valid certificate. Thanks for looking!
>
> Matthew Shapiro
>
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Thursday, July 18, 2013 1:15 AM
> To: Shapiro, Matthew E CTR DODHRA DMDC (US)
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] help: ipa error 4301
>
> On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
>> Hi,
>>
>> While running the ipa-client-install script on a RHEL 6.4 server, I get the
>> following output (please note the indicated line with the arrow):
>>
>> [root@[hostname]]# ipa-client-install
>> Discovery was successful!
>> Hostname: [hostname]
>> Realm: example.com
>> DNS Domain: example.com
>> IPA Server: chtvm-389.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Password for admin example com:
>>
>> Enrolled in IPA realm example.com
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm example.com
>> SSSD enabled
>> Kerberos 5 enabled
>> --> Unable to find 'admin' user with 'getent passwd admin'!
>> Recognized configuration: SSSD
>> NTP enabled
>> Client configuration complete.
>>
>> Also, please note that I've obfuscated the hostname, domain, and realm for
>> security reasons. I believe I've narrowed down the problem to certificate
>> enrollment. When I check my IPA Server Web UI, I have a notice in my host
>> details that says "no valid certificate present." I then checked my client
>> host by running:
>>
>> [root@hostname user]# ipa-getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130717205230':
>> status: CA_UNCONFIGURED
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com',token='NSS Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> I'm concerned about that "stuck" field; I have no idea what that means.
>>
>> I have other RHEL 6.4 clients that have been able to join my IPA domain with no
>> issue at all, but this one client baffles me. Any thoughts??
>>
>> ----------------------------------------------------------------------
>> Matthew Shapiro
>> Systems Administrator
>>
>> Trofholz Technologies, Inc.
>> Defense Personnel and Security Research Center (PERSEREC)
>> Defense Manpower Data Center (DMDC)
>> Office: 831.583.2828
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> There seems to be something wrong with the host keytab:
>
> ...
>
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
>
> Can you check if the host principal in the keytab is correct?
>
> # klist -kt /etc/krb5.keytab
>
> Are you able to kinit with the host principal?
>
> # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]
>
>
> Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
> is this still not working?
>
> # getent passwd admin
>
> Martin
>
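Two small triage filters for the situation in this thread, added here as an example; this is not code from the thread, from FreeIPA or from certmonger. The first picks the stuck request and its ca-error out of `ipa-getcert list` output, the second counts the AVC denials in audit.log records by process, permission, class and contexts, which is the summary Martin asks for. Both sample inputs inside the script are constructed for the demo (the thread never shows the real AVC), and the contexts, inode numbers and PIDs in them are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
#   stuck_requests : reads `ipa-getcert list` output on stdin, prints one line
#                    "<request-id> <status> <ca-error>" per request with "stuck: yes"
#   avc_summary    : reads audit.log records on stdin, prints AVC denials counted
#                    by (comm, permission, tclass, scontext, tcontext), most frequent first
# The sample inputs at the bottom are constructed for the demo.

stuck_requests() {
    awk '
        function flush() {
            if (id != "" && stuck == "yes") printf "%s %s %s\n", id, status, err
        }
        /^Request ID/ {
            flush()
            id = $0; gsub(/[^0-9]/, "", id)      # keep only the numeric request ID
            status = ""; err = ""; stuck = "no"
        }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
        /^[ \t]*stuck:/    { stuck = $2 }
        END { flush() }
    '
}

avc_summary() {
    awk '
        /^type=AVC / {
            comm = ""; scon = ""; tcon = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # tokens like "avc:", "denied", "{", "}" carry no key=value
                gsub(/"/, "", kv[2])
                if      (kv[1] == "comm")     comm = kv[2]
                else if (kv[1] == "scontext") scon = kv[2]
                else if (kv[1] == "tcontext") tcon = kv[2]
                else if (kv[1] == "tclass")   cls  = kv[2]
            }
            # the denied permission(s) sit between "{ " and " }"
            perm = "?"
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            count[comm " " perm " " cls " " scon " " tcon]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed `ipa-getcert list` output: one stuck request shaped like the one in
# the thread, plus a healthy one to show that the filter ignores it.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130717205230':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for local "host" service using default keytab: Resource temporarily unavailable.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com',token='NSS Certificate DB'
    CA: IPA
    track: yes
    auto-renew: yes
Request ID '20130601120000':
    status: MONITORING
    stuck: no
    CA: IPA
    track: yes
    auto-renew: yes
EOF
)

# Constructed audit.log records (PIDs, inode, contexts are assumptions, not from the thread).
# A SYSCALL record is included to show that only type=AVC lines are counted.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1374165150.101:201): avc:  denied  { read } for  pid=2401 comm="certmonger" name="krb5.keytab" dev=dm-0 ino=131393 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1374165150.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1374165150.355:202): avc:  denied  { read } for  pid=2401 comm="certmonger" name="krb5.keytab" dev=dm-0 ino=131393 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1374165151.020:203): avc:  denied  { name_connect } for  pid=2390 comm="sssd_be" dest=389 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
EOF
)

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_GETCERT" | stuck_requests
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a real client the same functions take `ipa-getcert list | stuck_requests` and `grep '^type=AVC' /var/log/audit/audit.log | avc_summary` (or `ausearch -m avc -ts recent | avc_summary`). The summary is what to attach to a bug report; as Martin notes, FreeIPA is meant to run with SELinux enforcing, so the denials should be fixed (a mislabeled file is corrected with `restorecon`, a genuine policy gap is reported with the AVCs) rather than worked around with `setenforce 0`.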