[Freeipa-users] help: ipa error 4301

Martin Kosek mkosek at redhat.com
Thu Jul 18 16:11:50 UTC 2013


I am glad to hear that.

Can you just please send me the respective AVCs from /var/log/audit/audit.log?
FreeIPA software is supposed to be run with SELinux enforced and we do our best
so that it really works with SELinux enforced.

Thanks,
Martin

On 07/18/2013 06:09 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> SOLUTION
> 
> Just to follow up, I found that SELinux was the problem.  Once I ran
> "#setenforce 0"  the ipa-client-install script worked with no issue and my client got a valid certificate.  Thanks for looking!
> 
> Matthew Shapiro
> 
> 
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com] 
> Sent: Thursday, July 18, 2013 1:15 AM
> To: Shapiro, Matthew E CTR DODHRA DMDC (US)
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] help: ipa error 4301
> 
> On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
>> Hi,
>>
>> While running the ipa-client-install script on a RHEL 6.4 server, I get the
>> following output (please note the indicated line with the arrow):
>>
>> [root@[hostname]]# ipa-client-install
>> Discovery was successful!
>> Hostname: [hostname]
>> Realm: example.com
>> DNS Domain: example.com
>> IPA Server: chtvm-389.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Password for admin example com:
>>
>> Enrolled in IPA realm example.com
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm example.com
>> SSSD enabled
>> Kerberos 5 enabled
>> --> Unable to find 'admin' user with 'getent passwd admin'!
>> Recognized configuration: SSSD
>> NTP enabled
>> Client configuration complete.
>>
>>
>> Also, please note that I've obfuscated the hostname, domain, and realm for
>> security reasons.    I believe I've narrowed down the problem to certificate
>> enrollment.  When I check my IPA Server Web UI, I have a notice in my host
>> details that says "no valid certificate present."  I then checked my client
>> host by running:
>>
>> [root at hostname user]# ipa-getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130717205230':
>>         status: CA_UNCONFIGURED
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - hostname.example.com',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
>> Certificate - hostname.example.com '
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> I'm concerned about that "stuck" field, I have no idea what that means.
>>
>> I have other RHEL 6.4 clients that have been able to join my IPA domain with no
>> issue at all, but this one client baffles me.  Any thoughts??
>>
>> ----------------------------------------------------------------------
>> Matthew Shapiro
>> Systems Administrator
>>
>> Trofholz Technologies, Inc.
>> Defense Personnel and Security Research Center (PERSEREC)
>> Defense Manpower Data Center (DMDC)
>> Office: 831.583.2828
>>
>>
> 
> There seems to be something wrong with the host keytab:
> 
> ...
> 
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
> 
> Can you check if the host principal in the keytab is correct?
> 
> # klist -kt /etc/krb5.keytab
> 
> Are you able to kinit with the host principal?
> 
> # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]
> 
> 
> Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
> is this still not working?
> 
> # getent passwd admin
> 
> Martin
> 
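As an added example (not code from the thread or from the FreeIPA project), here is a small Python triage helper that parses `ipa-getcert list` output like the one quoted above, flags requests that are stuck or not in MONITORING, and maps a keytab-related ca-error to the checks Martin suggests, plus the AVC collection he asks for. The sample output is constructed from the quoted listing with a second, healthy request added; the `host/[hostname]@[REALM]` placeholders are the thread's own.

```python
import re
# Constructed sample: the certmonger output quoted in the thread (trimmed) plus a
# second, healthy request, so the triage logic has both cases to classify.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20130717205230':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using
default keytab: Resource temporarily unavailable.
        stuck: yes
        CA: IPA
        issuer:
Request ID '20130718120000':
        status: MONITORING
        stuck: no
        expires: 2015-07-18 12:00:00 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([\w -]+?): ?(.*)$")

def parse_getcert_list(text):
    """Parse `ipa-getcert list` output into {request_id: {field: value}}."""
    requests, current, last = {}, None, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current, last = requests.setdefault(m.group(1), {}), None
        elif current is None:
            continue  # the "Number of certificates ..." summary line
        elif (m := FIELD_RE.match(line)):
            last = m.group(1)
            current[last] = m.group(2).strip()
        elif last and line and not line[0].isspace():
            current[last] += " " + line.strip()  # mail-wrapped continuation
    return requests

def triage(requests):
    """Map each stuck or non-MONITORING request to the checks the thread suggests."""
    findings = {}
    for rid, f in requests.items():
        if f.get("stuck") != "yes" and f.get("status") == "MONITORING":
            continue
        checks = ["grep AVC /var/log/audit/audit.log"]  # SELinux was the root cause
        err = f.get("ca-error", "")
        if "keytab" in err or "ccache" in err:  # Martin's keytab sanity checks
            checks += ["klist -kt /etc/krb5.keytab",
                       "kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]"]
        findings[rid] = checks
    return findings
```

Run `triage(parse_getcert_list(open("/tmp/getcert.txt").read()))` against saved `ipa-getcert list` output to get the checks per problem request; collecting the AVCs first keeps SELinux enforcing while the policy gap is reported.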