<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/15/2013 05:57 PM, Sylvain Angers wrote:
<blockquote
cite="mid:CABn0HjuYuO-q5rZ6L7=hYVUeSFeXCP7CA6kNkgHsk0Def+LHhg@mail.gmail.com"
type="cite">
<div>Hello</div>
<div><br>
</div>
<div>Please help me troubleshoot the following issue, thank you in
advance!</div>
<div><br>
</div>
<div>Some rhel6.2 hosts have problems authenticating against IPA
v2.2, </div>
<div>while some others on the same domain do not have the issue but still
get the same error "Failed to init credentials: Realm not local
to KDC"</div>
<div><br>
</div>
<div>
<div>hostname of client that work = mtl-vdi02d.cnppd.lab</div>
<div>
<div>hostname of client that does not work =
mtl-vdi08d.cnppd.lab</div>
</div>
<div>all vm on RHEV</div>
<div><br>
</div>
<div>ipa server (mtl-ipa01d.unix.cnppd.lab) is on
unix.cnppd.lab because we have AD</div>
<div>ipa clients are on cnppd.lab</div>
<div>Windows machines are also on cnppd.lab, connected to "Active
Directory"</div>
</div>
<div><br>
</div>
</blockquote>
<br>
Issues like this are usually related to DNS.<br>
We recommend that you delegate a zone from AD to IPA and install IPA
with DNS to manage this zone.<br>
With a setup like yours you have a high chance of AD responding to
the UNIX client requests.<br>
You can avoid this, but it would require a bit of manual
configuration.<br>
<br>
The following recommendation is written for trusts but AFAIU it is
applicable to this use case too.<br>
<br>
<br>
<div>There are two main options: take advantage of the IPA's own DNS or
not.</div>
<br>
<div>Configuration with IPA DNS:</div>
<ul>
<li>The recommended configuration is to take advantage of the IPA DNS
and to delegate a zone from the DNS server (most likely AD DNS) to
IPA. It should be possible to resolve the names in the AD domain via
forwarders. This configuration does not differ from the normal DNS
configuration we recommend and can be fully automated. Linux clients
in this case become machines in the IPA DNS domain.</li>
<li>The alternative can be that IPA would be in a completely separate
namespace. In this case the AD DNS server needs a conditional
forwarder to resolve IPA names and the IPA DNS server needs a
forwarder to resolve AD names.</li>
<li>An alternative solution, which would scale better in environments
with many domains, would be a common forwarder as described in
<a href="http://freeipa.org/page/IPAv3_testing_AD_trust#Adding_a_common_forwarder">http://freeipa.org/page/IPAv3_testing_AD_trust#Adding_a_common_forwarder</a>.
Cross forwarding is the only solution unless a common higher level
DNS server delegates both the AD and IPA zones to the respective
servers:
<ul>
<li>dns-a.example.com has a forwarder for example.net -&gt;
dns-b.example.net</li>
<li>dns-b.example.net has a forwarder for example.com -&gt;
dns-a.example.com</li>
</ul>
</li>
</ul>
<br>
<div>Configuration without IPA DNS:</div>
<ul>
<li>It is possible to use an AD DNS for the deployment and not
configure IPA DNS. In this case:
<ul>
<li>The AD DNS should be updated to have all the names of the IPA
servers registered as A records (PTR records are not mandatory but
are useful).</li>
<li>The IPA clients (SSSD) should be configured not to use service
discovery but rather use the list of the IPA server names
explicitly.</li>
<li>Client entries would also have to be added to the AD domain.</li>
</ul>
</li>
<li>If you prefer to use service discovery, a subdomain can be
allocated for IPA servers. Service (SRV) records can be created for
that domain that would point to the list of the IPA servers. The
clients can then be configured to use service discovery, but every
client would have to be added to the AD DNS directly too.
<ul>
<li>DNS-based service discovery should be seen as the preferred way
for configuration without IPA DNS. There are too many places in both
Windows and Linux where default assumptions are made when resolving
services that manual configuration should be discouraged.</li>
</ul>
</li>
</ul>
<br>
HTH<br>
<br>
<blockquote
cite="mid:CABn0HjuYuO-q5rZ6L7=hYVUeSFeXCP7CA6kNkgHsk0Def+LHhg@mail.gmail.com"
type="cite">
<div>so we have a stub that redirects requests for unix.cnppd.lab
onto our ipa </div>
<div><br>
</div>
<div>client can resolve ipa and vice versa</div>
<div><br>
</div>
<div>
<div>
<div>[root@mtl-vdi08d log]# nslookup mtl-ipa01d.unix.cnppd.lab</div>
<div>Server: 165.115.58.16</div>
<div>Address: 165.115.58.16#53</div>
<div><br>
</div>
<div>Non-authoritative answer:</div>
<div>Name: mtl-ipa01d.unix.cnppd.lab</div>
<div>Address: 165.115.118.21</div>
<div><br>
</div>
<div>[root@mtl-vdi08d log]# nslookup unix.cnppd.lab</div>
<div>Server: 165.115.58.16</div>
<div>Address: 165.115.58.16#53</div>
<div><br>
</div>
<div>Non-authoritative answer:</div>
<div>Name: unix.cnppd.lab</div>
<div>Address: 165.115.118.21</div>
<div><br>
</div>
<div>[root@mtl-vdi08d log]# cat /etc/resolv.conf</div>
<div># Generated by NetworkManager</div>
<div>domain cnppd.lab</div>
<div>search cnppd.lab cn.ca</div>
<div>nameserver 165.115.58.16</div>
</div>
</div>
<div><br>
</div>
<div>
we all get this message in our logs</div>
<div><br>
</div>
<div>(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1943]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1944]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1945]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1946]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1947]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1954]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1955]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1956]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1957]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div>(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1958]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm
not local to KDC</div>
<div><br>
</div>
<div><br>
</div>
<div>while I can reinstall ipa-client on mtl-vdi02d and it will
still work</div>
<div><br>
</div>
<div>if I do the same with mtl-vdi08d, it will still not work</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>[root@mtl-vdi08d ~]# ipa-client-install
--server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB
--mkhomedir</div>
<div>Discovery was successful!</div>
<div>Hostname: mtl-vdi08d.cnppd.lab</div>
<div>Realm: UNIX.CNPPD.LAB</div>
<div>DNS Domain: UNIX.CNPPD.LAB</div>
<div>IPA Server: mtl-ipa01d.unix.cnppd.lab</div>
<div>BaseDN: dc=unix,dc=cnppd,dc=lab</div>
<div><br>
</div>
<div><br>
</div>
<div>Continue to configure the system with these values? [no]:
yes</div>
<div>User authorized to enroll computers: admin</div>
<div>Synchronizing time with KDC...</div>
<div>Password for admin@UNIX.CNPPD.LAB:</div>
<div><br>
</div>
<div>Enrolled in IPA realm UNIX.CNPPD.LAB</div>
<div>Created /etc/ipa/default.conf</div>
<div>Configured /etc/sssd/sssd.conf</div>
<div>Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB</div>
<div>SSSD enabled</div>
<div>Unable to find 'admin' user with 'getent passwd admin'!</div>
<div>Recognized configuration: SSSD</div>
<div>NTP enabled</div>
<div>Client configuration complete.</div>
<div>[root@mtl-vdi08d ~]#</div>
</div>
<div><br>
</div>
<div>see the "Unable to find 'admin' user with 'getent passwd
admin'!" message</div>
<div><br>
</div>
<div>
<div>
<div>[root@mtl-vdi08d log]# getent passwd t154793</div>
<div>[root@mtl-vdi08d log]#</div>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>[root@mtl-vdi02d t154793]# getent passwd t154793</div>
<div>
t154793:*:1947600004:1947600004:Sylvain
Angers:/home/t154793:/bin/bash</div>
<div>[root@mtl-vdi02d t154793]#</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>What could be the cause?</div>
<div>Any assistance would be appreciated </div>
<div><br>
</div>
<div>Thank you!</div>
<div><br>
</div>
<div><br>
</div>
-- <br>
Sylvain Angers<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
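<p>The cross-forwarding arrangement described in the reply (dns-a.example.com and dns-b.example.net each forwarding the other's zone), written out as an added example in BIND named.conf syntax; this is not configuration from the thread or from the FreeIPA project. The host names are the reply's placeholders, the IP addresses are constructed from the RFC 5737 documentation ranges, and on an IPA server itself forward zones are managed through the ipa tooling rather than by editing named.conf by hand.</p>

```text
// Cross forwarding for the "two separate namespaces" case.
// Names are the thread's placeholders; IPs are constructed (RFC 5737).

// --- On dns-a.example.com, authoritative for example.com ---
// Every query under example.net is handed to dns-b. "forward only"
// means dns-a never tries to resolve those names by itself, so there
// is no chance of it answering from a stale or wrong source.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; };   // dns-b.example.net (constructed IP)
};

// --- On dns-b.example.net, authoritative for example.net ---
// The mirror image: example.com queries go to dns-a.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };      // dns-a.example.com (constructed IP)
};
```

<p>On an AD DNS server the same role is played by a conditional forwarder for the IPA zone that points at the IPA DNS server. Verify both directions after the change by resolving a name from each zone on a client of the other, as the poster did with nslookup.</p>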
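<p>For the "configuration without IPA DNS" option, where the reply says SSSD should be given an explicit IPA server list instead of service discovery, here is an added example of what that looks like on a client; it is not configuration from the thread, from ipa-client-install, or from the FreeIPA project. The host, server and realm names are taken from the thread; the second file and the explicit domain_realm mapping for the client's own name are assumptions made for the example.</p>

```ini
# /etc/sssd/sssd.conf on a client whose own name (mtl-vdi08d.cnppd.lab)
# is outside the IPA DNS zone. Names from the thread; rest is assumed.
[sssd]
config_file_version = 2
services = nss, pam
domains = unix.cnppd.lab

[domain/unix.cnppd.lab]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = unix.cnppd.lab
krb5_realm = UNIX.CNPPD.LAB
ipa_hostname = mtl-vdi08d.cnppd.lab
# Explicit server list instead of the default "_srv_": SSSD then does
# not look up _ldap._tcp / _kerberos._tcp SRV records, a query which in
# this setup the AD DNS might answer on the client's behalf.
ipa_server = mtl-ipa01d.unix.cnppd.lab
cache_credentials = True

# /etc/krb5.conf: libkrb5 does its own DNS lookups independently of
# SSSD, so the same "no discovery" choice has to be made here as well.
# (Assumed example layout, not ipa-client-install output.)
[libdefaults]
default_realm = UNIX.CNPPD.LAB
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
UNIX.CNPPD.LAB = {
    kdc = mtl-ipa01d.unix.cnppd.lab:88
    admin_server = mtl-ipa01d.unix.cnppd.lab:749
}

[domain_realm]
.unix.cnppd.lab = UNIX.CNPPD.LAB
unix.cnppd.lab = UNIX.CNPPD.LAB
# The client lives in cnppd.lab, not in the IPA zone, so map its own
# name explicitly instead of relying on a _kerberos TXT lookup there.
mtl-vdi08d.cnppd.lab = UNIX.CNPPD.LAB
```

<p>After editing, restart sssd and confirm with <code>getent passwd &lt;user&gt;</code> and <code>kinit &lt;user&gt;</code> on the client, which is the same check the poster used to tell the working host from the broken one.</p>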
</body>
</html>