<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/19/2013 04:44 PM, Dale Macartney wrote:<br>
<span style="white-space: pre;">></span><br>
<blockquote type="cite"><br>
On 01/19/2013 07:16 PM, Dmitri Pal wrote:<br>
> On 01/19/2013 01:25 PM, MaSch wrote:<br>
&gt;&gt; Hello all,<br>
&gt;&gt;<br>
&gt;&gt; I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a test server. However I do not even get past<br>
&gt;&gt; the initial (local) steps described in:<br>
&gt;&gt; <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain</a><br>
&gt;&gt; The last step of the section "Install and configure IPA server" gives me the following error:<br>
I am having similar issues, however I only have the problem when<br>
attempting a trust with AD 2012. Works perfectly on AD 2008r2.<br>
<br>
Critical pre-req is definitely to make sure DNS resolution is working in advance. It's always a killer.<br>
<br>
If you use IPA managed DNS, use the following.<br>
<br>
ipa dnszone-add nt.example.com --name-server=dc01.nt.example.com --admin-email=<a class="moz-txt-link-rfc2396E" href="mailto:administrator@nt.example.com">"administrator@nt.example.com"</a> --force --forwarder=10.0.2.11 --forward-policy=only<br>
<br>
The IP address is the IP of the domain controller dc01.nt.example.com<br>
<br>
>><br>
>><br>
&gt;&gt; "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"<br>
&gt;&gt;<br>
&gt;&gt; However "kdestroy" followed by a consequent "kinit admin" does not help, I get the error again when trying<br>
&gt;&gt; to "ipa-adtrust-install"<br>
>><br>
>> The ipaserver-install.log says :<br>
&gt;&gt; 2013-01-19T17:19:56Z DEBUG stderr=<br>
&gt;&gt; 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141<br>
&gt;&gt;<br>
&gt;&gt; 2013-01-19T17:19:56Z DEBUG Starting external process<br>
&gt;&gt; 2013-01-19T17:19:56Z DEBUG args=kinit admin<br>
&gt;&gt; 2013-01-19T17:19:57Z DEBUG Process finished, return code=0<br>
&gt;&gt; 2013-01-19T17:19:57Z DEBUG stdout=Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@MATRIX.LOCAL:">admin@MATRIX.LOCAL:</a><br>
&gt;&gt;<br>
&gt;&gt; 2013-01-19T17:19:57Z DEBUG stderr=<br>
&gt;&gt; 2013-01-19T17:19:57Z INFO File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script<br>
&gt;&gt; return_value = main_function()<br>
&gt;&gt;<br>
&gt;&gt; File "/usr/sbin/ipa-adtrust-install", line 304, in main<br>
&gt;&gt; sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")<br>
&gt;&gt;<br>
&gt;&gt; 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials.<br>
&gt;&gt; Use kdestroy and kinit to update your ticket<br>
>><br>
>><br>
______________________________________________________________________________________________________<br>
>><br>
>><br>
&gt;&gt; I tried to follow the instructions and stick to the plan - here is the history of commands I executed on a fresh Fedora<br>
&gt;&gt; 18 Installation (after installing vmware tools in the vm) (long output is omitted and replaced by ...):<br>
>><br>
>><br>
&gt;&gt; [root@linux user]# yum update -y<br>
&gt;&gt; ...<br>
&gt;&gt; [root@linux user]# reboot<br>
&gt;&gt; [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap<br>
&gt;&gt; ...<br>
&gt;&gt; [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local ipa-server" &gt;&gt; /etc/hosts<br>
&gt;&gt; [root@linux user]# hostname ipa-server.matrix.local<br>
&gt;&gt; [root@linux user]# hostname<br>
&gt;&gt; ipa-server.matrix.local<br>
&gt;&gt; [root@linux user]# ping ipa-server.matrix.local<br>
&gt;&gt; PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.<br>
&gt;&gt; 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms<br>
&gt;&gt; [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL --setup-dns --no-forwarders -U<br>
&gt;&gt; ... setup completes without errors<br>
&gt;&gt; [root@linux user]# kinit admin<br>
&gt;&gt; Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@MATRIX.LOCAL:">admin@MATRIX.LOCAL:</a><br>
&gt;&gt; [root@linux user]# klist<br>
&gt;&gt; Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU<br>
&gt;&gt; Default principal: <a class="moz-txt-link-abbreviated" href="mailto:admin@MATRIX.LOCAL">admin@MATRIX.LOCAL</a><br>
&gt;&gt;<br>
&gt;&gt; Valid starting Expires Service principal<br>
&gt;&gt; 01/19/13 12:19:06 01/20/13 12:19:02 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/MATRIX.LOCAL@MATRIX.LOCAL">krbtgt/MATRIX.LOCAL@MATRIX.LOCAL</a><br>
&gt;&gt; [root@linux user]# id admin<br>
&gt;&gt; uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)<br>
&gt;&gt; [root@linux user]# getent passwd admin<br>
&gt;&gt; admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash<br>
&gt;&gt; [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1<br>
&gt;&gt; The log file for this installation can be found in /var/log/ipaserver-install.log<br>
&gt;&gt;<br>
&gt;&gt; ==============================================================================<br>
&gt;&gt; This program will setup components needed to establish trust to AD domains for<br>
&gt;&gt; the FreeIPA Server.<br>
&gt;&gt;<br>
&gt;&gt; This includes:<br>
&gt;&gt; * Configure Samba<br>
&gt;&gt; * Add trust related objects to FreeIPA LDAP server<br>
&gt;&gt;<br>
&gt;&gt; To accept the default shown in brackets, press the Enter key.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; The following operations may take some minutes to complete.<br>
&gt;&gt; Please wait until the prompt is returned.<br>
&gt;&gt;<br>
&gt;&gt; Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket<br>
>><br>
>><br>
______________________________________________________________________________________________________<br>
>><br>
>> The freeipa packages installed are :<br>
>><br>
>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64<br>
>> freeipa-python-3.1.0-2.fc18.x86_64<br>
>> freeipa-server-selinux-3.1.0-2.fc18.x86_64<br>
>> freeipa-admintools-3.1.0-2.fc18.x86_64<br>
>> freeipa-server-3.1.0-2.fc18.x86_64<br>
>> freeipa-client-3.1.0-2.fc18.x86_64<br>
>><br>
>><br>
&gt;&gt; Any help would be appreciated, perhaps I'm just missing a simple step.<br>
>><br>
>><br>
>> Regards<br>
>> Marco<br>
>><br>
>> _______________________________________________<br>
>> Freeipa-users mailing list<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
>> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
> What is the situation with the time on that box?<br>
> Was the time and time zone set correctly?<br>
> Is it a VM?<br>
> Can it be that the time drifted in some way?<br>
<br>
<br>
</blockquote>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
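The time questions raised in this thread can be checked mechanically. The following is an added example, not part of the original messages or of FreeIPA: it parses klist output and classifies the ticket-granting ticket against a given clock reading, using the Kerberos default clock-skew tolerance of 300 seconds. The sample klist text is constructed, the function names are hypothetical, and the MM/DD/YY timestamp layout is assumed from the klist output quoted above.<br>

```python
import re
from datetime import datetime, timedelta

# Default Kerberos clock-skew tolerance (krb5.conf "clockskew"), in seconds.
CLOCKSKEW = timedelta(seconds=300)

# Constructed sample, shaped like the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: DIR::/run/user/1000/krb5cc_example/tkt
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
"""

# Assumed layout: two MM/DD/YY HH:MM:SS stamps followed by the principal.
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET_RE = re.compile(r"^" + STAMP + r"\s+" + STAMP + r"\s+(\S+)$", re.M)
FMT = "%m/%d/%y %H:%M:%S"


def parse_tgt(klist_text):
    """Return (start, end, principal) of the krbtgt entry, or None."""
    for start, end, princ in TICKET_RE.findall(klist_text):
        if princ.startswith("krbtgt/"):
            return (datetime.strptime(start, FMT),
                    datetime.strptime(end, FMT), princ)
    return None


def check_tgt(klist_text, now, skew=CLOCKSKEW):
    """Classify the TGT against `now` (naive local time, as klist prints)."""
    tgt = parse_tgt(klist_text)
    if tgt is None:
        return "no-tgt"
    start, end, _ = tgt
    if now + skew < start:
        return "clock-behind"  # ticket starts in the future: clock moved back
    if now > end:
        return "expired"       # past expiry: old ticket or clock moved ahead
    return "valid"


if __name__ == "__main__":
    # Compare the constructed sample with this machine's clock.
    print(check_tgt(SAMPLE_KLIST, datetime.now()))
```

On a VM, feeding the real `klist` output and the current time into `check_tgt` right after `kinit` shows whether the guest clock moved between obtaining the ticket and using it.<br>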
</body>
</html>