<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Ahh!!!  Sooo much better!!   I was following the kickstart instructions here:<br>
<a href="http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html">http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html</a><br>
<br>
Thanks again!!<br>
<br>
Guy<br>
<br>
<br>
<div class="moz-cite-prefix">On 05/21/2013 09:47 AM, Rob Crittenden wrote:<br>
</div>
<blockquote cite="mid:519B7AFE.5040800@redhat.com" type="cite">
<pre wrap="">Guy Matz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Thanks for the reply.  I *think* I'm doing this correctly . . .

On the master:
[root@ipadevmstr log]# host cpuppettest.collmedia.net
cpuppettest.collmedia.net has address 192.168.8.28
[root@ipadevmstr log]# ipa host-add cpuppettest.collmedia.net
--password=secret
--------------------------------------
Added host "cpuppettest.collmedia.net"
--------------------------------------
   Host name: cpuppettest.collmedia.net
   Password: True
   Keytab: False
   Managed by: cpuppettest.collmedia.net

But on the client:
[root@cpuppettest log]# kinit HOST/cpuppettest.collmedia.net@COLLMEDIA.NET
kinit: Client 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' not found
in Kerberos database while getting initial credentials

Any ideas?
</pre>
</blockquote>
<pre wrap="">
There are two problems:

1. service principals are case-sensitive and host should be lower-case: 
host/cpuppettest.collmedia.net@COLLMEDIA.NET

2. The host principal is not created until enrollment succeeds.

When using OTP you are replacing enrolling with Kerberos credentials 
with a one-time password.

The correct syntax when using auto-discovery is:

# ipa-client-install -w secret -U

You can append any other options as needed (--mkhomedir, etc).

rob

</pre>
<blockquote type="cite">
<pre wrap="">
Thanks again,
Guy

On 05/20/2013 07:15 PM, Dmitri Pal wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 05/20/2013 05:18 PM, Guy Matz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi!  I'm trying the following ipa-client-install:
[root@cpuppettest log]# hostname
cpuppettest
[root@cpuppettest log]# hostname -f
cpuppettest.collmedia.net
[root@cpuppettest log]# /usr/sbin/ipa-client-install
--domain=collmedia.net --enable-dns-updates --mkhomedir
--principal=HOST/cpuppettest.collmedia.net -w=secret
</pre>
</blockquote>
<pre wrap="">Did you pre create the client first yourself using ipa host-add?
While creating it did you create an OTP for it?
Is it 'secret'?
I think it should also be -w secret without '='

For more details see:
<a class="moz-txt-link-freetext" href="http://docs.fedoraproject.org/en-US/Fedora/17/html-single/FreeIPA_Guide/index.html#kickstart">http://docs.fedoraproject.org/en-US/Fedora/17/html-single/FreeIPA_Guide/index.html#kickstart</a>
</pre>
<blockquote type="cite">
<pre wrap="">--realm=COLLMEDIA.NET --server=ipadevmstr.collmedia.net --unattended
Discovery was successful!
Hostname: cpuppettest.collmedia.net
Realm: COLLMEDIA.NET
DNS Domain: collmedia.net
IPA Server: ipadevmstr.collmedia.net
BaseDN: dc=collmedia,dc=net


Synchronizing time with KDC...

kinit: Client 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' not found
in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

and krb5kdc.log on the server says:
[root@ipadevmstr log]# tailf -n 1 krb5kdc.log
May 20 17:12:50 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.28: CLIENT_NOT_FOUND:
HOST/cpuppettest.collmedia.net@COLLMEDIA.NET for
krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Client not found in Kerberos database

However my IPA server does seem to know about this new client:
[root@ipadevmstr log]# ipa host-show cpuppettest.collmedia.net
   Host name: cpuppettest.collmedia.net
   Password: True
   Keytab: False
   Managed by: cpuppettest.collmedia.net

Any thoughts would be greatly appreciated!
Thanks a lot,
Guy Matz

P.S. - Does my client need to be 3.x?
[root@cpuppettest log]# uname -a
Linux cpuppettest 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC
2012 x86_64 x86_64 x86_64 GNU/Linux
[root@cpuppettest log]# rpm -qa | grep ipa-client
ipa-client-2.2.0-16.el6.x86_64
</pre>
</blockquote>
<pre wrap="">
It should work OK if it is the latest patched 2.2 client.


</pre>
<blockquote type="cite">
<pre wrap="">and
[root@ipadevmstr log]# uname -a
Linux ipadevmstr.collmedia.net 2.6.32-279.22.1.el6.x86_64 #1 SMP Wed Feb
6 03:10:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@ipadevmstr log]# rpm -qa | grep ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">


</pre>
</blockquote>
<pre wrap="">

</pre>
</blockquote>
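<br>
An added example, not part of the original thread: a small triage script for the two checks in Rob's reply (lower-case host/ service component, and no host principal until enrollment completes). The function name diagnose, its output labels and the reading of "Keytab: False" as "not yet enrolled" are assumptions made for illustration; the sample input is constructed from the session output quoted above.<br>
<pre wrap="">
```shell
#!/bin/sh
# Added example, not from the thread: triage a failed host kinit with the two
# checks Rob lists. Sample inputs at the bottom are constructed from the
# session output quoted in the thread.

# diagnose PRINCIPAL HOST_SHOW_TEXT
#   PRINCIPAL      principal given to kinit or --principal
#   HOST_SHOW_TEXT captured output of `ipa host-show FQDN` on the server
# Prints one finding per line. The body runs in a subshell so variables stay local.
diagnose() (
    principal=$1
    host_show=$2
    service=${principal%%/*}   # text before the first "/"
    rest=${principal#*/}       # fqdn@REALM

    # Check 1: the service component is case-sensitive and must be "host".
    lowered=$(printf '%s' "$service" | tr '[:upper:]' '[:lower:]')
    if [ "$service" != host ]; then
        if [ "$lowered" = host ]; then
            echo "case: use host/$rest, not $principal"
        fi
    fi

    # Check 2: pull the Keytab and Password flags out of the host-show text.
    flag() {
        printf '%s\n' "$host_show" | awk -F': *' -v k="$1" '$1 ~ ("^ *" k "$") { print $2 }'
    }
    keytab=$(flag Keytab)
    password=$(flag Password)

    # Assumption: "Keytab: False" means enrollment has not completed, so the
    # host principal has no keys and kinit cannot succeed yet.
    case "$keytab/$password" in
        True/*)      echo "enrolled: keytab exists" ;;
        False/True)  echo "not-enrolled: OTP set, run ipa-client-install -w OTP -U on the client" ;;
        False/False) echo "not-enrolled: no OTP set and no keytab" ;;
        *)           echo "unknown: Keytab/Password flags not found" ;;
    esac
)

# Constructed sample: the pre-created host from the thread and the principal tried.
SAMPLE_HOST_SHOW='  Host name: cpuppettest.collmedia.net
  Password: True
  Keytab: False
  Managed by: cpuppettest.collmedia.net'

diagnose 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' "$SAMPLE_HOST_SHOW"
```
</pre>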
<br>
</body>
</html>