<div dir="ltr"><div>Sorry for probably stupid question, but if in general <a href="http://ipaclient.staging.example.com">ipaclient.staging.example.com</a> </div>host may be a member in <a href="http://prod.example.com">prod.example.com</a> domain? <div><div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Jun 20, 2013 at 10:34 AM, Vitaly <<a href="mailto:linux@karasik.org" target="_blank">linux@karasik.org</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">>Is KDC resolvable from the client? </div><div class="im">yes, there is DNS resolving for "<a href="http://serv02.prod.example.com" target="_blank">serv02.prod.example.com</a>" on client. >Do you have an AD DNS that might be actually serving records? </div>no, I don't AD DNS for <a href="http://prod.example.com" target="_blank">prod.example.com</a> <div class="im">>What version of the client and what OS are you using? </div>On the client: ipa-client-2.0-10.el5_6.1 Red Hat Enterprise Linux Server release 5.6 (Tikanga) On IPA server : ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch libipa_hbac-1.5.1-66.el6_2.3.x86_64 libipa_hbac-python-1.5.1-66.el6_2.3.x86_64 ipa-python-2.1.3-9.el6.x86_64 ipa-client-2.1.3-9.el6.x86_64 ipa-server-selinux-2.1.3-9.el6.x86_64 ipa-admintools-2.1.3-9.el6.x86_64 ipa-server-2.1.3-9.el6.x86_64 Red Hat Enterprise Linux Server release 6.2 (Santiago) Thank you, Vitaly <div class="im HOEnZb"> On Wed, Jun 19, 2013 at 7:45 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote: </div><div class="HOEnZb"><div class="h5">> On 06/19/2013 10:32 AM, Vitaly wrote: > > > ipa-client-install fails with "Cannot resolve network address for KDC" > message. > I don't have SRV records, but I provide IPA server name via "--server" > param. > any ideas? > > TIA, > Vitaly > > 2013-06-19 13:58:39,113 DEBUG Loading Index file from > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 2013-06-19 13:58:39,113 DEBUG [ipacheckldap] > 2013-06-19 13:58:39,113 DEBUG Init ldap with: > ldap://<a href="http://serv02.prod.example.com:389" target="_blank">serv02.prod.example.com:389</a> > 2013-06-19 13:58:39,193 DEBUG Search rootdse > 2013-06-19 13:58:39,233 DEBUG Search for (info=*) in > dc=prod,dc=example,dc=com(base) > 2013-06-19 13:58:39,272 DEBUG Found: [('dc=prod,dc=example,dc=com', > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': > ['<a href="http://prod.example.com" target="_blank">prod.example.com</a>'], 'dc': ['prod'], 'nisDomain': ['<a href="http://prod.example.com" target="_blank">prod.example.com</a>']})] > 2013-06-19 13:58:39,272 DEBUG Search for (objectClass=krbRealmContainer) in > dc=prod,dc=example,dc=com(sub) > 2013-06-19 13:58:39,313 DEBUG Found: > [('cn=<a href="http://PROD.EXAMPLE.COM" target="_blank">PROD.EXAMPLE.COM</a>,cn=kerberos,dc=prod,dc=example,dc=com', > {'krbSubTrees': ['dc=prod,dc=example,dc=com'], 'cn': ['<a href="http://PROD.EXAMPLE.COM" target="_blank">PROD.EXAMPLE.COM</a>'], > 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', > 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', > 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], > 'krbMaxRenewableAge': ['604800']})] > 2013-06-19 13:58:52,031 INFO args=/usr/kerberos/bin/kinit > <a href="mailto:vm4.stage.example.com@PROD.EXAMPLE.COM">vm4.stage.example.com@PROD.EXAMPLE.COM</a> > 2013-06-19 13:58:52,032 INFO stdout= > 2013-06-19 13:58:52,032 INFO stderr=kinit(v5): Cannot resolve network > address for KDC in realm <a href="http://PROD.EXAMPLE.COM" target="_blank">PROD.EXAMPLE.COM</a> while getting initial credentials > > 2013-06-19 13:58:52,065 INFO args=/usr/kerberos/bin/kdestroy > 2013-06-19 13:58:52,065 INFO stdout= > 2013-06-19 13:58:52,065 INFO stderr=kdestroy: No credentials cache found > while destroying cache > ~ > ~ > ~ > ~ > ~ > ~ > ~ > > > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > Is KDC resolvable from the client? > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> > > > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></div></blockquote></div> </div></div></div></div>