<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">Here are a couple of things<br><br>[skarulkar@ldap2 ~]$ rpm -q ipa-client<br>ipa-client-3.0.0-26.el6_4.4.x86_64<br><br><div><span>and my /etc/krb5.conf looks like ..........</span></div><div style="color: rgb(0, 0, 0); font-size: 10.6667px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">=======================================<br>includedir /var/lib/sss/pubconf/krb5.include.d/<br><br>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log<br><br>[libdefaults]<br> default_realm = MYDOMAIN.COM<br> dns_lookup_realm = false<br> dns_lookup_kdc = true<br> rdns = false<br> ticket_lifetime =
 24h<br> forwardable = yes<br><br>[realms]<br> MYDOMAIN.COM = {<br>  kdc = ldap2.mydomain.com:88<br>  master_kdc = ldap2.mydomain.com:88<br>  admin_server = ldap2.mydomain.com:749<br>  default_domain = mydomain.com<br>  pkinit_anchors = FILE:/etc/ipa/ca.crt<br>default_domain = mydomain.com<br>  pkinit_anchors = FILE:/etc/ipa/ca.crt<br>}<br><br>[domain_realm]<br> .mydomain.com = MYDOMAIN.COM<br> mydomain.com = MYDOMAIN.COM<br><br>[dbmodules]<br>  MYDOMAIN.COM = {<br>    db_library = ipadb.so<br>  }<br><br>=======================================<br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 10.6667px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 10.6667px; font-family: HelveticaNeue,Helvetica
 Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden &lt;rcritten@redhat.com&gt; wrote:<br> </font> </div>  <div class="y_msg_container">Shree wrote:<br clear="none">> 1) I have got a step further. My replica is not running CA Service. To<br clear="none">> achieve this I had to remove the existing cert with this command<br clear="none">><br clear="none">> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force<br clear="none">><br clear="none">> Now the replica looks like this<br clear="none">><br clear="none">> <a shape="rect"
 ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a> tmp]$ sudo ipactl status<br clear="none">> [sudo] password for skarulkar:<br clear="none">> Directory Service: RUNNING<br clear="none">> KDC Service: RUNNING<br clear="none">> KPASSWD Service: RUNNING<br clear="none">> MEMCACHE Service: RUNNING<br clear="none">> HTTP Service: RUNNING<br clear="none">> CA Service: RUNNING<br clear="none">> [<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a> tmp]$<br clear="none"><br clear="none">The tracking failed with:<br clear="none"><br clear="none">2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library: <br clear="none">Improper format of Kerberos configuration file.<br clear="none"><br clear="none">It looks like it failed on this for most if not all the tracking. What <br clear="none">does /etc/krb5.conf look like?<br clear="none"><br
 clear="none">><br clear="none">> 2) I am still not able to add client using ipa-client-install using the<br clear="none">> replica.<br clear="none"><br clear="none">The temporary krb5.conf that is used during enrollment has <br clear="none">dns_lookup_kdc=True so it is probably trying to contact the other KDC <br clear="none">and failing.<br clear="none"><br clear="none">What is the output of:<br clear="none"><br clear="none">$ rpm -q ipa-client<div class="yqt4043215980" id="yqtfd39340"><br clear="none"><br clear="none">rob<br clear="none"><br clear="none"></div><br><br></div>  </div> </div>  </div> </div></body></html>