<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">Rob<br>You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like <br>=================<br>Autodiscovery of servers for failover cannot work with this configuration.<br>If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.<br>Proceed with fixed values and no DNS discovery? [no]: yes<br>=================<br><div><span>I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.</span></div><div style="color: rgb(0, 0, 0);
font-size: 10.6667px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 10.6667px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span>However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?<br></span></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcritten@redhat.com> wrote:<br> </font> </div> <div class="y_msg_container">Shree wrote:<br clear="none">> <a shape="rect" ymailto="mailto:root@test500" href="mailto:root@test500">root@test500</a> ~]# rpm -q ipa-client<br clear="none">> ipa-client-2.2.0-16.el6.x86_64<br clear="none">> [<a shape="rect" ymailto="mailto:root@test500" href="mailto:root@test500">root@test500</a> ~]#<br clear="none"><br clear="none">You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484<br clear="none"><br
clear="none">Unfortunately our logging around discovery was rather horrible in 2.2.x <br clear="none">so it is difficult to know exactly what is going on.<br clear="none"><br clear="none">I believe the problem is that it is still doing DNS discovery even <br clear="none">though you've passed in a server name so it is setting up Kerberos to <br clear="none">look up the KDC which it finds but can't talk to.<br clear="none"><br clear="none">This should be fixed in the 3.0 packages so updating to those is the <br clear="none">preferred solution.<br clear="none"><br clear="none">For 2.x you can try the --force option which should make it skip some <br clear="none">discovery.<br clear="none"><br clear="none">rob<br clear="none"><br clear="none">><br clear="none">><br clear="none">> Shreeraj<br clear="none">> ----------------------------------------------------------------------------------------<br clear="none">><br clear="none">><br
clear="none">> Change is the only Constant !<br clear="none">><br clear="none">><br clear="none">> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden<br clear="none">> <<a shape="rect" ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br clear="none">> Shree wrote:<br clear="none">> > Here are a couple of things<br clear="none">> ><br clear="none">> > [<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a> <mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>> ~]$ rpm -q ipa-client<br clear="none">> > ipa-client-3.0.0-26.el6_4.4.x86_64<br clear="none">><br clear="none">> What is the version on the client that is failing to enroll?<br clear="none">><br clear="none">> rob<br clear="none">><br
clear="none">> ><br clear="none">> > and my /etc/krb5.conf looks like ..........<br clear="none">> > =======================================<br clear="none">> > includedir /var/lib/sss/pubconf/krb5.include.d/<br clear="none">> ><br clear="none">> > [logging]<br clear="none">> > default = FILE:/var/log/krb5libs.log<br clear="none">> > kdc = FILE:/var/log/krb5kdc.log<br clear="none">> > admin_server = FILE:/var/log/kadmind.log<br clear="none">> ><br clear="none">> > [libdefaults]<br clear="none">> > default_realm = MYDOMAIN.COM<br clear="none">> > dns_lookup_realm = false<br clear="none">> > dns_lookup_kdc = true<br clear="none">> > rdns = false<br clear="none">> > ticket_lifetime = 24h<br clear="none">>
> forwardable = yes<br clear="none">> ><br clear="none">> > [realms]<br clear="none">> > MYDOMAIN.COM = {<br clear="none">> > kdc = ldap2.mydomain.com:88<br clear="none">> > master_kdc = ldap2.mydomain.com:88<br clear="none">> > admin_server = ldap2.mydomain.com:749<br clear="none">> > default_domain = mydomain.com<br clear="none">> > pkinit_anchors = FILE:/etc/ipa/ca.crt<br clear="none">> > default_domain = mydomain.com<br clear="none">> > pkinit_anchors = FILE:/etc/ipa/ca.crt<br clear="none">> > }<br clear="none">> ><br clear="none">> > [domain_realm]<br clear="none">> > .mydomain.com = MYDOMAIN.COM<br clear="none">> > mydomain.com = MYDOMAIN.COM<br
clear="none">> ><br clear="none">> > [dbmodules]<br clear="none">> > MYDOMAIN.COM = {<br clear="none">> > db_library = ipadb.so<br clear="none">> > }<br clear="none">> ><br clear="none">> > =======================================<br clear="none">> ><br clear="none">> ><br clear="none">> > Shreeraj<br clear="none">> ><br clear="none">> ----------------------------------------------------------------------------------------<br clear="none">> ><br clear="none">> ><br clear="none">> > Change is the only Constant !<br clear="none">> ><br clear="none">> ><br clear="none">> > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden<br clear="none">> > <<a shape="rect"
ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a shape="rect" ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote:<br clear="none">> > Shree wrote:<br clear="none">> > > 1) I have got a step furthur. My replica is not running CA Service. To<br clear="none">> > > achieve this I had to remove the existing cert with this command<br clear="none">> > ><br clear="none">> > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force<br clear="none">> > ><br clear="none">> > > Now the replica looks like this<br clear="none">> > ><br clear="none">> > > <a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
<mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>> <mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a><br clear="none">> <mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>> tmp]$ sudo ipactl status<br clear="none">> > > [sudo] password for skarulkar:<br clear="none">> > > Directory Service: RUNNING<br clear="none">> > > KDC Service: RUNNING<br clear="none">> > > KPASSWD Service: RUNNING<br clear="none">> > > MEMCACHE Service: RUNNING<br clear="none">> > > HTTP Service: RUNNING<br clear="none">> > > CA Service: RUNNING<br clear="none">> > > [<a shape="rect" ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a> <mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>> <mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a><div class="yqt3074115429" id="yqtfd53238"><br clear="none">> <mailto:<a shape="rect" ymailto="mailto:skarulkar@ldap2" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>> tmp]$<br clear="none">><br clear="none">> ><br clear="none">> > The tracking failed with:<br clear="none">> ><br clear="none">> > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:<br clear="none">> > Improper format of Kerberos configuration file.<br clear="none">> ><br clear="none">> > It looks like it failed on this for most if not all the tracking. What<br clear="none">> > does
/etc/krb5.conf look like?<br clear="none">> ><br clear="none">> > ><br clear="none">> > > 2) I am still not able to add client using ipa-client-install<br clear="none">> using the<br clear="none">> > > replica.<br clear="none">> ><br clear="none">> > The temporary krb5.conf that is used during enrollment has<br clear="none">> > dns_lookup_kdc=True so it is probably trying to contact the other KDC<br clear="none">> > and failing.<br clear="none">> ><br clear="none">> > What is the output of:<br clear="none">> ><br clear="none">> > $ rpm -q ipa-client<br clear="none">> ><br clear="none">> ><br clear="none">> > rob<br clear="none">> ><br clear="none">> ><br clear="none">> ><br clear="none">><br
clear="none">><br clear="none">><br clear="none"><br clear="none"></div><br><br></div> </div> </div> </div> </div></body></html>