<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 03/21/2014 07:44 PM, Shree wrote:
    <blockquote
      cite="mid:1395445491.29606.YahooMailNeo@web160105.mail.bf1.yahoo.com"
      type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
        255); font-family: HelveticaNeue,Helvetica
        Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 8pt;">Hi<br>
        Attaching the install log. It complains about being unable to reach
        certain ports, however my tests by using telnet were successful.
        Also to refresh your memory the client should be reaching for
        the replica lda2.mydomain.com and not ldap.mydomain.com which it
        does for the most part but I found a couple of instances of
        ldap.mydomain.com in the log. Let me know what you find. I can't
        believe I migrated over 40 servers and only this one refuses to
        install ipa-client.<br>
        <br>
      </div>
    </blockquote>
    <br>
    If it is getting to the wrong server then it is either looking at
    the wrong DNS server (see resolv.conf) which is telling it to use
    the wrong IPA server (maybe from some old try/POC) or it has some
    explicit entries entered in /etc/hosts.<br>
    <br>
    <br>
    <blockquote
      cite="mid:1395445491.29606.YahooMailNeo@web160105.mail.bf1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff;
        font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
        Lucida Grande, sans-serif;font-size:8pt"><br>
        <div> </div>
        <div>Shreeraj
          <br>
----------------------------------------------------------------------------------------
          <br>
          <br>
          Change is the only Constant !</div>
        <div style="display: block;" class="yahoo_quoted"> <br>
          <br>
          <div style="font-family: HelveticaNeue, Helvetica Neue,
            Helvetica, Arial, Lucida Grande, sans-serif; font-size:
            8pt;">
            <div style="font-family: HelveticaNeue, Helvetica Neue,
              Helvetica, Arial, Lucida Grande, sans-serif; font-size:
              12pt;">
              <div dir="ltr"> <font face="Arial" size="2"> On Thursday,
                  March 20, 2014 4:29 AM, Martin Kosek
                  <a class="moz-txt-link-rfc2396E" href="mailto:mkosek@redhat.com">&lt;mkosek@redhat.com&gt;</a> wrote:<br>
                </font> </div>
              <div class="y_msg_container">On 03/19/2014 10:37 PM, Shree
                wrote:
                <div class="yqt7252554429" id="yqtfd95788"><br
                    clear="none">
                  > Hello<br clear="none">
                  > I was able to successfully move all my clients to
                  the replica except in the process I had to upgrade the
                  client to "ipa-client-3.0.0-37.el6.x86_64" and
                  sometimes run a --uninstall <br clear="none">
                  > <br clear="none">
                  > . But it works for the most part. Have been
                  struggling with one last host with errors like below.
                  I have tested the port connectivity using telnet and
                  netcat commands but the install thinks these ports are
                  blocked? <br clear="none">
                  > <br clear="none">
                  >  <br clear="none">
                  > <br clear="none">
                  > <br clear="none">
                  > kerberos authentication failed<br clear="none">
                  > kinit: Cannot contact any KDC for realm
                  'MYDOMAIN.COM' while getting initial credentials<br
                    clear="none">
                  > <br clear="none">
                  > Please make sure the following ports are opened
                  in the firewall settings:<br clear="none">
                  >      TCP: 80, 88, 389<br clear="none">
                  >      UDP: 88 (at least one of TCP/UDP ports 88
                  has to be open)<br clear="none">
                  > Also note that following ports are necessary for
                  ipa-client working properly after enrollment:<br
                    clear="none">
                  >      TCP: 464<br clear="none">
                  >      UDP: 464, 123 (if NTP enabled)<br
                    clear="none">
                  > Installation failed. Rolling back changes.<br
                    clear="none">
                  > Disabling client Kerberos and LDAP configurations<br
                    clear="none">
                  > Redundant SSSD configuration file
                  /etc/sssd/sssd.conf was moved to
                  /etc/sssd/sssd.conf.deleted<br clear="none">
                  > Restoring client configuration files<br
                    clear="none">
                  > Client uninstall complete.<br clear="none">
                  > [<a moz-do-not-send="true" shape="rect"
                    ymailto="mailto:root@www" href="mailto:root@www">root@www</a>
                  /]#<br clear="none">
                  > <br clear="none">
                  > In the /var/log/ipaclient-install.log I also see
                  things like below. I get Autodiscovery failures but I
                  am manually entering things and they have been
                  working.<br clear="none">
                  > <br clear="none">
                  > 2014-03-19T21:13:47Z DEBUG Found:
                  cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com<br
                    clear="none">
                  > 2014-03-19T21:13:47Z DEBUG Discovery result:
                  Success; server=ldap2.mydomain.com,
                  domain=mydomain.com, kdc=ldap.mydomain.com,
                  basedn=dc=mydomain,dc=com<br clear="none">
                  > 2014-03-19T21:13:47Z DEBUG Validated servers:
                  ldap2.mydomain.com<br clear="none">
                  > 2014-03-19T21:13:47Z WARNING The failure to use
                  DNS to find your IPA server indicates that your
                  resolv.conf file is not properly configured.<br
                    clear="none">
                  > 2014-03-19T21:13:47Z INFO Autodiscovery of
                  servers for failover cannot work with this
                  configuration.<br clear="none">
                  > 2014-03-19T21:13:47Z INFO If you proceed with the
                  installation, services will be configured to always
                  access the discovered server for all operations and
                  will not fail over to other servers in case of
                  failure.</div>
                <br clear="none">
                <br clear="none">
                Ok. I would guess you have some DNS issue. But it is
                hard to tell without the<br clear="none">
                entire ipaclient-install.log of the failed installation.<br
                  clear="none">
                <br clear="none">
                Martin
                <div class="yqt7252554429" id="yqtfd45978"><br
                    clear="none">
                </div>
                <br>
                <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
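    <p>The two checks suggested in the reply above, as an added example
    that is not part of the original messages: the first function flags
    discovery lines in ipaclient-install.log where the server or KDC is
    not the intended replica, the second lists /etc/hosts entries that pin
    names in the domain. The function names and the 192.0.2.x sample hosts
    entries are constructed; the sample log line is the one quoted in the
    thread.</p>

```shell
#!/bin/sh
# Added example. Typical use on the affected client:
#   check_discovery ldap2.mydomain.com < /var/log/ipaclient-install.log
#   hosts_overrides mydomain.com < /etc/hosts
#   grep '^nameserver' /etc/resolv.conf

# Discovery line as quoted in the thread (unwrapped).
SAMPLE_LOG='2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com'

# Constructed /etc/hosts content with one stale pinned entry.
SAMPLE_HOSTS='127.0.0.1 localhost
192.0.2.10 ldap.mydomain.com ldap   # constructed stale entry
192.0.2.20 www.example.org'

# Read an install log on stdin and print "server kdc" for each
# successful discovery result.
discovery_pairs() {
    sed -n 's/.*Discovery result: Success; server=\([^,]*\), domain=[^,]*, kdc=\([^,]*\),.*/\1 \2/p'
}

# Return 0 if every discovery result uses the expected host for both the
# server and the KDC; otherwise print each mismatch and return 1.
check_discovery() {
    expected=$1
    bad=$(discovery_pairs | awk -v e="$expected" \
        '$1 != e || $2 != e { print "server=" $1 " kdc=" $2 }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Read hosts-file content on stdin and print "address name" for every
# non-comment name that falls under the given domain.
hosts_overrides() {
    awk -v d=".$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (length($i) > length(d) &&
                  substr($i, length($i) - length(d) + 1) == d)
                  print $1, $i }'
}

# Demo on the embedded samples.
printf '%s\n' "$SAMPLE_LOG" | check_discovery ldap2.mydomain.com ||
    echo "discovery does not match the intended replica"
printf '%s\n' "$SAMPLE_HOSTS" | hosts_overrides mydomain.com
```

    <p>A mismatch in the first check together with a hit in the second
    points at /etc/hosts; a mismatch with no hosts entry points back at the
    nameservers listed in /etc/resolv.conf.</p>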
  </body>
</html>