<div dir="ltr"><div>ah, ok. So I'm going to assume the problem with my server not being able to get a DNS record for any of the clients is why the user can't ssh into the clients. <br><br></div>Thanks for the help, everyone!<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>thx<br></div>anthony<br></div></div></div>
<br><div class="gmail_quote">On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Anthony Lanni wrote:<br>
> I'm referring to the host certificate; I was looking at the web UI,<br>
> under Identity->Hosts in the server details page. The Host Certificate<br>
> section says 'No Valid Certificate'.<br>
> The server has a /etc/krb5.keytab file, and on the same page the<br>
> Enrollment section says 'Kerberos Key Present, Host Provisioned'.<br>
<br>
</span>No, masters never got this certificate issued. It was intended to be an<br>
alternate way to authenticate a host to IPA. The host certificate is not<br>
used by IPA currently, and in 4.1 one isn't issued for clients by<br>
default any more.<br>
<br>
rob<br>
<span class=""><br>
><br>
> thx<br>
> anthony<br>
><br>
> thx<br>
> anthony<br>
><br>
> On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a><br>
</span><div><div class="h5">> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>> wrote:<br>
><br>
> On 03/26/2015 05:52 PM, Anthony Lanni wrote:<br>
> > kinit USER works perfectly; but I can't ssh into the client machine from<br>
> > the server without it requesting a password.<br>
> ><br>
> > I think this is a DNS issue, actually. The server isn't resolving the name<br>
> > of the client, so I'm ssh'ing with the IP address, and that's not going to<br>
> > work since it's not in the Kerberos db ("Cannot determine realm for numeric<br>
> > host address").<br>
><br>
> So it looks like you have found your problem - Kerberos tends to<br>
> break if DNS<br>
> is not set properly.<br>
><br>
> > Except, of course, that the server did not get its own valid Kerberos host<br>
> > certificate. It should, right? during the ipa-client-install --on-master<br>
> > step of the server install?<br>
><br>
> Are you asking about host certificate or a Kerberos keytab<br>
> (/etc/krb5.keytab)?<br>
> They are 2 distinct things.<br>
><br>
> > In fact, the global DNS config is completely empty. But I'm going to have<br>
> > to tear down the server and rebuild because it's on the same domain as an<br>
> > AD server, and ipa-client-install finds that server rather than the new IPA<br>
> > server by default: that won't work because I want LDAP to dynamically<br>
> > update the records, and establish a trust with the AD server.<br>
> > Also we've got 2 linux DNS root servers that act as forwarders. I pointed<br>
> > the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind<br>
> > to configure IPA to use them properly. SO I'm sure that's where most of my<br>
> > problems lie.<br>
> ><br>
> > I've got to RTFM a bit more before I really start asking the right<br>
> > questions, I think. At that point I'll start a new thread.<br>
><br>
> Ok :-)<br>
><br>
> Martin<br>
><br>
> ><br>
> ><br>
> ><br>
> > thx<br>
> > anthony<br>
> ><br>
> > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a><br>
</div></div><span class="">> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>> wrote:<br>
> ><br>
> >> I am not sure what you mean. So are you saying that "kinit USER"<br>
> done on<br>
> >> server<br>
> >> fails? With what error?<br>
> >><br>
> >> On 03/26/2015 05:28 PM, Anthony Lanni wrote:<br>
> >>> great, thanks.<br>
> >>><br>
> >>> On a related note: the server still doesn't get a (client) kerberos<br>
> >> ticket,<br>
> >>> which means I can't kinit as a user and then log into a client<br>
> machine<br>
> >>> without a password. Going the other way works fine, however.<br>
> >>><br>
> >>> thx<br>
> >>> anthony<br>
> >>><br>
> >>> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a><br>
</span><span class="">> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>> wrote:<br>
> >>><br>
> >>>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release<br>
> should have<br>
> >>>> the<br>
> >>>> keyutils dependency fixed anyway :-)<br>
> >>>><br>
> >>>> Martin<br>
> >>>><br>
> >>>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:<br>
> >>>>> keyutils is already installed but /bin/keyctl was 0 length<br>
> (!). Anyway<br>
> >> I<br>
> >>>>> reinstalled keyutils and then ran the ipa-server-install<br>
> again, and<br>
> >> this<br>
> >>>>> time it completed without error.<br>
> >>>>><br>
> >>>>> Thanks very much, Martin and Dmitri!<br>
> >>>>><br>
> >>>>> thx<br>
> >>>>> anthony<br>
> >>>>><br>
> >>>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek<br>
</span>> <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>><br>
<div><div class="h5">> >> wrote:<br>
> >>>>><br>
> >>>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:<br>
> >>>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:<br>
> >>>>>>>> While running ipa-server-install, it's failing out at the<br>
> end with<br>
> >> an<br>
> >>>>>> error<br>
> >>>>>>>> regarding the client install on the server. This happens<br>
> regardless<br>
> >> of<br>
> >>>>>> how I<br>
> >>>>>>>> input the options, but here's the latest command:<br>
> >>>>>>>><br>
> >>>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r<br>
> <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>><br>
> >>>>>>>> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> -n <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>><br>
> <<a href="http://example.com" target="_blank">http://example.com</a>> -p passwd1<br>
> >>>> -a<br>
> >>>>>>>> passwd2 --hostname=<a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a><br>
> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
> >>>>>>>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> --forwarder=10.0.1.20<br>
> >>>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d<br>
> >>>>>>>><br>
> >>>>>>>> Runs through the entire setup and gives me this:<br>
> >>>>>>>><br>
> >>>>>>>> [...]<br>
> >>>>>>>> ipa : DEBUG args=/usr/sbin/ipa-client-install<br>
> --on-master<br>
> >>>>>>>> --unattended --domain <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>><br>
> <<a href="http://example.com" target="_blank">http://example.com</a>> --server<br>
> >>>>>>>> <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a><br>
</div></div>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
> >>>> --realm<br>
> >>>>>>>> <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>><br>
<span class="">> --hostname<br>
> >>>> <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
> >>>>>>>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
> >>>>>>>> ipa : DEBUG stdout=<br>
> >>>>>>>><br>
> >>>>>>>> ipa : DEBUG stderr=Hostname:<br>
> <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
> >>>>>>>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
</span>> >>>>>>>> Realm: <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>><br>
<div class="HOEnZb"><div class="h5">> >>>>>>>> DNS Domain: <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>><br>
> <<a href="http://example.com" target="_blank">http://example.com</a>><br>
> >>>>>>>> IPA Server: <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a><br>
> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> <<br>
> >>>>>> <a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>><br>
> >>>>>>>> BaseDN: dc=example,dc=com<br>
> >>>>>>>> New SSSD config will be created<br>
> >>>>>>>> Configured /etc/sssd/sssd.conf<br>
> >>>>>>>> Traceback (most recent call last):<br>
> >>>>>>>> File "/usr/sbin/ipa-client-install", line 2377, in <module><br>
> >>>>>>>> sys.exit(main())<br>
> >>>>>>>> File "/usr/sbin/ipa-client-install", line 2363, in main<br>
> >>>>>>>> rval = install(options, env, fstore, statestore)<br>
> >>>>>>>> File "/usr/sbin/ipa-client-install", line 2135, in install<br>
> >>>>>>>> delete_persistent_client_session_data(host_principal)<br>
> >>>>>>>> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py",<br>
> line 124,<br>
> >> in<br>
> >>>>>>>> delete_persistent_client_session_data<br>
> >>>>>>>> kernel_keyring.del_key(keyname)<br>
> >>>>>>>> File<br>
> >> "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",<br>
> >>>>>> line<br>
> >>>>>>>> 99, in del_key<br>
> >>>>>>>> real_key = get_real_key(key)<br>
> >>>>>>>> File<br>
> >> "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",<br>
> >>>>>> line<br>
> >>>>>>>> 45, in get_real_key<br>
> >>>>>>>> (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING,<br>
> >> KEYTYPE,<br>
> >>>>>> key],<br>
> >>>>>>>> raiseonerr=False)<br>
> >>>>>>><br>
> >>>>>>> Is keyctl installed? Can you run it manually?<br>
> >>>>>>> Any SELinux denials?<br>
> >>>>>><br>
> >>>>>> You are likely hitting<br>
> >>>>>> <a href="https://fedorahosted.org/freeipa/ticket/3808" target="_blank">https://fedorahosted.org/freeipa/ticket/3808</a><br>
> >>>>>><br>
> >>>>>> Please try installing keyutils before running<br>
> ipa-server-install. It<br>
> >> is<br>
> >>>>>> fixed<br>
> >>>>>> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform<br>
> >> also:<br>
> >>>>>> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1205660" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1205660</a><br>
> >>>>>><br>
> >>>>>> Martin<br>
> >>>>>><br>
> >>>>>> --<br>
> >>>>>> Manage your subscription for the Freeipa-users mailing list:<br>
> >>>>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> >>>>>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
> >>>>>><br>
> >>>>><br>
> >>>><br>
> >>>><br>
> >>><br>
> >><br>
> >><br>
> ><br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>