<div dir="ltr"><div><div>great, thanks. </div>On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into a client machine without a password. Going the other way works fine, however. </div></div><div class="gmail_extra"> <div><div class="gmail_signature"><div dir="ltr"><div>thx </div>anthony </div></div></div> <div class="gmail_quote">On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the keyutils dependency fixed anyway :-) Martin On 03/25/2015 06:59 PM, Anthony Lanni wrote: > keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I > reinstalled keyutils and then ran the ipa-server-install again, and this > time it completed without error. > > Thanks very much, Martin and Dmitri! > > thx > anthony > > On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> wrote: > >> On 03/25/2015 04:11 AM, Dmitri Pal wrote: >>> On 03/24/2015 09:17 PM, Anthony Lanni wrote: >>>> While running ipa-server-install, it's failing out at the end with an >> error >>>> regarding the client install on the server. This happens regardless of >> how I >>>> input the options, but here's the latest command: >>>> >>>> ipa-server-install --setup-dns -N --idstart=1000 -r <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> >>>> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> -n <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>> -p passwd1 -a >>>> passwd2 --hostname=<a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> >>>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> --forwarder=10.0.1.20 >>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d >>>> >>>> Runs through the entire setup and gives me this: >>>> >>>> [...] >>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master >>>> --unattended --domain <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>> --server >>>> <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> --realm >>>> <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> --hostname <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> >>>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> >>>> ipa : DEBUG stdout= >>>> >>>> ipa : DEBUG stderr=Hostname: <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> >>>> <<a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> >>>> Realm: <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> >>>> DNS Domain: <a href="http://example.com" target="_blank">example.com</a> <<a href="http://example.com" target="_blank">http://example.com</a>> >>>> IPA Server: <a href="http://ldap-server-01.example.com" target="_blank">ldap-server-01.example.com</a> < >> <a href="http://ldap-server-01.example.com" target="_blank">http://ldap-server-01.example.com</a>> >>>> BaseDN: dc=example,dc=com >>>> New SSSD config will be created >>>> Configured /etc/sssd/sssd.conf >>>> Traceback (most recent call last): >>>> File "/usr/sbin/ipa-client-install", line 2377, in <module> >>>> sys.exit(main()) >>>> File "/usr/sbin/ipa-client-install", line 2363, in main >>>> rval = install(options, env, fstore, statestore) >>>> File "/usr/sbin/ipa-client-install", line 2135, in install >>>> delete_persistent_client_session_data(host_principal) >>>> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in >>>> delete_persistent_client_session_data >>>> kernel_keyring.del_key(keyname) >>>> File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", >> line >>>> 99, in del_key >>>> real_key = get_real_key(key) >>>> File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", >> line >>>> 45, in get_real_key >>>> (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, >> key], >>>> raiseonerr=False) >>> >>> Is keyctl installed? Can you run it manually? >>> Any SELinux denials? >> >> You are likely hitting >> <a href="https://fedorahosted.org/freeipa/ticket/3808" target="_blank">https://fedorahosted.org/freeipa/ticket/3808</a> >> >> Please try installing keyutils before running ipa-server-install. It is >> fixed >> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also: >> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1205660" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1205660</a> >> >> Martin >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project >> > </blockquote></div> </div>