<div dir="ltr">We've deployed a FreeIPA server in a client infrastructure and now we're working on making that setup HA.  We've created a replica and I can verify that the replica has connectivity to the existing master and ensured that the auto-discovery DNS records are set up for LDAP / Kerberos / etc, but I'm having a couple of issues with clients:  <div><br></div><div>1.  ipa-client-install fails with the following error whenever a server is not explicitly specified (though explicitly specifying either the original master OR the replica works fine):</div><div><br></div><div><p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">trying <a href="https://ipa1.west-2.production.example.com/ipa/json">https://ipa1.west-2.production.example.com/ipa/json</a></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">trying <a href="https://ipa1.west-2.production.example.com/ipa/json">https://ipa1.west-2.production.example.com/ipa/json</a></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Installation failed. Rolling back changes.</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Unenrolling client from IPA server</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">Unenrolling host failed: Error obtaining initial credentials: Cannot find KDC for requested realm.</p><div><br></div><div>What we see in the install logs is:</div><div><br></div><div><p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Starting external process</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Process finished, return code=1</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stdout=</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:14px"><br></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Starting external process</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Process finished, return code=0</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stdout=</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stderr=</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Starting external process</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Process finished, return code=0</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stdout=</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stderr=</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Starting external process</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Process finished, return code=1</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stdout=</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:14px"><br></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent storage for principal 'host/test.west-2.production.example.com@EXAMPLE.COM'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z INFO trying <a href="https://ipa1.west-2.production.example.com/ipa/json">https://ipa1.west-2.production.example.com/ipa/json</a></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z INFO trying <a href="https://ipa1.west-2.production.example.com/ipa/json">https://ipa1.west-2.production.example.com/ipa/json</a></p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z WARNING Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG Starting external process</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall' '--debug'</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:40Z DEBUG Process finished, return code=0</p>
<p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration</p></div><div><br></div><div>2.  Related to this, all of our existing clients have been configured with explicit server= statements, meaning that they don't pick up the replica either.  Is there any way to manually fix this post installation, or will we simply have to uninstall and reinstall the ipa client?</div><div><br></div><div>Thanks,</div><div><br></div><div>Jeff</div><div><br></div><div><div class="gmail_signature"><div dir="ltr"><span style="font-family:Arial,sans-serif">Jeff Hallyburton</span><span style="font-size:10pt;font-family:Arial,sans-serif"><br></span><span style="font-size:10pt;font-family:Arial,sans-serif">Strategic Systems Engineer<br><span style="">Bloomip Inc.</span></span><span><span style="font-size:10pt;font-family:Arial,sans-serif"><br><span style="">Web: </span></span><a href="http://www.bloomip.com/" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:10pt;font-family:Arial,sans-serif">http://www.bloomip.com</span></a><span style="font-size:10pt;font-family:Arial,sans-serif"><br><br><span style="">Engineering Support: </span></span><a href="mailto:support@bloomip.com" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:10pt;font-family:Arial,sans-serif">support@bloomip.com</span></a><span style="font-size:10pt;font-family:Arial,sans-serif"><br><span style="">Billing Support: </span></span><a href="mailto:billing@bloomip.com" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:10pt;font-family:Arial,sans-serif">billing@bloomip.com</span></a><span style="font-size:10pt;font-family:Arial,sans-serif"><br><span style="">Customer Support Portal:  </span></span><a href="http://my.bloomip.com/" style="color:rgb(17,85,204)" target="_blank"><span 
style="font-size:10pt;font-family:Arial,sans-serif">https://my.bloomip.com</span></a></span><span style="font-size:10pt;font-family:Arial,sans-serif"><br></span></div></div></div>
</div></div>
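<p>Added example, not part of the original message: a check of where libkrb5 would look for a KDC for the realm given a krb5.conf, which is the step that fails above with "Cannot find KDC for realm". The sample file contents are constructed, the function names are hypothetical, and the handling of an unset <code>dns_lookup_kdc</code> assumes MIT krb5's default of enabled.</p>

```python
import re

# Constructed sample: a krb5.conf with no static kdc lines, so the
# KDC has to come from DNS SRV records published for the realm.
SAMPLE = """\
[libdefaults]
  dns_lookup_kdc = true
[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

def parse_krb5_conf(text):
    """Return ([libdefaults] settings, {realm: [kdc entries]})."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                realms.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_location_plan(text, realm):
    """Say where the KDC for `realm` would be looked up."""
    libdefaults, realms = parse_krb5_conf(text)
    if realms.get(realm):
        return ("static", realms[realm])
    # Assumption: an unset dns_lookup_kdc means enabled (MIT krb5 default).
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "on", "1"):
        zone = realm.lower()  # SRV names derive from the realm, not the host's domain
        return ("dns-srv", [f"_kerberos._udp.{zone}", f"_kerberos._tcp.{zone}"])
    return ("none", [])  # nothing left to try: "Cannot find KDC for realm"

if __name__ == "__main__":
    print(kdc_location_plan(SAMPLE, "EXAMPLE.COM"))
```

<p>When the plan is <code>dns-srv</code>, the returned names are the SRV records to query from the client's own resolver.</p>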