<div dir="ltr"><div><div>thanks for the inputs.. the issue was with my network, </div>I was able to resolve it adding in the <span style="color:rgb(0,0,0);font-family:verdana,geneva,lucida,"lucida grande",arial,helvetica,sans-serif,sans;font-size:11px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline;float:none;background-color:rgb(250,250,250)">NETWORKING_IPV6=no in <span style="color:rgb(0,0,0);font-family:verdana,geneva,lucida,"lucida grande",arial,helvetica,sans-serif,sans;font-size:11px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline;float:none;background-color:rgb(250,250,250)"> /etc/sysconfig/network possibly it was using IPv6 resolution and that was failing</div><span style="color:rgb(0,0,0);font-family:verdana,geneva,lucida,"lucida grande",arial,helvetica,sans-serif,sans;font-size:11px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline;float:none;background-color:rgb(250,250,250)"><div><span style="color:rgb(0,0,0);font-family:verdana,geneva,lucida,"lucida grande",arial,helvetica,sans-serif,sans;font-size:11px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline;float:none;background-color:rgb(250,250,250)"> </div></div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 27.7.2016 19:29, Rakesh Rajasekharan wrote: > Hi, > > I am running ipa server 4.2 and set it up without using "--setup-dns=no". > > On few clients the installation fails with the below error message. > > > I verified that the ipa master dns is resolvable. Not sure what could be > wrong here.. > > > Joining realm failed: libcurl failed to execute the HTTP POST transaction, > explaining: Could not resolve host: <a href="http://ipa-master-in.xyz.com" rel="noreferrer" target="_blank">ipa-master-in.xyz.com</a>; Unknown error > > Use ipa-getkeytab to obtain a host principal for this server. > Please make sure the following ports are opened in the firewall settings: > TCP: 80, 88, 389 > UDP: 88 (at least one of TCP/UDP ports 88 has to be open) > Also note that following ports are necessary for ipa-client working > properly after enrollment: > TCP: 464 > UDP: 464, 123 (if NTP enabled) > Failed to obtain host TGT: (-1765328203, 'Key table entry not found') > Installation failed. Force set so not rolling back changes. > > > I tried removeing /etc/ipa/ca.crt and delete any older certificates > "certutil -D -n 'IPA CA' -d /etc/pki/nssdb" > > However, no luck yet.. > > any suggestions on how can I debug this.. I would start with command: $ dig <a href="http://ipa-master-in.xyz.com" rel="noreferrer" target="_blank">ipa-master-in.xyz.com</a> It should print IPv4 address of the server <a href="http://ipa-master-in.xyz.com" rel="noreferrer" target="_blank">ipa-master-in.xyz.com</a> . If it does not print it there is a problem with DNS. In that case usual DNS debugging guides apply. I hope it helps. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div>