[Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect

Rob Crittenden rcritten at redhat.com
Thu Jun 30 13:27:32 UTC 2011


Ondrej Valousek wrote:
>   Hi List,
>
> I have just noticed that the ipa-client-install fails miserably if the
> clients /etc/resolv.conf points to some foreign DNS server. The symptoms
> are that KDC (on the IPA server) fails to locate self in Kerberos database:

The KDC is just trying to look up a service that was requested; it was 
the client that requested this host. Note that the host name used is the 
detected IPA server. This can often be wrong if there is another server 
in your network with SRV records (such as AD).

>
> Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for HTTP/polaris.prague.s3group.com@EXAMPLE.COM, Server not found in Kerberos database
>
> Question: Should it probably try to autoconfigure /etc/resolv.conf as well,
> or at least warn the user that the join might fail?

The resolver is a bit of a chicken and egg problem. Hard to look 
anything up if you don't have one configured.

The installer should prompt that the detected settings are ok. Were they 
ok and we still went to the wrong place?

rob
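A pre-flight check for the discovery failure described above, as an added example (not from the thread or the FreeIPA installer): it reads the nameservers from resolv.conf, asks the first one for the domain's Kerberos and LDAP SRV records, and warns when the discovered host is not the intended IPA server. The resolver addresses, hostnames and SRV answers are constructed, and `fake_lookup` stands in for a real SRV query against a given resolver.

```python
import re
from typing import Callable, Dict, List

# lookup(nameserver, name) -> SRV target hostnames answered by that resolver
SrvLookup = Callable[[str, str], List[str]]


def nameservers(resolv_conf: str) -> List[str]:
    """Nameserver addresses listed in resolv.conf text, in file order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)


def check_discovery(resolv_conf: str, domain: str, expected_server: str,
                    lookup: SrvLookup) -> List[str]:
    """Return warnings; an empty list means autodiscovery lands on expected_server."""
    warnings: List[str] = []
    ns_list = nameservers(resolv_conf)
    if not ns_list:
        return ["no nameserver in resolv.conf; SRV discovery cannot work"]
    resolver = ns_list[0]  # the stub resolver tries the first entry first
    for svc in ("_kerberos._tcp", "_ldap._tcp"):
        name = f"{svc}.{domain}"
        targets = lookup(resolver, name)
        if not targets:
            warnings.append(f"{name}: no SRV answer from {resolver}")
        elif expected_server not in targets:
            warnings.append(f"{name}: {resolver} returns {targets}, not "
                            f"{expected_server}; the KDC would report "
                            "'Server not found in Kerberos database'")
    return warnings


# Constructed sample answers (hypothetical addresses and hostnames).
FAKE_SRV: Dict[str, Dict[str, List[str]]] = {
    "192.168.60.1": {  # the IPA server's own DNS
        "_kerberos._tcp.example.com": ["ipa.example.com"],
        "_ldap._tcp.example.com": ["ipa.example.com"],
    },
    "10.0.0.53": {  # a foreign DNS server (e.g. AD) with its own SRV records
        "_kerberos._tcp.example.com": ["dc1.ad.example.com"],
        "_ldap._tcp.example.com": ["dc1.ad.example.com"],
    },
}


def fake_lookup(nameserver: str, name: str) -> List[str]:
    """Stand-in for a real SRV query sent to `nameserver`."""
    return FAKE_SRV.get(nameserver, {}).get(name, [])


GOOD_RESOLV = "search example.com\nnameserver 192.168.60.1\n"
BAD_RESOLV = "search example.com\nnameserver 10.0.0.53\n"
```

Run `check_discovery(BAD_RESOLV, "example.com", "ipa.example.com", fake_lookup)` before joining to see the warning the original poster asked for.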