[Freeipa-users] Split enrollment (adding hosts via kickstart)

[Ian Levesque]

Hi,

I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts via kickstart. Unfortunately, it's not working via kickstart and when I try running the commands by hand on a freshly-installed host, it still fails with "kinit: Client not found in Kerberos database while getting initial credentials".

The freeipa docs [1] seem to indicate that this is as easy as:

  1) ipa host-add <fqdn> --password=secret
  2) ensuring ipa-client is installed in the kickstart
  3) running ipa-client-install with the principal set as host/<fqdn> and providing the password

I believe I've done what's required on the server:

# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
 -------------------------------------
 Added host "ian-ultra24-dmz.in.hwlab"
 -------------------------------------
  Host name: ian-ultra24-dmz.in.hwlab
  Keytab: False
  Password: True
  Managed by: ian-ultra24-dmz.in.hwlab

(I've deleted and re-added the host after each ipa-client-install attempt)

And on the client:

# rpm -qa | grep ipa-client
 ipa-client-2.1.3-9.el6.x86_64

# /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

kinit: Client not found in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any help would be appreciated.

Thanks!
Ian


--
1. http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html