[Freeipa-users] Split enrollment (adding hosts via kickstart)

Rob Crittenden rcritten at redhat.com
Tue May 15 22:14:33 UTC 2012


Ian Levesque wrote:
> Hi,
>
> I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts via kickstart. Unfortunately, it's not working via kickstart and when I try running the commands by hand on a freshly-installed host, it still fails with "kinit: Client not found in Kerberos database while getting initial credentials".
>
> The freeipa docs [1] seem to indicate that this is as easy as:
>
>    1) ipa host-add <fqdn> --password=secret
>    2) ensuring ipa-client is installed in the kickstart
>    3) running ipa-client-install with the principal set as host/<fqdn> and providing the password
>
> I believe I've done what's required on the server:
>
> # ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
>   -------------------------------------
>   Added host "ian-ultra24-dmz.in.hwlab"
>   -------------------------------------
>    Host name: ian-ultra24-dmz.in.hwlab
>    Keytab: False
>    Password: True
>    Managed by: ian-ultra24-dmz.in.hwlab
>
> (I've deleted and re-added the host after each ipa-client-install attempt)
>
> And on the client:
>
> # rpm -qa | grep ipa-client
>   ipa-client-2.1.3-9.el6.x86_64
>
> # /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: ian-ultra24-dmz.in.hwlab
> Realm: SBGRID.ORG
> DNS Domain: in.hwlab
> IPA Server: sbgrid-directory.in.hwlab
> BaseDN: dc=sbgrid,dc=org
>
>
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
>
> kinit: Client not found in Kerberos database while getting initial credentials
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> Any help would be appreciated.

Don't set the principal and it will work; just drop the --principal bit.
The principal doesn't exist yet, which is why things are failing (or more
precisely, the principal with that principal key doesn't exist yet).

rob



