[Freeipa-users] Split enrollment (adding hosts via kickstart)

Rob Crittenden rcritten at redhat.com
Wed May 16 14:02:30 UTC 2012


Ian Levesque wrote:
>
> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>
>>> # /usr/sbin/ipa-client-install --domain=in.hwlab --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
>>> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>>> KDC address will be set to fixed value.
>>>
>>> Discovery was successful!
>>> Hostname: ian-ultra24-dmz.in.hwlab
>>> Realm: SBGRID.ORG
>>> DNS Domain: in.hwlab
>>> IPA Server: sbgrid-directory.in.hwlab
>>> BaseDN: dc=sbgrid,dc=org
>>>
>>>
>>> Synchronizing time with KDC...
>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>
>>> kinit: Client not found in Kerberos database while getting initial credentials
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> Any help would be appreciated.
>>
>> Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet).
>
> No luck:
>
> Joining realm failed: Incorrect password.
> Installation failed. Rolling back changes.
>
> I thought the point of doing the host-add was to set up a host principal with a one-time password. Without specifying the host principal, isn't the ipa-client-install trying to use the specified password to auth me, and not the host?

Bulk enrollment is done using a one-time password. No Kerberos 
credentials are created (though it still works if a krbPrincipalName is set 
in the host entry).

The userPassword attribute is set to the password and the client 
installer does a simple bind using the dn of the host as the user and 
the provided password to do the enrollment. The enrollment process 
removes the userPassword attribute when a successful bind occurs.

I'd suggest resetting the password on the host and trying again.

rob
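Added example, not part of the thread: the one-time password is the only credential in this enrollment path (the installer simple-binds as the host DN with it), so the exact bytes the installer takes from `-w`/`--password` decide whether the bind succeeds. Assuming the installer parses its command line with Python's optparse (as the FreeIPA client installer of that era did), the snippet below replays the switches from the quoted kickstart line through optparse and shows what the short form `-w=foobar` actually yields; `check_otp_args` is a hypothetical helper, not an ipa-client-install function, and the warning texts are my own.

```python
"""Replay the quoted ipa-client-install switches through optparse."""
from optparse import OptionParser


def build_parser():
    # Only the switches that appear in the quoted command line are modelled;
    # the real installer accepts many more. Names and dests are assumptions.
    parser = OptionParser()
    parser.add_option("--domain", dest="domain")
    parser.add_option("--realm", dest="realm")
    parser.add_option("--server", dest="server")
    parser.add_option("--principal", dest="principal")
    parser.add_option("-w", "--password", dest="password")
    parser.add_option("--unattended", action="store_true", default=False)
    return parser


def parse_password(argv):
    """Return the password value optparse extracts from argv (without argv[0])."""
    opts, _ = build_parser().parse_args(list(argv))
    return opts.password


def check_otp_args(argv):
    """Hypothetical pre-flight check for a one-time-password enrollment line.

    Returns a list of warning strings; an empty list means the switches look
    consistent with OTP enrollment as described in the reply above.
    """
    opts, _ = build_parser().parse_args(list(argv))
    warnings = []
    if opts.principal:
        # OTP enrollment binds as the host DN with userPassword; a --principal
        # makes the installer try Kerberos instead (the "Client not found" error).
        warnings.append("--principal given: OTP enrollment does not use it")
    if opts.password is not None and opts.password.startswith("="):
        # optparse treats "-w=foobar" as short option -w with value "=foobar";
        # the host's userPassword is "foobar", so the simple bind fails.
        warnings.append("password starts with '=': use -w foobar or --password=foobar")
    return warnings


# Constructed from the quoted kickstart command (argv[0] dropped).
QUOTED_ARGS = [
    "--domain=in.hwlab",
    "--principal=HOST/ian-ultra24-dmz.in.hwlab",
    "-w=foobar",
    "--realm=SBGRID.ORG",
    "--server=sbgrid-directory.in.hwlab",
    "--unattended",
]

if __name__ == "__main__":
    print("password seen by installer:", repr(parse_password(QUOTED_ARGS)))
    for w in check_otp_args(QUOTED_ARGS):
        print("warning:", w)
```

The same password written as `-w foobar` or `--password=foobar` parses as `foobar`; only the `-w=foobar` spelling picks up the leading `=`, because optparse treats everything after a short option letter as its value.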



