[Freeipa-users] error: Realm not local to KDC
Dmitri Pal
dpal at redhat.com
Tue Jan 15 23:55:15 UTC 2013
On 01/15/2013 05:57 PM, Sylvain Angers wrote:
> Hello
>
> Please help me troubleshot this following issue, thank you in advance!
>
> Some rhel6.2 have problem with authenticating against IPA v2.2
> while some others on same domain do not have issue but still get the
> same error "Failed to init credentials: Realm not local to KDC"
>
> hostname of client that work = mtl-vdi02d.cnppd.lab
> hostname of client that does not work = mtl-vdi08d.cnppd.lab
> all vm on RHEV
>
> ipa server (mtl-ipa01d.unix.cnppd.lab) is on unix.cnppd.lab because
> we have AD
> ip client are on cnppd.lab
> Windows machine are also on cnppd.lab connected to "Active directory"
>
Issues like this are usually related to DNS.
We recommend that you delegate a zone from AD to IPA and install IPA
with DNS to manage this zone.
With the setup like yours you have a high chance of AD responding to the
UNIX client requests.
You can avoid this but it would require a bit of manual configuration.
The following recommendation is written for trusts but AFAIU it is
applicable to this use case too.
There are two main options: take advantage of the IPA'sown DNS or not.
Configuration with IPA DNS:
* The recommended configuration is to take advantage of the IPA DNS
and to delegate a zone from the DNS server (most likely AD DNS) to
IPA. It should be possible to resolve the names in the AD domain via
forwarders. This configuration does not differ from the normal DNS
configuration we recommend and can be fully automated. Linux clients
in this case become machines in the IPA DNS domain.
* The alternative can be that IPA would be in the completely separate
namespace.In this case the AD DNS server needs a conditional
forwarder to resolve IPA names and the IPA DNS server needs a
forwarder to resolve AD names.
* An alternative solution, which would scale better in environments
with many domains, would be a common forwarder as described in
http://freeipa.org/page/IPAv3_testing_AD_trust#Adding_a_common_forwarder)
<http://freeipa.org/page/IPAv3_testing_AD_trust#Adding_a_common_forwarder%29>.Cross
forwarding is the only solution unless a common higher level DNS
server delegates both the AD and IPA zones to the respective servers.
* dns-a.example.com has a forwarder for example.net -> dns-b.example.net
* dns-b.example.net has a forwader for example.com -> dna-a.example.com
Configuration without IPA DNS:
* It is possible to use an AD DNS for the deployment and not configure
IPA DNS. In this case:
* The AD DNS should be updated to have all the names of the IPA
servers registered as Arecords(PTR records are not mandatory but
are useful).
* The IPA clients (SSSD) should be configured not to use service
discovery but rather use the list of the IPA server names
explicitely.
* Client entries would also have to be added to the AD domain
* If you prefer to use service discovery a subdomain can be allocated
for IPA servers. Service (SRV) records can be created for that
domain that would point to the list of the IPA servers. The clients
can be then configured to use service discovery but every client
would have to be added to the AD DNS directly too.
* DNS-based service discovery should be seen as a preferred way for
configuration without IPA DNS. There are too many places in both
Windows and on Linux where default assumptions are made when
resolving services that manual configuration should be discouraged.
HTH
> so we have a stub that redirect request for unix.cnppd.lab onto our ipa
>
> client can resolve ipa and vice versa
>
> [root at mtl-vdi08d log]# nslookup mtl-ipa01d.unix.cnppd.lab
> Server: 165.115.58.16
> Address: 165.115.58.16#53
>
> Non-authoritative answer:
> Name: mtl-ipa01d.unix.cnppd.lab
> Address: 165.115.118.21
>
> [root at mtl-vdi08d log]# nslookup unix.cnppd.lab
> Server: 165.115.58.16
> Address: 165.115.58.16#53
>
> Non-authoritative answer:
> Name: unix.cnppd.lab
> Address: 165.115.118.21
>
> [root at mtl-vdi08d log]# cat /etc/resolv.conf
> # Generated by NetworkManager
> domain cnppd.lab
> search cnppd.lab cn.ca <http://cn.ca>
> nameserver 165.115.58.16
>
>
>
> we all get this message in our logs
>
> (Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1943]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1944]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1945]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1946]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1947]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1954]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1955]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1956]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1957]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
> (Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1958]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not
> local to KDC
>
>
> while I can reinstall ipa-client on mtl-vdi02d and it will still work
>
> if I do the same with mtl-vdi08d, it will still not work
>
>
>
>
> [root at mtl-vdi08d ~]# ipa-client-install
> --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB --mkhomedir
> Discovery was successful!
> Hostname: mtl-vdi08d.cnppd.lab
> Realm: UNIX.CNPPD.LAB
> DNS Domain: UNIX.CNPPD.LAB
> IPA Server: mtl-ipa01d.unix.cnppd.lab
> BaseDN: dc=unix,dc=cnppd,dc=lab
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at UNIX.CNPPD.LAB:
>
> Enrolled in IPA realm UNIX.CNPPD.LAB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
> [root at mtl-vdi08d ~]#
>
>
>
>
> see the "Unable to find 'admin' user with 'getent passwd admin'!" message
>
> [root at mtl-vdi08d log]# getent passwd t154793
> [root at mtl-vdi08d log]#
>
>
> [root at mtl-vdi02d t154793]# getent passwd t154793
> t154793:*:1947600004:1947600004:Sylvain Angers:/home/t154793:/bin/bash
> [root at mtl-vdi02d t154793]#
>
>
> What could be the cause?
> Any assistance would be appreciate
>
> Thank you!
>
>
> --
> Sylvain Angers
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130115/fe6a518a/attachment.htm>
More information about the Freeipa-users
mailing list