[Freeipa-users] Fedora 18 - FreeIPA + AD

Dale Macartney dale at themacartneyclan.com
Sat Jan 19 21:44:20 UTC 2013


On 01/19/2013 07:16 PM, Dmitri Pal wrote:
> On 01/19/2013 01:25 PM, MaSch wrote:
>> Hello all,
>>
>> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a test server. However I do not even get past
>> the initial (local) steps described in: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>> The last step of the section "Install and configure IPA server" gives me the following error:
I am having similar issues, however I only have the problem when
attempting a trust with AD 2012. Works perfectly on AD 2008r2.

Critical pre-req is definitely to make sure DNS resolution is working in
advance. It's always a killer.

If you use IPA managed DNS, use the following.

ipa dnszone-add nt.example.com --name-server=dc01.nt.example.com \
    --admin-email="administrator@nt.example.com" --force \
    --forwarder=10.0.2.11 --forward-policy=only

The IP address is the IP of the domain controller dc01.nt.example.com.

>>
>>
>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
>>
>> However "kdestroy" followed by a consequent "kinit admin" does not help, I get the error again when trying
>> to "ipa-adtrust-install"
>>
>> The ipaserver-install.log says:
>> 2013-01-19T17:19:56Z DEBUG stderr=
>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>>
>> 2013-01-19T17:19:56Z DEBUG Starting external process
>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
>>
>> 2013-01-19T17:19:57Z DEBUG stderr=
>> 2013-01-19T17:19:57Z INFO File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-adtrust-install", line 304, in main
>> sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
>>
>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials.
>> Use kdestroy and kinit to update your ticket
>>
>> ______________________________________________________________________________________________________
>>
>> I tried to follow the instructions and stick to the plan - here is the history of commands I executed on a fresh Fedora
>> 18 Installation (after installing vmware tools in the vm) (long output is omitted and replaced by ...):
>>
>>
>> [root@linux user]# yum update -y
>> ...
>> [root@linux user]# reboot
>> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>> ...
>> [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local ipa-server" >> /etc/hosts
>> [root@linux user]# hostname ipa-server.matrix.local
>> [root@linux user]# hostname
>> ipa-server.matrix.local
>> [root@linux user]# ping ipa-server.matrix.local
>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms
>> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL --setup-dns --no-forwarders -U
>> ... setup completes without errors
>> [root@linux user]# kinit admin
>> Password for admin@MATRIX.LOCAL:
>> [root@linux user]# klist
>> Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
>> Default principal: admin@MATRIX.LOCAL
>>
>> Valid starting Expires Service principal
>> 01/19/13 12:19:06 01/20/13 12:19:02 krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>> [root@linux user]# id admin
>> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
>> [root@linux user]# getent passwd admin
>> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
>> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> ==============================================================================
>> This program will setup components needed to establish trust to AD domains for
>> the FreeIPA Server.
>>
>> This includes:
>> * Configure Samba
>> * Add trust related objects to FreeIPA LDAP server
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>
>> ______________________________________________________________________________________________________
>>
>> The freeipa packages installed are :
>>
>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
>> freeipa-python-3.1.0-2.fc18.x86_64
>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>> freeipa-admintools-3.1.0-2.fc18.x86_64
>> freeipa-server-3.1.0-2.fc18.x86_64
>> freeipa-client-3.1.0-2.fc18.x86_64
>>
>>
>> Any help would be appreciated, perhaps I'm just missing a simple step.
>>
>>
>> Regards
>> Marco
>>
>
> What is the situation with the time on that box?
> Was the time and time zone set correctly?
> Is it a VM?
> Can it be that the time drifted in some way?
>
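
Added example, not part of the original message or of FreeIPA itself: a DNS pre-flight check for the "make sure DNS resolution is working in advance" step, run from the IPA server before attempting the trust. It assumes `dig` is installed and that the AD domain publishes the usual `_ldap._tcp` and `_kerberos._udp` SRV records; `nt.example.com` is the thread's example domain, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: confirm the IPA server can resolve the AD domain's
# service records before running the trust setup.
# Assumption: dig is the lookup tool; set DIG to substitute another
# command with the same "+short TYPE NAME" calling convention.
DIG=${DIG:-dig}

# srv_targets DOMAIN SERVICE
# Prints the target host of each SRV record for SERVICE.DOMAIN.
# `dig +short SRV` emits "priority weight port target." per record;
# anything else (CNAME lines, empty output) is ignored.
srv_targets() {
    $DIG +short SRV "$2.$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# check_trust_dns DOMAIN
# Returns 0 only if both SRV records exist and every target they name
# resolves to an address. Each failure is reported on stderr.
check_trust_dns() {
    domain=$1 rc=0
    for svc in _ldap._tcp _kerberos._udp; do
        targets=$(srv_targets "$domain" "$svc")
        if [ -z "$targets" ]; then
            echo "FAIL: no SRV record for $svc.$domain" >&2
            rc=1
            continue
        fi
        for host in $targets; do
            # An SRV record pointing at an unresolvable host is as
            # useless as no record at all.
            if [ -z "$($DIG +short A "$host")" ]; then
                echo "FAIL: $host ($svc) has no A record" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Typical use on the IPA server:
#   check_trust_dns nt.example.com && echo "DNS looks ready for the trust"
```

The same check is worth running in the other direction, from the domain controller against the IPA domain, since both sides have to find each other's records.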
