[Freeipa-users] Fedora 18 - FreeIPA + AD

Dmitri Pal dpal at redhat.com
Sat Jan 19 22:25:49 UTC 2013


On 01/19/2013 04:44 PM, Dale Macartney wrote:
>
>
> On 01/19/2013 07:16 PM, Dmitri Pal wrote:
> > On 01/19/2013 01:25 PM, MaSch wrote:
> >> Hello all,
> >>
> >> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a test server. However, I do not even get past
> >> the initial (local) steps described in:
> >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> >> The last step of the section "Install and configure IPA server" gives me the following error:
> I am having similar issues, however I only have the problem when
> attempting a trust with AD 2012. Works perfectly on AD 2008r2.
>
> The critical pre-req is definitely to make sure DNS resolution is working in
> advance. It's always a killer.
>
> If you use IPA managed DNS, use the following.
>
> ipa dnszone-add nt.example.com --name-server=dc01.nt.example.com \
>     --admin-email="administrator@nt.example.com" --force \
>     --forwarder=10.0.2.11 --forward-policy=only
>
> The IP address is the IP of the domain controller dc01.nt.example.com.
>
> >>
> >>
> >> "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
> >>
> >> However "kdestroy" followed by a consequent "kinit admin" does not help, I get the error again when trying
> >> to "ipa-adtrust-install"
> >>
> >> The ipaserver-install.log says :
> >> 2013-01-19T17:19:56Z DEBUG stderr=
> >> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
> >>
> >> 2013-01-19T17:19:56Z DEBUG Starting external process
> >> 2013-01-19T17:19:56Z DEBUG args=kinit admin
> >> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
> >> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
> >>
> >> 2013-01-19T17:19:57Z DEBUG stderr=
> >> 2013-01-19T17:19:57Z INFO File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
> >> return_value = main_function()
> >>
> >> File "/usr/sbin/ipa-adtrust-install", line 304, in main
> >> sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
> >>
> >> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials.
> >> Use kdestroy and kinit to update your ticket
> >>
> >> ______________________________________________________________________________________________________
> >>
> >>
> >> I tried to follow the instructions and stick to the plan - here is the history of commands I executed on a fresh Fedora
> >> 18 installation (after installing vmware tools in the vm) (long output is omitted and replaced by ...):
> >>
> >>
> >> [root@linux user]# yum update -y
> >> ...
> >> [root@linux user]# reboot
> >> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
> >> ...
> >> [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local ipa-server" >> /etc/hosts
> >> [root@linux user]# hostname ipa-server.matrix.local
> >> [root@linux user]# hostname
> >> ipa-server.matrix.local
> >> [root@linux user]# ping ipa-server.matrix.local
> >> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
> >> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms
> >> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL --setup-dns --no-forwarders -U
> >> ... setup completes without errors
> >> [root@linux user]# kinit admin
> >> Password for admin@MATRIX.LOCAL:
> >> [root@linux user]# klist
> >> Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
> >> Default principal: admin@MATRIX.LOCAL
> >>
> >> Valid starting Expires Service principal
> >> 01/19/13 12:19:06 01/20/13 12:19:02 krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
> >> [root@linux user]# id admin
> >> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
> >> [root@linux user]# getent passwd admin
> >> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
> >> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
> >> The log file for this installation can be found in /var/log/ipaserver-install.log
> >> ==============================================================================
> >> This program will setup components needed to establish trust to AD domains for
> >> the FreeIPA Server.
> >>
> >> This includes:
> >> * Configure Samba
> >> * Add trust related objects to FreeIPA LDAP server
> >>
> >> To accept the default shown in brackets, press the Enter key.
> >>
> >>
> >> The following operations may take some minutes to complete.
> >> Please wait until the prompt is returned.
> >>
> >> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
> >>
> >>
> >> ______________________________________________________________________________________________________
> >>
> >> The freeipa packages installed are :
> >>
> >> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
> >> freeipa-python-3.1.0-2.fc18.x86_64
> >> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> >> freeipa-admintools-3.1.0-2.fc18.x86_64
> >> freeipa-server-3.1.0-2.fc18.x86_64
> >> freeipa-client-3.1.0-2.fc18.x86_64
> >>
> >>
> >> Any help would be appreciated, perhaps I'm just missing a simple step.
> >>
> >>
> >> Regards
> >> Marco
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> > What is the situation with the time on that box?
> > Was the time and time zone set correctly?
> > Is it a VM?
> > Can it be that the time drifted in some way?
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
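
Added example (not part of the original message and not FreeIPA code): one way to test the time-drift questions above is to compare the ticket times that klist prints against the host clock. It assumes klist prints local times in the MM/DD/YY layout quoted in the thread and uses the MIT krb5 default clock-skew tolerance of 300 seconds; check_tickets and SAMPLE_KLIST are illustrative names, and the sample text is constructed from the quoted output.

```python
import re
from datetime import datetime, timedelta

# MIT krb5 default tolerance ("clockskew" in krb5.conf) is 300 seconds.
CLOCKSKEW = timedelta(seconds=300)

# Constructed sample modelled on the klist output quoted in the thread;
# the cache path is a placeholder.
SAMPLE_KLIST = """\
Ticket cache: DIR::/run/user/1000/krb5cc_example/tkt
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%y %H:%M:%S"  # assumption: locale prints MM/DD/YY as in the thread


def check_tickets(klist_text, now, skew=CLOCKSKEW):
    """Return [(service_principal, status)] for every ticket line.

    status is "not-yet-valid" when the ticket starts more than `skew`
    after `now` (the clock was stepped back after kinit, e.g. a VM
    resync), "expired" when `now` is at or past the end time, else "ok".
    """
    results = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())
        if not m:
            continue  # header, blank or cache-name line
        start = datetime.strptime(m.group(1), FMT)
        end = datetime.strptime(m.group(2), FMT)
        if start - now > skew:
            status = "not-yet-valid"
        elif now >= end:
            status = "expired"
        else:
            status = "ok"
        results.append((m.group(3), status))
    return results


if __name__ == "__main__":
    for principal, status in check_tickets(SAMPLE_KLIST, datetime.now()):
        print(principal, status)
```

On a live host, pass the text printed by klist and datetime.now(); any status other than "ok" right after a fresh kinit means the clock moved between ticket issue and use.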

