[Freeipa-users] Service...not found in Kerberos database

Rob Crittenden rcritten at redhat.com
Mon Jul 1 18:16:18 UTC 2013


Petr Spacek wrote:
> On 29.6.2013 09:40, Joshua J. Kugler wrote:
>> We are trying to query an IPA server from a new IPA server (not
>> replication, just trying to query to recreate accounts).
>>
>> But, when I run the query, I get this:
>>
>> [root@ipan ~]# ipa -vvv -e xmlrpc_uri=https://ipa0.lab.whamcloud.com/ipa/xml user-show jkugler
>> ipa: INFO: trying https://ipa0.lab.whamcloud.com/ipa/xml
>> ipa: INFO: Forwarding 'user_show' to server u'https://ipa0.lab.whamcloud.com/ipa/xml'
>> ipa: ERROR: Service 'HTTP@ipa0.lab.whamcloud.com' not found in Kerberos database
>>
>> I've done some googling, and the answers I found had to do with DNS
>> issues, but I don't believe that is the cause in our case, because DNS
>> lookups seem to work.
>>
>> [root@ipan ~]# host ipan.lab.whamcloud.com
>> ipan.lab.whamcloud.com has address 10.10.0.50
>> [root@ipan ~]# host ipa0.lab.whamcloud.com
>> ipa0.lab.whamcloud.com has address 10.10.0.4
>> [root@ipan ~]# host 10.10.0.50
>> 50.0.10.10.in-addr.arpa domain name pointer ipan.lab.whamcloud.com.
>> [root@ipan ~]# host 10.10.0.4
>> 4.0.10.10.in-addr.arpa domain name pointer ipa0.lab.whamcloud.com.
>>
>> What config do I need to tweak on the new server to allow it to query
>> the old server?
>
> I guess that now you have two FreeIPA servers with different host names
> but with the same FreeIPA domain and Kerberos REALM name, right? Please
> correct me if I'm wrong.
>
> This configuration can't work with Kerberos authentication.
> Authentication to only one server will work at a time, because there
> is no reliable way to find which KDC (old or new) you should query.
>
> IMHO the simplest way to work around this situation is to generate a
> list of users etc. on the 'old' server, save the data to a file and
> transfer the files to the new server. (And then decommission the old
> server.)
>
> This will save you the pain caused by mis-configured Kerberos, but you
> will have to solve file parsing.
>
>

You can also use the ipa migrate-ds command to move users and groups from
one IPA server to another.

rob
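Petr's export-to-file route, carried through as an added example that is not from this thread or from the FreeIPA project: it parses the indented "Key: value" block format the ipa CLI prints for `ipa user-find` into records and renders the `ipa user-add` command lines that would recreate each account on the new server. The sample output is constructed, the label names ("User login", "First name", ...) and the `user-add` option names are assumed to match the IPA 3.x CLI, and nothing here touches Kerberos keys: `user-find` never exports them, so every recreated account needs a fresh password, which is one reason the `ipa migrate-ds` command Rob mentions is the usual choice.

```python
# Added example (not from the thread or the FreeIPA project): parse
# `ipa user-find` block output into records and build `ipa user-add`
# argument lists that replay the attributes on a new server.
# Assumptions: IPA 3.x CLI labels and option names; the sample is constructed.

import re
import shlex

# Constructed sample of `ipa user-find --all` output (not real data).
SAMPLE_USER_FIND = """\
---------------
2 users matched
---------------
  User login: jkugler
  First name: Joshua
  Last name: Kugler
  Home directory: /home/jkugler
  Login shell: /bin/bash
  Email address: jkugler@example.test
  UID: 1234567890
  GID: 1234567890
  Account disabled: False

  User login: svc-backup
  First name: Backup
  Last name: Service
  Home directory: /home/svc-backup
  Login shell: /sbin/nologin
  UID: 1234567891
  GID: 1234567891
  Account disabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# CLI label -> `ipa user-add` option (assumed IPA 3.x names). Labels not
# listed stay in the parsed record but are not replayed.
LABEL_TO_OPTION = {
    "First name": "--first",
    "Last name": "--last",
    "Home directory": "--homedir",
    "Login shell": "--shell",
    "Email address": "--email",
    "UID": "--uid",
    "GID": "--gidnumber",
}

RECORD_START = "User login"
ENTRY_RE = re.compile(r"^\s{2}([^:]+):\s*(.*)$")  # two-space indented "Key: value"


def parse_user_find(text):
    """Return a list of dicts, one per user block; banners and dashes are skipped."""
    records = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == RECORD_START:
            current = {key: value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def user_add_args(record):
    """argv for `ipa user-add` that recreates one record's attributes."""
    argv = ["ipa", "user-add", record[RECORD_START]]
    for label, option in LABEL_TO_OPTION.items():
        if label in record:
            argv += [option, record[label]]
    return argv


def render_commands(text):
    """Shell-safe command lines for every parsed user.

    A disabled account is recreated and then disabled again, so the
    migration never silently re-enables an account that was locked."""
    commands = []
    for record in parse_user_find(text):
        commands.append(shlex.join(user_add_args(record)))
        if record.get("Account disabled") == "True":
            commands.append(shlex.join(["ipa", "user-disable", record[RECORD_START]]))
    return commands


if __name__ == "__main__":
    for cmd in render_commands(SAMPLE_USER_FIND):
        print(cmd)
```

Run it against a saved `ipa user-find --all > users.txt` from the old server and review the printed commands before executing them on the new one; group membership and any other attribute you care about has to be added to `LABEL_TO_OPTION` (or handled with `ipa group-add-member`) explicitly, since the parser only replays what is mapped.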
