[Freeipa-users] ipa-client-install fails

Rob Crittenden rcritten at redhat.com
Tue May 21 13:47:42 UTC 2013


Guy Matz wrote:
> Thanks for the reply.  I *think* I'm doing this correctly . . .
>
> On the master:
> [root@ipadevmstr log]# host cpuppettest.collmedia.net
> cpuppettest.collmedia.net has address 192.168.8.28
> [root@ipadevmstr log]# ipa host-add cpuppettest.collmedia.net
> --password=secret
> --------------------------------------
> Added host "cpuppettest.collmedia.net"
> --------------------------------------
>    Host name: cpuppettest.collmedia.net
>    Password: True
>    Keytab: False
>    Managed by: cpuppettest.collmedia.net
>
> But on the client:
> [root@cpuppettest log]# kinit HOST/cpuppettest.collmedia.net@COLLMEDIA.NET
> kinit: Client 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' not found
> in Kerberos database while getting initial credentials
>
> Any ideas?

There are two problems:

1. Service principals are case-sensitive and host should be lower-case:
host/cpuppettest.collmedia.net@COLLMEDIA.NET

2. The host principal is not created until enrollment succeeds.

When using OTP you are replacing enrolling with Kerberos credentials 
with a one-time password.

The correct syntax when using auto-discovery is:

# ipa-client-install -w secret -U

You can append any other options as needed (--mkhomedir, etc).

rob

>
> Thanks again,
> Guy
>
> On 05/20/2013 07:15 PM, Dmitri Pal wrote:
>> On 05/20/2013 05:18 PM, Guy Matz wrote:
>>> Hi!  I'm trying the following ipa-client-install:
>>> [root@cpuppettest log]# hostname
>>> cpuppettest
>>> [root@cpuppettest log]# hostname -f
>>> cpuppettest.collmedia.net
>>> [root@cpuppettest log]# /usr/sbin/ipa-client-install
>>> --domain=collmedia.net --enable-dns-updates --mkhomedir
>>> --principal=HOST/cpuppettest.collmedia.net -w=secret
>> Did you pre create the client first yourself using ipa host-add?
>> While creating it did you create an OTP for it?
>> Is it 'secret'?
>> I think it should also be -w secret without '='
>>
>> For more details see:
>> http://docs.fedoraproject.org/en-US/Fedora/17/html-single/FreeIPA_Guide/index.html#kickstart
>>> --realm=COLLMEDIA.NET --server=ipadevmstr.collmedia.net --unattended
>>> Discovery was successful!
>>> Hostname: cpuppettest.collmedia.net
>>> Realm: COLLMEDIA.NET
>>> DNS Domain: collmedia.net
>>> IPA Server: ipadevmstr.collmedia.net
>>> BaseDN: dc=collmedia,dc=net
>>>
>>>
>>> Synchronizing time with KDC...
>>>
>>> kinit: Client 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' not found
>>> in Kerberos database while getting initial credentials
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> and krb5kdc.log on the server says:
>>> [root@ipadevmstr log]# tailf -n 1 krb5kdc.log
>>> May 20 17:12:50 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4
>>> etypes {18 17 16 23}) 192.168.8.28: CLIENT_NOT_FOUND:
>>> HOST/cpuppettest.collmedia.net@COLLMEDIA.NET for
>>> krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Client not found in Kerberos database
>>>
>>> However my IPA server does seem to know about this new client:
>>> [root@ipadevmstr log]# ipa host-show cpuppettest.collmedia.net
>>>    Host name: cpuppettest.collmedia.net
>>>    Password: True
>>>    Keytab: False
>>>    Managed by: cpuppettest.collmedia.net
>>>
>>> Any thoughts would be greatly appreciated!
>>> Thanks a lot,
>>> Guy Matz
>>>
>>> P.S. - Does my client need to be 3.x?
>>> [root@cpuppettest log]# uname -a
>>> Linux cpuppettest 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC
>>> 2012 x86_64 x86_64 x86_64 GNU/Linux
>>> [root@cpuppettest log]# rpm -qa | grep ipa-client
>>> ipa-client-2.2.0-16.el6.x86_64
>>
>> It should work OK if it is latest patched 2.2 client.
>>
>>
>>> and
>>> [root@ipadevmstr log]# uname -a
>>> Linux ipadevmstr.collmedia.net 2.6.32-279.22.1.el6.x86_64 #1 SMP Wed Feb
>>> 6 03:10:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>> [root@ipadevmstr log]# rpm -qa | grep ipa-server
>>> ipa-server-3.0.0-26.el6_4.2.x86_64
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
>
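
A triage helper for the failure discussed in this thread, as an added example that is not part of any poster's message: it pulls CLIENT_NOT_FOUND principals out of krb5kdc.log text, flags an upper-case service component, and reads `ipa host-show` output to tell a pre-created OTP host from an enrolled one. The function names and both sample inputs are constructed for illustration, modelled on the output quoted above with the archive's " at " written as "@".

```shell
#!/bin/sh
# Added example, not from the thread. Both samples are constructed from the
# output quoted in the thread (log line joined onto one line, "@" restored).
SAMPLE_KDC_LOG='May 20 17:12:50 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.28: CLIENT_NOT_FOUND: HOST/cpuppettest.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Client not found in Kerberos database'
SAMPLE_HOST_SHOW='  Host name: cpuppettest.collmedia.net
  Password: True
  Keytab: False
  Managed by: cpuppettest.collmedia.net'

# Print the client principal of each CLIENT_NOT_FOUND entry read from stdin.
extract_missing_principals() {
    sed -n 's/.*CLIENT_NOT_FOUND: \([^ ]*\) for .*/\1/p'
}

# Lower-case only the service component (before the first "/"); the
# hostname and realm are passed through unchanged.
normalize_principal() (
    p=$1
    case $p in
        */*) svc=$(printf '%s' "${p%%/*}" | tr '[:upper:]' '[:lower:]')
             printf '%s/%s\n' "$svc" "${p#*/}" ;;
        *)   printf '%s\n' "$p" ;;
    esac
)

# Classify `ipa host-show` output: enrolled, otp-pending or unknown.
enrollment_state() (
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Keytab:[[:space:]]*True'; then
        echo enrolled
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Password:[[:space:]]*True'; then
        echo otp-pending
    else
        echo unknown
    fi
)

# diagnose KDC_LOG_TEXT HOST_SHOW_TEXT: print one finding per line.
diagnose() (
    state=$(enrollment_state "$2")
    printf '%s\n' "$1" | extract_missing_principals | while IFS= read -r p; do
        fixed=$(normalize_principal "$p")
        if [ "$p" != "$fixed" ]; then
            echo "case: $p should be $fixed"
        fi
        if [ "$state" = otp-pending ]; then
            echo "state: OTP set, no keytab yet; enroll with ipa-client-install -w <OTP> -U"
        fi
    done
)

diagnose "$SAMPLE_KDC_LOG" "$SAMPLE_HOST_SHOW"
```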



