[Freeipa-users] ipa-client-install fails

Guy Matz gmatz at collective.com
Tue May 21 14:01:09 UTC 2013


Ahh!!!  Sooo much better!!   I was following the kickstart instructions here:
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html

Thanks again!!

Guy


On 05/21/2013 09:47 AM, Rob Crittenden wrote:

Guy Matz wrote:


Thanks for the reply.  I *think* I'm doing this correctly . . .

On the master:
[root@ipadevmstr log]# host cpuppettest.collmedia.net
cpuppettest.collmedia.net has address 192.168.8.28
[root@ipadevmstr log]# ipa host-add cpuppettest.collmedia.net --password=secret
--------------------------------------
Added host "cpuppettest.collmedia.net"
--------------------------------------
   Host name: cpuppettest.collmedia.net
   Password: True
   Keytab: False
   Managed by: cpuppettest.collmedia.net

But on the client:
[root@cpuppettest log]# kinit HOST/cpuppettest.collmedia.net@COLLMEDIA.NET
kinit: Client 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' not found
in Kerberos database while getting initial credentials

Any ideas?



There are two problems:

1. service principals are case-sensitive and host should be lower-case:
host/cpuppettest.collmedia.net@COLLMEDIA.NET

2. The host principal is not created until enrollment succeeds.

When using OTP you are replacing enrolling with Kerberos credentials
with a one-time password.

The correct syntax when using auto-discovery is:

# ipa-client-install -w secret -U

You can append any other options as needed (--mkhomedir, etc).

rob




Thanks again,
Guy

On 05/20/2013 07:15 PM, Dmitri Pal wrote:


On 05/20/2013 05:18 PM, Guy Matz wrote:


Hi!  I'm trying the following ipa-client-install:
[root@cpuppettest log]# hostname
cpuppettest
[root@cpuppettest log]# hostname -f
cpuppettest.collmedia.net
[root@cpuppettest log]# /usr/sbin/ipa-client-install
--domain=collmedia.net --enable-dns-updates --mkhomedir
--principal=HOST/cpuppettest.collmedia.net -w=secret


Did you pre create the client first yourself using ipa host-add?
While creating it did you create an OTP for it?
Is it 'secret'?
I think it should also be -w secret without '='

For more details see:
http://docs.fedoraproject.org/en-US/Fedora/17/html-single/FreeIPA_Guide/index.html#kickstart


--realm=COLLMEDIA.NET --server=ipadevmstr.collmedia.net --unattended
Discovery was successful!
Hostname: cpuppettest.collmedia.net
Realm: COLLMEDIA.NET
DNS Domain: collmedia.net
IPA Server: ipadevmstr.collmedia.net
BaseDN: dc=collmedia,dc=net


Synchronizing time with KDC...

kinit: Client 'HOST/cpuppettest.collmedia.net@COLLMEDIA.NET' not found
in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

and krb5kdc.log on the server says:
[root@ipadevmstr log]# tailf -n 1 krb5kdc.log
May 20 17:12:50 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.28: CLIENT_NOT_FOUND: HOST/cpuppettest.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Client not found in Kerberos database

However my IPA server does seem to know about this new client:
[root@ipadevmstr log]# ipa host-show cpuppettest.collmedia.net
   Host name: cpuppettest.collmedia.net
   Password: True
   Keytab: False
   Managed by: cpuppettest.collmedia.net

Any thoughts would be greatly appreciated!
Thanks a lot,
Guy Matz

P.S. - Does my client need to be 3.x?
[root@cpuppettest log]# uname -a
Linux cpuppettest 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@cpuppettest log]# rpm -qa | grep ipa-client
ipa-client-2.2.0-16.el6.x86_64



It should work OK if it is latest patched 2.2 client.




and
[root@ipadevmstr log]# uname -a
Linux ipadevmstr.collmedia.net 2.6.32-279.22.1.el6.x86_64 #1 SMP Wed Feb 6 03:10:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@ipadevmstr log]# rpm -qa | grep ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
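
Added example, not part of the original thread and not FreeIPA code: a small Python triage of krb5kdc.log that picks out CLIENT_NOT_FOUND entries like the one quoted in the thread and attaches the two hints from Rob's reply (lower-case host/ service, and no host principal before enrollment succeeds). The function name, the hint wording and the second log entry are assumptions made for illustration.

```python
import re

# Constructed sample: the krb5kdc.log entry quoted in the thread, unwrapped to one
# line, plus one made-up entry for an ordinary user principal.
SAMPLE_LOG = """\
May 20 17:12:50 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.28: CLIENT_NOT_FOUND: HOST/cpuppettest.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Client not found in Kerberos database
May 20 17:13:02 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.30: CLIENT_NOT_FOUND: jdoe@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Client not found in Kerberos database
"""

# Source address, requested client principal and target service of a failed AS_REQ.
NOT_FOUND = re.compile(
    r"AS_REQ \(.*?\) (?P<src>\S+): CLIENT_NOT_FOUND: (?P<client>\S+) for (?P<server>\S+),"
)


def triage(log_text):
    """Return one finding per CLIENT_NOT_FOUND entry, with hints for host principals."""
    findings = []
    for line in log_text.splitlines():
        m = NOT_FOUND.search(line)
        if not m:
            continue
        client = m.group("client")
        name, _, realm = client.rpartition("@")
        service, slash, instance = name.partition("/")
        hints = []
        if slash and service.lower() == "host":
            if service != "host":
                # Point 1 of the reply: principals are case-sensitive, host/ is lower-case.
                hints.append("use host/%s@%s (lower-case service)" % (instance, realm))
            # Point 2 of the reply: the host principal does not exist before enrollment.
            hints.append("host not enrolled yet: enroll with the one-time password "
                         "(ipa-client-install -w ... -U)")
        findings.append({"source": m.group("src"), "client": client, "hints": hints})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["source"], f["client"], "; ".join(f["hints"]) or "no host-specific hint")
```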






