[Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

Martin Kosek <mkosek@redhat.com>
Fri Nov 29 09:49:44 UTC 2013


On 11/29/2013 09:16 AM, Les Stott wrote:
> Hi,
> 
> Recently installed freeipa on two servers in multi-master mode. We want to have a central authentication system for many hosts. Environment is RHEL 6.4 for servers, RHEL 6.1 for the first client host, standard rpm packages used - ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.
> 
> I am now trying to add the first linux host to freeipa via ipa-client-install.
> 
> When I run ipa-client-install on a host in debug mode it fails with the errors below (I have changed hostnames and IPs: freeipa-1.mydomain.com 192.168.1.22 and freeipa-2.mydomain.com 192.168.1.23, client host - host1 192.168.1.15)
> 
> trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
> get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/freeipa-1@MYDOMAIN.COM not found in Kerberos database)
> {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/freeipa-1@MYDOMAIN.COM not found in Kerberos database)', 'desc': 'Local error'}
> 
> The Kerberos logs on the server (freeipa-1) show
> Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@MYDOMAIN.COM for HTTP/freeipa-1@MYDOMAIN.COM, Server not found in Kerberos database
> 
> The logs indicate that the service name is being used with the short hostname (HTTP/freeipa-1@MYDOMAIN.COM). The FreeIPA server has records for HTTP/freeipa-1.mydomain.com@MYDOMAIN.COM. I can see these in the web interface. I believe this is where it is stumbling.
> 
> I've been banging my head against the wall on this one for a couple of days. Everything I've found says make sure you have working DNS, make sure you can reverse lookup IPs, make sure hostnames are FQDNs, make sure /etc/hosts on the server has the servers' IPs listed with FQDN first and short name second. I've done all that.

What about /etc/hosts on the clients? Do they also have FQDN first in case they
have server IP in there?

Martin
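The check Martin is asking about, written out as an added example (this is not code from the thread or from FreeIPA). libkrb5 builds the service principal it requests (ldap/<host>@REALM, HTTP/<host>@REALM) from the canonical host name the resolver returns, and for an /etc/hosts match that is the first name on the matching line. The script below shows what the resolver would treat as canonical for each name in a hosts file and flags lines where a short name precedes the FQDN. The sample hosts file is constructed from the hostnames and addresses in the post; `awk` and `mktemp` are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA.
# For a host found in /etc/hosts, getaddrinfo(AI_CANONNAME) returns the FIRST
# name on the matching line, and libkrb5 uses that name to build the service
# principal. So a line "192.168.1.23 freeipa-2 freeipa-2.mydomain.com" makes
# the client ask the KDC for ldap/freeipa-2@MYDOMAIN.COM, which does not exist.

# Print the name the resolver treats as canonical for $2 in hosts file $1
# (first name on the line that lists $2). Prints nothing if $2 is absent.
hosts_canonical_name() {
    awk -v want="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { sub(/#.*/, "")
          for (i = 2; i <= NF; i++) if ($i == want) { print $2; exit } }
    ' "$1"
}

# Report non-loopback lines whose first name is a short name while an FQDN
# appears later on the same line. Returns 0 if none are found, 1 otherwise.
check_hosts_fqdn_first() {
    bad=0
    while read -r ip first rest; do
        case "$ip" in ''|'#'*|127.*|::1) continue ;; esac
        case "$first" in *.*) continue ;; esac   # FQDN already first: fine
        for name in $rest; do
            case "$name" in
                '#'*) break ;;
                *.*) echo "short name before FQDN: $ip $first $rest"
                     bad=1
                     break ;;
            esac
        done
    done < "$1"
    return "$bad"
}

# Constructed sample client /etc/hosts using the thread's names and addresses:
# the freeipa-1 line is in the right order, the freeipa-2 line is not.
SAMPLE_HOSTS="$(mktemp)"
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.22 freeipa-1.mydomain.com freeipa-1
192.168.1.23 freeipa-2 freeipa-2.mydomain.com
EOF

echo "canonical name for freeipa-1.mydomain.com: $(hosts_canonical_name "$SAMPLE_HOSTS" freeipa-1.mydomain.com)"
echo "canonical name for freeipa-2.mydomain.com: $(hosts_canonical_name "$SAMPLE_HOSTS" freeipa-2.mydomain.com)"
check_hosts_fqdn_first "$SAMPLE_HOSTS" || echo "fix the line(s) above: the FQDN must come first"
```

On a real client, run the same check against /etc/hosts and then confirm that `hostname -f`, `getent hosts freeipa-1.mydomain.com` and a reverse lookup of 192.168.1.22 all agree on the FQDN; if reverse DNS cannot be made consistent, `rdns = false` in the `[libdefaults]` section of krb5.conf stops libkrb5 from replacing the name with the PTR result before building the principal.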
