[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Mon Feb 10 18:46:42 UTC 2014



Lukas (sorry, my previous email may have been sent improperly edited).


My typical command looks like this (domain name changed for disclosure reasons):

# ipa-client-install --domain=mydomain.com --server=ldap2.mydomain.com --hostname=test500.mydomain.com -d

master = ldap.mydomain.com
replica = ldap2.mydomain.com

I ran lsof while running an ipa-client-install and found the following "kinit" instances trying to access my "master":
=====================

ipa-clien 10443      root  mem       REG              253,0   334040    1704353 /lib64/libldap_r-2.4.so.2.5.6
ipa-clien 10443      root  mem       REG              253,0    61896    1444372 /usr/lib64/python2.6/site-packages/_ldap.so
kinit     10545      root    3u     IPv4             143621      0t0        UDP test500.mydomain.com:57166->ldap.mydomain.com:kerberos
kinit     10545      root    4u     IPv4             143636      0t0        TCP test500.mydomain.com:35574->ldap.mydomain.com:kerberos (SYN_SENT)
=====================

The client install also finds an issue with syncing time during client install, but only gives a warning. The time difference between master and client is within seconds.

Shreeraj
----------------------------------------------------------------------------------------


Change is the only Constant !



On Sunday, February 9, 2014 4:44 AM, Rob Crittenden <rcritten at redhat.com> wrote:
 
Shree wrote:
> Lukas
> Perhaps I should explain the design a bit and see if FreeIPA even
> supports this. Our replica is in a separate network and all the
> appropriate ports are opened between the master and the replica. The
> "replica" got created successfully and is in sync with the master
> (except the CA services which I mentioned earlier).
> Now, when I try to run ipa-client-install on hosts in the new network
> using the replica, it complains about "Cannot contact any KDC for
> realm".
> I am wondering if my hosts in the new network are trying to access the
> "master" for certificates since the replica does not have any CA
> services running? I couldn't find any obvious proof of this even running
> the install in debug mode. Do I need to open ports between the new
> hosts and the master for CA services?
> At this point I cannot disable or move the master, it needs to function
> in its location but I need

No, the clients don't directly talk to the CA.

You'd need to look in /var/log/ipaclient-install.log to see what KDC was 
found and we were trying to use. If you have SRV records for both but we 
try to contact the hidden master this will happen. You can try 
specifying the server on the command-line with --server but this will be 
hardcoding things and make it less flexible later.

rob

> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik
> <lslebodn at redhat.com> wrote:
> On (06/02/14 18:33), Shree wrote:
>
> > First of all, the ipa-replica-install did not allow me to use
> > the --setup-ca option complaining that a cert already exists; replica creation was
> > successful after I skipped the option.
> > Seems like the replica is one except
> > 1) There is no CA Service running on the replica (which I guess is
> > expected)
> > and
> > 2) I am unable to run ipa-client-install successfully on any clients using
> > the replica. (I don't have the option of using the primary master as it is
> > configured in a segregated environment. Only the master and replica are
> > allowed to sync.)
> > Debug shows it fails at
> >
> > ipa         : DEBUG    stderr=kinit: Cannot contact any KDC for realm
> > 'mydomainname.com' while getting initial credentials
> >
> >
>
> I was not able to install a replica with CA on Fedora 20.
> The bug is already reported: https://fedorahosted.org/pki/ticket/816
>
> Guys from dogtag found a workaround:
> https://fedorahosted.org/pki/ticket/816#comment:12
>
> Does it work for you?
>
> LS
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
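As an added illustration of the check Rob describes above (ordering the realm's Kerberos SRV records the way a client does, then seeing which candidate KDC is actually reachable from the client's network), here is a small diagnostic script. It is not code from this thread or from FreeIPA; the SRV answers, the lsof lines and the host names are constructed from the placeholders used in the thread, and the tie-break ordering inside one SRV priority is a deterministic stand-in for the client's weighted random choice.

```python
"""
Diagnose which KDC an IPA client will try first, and whether it can reach it.

Two views are compared:
  * expected: the Kerberos SRV records for the realm, ordered by priority
    (lower first) and weight (higher first), then probed on their port;
  * observed: which hosts a running kinit is actually connecting to,
    taken from lsof output such as the lines quoted in this thread.
All sample data below is constructed for illustration.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

KERBEROS_PORT = 88

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv_lines(lines: List[str]) -> List[SrvRecord]:
    """Parse 'dig +short SRV'-style answers: '<priority> <weight> <port> <target>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        prio, weight, port, target = line.split()[:4]
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def order_kdcs(records: List[SrvRecord]) -> List[SrvRecord]:
    """Client preference order: lowest priority value first, then highest weight.
    Real clients pick randomly among equal weights (RFC 2782); the name is used
    here as a deterministic tie-break so the result is reproducible."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(records: List[SrvRecord],
             probe: Callable[[str, int], bool] = probe_tcp
             ) -> Tuple[Optional[str], List[Tuple[str, int, bool]]]:
    """Probe KDCs in preference order; return the first reachable target and a
    per-KDC report of (target, priority, reachable)."""
    report, first_ok = [], None
    for rec in order_kdcs(records):
        ok = probe(rec.target, rec.port)
        report.append((rec.target, rec.priority, ok))
        if ok and first_ok is None:
            first_ok = rec.target
    return first_ok, report

# Matches the destination of a kinit socket in lsof output, e.g.
# 'UDP client:57166->kdc.example.com:kerberos' -> 'kdc.example.com'
_KINIT_DST = re.compile(r"^kinit\s.*->([^:\s]+):\S+")

def kinit_targets(lsof_lines: List[str]) -> Set[str]:
    """Hosts that kinit processes were connecting to, per lsof."""
    found = set()
    for line in lsof_lines:
        m = _KINIT_DST.match(line)
        if m:
            found.add(m.group(1))
    return found

def probe_self_check() -> Tuple[bool, bool]:
    """Sanity check for probe_tcp against a local listener: reachable while the
    listener is open, refused once it is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close

if __name__ == "__main__":
    # Constructed SRV answer: both master and replica advertised at equal priority.
    sample_srv = ["0 100 88 ldap.mydomain.com.", "0 100 88 ldap2.mydomain.com."]
    first, report = diagnose(parse_srv_lines(sample_srv))
    for target, prio, ok in report:
        print(f"priority {prio}: {target} {'reachable' if ok else 'UNREACHABLE'}")
    print("first reachable KDC:", first)
```

Run it on a client with `dig +short SRV _kerberos._tcp.<domain>` output fed into `parse_srv_lines` and the lsof lines from a failing `ipa-client-install` fed into `kinit_targets`; if the observed kinit target is a host the report marks unreachable, the client is following DNS to the hidden master, which is the situation Rob describes and the reason `--server` changes the outcome.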