[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Petr Spacek pspacek at redhat.com
Wed Feb 12 08:45:15 UTC 2014


On 11.2.2014 23:53, Shree wrote:
> The following ports are open:
> 1) between the master and the replica (bidirectional)
> 2) between the client machine and the IPA replica (unidirectional).
> When the replica was up it worked fine as far as syncing was concerned.
>
>   80 tcp
>   443 tcp
>   389 tcp
>   636 tcp
>   88 tcp
>   464 tcp
>   88 udp
>   464 udp
>   123 udp
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
> Change is the only Constant !
>
>
>
> On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 02/11/2014 05:05 PM, Shree wrote:
> Dmitri
>> Sorry, some of the mail landed in my SPAM folder. Let me answer your questions (thanks for your help man)
> Please republish it on the list.
> Do not reply to me directly.
>
> Did you set your first server with the CA? Are all ports that need
> to be open in the firewall between the primary and the server actually
> open?
>
>
>
>>
>> What I have done so far is uninstalled the replica and tried to install it again using the "--setup-ca" option. Previously I had failures and when I removed the "--setup-ca" option the installation succeeded (in a way). I understand now that I really need to fix the CA installation errors first.
>>
>>
>> 1) The workaround helped me go forward a bit but I got stuck at this point, see below
>> ===========
>>    [1/3]: creating directory server user
>>    [2/3]: creating directory server instance
>>    [3/3]: restarting directory server
>> Done configuring directory server for the CA (pkids).
>> ipa         : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>    [1/17]: creating certificate server user
>>    [2/17]: creating pki-ca instance
>>    [3/17]: configuring certificate server instance
>> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>> ===========
>> 2) No we do not use IPA for a DNS server.
>>
>>
>> 3) The reason for this could be that I had installed the replica without the "--setup-ca".
>>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>>
>>
>>
>> Change is the only Constant !
>>
>>
>>
>> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>>> Shree wrote:
>>>> Lukas
>>>> Perhaps I should explain the design a bit and see if FreeIPA even
>>>> supports this. Our replica is in a separate network and all the
>>>> appropriate ports are opened between the master and the replica. The
>>>> "replica" got created successfully and is in sync with the master
>>>> (except the CA services which I mentioned earlier)
>>>> Now, when I try to run ipa-client-install on hosts in the new network
>>>> using the replica, it complains about "Cannot contact any KDC for
>>>> realm".
>>>> I am wondering if my hosts in the new network are trying to access the
>>>> "master" for certificates since the replica does not have any CA
>>>> services running? I couldn't find any obvious proof of this even running
>>>> the install in a debug mode. Do I need to open ports between the new
>>>> hosts and the master for CA services?
>>>> At this point I cannot disable or move the master, it needs to function
>>>> in its location but I need
>>>
>>> No, the clients don't directly talk to the CA.
>>>
>>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
>>> was found and we were trying to use. If you have SRV records for both
>>> but we try to contact the hidden master this will happen. You can try
>>> specifying the server on the command-line with --server but this will
>>> be hardcoding things and make it less flexible later.
>>>
>>> rob
>>>
>>>> Shreeraj
>>>>
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> Change is the only Constant !
>>>>
>>>>
>>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik
>>>> <lslebodn at redhat.com> wrote:
>>>> On (06/02/14 18:33), Shree wrote:
>>>>
>>>>> First of all, the ipa-replica-install did not allow me to use
>>>>> the --setup-ca option complaining that a cert already exists, replica
>>>>> creation was successful after I skipped the option.
>>>>> Seems like the replica is one except
>>>>> 1) There is no CA Service running on the replica (which I guess is
>>>>> expected)
>>>>> and
>>>>> 2) I am unable to run ipa-client-install successfully on any clients
>>>>> using the replica. (I don't have the option of using the primary master
>>>>> as it is configured in a segregated environment. Only the master and
>>>>> replica are allowed to sync.
>>>>> Debug shows it fails at
>>>>>
>>>>> ipa        : DEBUG    stderr=kinit: Cannot contact any KDC for realm
>>>>> 'mydomainname.com' while getting initial credentials
>>>>
>>>>>
>>>>>
>>>>
>>>> I was not able to install a replica with CA on fedora 20,
>>>> Bug is already reported https://fedorahosted.org/pki/ticket/816
>>>>
>>>> Guys from dogtag found a workaround
>>>> https://fedorahosted.org/pki/ticket/816#comment:12
>>>>
>>>> Does it work for you?
>>>>
>>>> LS
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>
>> What server provides DNS capabilities to the clients?
>> Do you use IPA DNS or some other DNS?
>> Clients seem to not be able to see the replica KDC and try to access the hidden
>> master but they can know about this master only via DNS.

Shree, make sure that the command
$ dig -t SRV _kerberos._udp.ipa.example
on the client returns both IPA servers (in the ANSWER section).

-- 
Petr^2 Spacek
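One way to script the check Petr describes across the SRV records the client installer relies on, as an added example that is not part of the thread: the domain ipa.example and the hostnames ipa-master/ipa-replica are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): parse `dig -t SRV` output and verify
# that every IPA server a client should see is advertised in DNS.
# Domain and hostnames below are constructed placeholders.

# Print the SRV target hostnames found in dig output read on stdin,
# trailing dot stripped, one per line, sorted. Works on both full dig
# output and `dig +noall +answer` output (question lines have no 4th
# field equal to SRV, so they are skipped).
srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8 }' | sort -u
}

# Return 0 if every host in $1 (space separated) is among the SRV targets
# read on stdin; otherwise report the missing ones on stderr and return 1.
check_srv_covers() {
    expected="$1"
    found=$(srv_targets)
    missing=""
    for h in $expected; do
        echo "$found" | grep -qx "$h" || missing="$missing $h"
    done
    if [ -n "$missing" ]; then
        echo "missing from SRV records:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: only the (hidden) master is advertised, which is the
# situation the thread describes, so a client in the replica's network
# ends up with "Cannot contact any KDC for realm".
SAMPLE_ONLY_MASTER='_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ipa-master.ipa.example.'

# Constructed sample: both master and replica are advertised.
SAMPLE_BOTH="$SAMPLE_ONLY_MASTER
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ipa-replica.ipa.example."

# Live check to run on a client: query each record the installer uses and
# confirm the servers listed in $1 appear in all of them.
live_check() {
    for rr in _kerberos._udp _kerberos._tcp _kpasswd._udp _ldap._tcp; do
        echo "== $rr.ipa.example"
        dig +noall +answer -t SRV "$rr.ipa.example" | check_srv_covers "$1"
    done
}
```

Run `live_check "ipa-master.ipa.example ipa-replica.ipa.example"` on the client that fails; any record that omits the replica is the one to fix in DNS.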
