[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Rob Crittenden rcritten at redhat.com
Wed Feb 12 18:32:14 UTC 2014


Shree wrote:
> Peter
> Actually I mentioned earlier that my clients are in a separate VLAN and
> cannot access the master. We have made provisions for the master and the
> replica to sync by opening the needed ports in the firewall. We have
> also opened up ports between the clients and the replica. I have tested
> the connectivity for these ports.
> Perhaps you can tell me if what I am trying to achieve is even possible?
> i.e.
> I seem to get stuck with making the replica with the "--setup-ca"
> option. Without that option I am able to create a replica and have it in
> sync with the master. However my ipa-client-install fails from clients
> as they try looking for the master for the CA part of the install.

Clients don't talk to the CA, they talk to an IPA server which talks to 
the CA.

I think we need to see /var/log/ipaclient-install.log to see what is 
going on.

rob

> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
> <pspacek at redhat.com> wrote:
> On 11.2.2014 23:53, Shree wrote:
>
>  > Following ports are opened between
>  > 1) the master and the replica (bidirectional)
>  > 2) the client machine and the IPA replica (unidirectional).
>  > When the replica was up it worked fine as far as syncing was concerned.
>  >
>  >  80 tcp
>  >  443 tcp
>  >  389 tcp
>  >  636 tcp
>  >  88 tcp
>  >  464 tcp
>  >  88 udp
>  >  464 udp
>  >  123 udp
>  >
>  > Shreeraj
>  >
>  > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>  >
>  > On 02/11/2014 05:05 PM, Shree wrote:
>  >> Dmitri
>  >> Sorry, some of the mail landed in my SPAM folder. Let me answer your
>  >> questions (thanks for your help man)
>  > Please republish it on the list.
>  > Do not reply to me directly.
>  >
>  > Did you set up your first server with the CA? Are all the ports that need
>  > to be open in the firewall between primary and server actually open?
>  >
>  >
>  >
>  >>
>  >> What I have done so far is uninstalled the replica and tried to
> install it again using the "--setup-ca" option. Previously I had
> failures and when I removed the "--setup-ca" option the installation
> succeeded (in a way). I understand now that I really need to fix the CA
> installation errors first.
>  >>
>  >>
>  >> 1) The workaround helped me go forward a bit but I got stuck at this
>  >> point, see below
>  >> ===========
>  >>    [1/3]: creating directory server user
>  >>    [2/3]: creating directory server instance
>  >>    [3/3]: restarting directory server
>  >> Done configuring directory server for the CA (pkids).
>  >> ipa        : ERROR    certmonger failed starting to track
>  >> certificate: Command '/usr/bin/ipa-getcert start-tracking -d
>  >> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
>  >> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
>  >> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit
>  >> status 1
>  >> Configuring certificate server (pki-cad): Estimated time 3 minutes
>  >> 30 seconds
>  >>    [1/17]: creating certificate server user
>  >>    [2/17]: creating pki-ca instance
>  >>    [3/17]: configuring certificate server instance
>  >> ipa        : CRITICAL failed to configure ca instance Command
>  >> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>  >> ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT
>  >> -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>  >> ===========
>  >> 2) No we do not use IPA for a DNS server.
>  >>
>  >>
>  >> 3) The reason for this could be that I had installed the replica
>  >> without the "--setup-ca".
>  >>
>  >> Shreeraj
>  >>
>  >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>  >>
>  >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>  >>> Shree wrote:
>  >>>> Lukas
>  >>>> Perhaps I should explain the design a bit and see if FreeIPA even
>  >>>> supports this. Our replica is in a separate network and all the
>  >>>> appropriate ports are opened between the master and the replica. The
>  >>>> "replica" got created successfully and is in sync with the master
>  >>>> (except the CA services which I mentioned earlier).
>  >>>> Now, when I try to run ipa-client-install on hosts in the new network
>  >>>> using the replica, it complains about "Cannot contact any KDC for
>  >>>> realm".
>  >>>> I am wondering if my hosts in the new network are trying to access the
>  >>>> "master" for certificates since the replica does not have any CA
>  >>>> services running? I couldn't find any obvious proof of this even running
>  >>>> the install in debug mode. Do I need to open ports between the new
>  >>>> hosts and the master for CA services?
>  >>>> At this point I cannot disable or move the master, it needs to function
>  >>>> in its location but I need
>  >>>
>  >>> No, the clients don't directly talk to the CA.
>  >>>
>  >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
>  >>> was found and we were trying to use. If you have SRV records for both
>  >>> but we try to contact the hidden master this will happen. You can try
>  >>> specifying the server on the command-line with --server but this will
>  >>> be hardcoding things and make it less flexible later.
>  >>>
>  >>> rob
>  >>>
>  >>>> Shreeraj
>  >>>>
>  >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik
>  >>>> <lslebodn at redhat.com <mailto:lslebodn at redhat.com>> wrote:
>  >>>> On (06/02/14 18:33), Shree wrote:
>  >>>>
>  >>>>> First of all, the ipa-replica-install did not allow me to use
>  >>>>> the --setup-ca option, complaining that a cert already exists; replica
>  >>>>> creation was successful after I skipped the option.
>  >>>>> Seems like the replica is done except
>  >>>>> 1) There is no CA Service running on the replica (which I guess is
>  >>>>> expected)
>  >>>>> and
>  >>>>> 2) I am unable to run ipa-client-install successfully on any clients
>  >>>>> using the replica. (I don't have the option of using the primary master
>  >>>>> as it is configured in a segregated environment. Only the master and
>  >>>>> replica are allowed to sync.)
>  >>>>> Debug shows it fails at
>  >>>>>
>  >>>>> ipa        : DEBUG    stderr=kinit: Cannot contact any KDC for realm
>  >>>>> 'mydomainname.com' while getting initial credentials
>  >>>>
>  >>>> I was not able to install a replica with CA on Fedora 20.
>  >>>> The bug is already reported: https://fedorahosted.org/pki/ticket/816
>  >>>>
>  >>>> Guys from dogtag found a workaround
>  >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>  >>>>
>  >>>> Does it work for you?
>  >>>>
>  >>>> LS
>  >>>>
>  >>>> _______________________________________________
>  >>>> Freeipa-users mailing list
>  >>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>  >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>  >>>>
>  >>>
>  >>
>  >> What server provides DNS capabilities to the clients?
>  >> Do you use IPA DNS or some other DNS?
>  >> Clients seem not to be able to see the replica KDC and try to access the
>  >> hidden master, but they can know about this master only via DNS.
>
>
> Shree, make sure that command
> $ dig -t SRV _kerberos._udp.ipa.example
> on the client returns both IPA servers (in ANSWER section).
>
> --
> Petr^2 Spacek
>
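Petr's SRV check and the port test Shree describes, combined into one client-side diagnostic as an added example (not from the thread and not FreeIPA's own tooling): it parses the ANSWER section of `dig -t SRV _kerberos._udp.<domain>`, orders the advertised KDCs the way a Kerberos client would try them, and probes the TCP ports from the firewall list against each one, so a server that DNS advertises but the firewall hides shows up explicitly. The hostnames ipa1/ipa2.ipa.example, the sample dig output and the injectable `probe` parameter are constructed assumptions.

```python
import re
import socket

# Constructed sample of the ANSWER section of `dig -t SRV _kerberos._udp.ipa.example`;
# ipa1/ipa2 are placeholder hostnames, not servers from the thread.
SAMPLE_DIG_ANSWER = """\
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ipa1.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 ipa2.ipa.example.
"""

# Columns of a dig SRV answer line: name ttl IN SRV priority weight port target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

# TCP ports from the thread's client-to-replica firewall list (UDP 88/464/123 are
# not probed here; a TCP connect says nothing about UDP filtering).
CLIENT_TCP_PORTS = (80, 443, 389, 636, 88, 464)


def parse_srv(dig_answer):
    """Parse SRV records into (priority, weight, port, target), in client try-order."""
    records = []
    for line in dig_answer.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target))
    # RFC 2782: lowest priority value first; within a priority, heavier weight first.
    return sorted(records, key=lambda r: (r[0], -r[1]))


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout (real network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(dig_answer, ports=CLIENT_TCP_PORTS, probe=tcp_probe):
    """Map every KDC that DNS advertises to the list of ports the client cannot reach."""
    report = {}
    for _prio, _weight, _srv_port, target in parse_srv(dig_answer):
        report[target] = [p for p in ports if not probe(target, p)]
    return report


def usable_servers(report):
    """Servers with every port open; empty means 'Cannot contact any KDC' is expected."""
    return [host for host, blocked in report.items() if not blocked]
```

On a client, feed it the real dig output (`diagnose(open("dig.out").read())`); if every advertised server has blocked ports, the SRV records are pointing the client at hosts the firewall hides, which is the situation Rob and Dmitri describe.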



