[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Wed Feb 12 20:41:34 UTC 2014
So I uninstalled the ipa server and installed the client (ipa-client-install) on the same VM pointing at the master and everything seems to work OK. All the sudo rules etc. Are there any tests I can do to check connectivity that could be helpful before I configure this as a "replica" again?
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <dpal at redhat.com> wrote:
On 02/12/2014 02:09 PM, Shree wrote:
>Rob
>I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.
>
>
>[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
> This ended with a
>Done configuring NTP daemon (ntpd).
>A CA is already configured on this system.
>
>
>[2] So did a pkiremove with the following command
># pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
>
>
>[3] Re-ran the ipa-replica-install command in step 1
>The install went a little further but ended below.
>
>
>Configuring directory server for the CA (pkids): Estimated time 30 seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
>Done configuring directory server for the CA (pkids).
>ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> [1/17]: creating certificate server user
> [2/17]: creating pki-ca instance
> [3/17]: configuring certificate server instance
>ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................
>...........................
>Your system may be partly configured.
>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
>Configuration of CA failed
>
>
>If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run a ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.
>
>
>
>
>Shreeraj
>----------------------------------------------------------------------------------------
>
>
>
>
>On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>Shree wrote:
>> OK, I thought CA is a part of IPA? Below is from my master IPA server
>>
>> [root at ldap ~]# ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> [root at ldap ~]#
>>
>> I can certainly send you a log if needed.
>
>It is part of IPA but the IPA server talks to it, not the clients directly.
>
>I can only speculate what the client is doing without seeing the log files, but I suspect both masters are in DNS and IPA is trying to enroll to the initial master which isn't available.
>
>rob
>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>>
>>
>> Change is the only Constant !
>>
>>
>> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Shree wrote:
>> > Peter
>> > Actually I mentioned earlier that my clients are in a separate VLAN and cannot access the master. We have made provisions for the master and the replica to sync by opening the needed ports in the firewall. We have also opened up ports between the clients and the replica. I have tested the connectivity for these ports.
>> > Perhaps you can tell me if what I am trying to achieve is even possible? i.e.
>> > I seem to get stuck with making the replica with the "--setup-ca" option. Without that option I am able to create a replica and have it in sync with the master. However my ipa-client-install fails from clients as they try looking for the master for the CA part of the install.
>>
>> Clients don't talk to the CA, they talk to an IPA server which talks to the CA.
>>
>> I think we need to see /var/log/ipaclient-install.log to see what is going on.
>>
>> rob
>>
>> > Shreeraj
>> >
>> > ----------------------------------------------------------------------------------------
>> >
>> >
>> > Change is the only Constant !
>> >
>> >
>> > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspacek at redhat.com> wrote:
>> > On 11.2.2014 23:53, Shree wrote:
>> >
>> > > Following ports are opened between the
>> > > 1) Between the master and the replica (bi-directional)
>> > > 2) client machine and the ipa replica (unidirectional).
>> > > When the replica was up it worked fine as far as syncing was concerned.
>> > >
>> > > 80 tcp
>> > > 443 tcp
>> > > 389 tcp
>> > > 636 tcp
>> > > 88 tcp
>> > > 464 tcp
>> > > 88 udp
>> > > 464 udp
>> > > 123 udp
>> > >
>> > > Shreeraj
>> > >
>> > > ----------------------------------------------------------------------------------------
>> > >
>> > > Change is the only Constant !
>> > >
>> > >
>> > >
>> > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> > >
>> > > On 02/11/2014 05:05 PM, Shree wrote:
>> > > Dmitri
>> > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your questions (thanks for your help man).
>> > > Please republish it on the list.
>> > > Do not reply to me directly.
>> > >
>> > > Did you set your first server with the CA? Are all the ports that need to be open in the firewall between primary or server actually open?
>> > >
>> > >
>> > >
>> > >>
>> > >> What I have done so far is uninstalled the replica and tried to install it again using the "--setup-ca" option. Previously I had failures and when I removed the "--setup-ca" option the installation succeeded (in a way). I understand now that I really need to fix the CA installation errors first.
>> > >>
>> > >>
>> > >> 1) The workaround helped me go forward a bit but I got stuck at this point, see below
>> > >> ===========
>> > >> [1/3]: creating directory server user
>> > >> [2/3]: creating directory server instance
>> > >> [3/3]: restarting directory server
>> > >> Done configuring directory server for the CA (pkids).
>> > >> ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>> > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> > >> [1/17]: creating certificate server user
>> > >> [2/17]: creating pki-ca instance
>> > >> [3/17]: configuring certificate server instance
>> > >> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>> > >> ===========
>> > >> 2) No, we do not use IPA for a DNS server.
>> > >>
>> > >> 3) The reason for this could be that I had installed the replica without the "--setup-ca".
>> > >>
>> > >> Shreeraj
>> > >>
>> > >> ----------------------------------------------------------------------------------------
>> > >>
>> > >>
>> > >>
>> > >> Change is the only Constant !
>> > >>
>> > >>
>> > >>
>> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> > >>
>> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>> > >>> Shree wrote:
>> > >>>> Lukas
>> > >>>> Perhaps I should explain the design a bit and see if FreeIPA even supports this. Our replica is in a separate network and all the appropriate ports are opened between the master and the replica. The "replica" got created successfully and is in sync with the master (except the CA services which I mentioned earlier).
>> > >>>> Now, when I try to run ipa-client-install on hosts in the new network using the replica, it complains about "Cannot contact any KDC for realm".
>> > >>>> I am wondering if my hosts in the new network are trying to access the "master" for certificates since the replica does not have any CA services running? I couldn't find any obvious proof of this even running the install in a debug mode. Do I need to open ports between the new hosts and the master for CA services?
>> > >>>> At this point I cannot disable or move the master, it needs to function in its location but I need
>> > >>>
>> > >>> No, the clients don't directly talk to the CA.
>> > >>>
>> > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC was found and we were trying to use. If you have SRV records for both but we try to contact the hidden master this will happen. You can try specifying the server on the command-line with --server but this will be hardcoding things and make it less flexible later.
>> > >>>
>> > >>> rob
>> > >>>
>> > >>>> Shreeraj
>> > >>>>
>> > >>>> ----------------------------------------------------------------------------------------
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> Change is the only Constant !
>> > >>>>
>> > >>>>
>> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lslebodn at redhat.com> wrote:
>> > >>>> On (06/02/14 18:33), Shree wrote:
>> > >>>>
>> > >>>>> First of all, the ipa-replica-install did not allow me to use the --setup-ca option, complaining that a cert already exists; replica creation was successful after I skipped the option.
>> > >>>>> Seems like the replica is one except
>> > >>>>> 1) There is no CA Service running on the replica (which I guess is expected)
>> > >>>>> and
>> > >>>>> 2) I am unable to run ipa-client-install successfully on any clients using the replica. (I don't have the option of using the primary master as it is configured in a segregated environment. Only the master and replica are allowed to sync.)
>> > >>>>> Debug shows it fails at
>> > >>>>>
>> > >>>>> ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm 'mydomainname.com' while getting initial credentials
>> > >>>>
>> > >>>>>
>> > >>>>>
>> > >>>>
>> > >>>> I was not able to install a replica with CA on fedora 20,
>> > >>>> Bug is already reported https://fedorahosted.org/pki/ticket/816
>> > >>>>
>> > >>>> Guys from dogtag found a workaround
>> > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>> > >>>>
>> > >>>> Does it work for you?
>> > >>>>
>> > >>>> LS
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> _______________________________________________
>> > >>>> Freeipa-users mailing list
>> > >>>> Freeipa-users at redhat.com
>> > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> > >>>>
>> > >>>
>> > >>> _______________________________________________
>> > >>> Freeipa-users mailing list
>> > >>> Freeipa-users at redhat.com
>> > >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> > >>
>> > >> What server provides DNS capabilities to the clients?
>> > >> Do you use IPA DNS or some other DNS?
>> > >> Clients seem to not be able to see the replica KDC and try to access the hidden master, but they can know about this master only via DNS.
>> >
>> >
>> > Shree, make sure that command
>> > $ dig -t SRV _kerberos._udp.ipa.example
>> > on the client returns both IPA servers (in
ANSWER section).
>> >
>> > --
>> > Petr^2 Spacek
>> >
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>>
>>
>>
>
>
>
>
>
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users
>I suggest that you temporarily try to install a client in place of the replica and see why it does not install.
>
>The log above suggests that certmonger that is a part of the replica fails to connect to the first master. We need to understand the reason why it fails. Then we would be able to make your replica be a CA.
>
>I suspect that CA related communication between replica and master is not going through for some reasons.
>
>The install log would be really helpful.
>Please see http://www.freeipa.org/page/Troubleshooting to collect the right logs.
>
>--
>Thank you,
>Dmitri Pal
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>-------------------------------
>Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
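Two checks come up repeatedly in this thread: Petr's "does `dig -t SRV _kerberos._udp.<domain>` on the client list both IPA servers?" and Shree's "what connectivity tests can I run before re-creating the replica?". The script below is an added example written for this archive page, not code from the thread or from FreeIPA. It parses the ANSWER section of `dig -t SRV` output, probes each advertised KDC on its SRV port, and reports whether the client's DNS view points it at a server it cannot reach (Rob's "we try to contact the hidden master" case). The sample dig output, the host names `ldap.mydomain.com` / `ldap2.mydomain.com` (master / replica, following the thread's naming) and the verdict labels are all constructed for the example; pipe real dig output into it on an actual client.

```python
"""Added example: does the client's DNS view of the Kerberos realm point it
at KDCs it can actually reach?  Not part of FreeIPA or of the thread.

Usage on a client (real run):
    dig -t SRV _kerberos._udp.mydomain.com | python3 kdc_view_check.py
Without stdin it runs against the constructed sample below.
"""
import re
import socket

# Constructed sample, modelled on the ANSWER section that `dig -t SRV` prints:
#   name  ttl  IN  SRV  priority weight port target.
# The host names follow the thread (ldap = master, ldap2 = replica) and are
# not real DNS records.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap.mydomain.com.
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap2.mydomain.com.
"""

_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv_answer(dig_output):
    """Return [(priority, weight, port, target)] from dig's ANSWER section,
    lowest priority first (the order a Kerberos client prefers).  Lines that
    start with ';' are dig's own headers and comments and are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_LINE.match(line)
        if m:
            records.append((int(m["prio"]), int(m["weight"]), int(m["port"]),
                            m["target"].rstrip(".")))
    return sorted(records)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout.
    The _kerberos._udp record names the UDP port, but a KDC serves the same
    port over TCP (the thread opened 88 tcp as well), and a TCP connect is a
    reliable yes/no where a UDP probe is not."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, timed out, no route, DNS failure, ...
        return False


# Verdict labels are this example's own, not FreeIPA terminology.
EXPLANATION = {
    "no-srv": "DNS advertises no KDC for the realm; the client cannot discover one.",
    "none-reachable": "Every advertised KDC is unreachable from this network; "
                      "kinit fails as in the thread ('Cannot contact any KDC').",
    "partial": "Some advertised KDCs are unreachable; the client may try one of "
               "those first and time out.  Fix DNS for this network, or pin the "
               "reachable server with ipa-client-install --server (Rob's caveat: "
               "that hardcodes things).",
    "ok": "All advertised KDCs are reachable on their SRV port.",
}


def check_client_view(dig_output, probe=tcp_reachable):
    """Parse the SRV answer and probe each advertised KDC on its SRV port.
    `probe(host, port)` is injectable so the logic can be exercised offline."""
    records = parse_srv_answer(dig_output)
    reachable, unreachable = [], []
    for _prio, _weight, port, target in records:
        (reachable if probe(target, port) else unreachable).append(target)
    if not records:
        verdict = "no-srv"
    elif not reachable:
        verdict = "none-reachable"
    elif unreachable:
        verdict = "partial"
    else:
        verdict = "ok"
    return {"advertised": [r[3] for r in records], "reachable": reachable,
            "unreachable": unreachable, "verdict": verdict}


if __name__ == "__main__":
    import sys
    text = SAMPLE_DIG_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = check_client_view(text)
    print(result)
    print(EXPLANATION[result["verdict"]])
```

A "partial" verdict is exactly the situation Rob and Dmitri describe: DNS is correct from the master's point of view but wrong for the client's network, so the fix is a DNS answer that matches what the firewall allows, not more open ports to the master.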