[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Wed Feb 12 21:57:24 UTC 2014
If there aren't any other tests to perform, can I go ahead and uninstall the ipa client and configure this Vm as a replica?
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarulkar at yahoo.com> wrote:
"getcert list" returned a bunch of info, see below
[root at ldap2 ~]# getcert list
Number of certificates and requests being tracked: 2.
Request ID '20140206184920':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,......................
.............................
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
On 02/12/2014 03:41 PM, Shree wrote:
So I uninstalled the ipa server and installed the client (ipa-client-install) on the same VM pointing at the master and everything seems to work OK. All the sudo rules etc. Are there any tests I can do to check connectivity that could be helpful before I configure this as a "replica" again.
Ask certmonger to get a certificate
>
>Shreeraj
>----------------------------------------------------------------------------------------
>Change is the only Constant !
>
>On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>On 02/12/2014 02:09 PM, Shree wrote:
>>Rob
>>I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.
>>
>>[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>This ended with a
>>Done configuring NTP daemon (ntpd).
>>A CA is already configured on this system.
>>
>>[2] So I did a pkiremove with the following command
>># pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>
>>[3] Re-ran the ipa-replica-install command in step 1
>>The install went a little further but ended below.
>>
>>Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>  [1/3]: creating directory server user
>>  [2/3]: creating directory server instance
>>  [3/3]: restarting directory server
>>Done configuring directory server for the CA (pkids).
>>ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>  [1/17]: creating certificate server user
>>  [2/17]: creating pki-ca instance
>>  [3/17]: configuring certificate server instance
>>ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................
>>...........................
>>Your system may be partly configured.
>>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>Configuration of CA failed
>>
>>If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run an ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.
>>
>>Shreeraj
>>----------------------------------------------------------------------------------------
>>
>>On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>Shree wrote:
>>> OK I thought CA is a part of IPA? Below is from my master IPA server
>>>
>>> [root at ldap ~]# ipactl status
>>> Directory Service: RUNNING
>>> KDC Service: RUNNING
>>> KPASSWD Service: RUNNING
>>> MEMCACHE Service: RUNNING
>>> HTTP Service: RUNNING
>>> CA Service: RUNNING
>>> [root at ldap ~]#
>>>
>>> I can certainly send you a log if needed.
>>
>>It is part of IPA but the IPA server talks to it, not the clients directly.
>>
>>I can only speculate what the client is doing without seeing the log
>>files, but I suspect both masters are in DNS and IPA is trying to enroll
>>to the initial master which isn't available.
>>
>>rob
>>
>>> Shreeraj
>>> ----------------------------------------------------------------------------------------
>>> Change is the only Constant !
>>>
>>> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Shree wrote:
>>> > Peter
>>> > Actually I mentioned earlier that my clients are in a separate VLAN and
>>> > cannot access the master. We have made provisions for the master and the
>>> > replica to sync by opening the needed ports in the firewall. We have
>>> > also opened up ports between the clients and the replica. I have tested
>>> > the connectivity for these ports.
>>> > Perhaps you can tell me if what I am trying to achieve is even possible?
>>> > i.e.
>>> > I seem to get stuck with making the replica with the "--setup-ca"
>>> > option. Without that option I am able to create a replica and have it in
>>> > sync with the master. However my ipa-client-install fails from clients
>>> > as they try looking for the master for the CA part of the install.
>>>
>>> Clients don't talk to the CA, they talk to an IPA server which talks to
>>> the CA.
>>>
>>> I think we need to see /var/log/ipaclient-install.log to see what is
>>> going on.
>>>
>>> rob
>>>
>>> > Shreeraj
>>> > ----------------------------------------------------------------------------------------
>>> > Change is the only Constant !
>>> >
>>> > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>> > On 11.2.2014 23:53, Shree wrote:
>>> > > Following ports are opened between the
>>> > > 1) Between the master and the replica (bi-directional)
>>> > > 2) client machine and the ipa replica (unidirectional).
>>> > > When the replica was up it worked fine as far as syncing was concerned.
>>> > >
>>> > > 80 tcp
>>> > > 443 tcp
>>> > > 389 tcp
>>> > > 636 tcp
>>> > > 88 tcp
>>> > > 464 tcp
>>> > > 88 udp
>>> > > 464 udp
>>> > > 123 udp
>>> > >
>>> > > Shreeraj
>>> > > ----------------------------------------------------------------------------------------
>>> > > Change is the only Constant !
>>> > >
>>> > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> > > On 02/11/2014 05:05 PM, Shree wrote:
>>> > >> Dimitri
>>> > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your
>>> > >> questions (thanks for your help man)
>>> > > Please republish it on the list.
>>> > > Do not reply to me directly.
>>> > >
>>> > > Did you set your first server with the CA? Are all the ports that need
>>> > > to be open in the firewall between primary or server actually open?
>>> > >
>>> > >> What I have done so far is uninstalled the replica and tried to
>>> > >> install it again using the "--setup-ca" option. Previously I had
>>> > >> failures and when I removed the "--setup-ca" option the installation
>>> > >> succeeded (in a way). I understand now that I really need to fix the CA
>>> > >> installation errors first.
>>> > >>
>>> > >> 1) The workaround helped me go forward a bit but I got stuck at this
>>> > >> point, see below
>>> > >> ===========
>>> > >>   [1/3]: creating directory server user
>>> > >>   [2/3]: creating directory server instance
>>> > >>   [3/3]: restarting directory server
>>> > >> Done configuring directory server for the CA (pkids).
>>> > >> ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>> > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>> > >>   [1/17]: creating certificate server user
>>> > >>   [2/17]: creating pki-ca instance
>>> > >>   [3/17]: configuring certificate server instance
>>> > >> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>>> > >> ===========
>>> > >> 2) No, we do not use IPA for a DNS server.
>>> > >>
>>> > >> 3) The reason for this could be that I had installed the replica
>>> > >> without the "--setup-ca".
>>> > >>
>>> > >> Shreeraj
>>> > >> ----------------------------------------------------------------------------------------
>>> > >> Change is the only Constant !
>>> > >>
>>> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>>> > >>> Shree wrote:
>>> > >>>> Lukas
>>> > >>>> Perhaps I should explain the design a bit and see if FreeIPA even
>>> > >>>> supports this. Our replica is in a separate network and all the
>>> > >>>> appropriate ports are opened between the master and the replica. The
>>> > >>>> "replica" got created successfully and is in sync with the master
>>> > >>>> (except the CA services which I mentioned earlier)
>>> > >>>> Now, when I try to run ipa-client-install on hosts in the new network
>>> > >>>> using the replica, it complains about "Cannot contact any KDC for
>>> > >>>> realm".
>>> > >>>> I am wondering if my hosts in the new network are trying to access the
>>> > >>>> "master" for certificates since the replica does not have any CA
>>> > >>>> services running? I couldn't find any obvious proof of this even running
>>> > >>>> the install in a debug mode. Do I need to open ports between the new
>>> > >>>> hosts and the master for CA services?
>>> > >>>> At this point I cannot disable or move the master, it needs to function
>>> > >>>> in its location but I need
>>> > >>>
>>> > >>> No, the clients don't directly talk to the CA.
>>> > >>>
>>> > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC
>>> > >>> was found and we were trying to use. If you have SRV records for both
>>> > >>> but we try to contact the hidden master this will happen. You can try
>>> > >>> specifying the server on the command-line with --server but this will
>>> > >>> be hardcoding things and make it less flexible later.
>>> > >>>
>>> > >>> rob
>>> > >>>
>>> > >>>> Shreeraj
>>> > >>>> ----------------------------------------------------------------------------------------
>>> > >>>> Change is the only Constant !
>>> > >>>>
>>> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lslebodn at redhat.com> wrote:
>>> > >>>> On (06/02/14 18:33), Shree wrote:
>>> > >>>>> First of all, the ipa-replica-install did not allow me to use the
>>> > >>>>> --setup-ca option complaining that a cert already exists; replica creation was
>>> > >>>>> successful after I skipped the option.
>>> > >>>>> Seems like the replica is one except
>>> > >>>>> 1) There is no CA Service running on the replica (which I guess is
>>> > >>>>> expected)
>>> > >>>>> and
>>> > >>>>> 2) I am unable to run ipa-client-install successfully on any clients
>>> > >>>>> using the replica. (I don't have the option of using the primary master as
>>> > >>>>> it is configured in a segregated environment. Only the master and replica
>>> > >>>>> are allowed to sync.
>>> > >>>>> Debug shows it fails at
>>> > >>>>>
>>> > >>>>> ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm
>>> > >>>>> 'mydomainname.com' while getting initial credentials
>>> > >>>>>
>>> > >>>> I was not able to install replica with CA on fedora 20,
>>> > >>>> Bug is already reported https://fedorahosted.org/pki/ticket/816
>>> > >>>>
>>> > >>>> Guys from dogtag found a workaround
>>> > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>>> > >>>>
>>> > >>>> Does it work for you?
>>> > >>>>
>>> > >>>> LS
>>> > >>>>
>>> > >>>> _______________________________________________
>>> > >>>> Freeipa-users mailing list
>>> > >>>> Freeipa-users at redhat.com
>>> > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > >>>>
>>> > >>
>>> > >> What server provides DNS capabilities to the clients?
>>> > >> Do you use IPA DNS or some other DNS?
>>> > >> Clients seem to not be able to see the replica KDC and try to access the hidden
>>> > >> master, but they can know about this master only via DNS.
>>> >
>>> > Shree, make sure that command
>>> > $ dig -t SRV _kerberos._udp.ipa.example
>>> > on the client returns both IPA servers (in ANSWER section).
>>> >
>>> > --
>>> > Petr^2 Spacek
>>> >
>
>I suggest that you temporarily try to install a client in place of the replica and see why it does not install.
>The log above suggests that certmonger, which is a part of the replica, fails to connect to the first master. We need to understand the reason why it fails. Then we would be able to make your replica be a CA.
>I suspect that CA related communication between replica and master is not going through for some reason.
>The install log would be really helpful.
>Please see
>http://www.freeipa.org/page/Troubleshooting to collect the right logs.
>
>--
>Thank you,
>Dmitri Pal
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>-------------------------------
>Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
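The diagnosis the thread converges on (Rob: both masters are in DNS and the client enrolls against the hidden one; Petr: check what `dig -t SRV _kerberos._udp.<domain>` returns on the client) can be turned into a repeatable check run from a client in the new VLAN. The script below is an added example, not code from anyone in the thread or from the FreeIPA project: it parses a `dig +short` SRV answer, orders the KDCs the way a client will try them, probes each with a TCP connect, sweeps the TCP ports the thread lists for the servers that answer, and says whether `--server` is needed. The hostnames (ldap/ldap2.mydomain.com), the embedded SRV answer and the firewall behaviour modelled in `fake_probe` are constructed; a TCP connect to the SRV port stands in for the UDP traffic kinit actually sends, and the descending-weight ordering is a deterministic approximation of krb5's weighted random choice.

```python
"""
From an enrolling client: which KDCs does DNS advertise for the realm, and
which of them can this host actually reach?

Added example, not FreeIPA code. Assumed: the hostnames, the constructed
dig answer, and a TCP connect() as a stand-in for kinit's UDP/88 traffic
(a UDP probe cannot tell "filtered" from "no answer").
"""
import socket
import subprocess
from typing import Callable, Dict, List, NamedTuple

# TCP ports the thread lists as opened from the clients to the replica.
# UDP 88, 464 and 123 cannot be verified with a connect() and are left out.
CLIENT_TCP_PORTS = (88, 464, 389, 636, 80, 443)


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_short(text: str) -> List[Srv]:
    """Parse `dig +short -t SRV _kerberos._udp.<domain>` output.

    Each line is '<priority> <weight> <port> <target>.'; anything else is skipped.
    Lowest priority comes first; within a priority krb5 picks by weight at
    random, so descending weight is used here as a deterministic approximation.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port, target = parts
        records.append(Srv(int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def query_srv(domain: str, proto: str = "udp") -> List[Srv]:
    """Live lookup through dig on the client's real resolver (not used offline)."""
    out = subprocess.run(
        ["dig", "+short", "-t", "SRV", f"_kerberos._{proto}.{domain}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_srv_short(out)


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(records: List[Srv], probe: Callable[[str, int], bool] = tcp_probe) -> Dict:
    """Classify the advertised KDCs and say what the enrolling client should do.

    A KDC is reachable if its SRV port answers; reachable servers are then
    swept for the other ports enrollment needs (LDAP, HTTPS, kpasswd).
    """
    reachable: List[str] = []
    unreachable: List[str] = []
    missing_ports: Dict[str, List[int]] = {}
    for rec in records:
        if not probe(rec.target, rec.port):
            unreachable.append(rec.target)
            continue
        reachable.append(rec.target)
        closed = [p for p in CLIENT_TCP_PORTS if p != rec.port and not probe(rec.target, p)]
        if closed:
            missing_ports[rec.target] = closed

    if not records:
        verdict = "no SRV records: clients cannot discover any KDC; check the DNS domain"
    elif not reachable:
        verdict = "no advertised KDC is reachable: kinit will fail with 'Cannot contact any KDC'"
    elif unreachable:
        # krb5 may pick any KDC of equal priority, so one hidden master is enough to fail.
        verdict = (f"{len(unreachable)} advertised KDC(s) unreachable ({', '.join(unreachable)}): "
                   f"pass --server={reachable[0]} to ipa-client-install, "
                   "or stop advertising the hidden master to this network")
    else:
        verdict = "ok"
    return {"order": [r.target for r in records], "reachable": reachable,
            "unreachable": unreachable, "missing_ports": missing_ports,
            "verdict": verdict}


# Constructed sample: what dig would return if both the hidden master and the
# replica are advertised for the realm (hostnames are assumed).
SAMPLE_ANSWER = """\
0 100 88 ldap.mydomain.com.
0 100 88 ldap2.mydomain.com.
"""


def fake_probe(host: str, port: int) -> bool:
    """Stand-in for tcp_probe modelling the thread's network: only the replica
    is reachable from the client VLAN, and (assumed) LDAPS 636 was not opened."""
    return host == "ldap2.mydomain.com" and port != 636


if __name__ == "__main__":
    for key, value in diagnose(parse_srv_short(SAMPLE_ANSWER), fake_probe).items():
        print(f"{key}: {value}")
```

Run as-is to see the constructed case; on a real client replace `SAMPLE_ANSWER` with `query_srv("mydomain.com")` and drop `fake_probe` so the default `tcp_probe` is used. If every KDC answers but enrollment still fails, the `missing_ports` entry points at the firewall rule to fix before looking at the CA at all.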