[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Wed Feb 12 23:18:42 UTC 2014
OK, it failed at the same stage. Would you like the entire /var/log/ipareplica-install.log? If yes, should I attach it to the email?
ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 467, in main
    (CA, cs) = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1604, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')
ipa : INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
[root at ldap2 ~]#
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
On 02/12/2014 04:57 PM, Shree wrote:
If there aren't any other tests to perform, can I go ahead and uninstall the ipa client and configure this Vm as a replica?
Thanks for trying. At least we know that certmonger can run by itself.
When you install replica please collect all the install logs.
Is SELinux on/off?
>Shreeraj
>On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarulkar at yahoo.com> wrote:
>
>"getcert list" returned a bunch of info, see below
>
>
>[root at ldap2 ~]# getcert list
>Number of certificates and requests being tracked: 2.
>Request ID '20140206184920':
>status: MONITORING
>stuck: no
>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>CA: dogtag-ipa-retrieve-agent-submit
>issuer: CN=Certificate Authority,......................
>.............................
>
>
>
>Shreeraj
>
>On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>On 02/12/2014 03:41 PM, Shree wrote:
>So I uninstalled the IPA server and installed the client (ipa-client-install) on the same VM pointing at the master, and everything seems to work OK, all the sudo rules etc. Are there any tests I can do to check connectivity that could be helpful before I configure this as a "replica" again?
Ask certmonger to get a certificate
>
>
>
>>
>>
>>Shreeraj
>>
>>On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>On 02/12/2014 02:09 PM, Shree wrote:
>>Rob
>>>I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.
>>>
>>>
>>>[1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>> This ended with a
>>>Done configuring NTP daemon (ntpd).
>>>A CA is already configured on this system.
>>>
>>>
>>>[2] So did a pkiremove with the following command
>>># pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>>
>>>
>>>
>>>[3] Re ran the ipa-replica-install command in step 1
>>>The install went a little further but ended below.
>>>
>>>
>>>Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>> [1/3]: creating directory server user
>>> [2/3]: creating directory server instance
>>> [3/3]: restarting directory server
>>>Done configuring directory server for the CA (pkids).
>>>ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>>Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>> [1/17]: creating certificate server user
>>> [2/17]: creating pki-ca instance
>>> [3/17]: configuring certificate server instance
>>>ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .................
>>>...........................
>>>Your system may be partly configured.
>>>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>>
>>>Configuration of CA failed
>>>
>>>
>>>If I skip the "--setup-ca" option then the replica gets created without any CA services. The "master" and "replica" are in sync but I am unable to run a ipa-client-install using the replica. Now I need to fix this to get a replica in place correctly.
>>>
>>>
>>>
>>>
>>>Shreeraj
>>>
>>>On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>>Shree wrote:
>>>> OK I thought CA is a part of IPA? Below is from my master IPA server
>>>>
>>>> [root at ldap ~]# ipactl status
>>>> Directory Service: RUNNING
>>>> KDC Service: RUNNING
>>>> KPASSWD Service: RUNNING
>>>> MEMCACHE Service: RUNNING
>>>> HTTP Service: RUNNING
>>>> CA Service: RUNNING
>>>> [root at ldap ~]#
>>>>
>>>> I can certainly send you a log if needed.
>>>
>>>It is part of IPA but the IPA server talks to it, not the clients directly.
>>>
>>>I can only speculate what the client is doing without seeing the log files, but I suspect both masters are in DNS and IPA is trying to enroll to the initial master which isn't available.
>>>
>>>rob
>>>
>>>> Shreeraj
>>>>
>>>> On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Shree wrote:
>>>> > Peter
>>>> > Actually I mentioned earlier that my clients are in a separate VLAN and cannot access the master. We have made provisions for the master and the replica to sync by opening the needed ports in the firewall. We have also opened up ports between the clients and the replica. I have tested the connectivity for these ports.
>>>> > Perhaps you can tell me if what I am trying to achieve is even possible? i.e.
>>>> > I seem to get stuck with making the replica with the "--setup-ca" option. Without that option I am able to create a replica and have it in sync with the master. However my ipa-client-install fails from clients as they try looking for the master for the CA part of the install.
>>>>
>>>> Clients don't talk to the CA, they talk to an IPA server which talks to the CA.
>>>>
>>>> I think we need to see /var/log/ipaclient-install.log to see what is going on.
>>>>
>>>> rob
>>>>
>>>> > Shreeraj
>>>> >
>>>> > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>> > On 11.2.2014 23:53, Shree wrote:
>>>> > > Following ports are opened between the
>>>> > > 1) Between the master and the replica (bi directional)
>>>> > > 2) client machine and the ipa replica (unidirectional).
>>>> > > When the replica was up it worked fine as far as syncing was concerned.
>>>> > >
>>>> > > 80 tcp
>>>> > > 443 tcp
>>>> > > 389 tcp
>>>> > > 636 tcp
>>>> > > 88 tcp
>>>> > > 464 tcp
>>>> > > 88 udp
>>>> > > 464 udp
>>>> > > 123 udp
>>>> > >
>>>> > > Shreeraj
>>>> > >
>>>> > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>> > > On 02/11/2014 05:05 PM, Shree wrote:
>>>> > >> Dimitri
>>>> > >> Sorry, some of the mail landed in my SPAM folder. Let me answer your questions (thanks for your help man)
>>>> > > Please republish it on the list.
>>>> > > Do not reply to me directly.
>>>> > >
>>>> > > Did you set up your first server with the CA? Are all the ports that need to be open in the firewall between primary or server actually open?
>>>> > >
>>>> > >> What I have done so far is uninstalled the replica and tried to install it again using the "--setup-ca" option. Previously I had failures and when I removed the "--setup-ca" option the installation succeeded (in a way). I understand now that I really need to fix the CA installation errors first.
>>>> > >>
>>>> > >> 1) The workaround helped me go forward a bit but I got stuck at this point, see below
>>>> > >> ===========
>>>> > >>   [1/3]: creating directory server user
>>>> > >>   [2/3]: creating directory server instance
>>>> > >>   [3/3]: restarting directory server
>>>> > >> Done configuring directory server for the CA (pkids).
>>>> > >> ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>>> > >> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>> > >>   [1/17]: creating certificate server user
>>>> > >>   [2/17]: creating pki-ca instance
>>>> > >>   [3/17]: configuring certificate server instance
>>>> > >> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>>>> > >> ===========
>>>> > >> 2) No, we do not use IPA for a DNS server.
>>>> > >>
>>>> > >> 3) The reason for this could be that I had installed the replica without the "--setup-ca".
>>>> > >>
>>>> > >> Shreeraj
>>>> > >>
>>>> > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>> > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>>>> > >>> Shree wrote:
>>>> > >>>> Lukas
>>>> > >>>> Perhaps I should explain the design a bit and see if FreeIPA even supports this. Our replica is in a separate network and all the appropriate ports are opened between the master and the replica. The "replica" got created successfully and is in sync with the master (except the CA services which I mentioned earlier).
>>>> > >>>> Now, when I try to run ipa-client-install on hosts in the new network using the replica, it complains about "Cannot contact any KDC for realm".
>>>> > >>>> I am wondering if my hosts in the new network are trying to access the "master" for certificates since the replica does not have any CA services running? I couldn't find any obvious proof of this even running the install in a debug mode. Do I need to open ports between the new hosts and the master for CA services?
>>>> > >>>> At this point I cannot disable or move the master, it needs to function in its location but I need
>>>> > >>>
>>>> > >>> No, the clients don't directly talk to the CA.
>>>> > >>>
>>>> > >>> You'd need to look in /var/log/ipaclient-install.log to see what KDC was found and we were trying to use. If you have SRV records for both but we try to contact the hidden master this will happen. You can try specifying the server on the command-line with --server but this will be hardcoding things and make it less flexible later.
>>>> > >>>
>>>> > >>> rob
>>>> > >>>
>>>> > >>>> Shreeraj
>>>> > >>>>
>>>> > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas Slebodnik <lslebodn at redhat.com> wrote:
>>>> > >>>> On (06/02/14 18:33), Shree wrote:
>>>> > >>>>> First of all, the ipa-replica-install did not allow me to use the --setup-ca option, complaining that a cert already exists; replica creation was successful after I skipped the option.
>>>> > >>>>> Seems like the replica is one except
>>>> > >>>>> 1) There is no CA Service running on the replica (which I guess is expected)
>>>> > >>>>> and
>>>> > >>>>> 2) I am unable to run ipa-client-install successfully on any clients using the replica. (I don't have the option of using the primary master as it is configured in a segregated environment. Only the master and replica are allowed to sync.
>>>> > >>>>> Debug shows it fails at
>>>> > >>>>>
>>>> > >>>>> ipa : DEBUG stderr=kinit: Cannot contact any KDC for realm 'mydomainname.com' while getting initial credentials
>>>> > >>>>>
>>>> > >>>> I was not able to install replica with CA on fedora 20,
>>>> > >>>> Bug is already reported https://fedorahosted.org/pki/ticket/816
>>>> > >>>>
>>>> > >>>> Guys from dogtag found a workaround
>>>> > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>>>> > >>>>
>>>> > >>>> Does it work for you?
>>>> > >>>>
>>>> > >>>> LS
>>>> > >>>>
>>>> > >>>> _______________________________________________
>>>> > >>>> Freeipa-users mailing list
>>>> > >>>> Freeipa-users at redhat.com
>>>> > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > >>
>>>> > >> What server provides DNS capabilities to the clients?
>>>> > >> Do you use IPA DNS or some other DNS?
>>>> > >> Clients seem to not be able to see replica KDC and try to access hidden master but they can know about this master only via DNS.
>>>> >
>>>> > Shree, make sure that command
>>>> > $ dig -t SRV _kerberos._udp.ipa.example
>>>> > on the client returns both IPA servers (in ANSWER section).
>>>> >
>>>> > --
>>>> > Petr^2 Spacek
>>>
>>I suggest that you temporarily try to install a client in place of the replica and see why it does not install.
>>The log above suggests that certmonger that is a part of the replica fails to connect to the first master. We need to understand the reason why it fails. Then we would be able to make your replica be a CA.
>>I suspect that CA related communication between replica and master is not going through for some reasons.
>>The install log would be really helpful.
>>Please see http://www.freeipa.org/page/Troubleshooting to collect the right logs.
>>
>>
>>--
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>>
>
>
>--
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
>
>
>
--
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
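Worked example, added by the editor and not code from this thread or from FreeIPA itself. Petr's advice above is to run `dig -t SRV _kerberos._udp.<domain>` on a client and confirm that both IPA servers appear in the ANSWER section; Rob's point is that a client which discovers the hidden master via DNS but cannot reach it ends up with "Cannot contact any KDC for realm". The script below parses the ANSWER section of a constructed dig transcript, orders the KDCs the way an RFC 2782 client would (lowest priority first, heavier weight first within a priority; the alphabetical tie-break is a deterministic stand-in for the weighted random choice real resolvers make), and reports which advertised KDCs a client behind the firewall cannot reach. The hostnames ldap.mydomain.com / ldap2.mydomain.com and the reachability table are assumptions, and the "kdc_used" result is a simplification that does not model libkrb5's timeouts and retries.

```python
"""
KDC discovery check modelled on `dig -t SRV _kerberos._udp.<domain>`.

Added example, not code from the mailing-list thread or from FreeIPA.
Hostnames and the reachability table below are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample of dig output: both the hidden master (ldap) and the
# replica (ldap2) are registered as KDCs with equal priority and weight.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap.mydomain.com.
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap2.mydomain.com.

;; Query time: 1 msec
"""

# Constructed reachability table for a client in the isolated VLAN:
# only the replica is reachable on 88/udp; the master is firewalled off.
SAMPLE_REACHABLE = {"ldap2.mydomain.com": True, "ldap.mydomain.com": False}

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without the trailing dot


def parse_srv_answer(dig_output):
    """Extract SRV records from the ANSWER SECTION of a dig transcript."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):
            break  # reached the next section (AUTHORITY, query stats, ...)
        if not in_answer or not line:
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(int(m["priority"]), int(m["weight"]),
                                     int(m["port"]), m["target"].rstrip(".")))
    return records


def kdc_order(records):
    """RFC 2782 ordering: lowest priority first, heavier weight first within a
    priority. Real resolvers pick among equal-priority targets by weighted
    random choice; the alphabetical tie-break here only makes the example
    deterministic."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def first_reachable_kdc(records, reachable):
    """First advertised KDC the client can actually reach, or None when every
    advertised KDC is unreachable (the 'Cannot contact any KDC' situation)."""
    for rec in kdc_order(records):
        if reachable.get(rec.target, False):
            return rec.target
    return None


def diagnose(dig_output, reachable, expected_replica):
    """Summarise what the SRV answer means for a client behind the firewall."""
    records = parse_srv_answer(dig_output)
    targets = [r.target for r in kdc_order(records)]
    return {
        "advertised": targets,
        "replica_advertised": expected_replica in targets,
        "unreachable_advertised": [t for t in targets if not reachable.get(t, False)],
        "kdc_used": first_reachable_kdc(records, reachable),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_DIG_OUTPUT, SAMPLE_REACHABLE, "ldap2.mydomain.com")
    for key, value in result.items():
        print(f"{key}: {value}")
```

In practice, run the same check for `_kerberos._tcp.<domain>` and `_ldap._tcp.<domain>`, which ipa-client-install also queries during discovery. If the hidden master shows up in the answer and is unreachable from the client VLAN, either keep it out of the SRV records those clients resolve or pin the client with --server as Rob suggests, accepting the loss of flexibility he mentions. Note also that the ipa-replica-install command quoted earlier in the thread was run with --skip-conncheck, so the replica-to-master port check that normally runs before installation was bypassed.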
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140212/623eaa88/attachment.htm>