[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Rob Crittenden
rcritten at redhat.com
Thu Feb 13 14:41:49 UTC 2014
Shree wrote:
> Ok, failed at the same stage, would you like the entire
> /var/log/ipareplica-install.log. If yes, should I attach to the email?
>
>
>
> pa : INFO File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
> return_value = main_function()
>
> File "/usr/sbin/ipa-replica-install", line 467, in main
> (CA, cs) = cainstance.install_replica_ca(config)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> 1604, in install_replica_ca
> subject_base=config.subject_base)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> 617, in configure_instance
> self.start_creation(runtime=210)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
> method()
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
> 879, in __configure_instance
> raise RuntimeError('Configuration of CA failed')
>
> ipa : INFO The ipa-replica-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
> [root at ldap2 ~]#
>
We need to see the full /var/log/ipareplica-install.log and the debug
log from /var/log/pki-ca.
rob
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 02/12/2014 04:57 PM, Shree wrote:
>> If there aren't any other tests to perform, can I go ahead and
>> uninstall the ipa client and configure this Vm as a replica?
>
> Thanks for trying. At least we know that certmonger can run by itself.
> When you install replica please collect all the install logs.
> Is SELinux on/off?
>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>>
>>
>> Change is the only Constant !
>>
>>
>> On Wednesday, February 12, 2014 1:40 PM, Shree
>> <shreerajkarulkar at yahoo.com> <mailto:shreerajkarulkar at yahoo.com> wrote:
>> "getcert list" returned a bunch of info, see below
>>
>> root at ldap2 ~]# getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20140206184920':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-retrieve-agent-submit
>> issuer: CN=Certificate Authority,......................
>> .............................
>>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>>
>>
>> Change is the only Constant !
>>
>>
>> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <dpal at redhat.com>
>> <mailto:dpal at redhat.com> wrote:
>> On 02/12/2014 03:41 PM, Shree wrote:
>>> So I uninstalled the ipa server and installed the client
>>> (ipa-client-install) on the same VM pointing at the master and
>>> everything seems to work OK. All the sudo rules etc. Are there any
>>> tests I can do check connectivity that could be helpful before I
>>> configure this as a "replica" again.
>> Ask certmonger to get a certificate
>>
>>>
>>> Shreeraj
>>> ----------------------------------------------------------------------------------------
>>>
>>>
>>> Change is the only Constant !
>>>
>>>
>>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal
>>> <dpal at redhat.com> <mailto:dpal at redhat.com> wrote:
>>> On 02/12/2014 02:09 PM, Shree wrote:
>>>> Rob
>>>> I really appreciate your help, please bear with me. At this point I
>>>> need to take you back to my ipa-replica-install and what happened
>>>> there.
>>>>
>>>> [1] My command: ipa-replica-install --setup-ca
>>>> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>>> This ended with a
>>>> Done configuring NTP daemon (ntpd).
>>>> A CA is already configured on this system.
>>>>
>>>> [2] So did a pkiremove with the following command
>>>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>>>
>>>> [3] Re ran the ipa-replica-install command in step 1
>>>> The install went a little further but ended below.
>>>>
>>>> Configuring directory server for the CA (pkids): Estimated time 30
>>>> seconds
>>>> [1/3]: creating directory server user
>>>> [2/3]: creating directory server instance
>>>> [3/3]: restarting directory server
>>>> Done configuring directory server for the CA (pkids).
>>>> ipa : ERROR certmonger failed starting to track certificate:
>>>> Command '/usr/bin/ipa-getcert start-tracking -d
>>>> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
>>>> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
>>>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero
>>>> exit status 1
>>>> Configuring certificate server (pki-cad): Estimated time 3 minutes
>>>> 30 seconds
>>>> [1/17]: creating certificate server user
>>>> [2/17]: creating pki-ca instance
>>>> [3/17]: configuring certificate server instance
>>>> ipa : CRITICAL failed to configure ca instance Command
>>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>>> .................
>>>> ...........................
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Configuration of CA failed
>>>>
>>>> If I skip the "--setup-ca" option then the replica gets created
>>>> without any CA services. The "master" and "replica" are in sync but
>>>> I am unable to run a ipa-client-install using the replica. Now I
>>>> need to fix this to get a replica in place correctly.
>>>>
>>>>
>>>> Shreeraj
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden
>>>> <rcritten at redhat.com> <mailto:rcritten at redhat.com> wrote:
>>>> Shree wrote:
>>>> > OK I thought CA is a part of IPA ? Below is from my master IPA server
>>>> >
>>>> > [root at ldap <mailto:root at ldap> ~]# ipactl status
>>>> > Directory Service: RUNNING
>>>> > KDC Service: RUNNING
>>>> > KPASSWD Service: RUNNING
>>>> > MEMCACHE Service: RUNNING
>>>> > HTTP Service: RUNNING
>>>> > CA Service: RUNNING
>>>> > [root at ldap <mailto:root at ldap> ~]#
>>>> >
>>>> > I can certainly send you a log if needed.
>>>>
>>>> It is part of IPA but the IPA server talks to it, not the clients
>>>> directly.
>>>>
>>>> I can only speculate what the client is doing without seeing the log
>>>> files, but I suspect both masters are in DNS and IPA is trying to
>>>> enroll
>>>> to the initial master which isn't available.
>>>>
>>>> rob
>>>>
>>>> > Shreeraj
>>>> >
>>>> ----------------------------------------------------------------------------------------
>>>> >
>>>> >
>>>> > Change is the only Constant !
>>>> >
>>>> >
>>>> > On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden
>>>> > <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>>> > Shree wrote:
>>>> > > Peter
>>>> > > Actually I mentioned earlier that my clients are in a separate
>>>> VLAN and
>>>> > > cannot access the master. We have made provisions for the
>>>> master and the
>>>> > > replica to sync by opening the needed ports in the firewall. We
>>>> have
>>>> > > also opened up ports between the clients and the replica. I
>>>> have tested
>>>> > > the connectivity for these ports.
>>>> > > Perhaps you can tell me if what I am trying to achieve is even
>>>> possible?
>>>> > > i.e
>>>> > > I seem to get stuck with making the replica with the "--setup-ca"
>>>> > > option. Wthout that option I am able to create a replica and
>>>> have it in
>>>> > > sync with the master. However my ipa-client-install fails from
>>>> clients
>>>> > > as they try looking for the master for CA part of the install.
>>>> >
>>>> > Clients don't talk to the CA, they talk to an IPA server which
>>>> talks to
>>>> > the CA.
>>>> >
>>>> > I think we need to see /var/log/ipaclient-install.log to see what is
>>>> > going on.
>>>> >
>>>> > rob
>>>> >
>>>> > > Shreeraj
>>>> > >
>>>> >
>>>> ----------------------------------------------------------------------------------------
>>>> > >
>>>> > >
>>>> > > Change is the only Constant !
>>>> > >
>>>> > >
>>>> > > On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
>>>> > > <pspacek at redhat.com <mailto:pspacek at redhat.com>
>>>> <mailto:pspacek at redhat.com <mailto:pspacek at redhat.com>>> wrote:
>>>> > > On 11.2.2014 23:53, Shree wrote:
>>>> > >
>>>> > > > Following ports are opened between the
>>>> > > > 1) Between the master and the replica (bi directional)
>>>> > > > 2) client machine and the ipa replica (unidirectional).
>>>> > > > When the replica was up it worked fine as far as syncing was
>>>> > concerned.
>>>> > > >
>>>> > > > 80 tcp
>>>> > > > 443 tcp
>>>> > > > 389 tcp
>>>> > > > 636 tcp
>>>> > > > 88 tcp
>>>> > > > 464 tcp
>>>> > > > 88 udp
>>>> > > > 464 udp
>>>> > > > 123 udp
>>>> > > >
>>>> > > > Shreeraj
>>>> > > >
>>>> > >
>>>> >
>>>> ----------------------------------------------------------------------------------------
>>>> > > >
>>>> > > > Change is the only Constant !
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal
>>>> <dpal at redhat.com <mailto:dpal at redhat.com>
>>>> > <mailto:dpal at redhat.com <mailto:dpal at redhat.com>>
>>>> > > <mailto:dpal at redhat.com <mailto:dpal at redhat.com>
>>>> <mailto:dpal at redhat.com <mailto:dpal at redhat.com>>>> wrote:
>>>> > > >
>>>> > > > On 02/11/2014 05:05 PM, Shree wrote:
>>>> > > > Dimitri
>>>> > > >> Sorry some the mail landed in my SPAM folder. Let answer your
>>>> > > questions (thanks for your help man)
>>>> > > > Please republish it on the list.
>>>> > > > Do not reply to me directly.
>>>> > > >
>>>> > > > Did you set your first server with the CA? Does all ports
>>>> that need
>>>> > > > to be open in the firewall between primary or server are
>>>> actually
>>>> > > > open?
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > >>
>>>> > > >> What I have done so far is uninstalled the replica and tried to
>>>> > > install it again using the "--setup-ca" option. Previously I had
>>>> > > failures and when I removed the "--setup-ca" option the
>>>> installation
>>>> > > succeeded (in a way). I understand now that I really need to
>>>> fix the CA
>>>> > > installation errors first.
>>>> > > >>
>>>> > > >>
>>>> > > >> 1)The workaround helped me go forward a bit but I got stuck
>>>> at this
>>>> > > point see below
>>>> > > >> ===========
>>>> > > >> [1/3]: creating directory server user
>>>> > > >> [2/3]: creating directory server instance
>>>> > > >> [3/3]: restarting directory server
>>>> > > >> Done configuring directory server for the CA (pkids).
>>>> > > >> ipa : ERROR certmonger failed starting to track
>>>> > > certificate: Command '/usr/bin/ipa-getcert start-tracking -d
>>>> > > /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
>>>> > > /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
>>>> > > /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned
>>>> non-zero exit
>>>> > > status 1
>>>> > > >> Configuring certificate server (pki-cad): Estimated time 3
>>>> minutes
>>>> > > 30 seconds
>>>> > > >> [1/17]: creating certificate server user
>>>> > > >> [2/17]: creating pki-ca instance
>>>> > > >> [3/17]: configuring certificate server instance
>>>> > > >> ipa : CRITICAL failed to configure ca instance Command
>>>> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>>> > > ldap2.macosforge.org -cs_port 9445 -client_certdb_dir
>>>> /tmp/tmp-ipJSsT
>>>> > > -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -
>>>> > > >> ===========
>>>> > > >> 2) No we do not use IPA for a DNS server.
>>>> > > >>
>>>> > > >>
>>>> > > >> 3)The reason for this could be that I had installed the replica
>>>> > > without the "--setup-ca".
>>>> > > >>
>>>> > > >> Shreeraj
>>>> > > >>
>>>> > >
>>>> >
>>>> ----------------------------------------------------------------------------------------
>>>> > > >>
>>>> > > >>
>>>> > > >>
>>>> > > >> Change is the only Constant !
>>>> > > >>
>>>> > > >>
>>>> > > >>
>>>> > > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal
>>>> > <dpal at redhat.com <mailto:dpal at redhat.com> <mailto:dpal at redhat.com
>>>> <mailto:dpal at redhat.com>>
>>>> > > <mailto:dpal at redhat.com <mailto:dpal at redhat.com>
>>>> <mailto:dpal at redhat.com <mailto:dpal at redhat.com>>>> wrote:
>>>> > > >>
>>>> > > >> On 02/09/2014 07:44 AM, Rob Crittenden wrote:
>>>> > > >>> Shree wrote:
>>>> > > >>>> Lukas
>>>> > > >>>> Perhaps I should explain the design a bit and
>>>> > > > see if FreeIPA even
>>>> > > >>>> supports this.Our replica is in a separate
>>>> > > > network and all the
>>>> > > >>>> appropriate ports are opened between the master
>>>> > > > and the replica. The
>>>> > > >>>> "replica" got created successfully and is in
>>>> > > > sync with the master
>>>> > > >>>> (except the CA services which I mentioned
>>>> > > > earlier)
>>>> > > >>>> Now,when I try to run ipa-client-install on
>>>> > > > hosts in the new network
>>>> > > >>>> using the replica, it complains that about
>>>> > > > "Cannot contact any KDC for
>>>> > > >>>> realm".
>>>> > > >>>> I am wondering it my hosts in the new network
>>>> > > > are trying to access the
>>>> > > >>>> "master" for certificates since the replica
>>>> > > > does not have any CA
>>>> > > >>>> services running? I couldn't find any obvious
>>>> > > > proof of this even running
>>>> > > >>>> the install in a debug mode. Do I need to open
>>>> > > > ports between the new
>>>> > > >>>> hosts and the master for CA services?
>>>> > > >>>> At this point I cannot disable or move the
>>>> > > > master, it needs to function
>>>> > > >>>> in its location but I need
>>>> > > >>>
>>>> > > >>> No, the clients don't directly talk to the CA.
>>>> > > >>>
>>>> > > >>> You'd need to look in
>>>> > > > /var/log/ipaclient-install.log to see what KDC
>>>> > > >>> was found and we were trying to use. If you have
>>>> > > > SRV records for both
>>>> > > >>> but we try to contact the hidden master this will
>>>> > > > happen. You can try
>>>> > > >>> specifying the server on the command-line with
>>>> > > > --server but this will
>>>> > > >>> be hardcoding things and make it less flexible
>>>> > > > later.
>>>> > > >>>
>>>> > > >>> rob
>>>> > > >>>
>>>> > > >>>> Shreeraj
>>>> > > >>>>
>>>> > > >
>>>> > >
>>>> >
>>>> ----------------------------------------------------------------------------------------
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>> Change is the only Constant !
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas
>>>> > > > Slebodnik
>>>> > > >>>> <lslebodn at redhat.com <mailto:lslebodn at redhat.com>
>>>> <mailto:lslebodn at redhat.com <mailto:lslebodn at redhat.com>>
>>>> > <mailto:lslebodn at redhat.com <mailto:lslebodn at redhat.com>
>>>> <mailto:lslebodn at redhat.com <mailto:lslebodn at redhat.com>>>> wrote:
>>>> > > >>>> On (06/02/14 18:33), Shree wrote:
>>>> > > >>>>
>>>> > > >>>>> First of all, the ipa-replica-install did
>>>> > > > not allow me to use
>>>> > > >>>> the --setup-ca
>>>> > > >>>>> option complaining that a cert already
>>>> > > > exists, replicate creation was
>>>> > > >>>>> successful after I skipped the option.
>>>> > > >>>>> Seems like the replica is one except
>>>> > > >>>>> 1) There is no CA Service running on the
>>>> > > > replica (which I guess is
>>>> > > >>>> expected)
>>>> > > >>>>> and
>>>> > > >>>>> 2) I am unable to run ipa-client-install
>>>> > > > successfully on any clients
>>>> > > >>>> using
>>>> > > >>>>> the replica. (I don't have the option of
>>>> > > > using the primary master as
>>>> > > >>>> it is
>>>> > > >>>>> configured in a segregated environment.
>>>> > > > Only the master and replica
>>>> > > >>>> are
>>>> > > >>>>> allowed to sync.
>>>> > > >>>>> Debug shows it fails at
>>>> > > >>>>>
>>>> > > >>>>> ipa : DEBUG stderr=kinit: Cannot
>>>> > > > contact any KDC for realm
>>>> > > >>>> 'mydomainname.com' while getting initial
>>>> > > > credentials
>>>> > > >>>>
>>>> > > >>>>>
>>>> > > >>>>>
>>>> > > >>>>
>>>> > > >>>> I was not able to install replica witch CA on
>>>> > > > fedora 20,
>>>> > > >>>> Bug is already reported
>>>> https://fedorahosted.org/pki/ticket/816
>>>> > > >>>>
>>>> > > >>>> Guys from dogtag found a workaround
>>>> > > >>>> https://fedorahosted.org/pki/ticket/816#comment:12
>>>> > > >>>>
>>>> > > >>>> Does it work for you?
>>>> > > >>>>
>>>> > > >>>> LS
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>>
>>>> > > >>>> _______________________________________________
>>>> > > >>>> Freeipa-users mailing list
>>>> > > >>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>
>>>> > <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>>
>>>> > > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > > >>>>
>>>> > > >>>
>>>> > > >>> _______________________________________________
>>>> > > >>> Freeipa-users mailing list
>>>> > > >>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>
>>>> > <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>>
>>>> >
>>>> > > >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > > >>
>>>> > > >> What server provides DNS capabilities to the clients?
>>>> > > >> Do you use IPA DNS or some other DNS?
>>>> > > >> Clients seem to not be able to see replica KDC and try
>>>> > > > to access hidden
>>>> > > >> master but they can know about this master only via DNS.
>>>> > >
>>>> > >
>>>> > > Shree, make sure that command
>>>> > > $ dig -t SRV _kerberos._udp.ipa.example
>>>> > > on the client returns both IPA servers (in ANSWER section).
>>>> > >
>>>> > > --
>>>> > > Petr^2 Spacek
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > _______________________________________________
>>>> > > Freeipa-users mailing list
>>>> > > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> <mailto:Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>>
>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> I suggest that you temporarily try to install a client in place of
>>> the replica and see why it does not install.
>>> The log above suggests that certmonger that is a part of the replica
>>> fails to connect to the first master. We need to understand the
>>> reason why it fails. Then we would be able to make your replica be a CA.
>>> I suspect that CA related communication between replica and master is
>>> not going through for some reasons.
>>> The install log would be really helpful.
>>> Please see
>>> http://www.freeipa.org/page/Troubleshooting to collect the right logs.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
More information about the Freeipa-users
mailing list