[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Rob Crittenden
rcritten at redhat.com
Wed Feb 19 20:59:33 UTC 2014
Shree wrote:
> 1) I have got a step further. My replica is not running CA Service. To
> achieve this I had to remove the existing cert with this command
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
> Now the replica looks like this
>
> skarulkar at ldap2 tmp]$ sudo ipactl status
> [sudo] password for skarulkar:
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [skarulkar at ldap2 tmp]$

The tracking failed with:

2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
Improper format of Kerberos configuration file.

It looks like it failed on this for most if not all the tracking. What
does /etc/krb5.conf look like?

>
> 2) I am still not able to add client using ipa-client-install using the
> replica.

The temporary krb5.conf that is used during enrollment has
dns_lookup_kdc=True so it is probably trying to contact the other KDC
and failing.

What is the output of:

$ rpm -q ipa-client

rob
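
Added example, not part of the original message and not FreeIPA or MIT Kerberos code: a simplified structural check for krb5.conf text that reports the kind of formatting problem behind "Improper format of Kerberos configuration file" and shows whether dns_lookup_kdc is on and which KDCs each realm lists. The function name, the sample file and the example.com names are constructed; this is not libkrb5's own parser and it does not follow include directives.

```python
import re

# Constructed sample (not from the thread): a realm block missing its closing brace.
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc = ldap2.example.com:88
    admin_server = ldap2.example.com:749

[domain_realm]
  .example.com = EXAMPLE.COM
"""
TRUE_WORDS = ("y", "yes", "true", "t", "1", "on")  # spellings krb5 reads as true

def check_krb5_conf(text):
    """Return (problems, dns_lookup_kdc, kdcs_by_realm) for krb5.conf text."""
    problems, section, stack = [], None, []
    dns_lookup, kdcs = None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith(("include ", "includedir ")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            if stack:  # a new section began before '}' closed the block
                problems.append(f"line {n}: {line} begins inside unclosed block '{stack[-1]}'")
                stack.clear()
            section = header.group(1)
        elif line.startswith("}"):
            if stack:
                stack.pop()
            else:
                problems.append(f"line {n}: '}}' without a matching '{{'")
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep or not key or section is None:
                problems.append(f"line {n}: expected 'key = value' inside a section")
            elif value == "{":
                stack.append(key)
            elif section == "libdefaults" and key == "dns_lookup_kdc":
                dns_lookup = value.lower() in TRUE_WORDS
            elif section == "realms" and key == "kdc" and stack:
                kdcs.setdefault(stack[0], []).append(value)
    if stack:
        problems.append(f"end of file: block '{stack[-1]}' is never closed")
    return problems, dns_lookup, kdcs
```

Calling check_krb5_conf(open("/etc/krb5.conf").read()) on the replica gives the same three results for the real file.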