[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Wed Feb 19 21:09:12 UTC 2014


Here are a couple of things

[skarulkar at ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64


and my /etc/krb5.conf looks like ..........
=======================================
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[dbmodules]
  MYDOMAIN.COM = {
    db_library = ipadb.so
  }

=======================================

Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !



On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
 
Shree wrote:
> 1) I have got a step further. My replica is not running CA Service. To
> achieve this I had to remove the existing cert with this command
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
> Now the replica looks like this
>
> skarulkar at ldap2 tmp]$ sudo ipactl status
> [sudo] password for skarulkar:
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [skarulkar at ldap2 tmp]$

The tracking failed with:

2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library: 
Improper format of Kerberos configuration file.

It looks like it failed on this for most if not all the tracking. What 
does /etc/krb5.conf look like?

>
> 2) I am still not able to add client using ipa-client-install using the
> replica.

The temporary krb5.conf that is used during enrollment has 
dns_lookup_kdc=True so it is probably trying to contact the other KDC 
and failing.

What is the output of:

$ rpm -q ipa-client


rob
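One check worth running before re-trying kinit: a small linter, added here as an illustration and not part of this thread or of FreeIPA, that walks a krb5.conf profile and reports the things the profile parser rejects or that quietly yield more values than intended, namely values before any [section], unbalanced braces in a nested stanza, and single-valued relations repeated inside one stanza. The embedded sample is constructed from the realms stanza posted above; the set of multi-valued relations is an assumption.

```python
import re

# Constructed sample modelled on the [realms] stanza posted in the thread.
SAMPLE_KRB5_CONF = """\
[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""

# Relations MIT krb5 accepts more than once in one stanza (assumed list).
MULTI_VALUED = {"kdc", "master_kdc", "admin_server", "kpasswd_server"}

def lint_krb5_conf(text):
    """Return (line_no, message) findings for a krb5.conf-style profile."""
    findings, section, stack, seen = [], None, [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in ("include", "includedir"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                          # new top-level section resets nesting
            section, stack = m.group(1), []
            continue
        if section is None:
            findings.append((n, "value before any [section]"))
        elif line == "}":
            if stack:
                stack.pop()
            else:
                findings.append((n, "'}' without matching '{'"))
        elif (m := re.match(r"([\w.\-]+)\s*=\s*(.*)$", line)):
            key, value = m.group(1), m.group(2).strip()
            if value == "{":           # nested stanza, e.g. MYDOMAIN.COM = {
                stack.append(key)
                continue
            path = (section, *stack)
            if key in seen.setdefault(path, set()) and key not in MULTI_VALUED:
                findings.append((n, "'%s' repeated in %s" % (key, "/".join(path))))
            seen[path].add(key)
        else:
            findings.append((n, "unparseable line: %r" % line))
    findings.extend((0, "stanza '%s' never closed" % s) for s in stack)
    return findings
```

Run it against the real file with `lint_krb5_conf(open("/etc/krb5.conf").read())`; on the sample it flags the second default_domain and pkinit_anchors lines.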