[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Wed Feb 19 21:09:12 UTC 2014
Here are a couple of things
[skarulkar at ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64
and my /etc/krb5.conf looks like ..........
=======================================
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = ldap2.mydomain.com:88
master_kdc = ldap2.mydomain.com:88
admin_server = ldap2.mydomain.com:749
default_domain = mydomain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
default_domain = mydomain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[dbmodules]
MYDOMAIN.COM = {
db_library = ipadb.so
}
=======================================
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
Shree wrote:
> 1) I have got a step furthur. My replica is not running CA Service. To
> achieve this I had to remove the existing cert with this command
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
> Now the replica looks like this
>
> skarulkar at ldap2 tmp]$ sudo ipactl status
> [sudo] password for skarulkar:
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [skarulkar at ldap2 tmp]$
The tracking failed with:
2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
Improper format of Kerberos configuration file.
It looks like it failed on this for most if not all the tracking. What
does /etc/krb5.conf look like?
>
> 2) I am still not able to add client using ipa-client-install using the
> replica.
The temporary krb5.conf that is used during enrollment has
dns_lookup_kdc=True so it is probably trying to contact the other KDC
and failing.
What is the output of:
$ rpm -q ipa-client
rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140219/075caa30/attachment.htm>
More information about the Freeipa-users
mailing list