[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Wed Feb 19 21:51:21 UTC 2014


[root at test500 ~]# rpm -q ipa-client
ipa-client-2.2.0-16.el6.x86_64
[root at test500 ~]#



 
Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !



On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden <rcritten at redhat.com> wrote:
 
Shree wrote:
> Here are a couple of things
>
> [skarulkar at ldap2 ~]$ rpm -q ipa-client
> ipa-client-3.0.0-26.el6_4.4.x86_64

What is the version on the client that is failing to enroll?

rob

>
> and my /etc/krb5.conf looks like ..........
> =======================================
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = MYDOMAIN.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   MYDOMAIN.COM = {
>    kdc = ldap2.mydomain.com:88
>    master_kdc = ldap2.mydomain.com:88
>    admin_server = ldap2.mydomain.com:749
>    default_domain = mydomain.com
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> default_domain = mydomain.com
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
>   .mydomain.com = MYDOMAIN.COM
>   mydomain.com = MYDOMAIN.COM
>
> [dbmodules]
>    MYDOMAIN.COM = {
>      db_library = ipadb.so
>    }
>
> =======================================
>
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
> <rcritten at redhat.com> wrote:
> Shree wrote:
>  > 1) I have got a step further. My replica is not running CA Service. To
>  > achieve this I had to remove the existing cert with this command
>  >
>  > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>  >
>  > Now the replica looks like this
>  >
>  > [skarulkar at ldap2 tmp]$ sudo ipactl status
>  > [sudo] password for skarulkar:
>  > Directory Service: RUNNING
>  > KDC Service: RUNNING
>  > KPASSWD Service: RUNNING
>  > MEMCACHE Service: RUNNING
>  > HTTP Service: RUNNING
>  > CA Service: RUNNING
>  > [skarulkar at ldap2 tmp]$

>
> The tracking failed with:
>
> 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
> Improper format of Kerberos configuration file.
>
> It looks like it failed on this for most if not all the tracking. What
> does /etc/krb5.conf look like?
>
>  >
>  > 2) I am still not able to add client using ipa-client-install using the
>  > replica.
>
> The temporary krb5.conf that is used during enrollment has
> dns_lookup_kdc=True so it is probably trying to contact the other KDC
> and failing.
>
> What is the output of:
>
> $ rpm -q ipa-client
>
>
> rob
>
>
>
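
An added example, not part of the original thread or of FreeIPA: a Python check for the two things Rob asks about above, whether a krb5.conf is structurally well formed and what it says about dns_lookup_kdc and the KDCs listed under [realms]. The function name, messages and line-based rules are assumptions of this example (it does not use libkrb5's parser), and the sample config is constructed from the one quoted in the thread.

```python
import re

# Constructed sample, modelled on the krb5.conf quoted in the thread.
SAMPLE = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  dns_lookup_kdc = true
[realms]
  MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   default_domain = mydomain.com
default_domain = mydomain.com
}
"""
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

def audit_krb5_conf(text):
    """Return (errors, settings); errors is a list of (line_no, message)."""
    errors, section, stack, last = [], None, [], 0
    settings = {"dns_lookup_kdc": None, "kdcs": {}}
    for last, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or re.match(r"include(dir)?\s+\S", line):
            continue  # blank, comment, or include directive (not followed here)
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            if stack:  # e.g. a realm stanza that never got its "}"
                errors.append((last, "section starts inside unclosed '{'"))
                stack = []
            section = header.group(1)
        elif line == "}":
            if not stack:
                errors.append((last, "'}' without matching '{'"))
            stack = stack[:-1]
        elif section is None:
            errors.append((last, "relation outside any [section]"))
        elif "=" not in line:
            errors.append((last, "relation without '='"))
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(key)  # opens a subsection such as a realm stanza
            elif section == "libdefaults" and key == "dns_lookup_kdc":
                settings["dns_lookup_kdc"] = value.lower() in TRUE_WORDS
            elif section == "realms" and stack and key == "kdc":
                settings["kdcs"].setdefault(stack[0], []).append(value)
    if stack:
        errors.append((last, "end of file inside unclosed '{'"))
    return errors, settings
```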