[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Rob Crittenden rcritten at redhat.com
Wed Feb 19 22:21:24 UTC 2014


Shree wrote:
> [root at test500 ~]# rpm -q ipa-client
> ipa-client-2.2.0-16.el6.x86_64
> [root at test500 ~]#

You'll definitely want to update to 2.2.0-17, which fixes CVE-2012-5484.

Unfortunately our logging around discovery was rather horrible in 2.2.x 
so it is difficult to know exactly what is going on.

I believe the problem is that it is still doing DNS discovery even 
though you've passed in a server name, so it is setting up Kerberos to 
look up the KDC, which it finds but can't talk to.

This should be fixed in the 3.0 packages so updating to those is the 
preferred solution.

For 2.x you can try the --force option which should make it skip some 
discovery.

rob

>
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
> <rcritten at redhat.com> wrote:
> Shree wrote:
>  > Here are a couple of things
>  >
>  > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>  > ipa-client-3.0.0-26.el6_4.4.x86_64
>
> What is the version on the client that is failing to enroll?
>
> rob
>
>  >
>  > and my /etc/krb5.conf looks like ..........
>  > =======================================
>  > includedir /var/lib/sss/pubconf/krb5.include.d/
>  >
>  > [logging]
>  >  default = FILE:/var/log/krb5libs.log
>  >  kdc = FILE:/var/log/krb5kdc.log
>  >  admin_server = FILE:/var/log/kadmind.log
>  >
>  > [libdefaults]
>  >  default_realm = MYDOMAIN.COM
>  >  dns_lookup_realm = false
>  >  dns_lookup_kdc = true
>  >  rdns = false
>  >  ticket_lifetime = 24h
>  >  forwardable = yes
>  >
>  > [realms]
>  >  MYDOMAIN.COM = {
>  >    kdc = ldap2.mydomain.com:88
>  >    master_kdc = ldap2.mydomain.com:88
>  >    admin_server = ldap2.mydomain.com:749
>  >    default_domain = mydomain.com
>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  > default_domain = mydomain.com
>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  > }
>  >
>  > [domain_realm]
>  >  .mydomain.com = MYDOMAIN.COM
>  >  mydomain.com = MYDOMAIN.COM
>  >
>  > [dbmodules]
>  >    MYDOMAIN.COM = {
>  >      db_library = ipadb.so
>  >    }
>  >
>  > =======================================
>  >
>  >
>  > Shreeraj
>  >
> ----------------------------------------------------------------------------------------
>  >
>  >
>  > Change is the only Constant !
>  >
>  >
>  > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
>  > <rcritten at redhat.com> wrote:
>  > Shree wrote:
>  >  > 1) I have got a step further. My replica is not running CA Service. To
>  >  > achieve this I had to remove the existing cert with this command
>  >  >
>  >  > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>  >  >
>  >  > Now the replica looks like this
>  >  >
>  >  > [skarulkar at ldap2 tmp]$ sudo ipactl status
>  >  > [sudo] password for skarulkar:
>  >  > Directory Service: RUNNING
>  >  > KDC Service: RUNNING
>  >  > KPASSWD Service: RUNNING
>  >  > MEMCACHE Service: RUNNING
>  >  > HTTP Service: RUNNING
>  >  > CA Service: RUNNING
>  >  > [skarulkar at ldap2 tmp]$
>
>  >
>  > The tracking failed with:
>  >
>  > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
>  > Improper format of Kerberos configuration file.
>  >
>  > It looks like it failed on this for most if not all the tracking. What
>  > does /etc/krb5.conf look like?
>  >
>  >  >
>  >  > 2) I am still not able to add client using ipa-client-install
> using the
>  >  > replica.
>  >
>  > The temporary krb5.conf that is used during enrollment has
>  > dns_lookup_kdc=True so it is probably trying to contact the other KDC
>  > and failing.
>  >
>  > What is the output of:
>  >
>  > $ rpm -q ipa-client
>  >
>  >
>  > rob
>  >
>  >
>  >
>
>
>
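As an added example (not code from the thread or from FreeIPA), a small Python checker that parses a krb5.conf in MIT's profile format and reports whether a realm's KDCs will come from its explicit kdc relations or from DNS SRV discovery under dns_lookup_kdc, the setting Rob points at for the enrollment failure; the sample config below is constructed, modelled on the one quoted above, and the parser also rejects unbalanced braces, which libkrb5 reports as an improper configuration file.

```python
import re

# Constructed sample modelled on the krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
[realms]
 MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   default_domain = mydomain.com
 }
"""
SECTION_RE = re.compile(r"^\[(\S+)\]$")
RELATION_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")

def parse_profile(text):
    """MIT profile format -> {section: {tag: [values]}}; '{' nests a dict."""
    profile, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue  # blank, comment, or include/includedir directive
        m = RELATION_RE.match(line)
        if SECTION_RE.match(line) and len(stack) <= 1:
            stack = [profile.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif m and stack and m.group(2) == "{":
            stack.append({})  # open a nested group under this tag
            stack[-2].setdefault(m.group(1), []).append(stack[-1])
        elif m and stack:
            stack[-1].setdefault(m.group(1), []).append(m.group(2))
        else:  # stray '}', '[section]' inside an open brace, or junk
            raise ValueError("improper profile line: %r" % raw)
    if len(stack) > 1:
        raise ValueError("unclosed '{' in profile")
    return profile

def kdc_lookup_plan(profile, realm):
    """Explicit kdc relations win; DNS SRV is used only if none are listed
    and dns_lookup_kdc (default true) is enabled."""
    dns = profile.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1]
    dns_on = dns.lower() in ("true", "yes", "1")
    kdcs = profile.get("realms", {}).get(realm, [{}])[-1].get("kdc", [])
    src = "profile" if kdcs else "dns" if dns_on else "none"
    return {"kdcs": kdcs, "dns_lookup_kdc": dns_on, "source": src}
```

Run it against the temporary enrollment krb5.conf as well as the final one: a realm with no kdc relation and dns_lookup_kdc on reports "dns", which is the path that reaches the unreachable KDC described above.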