[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Wed Feb 19 23:52:23 UTC 2014


Rob
You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like 
=================
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
=================

I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.

However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?

 
Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !



On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
 
Shree wrote:
> root at test500 ~]# rpm -q ipa-client
> ipa-client-2.2.0-16.el6.x86_64
> [root at test500 ~]#

You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484

Unfortunately our logging around discovery was rather horrible in 2.2.x 
so it is difficult to know exactly what is going on.

I believe the problem is that it is still doing DNS discovery even 
though you've passed in a server name so it is setting up Kerberos to 
look up the KDC which it finds but can't talk to.

This should be fixed in the 3.0 packages so updating to those is the 
preferred solution.

For 2.x you can try the --force option which should make it skip some 
discovery.

rob

>
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
> <rcritten at redhat.com> wrote:
> Shree wrote:
>  > Here are a couple of things
>  >
>  > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>  > ipa-client-3.0.0-26.el6_4.4.x86_64
>
> What is the version on the client that is failing to enroll?
>
> rob
>
>  >
>  > and my /etc/krb5.conf looks like ..........
>  > =======================================
>  > includedir /var/lib/sss/pubconf/krb5.include.d/
>  >
>  > [logging]
>  >  default = FILE:/var/log/krb5libs.log
>  >  kdc = FILE:/var/log/krb5kdc.log
>  >  admin_server = FILE:/var/log/kadmind.log
>  >
>  > [libdefaults]
>  >  default_realm = MYDOMAIN.COM
>  >  dns_lookup_realm = false
>  >  dns_lookup_kdc = true
>  >  rdns = false
>  >  ticket_lifetime = 24h
>  >  forwardable = yes
>  >
>  > [realms]
>  >  MYDOMAIN.COM = {
>  >    kdc = ldap2.mydomain.com:88
>  >    master_kdc = ldap2.mydomain.com:88
>  >    admin_server = ldap2.mydomain.com:749
>  >    default_domain = mydomain.com
>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  > default_domain = mydomain.com
>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  > }
>  >
>  > [domain_realm]
>  >  .mydomain.com = MYDOMAIN.COM
>  >  mydomain.com = MYDOMAIN.COM
>  >
>  > [dbmodules]
>  >    MYDOMAIN.COM = {
>  >      db_library = ipadb.so
>  >    }
>  >
>  > =======================================
>  >
>  >
>  > Shreeraj
>  >
> ----------------------------------------------------------------------------------------
>  >
>  >
>  > Change is the only Constant !
>  >
>  >
>  > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
>  > <rcritten at redhat.com> wrote:
>  > Shree wrote:
>  >  > 1) I have got a step further. My replica is not running CA Service. To
>  >  > achieve this I had to remove the existing cert with this command
>  >  >
>  >  > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>  >  >
>  >  > Now the replica looks like this
>  >  >
>  >  > [skarulkar at ldap2 tmp]$ sudo ipactl status
>  >  > [sudo] password for skarulkar:
>  >  > Directory Service: RUNNING
>  >  > KDC Service: RUNNING
>  >  > KPASSWD Service: RUNNING
>  >  > MEMCACHE Service: RUNNING
>  >  > HTTP Service: RUNNING
>  >  > CA Service: RUNNING
>  >  > [skarulkar at ldap2 tmp]$
>
>  >
>  > The tracking failed with:
>  >
>  > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
>  > Improper format of Kerberos configuration file.
>  >
>  > It looks like it failed on this for most if not all the tracking. What
>  > does /etc/krb5.conf look like?
>  >
>  >  >
>  >  > 2) I am still not able to add client using ipa-client-install
> using the
>  >  > replica.
>  >
>  > The temporary krb5.conf that is used during enrollment has
>  > dns_lookup_kdc=True so it is probably trying to contact the other KDC
>  > and failing.
>  >
>  > What is the output of:
>  >
>  > $ rpm -q ipa-client
>  >
>  >
>  > rob
>  >
>  >
>  >
>
>
>
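An added example, not from this thread or the FreeIPA project: it parses a krb5.conf with the stanza syntax shown above and reports the two things the thread turns on, keys repeated inside a realm block (as in the posted [realms] section) and realms with no kdc line while dns_lookup_kdc is on, where MIT krb5 falls back to DNS SRV lookup, the path Rob describes failing across the VLAN boundary. Unbalanced braces or a key line outside any section are rejected as improper format; the SAMPLE string is constructed, and includedir lines are recognised but not expanded.

```python
import re
# Constructed sample modelled on the krb5.conf posted in the thread:
# the realm block repeats default_domain, as the posted [realms] section did.
SAMPLE = """[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
[realms]
 MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   default_domain = mydomain.com
 default_domain = mydomain.com
 }
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values or nested dicts]}}; repeated keys are kept."""
    conf, stack, section = {}, [], None
    for raw in text.splitlines():
        line = re.sub(r"[#;].*", "", raw).strip()
        if not line or line.startswith("include"):   # include/includedir not expanded
            continue
        if line[0] == "[" and line[-1] == "]" and len(stack) < 2:
            section = conf.setdefault(line[1:-1], {})
            stack = [section]
        elif line == "}" and len(stack) > 1:
            stack.pop()                                # close the innermost { } block
        elif section is None or line == "}" or "=" not in line:
            raise ValueError("improper format: %r" % raw)
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":                           # open a nested block, e.g. a realm
                stack.append({})
                stack[-2].setdefault(key, []).append(stack[-1])
            else:
                stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("improper format: unclosed { block")
    return conf

def lint(conf):
    """Findings relevant to the enrollment failure discussed in the thread."""
    out = []
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["false"])[-1].lower()
    for realm, blocks in conf.get("realms", {}).items():
        for block in blocks:
            out += ["%s: key %r repeated %d times" % (realm, k, len(v))
                    for k, v in block.items() if len(v) > 1]
            if "kdc" not in block and dns in ("true", "yes", "1", "on"):
                out.append("%s: no kdc entry, KDCs come from DNS SRV lookup" % realm)
    return out
```

Run `lint(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a client before enrolling to see which KDCs it will actually try.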