[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Dmitri Pal dpal at redhat.com
Thu Feb 20 15:11:20 UTC 2014


On 02/19/2014 06:52 PM, Shree wrote:
> Rob
> You were right. After upgrading the client to the 
> ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning 
> during the client install that went something like
> =================
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to 
> always access the discovered server for all operations and will not 
> fail over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> =================
> I continued by saying yes because in my case the master and the 
> replica are in different VLANs and failover is not possible for me. I 
> have tried in two hosts successfully and am hoping that does the trick.
>
> However I see one issue immediately that my sudo access does not seem 
> to work now on the newly added clients! Do you know what might be 
> happening?
Are you using SSSD and SUDO integration?
What version of sudo and sssd?
See if this would help: 
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

> Shreeraj
> ---------------------------------------------------------------------------------------- 
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden 
> <rcritten at redhat.com> wrote:
> Shree wrote:
> > [root at test500 ~]# rpm -q ipa-client
> > ipa-client-2.2.0-16.el6.x86_64
> > [root at test500 ~]#
>
> You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>
> Unfortunately our logging around discovery was rather horrible in 2.2.x
> so it is difficult to know exactly what is going on.
>
> I believe the problem is that it is still doing DNS discovery even
> though you've passed in a server name so it is setting up Kerberos to
> look up the KDC which it finds but can't talk to.
>
> This should be fixed in the 3.0 packages so updating to those is the
> preferred solution.
>
> For 2.x you can try the --force option which should make it skip some
> discovery.
>
> rob
>
> >
> >
> > Shreeraj
> > ----------------------------------------------------------------------------------------
> >
> >
> > Change is the only Constant !
> >
> >
> > On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
> > <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
> > Shree wrote:
> > > Here are a couple of things
> > >
> > > [skarulkar at ldap2 ~]$ rpm -q ipa-client
> > > ipa-client-3.0.0-26.el6_4.4.x86_64
> >
> > What is the version on the client that is failing to enroll?
> >
> > rob
> >
> > >
> > > and my /etc/krb5.conf looks like ..........
> > > =======================================
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > >
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > >
> > > [libdefaults]
> > >  default_realm = MYDOMAIN.COM
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = true
> > >  rdns = false
> > >  ticket_lifetime = 24h
> > >  forwardable = yes
> > >
> > > [realms]
> > >  MYDOMAIN.COM = {
> > >    kdc = ldap2.mydomain.com:88
> > >    master_kdc = ldap2.mydomain.com:88
> > >    admin_server = ldap2.mydomain.com:749
> > >    default_domain = mydomain.com
> > >    pkinit_anchors = FILE:/etc/ipa/ca.crt
> > > default_domain = mydomain.com
> > >    pkinit_anchors = FILE:/etc/ipa/ca.crt
> > > }
> > >
> > > [domain_realm]
> > >  .mydomain.com = MYDOMAIN.COM
> > >  mydomain.com = MYDOMAIN.COM
> > >
> > > [dbmodules]
> > >    MYDOMAIN.COM = {
> > >      db_library = ipadb.so
> > >    }
> > >
> > > =======================================
> > >
> > >
> > > Shreeraj
> > >
> > > ----------------------------------------------------------------------------------------
> > >
> > >
> > > Change is the only Constant !
> > >
> > >
> > > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
> > > <rcritten at redhat.com <mailto:rcritten at redhat.com> 
> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
> > > Shree wrote:
> > > > 1) I have got a step further. My replica is not running CA Service. To
> > > > achieve this I had to remove the existing cert with this command
> > > >
> > > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
> > > >
> > > > Now the replica looks like this
> > > >
> > > > [skarulkar at ldap2 tmp]$ sudo ipactl status
> > > > [sudo] password for skarulkar:
> > > > Directory Service: RUNNING
> > > > KDC Service: RUNNING
> > > > KPASSWD Service: RUNNING
> > > > MEMCACHE Service: RUNNING
> > > > HTTP Service: RUNNING
> > > > CA Service: RUNNING
> > > > [skarulkar at ldap2 tmp]$
> >
> > >
> > > The tracking failed with:
> > >
> > > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
> > > Improper format of Kerberos configuration file.
> > >
> > > It looks like it failed on this for most if not all the tracking. What
> > > does /etc/krb5.conf look like?
> > >
> > > >
> > > > 2) I am still not able to add client using ipa-client-install
> > using the
> > > > replica.
> > >
> > > The temporary krb5.conf that is used during enrollment has
> > > dns_lookup_kdc=True so it is probably trying to contact the other KDC
> > > and failing.
> > >
> > > What is the output of:
> > >
> > > $ rpm -q ipa-client
> > >
> > >
> > > rob
> > >
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
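The KDC-location problem Rob describes (the temporary krb5.conf written during enrollment has dns_lookup_kdc=True, so kinit goes to whatever KDC the DNS SRV records name rather than the server passed to the installer, and across VLANs that KDC cannot be reached) can be checked mechanically from the profile itself. What follows is an added example, not code from the thread and not FreeIPA project code: a small Python parser for the krb5.conf profile format (sections, repeated keys, nested `REALM = { ... }` blocks, includedir lines), a report of how libkrb5 will locate a realm's KDCs under that profile, and a rewrite to the fixed-server form the installer offers when discovery cannot work. The function names are mine, and the sample profile is constructed, reusing only the thread's MYDOMAIN.COM and ldap2.mydomain.com placeholders.

```python
# Added example (not FreeIPA project code, not from the thread): parse a
# krb5.conf profile and report how libkrb5 will locate a realm's KDCs.


def parse_krb5_conf(text):
    """Keys map to lists (a key may repeat, e.g. several 'kdc =' lines);
    'key = {' opens a nested dict; include/includedir lines go in '_includes'."""
    conf = {"_includes": []}
    stack = []  # open dicts: the current section, then any nested blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("includedir ", "include ")):
            conf["_includes"].append(line)
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not stack:  # also catches a stray '}' with nothing open
            raise ValueError("malformed or misplaced line: %r" % line)
        if value == "{":
            stack[-1].setdefault(key, []).append({})
            stack.append(stack[-1][key][-1])
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block in profile")
    return conf


def _render(d, depth, out):
    pad = "  " * depth
    for key, values in d.items():
        for v in values:
            if isinstance(v, dict):
                out.append("%s%s = {" % (pad, key))
                _render(v, depth + 1, out)
                out.append(pad + "}")
            else:
                out.append("%s%s = %s" % (pad, key, v))


def render_krb5_conf(conf):
    """Serialize a parsed profile back into krb5.conf text."""
    out = list(conf.get("_includes", []))
    for section, body in conf.items():
        if section != "_includes":
            out += ["", "[%s]" % section]
            _render(body, 1, out)
    return "\n".join(out).lstrip("\n") + "\n"


def kdc_location_report(text, realm):
    """Explicit kdc entries are used as listed; with none, DNS SRV records are
    consulted only if dns_lookup_kdc is true (MIT krb5's default if unset)."""
    conf = parse_krb5_conf(text)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    dns = str(flag).lower() in ("true", "yes", "1", "on")
    blocks = conf.get("realms", {}).get(realm) or [{}]
    kdcs = [v for v in blocks[0].get("kdc", []) if isinstance(v, str)]
    if kdcs:
        finding = "pinned"         # only the listed servers are contacted
    elif dns:
        finding = "srv-discovery"  # whatever SRV returns is tried, reachable or not
    else:
        finding = "no-kdc"         # kinit has nowhere to go at all
    return {"realm": realm, "dns_lookup_kdc": dns, "explicit_kdcs": kdcs, "finding": finding}


def pin_kdc(text, realm, server, port=88):
    """Rewrite the profile for the installer's fixed-server setup: DNS
    discovery off, `server` as the realm's only kdc and master_kdc."""
    conf = parse_krb5_conf(text)
    conf.setdefault("libdefaults", {})["dns_lookup_kdc"] = ["false"]
    block = conf.setdefault("realms", {}).setdefault(realm, [{}])[0]
    block["kdc"] = ["%s:%d" % (server, port)]
    block["master_kdc"] = ["%s:%d" % (server, port)]
    return render_krb5_conf(conf)


# Constructed sample modelled on the temporary enrollment krb5.conf Rob
# describes: dns_lookup_kdc on and no kdc entry, so SRV discovery decides.
DISCOVERY_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_kdc = true
[realms]
  MYDOMAIN.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""
```

Running `kdc_location_report(DISCOVERY_CONF, "MYDOMAIN.COM")` gives "srv-discovery"; after `pin_kdc(DISCOVERY_CONF, "MYDOMAIN.COM", "ldap2.mydomain.com")` the same report gives "pinned" with `ldap2.mydomain.com:88` as the only KDC, which is the "fixed values and no DNS discovery" outcome Shree accepted from the 3.0 installer. Turning dns_lookup_kdc off without listing a kdc yields "no-kdc", the other way to end up with "cannot contact any KDC". The /etc/krb5.conf quoted earlier in the thread parses as-is (sssd includedir line, the [dbmodules] block and the repeated default_domain line are all kept) and reports "pinned" for MYDOMAIN.COM, so the replica's own file is not where the discovery happens; the profile to look at is the temporary one the installer writes during enrollment.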


