[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Dmitri Pal
dpal at redhat.com
Thu Feb 20 15:11:20 UTC 2014
On 02/19/2014 06:52 PM, Shree wrote:
> Rob
> You were right. After upgrading the client to the
> ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning
> during the client install that went something like
> =================
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to
> always access the discovered server for all operations and will not
> fail over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> =================
> I continued by saying yes because in my case the master and the
> replica are in different VLANs and failover is not possible for me. I
> have tried in two hosts successfully and am hoping that does the trick.
>
> However I see one issue immediately that my sudo access does not seem
> to work now on the newly added clients! Do you know what might be
> happening?
Are you using SSSD and SUDO integration?
What version of sudo and sssd?
See if this would help:
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden
> <rcritten at redhat.com> wrote:
> Shree wrote:
> > root at test500 <mailto:root at test500> ~]# rpm -q ipa-client
> > ipa-client-2.2.0-16.el6.x86_64
> > [root at test500 <mailto:root at test500> ~]#
>
> You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>
> Unfortunately our logging around discovery was rather horrible in 2.2.x
> so it is difficult to know exactly what is going on.
>
> I believe the problem is that it is still doing DNS discovery even
> though you've passed in a server name so it is setting up Kerberos to
> look up the KDC which it finds but can't talk to.
>
> This should be fixed in the 3.0 packages so updating to those is the
> preferred solution.
>
> For 2.x you can try the --force option which should make it skip some
> discovery.
>
> rob
>
> >
> >
> > Shreeraj
> >
> ----------------------------------------------------------------------------------------
> >
> >
> > Change is the only Constant !
> >
> >
> > On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
> > <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
> > Shree wrote:
> > > Here are a couple of things
> > >
> > > [skarulkar at ldap2 <mailto:skarulkar at ldap2> <mailto:skarulkar at ldap2
> <mailto:skarulkar at ldap2>> ~]$ rpm -q ipa-client
> > > ipa-client-3.0.0-26.el6_4.4.x86_64
> >
> > What is the version on the client that is failing to enroll?
> >
> > rob
> >
> > >
> > > and my /etc/krb5.conf looks like ..........
> > > =======================================
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > >
> > > [logging]
> > > default = FILE:/var/log/krb5libs.log
> > > kdc = FILE:/var/log/krb5kdc.log
> > > admin_server = FILE:/var/log/kadmind.log
> > >
> > > [libdefaults]
> > > default_realm = MYDOMAIN.COM
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > > rdns = false
> > > ticket_lifetime = 24h
> > > forwardable = yes
> > >
> > > [realms]
> > > MYDOMAIN.COM = {
> > > kdc = ldap2.mydomain.com:88
> > > master_kdc = ldap2.mydomain.com:88
> > > admin_server = ldap2.mydomain.com:749
> > > default_domain = mydomain.com
> > > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > > default_domain = mydomain.com
> > > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > > }
> > >
> > > [domain_realm]
> > > .mydomain.com = MYDOMAIN.COM
> > > mydomain.com = MYDOMAIN.COM
> > >
> > > [dbmodules]
> > > MYDOMAIN.COM = {
> > > db_library = ipadb.so
> > > }
> > >
> > > =======================================
> > >
> > >
> > > Shreeraj
> > >
> >
> ----------------------------------------------------------------------------------------
> > >
> > >
> > > Change is the only Constant !
> > >
> > >
> > > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
> > > <rcritten at redhat.com <mailto:rcritten at redhat.com>
> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
> > > Shree wrote:
> > > > 1) I have got a step furthur. My replica is not running CA
> Service. To
> > > > achieve this I had to remove the existing cert with this command
> > > >
> > > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
> -force
> > > >
> > > > Now the replica looks like this
> > > >
> > > > skarulkar at ldap2 <mailto:skarulkar at ldap2> <mailto:skarulkar at ldap2
> <mailto:skarulkar at ldap2>> <mailto:skarulkar at ldap2 <mailto:skarulkar at ldap2>
> > <mailto:skarulkar at ldap2 <mailto:skarulkar at ldap2>>> tmp]$ sudo ipactl
> status
> > > > [sudo] password for skarulkar:
> > > > Directory Service: RUNNING
> > > > KDC Service: RUNNING
> > > > KPASSWD Service: RUNNING
> > > > MEMCACHE Service: RUNNING
> > > > HTTP Service: RUNNING
> > > > CA Service: RUNNING
> > > > [skarulkar at ldap2 <mailto:skarulkar at ldap2>
> <mailto:skarulkar at ldap2 <mailto:skarulkar at ldap2>>
> <mailto:skarulkar at ldap2 <mailto:skarulkar at ldap2>
>
> > <mailto:skarulkar at ldap2 <mailto:skarulkar at ldap2>>> tmp]$
> >
> > >
> > > The tracking failed with:
> > >
> > > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
> > > Improper format of Kerberos configuration file.
> > >
> > > It looks like it failed on this for most if not all the tracking. What
> > > does /etc/krb5.conf look like?
> > >
> > > >
> > > > 2) I am still not able to add client using ipa-client-install
> > using the
> > > > replica.
> > >
> > > The temporary krb5.conf that is used during enrollment has
> > > dns_lookup_kdc=True so it is probably trying to contact the other KDC
> > > and failing.
> > >
> > > What is the output of:
> > >
> > > $ rpm -q ipa-client
> > >
> > >
> > > rob
> > >
> > >
> > >
> >
> >
> >
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140220/20565100/attachment.htm>
More information about the Freeipa-users
mailing list