[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Thu Feb 20 19:58:55 UTC 2014
Can you help me figure this out? Below is some info on the existing working configuration on one of the clients:
1) Sudo version 1.7.4p5
2) [root at test500 ~]# sssd --version
1.9.2
3) These are the uncommented lines in /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dns.mydomain.com
chpass_provider = ipa
ipa_server = ldap.mydomain.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
=======================================
4) And these are the options in /etc/nsswitch.conf
sudoers: files ldap
passwd: files sss
shadow: files sss
group: files sss
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <dpal at redhat.com> wrote:
On 02/19/2014 06:52 PM, Shree wrote:
Rob
>You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like
>=================
>Autodiscovery of servers for failover cannot work with this configuration.
>If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>Proceed with fixed values and no DNS discovery? [no]: yes
>=================
>
>I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.
>
>However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?
>
Are you using SSSD and SUDO integration?
What version of sudo and sssd?
See if this would help: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
Shreeraj
>----------------------------------------------------------------------------------------
>Change is the only Constant !
>
>On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>Shree wrote:
>> [root at test500 ~]# rpm -q ipa-client
>> ipa-client-2.2.0-16.el6.x86_64
>> [root at test500 ~]#
>
>You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>
>Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on.
>
>I believe the problem is that it is still doing DNS discovery even though you've passed in a server name so it is setting up Kerberos to look up the KDC which it finds but can't talk to.
>
>This should be fixed in the 3.0 packages so updating to those is the preferred solution.
>
>For 2.x you can try the --force option which should make it skip some discovery.
>
>rob
>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>> Change is the only Constant !
>>
>> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Shree wrote:
>> > Here are a couple of things
>> >
>> > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>> > ipa-client-3.0.0-26.el6_4.4.x86_64
>>
>> What is the version on the client that is failing to enroll?
>>
>> rob
>>
>> >
>> > and my /etc/krb5.conf looks like ..........
>> > =======================================
>> > includedir /var/lib/sss/pubconf/krb5.include.d/
>> >
>> > [logging]
>> > default = FILE:/var/log/krb5libs.log
>> > kdc = FILE:/var/log/krb5kdc.log
>> > admin_server = FILE:/var/log/kadmind.log
>> >
>> > [libdefaults]
>> > default_realm = MYDOMAIN.COM
>> > dns_lookup_realm = false
>> > dns_lookup_kdc = true
>> > rdns = false
>> > ticket_lifetime = 24h
>> > forwardable = yes
>> >
>> > [realms]
>> > MYDOMAIN.COM = {
>> > kdc = ldap2.mydomain.com:88
>> > master_kdc = ldap2.mydomain.com:88
>> > admin_server = ldap2.mydomain.com:749
>> > default_domain = mydomain.com
>> > pkinit_anchors = FILE:/etc/ipa/ca.crt
>> > default_domain = mydomain.com
>> > pkinit_anchors = FILE:/etc/ipa/ca.crt
>> > }
>> >
>> > [domain_realm]
>> > .mydomain.com = MYDOMAIN.COM
>> > mydomain.com = MYDOMAIN.COM
>> >
>> > [dbmodules]
>> > MYDOMAIN.COM = {
>> > db_library = ipadb.so
>> > }
>> >
>> > =======================================
>> >
>> > Shreeraj
>> > ----------------------------------------------------------------------------------------
>> > Change is the only Constant !
>> >
>> > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> > Shree wrote:
>> > > 1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command
>> > >
>> > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>> > >
>> > > Now the replica looks like this
>> > >
>> > > [skarulkar at ldap2 tmp]$ sudo ipactl status
>> > > [sudo] password for skarulkar:
>> > > Directory Service: RUNNING
>> > > KDC Service: RUNNING
>> > > KPASSWD Service: RUNNING
>> > > MEMCACHE Service: RUNNING
>> > > HTTP Service: RUNNING
>> > > CA Service: RUNNING
>> > > [skarulkar at ldap2 tmp]$
>>
>> >
>> > The tracking failed with:
>> >
>> > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library: Improper format of Kerberos configuration file.
>> >
>> > It looks like it failed on this for most if not all the tracking. What does /etc/krb5.conf look like?
>> >
>> > >
>> > > 2) I am still not able to add client using ipa-client-install using the replica.
>> >
>> > The temporary krb5.conf that is used during enrollment has dns_lookup_kdc=True so it is probably trying to contact the other KDC and failing.
>> >
>> > What is the output of:
>> >
>> > $ rpm -q ipa-client
>> >
>> > rob
>_______________________________________________
Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
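Added example for this thread (editor's code, not from any list participant and not FreeIPA, SSSD or sudo project code): a small Python checker for the two points raised above, Dmitri's question about SSSD/sudo integration and Rob's note that a krb5.conf with dns_lookup_kdc=True makes the client go looking for a KDC it cannot reach. The function names are invented, the sample configs are constructed from the files quoted in this thread, and two things are assumptions to verify against your own packages: that SSSD-served sudo rules need the sudo responder in the [sssd] services line plus sss on the sudoers line of nsswitch.conf, and that sudo 1.8.6 is the first release with an SSSD sudoers backend.

```python
"""Config checks for the two issues in this thread: sudo rules not served
through SSSD, and Kerberos KDC discovery on a client pinned to one server.

Added example written for this thread; not FreeIPA, SSSD or sudo project
code.  Function names are invented, the sample configs are constructed
from the files quoted in the thread, and SUDO_SSSD_MIN is an assumption."""

import configparser
import re

# Constructed from the uncommented sssd.conf lines quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com

[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ldap.mydomain.com
"""

# Constructed from the nsswitch.conf lines quoted in the thread.
SAMPLE_NSSWITCH = "sudoers: files ldap\npasswd: files sss\nshadow: files sss\ngroup: files sss\n"

# Constructed from the krb5.conf quoted in the thread (abridged).
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
MYDOMAIN.COM = {
kdc = ldap2.mydomain.com:88
master_kdc = ldap2.mydomain.com:88
admin_server = ldap2.mydomain.com:749
}
"""

SUDO_SSSD_MIN = (1, 8, 6, 0)   # assumption: first sudo release with an sssd backend


def sudo_version_tuple(version):
    """'1.7.4p5' -> (1, 7, 4, 5); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised sudo version: %r" % version)
    return tuple(int(x or 0) for x in m.groups())


def parse_nsswitch(text):
    """{database: [sources]} from nsswitch.conf-style lines."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, srcs = line.split(":", 1)
            out[db.strip()] = srcs.split()
    return out


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}.  A 'NAME = {'
    block nests as {section: {NAME: {key: [values]}}}; repeated keys such
    as several 'kdc =' lines are kept in order.  Lines before the first
    [section] (e.g. includedir) are ignored."""
    conf, target, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            target, stack = conf.setdefault(m.group(1), {}), []
            continue
        if target is None:
            continue
        if line.endswith("{"):
            stack.append(target)
            target = target.setdefault(line[:-1].rstrip(" ="), {})
            continue
        if line == "}":
            target = stack.pop()
            continue
        key, _, val = line.partition("=")
        target.setdefault(key.strip(), []).append(val.strip())
    return conf


def check_sudo_via_sssd(sssd_conf_text, nsswitch_text, sudo_version):
    """Reasons sudo rules would not be served through SSSD on this host."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    sudoers = parse_nsswitch(nsswitch_text).get("sudoers", [])
    findings = []
    if "sudo" not in services:
        findings.append("sssd.conf: 'sudo' missing from [sssd] services, so the sudo responder is not started")
    if "sss" not in sudoers:
        findings.append("nsswitch.conf: sudoers does not list sss (found: %s)" % " ".join(sudoers))
    if sudo_version_tuple(sudo_version) < SUDO_SSSD_MIN:
        findings.append("sudo %s predates the sssd backend (assumed minimum 1.8.6)" % sudo_version)
    return findings


def kdc_discovery(krb5_conf_text):
    """How libkrb5 will locate the KDC for the default realm.  MIT krb5 only
    falls back to DNS SRV lookup when dns_lookup_kdc is true AND no kdc is
    listed for the realm under [realms]; a pinned kdc takes precedence."""
    conf = parse_krb5(krb5_conf_text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [""])[0]
    pinned = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    dns = lib.get("dns_lookup_kdc", ["false"])[0].lower() == "true"
    return {"realm": realm, "pinned_kdcs": pinned, "dns_lookup_kdc": dns,
            "uses_dns_discovery": dns and not pinned}


if __name__ == "__main__":
    for f in check_sudo_via_sssd(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH, "1.7.4p5"):
        print("SUDO:", f)
    print("KDC:", kdc_discovery(SAMPLE_KRB5_CONF))
```

Run as-is it reports three findings for the client configuration posted at the top of the thread; point the functions at real files with open(...).read() to check a host. The kdc_discovery result for the posted krb5.conf shows why a pinned kdc masks dns_lookup_kdc = true on a fully enrolled host, while a realm with no kdc entry (the enrollment-time case Rob describes) falls through to DNS SRV lookup and can pick a KDC in the other VLAN.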