[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Thu Feb 20 19:58:55 UTC 2014


Can you help me figure it out? Below is some info on the existing working configuration on one of the clients.
1) Sudo version 1.7.4p5

2) [root at test500 ~]# sssd --version
1.9.2

3) These are the uncommented lines in /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dns.mydomain.com
chpass_provider = ipa
ipa_server = ldap.mydomain.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt

=======================================
4) And these are the options in /etc/nsswitch.conf
sudoers:    files ldap
passwd:     files sss
shadow:     files sss
group:      files sss


Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !



On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <dpal at redhat.com> wrote:
 
On 02/19/2014 06:52 PM, Shree wrote: 
Rob
>You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like
>=================
>Autodiscovery of servers for failover cannot work with this configuration.
>If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>Proceed with fixed values and no DNS discovery? [no]: yes
>=================
>
>I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.
>
>
>However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?
>
> 
Are you using SSSD and SUDO integration?
What version of sudo and sssd?
See if this would help: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


Shreeraj 
>---------------------------------------------------------------------------------------- 
>
>Change is the only Constant !
>
>
>
>On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>Shree wrote:
>> root at test500 ~]# rpm -q ipa-client
>> ipa-client-2.2.0-16.el6.x86_64
>> [root at test500 ~]#
>
>You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>
>Unfortunately our logging around discovery was rather horrible in 2.2.x
>so it is difficult to know exactly what is going on.
>
>I believe the problem is that it is still doing DNS discovery even
>though you've passed in a server name so it is setting up Kerberos to
>look up the KDC which it finds but can't talk to.
>
>This should be fixed in the 3.0 packages so updating to those is the
>preferred solution.
>
>For 2.x you can try the --force option which should make it skip some
>discovery.
>
>rob
>
>>
>>
>> Shreeraj
>>
>> ----------------------------------------------------------------------------------------
>>
>>
>> Change is the only Constant !
>>
>>
>> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
>> <rcritten at redhat.com> wrote:
>> Shree wrote:
>>  > Here are a couple of things
>>  >
>>  > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>>  > ipa-client-3.0.0-26.el6_4.4.x86_64
>>
>> What is the version on the client that is failing to enroll?
>>
>> rob
>>
>>  >
>>  > and my /etc/krb5.conf looks like ..........
>>  > =======================================
>>  > includedir /var/lib/sss/pubconf/krb5.include.d/
>>  >
>>  > [logging]
>>  >  default = FILE:/var/log/krb5libs.log
>>  >  kdc = FILE:/var/log/krb5kdc.log
>>  >  admin_server = FILE:/var/log/kadmind.log
>>  >
>>  > [libdefaults]
>>  >  default_realm = MYDOMAIN.COM
>>  >  dns_lookup_realm = false
>>  >  dns_lookup_kdc = true
>>  >  rdns = false
>>  >  ticket_lifetime = 24h
>>  >  forwardable = yes
>>  >
>>  > [realms]
>>  >  MYDOMAIN.COM = {
>>  >    kdc = ldap2.mydomain.com:88
>>  >    master_kdc = ldap2.mydomain.com:88
>>  >    admin_server = ldap2.mydomain.com:749
>>  >    default_domain = mydomain.com
>>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  > default_domain = mydomain.com
>>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  > }
>>  >
>>  > [domain_realm]
>>  >  .mydomain.com = MYDOMAIN.COM
>>  >  mydomain.com = MYDOMAIN.COM
>>  >
>>  > [dbmodules]
>>  >    MYDOMAIN.COM = {
>>  >      db_library = ipadb.so
>>  >    }
>>  >
>>  > =======================================
>>  >
>>  >
>>  > Shreeraj
>>  >
>>
>>  > ----------------------------------------------------------------------------------------
>>  >
>>  >
>>  > Change is the only Constant !
>>  >
>>  >
>>  > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
>>  > <rcritten at redhat.com> wrote:
>>  > Shree wrote:
>>  >  > 1) I have got a step further. My replica is not running CA Service. To
>>  >  > achieve this I had to remove the existing cert with this command
>>  >  >
>>  >  > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>  >  >
>>  >  > Now the replica looks like this
>>  >  >
>>  >  > [skarulkar at ldap2 tmp]$ sudo ipactl status
>>  >  > [sudo] password for skarulkar:
>>  >  > Directory Service: RUNNING
>>  >  > KDC Service: RUNNING
>>  >  > KPASSWD Service: RUNNING
>>  >  > MEMCACHE Service: RUNNING
>>  >  > HTTP Service: RUNNING
>>  >  > CA Service: RUNNING
>>  >  > [skarulkar at ldap2 tmp]$
>>
>>  >
>>  > The tracking failed with:
>>  >
>>  > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
>>  > Improper format of Kerberos configuration file.
>>  >
>>  > It looks like it failed on this for most if not all the tracking. What
>>  > does /etc/krb5.conf look like?
>>  >
>>  >  >
>>  >  > 2) I am still not able to add client using ipa-client-install using the
>>  >  > replica.
>>  >
>>  > The temporary krb5.conf that is used during enrollment has
>>  > dns_lookup_kdc=True so it is probably trying to contact the other KDC
>>  > and failing.
>>  >
>>  > What is the output of:
>>  >
>>  > $ rpm -q ipa-client
>>  >
>>  >
>>  > rob
>>  >
>>  >
>>  >
>
>_______________________________________________
>Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
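The thread above turns on which KDC the client's krb5.conf (or the temporary one ipa-client-install writes) will make kinit contact, and whether that KDC is reachable from the client's VLAN. The following is an added diagnostic example, written for this page and not part of the thread or of FreeIPA: it parses a krb5.conf, lists the explicit `kdc =` entries for a realm together with the `dns_lookup_kdc` setting, and probes each listed KDC over TCP. The sample configuration is constructed to match the shape of the one quoted in the thread (same placeholder realm and host names); the probe is injectable so the logic runs offline. The note that MIT krb5 falls back to DNS SRV records only when the realm stanza lists no KDC, and that `dns_lookup_kdc` defaults to true, follows the MIT krb5.conf documentation.

```python
"""Added example (not from the thread or FreeIPA): which KDCs will a client
try for a realm, and can it reach them?  Useful before re-running
ipa-client-install when kinit reports it cannot contact any KDC."""
import re
import socket
import sys
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample: same shape as the krb5.conf quoted in the thread,
# using the thread's placeholder realm and host names.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   master_kdc = ldap2.mydomain.com:88
   admin_server = ldap2.mydomain.com:749
   default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines
    (repeated keys collect into a list) and 'name = { ... }' subsections.
    include/includedir directives are skipped, not followed."""
    sections: Dict[str, Any] = {}
    current: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("include ", "includedir ")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            stack = []
            continue
        if line == "}":
            if stack:
                current = stack.pop()
            continue
        opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if opener:
            stack.append(current)
            current = current.setdefault(opener.group(1), {})
            continue
        kv = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if kv:
            current.setdefault(kv.group(1), []).append(kv.group(2).strip())
    return sections


def kdc_candidates(conf: Dict[str, Any], realm: str) -> Tuple[List[str], bool]:
    """Explicit 'kdc =' entries for the realm, plus whether dns_lookup_kdc is
    on (default true).  MIT krb5 consults _kerberos._tcp SRV records for the
    KDC only when the realm stanza lists none."""
    explicit = list(conf.get("realms", {}).get(realm, {}).get("kdc", []))
    values = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])
    dns = values[-1].strip().lower() in ("true", "yes", "on", "1", "t", "y")
    return explicit, dns


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: can this client open a TCP connection to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcs(conf: Dict[str, Any], realm: str,
               probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, Any]:
    """Probe every explicit KDC for the realm and summarise the outcome."""
    explicit, dns = kdc_candidates(conf, realm)
    reachable: Dict[str, bool] = {}
    for entry in explicit:
        host, sep, port = entry.partition(":")
        reachable[entry] = probe(host, int(port) if sep else 88)  # 88 = Kerberos default
    if not explicit:
        verdict = "no kdc listed for %s; " % realm + (
            "DNS SRV discovery will choose the KDC" if dns
            else "dns_lookup_kdc is off, so no KDC can be located")
    elif not any(reachable.values()):
        verdict = "no listed KDC reachable: " + ", ".join(explicit)
    else:
        verdict = "ok"
    return {"realm": realm, "reachable": reachable,
            "dns_lookup_kdc": dns, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python3 kdc_check.py [/etc/krb5.conf] [REALM]; with no
    # arguments the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    cfg = parse_krb5_conf(text)
    realm_name = sys.argv[2] if len(sys.argv) > 2 else cfg["libdefaults"]["default_realm"][-1]
    print(check_kdcs(cfg, realm_name))
```

Run against the real file on a client that fails to enrol: a verdict of "no listed KDC reachable" points at the network path (as with the master and replica in separate VLANs here), while "no kdc listed ... DNS SRV discovery will choose the KDC" is the situation Rob describes for the temporary enrollment krb5.conf, where the SRV record may hand back a KDC the client cannot talk to.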