[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Dmitri Pal dpal at redhat.com
Thu Feb 20 21:00:00 UTC 2014


On 02/20/2014 02:58 PM, Shree wrote:
> Can you help me figure out, below is some info on the existing working 
> configuration on one of the clients
> 1)Sudo version 1.7.4p5
>
> 2)[root at test500 ~]# sssd --version
> 1.9.2
>
> 3)These are the uncommented lines in /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = mydomain.com
> [domain/mydomain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mydomain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dns.mydomain.com
> chpass_provider = ipa
> ipa_server = ldap.mydomain.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
> =======================================
> 4)And these are the options in /etc/nsswitch.conf
> sudoers:    files ldap
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> Shreeraj
> ---------------------------------------------------------------------------------------- 
>
>
> Change is the only Constant !
>
>
> On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <dpal at redhat.com> 
> wrote:
> On 02/19/2014 06:52 PM, Shree wrote:
>> Rob
>> You were right. After upgrading the client to the 
>> ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning 
>> during the client install that went something like
>> =================
>> Autodiscovery of servers for failover cannot work with this 
>> configuration.
>> If you proceed with the installation, services will be configured to 
>> always access the discovered server for all operations and will not 
>> fail over to other servers in case of failure.
>> Proceed with fixed values and no DNS discovery? [no]: yes
>> =================
>> I continued by saying yes because in my case the master and the 
>> replica are in different VLANs and failover is not possible for me. I 
>> have tried in two hosts successfully and am hoping that does the trick.
>>
>> However I see one issue immediately that my sudo access does not seem 
>> to work now on the newly added clients! Do you know what might be 
>> happening?
> Are you using SSSD and SUDO integration?
> What version of sudo and sssd?
> See if this would help: 
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
>
>> Shreeraj
>> ---------------------------------------------------------------------------------------- 
>>
>>
>> Change is the only Constant !
>>
>>
>> On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden 
>> <rcritten at redhat.com> wrote:
>> Shree wrote:
>> > [root at test500 ~]# rpm -q ipa-client
>> > ipa-client-2.2.0-16.el6.x86_64
>> > [root at test500 ~]#
>>
>> You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>>
>> Unfortunately our logging around discovery was rather horrible in 2.2.x
>> so it is difficult to know exactly what is going on.
>>
>> I believe the problem is that it is still doing DNS discovery even
>> though you've passed in a server name so it is setting up Kerberos to
>> look up the KDC which it finds but can't talk to.
>>
>> This should be fixed in the 3.0 packages so updating to those is the
>> preferred solution.
>>
>> For 2.x you can try the --force option which should make it skip some
>> discovery.
>>
>> rob
>>
>> >
>> >
>> > Shreeraj
>> > 
>> ----------------------------------------------------------------------------------------
>> >
>> >
>> > Change is the only Constant !
>> >
>> >
>> > On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
>> > <rcritten at redhat.com> wrote:
>> > Shree wrote:
>> > > Here are a couple of things
>> > >
>> > > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>> > > ipa-client-3.0.0-26.el6_4.4.x86_64
>> >
>> > What is the version on the client that is failing to enroll?
>> >
>> > rob
>> >
>> > >
>> > > and my /etc/krb5.conf looks like ..........
>> > > =======================================
>> > > includedir /var/lib/sss/pubconf/krb5.include.d/
>> > >
>> > > [logging]
>> > >  default = FILE:/var/log/krb5libs.log
>> > >  kdc = FILE:/var/log/krb5kdc.log
>> > >  admin_server = FILE:/var/log/kadmind.log
>> > >
>> > > [libdefaults]
>> > >  default_realm = MYDOMAIN.COM
>> > >  dns_lookup_realm = false
>> > >  dns_lookup_kdc = true
>> > >  rdns = false
>> > >  ticket_lifetime = 24h
>> > >  forwardable = yes
>> > >
>> > > [realms]
>> > >  MYDOMAIN.COM = {
>> > >    kdc = ldap2.mydomain.com:88
>> > >    master_kdc = ldap2.mydomain.com:88
>> > >    admin_server = ldap2.mydomain.com:749
>> > >    default_domain = mydomain.com
>> > >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>> > > default_domain = mydomain.com
>> > >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>> > > }
>> > >
>> > > [domain_realm]
>> > >  .mydomain.com = MYDOMAIN.COM
>> > >  mydomain.com = MYDOMAIN.COM
>> > >
>> > > [dbmodules]
>> > >    MYDOMAIN.COM = {
>> > >      db_library = ipadb.so
>> > >    }
>> > >
>> > > =======================================
>> > >
>> > >
>> > > Shreeraj
>> > >
>> > 
>> ----------------------------------------------------------------------------------------
>> > >
>> > >
>> > > Change is the only Constant !
>> > >
>> > >
>> > > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
>> > > <rcritten at redhat.com> wrote:
>> > > Shree wrote:
>> > > > 1) I have got a step further. My replica is not running CA Service.
>> > > > To achieve this I had to remove the existing cert with this command
>> > > >
>> > > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>> > > >
>> > > > Now the replica looks like this
>> > > >
>> > > > [skarulkar at ldap2 tmp]$ sudo ipactl status
>> > > > [sudo] password for skarulkar:
>> > > > Directory Service: RUNNING
>> > > > KDC Service: RUNNING
>> > > > KPASSWD Service: RUNNING
>> > > > MEMCACHE Service: RUNNING
>> > > > HTTP Service: RUNNING
>> > > > CA Service: RUNNING
>> > > > [skarulkar at ldap2 tmp]$
>> >
>> > >
>> > > The tracking failed with:
>> > >
>> > > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
>> > > Improper format of Kerberos configuration file.
>> > >
>> > > It looks like it failed on this for most if not all the tracking.
>> > > What does /etc/krb5.conf look like?
>> > >
>> > > >
>> > > > 2) I am still not able to add client using ipa-client-install
>> > > > using the replica.
>> > >
>> > > The temporary krb5.conf that is used during enrollment has
>> > > dns_lookup_kdc=True so it is probably trying to contact the other KDC
>> > > and failing.
>> > >
>> > > What is the output of:
>> > >
>> > > $ rpm -q ipa-client
>> > >
>> > >
>> > > rob
>> > >
>> > >
>> > >
>> >
>> >
>> >
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
It seems like you do not use SSSD integration so turning the debug on 
sudo and seeing what it is doing is the next step.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
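As an added example (not code from the thread or from the FreeIPA/SSSD projects), a small checker that reads an sssd.conf and an nsswitch.conf and lists the reasons sudo would not be served by SSSD; the sample inputs are constructed to mirror the configuration quoted above, and the checks assume the standard `services` and `sudo_provider` keys in sssd.conf and the `sudoers:` line in nsswitch.conf.

```python
import configparser

# Constructed samples mirroring the sssd.conf and nsswitch.conf quoted in the thread.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ldap.mydomain.com
"""
NSSWITCH_CONF = """\
sudoers:    files ldap
passwd:     files sss
shadow:     files sss
group:      files sss
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def nsswitch_sources(nsswitch_text, database):
    """Return the source list configured for one nsswitch database, e.g. ['files', 'ldap']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

def audit_sudo_integration(sssd_text, nsswitch_text):
    """List why sudo would not be served by SSSD; an empty list means integration is wired up."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    findings = []
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("sssd.conf: 'sudo' responder is not listed in [sssd] services")
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        section = "domain/" + domain
        # sudo_provider defaults to the id_provider's value; only an explicit 'none' disables it.
        if cp.get(section, "sudo_provider", fallback="").strip().lower() == "none":
            findings.append(f"sssd.conf: sudo_provider = none in [{section}]")
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf: 'sudoers' line does not include the sss source")
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_integration(SSSD_CONF, NSSWITCH_CONF):
        print(finding)
```

Run against the quoted configuration it reports both gaps (no sudo responder, sudoers resolved via ldap rather than sss), which is what the "you do not use SSSD integration" observation above is based on.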


