[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Fri Feb 21 04:52:19 UTC 2014
Dmitri, Rob, Lucas et al. Thank you for all your help and patience and for pointing me in the right direction. I was able to fix most of my issues. My setup is a little complex: I am trying to have the master and the replica in different networks, kept in sync, with each of them serving a different set of hosts.
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Thursday, February 20, 2014 2:20 PM, Dmitri Pal <dpal at redhat.com> wrote:
On 02/20/2014 02:58 PM, Shree wrote:
> Can you help me figure out? Below is some info on the existing working configuration on one of the clients.
>
> 1) Sudo version 1.7.4p5
>
> 2) [root at test500 ~]# sssd --version
> 1.9.2
>
> 3) These are the uncommented lines in /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = mydomain.com
> [domain/mydomain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mydomain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dns.mydomain.com
> chpass_provider = ipa
> ipa_server = ldap.mydomain.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> =======================================
> 4) And these are the options in /etc/nsswitch.conf
> sudoers: files ldap
> passwd: files sss
> shadow: files sss
> group: files sss
>
> Shreeraj
>
>On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 02/19/2014 06:52 PM, Shree wrote:
>> Rob
>> You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like
>> =================
>> Autodiscovery of servers for failover cannot work with this configuration.
>> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>> Proceed with fixed values and no DNS discovery? [no]: yes
>> =================
>>
>> I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried it on two hosts successfully and am hoping that does the trick.
>>
>> However I see one issue immediately: my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?
>>
> Are you using SSSD and SUDO integration?
> What version of sudo and sssd?
> See if this would help: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
>> Shreeraj
>>
>>On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Shree wrote:
>>> [root at test500 ~]# rpm -q ipa-client
>>> ipa-client-2.2.0-16.el6.x86_64
>>> [root at test500 ~]#
>>
>> You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>>
>> Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on.
>>
>> I believe the problem is that it is still doing DNS discovery even though you've passed in a server name so it is setting up Kerberos to look up the KDC which it finds but can't talk to.
>>
>> This should be fixed in the 3.0 packages so updating to those is the preferred solution.
>>
>> For 2.x you can try the --force option which should make it skip some discovery.
>>
>> rob
>>
>>>
>>> Shreeraj
>>>
>>> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Shree wrote:
>>> > Here are a couple of things
>>> >
>>> > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>>> > ipa-client-3.0.0-26.el6_4.4.x86_64
>>>
>>> What is the version on the client that is failing to enroll?
>>>
>>> rob
>>>
>>> >
>>> > and my /etc/krb5.conf looks like ..........
>>> >
>>> > =======================================
>>> > includedir /var/lib/sss/pubconf/krb5.include.d/
>>> >
>>> > [logging]
>>> > default = FILE:/var/log/krb5libs.log
>>> > kdc = FILE:/var/log/krb5kdc.log
>>> > admin_server = FILE:/var/log/kadmind.log
>>> >
>>> > [libdefaults]
>>> > default_realm = MYDOMAIN.COM
>>> > dns_lookup_realm = false
>>> > dns_lookup_kdc = true
>>> > rdns = false
>>> > ticket_lifetime = 24h
>>> > forwardable = yes
>>> >
>>> > [realms]
>>> > MYDOMAIN.COM = {
>>> > kdc = ldap2.mydomain.com:88
>>> > master_kdc = ldap2.mydomain.com:88
>>> > admin_server = ldap2.mydomain.com:749
>>> > default_domain = mydomain.com
>>> > pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> > default_domain = mydomain.com
>>> > pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> > }
>>> >
>>> > [domain_realm]
>>> > .mydomain.com = MYDOMAIN.COM
>>> > mydomain.com = MYDOMAIN.COM
>>> >
>>> > [dbmodules]
>>> > MYDOMAIN.COM = {
>>> > db_library = ipadb.so
>>> > }
>>> >
>>> > =======================================
>>> >
>>> > Shreeraj
>>> >
>>> > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> > Shree wrote:
>>> > > 1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command
>>> > >
>>> > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>> > >
>>> > > Now the replica looks like this
>>> > >
>>> > > [skarulkar at ldap2 tmp]$ sudo ipactl status
>>> > > [sudo] password for skarulkar:
>>> > > Directory Service: RUNNING
>>> > > KDC Service: RUNNING
>>> > > KPASSWD Service: RUNNING
>>> > > MEMCACHE Service: RUNNING
>>> > > HTTP Service: RUNNING
>>> > > CA Service: RUNNING
>>> > > [skarulkar at ldap2 tmp]$
>>> >
>>> > The tracking failed with:
>>> >
>>> > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library: Improper format of Kerberos configuration file.
>>> >
>>> > It looks like it failed on this for most if not all the tracking. What does /etc/krb5.conf look like?
>>> >
>>> > > 2) I am still not able to add client using ipa-client-install using the replica.
>>> >
>>> > The temporary krb5.conf that is used during enrollment has dns_lookup_kdc=True so it is probably trying to contact the other KDC and failing.
>>> >
>>> > What is the output of:
>>> >
>>> > $ rpm -q ipa-client
>>> >
>>> > rob
>>> >
>>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
It seems like you do not use SSSD integration, so turning on sudo debugging and seeing what it is doing is the next step.
--
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
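
The enrollment failure in this thread comes down to how the client locates a KDC: the posted /etc/krb5.conf pins `kdc = ldap2.mydomain.com:88` but also has `dns_lookup_kdc = true`, and Rob notes that the temporary krb5.conf used during enrollment has `dns_lookup_kdc=True` with no realm yet, so the KDC comes from DNS SRV records that may point at the master on the other VLAN. The checker below is an added example written for this page, not FreeIPA or MIT krb5 code. It parses the krb5.conf profile syntax, reports the default realm's fixed KDCs, whether DNS discovery is on, and any repeated keys in the realm block, and applies the MIT krb5 rule that SRV lookup is only used for a realm that lists no `kdc`. The first sample is constructed from the posted file; the second is a constructed approximation of the realm-less enrollment-time file (an assumption about its exact contents). The SSSD KDC locator plugin pulled in through `krb5.include.d` is outside this file and is not modelled.

```python
"""Audit how a client's krb5.conf locates the KDC for its default realm.

Added example for this thread, not FreeIPA code. POSTED_KRB5_CONF is
constructed from the krb5.conf quoted in the thread; ENROLLMENT_TMP_KRB5_CONF
is a constructed approximation of a libdefaults-only file with no realm
section (assumption), the enrollment-time situation described above.
"""
import re
import socket

POSTED_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
"""

# Constructed approximation of a realm-less, discovery-only configuration.
ENROLLMENT_TMP_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
"""


def parse_krb5_conf(text):
    """Parse krb5.conf profile syntax into {section: {key: [values]}}.

    A relation block such as MYDOMAIN.COM = { ... } under [realms] is keyed
    "realms/MYDOMAIN.COM". Values are lists so that repeated keys stay visible.
    """
    conf = {}
    section, stack = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in ("include", "includedir"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, stack = m.group(1), []
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:
            stack.append(m.group(1))
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m and section:
            key = "/".join([section] + stack)
            conf.setdefault(key, {}).setdefault(m.group(1), []).append(m.group(2))
    return conf


def audit_kdc_location(conf):
    """Report fixed KDCs, DNS discovery state, repeated keys and findings."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    # MIT default for dns_lookup_kdc is true when the key is absent.
    dns_lookup_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower() in ("true", "yes", "1")
    realm_conf = conf.get("realms/%s" % realm, {})
    fixed_kdcs = realm_conf.get("kdc", [])
    duplicates = sorted(k for k, v in realm_conf.items() if len(v) > 1)
    findings = []
    if fixed_kdcs:
        findings.append("KDC pinned to %s; MIT krb5 consults DNS SRV records only for a realm "
                        "that lists no kdc, so discovery does not override this" % ", ".join(fixed_kdcs))
    elif dns_lookup_kdc:
        findings.append("no kdc listed for %s and dns_lookup_kdc is on: the KDC comes from "
                        "_kerberos._udp/_tcp.%s SRV records, which may name a server this "
                        "client cannot reach" % (realm, realm))
    else:
        findings.append("no kdc listed for %s and dns_lookup_kdc is off: kinit cannot find a KDC" % realm)
    if duplicates:
        findings.append("keys repeated in the %s realm block: %s" % (realm, ", ".join(duplicates)))
    return {"realm": realm, "fixed_kdcs": fixed_kdcs, "dns_lookup_kdc": dns_lookup_kdc,
            "duplicate_keys": duplicates, "findings": findings}


def kdc_reachable(kdc, timeout=2.0):
    """TCP connect to host[:port] (default 88). Network-dependent, so it is
    only meant for interactive use against a real KDC entry."""
    host, _, port = kdc.partition(":")
    try:
        with socket.create_connection((host, int(port or 88)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, text in (("posted", POSTED_KRB5_CONF), ("enrollment-time", ENROLLMENT_TMP_KRB5_CONF)):
        report = audit_kdc_location(parse_krb5_conf(text))
        print("%s: realm=%s fixed_kdcs=%s dns_lookup_kdc=%s" % (
            name, report["realm"], report["fixed_kdcs"], report["dns_lookup_kdc"]))
        for finding in report["findings"]:
            print("  - " + finding)
```

Run it against a client's real /etc/krb5.conf by reading the file into `parse_krb5_conf`, then pass each entry in `fixed_kdcs` to `kdc_reachable` to confirm the pinned KDC is actually reachable from that network; a pinned but unreachable KDC gives the same "cannot contact any KDC" symptom as a wrong SRV answer.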
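
On the sudo question, the posted configuration (sudo 1.7.4p5, `sudoers: files ldap` in nsswitch.conf, `services = nss, pam` and no `sudo_provider` in sssd.conf) means sudo is fetching rules through its own LDAP client, not through SSSD, which is what Dmitri concludes. The checker below is an added example for this page, not sudo, SSSD or FreeIPA code. It reads nsswitch.conf and sssd.conf, says which path sudo uses, and flags combinations that cannot work: `sudoers: files sss` on a sudo older than 1.8.6 (assumed here to be the first release with the sss backend), or `sss` in nsswitch without the sudo responder in `services`. The "posted" samples are constructed from the thread; the "fixed" samples show the SSSD-integrated layout, with `sudo_provider = ipa` as the assumed provider setting for these versions (the Freeipa30_SSSD_SUDO_Integration.pdf linked above is the authoritative source for the exact settings). The rule that an unset `sudo_provider` falls back to the domain's `id_provider` is also an assumption stated in the code.

```python
"""Work out which path sudo uses for rule lookup on an IPA client and flag
combinations that cannot work.

Added example for this thread, not sudo, SSSD or FreeIPA code. The "posted"
samples are constructed from the configuration quoted in the thread; the
"fixed" samples show the SSSD-integrated layout. Assumptions: sudo gained
its sss backend in 1.8.6, and an unset sudo_provider defaults to id_provider.
"""
import configparser
import re

SUDO_SSS_MIN_VERSION = (1, 8, 6)  # assumption: first sudo release with the sss backend

NSSWITCH_POSTED = "sudoers: files ldap\npasswd: files sss\nshadow: files sss\ngroup: files sss\n"
NSSWITCH_FIXED = "sudoers: files sss\npasswd: files sss\nshadow: files sss\ngroup: files sss\n"

SSSD_CONF_POSTED = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = ldap.mydomain.com
ipa_hostname = dns.mydomain.com
"""

SSSD_CONF_FIXED = """\
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = mydomain.com
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ipa
ipa_server = ldap.mydomain.com
ipa_hostname = dns.mydomain.com
"""


def sudo_version_tuple(version):
    """'1.7.4p5' -> (1, 7, 4, 5); a missing patch level counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised sudo version: %r" % version)
    return tuple(int(x or 0) for x in m.groups())


def nsswitch_sources(text, database="sudoers"):
    """Return the source list for one nsswitch.conf database, e.g. ['files', 'sss']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []


def _csv(value):
    return [x.strip() for x in value.split(",") if x.strip()]


def sssd_sudo_settings(text):
    """Return (enabled responders, {domain: effective sudo_provider})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    services = _csv(cp.get("sssd", "services", fallback=""))
    providers = {}
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        section = "domain/" + domain
        if cp.has_section(section):
            # Assumption: sudo_provider defaults to the domain's id_provider.
            id_provider = cp.get(section, "id_provider", fallback="none")
            providers[domain] = cp.get(section, "sudo_provider", fallback=id_provider)
    return services, providers


def audit_sudo_path(nsswitch_text, sssd_text, sudo_version):
    """Classify the sudo rule source as files / ldap / sss and list problems."""
    sources = nsswitch_sources(nsswitch_text)
    services, providers = sssd_sudo_settings(sssd_text)
    findings = []
    if "sss" in sources:
        path = "sss"
        if sudo_version_tuple(sudo_version) < SUDO_SSS_MIN_VERSION:
            findings.append("sudo %s has no sss backend; 'sudoers: files sss' needs sudo >= 1.8.6" % sudo_version)
        if "sudo" not in services:
            findings.append("nsswitch sends sudo to sss but sssd.conf services= does not start the sudo responder")
        for domain, provider in providers.items():
            if provider not in ("ipa", "ldap"):
                findings.append("domain %s has sudo_provider %s, which serves no rules" % (domain, provider))
    elif "ldap" in sources:
        path = "ldap"
        findings.append("sudo queries LDAP through its own client configuration; SSSD is not involved in rule lookup")
    else:
        path = "files"
    return {"sources": sources, "path": path, "sssd_services": services,
            "sudo_providers": providers, "findings": findings}


if __name__ == "__main__":
    for label, nss, sssd, ver in (("posted", NSSWITCH_POSTED, SSSD_CONF_POSTED, "1.7.4p5"),
                                  ("fixed", NSSWITCH_FIXED, SSSD_CONF_FIXED, "1.8.6p3")):
        report = audit_sudo_path(nss, sssd, ver)
        print("%s: sudo rules via %s; findings: %s" % (label, report["path"], report["findings"]))
```

For the "ldap" path the thing to debug is sudo's own LDAP client (`sudo -D 9` style debugging on old sudo, or `Debug sudo` in sudo.conf on 1.8.x), since SSSD logs will show nothing about sudo at all; for the "sss" path, `sssd_sudo` logs and the responder being listed in `services` are what to check first.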