[Freeipa-users] Joining realm failed: SASL Bind failed Local error (-2)
Martin Kosek
mkosek at redhat.com
Mon Mar 10 07:42:19 UTC 2014
On 03/08/2014 07:39 AM, Rashard.Kelly at sita.aero wrote:
> Hello all!!
>
> I cannot get a RHEL5.10 client to install!
>
> [root at hostname ~]# ipa-client-install --hostname=hostname.domain.com
> --no-ntp --ca-cert-file=/etc/ipa/ca.crt
> DNS domain 'doman.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname:hostname.com
> Realm:DOMAIN.COM
> DNS Domain: domain.com
> IPA Server: ipaserver.com
> BaseDN: dc=ipa,dc=dc,dc=sita,dc=com
>
> Joining realm failed: SASL Bind failed Local error (-2) !
> child exited with 9
> Installation failed. Rolling back changes.
>
>
> This is what the krb log had to say
>
> Mar 08 06:24:00 ipaserver at domain.com krb5kdc[29358](info): TGS_REQ (1
> etypes {18}) 10.226.124.10: ISSUE: authtime 1394259840, etypes {rep=18
> tkt=18 ses=18}, rkelly at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM
> Mar 08 06:24:00 ipaserver at domain.com krb5kdc[29357](info): TGS_REQ (4
> etypes {18 17 16 23}) 10.226.20.31: ISSUE: authtime 1394259840, etypes
> {rep=18 tkt=18 ses=18}, rkelly at DOMAIN.COM for
> ldap/ipaserver.domain.com at DOMAIN.COM
> krb5kdc: Cannot determine realm for numeric host address - unable to find
> realm of host
> Mar 08 06:24:00 ipaserver at domain.como krb5kdc[29358](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0,
> rkelly at IPA2.DC.SITA.AERO for ldap/10.226.20.31 at DOMAIN.COM, Server not
> found in Kerberos database
> Mar 08 06:24:00 ipaserver at domain.com krb5kdc[29357](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0,
> rkelly at IPA2.DC.SITA.AERO for ldap/10.226.20.31 at DOMAIN.COM, Server not
> found in Kerberos database
>
>
> After reviewing the https://access.redhat.com/site/solutions/231543 post
> "IPA: Joining realm failed: SASL Bind failed Local error (-2) ! child
> exited with 9", I checked all my DNS info via dig and took a working DNS
> config from another server. Everything appears to be set up right.
>
>
> What could I be overlooking?

Looking at these error messages, I would bet that reverse records are not
right; notice the IPs instead of principal names in the KDC log. I would check
reverse records of both master and client, asked from both master and client.

Additional info here: http://www.freeipa.org/page/Troubleshooting#DNS_Issues

Martin
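
The check suggested in the reply above, as an added example that is not part of the original thread or of FreeIPA: it flags KDC log requests whose service principal carries an IP address where a host name belongs, then tests whether that address has a PTR record that resolves back to it. The sample log lines are constructed (example.com, 192.0.2.0/24), and the names `numeric_host_requests` and `ptr_status` are hypothetical.

```python
import ipaddress
import re
import socket

# Request part of a krb5kdc TGS_REQ line: "<status>: ... for <service>/<host>@<REALM>".
# Mail archives often rewrite "@" as " at ", so both spellings are accepted.
TGS_RE = re.compile(
    r"TGS_REQ .*?: (?P<status>[A-Z_]+): .* for "
    r"(?P<service>[^/\s]+)/(?P<host>[^@\s,]+)(?:@| at )(?P<realm>[^\s,]+)"
)

# Constructed sample lines modelled on the log format quoted in the thread.
SAMPLE_LOG = [
    "krb5kdc[101](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.31: ISSUE: authtime 1394259840, "
    "etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for ldap/kdc.example.com@EXAMPLE.COM",
    "krb5kdc[101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, "
    "admin@EXAMPLE.COM for ldap/192.0.2.31@EXAMPLE.COM, Server not found in Kerberos database",
    "krb5kdc[102](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, "
    "admin at EXAMPLE.COM for ldap/192.0.2.31 at EXAMPLE.COM, Server not found in Kerberos database",
]

def numeric_host_requests(lines):
    """Return (status, service, host, realm) for requests whose host part is an IP literal."""
    hits = []
    for line in lines:
        m = TGS_RE.search(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m["host"])
        except ValueError:
            continue  # a real host name: nothing to flag
        hits.append((m["status"], m["service"], m["host"], m["realm"]))
    return hits

def ptr_status(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Return (ptr_name, confirmed): the PTR name for ip (IPv4) and whether it resolves back to ip."""
    try:
        name = reverse(ip)[0]
    except OSError:
        return None, False  # no reverse record
    try:
        return name, ip in forward(name)[2]
    except OSError:
        return name, False

if __name__ == "__main__":
    for status, service, host, realm in numeric_host_requests(SAMPLE_LOG):
        print(f"{status}: {service}/{host}@{realm} -> PTR check {ptr_status(host)}")
```

Run `ptr_status` on both the master and the client, for both addresses, since each side may use a different resolver.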