[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Wed Mar 19 21:37:54 UTC 2014
Hello
I was able to successfully move all my clients to the replica, except that in the process I had to upgrade the client to "ipa-client-3.0.0-37.el6.x86_64" and sometimes run a --uninstall. But it works for the most part. I have been struggling with one last host with errors like below. I have tested the port connectivity using telnet and netcat commands, but the install thinks these ports are blocked?
kerberos authentication failed
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Client uninstall complete.
[root at www /]#
In the /var/log/ipaclient-install.log I also see things like below. I get Autodiscovery failures but I am manually entering things and they have been working.
2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2014-03-19T21:13:47Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Thursday, February 20, 2014 9:01 PM, Shree <shreerajkarulkar at yahoo.com> wrote:
Dmitri, Rob, Lucas et al. Thank you for all your help and patience and pointing me to the right direction. I was able to fix most of my issues. My setup is a little complex where I am trying to have a master and the replica in different networks and are in sync + each of them is serving a different set of hosts.
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Thursday, February 20, 2014 2:20 PM, Dmitri Pal <dpal at redhat.com> wrote:
On 02/20/2014 02:58 PM, Shree wrote:
Can you help me figure out? Below is some info on the existing working configuration on one of the clients
>1)Sudo version 1.7.4p5
>
>2)[root at test500 ~]# sssd --version
>1.9.2
>
>3)These are the uncommented lines in /etc/sssd/sssd.conf
>[sssd]
>config_file_version = 2
>services = nss, pam
>domains = mydomain.com
>[domain/mydomain.com]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = mydomain.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = dns.mydomain.com
>chpass_provider = ipa
>ipa_server = ldap.mydomain.com
>ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>=======================================
>4)And these are the options in /etc/nsswitch.conf
>sudoers: files ldap
>passwd: files sss
>shadow: files sss
>group: files sss
>
>Shreeraj
>----------------------------------------------------------------------------------------
>Change is the only Constant !
>
>On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>On 02/19/2014 06:52 PM, Shree wrote:
>Rob
>>You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like
>>=================
>>Autodiscovery of servers for failover cannot work with this configuration.
>>If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>>Proceed with fixed values and no DNS discovery? [no]: yes
>>=================
>>
>>I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.
>>
>>However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?
>>
Are you using SSSD and SUDO integration?
>What version of sudo and sssd?
>See if this would help: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>
>>Shreeraj
>>----------------------------------------------------------------------------------------
>>Change is the only Constant !
>>
>>On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>Shree wrote:
>>> [root at test500 ~]# rpm -q ipa-client
>>> ipa-client-2.2.0-16.el6.x86_64
>>> [root at test500 ~]#
>>
>>You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>>
>>Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on.
>>
>>I believe the problem is that it is still doing DNS discovery even though you've passed in a server name so it is setting up Kerberos to look up the KDC which it finds but can't talk to.
>>
>>This should be fixed in the 3.0 packages so updating to those is the preferred solution.
>>
>>For 2.x you can try the --force option which should make it skip some discovery.
>>
>>rob
>>
>>>
>>> Shreeraj
>>> ----------------------------------------------------------------------------------------
>>> Change is the only Constant !
>>>
>>> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Shree wrote:
>>> > Here are a couple of things
>>> >
>>> > [skarulkar at ldap2 ~]$ rpm -q ipa-client
>>> > ipa-client-3.0.0-26.el6_4.4.x86_64
>>>
>>> What is the version on the client that is failing to enroll?
>>>
>>> rob
>>>
>>> > and my /etc/krb5.conf looks like ..........
>>> > =======================================
>>> > includedir /var/lib/sss/pubconf/krb5.include.d/
>>> >
>>> > [logging]
>>> > default = FILE:/var/log/krb5libs.log
>>> > kdc = FILE:/var/log/krb5kdc.log
>>> > admin_server = FILE:/var/log/kadmind.log
>>> >
>>> > [libdefaults]
>>> > default_realm = MYDOMAIN.COM
>>> > dns_lookup_realm = false
>>> > dns_lookup_kdc = true
>>> > rdns = false
>>> > ticket_lifetime = 24h
>>> > forwardable = yes
>>> >
>>> > [realms]
>>> > MYDOMAIN.COM = {
>>> > kdc = ldap2.mydomain.com:88
>>> > master_kdc = ldap2.mydomain.com:88
>>> > admin_server = ldap2.mydomain.com:749
>>> > default_domain = mydomain.com
>>> > pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> > default_domain = mydomain.com
>>> > pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> > }
>>> >
>>> > [domain_realm]
>>> > .mydomain.com = MYDOMAIN.COM
>>> > mydomain.com = MYDOMAIN.COM
>>> >
>>> > [dbmodules]
>>> > MYDOMAIN.COM = {
>>> > db_library = ipadb.so
>>> > }
>>> > =======================================
>>> >
>>> > Shreeraj
>>> > ----------------------------------------------------------------------------------------
>>> > Change is the only Constant !
>>> >
>>> > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> > Shree wrote:
>>> > > 1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command
>>> > >
>>> > > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>> > >
>>> > > Now the replica looks like this
>>> > >
>>> > > [skarulkar at ldap2 tmp]$ sudo ipactl status
>>> > > [sudo] password for skarulkar:
>>> > > Directory Service: RUNNING
>>> > > KDC Service: RUNNING
>>> > > KPASSWD Service: RUNNING
>>> > > MEMCACHE Service: RUNNING
>>> > > HTTP Service: RUNNING
>>> > > CA Service: RUNNING
>>> > > [skarulkar at ldap2 tmp]$
>>> >
>>> > The tracking failed with:
>>> >
>>> > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
>>> > Improper format of Kerberos configuration file.
>>> >
>>> > It looks like it failed on this for most if not all the tracking. What does /etc/krb5.conf look like?
>>> >
>>> > > 2) I am still not able to add client using ipa-client-install using the replica.
>>> >
>>> > The temporary krb5.conf that is used during enrollment has dns_lookup_kdc=True so it is probably trying to contact the other KDC and failing.
>>> >
>>> > What is the output of:
>>> >
>>> > $ rpm -q ipa-client
>>> >
>>> > rob
>>> >
>>>
>>
>
>--
>Thank you,
>Dmitri Pal Sr. Engineering Manager for IdM portfolio
>Red Hat Inc. -------------------------------
>Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
It seems like you do not use SSSD integration so turning the debug on sudo and seeing what it is doing is the next step.
--
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
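The thread turns on two things: the installer's port list (TCP 80, 88, 389 and UDP 88 at enrollment; TCP/UDP 464 and UDP 123 afterwards) and the "Discovery result" log line, which shows DNS discovery selecting kdc=ldap.mydomain.com even though enrollment targets server=ldap2.mydomain.com. The script below is an added example, not code from the thread or from the FreeIPA project: it parses that log line format as quoted in the thread, flags a discovered KDC that differs from the enrollment server, and probes the TCP ports with a plain connect. The sample log text is constructed from the lines quoted above; the local listener exists only so the probe can be exercised offline, and the hostnames are the thread's own placeholders.

```python
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Ports listed by the ipa-client-install failure message quoted in the thread.
ENROLL_TCP_PORTS: Tuple[int, ...] = (80, 88, 389)
ENROLL_UDP_PORTS: Tuple[int, ...] = (88,)
POST_ENROLL_TCP_PORTS: Tuple[int, ...] = (464,)
POST_ENROLL_UDP_PORTS: Tuple[int, ...] = (464, 123)

# Constructed sample, modelled on the ipaclient-install.log lines quoted above.
SAMPLE_LOG = """\
2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
"""

_DISCOVERY_RE = re.compile(r"Discovery result: (?P<status>\w+); (?P<fields>.*)$")


def parse_discovery(log_text: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of the first 'Discovery result' line, or None."""
    for line in log_text.splitlines():
        m = _DISCOVERY_RE.search(line)
        if not m:
            continue
        fields = {"status": m.group("status")}
        # Fields are separated by ", ". Values such as basedn contain '=' and ','
        # but never ", ", so split on the separator first, then on the first '='.
        for item in m.group("fields").split(", "):
            key, _, value = item.partition("=")
            fields[key.strip()] = value.strip()
        return fields
    return None


def discovered_kdcs(fields: Dict[str, str]) -> List[str]:
    """The kdc field may name several KDCs separated by commas (assumption)."""
    return [k.strip().lower() for k in fields.get("kdc", "").split(",") if k.strip()]


def kdc_differs_from_server(fields: Dict[str, str]) -> bool:
    """True when DNS discovery picked a KDC other than the server being enrolled against."""
    server = fields.get("server", "").strip().lower()
    return bool(server) and server not in discovered_kdcs(fields)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect check; refused, filtered or unresolvable targets give False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tcp_ports(host: str, ports: Tuple[int, ...], timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether a TCP connection to host:port succeeded."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Throw-away TCP listener on 127.0.0.1 so the probe can run offline.

    Returns the listening socket (close it to stop) and the port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    fields = parse_discovery(SAMPLE_LOG)
    if fields is None:
        raise SystemExit("no Discovery result line found")
    print("discovery:", fields)
    if kdc_differs_from_server(fields):
        print(f"warning: DNS discovery chose kdc={fields['kdc']} but enrollment targets "
              f"server={fields['server']}; the enrollment-time kinit may go to the discovered KDC")
    srv, port = start_local_listener()
    print("local probe:", check_tcp_ports("127.0.0.1", (port,)))
    srv.close()
    # Against the real replica the call would be, for example:
    # check_tcp_ports("ldap2.mydomain.com", ENROLL_TCP_PORTS)
```

The TCP probe covers the same ground as the telnet and netcat tests mentioned in the thread; UDP 88 and UDP 123 cannot be verified by a connect, so they are listed but not probed. The more useful signal is the KDC mismatch: when the kdc field names a host other than the server passed to the installer, a successful port test against the replica says nothing about whether the KDC that Kerberos will actually use is reachable.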