[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Martin Kosek mkosek at redhat.com
Thu Mar 20 07:51:35 UTC 2014


On 03/19/2014 10:37 PM, Shree wrote:
> Hello
> I was able to successfully move all my clients to the replica, except in the process I had to upgrade the client to "ipa-client-3.0.0-37.el6.x86_64" and sometimes run a --uninstall. But it works for the most part. Have been struggling with one last host with errors like below. I have tested the port connectivity using telnet and netcat commands but the install thinks these ports are blocked?
> 
> kerberos authentication failed
> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
> 
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> Client uninstall complete.
> [root@www /]#
> 
> In the /var/log/ipaclient-install.log I also see things like below. I get Autodiscovery failures but I am manually entering things and they have been working.
> 
> 2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
> 2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work with this configuration.
> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.

Ok. I would guess you have some DNS issue. But it is hard to tell without the
entire ipaclient-install.log of the failed installation.

Martin
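
An added example, not part of the original thread or of FreeIPA's own code: a small parser for the ipaclient-install.log lines quoted above that extracts the discovery result and lists every host named in it, so that port tests can be run against each one. The log layout is assumed from the lines in the post, and the function names are hypothetical.

```python
import re

# Log lines copied from the post above (hostnames as the poster anonymised them).
SAMPLE_LOG = """\
2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
"""

LINE_RE = re.compile(r"^(\S+)\s+(DEBUG|INFO|WARNING|ERROR)\s+(.*)$")
DISCOVERY_RE = re.compile(r"^Discovery result: (\w+); (.*)$")


def parse_discovery(log_text):
    """Return the fields of the last 'Discovery result' line as a dict."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        d = DISCOVERY_RE.match(m.group(3)) if m else None
        if not d:
            continue
        result = {"status": d.group(1)}
        # basedn contains commas itself, so split only where ", key=" starts.
        for pair in re.split(r", (?=\w+=)", d.group(2)):
            key, _, value = pair.partition("=")
            result[key] = value
    return result


def triage(log_text):
    """Return (hosts to port-test, findings) for an enrollment log."""
    disc = parse_discovery(log_text)
    findings, validated = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, msg = m.group(2), m.group(3)
        if msg.startswith("Validated servers:"):
            validated = re.split(r"[,\s]+", msg.split(":", 1)[1].strip())
        elif level in ("WARNING", "ERROR"):
            findings.append(f"{level}: {msg}")
    kdc = disc.get("kdc")
    if kdc and kdc not in validated:
        findings.append(f"kdc {kdc} is not among validated servers {validated}; "
                        "test 88/tcp and 88/udp against it as well")
    return sorted(set(validated) | ({kdc} if kdc else set())), findings
```
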



