[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Shree shreerajkarulkar at yahoo.com
Mon Mar 24 18:20:01 UTC 2014 

If you look at the attached logs, you can see it is going to the correct dns server. dig information is also correct. There is something else going on I can figure out what?


 
Shreeraj 
---------------------------------------------------------------------------------------- 

Change is the only Constant !



On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <dpal at redhat.com> wrote:
 
On 03/21/2014 07:44 PM, Shree wrote: 
Hi
>Attaching the install log. It complains about unable to reach
        certain ports, however my tests by using telnet were successful.
        Also to refresh your memory the client should be reaching for
        the replica lda2.mydomain.com and not ldap.mydomain.com which it
        does for the most part but I found a couple of instances of
        ldap.mydomain.com in the log. Let me know what you find. I can't
        believe I migrated over 40 servers and only this one refuses to
        install ipa-client.
>
>
If it is getting to the wrong server then it is either looking at
    the wrong DNS server (see resolve.conf) which is telling it to use
    the wrong IPA server (may be from some old try/POC) or it has some
    explicit entries entered in /etc/hosts.




>
> 
>Shreeraj 
>---------------------------------------------------------------------------------------- 
>
>Change is the only Constant !
>
>
>
>On Thursday, March 20, 2014 4:29 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>On 03/19/2014 10:37 PM, Shree wrote: 
>
>> Hello
>> I was able to successfully move all my clients to
                  the replica except on the process I had to upgrade the
                  client to "ipa-client-3.0.0-37.el6.x86_64" and some
                  times run a --uninstall 
>> 
>> . Bit it works for the most part. Have been
                  struggling with one last host with errors like below.
                  I have tested the port connectivity using telnet and
                  netcat commands but the install thinks these ports are
                  blocked? 
>> 
>>  
>> 
>> 
>> kerberos authentication failed
>> kinit: Cannot contact any KDC for realm
                  'MYDOMAIN.COM' while getting initial credentials
>> 
>> Please make sure the following ports are opened
                  in the firewall settings:
>>      TCP: 80, 88, 389
>>      UDP: 88 (at least one of TCP/UDP ports 88
                  has to be open)
>> Also note that following ports are necessary for
                  ipa-client working properly after enrollment:
>>      TCP: 464
>>      UDP: 464, 123 (if NTP enabled)
>> Installation failed. Rolling back changes.
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file
                  /etc/sssd/sssd.conf was moved to
                  /etc/sssd/sssd.conf.deleted
>> Restoring client configuration files
>> Client uninstall complete.
>> [root at www /]#
>> 
>> In the /var/log/ipaclient-install.log I also see
                  things like below. I get Autodiscovery failures but I
                  am manually entering things and they have been
                  working.
>> 
>> 2014-03-19T21:13:47Z DEBUG Found:
                  cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
>> 2014-03-19T21:13:47Z DEBUG Discovery result:
                  Success; server=ldap2.mydomain.com,
                  domain=mydomain.com, kdc=ldap.mydomain.com,
                  basedn=dc=mydomain,dc=com
>> 2014-03-19T21:13:47Z DEBUG Validated servers:
                  ldap2.mydomain.com
>> 2014-03-19T21:13:47Z WARNING The failure to use
                  DNS to find your IPA server indicates that your
                  resolv.conf file is not properly configured.
>> 2014-03-19T21:13:47Z INFO Autodiscovery of
                  servers for failover cannot work with this
                  configuration.
>> 2014-03-19T21:13:47Z INFO If you proceed with the
                  installation, services will be configured to always
                  access the discovered server for all operations and
                  will not fail over to other servers in case of
                  failure.
>
>Ok. I would guess you have some DNS issue. But it is
                hard to tell without the
>entire ipaclient-install.log of the failed installation.
>
>Martin 
>
>
>
>


-- 
Thank you,
Dmitri Pal Sr. Engineering Manager for IdM portfolio
Red Hat Inc. -------------------------------
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140324/eca56337/attachment.htm>

More information about the Freeipa-users mailing list