[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree
shreerajkarulkar at yahoo.com
Mon Mar 24 18:20:01 UTC 2014
If you look at the attached logs, you can see it is going to the correct DNS server. dig information is also correct. There is something else going on I can figure out what?
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <dpal at redhat.com> wrote:
On 03/21/2014 07:44 PM, Shree wrote:
>Hi
>Attaching the install log. It complains about being unable to reach
>certain ports; however, my tests using telnet were successful.
>Also, to refresh your memory, the client should be reaching for
>the replica ldap2.mydomain.com and not ldap.mydomain.com, which it
>does for the most part, but I found a couple of instances of
>ldap.mydomain.com in the log. Let me know what you find. I can't
>believe I migrated over 40 servers and only this one refuses to
>install ipa-client.
>
>
If it is getting to the wrong server, then it is either looking at
the wrong DNS server (see resolv.conf), which is telling it to use
the wrong IPA server (maybe from some old try/POC), or it has some
explicit entries entered in /etc/hosts.
>
>
>Shreeraj
>----------------------------------------------------------------------------------------
>
>Change is the only Constant !
>
>
>
>On Thursday, March 20, 2014 4:29 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>On 03/19/2014 10:37 PM, Shree wrote:
>
>> Hello
>> I was able to successfully move all my clients to
>> the replica, except in the process I had to upgrade the
>> client to "ipa-client-3.0.0-37.el6.x86_64" and sometimes
>> run a --uninstall. But it works for the most part. Have been
>> struggling with one last host with errors like below.
>> I have tested the port connectivity using telnet and
>> netcat commands but the install thinks these ports are
>> blocked?
>>
>>
>>
>>
>> kerberos authentication failed
>> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
>>
>> Please make sure the following ports are opened in the firewall settings:
>> TCP: 80, 88, 389
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>> TCP: 464
>> UDP: 464, 123 (if NTP enabled)
>> Installation failed. Rolling back changes.
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>> Restoring client configuration files
>> Client uninstall complete.
>> [root@www /]#
>>
>> In the /var/log/ipaclient-install.log I also see
>> things like below. I get Autodiscovery failures but I
>> am manually entering things and they have been
>> working.
>>
>> 2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
>> 2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
>> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
>> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
>> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work with this configuration.
>> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>
>Ok. I would guess you have some DNS issue. But it is hard to tell without the
>entire ipaclient-install.log of the failed installation.
>
>Martin
>
>
>
>
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
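
Added example (not part of the thread and not FreeIPA's own code): the log excerpt quoted above records a discovery result with server=ldap2.mydomain.com but kdc=ldap.mydomain.com, and the reply points at resolv.conf and /etc/hosts. This Python script extracts such mismatches from an ipaclient-install.log and lists hosts-file lines that pin the other name; the function names and the sample hosts content are constructed, and the log line format is assumed to match the excerpt.

```python
import re

KEYS = "server|domain|kdc|basedn"
# Line format taken from the ipaclient-install.log excerpt quoted in the thread.
DISCOVERY_RE = re.compile(r"^(\S+)\s+DEBUG\s+Discovery result:\s*([^;]+);\s*(.*)$")
# basedn contains ',' and '=', so a value ends only where the next known key begins.
FIELD_RE = re.compile(rf"({KEYS})=(.*?)(?=,\s*(?:{KEYS})=|$)")


def parse_discovery(log_text):
    """Return one dict per 'Discovery result' line (ts, status, server, kdc, ...)."""
    results = []
    for line in log_text.splitlines():
        m = DISCOVERY_RE.match(line.strip())
        if m:
            entry = {"ts": m.group(1), "status": m.group(2).strip()}
            entry.update({k: v.strip() for k, v in FIELD_RE.findall(m.group(3))})
            results.append(entry)
    return results


def kdc_mismatches(log_text):
    """(timestamp, server, other KDC hosts) where discovery named a KDC that is not the server."""
    out = []
    for e in parse_discovery(log_text):
        server = e.get("server", "").lower()
        others = [k.strip() for k in e.get("kdc", "").split(",")
                  if k.strip() and k.strip().lower() != server]
        if others:
            out.append((e["ts"], e.get("server"), others))
    return out


def hosts_entries(hosts_text, names):
    """(address, names) for /etc/hosts-style lines that pin any of the given host names."""
    wanted = {n.lower() for n in names}
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and wanted & {f.lower() for f in fields[1:]}:
            hits.append((fields[0], fields[1:]))
    return hits


# Log lines copied from the thread; the hosts content is constructed for illustration.
SAMPLE_LOG = """\
2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 ldap.mydomain.com ldap  # constructed entry\n"

if __name__ == "__main__":
    for ts, server, others in kdc_mismatches(SAMPLE_LOG):
        print(f"{ts}: server={server} but kdc={','.join(others)}")
        print("hosts entries:", hosts_entries(SAMPLE_HOSTS, others))
```

To run it against a real client, pass the contents of /var/log/ipaclient-install.log and /etc/hosts in place of the sample strings.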