[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Martin Kosek
mkosek at redhat.com
Tue Mar 25 07:50:20 UTC 2014
It is searching for ldap.mydomain.com because you still have the DNS SRV record
_kerberos._udp.mydomain.com. pointing to it. I would start there.
As for the failure, I would check that the generated /etc/krb5.conf is correct:
~~~~~~~~~
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = ldap2.mydomain.com:88
master_kdc = ldap2.mydomain.com:88
admin_server = ldap2.mydomain.com:749
default_domain = mydomain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
~~~~~~~~
(I assume you did more anonymizing than expected; ipa-client-install does not
generate 2 domain_realm mappings unless the client domain is different than the server
domain (e.g. client.other.mydomain.com and server.mydomain.com).)
What I would do in your place is to:
1) Backup your current /etc/krb5.conf
2) Replace it with the krb5.conf which was generated during ipa-client-install
(you can find the non-anonymized version in ipaclient-install.log)
3) Try to kinit: kinit skarulkar@MYDOMAIN.COM
Then it will be easier to troubleshoot. To get more information about what kinit
actually does, try enabling a trace:
# KRB5_TRACE=/dev/stdout kinit skarulkar@MYDOMAIN.COM
You will then be able to see if it really connects to the right IP address, which
would enable you to debug further.
Martin
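A check for the DNS-versus-krb5.conf mismatch described above, added here as an example and not part of the original thread. It parses a krb5.conf modelled on the one quoted above and compares the pinned kdc entries against constructed _kerberos SRV targets; on a real host the SRV targets would come from `dig _kerberos._udp.<domain> SRV` and the file from /etc/krb5.conf.

```python
import re
from collections import defaultdict
# Constructed krb5.conf, modelled on the one quoted in the thread (not the poster's real file).
KRB5_CONF = """[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = false
[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
 }
"""
# Constructed SRV targets (host part of what `dig _kerberos._udp.mydomain.com SRV` returns);
# the UDP record still names the retired server ldap.mydomain.com.
SRV_RECORDS = {"_kerberos._udp.mydomain.com": ["ldap.mydomain.com"],
               "_kerberos._tcp.mydomain.com": ["ldap2.mydomain.com"]}

def parse_krb5_conf(text):
    """Minimal parser: returns ([libdefaults] dict, {realm: {key: [values]}})."""
    libdefaults, realms = {}, defaultdict(lambda: defaultdict(list))
    section = realm = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = val
            elif section == "realms" and realm:
                realms[realm][key].append(val)
    return libdefaults, realms

def kdc_report(conf_text, srv_records, realm, domain):
    """Compare the KDCs the client is pinned to with what the SRV records advertise."""
    libdefaults, realms = parse_krb5_conf(conf_text)
    # kdc values may carry a :port suffix; compare on host names only.
    configured = sorted({v.rsplit(":", 1)[0].lower()
                         for v in realms[realm]["kdc"] + realms[realm]["master_kdc"]})
    stale = {}
    for proto in ("udp", "tcp"):
        targets = srv_records.get(f"_kerberos._{proto}.{domain}", [])
        if unknown := [t for t in targets if t.lower() not in configured]:
            stale[proto] = unknown
    # dns_lookup_kdc = false pins libkrb5 to kdc= lines, but SRV still steers discovery.
    return {"dns_lookup_kdc": libdefaults.get("dns_lookup_kdc", "true").lower() == "true",
            "configured_kdcs": configured, "stale_srv_targets": stale}
```

A non-empty stale_srv_targets entry is the SRV record to fix first; the dns_lookup_kdc flag tells you whether kinit on this host would even consult it.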
On 03/24/2014 07:20 PM, Shree wrote:
> If you look at the attached logs, you can see it is going to the correct DNS server. dig information is also correct. There is something else going on I can figure out what?
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
> Change is the only Constant !
>
> On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/21/2014 07:44 PM, Shree wrote:
>> Hi
>> Attaching the install log. It complains about unable to reach
>> certain ports, however my tests by using telnet were successful.
>> Also to refresh your memory the client should be reaching for
>> the replica ldap2.mydomain.com and not ldap.mydomain.com which it
>> does for the most part but I found a couple of instances of
>> ldap.mydomain.com in the log. Let me know what you find. I can't
>> believe I migrated over 40 servers and only this one refuses to
>> install ipa-client.
>
> If it is getting to the wrong server then it is either looking at
> the wrong DNS server (see resolv.conf) which is telling it to use
> the wrong IPA server (maybe from some old try/POC) or it has some
> explicit entries entered in /etc/hosts.
>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>>
>> Change is the only Constant !
>>
>> On Thursday, March 20, 2014 4:29 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>> On 03/19/2014 10:37 PM, Shree wrote:
>>> Hello
>>> I was able to successfully move all my clients to
>>> the replica except on the process I had to upgrade the
>>> client to "ipa-client-3.0.0-37.el6.x86_64" and some
>>> times run a --uninstall. But it works for the most part. Have been
>>> struggling with one last host with errors like below.
>>> I have tested the port connectivity using telnet and
>>> netcat commands but the install thinks these ports are
>>> blocked?
>>>
>>> kerberos authentication failed
>>> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
>>>
>>> Please make sure the following ports are opened in the firewall settings:
>>> TCP: 80, 88, 389
>>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>>> TCP: 464
>>> UDP: 464, 123 (if NTP enabled)
>>> Installation failed. Rolling back changes.
>>> Disabling client Kerberos and LDAP configurations
>>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>>> Restoring client configuration files
>>> Client uninstall complete.
>>> [root@www /]#
>>>
>>> In the /var/log/ipaclient-install.log I also see things like below. I get Autodiscovery
>>> failures but I am manually entering things and they have been working.
>>>
>>> 2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
>>> 2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
>>> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
>>> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
>>> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work with this configuration.
>>> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>>
>> Ok. I would guess you have some DNS issue. But it is hard to tell without the
>> entire ipaclient-install.log of the failed installation.
>>
>> Martin
>