[Freeipa-users] 3.3.3 - Unable to install remote client
ToBeReplaced
tobereplaced at gmail.com
Wed Sep 24 19:02:34 UTC 2014
Hi!
I've had an issue trying to install a client on a new server
installation.
Version 3.3.3 on CentOS 7 for both client and server.
In the details below, the domain name, server host name, and IP address have
been changed.
The server is sitting behind a router with ip 12.34.56.78. The server
was configured with `--enable-dns` and `192.168.1.100 ipa.example.com
ipa` in /etc/hosts.
firewalld has been set to open up ports for ldap, ldaps, kerberos,
kpasswd, dns, ntp, http, https on both the client and server. Port 7389
is also open on the server.
The router has been configured to forward all of the above ports through
12.34.56.78 to 192.168.1.100.
The client is sitting on a different network (say, behind a router with
ip 98.76.54.32).
Its /etc/hosts includes `12.34.56.78 ipa.example.com ipa`.
Its /etc/resolv.conf includes `nameserver 12.34.56.78`
ipa-client-install fails with:
Discovery was successful!
Hostname: laptop-1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Wed Sep 24 17:44:28 2014 UTC
Valid Until: Sun Sep 24 17:44:28 2034 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
Cannot connect to the server due to Kerberos error: Kerberos
error: ('Unspecified GSS failure. Minor code may provide more
information', 851968)/("Cannot contact any KDC for realm
'EXAMPLE.COM'", -1765328228). Trying with delegate=True
trying https://ipa.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
Second connect with delegate=True also failed: Kerberos error:
('Unspecified GSS failure. Minor code may provide more
information', 851968)/("Cannot contact any KDC for realm
'EXAMPLE.COM'", -1765328228)
Cannot connect to the IPA server XML-RPC interface: Kerberos
error: ('Unspecified GSS failure. Minor code may provide more
information', 851968)/("Cannot contact any KDC for realm
'EXAMPLE.COM'", -1765328228)
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials:
Cannot contact any KDC for requested realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
`cat /var/log/ipaclient-install.log | grep ERROR -C 25 -m 1`
2014-09-24T18:11:49Z INFO Configured /etc/krb5.conf for IPA
realm EXAMPLE.COM
2014-09-24T18:11:49Z DEBUG Starting external process
2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/laptop-1.example.com@EXAMPLE.COM
2014-09-24T18:11:49Z DEBUG Process finished, return code=1
2014-09-24T18:11:49Z DEBUG stdout=
2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
not available
2014-09-24T18:11:49Z DEBUG Starting external process
2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/laptop-1.example.com@EXAMPLE.COM
2014-09-24T18:11:49Z DEBUG Process finished, return code=1
2014-09-24T18:11:49Z DEBUG stdout=
2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
not available
2014-09-24T18:11:49Z DEBUG failed to find session_cookie in
persistent storage for principal
'host/laptop-1.example.com@EXAMPLE.COM'
2014-09-24T18:11:49Z INFO trying https://ipa.example.com/ipa/xml
2014-09-24T18:11:49Z DEBUG Created connection context.xmlclient
2014-09-24T18:11:49Z DEBUG Try RPC connection
2014-09-24T18:11:49Z INFO Forwarding 'ping' to server
'https://ipa.example.com/ipa/xml'
2014-09-24T18:12:07Z DEBUG Destroyed connection
context.xmlclient
2014-09-24T18:12:07Z INFO Cannot connect to the server due to
Kerberos error: Kerberos error: ('Unspecified GSS failure.
Minor code may provide more information', 851968)/("Cannot
contact any KDC for realm 'EXAMPLE.COM'", -1765328228). Trying
with delegate=True
2014-09-24T18:12:07Z INFO trying https://ipa.example.com/ipa/xml
2014-09-24T18:12:07Z DEBUG Created connection context.xmlclient
2014-09-24T18:12:07Z DEBUG Try RPC connection
2014-09-24T18:12:07Z INFO Forwarding 'ping' to server
'https://ipa.example.com/ipa/xml'
2014-09-24T18:12:25Z WARNING Second connect with delegate=True
also failed: Kerberos error: ('Unspecified GSS failure. Minor
code may provide more information', 851968)/("Cannot contact any
KDC for realm 'EXAMPLE.COM'", -1765328228)
2014-09-24T18:12:25Z ERROR Cannot connect to the IPA server
XML-RPC interface: Kerberos error: ('Unspecified GSS failure.
Minor code may provide more information', 851968)/("Cannot
contact any KDC for realm 'EXAMPLE.COM'", -1765328228)
One possibly worthwhile note is that running tcpdump shows that the
client (local IP 192.168.0.102) is trying to connect to 192.168.1.100,
the local IP of the server, which is on a different network and thus
inaccessible.
14:11:49.611009 IP 192.168.0.102.57552 > 192.168.1.100.kerberos:
14:11:50.645238 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5701517 ecr 0,nop,wscale 7], length 0
14:11:51.648218 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5702520 ecr 0,nop,wscale 7], length 0
etc. etc.
Cheers,
ToBeReplaced
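
The tcpdump observation above can be turned into a repeatable check. This is an added example, not part of the original post: it scans tcpdump text for TCP SYNs that never received a SYN-ACK and whose destination is a private address outside the client's own subnet. The /24 client subnet, the function name, and the two https lines in the sample are assumptions; the Kerberos lines are modelled on the capture in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two Kerberos SYNs follow the capture in the post
# (options shortened); the https exchange is invented to show an answered flow.
CAPTURE = """\
14:11:50.645238 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460], length 0
14:11:51.648218 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460], length 0
14:11:52.101000 IP 192.168.0.102.40112 > 12.34.56.78.https: Flags [S], seq 99887766, win 14600, length 0
14:11:52.140000 IP 12.34.56.78.https > 192.168.0.102.40112: Flags [S.], seq 5544, ack 99887767, win 14480, length 0
"""

# src ip, src port/service, dst ip, dst port/service, TCP flags
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.([\w-]+) > (\d+\.\d+\.\d+\.\d+)\.([\w-]+): "
    r"Flags \[([^\]]+)\]")


def unreachable_private_targets(capture, local_net):
    """Return {(dst_ip, service): syn_count} for unanswered SYNs sent to a
    private address that is not inside local_net (the client's own subnet)."""
    local = ipaddress.ip_network(local_net)
    syns = defaultdict(int)   # flow -> number of SYNs, retransmits included
    answered = set()          # flows for which a SYN-ACK was seen
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue          # truncated or non-TCP line
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # A SYN-ACK travels in the reverse direction of the SYN it answers.
            answered.add((dst, dport, src, sport))
    findings = defaultdict(int)
    for flow, count in syns.items():
        dst = ipaddress.ip_address(flow[2])
        if flow not in answered and dst.is_private and dst not in local:
            findings[(flow[2], flow[3])] += count
    return dict(findings)


if __name__ == "__main__":
    # Assumption: the client (192.168.0.102) sits in a /24.
    for (ip, svc), n in unreachable_private_targets(CAPTURE, "192.168.0.0/24").items():
        print(f"{n} unanswered SYN(s) to {ip} ({svc}): private address off the local subnet")
```

A hit for the `kerberos` service means the client is being handed the KDC's internal address rather than the forwarded public one, which matches the "Cannot contact any KDC" error in the installer log.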