[Freeipa-users] ipa-client-install failing on new ipa-server

Martin Kosek mkosek at redhat.com
Thu Mar 26 16:31:50 UTC 2015


I am not sure what you mean. So are you saying that "kinit USER" done on server
fails? With what error?

On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> great, thanks.
> 
> On a related note: the server still doesn't get a (client) kerberos ticket,
> which means I can't kinit as a user and then log into a client machine
> without a password. Going the other way works fine, however.
> 
> thx
> anthony
> 
> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
>> keyutils dependency fixed anyway :-)
>>
>> Martin
>>
>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
>>> reinstalled keyutils and then ran the ipa-server-install again, and this
>>> time it completed without error.
>>>
>>> Thanks very much, Martin and Dmitri!
>>>
>>> thx
>>> anthony
>>>
>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>>>> While running ipa-server-install, it's failing out at the end with an error
>>>>>> regarding the client install on the server. This happens regardless of how I
>>>>>> input the options, but here's the latest command:
>>>>>>
>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
>>>>>> -n example.com -p passwd1 -a passwd2
>>>>>> --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>>>
>>>>>> Runs through the entire setup and gives me this:
>>>>>>
>>>>>> [...]
>>>>>> ipa         : DEBUG  args=/usr/sbin/ipa-client-install --on-master
>>>>>> --unattended --domain example.com --server ldap-server-01.example.com
>>>>>> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>>>>>> ipa         : DEBUG    stdout=
>>>>>>
>>>>>> ipa         : DEBUG    stderr=Hostname: ldap-server-01.example.com
>>>>>> Realm: EXAMPLE.COM
>>>>>> DNS Domain: example.com
>>>>>> IPA Server: ldap-server-01.example.com
>>>>>> BaseDN: dc=example,dc=com
>>>>>> New SSSD config will be created
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> Traceback (most recent call last):
>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>>>     sys.exit(main())
>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>>>     delete_persistent_client_session_data(host_principal)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>>>>>     kernel_keyring.del_key(keyname)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>>>>>     real_key = get_real_key(key)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>>>>>
>>>>> Is keyctl installed? Can you run it manually?
>>>>> Any SELinux denials?
>>>>
>>>> You are likely hitting
>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>
>>>> Please try installing keyutils before running ipa-server-install. It is fixed
>>>> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>>>
>>>> Martin
>>>>
>>>
>>
>>
> 
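
The installer failure in this thread came down to a zero-length /bin/keyctl even though keyutils was installed. As an added example (not part of the thread and not FreeIPA's own code), here is a preflight check that could be run before ipa-server-install; the function names check_keyctl and verify_keyutils_pkg are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the keyctl binary that
# ipa-client-install calls through ipapython/kernel_keyring.py.

# check_keyctl [PATH]
# Return codes: 0 usable, 1 missing, 2 zero-length, 3 not executable.
check_keyctl() {
    bin="${1:-}"
    if [ -z "$bin" ]; then
        # No path given: resolve keyctl via PATH, as a bare
        # 'keyctl' command name would be resolved.
        bin=$(command -v keyctl 2>/dev/null) || bin=""
    fi
    if [ -z "$bin" ] || [ ! -e "$bin" ]; then
        echo "keyctl not found; install the keyutils package" >&2
        return 1
    fi
    if [ ! -s "$bin" ]; then
        # The case reported in this thread: package installed, file empty.
        echo "$bin is zero-length; reinstall the keyutils package" >&2
        return 2
    fi
    if [ ! -x "$bin" ]; then
        echo "$bin is not executable" >&2
        return 3
    fi
    return 0
}

# verify_keyutils_pkg
# On RPM systems, compare installed keyutils files against the package
# database (size, digest, mode). Non-zero means a mismatch or that the
# package is not installed. On non-RPM systems there is nothing to verify.
verify_keyutils_pkg() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -V keyutils
}

# Typical use before installing:
#   check_keyctl && verify_keyutils_pkg && ipa-server-install ...
```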