[Freeipa-users] ipa-client-install failing on new ipa-server

Martin Kosek mkosek at redhat.com
Thu Mar 26 17:01:01 UTC 2015


On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> kinit USER works perfectly; but I can't ssh into the client machine from
> the server without it requesting a password.
> 
> I think this is a DNS issue, actually. The server isn't resolving the name
> of the client, so I'm ssh'ing with the IP address, and that's not going to
> work since it's not in the Kerberos db ("Cannot determine realm for numeric
> host address").

So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.

> Except, of course, that the server did not get its own valid Kerberos host
> certificate. It should, right? during the ipa-client-install --on-master
> step of the server install?

Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.

> In fact, the global DNS config is completely empty. But I'm going to have
> to tear down the server and rebuild because it's on the same domain as an
> AD server, and ipa-client-install finds that server rather than the new IPA
> server by default: that won't work because I want LDAP to dynamically
> update the records, and establish a trust with the AD server.
> Also we've got 2 linux DNS root servers that act as forwarders. I pointed
> the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
> to configure IPA to use them properly. So I'm sure that's where most of my
> problems lie.
> 
> I've got to RTFM a bit more before I really start asking the right
> questions, I think. At that point I'll start a new thread.

Ok :-)

Martin

> thx
> anthony
> 
> On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> I am not sure what you mean. So are you saying that "kinit USER" done on
>> server fails? With what error?
>>
>> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
>>> great, thanks.
>>>
>>> On a related note: the server still doesn't get a (client) kerberos ticket,
>>> which means I can't kinit as a user and then log into a client machine
>>> without a password. Going the other way works fine, however.
>>>
>>> thx
>>> anthony
>>>
>>> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
>>>> the keyutils dependency fixed anyway :-)
>>>>
>>>> Martin
>>>>
>>>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>>>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
>>>>> reinstalled keyutils and then ran the ipa-server-install again, and this
>>>>> time it completed without error.
>>>>>
>>>>> Thanks very much, Martin and Dmitri!
>>>>>
>>>>> thx
>>>>> anthony
>>>>>
>>>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>
>>>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>>>>>> While running ipa-server-install, it's failing out at the end with an error
>>>>>>>> regarding the client install on the server. This happens regardless of how I
>>>>>>>> input the options, but here's the latest command:
>>>>>>>>
>>>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a
>>>>>>>> passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
>>>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>>>>>
>>>>>>>> Runs through the entire setup and gives me this:
>>>>>>>>
>>>>>>>> [...]
>>>>>>>> ipa         : DEBUG  args=/usr/sbin/ipa-client-install --on-master
>>>>>>>> --unattended --domain example.com --server ldap-server-01.example.com --realm
>>>>>>>> EXAMPLE.COM --hostname ldap-server-01.example.com
>>>>>>>> ipa         : DEBUG    stdout=
>>>>>>>>
>>>>>>>> ipa         : DEBUG    stderr=Hostname: ldap-server-01.example.com
>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>> DNS Domain: example.com
>>>>>>>> IPA Server: ldap-server-01.example.com
>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>> New SSSD config will be created
>>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>>> Traceback (most recent call last):
>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>>>>>     sys.exit(main())
>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>>>>>     delete_persistent_client_session_data(host_principal)
>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>>>>>>>     kernel_keyring.del_key(keyname)
>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>>>>>>>     real_key = get_real_key(key)
>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>>>>>>>
>>>>>>> Is keyctl installed? Can you run it manually?
>>>>>>> Any SELinux denials?
>>>>>>
>>>>>> You are likely hitting
>>>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>>>
>>>>>> Please try installing keyutils before running ipa-server-install. It is
>>>>>> fixed in RHEL-7; I filed a RHEL-6 ticket to fix it on this platform also:
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>




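The three things this thread tripped over (a zero-length /bin/keyctl that ipa-client-install shells out to via ipapython/kernel_keyring.py, a --reverse-zone that has to match the server's subnet, and ssh/GSSAPI targets given as an IP address so Kerberos cannot map them to a host principal) can all be checked before ipa-server-install is run. The script below is an added example written for this page, not FreeIPA's own code: the domain, realm, subnet, the constructed zero-length keyctl and the function names are assumptions, and the host/<fqdn>@REALM principal form is the convention the thread relies on.

```python
"""Pre-flight checks for the failure points seen in this thread (added example,
not FreeIPA code). Realm, domain, subnet and paths below are assumptions."""
import ipaddress
import os
import shutil
import tempfile


def host_principal(fqdn, realm):
    """Principal a host is enrolled as; KDC and peer must agree on this exact
    FQDN, which is why DNS has to resolve it (assumed convention)."""
    return "host/%s@%s" % (fqdn.rstrip(".").lower(), realm.upper())


def reverse_zone(cidr):
    """in-addr.arpa zone for an IPv4 network on an octet boundary, in the form
    ipa-server-install --reverse-zone was given: 10.0.1.0/24 -> 1.0.10.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("need an IPv4 network on an octet boundary: %s" % cidr)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def classify_ssh_target(target, domain):
    """Why GSSAPI login to `target` will or will not work before DNS is fixed.
    Returns 'numeric', 'short', 'other-domain' or 'fqdn'."""
    t = target.rstrip(".").lower()
    try:
        ipaddress.ip_address(t)
        return "numeric"        # krb5: "Cannot determine realm for numeric host address"
    except ValueError:
        pass
    if "." not in t:
        return "short"          # relies on the resolver search list; resolve it first
    if not t.endswith("." + domain.rstrip(".").lower()):
        return "other-domain"   # no realm mapping unless [domain_realm] covers it
    return "fqdn"


def check_keyctl(path=None):
    """ipa-client-install runs `keyctl search ...`, so keyctl must exist,
    be executable and not be an empty file (the thread saw a 0-byte binary)."""
    path = path or shutil.which("keyctl")
    if not path or not os.path.exists(path):
        return (False, "keyctl not found: install keyutils")
    if os.path.getsize(path) == 0:
        return (False, "%s is zero-length: reinstall keyutils" % path)
    if not os.access(path, os.X_OK):
        return (False, "%s is not executable" % path)
    return (True, path)


def zero_length_keyctl_check():
    """Reproduce the thread's symptom (0-byte, executable keyctl) on a temp file."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "keyctl")
    open(fake, "w").close()
    os.chmod(fake, 0o755)
    try:
        return check_keyctl(fake)
    finally:
        os.remove(fake)
        os.rmdir(d)


def preflight(domain, realm, subnet, reverse_zone_arg, keyctl_path=None, ssh_targets=()):
    """Collect blockers; an empty list means none of the thread's problems apply."""
    findings = []
    ok, msg = check_keyctl(keyctl_path)
    if not ok:
        findings.append(msg)
    expected = reverse_zone(subnet)
    if reverse_zone_arg != expected:
        findings.append("--reverse-zone=%s does not match %s (expected %s)"
                        % (reverse_zone_arg, subnet, expected))
    for t in ssh_targets:
        kind = classify_ssh_target(t, domain)
        if kind != "fqdn":
            findings.append("%s: %s target cannot map to %s; use the FQDN"
                            % (t, kind, host_principal("<fqdn>", realm)))
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: example.com / EXAMPLE.COM, 10.0.1.0/24.
    for f in preflight("example.com", "EXAMPLE.COM", "10.0.1.0/24",
                       "1.0.10.in-addr.arpa.", ssh_targets=["10.0.1.20", "client01"]):
        print("BLOCKER:", f)
    print("zero-length keyctl check:", zero_length_keyctl_check())
```

Run it on the server before ipa-server-install; with the thread's inputs it flags 10.0.1.20 as a numeric target and client01 as a short name, and the zero-length check reproduces the keyutils symptom without touching the real /bin/keyctl. It does not replace the forward and reverse DNS lookups themselves (dig or getent hosts against the forwarders), which still need to agree with --hostname.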