[Freeipa-users] ipa-client-install failing on new ipa-server

Rob Crittenden rcritten at redhat.com
Thu Mar 26 17:44:09 UTC 2015


Anthony Lanni wrote:
> I'm referring to the host certificate; I was looking at the web UI,
> under Identity->Hosts in the server details page. The Host Certificate
> section says 'No Valid Certificate'.
> The server has a /etc/krb5.keytab file, and on the same page the
> Enrollment section says 'Kerberos Key Present, Host Provisioned'.

No, masters never got this certificate issued. It was intended to be an
alternate way to authenticate a host to IPA. The host certificate is not
used by IPA currently, and in 4.1 one isn't issued for clients by
default any more.

rob

> 
> thx
> anthony
> 
> On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>     On 03/26/2015 05:52 PM, Anthony Lanni wrote:
>     > kinit USER works perfectly; but I can't ssh into the client machine from
>     > the server without it requesting a password.
>     >
>     > I think this is a DNS issue, actually. The server isn't resolving the name
>     > of the client, so I'm ssh'ing with the IP address, and that's not going to
>     > work since it's not in the Kerberos db ("Cannot determine realm for numeric
>     > host address").
> 
>     So it looks like you have found your problem - Kerberos tends to
>     break if DNS is not set properly.
> 
>     > Except, of course, that the server did not get its own valid Kerberos host
>     > certificate. It should, right? during the ipa-client-install --on-master
>     > step of the server install?
> 
>     Are you asking about host certificate or a Kerberos keytab
>     (/etc/krb5.keytab)? They are 2 distinct things.
> 
>     > In fact, the global DNS config is completely empty. But I'm going to have
>     > to tear down the server and rebuild because it's on the same domain as an
>     > AD server, and ipa-client-install finds that server rather than the new IPA
>     > server by default: that won't work because I want LDAP to dynamically
>     > update the records, and establish a trust with the AD server.
>     > Also we've got 2 linux DNS root servers that act as forwarders. I pointed
>     > the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
>     > to configure IPA to use them properly. SO I'm sure that's where most of my
>     > problems lie.
>     >
>     > I've got to RTFM a bit more before I really start asking the right
>     > questions, I think. At that point I'll start a new thread.
> 
>     Ok :-)
> 
>     Martin
> 
>     >
>     >
>     >
>     > thx
>     > anthony
>     >
>     > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mkosek at redhat.com> wrote:
>     >
>     >> I am not sure what you mean. So are you saying that "kinit USER"
>     >> done on server fails? With what error?
>     >>
>     >> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
>     >>> great, thanks.
>     >>>
>     >>> On a related note: the server still doesn't get a (client) kerberos
>     >>> ticket, which means I can't kinit as a user and then log into a client
>     >>> machine without a password. Going the other way works fine, however.
>     >>>
>     >>> thx
>     >>> anthony
>     >>>
>     >>> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mkosek at redhat.com> wrote:
>     >>>
>     >>>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release
>     >>>> should have the keyutils dependency fixed anyway :-)
>     >>>>
>     >>>> Martin
>     >>>>
>     >>>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>     >>>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway
>     >>>>> I reinstalled keyutils and then ran the ipa-server-install again, and
>     >>>>> this time it completed without error.
>     >>>>>
>     >>>>> Thanks very much, Martin and Dmitri!
>     >>>>>
>     >>>>> thx
>     >>>>> anthony
>     >>>>>
>     >>>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mkosek at redhat.com> wrote:
>     >>>>>
>     >>>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>     >>>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>     >>>>>>>> While running ipa-server-install, it's failing out at the end with
>     >>>>>>>> an error regarding the client install on the server. This happens
>     >>>>>>>> regardless of how I input the options, but here's the latest command:
>     >>>>>>>>
>     >>>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
>     >>>>>>>> -n example.com -p passwd1 -a passwd2
>     >>>>>>>> --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
>     >>>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>     >>>>>>>>
>     >>>>>>>> Runs through the entire setup and gives me this:
>     >>>>>>>>
>     >>>>>>>> [...]
>     >>>>>>>> ipa         : DEBUG  args=/usr/sbin/ipa-client-install --on-master
>     >>>>>>>> --unattended --domain example.com --server ldap-server-01.example.com
>     >>>>>>>> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>     >>>>>>>> ipa         : DEBUG    stdout=
>     >>>>>>>>
>     >>>>>>>> ipa         : DEBUG    stderr=Hostname: ldap-server-01.example.com
>     >>>>>>>> Realm: EXAMPLE.COM
>     >>>>>>>> DNS Domain: example.com
>     >>>>>>>> IPA Server: ldap-server-01.example.com
>     >>>>>>>> BaseDN: dc=example,dc=com
>     >>>>>>>> New SSSD config will be created
>     >>>>>>>> Configured /etc/sssd/sssd.conf
>     >>>>>>>> Traceback (most recent call last):
>     >>>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>     >>>>>>>>     sys.exit(main())
>     >>>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>     >>>>>>>>     rval = install(options, env, fstore, statestore)
>     >>>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>     >>>>>>>>     delete_persistent_client_session_data(host_principal)
>     >>>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>     >>>>>>>>     kernel_keyring.del_key(keyname)
>     >>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>     >>>>>>>>     real_key = get_real_key(key)
>     >>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>     >>>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>     >>>>>>>
>     >>>>>>> Is keyctl installed? Can you run it manually?
>     >>>>>>> Any SELinux denials?
>     >>>>>>
>     >>>>>> You are likely hitting
>     >>>>>> https://fedorahosted.org/freeipa/ticket/3808
>     >>>>>>
>     >>>>>> Please try installing keyutils before running ipa-server-install. It
>     >>>>>> is fixed in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this
>     >>>>>> platform also:
>     >>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>     >>>>>>
>     >>>>>> Martin
>     >>>>>>
>     >>>>>> --
>     >>>>>> Manage your subscription for the Freeipa-users mailing list:
>     >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>     >>>>>> Go to http://freeipa.org for more info on the project
>     >>>>>>
>     >>>>>
>     >>>>
>     >>>>
>     >>>
>     >>
>     >>
>     >
> 
> 
> 
> 
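Both failures in this thread are environmental rather than IPA bugs: a zero-length /bin/keyctl made ipa-client-install --on-master die inside kernel_keyring.get_real_key (raiseonerr=False only covers a non-zero exit code, not a binary that cannot be executed at all), and ssh to a client by IP address fails because Kerberos cannot map a numeric address to a realm. The pre-flight script below is an added example, not FreeIPA code; it checks the keyctl binary and the forward/reverse DNS state of a target host before enrollment or a GSSAPI login. The function names, the optional `path` argument, and the sample DNS records are assumptions made for the example.

```python
"""Pre-flight checks for the failure modes seen in this thread.

Added example, not FreeIPA code. Assumptions: the function names, the
optional `path` argument and the constructed sample DNS records below.
"""
import ipaddress
import os
import shutil
import socket
from typing import Callable, List, Optional


def check_keyctl(path: Optional[str] = None) -> List[str]:
    """Return problems with the keyctl binary; an empty list means it looks usable.

    ipa-client-install runs `keyctl search ...` via subprocess. A missing,
    zero-length or non-executable binary fails before any key is searched,
    and raiseonerr=False does not help because no exit code is ever produced.
    """
    keyctl = path or shutil.which("keyctl")
    if keyctl is None:
        return ["keyctl not found on PATH; install the keyutils package"]
    if not os.path.isfile(keyctl):
        return [f"{keyctl} is not a regular file"]
    problems = []
    if os.path.getsize(keyctl) == 0:
        problems.append(f"{keyctl} is zero bytes; reinstall keyutils")
    if not os.access(keyctl, os.X_OK):
        problems.append(f"{keyctl} is not executable")
    return problems


def check_target_for_kerberos(
    target: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], tuple] = socket.gethostbyaddr,
) -> List[str]:
    """Return problems that would stop a Kerberos (GSSAPI) ssh login to `target`.

    A bare IP address cannot be mapped to a realm ("Cannot determine realm
    for numeric host address"); a name that does not resolve, or whose PTR
    record names a different host than the host principal, breaks service
    ticket acquisition. The resolvers are parameters so the check can be
    exercised offline against sample records.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass  # not numeric: a hostname, which is what Kerberos needs
    else:
        return [f"{target} is a numeric address; use the host's FQDN instead"]
    try:
        addr = forward(target)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return [f"{target} does not resolve: {exc}"]
    try:
        rname = reverse(addr)[0]
    except OSError as exc:  # socket.herror is an OSError subclass
        return [f"no PTR record for {addr} ({target}): {exc}"]
    if rname.rstrip(".").lower() != target.rstrip(".").lower():
        return [f"reverse lookup of {addr} gives {rname}, not {target}"]
    return []


# Constructed sample records, not real infrastructure: client-01 has an A
# record but no PTR, and alias-01's PTR points at a different name.
SAMPLE_FORWARD = {
    "ldap-server-01.example.com": "10.0.1.10",
    "client-01.example.com": "10.0.1.11",
    "alias-01.example.com": "10.0.1.12",
}
SAMPLE_REVERSE = {
    "10.0.1.10": "ldap-server-01.example.com",
    "10.0.1.12": "other-01.example.com",
}


def sample_forward(name: str) -> str:
    """Offline stand-in for socket.gethostbyname over the sample records."""
    if name not in SAMPLE_FORWARD:
        raise socket.gaierror(f"Name or service not known: {name}")
    return SAMPLE_FORWARD[name]


def sample_reverse(addr: str) -> tuple:
    """Offline stand-in for socket.gethostbyaddr over the sample records."""
    if addr not in SAMPLE_REVERSE:
        raise socket.herror(f"Unknown host: {addr}")
    return (SAMPLE_REVERSE[addr], [], [addr])


if __name__ == "__main__":
    import sys

    for problem in check_keyctl():
        print("keyctl:", problem)
    if sys.argv[1:]:
        # Real DNS for hosts named on the command line.
        for host in sys.argv[1:]:
            for problem in check_target_for_kerberos(host):
                print(f"{host}: {problem}")
    else:
        # No arguments: walk the constructed sample records.
        for host in ("10.0.1.11", "client-01.example.com", "alias-01.example.com"):
            print(host, check_target_for_kerberos(host, sample_forward, sample_reverse))
```

Run it with no arguments to see the three sample outcomes, or pass the FQDNs of the IPA server and a client to check the real resolver; an empty list for a host means both the A and PTR records agree with the name in its host principal.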
