[Freeipa-users] ipa-client-install failing on new ipa-server
Anthony Lanni
anthony at advertise.com
Thu Mar 26 18:09:19 UTC 2015
ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.
Thanks for the help, everyone!
thx
anthony
On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden <rcritten at redhat.com>
wrote:
> Anthony Lanni wrote:
> > I'm referring to the host certificate; I was looking at the web UI,
> > under Identity->Hosts in the server details page. The Host Certificate
> > section says 'No Valid Certificate'.
> > The server has a /etc/krb5.keytab file, and on the same page the
> > Enrollment section says 'Kerberos Key Present, Host Provisioned'.
>
> No, masters never got this certificate issued. It was intended to be an
> alternate way to authenticate a host to IPA. The host certificate is not
> used by IPA currently, and in 4.1 one isn't issued for clients by
> default any more.
>
> rob
>
> >
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >
> > On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> > > kinit USER works perfectly; but I can't ssh into the client machine from
> > > the server without it requesting a password.
> > >
> > > I think this is a DNS issue, actually. The server isn't resolving the name
> > > of the client, so I'm ssh'ing with the IP address, and that's not going to
> > > work since it's not in the Kerberos db ("Cannot determine realm for numeric
> > > host address").
> >
> > So it looks like you have found your problem - Kerberos tends to break if DNS
> > is not set properly.
> >
> > > Except, of course, that the server did not get its own valid Kerberos host
> > > certificate. It should, right? during the ipa-client-install --on-master
> > > step of the server install?
> >
> > Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
> > They are 2 distinct things.
> >
> > > In fact, the global DNS config is completely empty. But I'm going to have
> > > to tear down the server and rebuild because it's on the same domain as an
> > > AD server, and ipa-client-install finds that server rather than the new IPA
> > > server by default: that won't work because I want LDAP to dynamically
> > > update the records, and establish a trust with the AD server.
> > > Also we've got 2 linux DNS root servers that act as forwarders. I pointed
> > > the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
> > > to configure IPA to use them properly. So I'm sure that's where most of my
> > > problems lie.
> > >
> > > I've got to RTFM a bit more before I really start asking the right
> > > questions, I think. At that point I'll start a new thread.
> >
> > Ok :-)
> >
> > Martin
> >
> > >
> > >
> > >
> > > thx
> > > anthony
> > >
> > > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mkosek at redhat.com> wrote:
> > >
> > >> I am not sure what you mean. So are you saying that "kinit USER" done on
> > >> server fails? With what error?
> > >>
> > >> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> > >>> great, thanks.
> > >>>
> > >>> On a related note: the server still doesn't get a (client) kerberos ticket,
> > >>> which means I can't kinit as a user and then log into a client machine
> > >>> without a password. Going the other way works fine, however.
> > >>>
> > >>> thx
> > >>> anthony
> > >>>
> > >>> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mkosek at redhat.com> wrote:
> > >>>
> > >>>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
> > >>>> the keyutils dependency fixed anyway :-)
> > >>>>
> > >>>> Martin
> > >>>>
> > >>>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> > >>>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> > >>>>> reinstalled keyutils and then ran the ipa-server-install again, and this
> > >>>>> time it completed without error.
> > >>>>>
> > >>>>> Thanks very much, Martin and Dmitri!
> > >>>>>
> > >>>>> thx
> > >>>>> anthony
> > >>>>>
> > >>>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mkosek at redhat.com> wrote:
> > >>>>>
> > >>>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> > >>>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> > >>>>>>>> While running ipa-server-install, it's failing out at the end with an
> > >>>>>>>> error regarding the client install on the server. This happens regardless
> > >>>>>>>> of how I input the options, but here's the latest command:
> > >>>>>>>>
> > >>>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
> > >>>>>>>>
> > >>>>>>>> Runs through the entire setup and gives me this:
> > >>>>>>>>
> > >>>>>>>> [...]
> > >>>>>>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
> > >>>>>>>> ipa : DEBUG stdout=
> > >>>>>>>>
> > >>>>>>>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
> > >>>>>>>> Realm: EXAMPLE.COM
> > >>>>>>>> DNS Domain: example.com
> > >>>>>>>> IPA Server: ldap-server-01.example.com
> > >>>>>>>> BaseDN: dc=example,dc=com
> > >>>>>>>> New SSSD config will be created
> > >>>>>>>> Configured /etc/sssd/sssd.conf
> > >>>>>>>> Traceback (most recent call last):
> > >>>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
> > >>>>>>>>     sys.exit(main())
> > >>>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
> > >>>>>>>>     rval = install(options, env, fstore, statestore)
> > >>>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
> > >>>>>>>>     delete_persistent_client_session_data(host_principal)
> > >>>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
> > >>>>>>>>     kernel_keyring.del_key(keyname)
> > >>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
> > >>>>>>>>     real_key = get_real_key(key)
> > >>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
> > >>>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
> > >>>>>>>
> > >>>>>>> Is keyctl installed? Can you run it manually?
> > >>>>>>> Any SELinux denials?
> > >>>>>>
> > >>>>>> You are likely hitting
> > >>>>>> https://fedorahosted.org/freeipa/ticket/3808
> > >>>>>>
> > >>>>>> Please try installing keyutils before running ipa-server-install. It is
> > >>>>>> fixed in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform
> > >>>>>> also: https://bugzilla.redhat.com/show_bug.cgi?id=1205660
> > >>>>>>
> > >>>>>> Martin
> > >>>>>>
> > >>>>>> --
> > >>>>>> Manage your subscription for the Freeipa-users mailing list:
> > >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >>>>>> Go to http://freeipa.org for more info on the project
> > >>>>>>
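A pre-flight check for the two failure modes this thread runs into (a zero-length /bin/keyctl that makes ipa-client-install --on-master fall over in kernel_keyring.get_real_key, and a server name that does not resolve, which leaves Kerberos with only a numeric address), written as an added example and not FreeIPA's own code; the function names, the KEYCTL default path and the injectable forward/reverse resolver arguments are my own assumptions.

```python
import os
import socket

# Path reported as zero-length in the thread (assumption: other distributions
# may ship keyctl under /usr/bin instead).
KEYCTL = "/bin/keyctl"


def check_keyctl(path=KEYCTL):
    """Return (ok, reason). 'keyutils is installed' is not enough: the binary
    must exist, be non-empty and be executable, or the keyctl call made by
    kernel_keyring.get_real_key() cannot run."""
    if not os.path.isfile(path):
        return False, "missing: install keyutils"
    if os.path.getsize(path) == 0:
        return False, "zero-length file: reinstall keyutils"
    if not os.access(path, os.X_OK):
        return False, "not executable"
    return True, "ok"


def check_hostname(fqdn, forward=socket.gethostbyname,
                   reverse=socket.gethostbyaddr):
    """Return (ok, reason). The name must have an A record and the PTR must
    point back to it; otherwise ssh ends up using bare IPs and Kerberos fails
    with 'Cannot determine realm for numeric host address'.
    forward/reverse are injectable so the check can be exercised offline."""
    if "." not in fqdn:
        return False, "not a fully qualified name"
    try:
        ip = forward(fqdn)
    except OSError:
        return False, "no A record"
    try:
        ptr = reverse(ip)[0]
    except OSError:
        return False, "no PTR record for %s" % ip
    if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return False, "PTR %s does not match %s" % (ptr, fqdn)
    return True, "resolves to %s" % ip


def preflight(fqdn, keyctl=KEYCTL):
    """Run both checks; returns {name: (ok, reason)}."""
    return {"keyctl": check_keyctl(keyctl), "dns": check_hostname(fqdn)}


if __name__ == "__main__":
    import sys
    res = preflight(sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn())
    for name, (ok, why) in res.items():
        print("%-6s %s  %s" % (name, "PASS" if ok else "FAIL", why))
    sys.exit(0 if all(ok for ok, _ in res.values()) else 1)
```

Run it as root on the prospective master before ipa-server-install; a FAIL on either line is exactly the condition the thread spent three messages diagnosing.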