[Freeipa-users] FreeIPA Replica / HA Issues

Rob Crittenden rcritten at redhat.com
Thu Jan 14 01:35:44 UTC 2016


Jeff Hallyburton wrote:
> We've deployed a FreeIPA server in a client infrastructure and now we're
> working on making that setup HA.  We've created a replica and I can
> verify that the replica has connectivity to the existing master and
> ensured that the auto-discovery DNS records are set up for LDAP /
> Kerberos / etc, but I'm having a couple of issues with clients:  
> 
> 1.  ipa-client-install fails with the following error whenever a server
> is not explicitly specified (though explicitly specifying either the
> original master OR the replica works fine):
> 
> trying https://ipa1.west-2.production.example.com/ipa/json
> 
> Cannot connect to the server due to Kerberos error: Kerberos error:
> Kerberos error: ('Unspecified GSS failure.  Minor code may provide more
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> -1765328230)/. Trying with delegate=True
> 
> trying https://ipa1.west-2.production.example.com/ipa/json
> 
> Second connect with delegate=True also failed: Kerberos error: Kerberos
> error: ('Unspecified GSS failure.  Minor code may provide more
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> -1765328230)/
> 
> Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos
> error: ('Unspecified GSS failure.  Minor code may provide more
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> -1765328230)/
> 
> Installation failed. Rolling back changes.
> 
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
> 
> Unenrolling client from IPA server
> 
> Unenrolling host failed: Error obtaining initial credentials: Cannot
> find KDC for requested realm.
> 
> 
> What we see in the install logs is:
> 
> 2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm
> EXAMPLE.COM
> 
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 
> 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user'
> 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'
> 
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> 
> 2016-01-14T00:45:39Z DEBUG stdout=
> 
> 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> 
> 
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 
> 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d'
> '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'
> 
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> 
> 2016-01-14T00:45:39Z DEBUG stdout=
> 
> 2016-01-14T00:45:39Z DEBUG stderr=
> 
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 
> 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d'
> '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'
> 
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> 
> 2016-01-14T00:45:39Z DEBUG stdout=
> 
> 2016-01-14T00:45:39Z DEBUG stderr=
> 
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 
> 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user'
> 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'
> 
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> 
> 2016-01-14T00:45:39Z DEBUG stdout=
> 
> 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> 
> 
> 2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent
> storage for principal
> 'host/test.west-2.production.example.com@EXAMPLE.COM'
> 
> 2016-01-14T00:45:39Z INFO trying
> https://ipa1.west-2.production.example.com/ipa/json
> 
> 2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos
> error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor
> code may provide more information', 851968)/('Cannot find KDC for realm
> "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True
> 
> 2016-01-14T00:45:39Z INFO trying
> https://ipa1.west-2.production.example.com/ipa/json
> 
> 2016-01-14T00:45:39Z WARNING Second connect with delegate=True also
> failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.
> Minor code may provide more information', 851968)/('Cannot find KDC for
> realm "EXAMPLE.COM"', -1765328230)/
> 
> 2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC
> interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.
> Minor code may provide more information', 851968)/('Cannot find KDC for
> realm "EXAMPLE.COM"', -1765328230)/
> 
> 2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.
> 
> 2016-01-14T00:45:39Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 
> 2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall'
> '--debug'
> 
> 2016-01-14T00:45:40Z DEBUG Process finished, return code=0
> 
> 2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration
> 
> 
> 2.  Related to this, all of our existing clients have been configured
> with explicit server= statements, meaning that they don't pick up the
> replica either.  Is there any way to manually fix this post
> installation, or will we simply have to uninstall and reinstall the ipa
> client?

It would be easier to see what is going on by looking at the full
/var/log/ipaclient-install.log. What we need to see is how discovery
went and what the contents of various configuration files, temporary and
permanent, are.

rob
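Added example, written for this archive page and not posted by either participant. The "Cannot find KDC for realm" failure in the quoted log appears only when no --server is given, which is the case where the client depends on DNS: ipa-client-install locates servers through the _ldap._tcp SRV record and the realm through the _kerberos TXT record under the client's own DNS domain, and, once /etc/krb5.conf has been written for the realm, libkrb5 (dns_lookup_kdc) looks the KDC up under the realm name used as a DNS name, here _kerberos._udp.example.com rather than the client's west-2.production.example.com subdomain. The script below prints the four lookups to run on the failing client and checks dig-style answers for every expected server, so a replica missing from one record set shows up by name. The hostnames, realm and the sample dig output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Verifies the DNS records a
# FreeIPA client needs for autodiscovery (no --server given). Assumptions
# (constructed for the example): realm EXAMPLE.COM, client domain
# west-2.production.example.com, servers ipa1 and ipa2 in that domain.

# Print the target hostnames from `dig +short SRV` output
# ("priority weight port target."), without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# srv_has_all "host1 host2 ..." < srv-output
# Succeeds only if every listed host appears as an SRV target; names the
# missing ones on stderr, which is how an unpublished replica shows up.
srv_has_all() {
    found=$(srv_targets)
    rc=0
    for h in $1; do
        printf '%s\n' "$found" | grep -qxF "$h" \
            || { echo "no SRV record for $h" >&2; rc=1; }
    done
    return $rc
}

# txt_realm_is REALM < txt-output
# `dig +short TXT` prints the realm in double quotes; compare after stripping them.
txt_realm_is() {
    [ "$(tr -d '"' | head -n 1)" = "$1" ]
}

# discovery_queries DOMAIN REALM
# Prints the lookups to run against real DNS: the first two are what
# ipa-client-install uses under the client domain, the last two are what
# libkrb5 uses under the realm (lower-cased, as a DNS name).
discovery_queries() {
    domain=$1
    realm_dns=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' \
        "dig +short SRV _ldap._tcp.$domain" \
        "dig +short TXT _kerberos.$domain" \
        "dig +short SRV _kerberos._udp.$realm_dns" \
        "dig +short SRV _kerberos._tcp.$realm_dns"
}

# Constructed sample answers in the form `dig +short` prints them.
SERVERS="ipa1.west-2.production.example.com ipa2.west-2.production.example.com"
LDAP_SRV_OK='0 100 389 ipa1.west-2.production.example.com.
0 100 389 ipa2.west-2.production.example.com.'
# Realm-level KDC record that still names only the original master.
KDC_SRV_PARTIAL='0 100 88 ipa1.west-2.production.example.com.'
REALM_TXT='"EXAMPLE.COM"'

# Run every check against the sample; nonzero if any record set is incomplete.
check_sample() {
    rc=0
    printf '%s\n' "$LDAP_SRV_OK" | srv_has_all "$SERVERS" || rc=1
    printf '%s\n' "$REALM_TXT" | txt_realm_is EXAMPLE.COM || rc=1
    printf '%s\n' "$KDC_SRV_PARTIAL" | srv_has_all "$SERVERS" || rc=1
    return $rc
}

main() {
    discovery_queries west-2.production.example.com EXAMPLE.COM
    if check_sample; then
        echo "all discovery records present"
    else
        echo "discovery records incomplete" >&2
    fi
}
main "$@"
```

On the sample data the script reports that ipa2 is absent from the realm-level KDC SRV record while the _ldap._tcp record under the client domain lists both servers, which is the pattern to look for when discovery of the server succeeds but the Kerberos step still cannot find a KDC. For the second question in the thread, note (general FreeIPA behaviour, not stated in the thread) that a client enrolled with --server has the server names written as fixed values into /etc/krb5.conf, /etc/sssd/sssd.conf (ipa_server) and /etc/ipa/default.conf, and those files are the place to look when such a client is expected to fail over to a replica.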
