[Freeipa-users] FreeIPA Replica / HA Issues

Jeff Hallyburton jeff.hallyburton at bloomip.com
Thu Jan 14 02:02:39 UTC 2016


Rob,

Full log is attached.

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal: https://my.bloomip.com

On Wed, Jan 13, 2016 at 8:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Jeff Hallyburton wrote:
> > We've deployed a FreeIPA server in a client infrastructure and now we're
> > working on making that setup HA.  We've created a replica and I can
> > verify that the replica has connectivity to the existing master and
> > ensured that the auto-discovery DNS records are set up for LDAP /
> > Kerberos / etc, but I'm having a couple of issues with clients:
> >
> > 1.  ipa-client-install fails with the following error whenever a server
> > is not explicitly specified (though explicitly specifying either the
> > original master OR the replica works fine):
> >
> > trying https://ipa1.west-2.production.example.com/ipa/json
> >
> > Cannot connect to the server due to Kerberos error: Kerberos error:
> > Kerberos error: ('Unspecified GSS failure.  Minor code may provide more
> > information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> > -1765328230)/. Trying with delegate=True
> >
> > trying https://ipa1.west-2.production.example.com/ipa/json
> >
> > Second connect with delegate=True also failed: Kerberos error: Kerberos
> > error: ('Unspecified GSS failure.  Minor code may provide more
> > information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> > -1765328230)/
> >
> > Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos
> > error: ('Unspecified GSS failure.  Minor code may provide more
> > information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> > -1765328230)/
> >
> > Installation failed. Rolling back changes.
> >
> > Failed to list certificates in /etc/ipa/nssdb: Command
> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> > status 255
> >
> > Unenrolling client from IPA server
> >
> > Unenrolling host failed: Error obtaining initial credentials: Cannot
> > find KDC for requested realm.
> >
> >
> > What we see in the install logs is:
> >
> > 2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm
> > EXAMPLE.COM
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user'
> > 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> >
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d'
> > '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d'
> > '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user'
> > 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> >
> >
> > 2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent
> > storage for principal
> > 'host/test.west-2.production.example.com@EXAMPLE.COM'
> >
> > 2016-01-14T00:45:39Z INFO trying
> > https://ipa1.west-2.production.example.com/ipa/json
> >
> > 2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos
> > error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor
> > code may provide more information', 851968)/('Cannot find KDC for realm
> > "EXAMPLE.COM"', -1765328230)/. Trying with
> > delegate=True
> >
> > 2016-01-14T00:45:39Z INFO trying
> > https://ipa1.west-2.production.example.com/ipa/json
> >
> > 2016-01-14T00:45:39Z WARNING Second connect with delegate=True also
> > failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.
> > Minor code may provide more information', 851968)/('Cannot find KDC for
> > realm "EXAMPLE.COM"', -1765328230)/
> >
> > 2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC
> > interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.
> > Minor code may provide more information', 851968)/('Cannot find KDC for
> > realm "EXAMPLE.COM"', -1765328230)/
> >
> > 2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.
> >
> > 2016-01-14T00:45:39Z DEBUG Loading Index file from
> > '/var/lib/ipa/sysrestore/sysrestore.index'
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall'
> > '--debug'
> >
> > 2016-01-14T00:45:40Z DEBUG Process finished, return code=0
> >
> > 2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration
> >
> >
> > 2.  Related to this, all of our existing clients have been configured
> > with explicit server= statements, meaning that they don't pick up the
> > replica either.  Is there any way to manually fix this post-installation,
> > or will we simply have to uninstall and reinstall the ipa
> > client?
>
> It would be easier to see what is going on by looking at the full
> /var/log/ipaclient-install.log. What we need to see is how discovery
> went and what the contents of various configuration files, temporary and
> permanent, are.
>
> rob
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 54958 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160113/a01bfd1e/attachment.obj>
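Both questions in the thread come down to how a client decides where its KDC and IPA servers are: libkrb5 either uses the kdc= lines pinned under the realm in /etc/krb5.conf or, with dns_lookup_kdc on, looks up _kerberos._udp/_tcp SRV records under the realm name itself, while ipa-client-install and SSSD carry their own server settings (server= in /etc/ipa/default.conf, ipa_server= in sssd.conf, with SSSD's _srv_ meaning discovery). The script below is an added example, not code from this thread or from FreeIPA: it parses those three files and reports which hosts are hard-coded and which DNS names are consulted when the client is left to discovery. The three configuration snippets are constructed for the example (hostnames follow the thread, the contents are made up); the thread does not say what caused the lookup failure, so the script shows what to check rather than a fix.

```python
"""Show where an IPA client will look for its KDC and IPA servers.

Added example for the thread above; not FreeIPA code.  Parses krb5.conf,
/etc/ipa/default.conf and sssd.conf and reports (a) which hosts are pinned
and (b) which DNS SRV names are consulted when discovery is in use.
"""
import configparser
import re

# Constructed sample configs: hostnames follow the thread, contents are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa1.west-2.production.example.com:88
    master_kdc = ipa1.west-2.production.example.com:88
    admin_server = ipa1.west-2.production.example.com:749
    default_domain = west-2.production.example.com
  }

[domain_realm]
  .west-2.production.example.com = EXAMPLE.COM
  west-2.production.example.com = EXAMPLE.COM
"""

SAMPLE_IPA_DEFAULT_CONF = """\
[global]
realm = EXAMPLE.COM
domain = west-2.production.example.com
server = ipa1.west-2.production.example.com
xmlrpc_uri = https://ipa1.west-2.production.example.com/ipa/xml
"""

SAMPLE_SSSD_CONF = """\
[domain/west-2.production.example.com]
id_provider = ipa
ipa_domain = west-2.production.example.com
ipa_hostname = test.west-2.production.example.com
ipa_server = ipa1.west-2.production.example.com

[sssd]
domains = west-2.production.example.com
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: sections, nested { } blocks, repeated keys kept as lists."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            stack[-1].setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def krb5_kdc_lookup(krb5, realm):
    """Where libkrb5 looks for the KDC of `realm`: pinned kdc= lines and/or DNS SRV."""
    pinned = krb5.get("realms", {}).get(realm, {}).get("kdc", [])
    flag = krb5.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1]
    use_dns = flag.lower() in ("true", "yes", "1")
    # With dns_lookup_kdc on, libkrb5 queries SRV records under the realm name
    # itself (here example.com), not under the client's own DNS domain.
    srv = [f"_kerberos._udp.{realm.lower()}", f"_kerberos._tcp.{realm.lower()}"] if use_dns else []
    return {"pinned_kdcs": [k.rsplit(":", 1)[0] for k in pinned],
            "dns_lookup_kdc": use_dns, "kdc_srv_names": srv}


def ipa_client_pinned(default_conf_text, sssd_conf_text):
    """Servers hard-coded by ipa-client-install in default.conf and sssd.conf."""
    dc = configparser.ConfigParser()
    dc.read_string(default_conf_text)
    domain = dc.get("global", "domain", fallback="")
    servers = [s.strip() for s in dc.get("global", "server", fallback="").split(",") if s.strip()]
    sc = configparser.ConfigParser()
    sc.read_string(sssd_conf_text)
    sssd = {}
    for section in sc.sections():
        if section.startswith("domain/"):
            # SSSD falls back to service discovery (_srv_) when ipa_server is unset.
            vals = sc.get(section, "ipa_server", fallback="_srv_")
            sssd[section.split("/", 1)[1]] = [v.strip() for v in vals.split(",") if v.strip()]
    # Names ipa-client-install resolves for discovery when no --server is given.
    discovery = [f"_ldap._tcp.{domain}", f"_kerberos._udp.{domain}"] if domain else []
    return {"domain": domain, "default_conf_server": servers,
            "sssd_ipa_server": sssd, "ipa_discovery_srv_names": discovery}


def client_discovery_report(realm, krb5_text, default_conf_text, sssd_conf_text):
    """Combine the three files into one view: pinned hosts vs. DNS names the client depends on."""
    kdc = krb5_kdc_lookup(parse_krb5_conf(krb5_text), realm)
    pinned = ipa_client_pinned(default_conf_text, sssd_conf_text)
    hosts = set(kdc["pinned_kdcs"]) | set(pinned["default_conf_server"])
    for vals in pinned["sssd_ipa_server"].values():
        hosts |= {v for v in vals if v != "_srv_"}
    return {**kdc, **pinned, "hard_coded_hosts": sorted(hosts),
            "dns_names_to_check": sorted(set(kdc["kdc_srv_names"] + pinned["ipa_discovery_srv_names"]))}


if __name__ == "__main__":
    report = client_discovery_report("EXAMPLE.COM", SAMPLE_KRB5_CONF,
                                     SAMPLE_IPA_DEFAULT_CONF, SAMPLE_SSSD_CONF)
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run it against the real files (cat them into the three arguments) to see, for an already enrolled client like the ones in question 2, every place the original master's name is pinned; and note that the Kerberos SRV names it lists are under the realm (example.com), which is a different DNS zone from the client's domain (west-2.production.example.com) that ipa-client-install's own discovery queries. Each name in dns_names_to_check can then be checked with dig SRV from the failing client.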