<div dir="ltr">Rob,<div><br></div><div>Full log is attached.</div><div><br></div><div>Jeff</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><span style="font-family:Arial,sans-serif">Jeff Hallyburton</span><span style="font-size:10pt;font-family:Arial,sans-serif"><br></span><span style="font-size:10pt;font-family:Arial,sans-serif">Strategic Systems Engineer<br><span style="background-image:initial;background-repeat:initial">Bloomip Inc.</span></span></div></div></div>
<br><div class="gmail_quote">On Wed, Jan 13, 2016 at 8:35 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Jeff Hallyburton wrote:<br>
> We've deployed a FreeIPA server in a client infrastructure and now we're<br>
> working on making that setup HA.  We've created a replica and I can<br>
> verify that the replica has connectivity to the existing master and<br>
> ensured that the auto-discovery DNS records are set up for LDAP /<br>
> Kerberos / etc, but I'm having a couple of issues with clients:<br>
><br>
> 1.  ipa-client-install fails with the following error whenever a server<br>
> is not explicitly specified (though explicitly specifying either the<br>
> original master OR the replica works fine):<br>
><br>
> trying <a href="https://ipa1.west-2.production.example.com/ipa/json" rel="noreferrer" target="_blank">https://ipa1.west-2.production.example.com/ipa/json</a><br>
><br>
> Cannot connect to the server due to Kerberos error: Kerberos error:<br>
> Kerberos error: ('Unspecified GSS failure.  Minor code may provide more<br>
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',<br>
</span>> -1765328230)/. Trying with delegate=True<br>
<span class="">><br>
> trying <a href="https://ipa1.west-2.production.example.com/ipa/json" rel="noreferrer" target="_blank">https://ipa1.west-2.production.example.com/ipa/json</a><br>
><br>
> Second connect with delegate=True also failed: Kerberos error: Kerberos<br>
> error: ('Unspecified GSS failure.  Minor code may provide more<br>
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',<br>
</span>> -1765328230)/<br>
<span class="">><br>
> Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos<br>
> error: ('Unspecified GSS failure.  Minor code may provide more<br>
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',<br>
</span>> -1765328230)/<br>
<span class="">><br>
> Installation failed. Rolling back changes.<br>
><br>
> Failed to list certificates in /etc/ipa/nssdb: Command<br>
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit<br>
> status 255<br>
><br>
> Unenrolling client from IPA server<br>
><br>
> Unenrolling host failed: Error obtaining initial credentials: Cannot<br>
> find KDC for requested realm.<br>
><br>
><br>
> What we see in the install logs is:<br>
><br>
> 2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm<br>
</span>> EXAMPLE.COM<br>
<span class="">><br>
> 2016-01-14T00:45:39Z DEBUG Starting external process<br>
><br>
> 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user'<br>
> 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'<br>
</span>
<span class="">><br>
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=1<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stdout=<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available<br>
><br>
><br>
> 2016-01-14T00:45:39Z DEBUG Starting external process<br>
><br>
> 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d'<br>
> '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'<br>
><br>
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=0<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stdout=<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stderr=<br>
><br>
> 2016-01-14T00:45:39Z DEBUG Starting external process<br>
><br>
> 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d'<br>
> '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'<br>
><br>
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=0<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stdout=<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stderr=<br>
><br>
> 2016-01-14T00:45:39Z DEBUG Starting external process<br>
><br>
> 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user'<br>
> 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'<br>
</span>
<span class="">><br>
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=1<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stdout=<br>
><br>
> 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available<br>
><br>
><br>
> 2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent<br>
> storage for principal<br>
> 'host/test.west-2.production.example.com@EXAMPLE.COM'<br>
</span>
<span class="">><br>
> 2016-01-14T00:45:39Z INFO trying<br>
> <a href="https://ipa1.west-2.production.example.com/ipa/json" rel="noreferrer" target="_blank">https://ipa1.west-2.production.example.com/ipa/json</a><br>
><br>
> 2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos<br>
> error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor<br>
> code may provide more information', 851968)/('Cannot find KDC for realm<br>
</span>> "EXAMPLE.COM"', -1765328230)/. Trying with<br>
<span class="">> delegate=True<br>
><br>
> 2016-01-14T00:45:39Z INFO trying<br>
> <a href="https://ipa1.west-2.production.example.com/ipa/json" rel="noreferrer" target="_blank">https://ipa1.west-2.production.example.com/ipa/json</a><br>
><br>
> 2016-01-14T00:45:39Z WARNING Second connect with delegate=True also<br>
> failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.<br>
> Minor code may provide more information', 851968)/('Cannot find KDC for<br>
</span>> realm "EXAMPLE.COM"', -1765328230)/<br>
<span class="">><br>
> 2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC<br>
> interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.<br>
> Minor code may provide more information', 851968)/('Cannot find KDC for<br>
</span>> realm "EXAMPLE.COM"', -1765328230)/<br>
<span class="">><br>
> 2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.<br>
><br>
> 2016-01-14T00:45:39Z DEBUG Loading Index file from<br>
> '/var/lib/ipa/sysrestore/sysrestore.index'<br>
><br>
> 2016-01-14T00:45:39Z DEBUG Starting external process<br>
><br>
> 2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall'<br>
> '--debug'<br>
><br>
> 2016-01-14T00:45:40Z DEBUG Process finished, return code=0<br>
><br>
> 2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration<br>
><br>
><br>
> 2.  Related to this, all of our existing clients have been configured<br>
> with explicit server= statements, meaning that they don't pick up the<br>
> replica either.  Is there any way to manually fix this post<br>
> installation, or will we simply have to uninstall and reinstall the ipa<br>
> client?<br>
<br>
</span>It would be easier to see what is going on by looking at the full<br>
/var/log/ipaclient-install.log. What we need to see is how discovery<br>
went and what the contents of various configuration files, temporary and<br>
permanent, are.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
<br>
</font></span></blockquote></div><br></div>