C Wilson via FreeIPA-users wrote:
> Hello
> 
> I'm trying to roll out a new IPA server for our development environment and 
> have nicely automated the server installation process with Ansible, but when 
> I've come to rolling out the clients I'm hitting this problem. 
> 
> When running ipa-client-install:
> ipa-client-install -N --fixed-primary --server server.domain.local --realm 
> DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 
> 'adminpassword' -U
> 
> I get the following error:
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly 
> after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> Kerberos authentication failed: kinit: Cannot contact any KDC for realm 
> 'DOMAIN.LOCAL' while getting initial credentials
> 
> 
> I've disabled the firewall on both systems, DNS resolves the server name. I 
> can nmap and telnet to the ports listed so I don't think it's a networking 
> issue. The ipa server appears to be running fine:
> 
> [root@server tmp]# service ipa status
> Redirecting to /bin/systemctl status ipa.service
> ● ipa.service - Identity, Policy, Audit
>      Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: 
> disabled)
>      Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
>    Main PID: 18336 (code=exited, status=0/SUCCESS)
>         CPU: 1.610s
> 
> Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
> Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was 
> successful
> Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
> Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
> Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
> Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
> Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
> Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
> Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
> Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
> 
> 
> Looking at the ipaclient-install.log there are lines that are semi-
> interesting, but I can't see how to progress from here to resolve the issue:
> 
> 2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 
> 'DOMAIN.LOCAL' while getting initial credentials
> 2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
> 2024-04-12T16:25:52Z DEBUG stderr=
> 2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine 
> Certificate - virt01.domain.local
> : PR_FILE_NOT_FOUND_ERROR: File not found
> 
> 
> but if I run `kinit admin@server.domain.local` it authenticates. 

The cert error is a red herring. It is looking to see if there is one
that needs to be cleaned up (there isn't).

Do you already have krb5.conf configured? Otherwise I don't know how the
KDC is contacted.

You can find the temporary krb5.conf that is used by the installer in
the log. You can put that into a file and try something like:

KRB5_CONFIG=/tmp/krb.conf KRB5_TRACE=/dev/stderr kinit admin

This should fail since this is doing the same thing as
ipa-client-install. The output may help identify what it's doing.

rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
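The diagnostic Rob describes, as an added shell example that is not part of the original thread: it writes a constructed krb5.conf in the shape ipa-client-install generates (the host names in it are assumptions for illustration; replace the file with the temporary krb5.conf copied out of ipaclient-install.log), lists which KDC entries that file actually contains for the realm, and, only when a principal is passed on the command line, runs kinit under KRB5_CONFIG and KRB5_TRACE so libkrb5 reports on stderr which config it read and which KDC addresses it tried.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the FreeIPA project.
# Reproduces the installer's kinit outside ipa-client-install, using a copy of
# the temporary krb5.conf it logs, after checking what that file points at.

# Constructed sample krb5.conf in the layout ipa-client-install writes.
# The realm and host names are assumptions for illustration only.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
  default_realm = DOMAIN.LOCAL
  dns_lookup_kdc = false

[realms]
  DOMAIN.LOCAL = {
    kdc = server.domain.local:88
    master_kdc = server.domain.local:88
    admin_server = server.domain.local:749
  }

[domain_realm]
  .domain.local = DOMAIN.LOCAL
  domain.local = DOMAIN.LOCAL
EOF
}

# Print the "kdc = host[:port]" entries for REALM from CONF, one per line.
# An empty result means the file cannot lead libkrb5 to any KDC for that realm,
# which is exactly the "Cannot contact any KDC" failure mode.
# Usage: extract_kdcs /path/to/krb5.conf DOMAIN.LOCAL
extract_kdcs() {
    awk -v realm="$2" '
        /^\[/                                  { in_realms = ($0 == "[realms]") }
        in_realms && $1 == realm && $3 == "{"  { in_realm = 1; next }
        in_realm && $1 == "}"                  { in_realm = 0 }
        in_realm && $1 == "kdc"                { print $3 }
    ' "$1"
}

# Request a TGT the same way the installer does, with libkrb5 tracing enabled.
# The trace shows the config file consulted, the realm chosen, and every KDC
# address and port that was attempted, which the bare kinit error hides.
trace_kinit() {
    conf=$1
    principal=$2
    KRB5_CONFIG="$conf" KRB5_TRACE=/dev/stderr kinit "$principal"
}

main() {
    conf=${1:-$(mktemp)}          # path to the krb5.conf copied from the log
    realm=${2:-DOMAIN.LOCAL}      # realm given to ipa-client-install --realm
    principal=$3                  # e.g. admin; the kinit run only happens if set
    [ -s "$conf" ] || write_sample_conf "$conf"
    echo "KDC entries for $realm in $conf:"
    extract_kdcs "$conf" "$realm"
    if [ -n "$principal" ]; then
        trace_kinit "$conf" "$principal@$realm"
    fi
}

main "$@"
```

Run it as `sh trace_kinit.sh /tmp/krb.conf DOMAIN.LOCAL admin` once the installer's krb5.conf is in /tmp/krb.conf. If the KDC list comes back empty, the installer never had a KDC to talk to regardless of firewall state; if it lists the server but the trace shows a different address or port than the one nmap and telnet reached, the problem is resolution or routing on the client side rather than the IPA services.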
