Hello, I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible, but when I've come to rolling out the clients I'm hitting this problem.

When running ipa-client-install:

    ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U

I get the following error:

    Please make sure the following ports are opened in the firewall settings:
    TCP: 80, 88, 389
    UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
    Also note that following ports are necessary for ipa-client working properly after enrollment:
    TCP: 464
    UDP: 464, 123 (if NTP enabled)
    Installation failed. Rolling back changes.
    Disabling client Kerberos and LDAP configurations
    nscd daemon is not installed, skip configuration
    nslcd daemon is not installed, skip configuration
    Client uninstall complete.
    Kerberos authentication failed: kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials

I've disabled the firewall on both systems, and DNS resolves the server name. I can nmap and telnet to the ports listed, so I don't think it's a networking issue. The IPA server appears to be running fine:

    [root@server tmp]# service ipa status
    Redirecting to /bin/systemctl status ipa.service
    ● ipa.service - Identity, Policy, Audit
         Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
         Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
       Main PID: 18336 (code=exited, status=0/SUCCESS)
            CPU: 1.610s

    Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
    Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
    Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
    Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
    Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
    Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
    Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
    Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
    Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
    Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.

Looking at the ipaclient-install.log there are lines that are semi-interesting, but I can't see how to progress from here to resolve the issue:

    2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
    2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
    2024-04-12T16:25:52Z DEBUG stderr=
    2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - virt01.domain.local : PR_FILE_NOT_FOUND_ERROR: File not found

But if I run `kinit admin@server.domain.local` it authenticates.

I seem to be at a dead end. How do I troubleshoot this further?

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
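The error the installer reports ("Cannot contact any KDC for realm 'DOMAIN.LOCAL'") is the Kerberos library's generic failure for every KDC candidate it tried, so it does not say by itself whether the candidates came from DNS SRV discovery or from the server name passed on the command line, nor whether the problem was reachability or a realm/principal mismatch. The shell helper below is an added example, not from the original post and not part of FreeIPA's own tooling: it drives stock utilities (getent, nc or bash's /dev/tcp, dig, kinit) and pins the KDC in a throwaway krb5.conf with DNS lookup disabled, so a kinit against that config can only fail for reachability or credential reasons. It goes slightly beyond the post by also listing the SRV owner names an MIT krb5 client queries when DNS lookup is on, which is what you would check if the pinned kinit succeeds but the unpinned one does not. The realm DOMAIN.LOCAL, the server server.domain.local and the principal admin are taken from the post; the file name kdc-probe.sh is an assumption.

```shell
#!/bin/sh
# Added diagnostic helper for the "Cannot contact any KDC" failure above.
# Not part of the original post or of FreeIPA; it only drives stock tools
# (getent, nc/bash, dig, kinit) and pins the KDC in a throwaway krb5.conf.
# Assumed values from the post: realm DOMAIN.LOCAL, server server.domain.local.

# Emit a minimal krb5.conf that names the KDC explicitly and disables
# DNS-based realm/KDC discovery, so a kinit against it can only fail on
# reachability or on a realm/principal mismatch, not on missing SRV records.
# udp_preference_limit = 1 makes the library try TCP 88 first, which is the
# port the installer insists on.
make_krb5_conf() {
  realm=$1
  kdc=$2
  cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false
  udp_preference_limit = 1

[realms]
  $realm = {
    kdc = $kdc:88
    admin_server = $kdc:749
    kpasswd_server = $kdc:464
  }
EOF
}

# SRV owner names an MIT krb5 client queries when dns_lookup_kdc is on. The
# realm name is used verbatim as the DNS label, hence the upper-case realm.
kdc_srv_records() {
  realm=$1
  printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n_kerberos-master._tcp.%s\n' \
    "$realm" "$realm" "$realm"
}

# 0 if a TCP connect to $1:$2 completes within 3 seconds, non-zero otherwise.
tcp_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else
    # bash's /dev/tcp is not POSIX, so it is invoked explicitly via bash -c.
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# Full probe: name resolution, the TCP ports the installer lists, SRV
# discovery, then a kinit that uses the pinned config with library tracing
# written to stderr (KRB5_TRACE shows every KDC address actually attempted).
kdc_probe() {
  realm=$1
  kdc=$2
  principal=$3

  printf '== resolution of %s\n' "$kdc"
  getent hosts "$kdc" || echo "no A/AAAA record or /etc/hosts entry"

  printf '== TCP ports the installer requires on %s\n' "$kdc"
  for port in 80 88 389 464; do
    if tcp_open "$kdc" "$port"; then echo "tcp/$port open"; else echo "tcp/$port CLOSED"; fi
  done

  if command -v dig >/dev/null 2>&1; then
    printf '== SRV records for realm %s\n' "$realm"
    kdc_srv_records "$realm" | while read -r name; do
      printf '%s -> ' "$name"; dig +short SRV "$name" | tr '\n' ' '; echo
    done
  fi

  conf=$(mktemp) || return 1
  make_krb5_conf "$realm" "$kdc" > "$conf"
  printf '== kinit %s@%s with pinned KDC (trace on stderr)\n' "$principal" "$realm"
  if KRB5_CONFIG=$conf KRB5_TRACE=/dev/stderr kinit "$principal@$realm"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$conf"
  return $rc
}

# Runs only when invoked with arguments, e.g.:
#   sh kdc-probe.sh DOMAIN.LOCAL server.domain.local admin
if [ $# -ge 3 ]; then
  kdc_probe "$@"
fi
```

Run it from the client that fails to enroll. If every port shows open and the pinned kinit for admin@DOMAIN.LOCAL succeeds, the KDC is reachable and the credentials are fine, and the next place to look is the installer's own generated krb5.conf and the addresses in its KRB5_TRACE output; if the pinned kinit also fails, the trace names the exact address and port the library could not reach, which is a far more specific starting point than the installer's summary message.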