Hi guys,

I'm running this version of FreeIPA:

[root@freeipa03 ~]# rpm -qa|grep freeipa
freeipa-server-selinux-2.1.90.rc1-0.fc16.x86_64
freeipa-server-2.1.90.rc1-0.fc16.x86_64
freeipa-admintools-2.1.90.rc1-0.fc16.x86_64
freeipa-client-2.1.90.rc1-0.fc16.x86_64
freeipa-python-2.1.90.rc1-0.fc16.x86_64
I'm having this problem:

[root@freeipa03 ~]# ipa-replica-install --setup-dns --no-forwarders /var/lib/ipa/replica-info-freeipa03.unix.mydomain.it.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'freeipa01.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@unix.mydomain.it password:
Cannot acquire Kerberos ticket: kinit: Invalid message type while getting initial credentials
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
-------------------

I don't have any firewall between freeipa03 and freeipa01.

This is what I have in my /var/log/messages file:

Mar 20 12:03:51 freeipa03 sssd: Starting up
Mar 20 12:03:51 freeipa03 sssd[be[unix.mydomain.it]]: Starting up
Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 2.fedora.pool.ntp.org
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Successfully called chroot().
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Successfully dropped remaining capabilities.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Loading service file /services/ssh.service.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Loading service file /services/udisks.service.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Network interface enumeration completed.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Registering HINFO record with values 'X86_64'/'LINUX'.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Server startup complete. Host name is freeipa03.local. Local service cookie is 3668475942.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Service "freeipa03" (/services/udisks.service) successfully established.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Service "freeipa03" (/services/ssh.service) successfully established.
Mar 20 12:03:52 freeipa03 systemd-logind[764]: New seat seat0.
Mar 20 12:03:53 freeipa03 sssd[pam]: Starting up
Mar 20 12:03:53 freeipa03 sssd[nss]: Starting up
Mar 20 12:03:53 freeipa03 network[765]: Bringing up loopback interface: [ OK ]
Mar 20 12:03:54 freeipa03 kernel: [ 25.724015] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Mar 20 12:03:55 freeipa03 avahi-daemon[734]: Registering new address record for fe80::20c:29ff:fedc:9788 on eth0.*.
Mar 20 12:03:56 freeipa03 avahi-daemon[734]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.146.134.
Mar 20 12:03:56 freeipa03 avahi-daemon[734]: New relevant interface eth0.IPv4 for mDNS.
Mar 20 12:03:56 freeipa03 avahi-daemon[734]: Registering new address record for 192.168.146.134 on eth0.IPv4.
Mar 20 12:03:56 freeipa03 network[765]: Bringing up interface eth0: [ OK ]
Mar 20 12:03:57 freeipa03 kernel: [ 28.697268] 8021q: 802.1Q VLAN Support v1.8
Mar 20 12:03:57 freeipa03 kernel: [ 28.697283] 8021q: adding VLAN 0 to HW filter on device eth0
Mar 20 12:03:57 freeipa03 rpc.statd[994]: Version 1.2.5 starting
Mar 20 12:03:57 freeipa03 ntpd[741]: Listen normally on 4 eth0 192.168.146.134 UDP 123
Mar 20 12:03:57 freeipa03 ntpd[741]: Listen normally on 5 eth0 fe80::20c:29ff:fedc:9788 UDP 123
Mar 20 12:03:57 freeipa03 ntpd[741]: peers refreshed
Mar 20 12:03:57 freeipa03 sm-notify[995]: Version 1.2.5 starting
Mar 20 12:03:58 freeipa03 systemd[1]: PID file /run/sendmail.pid not readable (yet?) after start.
Mar 20 12:04:04 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
Mar 20 12:04:07 freeipa03 systemd[1]: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Mar 20 12:04:09 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
Mar 20 12:04:10 freeipa03 named[1113]: starting BIND 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 -u named
Mar 20 12:04:10 freeipa03 named[1113]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Mar 20 12:04:10 freeipa03 named[1113]: ----------------------------------------------------
Mar 20 12:04:10 freeipa03 named[1113]: BIND 9 is maintained by Internet Systems Consortium,
Mar 20 12:04:10 freeipa03 named[1113]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 20 12:04:10 freeipa03 named[1113]: corporation. Support and training for BIND 9 are
Mar 20 12:04:10 freeipa03 named[1113]: available at https://www.isc.org/support
Mar 20 12:04:10 freeipa03 named[1113]: ----------------------------------------------------
Mar 20 12:04:10 freeipa03 named[1113]: adjusted limit on open files from 4096 to 1048576
Mar 20 12:04:10 freeipa03 named[1113]: found 1 CPU, using 1 worker thread
Mar 20 12:04:10 freeipa03 named[1113]: using up to 4096 sockets
Mar 20 12:04:10 freeipa03 named[1113]: loading configuration from '/etc/named.conf'
Mar 20 12:04:10 freeipa03 named[1113]: using default UDP/IPv4 port range: [1024, 65535]
Mar 20 12:04:10 freeipa03 named[1113]: using default UDP/IPv6 port range: [1024, 65535]
Mar 20 12:04:10 freeipa03 named[1113]: listening on IPv6 interfaces, port 53
Mar 20 12:04:10 freeipa03 named[1113]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 20 12:04:10 freeipa03 named[1113]: listening on IPv4 interface eth0, 192.168.146.134#53
Mar 20 12:04:10 freeipa03 named[1113]: generating session key for dynamic DNS
Mar 20 12:04:10 freeipa03 named[1113]: sizing zone task pool based on 6 zones
Mar 20 12:04:10 freeipa03 named[1113]: set up managed keys zone for view _default, file 'managed-keys.bind'
Mar 20 12:04:10 freeipa03 named[1113]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: D.F.IP6.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: A.E.F.IP6.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: B.E.F.IP6.ARPA
Mar 20 12:04:10 freeipa03 named[1113]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 20 12:04:11 freeipa03 named[1113]: command channel listening on 127.0.0.1#953
Mar 20 12:04:11 freeipa03 named[1113]: command channel listening on ::1#953
Mar 20 12:04:11 freeipa03 named[1113]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 20 12:04:11 freeipa03 named[1113]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 20 12:04:11 freeipa03 named[1113]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Mar 20 12:04:11 freeipa03 named[1113]: zone localhost.localdomain/IN: loaded serial 0
Mar 20 12:04:11 freeipa03 named[1113]: zone localhost/IN: loaded serial 0
Mar 20 12:04:11 freeipa03 named[1113]: managed-keys-zone ./IN: loaded serial 0
Mar 20 12:04:11 freeipa03 named[1113]: running
Mar 20 12:04:11 freeipa03 named[1107]: Starting named: [ OK ]
Mar 20 12:04:12 freeipa03 systemd[1]: PID file /var/run/httpd/httpd.pid not readable (yet?) after start.
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting Directory Service
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting KDC Service
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting KPASSWD Service
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting DNS Service
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting HTTP Service
Mar 20 12:04:13 freeipa03 ipactl[974]: Starting CA Service
Mar 20 12:04:14 freeipa03 ntpd_intres[773]: host name not found: 2.fedora.pool.ntp.org
Mar 20 12:04:17 freeipa03 kernel: [ 49.099554] hrtimer: interrupt took 17369081 ns
Mar 20 12:05:15 freeipa03 systemd[1]: Startup finished in 2s 98ms 878us (kernel) + 5s 40ms 620us (initrd) + 1min 40s 13ms 749us (userspace) = 1min 47s 153ms 247us.
Mar 20 12:06:18 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
Mar 20 12:06:23 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
Mar 20 12:06:28 freeipa03 ntpd_intres[773]: host name not found: 2.fedora.pool.ntp.org
Mar 20 12:09:59 freeipa03 systemd-logind[764]: New session 1 of user root.
Mar 20 12:10:35 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
Mar 20 12:10:40 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
Mar 20 12:10:45 freeipa03 ntpd_intres[773]: host name not found: 2.fedora.pool.ntp.org
Mar 20 12:16:31 freeipa03 python: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)
Mar 20 12:18:28 freeipa03 systemd-tmpfiles[1438]: Successfully loaded SELinux database in 232ms 225us, size on heap is 485K.
Mar 20 12:18:29 freeipa03 systemd-tmpfiles[1438]: Two or more conflicting lines for /var/run/dirsrv configured, ignoring.
Mar 20 12:18:29 freeipa03 systemd-tmpfiles[1438]: Two or more conflicting lines for /var/lock/dirsrv configured, ignoring.
Mar 20 12:18:48 freeipa03 ntpd_intres[773]: DNS 0.fedora.pool.ntp.org -> 212.45.144.206
Mar 20 12:18:49 freeipa03 ntpd_intres[773]: DNS 1.fedora.pool.ntp.org -> 212.45.144.88
Mar 20 12:18:49 freeipa03 ntpd_intres[773]: DNS 2.fedora.pool.ntp.org -> 77.242.176.254
Mar 20 12:19:49 freeipa03 ntpd[741]: frequency error 531 PPM exceeds tolerance 500 PPM
Mar 20 12:24:45 freeipa03 systemd-logind[764]: New session 2 of user root.
Mar 20 12:24:46 freeipa03 systemd-logind[764]: Removed session 2.
Mar 20 12:27:46 freeipa03 ntpd[741]: frequency error 558 PPM exceeds tolerance 500 PPM
Mar 20 12:29:56 freeipa03 ntpd[741]: frequency error 516 PPM exceeds tolerance 500 PPM
Mar 20 12:32:08 freeipa03 systemd[1]: pki-cad@pki-ca.service: main process exited, code=exited, status=143
Mar 20 12:32:08 freeipa03 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.
Mar 20 12:32:21 freeipa03 named[1113]: received control channel command 'stop'
Mar 20 12:32:21 freeipa03 named[1113]: shutting down: flushing changes
Mar 20 12:32:21 freeipa03 named[1113]: stopping command channel on 127.0.0.1#953
Mar 20 12:32:21 freeipa03 named[1113]: stopping command channel on ::1#953
Mar 20 12:32:21 freeipa03 named[1113]: no longer listening on ::#53
Mar 20 12:32:21 freeipa03 named[1113]: no longer listening on 127.0.0.1#53
Mar 20 12:32:21 freeipa03 named[1113]: no longer listening on 192.168.146.134#53
Mar 20 12:32:22 freeipa03 named[1113]: exiting
Mar 20 12:32:23 freeipa03 named[1538]: Stopping named: .[ OK ]
Mar 20 12:32:24 freeipa03 systemd[1]: kadmin.service: main process exited, code=exited, status=2
Mar 20 12:32:24 freeipa03 systemd[1]: Unit kadmin.service entered failed state.
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping CA Service
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping HTTP Service
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping DNS Service
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping KPASSWD Service
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping KDC Service
Mar 20 12:32:28 freeipa03 ipactl[1458]: Stopping Directory Service
Mar 20 12:36:43 freeipa03 ntpd[741]: frequency error 546 PPM exceeds tolerance 500 PPM
Mar 20 12:48:50 freeipa03 ntpd[741]: frequency error 579 PPM exceeds tolerance 500 PPM

I can add this info:

[root@freeipa03 ~]# kinit admin
kinit: Cannot contact any KDC for realm 'UNIX.MYDOMAIN.IT' while getting initial credentials

[root@freeipa03 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UNIX.MYDOMAIN.IT
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UNIX.MYDOMAIN.IT = {
  kdc = freeipa03.unix.mydomain.it:88
  admin_server = freeipa03.unix.mydomain.it:749
  default_domain = unix.mydomain.it
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .unix.mydomain.it = UNIX.MYDOMAIN.IT
 unix.mydomain.it = UNIX.MYDOMAIN.IT

[dbmodules]
# UNIX.MYDOMAIN.IT = {
#  db_library = kldap
#  ldap_servers = ldapi://%2fvar%2frun%2fslapd-UNIX-MYDOMAIN-IT.socket
#  ldap_kerberos_container_dn = cn=kerberos,dc=unix,dc=mydomain,dc=it
#  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=unix,dc=mydomain,dc=it
#  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=unix,dc=mydomain,dc=it
#  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
# }
 UNIX.MYDOMAIN.IT = {
  db_library = ipadb.so
 }

Thanks as usual,
Marco
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
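An added check for the situation in the post above, as a worked example that is neither Marco's code nor part of FreeIPA: a small Python parser for the MIT krb5.conf format that reports which KDC and admin_server the realm's static entries point at, and flags entries naming the host running the check. In the krb5.conf Marco posted, UNIX.MYDOMAIN.IT's kdc and admin_server both name freeipa03.unix.mydomain.it, the replica being installed, and dns_lookup_kdc = false means libkrb5 will not fall back to DNS SRV records for another KDC; whether that explains the conncheck failure is not something the post establishes, but it is what a practitioner would verify first. The sample config and hostnames below are constructed from the post (comment lines dropped); check_tcp() is the only function that touches the network and the sample run does not call it.

```python
"""Report the KDC/admin_server endpoints a krb5.conf [realms] block selects,
and flag ones that point back at the local host. Added example for the
thread above, not FreeIPA or MIT krb5 code."""
import re
import socket

# Constructed sample, taken from the posted /etc/krb5.conf with comments removed.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = UNIX.MYDOMAIN.IT
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 UNIX.MYDOMAIN.IT = {
  kdc = freeipa03.unix.mydomain.it:88
  admin_server = freeipa03.unix.mydomain.it:749
  default_domain = unix.mydomain.it
 }

[domain_realm]
 .unix.mydomain.it = UNIX.MYDOMAIN.IT
"""

def parse_krb5_conf(text):
    """Parse '[section]' headers, 'key = value' lines and 'NAME = { ... }'
    blocks into {section: {key: value | {subkey: [values]}}}. '#' comment
    lines are skipped; a key repeated inside a block (several kdc = lines)
    is collected into a list, as libkrb5 treats them."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*\{$', line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if block is not None:
            block.setdefault(key, []).append(value)
        else:
            section[key] = value
    return sections

def realm_endpoints(conf, realm):
    """Return [(role, host, port)] for the realm's kdc and admin_server
    entries, applying the MIT defaults (88 and 749) when no port is given."""
    defaults = {'kdc': 88, 'admin_server': 749}
    block = conf.get('realms', {}).get(realm, {})
    out = []
    for role, default_port in defaults.items():
        for entry in block.get(role, []):
            host, _, port = entry.rpartition(':')
            if not host:                      # no ':' in the entry
                host, port = entry, str(default_port)
            out.append((role, host, int(port)))
    return out

def static_kdc_only(conf):
    """True when dns_lookup_kdc is off, i.e. only the [realms] entries are
    used and no DNS SRV fallback to another KDC will happen."""
    v = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true').lower()
    return v in ('false', 'no', '0')

def self_referencing(conf, realm, local_fqdn):
    """Endpoints whose host is the machine running the check. On a replica
    still being installed, a kdc entry naming itself means kinit cannot
    reach the existing master through this config."""
    return [e for e in realm_endpoints(conf, realm)
            if e[1].lower() == local_fqdn.lower()]

def check_tcp(host, port, timeout=3.0):
    """Reachability probe in the spirit of ipa-replica-install's conncheck
    (TCP only; UDP 88/464 still need a manual check). Live network call."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    realm = conf['libdefaults']['default_realm']
    print(f'{realm}: dns_lookup_kdc off -> {static_kdc_only(conf)}')
    for role, host, port in realm_endpoints(conf, realm):
        print(f'{realm}: {role} -> {host}:{port}')
    for role, host, port in self_referencing(conf, realm, 'freeipa03.unix.mydomain.it'):
        print(f'warning: {role} {host}:{port} is this host, not the master')
```

Run it against the real file with `parse_krb5_conf(open('/etc/krb5.conf').read())` and `socket.getfqdn()` as the local name; if every endpoint is self-referencing and dns_lookup_kdc is off, a kinit on that host has no path to any other KDC regardless of what the port checks against freeipa01 report.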