Shree wrote:
Here are a couple of things

[skarulkar@ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64

What is the version on the client that is failing to enroll?

rob


and my /etc/krb5.conf looks like ..........
=======================================
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   master_kdc = ldap2.mydomain.com:88
   admin_server = ldap2.mydomain.com:749
   default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM

[dbmodules]
   MYDOMAIN.COM = {
     db_library = ipadb.so
   }

=======================================


Shreeraj
----------------------------------------------------------------------------------------


Change is the only Constant !


On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
<rcrit...@redhat.com> wrote:
Shree wrote:
 > 1) I have got a step further. My replica is not running CA Service. To
 > achieve this I had to remove the existing cert with this command
 >
 > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
 >
 > Now the replica looks like this
 >
 > [skarulkar@ldap2 tmp]$ sudo ipactl status
 > [sudo] password for skarulkar:
 > Directory Service: RUNNING
 > KDC Service: RUNNING
 > KPASSWD Service: RUNNING
 > MEMCACHE Service: RUNNING
 > HTTP Service: RUNNING
 > CA Service: RUNNING
 > [skarulkar@ldap2 tmp]$

The tracking failed with:

2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
Improper format of Kerberos configuration file.

It looks like it failed on this for most if not all the tracking. What
does /etc/krb5.conf look like?

 >
 > 2) I am still not able to add client using ipa-client-install using the
 > replica.

The temporary krb5.conf that is used during enrollment has
dns_lookup_kdc=True so it is probably trying to contact the other KDC
and failing.

What is the output of:

$ rpm -q ipa-client


rob




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
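
A structural check for the kind of file posted in this thread, as an added example (not part of the original messages, and not FreeIPA or libkrb5 code): `lint_krb5_conf` is a hypothetical, simplified linter that reports unbalanced braces, relations outside a section, and repeated keys. It is not libkrb5's parser, so a clean result does not rule out other causes of the "Improper format" error, and files under an `includedir` path need checking separately.

```python
import re

# Constructed sample, abridged from the posted file; BROKEN drops the last '}'.
POSTED = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  dns_lookup_kdc = true
[realms]
  MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   default_domain = mydomain.com
default_domain = mydomain.com
}
"""
BROKEN = POSTED.replace("\n}\n", "\n")

def lint_krb5_conf(text):
    """Return (lineno, level, message) findings for krb5.conf-style text."""
    findings, section, stack, seen, no = [], None, [], set(), 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if not stack and re.match(r"(includedir|include)\s+\S", line):
            findings.append((no, "info", "also parsed: " + line.split()[1]))
        elif line.startswith("["):
            if stack:
                findings.append((no, "error", "section starts inside unclosed '{'"))
            if not re.fullmatch(r"\[[^\[\]]+\]", line):
                findings.append((no, "error", "malformed section header"))
            section, stack = line, []
        elif line.startswith("}"):
            if not stack:
                findings.append((no, "error", "'}' without matching '{'"))
            stack = stack[:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section is None:
                findings.append((no, "error", "relation outside any [section]"))
            scope = (section, tuple(stack), key)   # key within its subsection
            if value == "{":
                stack.append(key)
            elif scope in seen:
                findings.append((no, "info", "repeated key '%s'" % key))
            seen.add(scope)
        else:
            findings.append((no, "error", "not a section, relation or brace"))
    if stack:
        findings.append((no, "error", "missing closing '}'"))
    return findings
```

On the abridged sample the linter reports only informational findings (the include directive and the repeated `default_domain`); the variant without the closing brace produces an error.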