Shree wrote:
Here are a couple of things
[skarulkar@ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64
What is the version on the client that is failing to enroll?
rob
and my /etc/krb5.conf looks like ..........
=======================================
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = ldap2.mydomain.com:88
master_kdc = ldap2.mydomain.com:88
admin_server = ldap2.mydomain.com:749
default_domain = mydomain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
default_domain = mydomain.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[dbmodules]
MYDOMAIN.COM = {
db_library = ipadb.so
}
=======================================
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
<rcrit...@redhat.com> wrote:
Shree wrote:
> 1) I have got a step furthur. My replica is not running CA Service. To
> achieve this I had to remove the existing cert with this command
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
> Now the replica looks like this
>
> skarulkar@ldap2 <mailto:skarulkar@ldap2> tmp]$ sudo ipactl status
> [sudo] password for skarulkar:
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [skarulkar@ldap2 <mailto:skarulkar@ldap2> tmp]$
The tracking failed with:
2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
Improper format of Kerberos configuration file.
It looks like it failed on this for most if not all the tracking. What
does /etc/krb5.conf look like?
>
> 2) I am still not able to add client using ipa-client-install using the
> replica.
The temporary krb5.conf that is used during enrollment has
dns_lookup_kdc=True so it is probably trying to contact the other KDC
and failing.
What is the output of:
$ rpm -q ipa-client
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users