
I've had an issue trying to install a client on a new server.

Version 3.3.3 on CentOS 7 for both client and server.

In the details below, the domain name, server host name, and IP address have
been changed.

The server is sitting behind a router with ip The server
was configured with `--enable-dns` and ` ipa.example.com
ipa` in /etc/hosts. 

firewalld has been set to open up ports for ldap, ldaps, kerberos,
kpasswd, dns, ntp, http, https on both the client and server. Port 7389
is also open on the server.

The router has been configured to forward all of the above ports through to

The client is sitting on a different network (say, behind a router with

Its /etc/hosts includes ` ipa.example.com ipa`.
Its /etc/resolv.conf includes `nameserver`

ipa-client-install fails with:

        Discovery was successful!
        Hostname: laptop-1.example.com
        Realm: EXAMPLE.COM
        DNS Domain: example.com
        IPA Server: ipa.example.com
        BaseDN: dc=example,dc=com
        Synchronizing time with KDC...
        Successfully retrieved CA cert
            Subject:     CN=Certificate Authority,O=EXAMPLE.COM
            Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
            Valid From:  Wed Sep 24 17:44:28 2014 UTC
            Valid Until: Sun Sep 24 17:44:28 2034 UTC
        Enrolled in IPA realm EXAMPLE.COM
        Created /etc/ipa/default.conf
        New SSSD config will be created
        Configured /etc/sssd/sssd.conf
        Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
        trying https://ipa.example.com/ipa/xml
        Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
        Cannot connect to the server due to Kerberos error: Kerberos
        error: ('Unspecified GSS failure.  Minor code may provide more
        information', 851968)/("Cannot contact any KDC for realm
        'EXAMPLE.COM'", -1765328228). Trying with delegate=True
        trying https://ipa.example.com/ipa/xml
        Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
        Second connect with delegate=True also failed: Kerberos error:
        ('Unspecified GSS failure.  Minor code may provide more
        information', 851968)/("Cannot contact any KDC for realm
        'EXAMPLE.COM'", -1765328228)
        Cannot connect to the IPA server XML-RPC interface: Kerberos
        error: ('Unspecified GSS failure.  Minor code may provide more
        information', 851968)/("Cannot contact any KDC for realm
        'EXAMPLE.COM'", -1765328228)
        Installation failed. Rolling back changes.
        Unenrolling client from IPA server
        Unenrolling host failed: Error obtaining initial credentials:
        Cannot contact any KDC for requested realm.
        Removing Kerberos service principals from /etc/krb5.keytab
        Disabling client Kerberos and LDAP configurations
        Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
        to /etc/sssd/sssd.conf.deleted
        Restoring client configuration files
        nscd daemon is not installed, skip configuration
        nslcd daemon is not installed, skip configuration
        Client uninstall complete.

`cat /var/log/ipaclient-install.log | grep ERROR -C 25 -m 1`

        2014-09-24T18:11:49Z INFO Configured /etc/krb5.conf for IPA
        realm EXAMPLE.COM
        2014-09-24T18:11:49Z DEBUG Starting external process
        2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
        2014-09-24T18:11:49Z DEBUG Process finished, return code=1
        2014-09-24T18:11:49Z DEBUG stdout=
        2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
        not available
        2014-09-24T18:11:49Z DEBUG Starting external process
        2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
        2014-09-24T18:11:49Z DEBUG Process finished, return code=1
        2014-09-24T18:11:49Z DEBUG stdout=
        2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
        not available
        2014-09-24T18:11:49Z DEBUG failed to find session_cookie in
        persistent storage for principal
        2014-09-24T18:11:49Z INFO trying https://ipa.example.com/ipa/xml
        2014-09-24T18:11:49Z DEBUG Created connection context.xmlclient
        2014-09-24T18:11:49Z DEBUG Try RPC connection
        2014-09-24T18:11:49Z INFO Forwarding 'ping' to server
        2014-09-24T18:12:07Z DEBUG Destroyed connection
        2014-09-24T18:12:07Z INFO Cannot connect to the server due to
        Kerberos error: Kerberos error: ('Unspecified GSS failure.
        Minor code may provide more information', 851968)/("Cannot
        contact any KDC for realm 'EXAMPLE.COM'", -1765328228). Trying
        with delegate=True
        2014-09-24T18:12:07Z INFO trying https://ipa.example.com/ipa/xml
        2014-09-24T18:12:07Z DEBUG Created connection context.xmlclient
        2014-09-24T18:12:07Z DEBUG Try RPC connection
        2014-09-24T18:12:07Z INFO Forwarding 'ping' to server
        2014-09-24T18:12:25Z WARNING Second connect with delegate=True
        also failed: Kerberos error: ('Unspecified GSS failure.  Minor
        code may provide more information', 851968)/("Cannot contact any
        KDC for realm 'EXAMPLE.COM'", -1765328228)
        2014-09-24T18:12:25Z ERROR Cannot connect to the IPA server
        XML-RPC interface: Kerberos error: ('Unspecified GSS failure.
        Minor code may provide more information', 851968)/("Cannot
        contact any KDC for realm 'EXAMPLE.COM'", -1765328228)

One possibly worthwhile note is that running tcpdump shows that the
client (local IP is trying to connect to,
the local IP of the server, which is on a different network and thus

        14:11:49.611009 IP > 
        14:11:50.645238 IP >
        Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5701517 ecr 0,nop,wscale 7], length 0
        14:11:51.648218 IP >
        Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5702520 ecr 0,nop,wscale 7], length 0
etc. etc.
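
The tcpdump observation above (the same SYN retransmitted to an address on another private network) can be turned into a repeatable check. This is an added example, not part of the original post; the capture lines, all addresses, and the `unanswered_syns` helper are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format; every address is invented.
SAMPLE = """\
14:11:49.611009 IP 192.168.1.23.51514 > 10.0.0.5.88: Flags [S], seq 1224109057, win 14600, options [mss 1460], length 0
14:11:50.645238 IP 192.168.1.23.51514 > 10.0.0.5.88: Flags [S], seq 1224109057, win 14600, options [mss 1460], length 0
14:11:51.648218 IP 192.168.1.23.51514 > 10.0.0.5.88: Flags [S], seq 1224109057, win 14600, options [mss 1460], length 0
14:11:52.100000 IP 192.168.1.23.40000 > 192.168.1.1.53: Flags [S], seq 77, win 14600, length 0
14:11:52.100900 IP 192.168.1.1.53 > 192.168.1.23.40000: Flags [S.], seq 9, ack 78, win 14480, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)


def unanswered_syns(capture, local_net):
    """Return [(dst_ip, dst_port, attempts, off_link_private)] for SYNs
    that the destination never answered."""
    net = ipaddress.ip_network(local_net)
    syns = defaultdict(int)   # (src, sport, dst, dport, seq) -> times seen
    answered = set()          # (client, cport, server, sport) that got a reply
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["flags"] == "S":
            syns[(m["src"], m["sport"], m["dst"], m["dport"], m["seq"])] += 1
        else:
            # Any other packet is stored reversed, so a reply from the
            # server matches the client's SYN flow key.
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    findings = []
    for (src, sport, dst, dport, _seq), count in syns.items():
        if (src, sport, dst, dport) in answered:
            continue
        addr = ipaddress.ip_address(dst)
        # Private address outside the client's own subnet: not routable
        # from here unless a VPN or static route exists.
        findings.append((dst, int(dport), count, addr.is_private and addr not in net))
    return findings


if __name__ == "__main__":
    for dst, port, tries, off_link in unanswered_syns(SAMPLE, "192.168.1.0/24"):
        print(f"{dst}:{port} unanswered after {tries} SYNs, off-link private={off_link}")
```

A finding with `off_link_private=True` on port 88 means the name the client resolved for the KDC points at the server's internal address rather than the forwarded one.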

