On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> kinit USER works perfectly; but I can't ssh into the client machine from
> the server without it requesting a password.
>
> I think this is a DNS issue, actually. The server isn't resolving the name
> of the client, so I'm ssh'ing with the IP address, and that's not going to
> work since it's not in the Kerberos db ("Cannot determine realm for numeric
> host address").

So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.

> Except, of course, that the server did not get its own valid Kerberos host
> certificate. It should, right? During the ipa-client-install --on-master
> step of the server install?

Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.

> In fact, the global DNS config is completely empty. But I'm going to have
> to tear down the server and rebuild because it's on the same domain as an
> AD server, and ipa-client-install finds that server rather than the new IPA
> server by default: that won't work because I want LDAP to dynamically
> update the records, and establish a trust with the AD server.
> Also we've got 2 linux DNS root servers that act as forwarders. I pointed
> the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
> to configure IPA to use them properly. So I'm sure that's where most of my
> problems lie.
>
> I've got to RTFM a bit more before I really start asking the right
> questions, I think. At that point I'll start a new thread.

Ok :-)

Martin

> thx
> anthony
>
> On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>> I am not sure what you mean. So are you saying that "kinit USER" done on
>> server fails? With what error?
>>
>> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
>>> great, thanks.
>>>
>>> On a related note: the server still doesn't get a (client) kerberos
>>> ticket, which means I can't kinit as a user and then log into a client
>>> machine without a password. Going the other way works fine, however.
>>>
>>> thx
>>> anthony
>>>
>>> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>
>>>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
>>>> the keyutils dependency fixed anyway :-)
>>>>
>>>> Martin
>>>>
>>>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>>>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway
>>>>> I reinstalled keyutils and then ran the ipa-server-install again, and
>>>>> this time it completed without error.
>>>>>
>>>>> Thanks very much, Martin and Dmitri!
>>>>>
>>>>> thx
>>>>> anthony
>>>>>
>>>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>>
>>>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>>>>>> While running ipa-server-install, it's failing out at the end with
>>>>>>>> an error regarding the client install on the server. This happens
>>>>>>>> regardless of how I input the options, but here's the latest command:
>>>>>>>>
>>>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
>>>>>>>> -n example.com -p passwd1 -a passwd2
>>>>>>>> --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
>>>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>>>>>
>>>>>>>> Runs through the entire setup and gives me this:
>>>>>>>>
>>>>>>>> [...]
>>>>>>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>>>>>> --unattended --domain example.com --server ldap-server-01.example.com
>>>>>>>> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>>>>>>>> ipa : DEBUG stdout=
>>>>>>>>
>>>>>>>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>> DNS Domain: example.com
>>>>>>>> IPA Server: ldap-server-01.example.com
>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>> New SSSD config will be created
>>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>>> Traceback (most recent call last):
>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>>>>>     sys.exit(main())
>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>>>>>     delete_persistent_client_session_data(host_principal)
>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in
>>>>>>>> delete_persistent_client_session_data
>>>>>>>>     kernel_keyring.del_key(keyname)
>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
>>>>>>>> line 99, in del_key
>>>>>>>>     real_key = get_real_key(key)
>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
>>>>>>>> line 45, in get_real_key
>>>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
>>>>>>>> key], raiseonerr=False)
>>>>>>>
>>>>>>> Is keyctl installed? Can you run it manually?
>>>>>>> Any SELinux denials?
>>>>>>
>>>>>> You are likely hitting
>>>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>>>
>>>>>> Please try installing keyutils before running ipa-server-install. It is
>>>>>> fixed in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform
>>>>>> also:
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
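The two failures discussed in this thread (a zero-length /bin/keyctl that makes the ipa-client-install --on-master step crash inside kernel_keyring, and ssh to a numeric address that Kerberos cannot map to a realm) can both be caught before running the installer. The script below is an added preflight check, not code from the thread or from FreeIPA; the keyctl paths it probes and the use of getent for the forward/reverse lookup are assumptions.

```shell
#!/bin/sh
# Added preflight checks for the two problems discussed in the thread:
#  1. keyutils installed but /bin/keyctl a 0-byte file, so ipa-client-install
#     --on-master died inside kernel_keyring.get_real_key();
#  2. ssh'ing to an IP literal, which Kerberos refuses with
#     "Cannot determine realm for numeric host address".
# keyctl locations and the getent-based lookup are assumptions, not FreeIPA code.

# 0 only if $1 exists, is executable and is not empty: a plain `command -v`
# would have accepted the zero-length keyctl seen in the thread.
binary_usable() {
    [ -x "$1" ] && [ -s "$1" ]
}

# 0 if $1 is a dotted-quad IPv4 literal (no name for Kerberos to map to a realm).
is_ipv4_literal() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# 0 if $1 forward-resolves and the reverse of its first address maps back to
# the same name, which is what Kerberos and sshd will expect to see.
dns_roundtrip_ok() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    back=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$1" ]
}

# Run all checks for the host name the IPA server/client will be known by.
preflight() {
    host=$1
    rc=0
    if ! binary_usable /usr/bin/keyctl && ! binary_usable /bin/keyctl; then
        echo "keyctl missing or zero-length: reinstall keyutils before ipa-server-install"
        rc=1
    fi
    if is_ipv4_literal "$host"; then
        echo "$host is a numeric address: use the FQDN so Kerberos can pick a realm"
        rc=1
    elif ! dns_roundtrip_ok "$host"; then
        echo "forward/reverse DNS for $host disagree: fix DNS (or forwarders) first"
        rc=1
    fi
    return $rc
}

# Example use: PREFLIGHT_HOST=ldap-server-01.example.com sh preflight.sh
if [ -n "${PREFLIGHT_HOST:-}" ]; then
    preflight "$PREFLIGHT_HOST"
fi
```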