Jeff Hallyburton wrote:
> We've deployed a FreeIPA server in a client infrastructure and now we're
> working on making that setup HA. We've created a replica and I can
> verify that the replica has connectivity to the existing master and
> ensured that the auto-discovery DNS records are set up for LDAP /
> Kerberos / etc, but I'm having a couple of issues with clients:
>
> 1. ipa-client-install fails with the following error whenever a server
> is not explicitly specified (though explicitly specifying either the
> original master OR the replica works fine):
>
> trying https://ipa1.west-2.production.example.com/ipa/json
>
> Cannot connect to the server due to Kerberos error: Kerberos error:
> Kerberos error: ('Unspecified GSS failure. Minor code may provide more
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> -1765328230)/. Trying with delegate=True
>
> trying https://ipa1.west-2.production.example.com/ipa/json
>
> Second connect with delegate=True also failed: Kerberos error: Kerberos
> error: ('Unspecified GSS failure. Minor code may provide more
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> -1765328230)/
>
> Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos
> error: ('Unspecified GSS failure. Minor code may provide more
> information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
> -1765328230)/
>
> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
>
> Unenrolling client from IPA server
>
> Unenrolling host failed: Error obtaining initial credentials: Cannot
> find KDC for requested realm.
>
>
> What we see in the install logs is:
>
> 2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/test.west-2.production.example....@example.com'
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> 2016-01-14T00:45:39Z DEBUG stdout=
> 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> 2016-01-14T00:45:39Z DEBUG stdout=
> 2016-01-14T00:45:39Z DEBUG stderr=
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> 2016-01-14T00:45:39Z DEBUG stdout=
> 2016-01-14T00:45:39Z DEBUG stderr=
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/test.west-2.production.example....@example.com'
> 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> 2016-01-14T00:45:39Z DEBUG stdout=
> 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> 2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent storage for principal 'host/test.west-2.production.example....@example.com'
> 2016-01-14T00:45:39Z INFO trying https://ipa1.west-2.production.example.com/ipa/json
> 2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True
> 2016-01-14T00:45:39Z INFO trying https://ipa1.west-2.production.example.com/ipa/json
> 2016-01-14T00:45:39Z WARNING Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
> 2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
> 2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.
> 2016-01-14T00:45:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2016-01-14T00:45:39Z DEBUG Starting external process
> 2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall' '--debug'
> 2016-01-14T00:45:40Z DEBUG Process finished, return code=0
> 2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration
>
> 2. Related to this, all of our existing clients have been configured
> with explicit server= statements, meaning that they don't pick up the
> replica either. Is there any way to manually fix this post
> installation, or will we simply have to uninstall and reinstall the ipa
> client?
It would be easier to see what is going on by looking at the full /var/log/ipaclient-install.log. What we need to see is how discovery went and what the contents of various configuration files, temporary and permanent, are.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
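The reason the configuration files matter for both questions is that a client can locate its KDC in one of two ways: through explicit `kdc =` entries in the realm's `[realms]` block, or, when there are none and `dns_lookup_kdc` is on, through DNS SRV records named after the realm. The following checker is an added example written for this thread, not code from the poster, from Rob, or from FreeIPA. The two `krb5.conf` samples are constructed to resemble what `ipa-client-install` is assumed to write with and without `--server`; the function names and the replica hostname `ipa2.west-2.production.example.com` are invented for illustration.

```python
"""Added example: inspect which mechanism a krb5.conf relies on to find the
KDC, print the SRV names to verify, and add a replica to an explicit realm
block after the fact. Samples below are constructed, not the poster's files."""
import re

# Constructed sample 1: discovery-style config (KDCs located through DNS SRV).
KRB5_DISCOVERY = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false

[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .west-2.production.example.com = EXAMPLE.COM
  west-2.production.example.com = EXAMPLE.COM
"""

# Constructed sample 2: --server style config (explicit KDC, DNS lookup off).
KRB5_EXPLICIT = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa1.west-2.production.example.com:88
    master_kdc = ipa1.west-2.production.example.com:88
    admin_server = ipa1.west-2.production.example.com:749
    default_domain = west-2.production.example.com
  }
"""

# SRV owner-name prefixes MIT krb5 queries, under the realm name lowercased.
SRV_PREFIXES = ("_kerberos._udp", "_kerberos._tcp",
                "_kerberos-master._udp", "_kpasswd._udp")


def parse_krb5(text):
    """Minimal krb5.conf parser: [section] headers, key = value lines and one
    level of NAME = { ... } blocks. Repeated keys (kdc = ...) become lists."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{") and "=" in line:
            block = section.setdefault(line.split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = block if block is not None else section
            target.setdefault(key, []).append(value)
    return conf


def kdc_sources(text, realm):
    """Where libkrb5 will look for REALM's KDC with this config: explicit
    kdc= entries win; otherwise DNS SRV is used only if dns_lookup_kdc is on."""
    conf = parse_krb5(text)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    dns_on = flag.lower() in ("true", "yes", "1")
    explicit = list(conf.get("realms", {}).get(realm, {}).get("kdc", []))
    srv_names = ([f"{p}.{realm.lower()}" for p in SRV_PREFIXES]
                 if dns_on and not explicit else [])
    return {"explicit": explicit, "dns_lookup_kdc": dns_on, "srv_names": srv_names}


def add_kdc(text, realm, host, port=88):
    """Append 'kdc = host:port' to REALM's block after any existing kdc lines
    (the post-install fix for a client installed with --server). Idempotent."""
    entry = f"{host}:{port}"
    if entry in kdc_sources(text, realm)["explicit"]:
        return text
    pat = re.compile(r"(^[ \t]*" + re.escape(realm) +
                     r"[ \t]*=[ \t]*\{[ \t]*\n)(.*?)(^[ \t]*\}[ \t]*$)", re.M | re.S)
    m = pat.search(text)
    if m is None:
        raise KeyError(f"no [realms] block for {realm}")
    lines = m.group(2).splitlines(keepends=True)
    indent = lines[0][: len(lines[0]) - len(lines[0].lstrip())] if lines else "    "
    at = max((i + 1 for i, l in enumerate(lines) if l.strip().startswith("kdc ")), default=0)
    lines.insert(at, f"{indent}kdc = {entry}\n")
    return text[: m.start(2)] + "".join(lines) + text[m.end(2):]


if __name__ == "__main__":
    for label, cfg in (("discovery", KRB5_DISCOVERY), ("explicit", KRB5_EXPLICIT)):
        src = kdc_sources(cfg, "EXAMPLE.COM")
        print(f"{label}: explicit={src['explicit']} dns_lookup_kdc={src['dns_lookup_kdc']}")
        for name in src["srv_names"]:
            print(f"  check from the client: dig +short SRV {name}")
    # Hypothetical replica name, assumed for the example.
    print(add_kdc(KRB5_EXPLICIT, "EXAMPLE.COM", "ipa2.west-2.production.example.com"))
```

Two caveats the output makes visible. First, in the discovery shape libkrb5 derives the SRV owner name from the realm, so for realm EXAMPLE.COM it queries `_kerberos._udp.example.com`, whereas the installer's own discovery walks the client's DNS domain (`_ldap._tcp.west-2.production.example.com` and the `_kerberos` TXT record); having the LDAP records in place therefore does not by itself prove that the Kerberos SRV names resolve from the client, which is what the printed `dig` lines check. Second, the explicit form is not confined to `krb5.conf`: `/etc/ipa/default.conf` carries `server =` and `/etc/sssd/sssd.conf` carries `ipa_server =` (which accepts a comma-separated list and the `_srv_` token for DNS discovery), so a hand-edit for question 2 would have to cover those files as well; whether that is a supported alternative to reinstalling the client is the question the thread leaves open.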