[Freeipa-users] [SOLVED] Re: gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing) - SOLVED

2013-12-01 Thread Dmitri Pal
On 12/01/2013 06:34 PM, Les Stott wrote:

Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing) - SOLVED

2013-12-01 Thread Les Stott
Alexander, Petr, Martin,

Sorry for the delay, it was the weekend.

With your guidance I have figured out the issue. Using tcpdump I saw some references to a NIS domain that had been set up on the box. This was different to the domain name I set up for FreeIPA. Arp was also only showing short hostnames.

I modified /etc/nsswitch.conf so that nis was not in the picture:

hosts: files dns

Then ipa-client-install ran without problems. (It reset nsswitch.conf back to include nis afterwards.)

Installing keyutils fixed the other error too.

Thanks for all your help.

Regards,

Les

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Saturday, 30 November 2013 12:32 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname 
when running ipa-client-install (and failing)

On Fri, 29 Nov 2013, Les Stott wrote:
>Hi,
>
>Recently installed FreeIPA on two servers in multi-master mode. We want to have a central authentication system for many hosts. The environment is RHEL 6.4 for the servers and RHEL 6.1 for the first client host, with standard rpm packages used: ipa-server-3.0.0-26.el6_4.4.x86_64 and ipa-client-3.0.0-37.el6.x86_64.
>
>I am now trying to add the first Linux host to FreeIPA via ipa-client-install.
>
>When I run ipa-client-install on a host in debug mode it fails with the errors below (I have changed hostnames and IPs: freeipa-1.mydomain.com 192.168.1.22 and freeipa-2.mydomain.com 192.168.1.23; the client host is host1, 192.168.1.15).
>
>trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
>get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: 
>GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
>information (Server ldap/freeip...@mydomain.com not found in Kerberos 
>database)
>{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
>failure.  Minor code may provide more information (Server 
>ldap/freeip...@mydomain.com not found in Kerberos database)', 'desc': 
>'Local error'}
>
>The Kerberos logs on the server (freeipa-1) show:
>Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@MYDOMAIN.COM for HTTP/freeip...@mydomain.com, Server not found in Kerberos database
>
>The logs indicate that the service name is being used with the short hostname (HTTP/freeip...@mydomain.com). The FreeIPA server has records for HTTP/freeipa-1.mydomain@mydomain.com; I can see these in the web interface. I believe this is where it is stumbling.
>
>I've been banging my head against the wall on this one for a couple of days. Everything I've found says make sure you have working DNS, make sure you can reverse-lookup IPs, make sure hostnames are FQDNs, make sure /etc/hosts on the server has the servers' IPs listed with the FQDN first and the short name second. I've done all that.
>
>I am using external DNS (not integrated with FreeIPA), and have populated all the records required as per the sample config files provided during install. My time servers are other servers too, but that shouldn't matter; everything is in sync.
>
>; for Kerberos Auto Discovery
>; ldap servers
>_ldap._tcp              IN SRV 0 100 389 freeipa-1.mydomain.com.
>_ldap._tcp              IN SRV 0 100 389 freeipa-2.mydomain.com.
>
>; kerberos realm
>_kerberos               IN TXT MYDOMAIN.COM
>
>; kerberos servers
>_kerberos._tcp          IN SRV 0 100 88  freeipa-1.mydomain.com.
>_kerberos._tcp          IN SRV 0 100 88  freeipa-2.mydomain.com.
>_kerberos._udp          IN SRV 0 100 88  freeipa-1.mydomain.com.
>_kerberos._udp          IN SRV 0 100 88  freeipa-2.mydomain.com.
>_kerberos-master._tcp   IN SRV 0 100 88  freeipa-1.mydomain.com.
>_kerberos-master._tcp   IN SRV 0 100 88  freeipa-2.mydomain.com.
>_kerberos-master._udp   IN SRV 0 100 88  freeipa-1.mydomain.com.
>_kerberos-master._udp   IN SRV 0 100 88  freeipa-2.mydomain.com.
>_kpasswd._tcp           IN SRV 0 100 464 freeipa-1.mydomain.com.
>_kpasswd._tcp           IN SRV 0 100 464 freeipa-2.mydomain.com.
>_kpasswd._udp           IN SRV 0 100 464 freeipa-1.mydomain.com.
>_kpasswd._udp           IN SRV 0 100 464 freeipa-2.mydomain.com.
>
>; ntp servers
>_ntp._udp               IN SRV 0 100 123 ntp1.mydomain.com.
>_ntp._udp               IN SRV 0 100 123 ntp2.mydomain.com.
>
>Reverse DNS entries are also available, and both FreeIPA servers and the host I am trying to configure ipa-client on can do lookups and receive FQDNs. They can all do reverse lookups that resolve correctly.
>
>I have read that when using SASL/GSSAPI (Kerberos) authentication, it's possible that the service provider sets the principal name (SPN) to "ldap/servername" in the TGS_REQ based