Re: [Freeipa-users] Problem installing client on server
tomasz.napier...@allegro.pl wrote:
> On 4 lis 2011, at 14:52, Rob Crittenden wrote:
>
> > Can you provide more context from the client install log (or the whole log)?
>
> Sure:
> http://pastie.org/2810505
>
> One more thing: in that domain (.dc2) there is already working IPA 1.x, and we
> have DNS entries pointing to that installation. It might be KDC autodiscovery
> issue, but how can I disable auto discovery?
>
> Regards,

I'm not really sure what is going on. It could be that there is some interference from the v1 server but we pass enough arguments into the client installer that it shouldn't need to do much.

It would help if you instrumented ipa-client-install to display the value of ret when it is failing so we can know specifically why it failed.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Problem installing client on server
On Fri, 2011-11-04 at 17:07 +0100, tomasz.napier...@allegro.pl wrote:
> On 4 lis 2011, at 16:57, Simo Sorce wrote:
>
> > Not necessarily related to your problem, but in general I would strongly
> > suggest all freeipa users to:
> >
> > a) use domain names that are longer than a single component
> > (for example in your case 'ipa.dc2' instead of just 'dc2')
> >
> > b) let the kerberos realm exactly match the domain name.
> > (In your case let it be 'IPA.DC2')
> >
> > We do not enforce these rules but not following them can cause you
> > additional headaches in some cases.
>
> I know that from 1.x deployment. Unfortunately adding another domain
> would completely destroy our infrastructure management tools ;)

You seem to be in one of those corner cases for which we decided to not enforce those rules programmatically ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Problem installing client on server
On 4 lis 2011, at 16:57, Simo Sorce wrote:

> Not necessarily related to your problem, but in general I would strongly
> suggest all freeipa users to:
>
> a) use domain names that are longer than a single component
> (for example in your case 'ipa.dc2' instead of just 'dc2')
>
> b) let the kerberos realm exactly match the domain name.
> (In your case let it be 'IPA.DC2')
>
> We do not enforce these rules but not following them can cause you
> additional headaches in some cases.

I know that from 1.x deployment. Unfortunately adding another domain would completely destroy our infrastructure management tools ;)

Regards,
--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, under KRS number 268796, with share capital of 33 474 500 zł, tax identification number NIP: 5272525995.
Re: [Freeipa-users] Problem installing client on server
On Fri, 2011-11-04 at 16:43 +0100, tomasz.napier...@allegro.pl wrote:
> On 4 lis 2011, at 14:52, Rob Crittenden wrote:
>
> > Can you provide more context from the client install log (or the whole log)?
>
> Sure:
> http://pastie.org/2810505
>
> One more thing: in that domain (.dc2) there is already working IPA 1.x, and we
> have DNS entries pointing to that installation. It might be KDC autodiscovery
> issue, but how can I disable auto discovery?

Not necessarily related to your problem, but in general I would strongly suggest all freeipa users to:

a) use domain names that are longer than a single component
(for example in your case 'ipa.dc2' instead of just 'dc2')

b) let the kerberos realm exactly match the domain name.
(In your case let it be 'IPA.DC2')

We do not enforce these rules but not following them can cause you additional headaches in some cases.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
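The two naming rules from the message above, applied as a pre-flight check to the install command quoted in this thread. This is an added example, not part of the thread and not FreeIPA code; the function names and finding codes are hypothetical.

```python
import shlex

NAMING_OPTS = ("--domain", "--realm")

def parse_install_args(command):
    """Return {'domain': ..., 'realm': ...} from an ipa-client-install command line."""
    opts = {}
    tokens = shlex.split(command)
    i = 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name in NAMING_OPTS:
            if not sep:  # "--domain dc2" form: the value is the next token
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            opts[name[2:]] = value
        i += 1
    return opts

def check_naming(opts):
    """Apply rules (a) and (b); return a list of (code, message) findings."""
    domain = opts.get("domain", "").rstrip(".")
    realm = opts.get("realm", "")
    findings = []
    # Rule (a): the domain should have more than one component.
    if domain and "." not in domain:
        findings.append(("single-label-domain",
                         "domain '%s' has a single component" % domain))
    # Rule (b): the realm should be the domain name (upper-cased).
    if domain and realm and realm != domain.upper():
        findings.append(("realm-domain-mismatch",
                         "realm '%s' does not match domain '%s' (expected '%s')"
                         % (realm, domain, domain.upper())))
    return findings

def finding_codes(command):
    """Convenience wrapper: only the finding codes for a command line."""
    return [code for code, _ in check_naming(parse_install_args(command))]

# Command line as quoted in the original report in this thread.
THREAD_COMMAND = ("/usr/sbin/ipa-client-install --on-master --unattended "
                  "--domain dc2 --server ipa20-test.dc2 --realm GATECH "
                  "--hostname ipa20-test.dc2")

if __name__ == "__main__":
    for code, message in check_naming(parse_install_args(THREAD_COMMAND)):
        print(code + ": " + message)
```
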
Re: [Freeipa-users] Problem installing client on server
On 4 lis 2011, at 14:52, Rob Crittenden wrote:

> Can you provide more context from the client install log (or the whole log)?

Sure:
http://pastie.org/2810505

One more thing: in that domain (.dc2) there is already working IPA 1.x, and we have DNS entries pointing to that installation. It might be KDC autodiscovery issue, but how can I disable auto discovery?

Regards,
--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/
Re: [Freeipa-users] Problem installing client on server
tomasz.napier...@allegro.pl wrote:
> Hi,
>
> We are (again) evaluating FreeIPA 2.x and I run into troubles installing client on ipa server. It happened before on other server, but I thought it might be due to the fact, that FreeIPA was installed and uninstalled there for several times. This time it's a fresh install.
>
> [root@ipa20-test ~]# rpm -qa |grep freeipa
> freeipa-client-2.1.3-2.fc15.x86_64
> freeipa-admintools-2.1.3-2.fc15.x86_64
> freeipa-server-selinux-2.1.3-2.fc15.x86_64
> freeipa-python-2.1.3-2.fc15.x86_64
> freeipa-server-2.1.3-2.fc15.x86_64
>
> Last lines from output:
>
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.iQ1QBH.db
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2' returned non-zero exit status 1
>
> Launching it again:
>
> [root@ipa20-test ~]# /usr/sbin/ipa-client-install --on-master --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2
> Failed to verify that ipa20-test.dc2 is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> ipaclient-install.log:
>
> 2011-11-04 14:11:18,799 DEBUG Init ldap with: ldap://ipa20-test.dc2:389
> 2011-11-04 14:11:18,812 DEBUG Search LDAP server for IPA base DN
> 2011-11-04 14:11:18,814 DEBUG Check if naming context 'dc=gatech' is for IPA
> 2011-11-04 14:11:18,815 DEBUG Naming context 'dc=gatech' is a valid IPA context
> 2011-11-04 14:11:18,815 DEBUG Search for (objectClass=krbRealmContainer) in dc=gatech(sub)
> 2011-11-04 14:11:18,816 DEBUG Found: [('cn=GATECH,cn=kerberos,dc=gatech', {'krbSubTrees': ['dc=gatech'], 'cn': ['GATECH'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
> 2011-11-04 14:11:18,817 DEBUG will use domain: dc2
> 2011-11-04 14:11:18,817 DEBUG will use server: ipa20-test.dc2
>
> Anyone have a clue what might be the reason?
>
> Regards,

Can you provide more context from the client install log (or the whole log)?

rob