Hello all.

First want to thank everyone for all the hard work going into
continually making this platform a better and better offering.

I'm running into some challenges though in joining clients to a
relatively fresh install for a client.  I have a pair of replicating IPA
nodes that are responding on all ports and services as expected.  If I
make manual connections to the nodes from clients, I am able to talk
successfully via the various services (LDAP, KRB, DNS, NTP).

My trouble comes when trying to join clients to the IPA servers. 

If I run the following:
=====
ipa-client-install -p admin --mkhomedir --hostname=`hostname` -d
=====

The client looks up all the name records correctly, prompts for the
admin credentials, then starts exchanging certs, making https calls, and
so on, but never completes successfully in joining the client.  I keep
getting the dreaded "Client uninstall complete." whenever the
client-install completes.

Parsing through the /var/log/ipaclient-install.log, I see what I believe
to be the culprit component of the join process:
=====
...[output truncated]...

2018-01-15T21:55:24Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2018-01-15T21:55:24Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.XYZ.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  IPA.XYZ.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .xyz.com = IPA.XYZ.COM
  xyz.com = IPA.XYZ.COM



2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm
IPA.XYZ.COM
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/sfca-do-1.xyz....@ipa.xyz.com
2018-01-15T21:55:24Z DEBUG Process finished, return code=1
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=keyctl_search: Required key not available

2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=/usr/bin/certutil -d /tmp/tmpoXIXYU -N
-f /tmp/tmpfNulOs
2018-01-15T21:55:24Z DEBUG Process finished, return code=0
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=/usr/bin/certutil -d /tmp/tmpoXIXYU -A
-n CA certificate 1 -t C,,
2018-01-15T21:55:24Z DEBUG Process finished, return code=0
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=/usr/bin/certutil -d /tmp/tmpoXIXYU -A
-n CA certificate 2 -t C,,
2018-01-15T21:55:24Z DEBUG Process finished, return code=0
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=/usr/bin/certutil -d /tmp/tmpoXIXYU -A
-n CA certificate 3 -t C,,
2018-01-15T21:55:24Z DEBUG Process finished, return code=0
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=/usr/bin/certutil -d /tmp/tmpoXIXYU -A
-n CA certificate 4 -t C,,
2018-01-15T21:55:24Z DEBUG Process finished, return code=0
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=
2018-01-15T21:55:24Z DEBUG Starting external process
2018-01-15T21:55:24Z DEBUG args=/usr/bin/certutil -d /tmp/tmpoXIXYU -A
-n CA certificate 5 -t C,,
2018-01-15T21:55:24Z DEBUG Process finished, return code=0
2018-01-15T21:55:24Z DEBUG stdout=
2018-01-15T21:55:24Z DEBUG stderr=
2018-01-15T21:55:24Z DEBUG failed to find session_cookie in persistent
storage for principal 'host/sfca-do-1.xyz....@ipa.xyz.com'
2018-01-15T21:55:24Z INFO trying https://sfca-do-4.ipa.xyz.com/ipa/json
2018-01-15T21:55:24Z DEBUG Created connection
context.rpcclient_140336485358096
2018-01-15T21:55:24Z DEBUG Try RPC connection
2018-01-15T21:55:24Z INFO Forwarding 'ping' to json server
'https://sfca-do-4.ipa.xyz.com/ipa/json'
2018-01-15T21:55:24Z DEBUG Destroyed connection
context.rpcclient_140336485358096
2018-01-15T21:55:24Z INFO Cannot connect to the server due to Kerberos
error: Major (851968): Unspecified GSS failure.  Minor code may provide
more information, Minor (2529639066): Cannot find KDC for realm
"IPA.XYZ.COM". Trying with delegate=True
2018-01-15T21:55:24Z INFO trying https://sfca-do-4.ipa.xyz.com/ipa/json
2018-01-15T21:55:24Z DEBUG Created connection
context.rpcclient_140336485358096
2018-01-15T21:55:24Z DEBUG Try RPC connection
2018-01-15T21:55:24Z INFO Forwarding 'ping' to json server
'https://sfca-do-4.ipa.xyz.com/ipa/json'
2018-01-15T21:55:24Z WARNING Second connect with delegate=True also
failed: Major (851968): Unspecified GSS failure.  Minor code may provide
more information, Minor (2529639066): Cannot find KDC for realm
"IPA.XYZ.COM"
2018-01-15T21:55:24Z ERROR Cannot connect to the IPA server RPC
interface: Major (851968): Unspecified GSS failure.  Minor code may
provide more information, Minor (2529639066): Cannot find KDC for realm
"IPA.XYZ.COM"
2018-01-15T21:55:24Z ERROR Installation failed. Rolling back changes.
=====

But where I'm confused is in why I keep hitting this 'cannot find kdc'
error.

I have tried manually setting /etc/krb5.conf to the contents that get
generated & display during the verbose client-install process (as seen
above), that manually spell out the KDC details, and am able to run a
'kinit admin' just fine from the CLI on the client, so kerberos DOES
function from the client.  It talks to the KDC beautifully and
authenticates just fine... so I'm not sure how the client-install
process is getting confused/lost when trying to find/contact the KDC.

Any hints or suggestions are greatly appreciated.  I'm essentially stuck
on finishing roll-out of these IPA servers into production because of
this one component.

Thanks,
-Chris




Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to