Server:
=====
[root@sfca-do-4 ~]# ipa --version
VERSION: 4.4.4, API_VERSION: 2.215

[root@sfca-do-4 ~]# cat /etc/fedora-release
Fedora release 25 (Twenty Five)


Client Node:
=====
root@sfca-do-1:~# ipa-client-install --version
4.3.1

root@sfca-do-1:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04


I should also mention that my Ubuntu 14.04 nodes cannot join either, and
they have different freeipa-client versions in their repos and are
throwing some different log data if that's of any possible help.  The
only system that's been able to ipa-client-install join is the IPA
replication mate which is running the same rev of Fedora and
ipa-client/server.


Some more background, these servers for this client were recently built
and configured to use letsencrypt certificates so they can provide
public and ssl-accepted interfaces to users that this client services. 
Not sure if certificates and CAs could perhaps be playing into a
client-join (since I see no complaint about them in the install logs on
this client), but wanted to mention it anyway just in case there's some
reason that letsencrypt issued certs are perhaps factoring in.  Other
clients I service have successfully used similar setups to what I'm
trying to build currently, but were running on the 3.x services of IPA. 
This is my first pass at standing up functioning 4.x IPA servers.


Other replies inline.

On 1/17/18 2:36 PM, Rob Crittenden via FreeIPA-users wrote:
> Chris Moody wrote:
>> Thanks for taking a look gents.  Ask and ye shall receive.  :)
>>
> What version of IPA is this and what platform?
>
> Before an install can you ensure that there is nothing in
> /etc/krb5.conf.d/ (except maybe crypto-policies)?
There is no /etc/krb5.conf.d/ dir on the client node.  I have tried with
both the system defaults in the /etc/krb5.conf file as well as with the
contents generated/output by the ipa-client-install command as I
mentioned initially if that's the component you're questioning.
>
> Same with /var/lib/sss/pubconf/krb5.include.d/
On client node:
root@sfca-do-1:~# ls -l /var/lib/sss/pubconf/krb5.include.d/
total 0

>
> Might also be interesting to try to force a specific master by adding
> --server <fqdn of master> to the install line, just to see.
>
> I'm guessing the client is old as it doesn't appear to support the
> newer-style ipa-getkeytab:
Hmm... This client is fully updated/upgraded for any packages installed
via the Ubuntu repos.  Is the client version 4.3.1 not recent?  I can
manually add a different repo or pull source if need be to get whichever
client version you think might help.
>
> 2018-01-17T02:11:50Z DEBUG args=/usr/sbin/ipa-join -s
> sfca-do-4.ipa.xyz.com -b dc=ipa,dc=xyz,dc=com -h sfca-do-1.xyz.com
> 2018-01-17T02:11:51Z DEBUG Process finished, return code=0
> 2018-01-17T02:11:51Z DEBUG stdout=
> 2018-01-17T02:11:51Z DEBUG stderr=Failed to parse result: Failed to
> decode GetKeytab Control.
>
> Retrying with pre-4.0 keytab retrieval method...
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=IPA.xyz.COM
>
> 2018-01-17T02:11:51Z INFO Enrolled in IPA realm IPA.xyz.COM
>
> It does look like it enrolls ok and gets a keytab.
>
> Note too that just about this it is able to get a TGT for the admin user
> via kinit:
>
> 2018-01-17T02:11:50Z DEBUG args=/usr/bin/kinit ad...@ipa.xyz.com -c
> /tmp/krbccCNSUmS/ccache
>
> The only difference between Kerberos usage between the enrollment and
> the rest is that during enrollment a fixed KDC is defined in the
> temporary krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = IPA.xyz.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   IPA.xyz.COM = {
>     kdc = sfca-do-4.ipa.xyz.com:88
>     master_kdc = sfca-do-4.ipa.xyz.com:88
>     admin_server = sfca-do-4.ipa.xyz.com:749
>     default_domain = xyz.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>
>   }
>
> [domain_realm]
>   .xyz.com = IPA.xyz.COM
>   xyz.com = IPA.xyz.COM
>
>
> It is failing trying to autodiscover things later:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = IPA.xyz.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   IPA.xyz.COM = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>
>   }
>
>
> [domain_realm]
>   .xyz.com = IPA.xyz.COM
>   xyz.com = IPA.xyz.COM
>
> Discovery appears to be working as expected:
>
> 2018-01-17T02:11:41Z DEBUG Search DNS for TXT record of _kerberos.xyz.com
> 2018-01-17T02:11:41Z DEBUG DNS record found: "IPA.xyz.COM"
> 2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of
> _kerberos._udp.xyz.com
> 2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 88
> sfca-do-4.ipa.xyz.com.
>
> So I'm not entirely sure what is happening.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
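As an added diagnostic example (not code from the thread, from FreeIPA or from MIT krb5), a small Python check that parses a krb5.conf and answers the question Rob raises: under each of the two configs, where would the client get its KDC from? It assumes a constructed SRV table holding only the record the installer's discovery log shows, and it models the MIT libkrb5 rule that with dns_lookup_kdc on the query goes to _kerberos._udp.<realm> (the realm name used as a DNS name); whether records exist under that name is not something the thread shows.

```python
# Constructed samples: trimmed copies of the two krb5.conf variants quoted in the
# thread (fixed KDC during enrollment vs. DNS discovery afterwards).
FIXED_KDC_CONF = """
[libdefaults]
  dns_lookup_kdc = false
[realms]
  IPA.xyz.COM = {
    kdc = sfca-do-4.ipa.xyz.com:88
  }
"""
DNS_CONF = """
[libdefaults]
  dns_lookup_kdc = true
[realms]
  IPA.xyz.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""
# Constructed SRV table, in the form the install log prints answers; it holds only
# the record the log shows (published under the DNS domain, not the realm name).
SRV_TABLE = {"_kerberos._udp.xyz.com": ["10 100 88 sfca-do-4.ipa.xyz.com."]}
def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: [values]}} with realm blocks nested."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or (section is None and not line.startswith("[")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line.split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, val = line.partition("=")
            (block if block is not None else section).setdefault(key.strip(), []).append(val.strip())
    return conf
def parse_srv(answer):  # '10 100 88 host.' -> (priority, weight, port, host), as the log prints it
    prio, weight, port, host = answer.split()
    return int(prio), int(weight), int(port), host.rstrip(".")
def kdc_sources(conf, realm, srv_table):
    """Where libkrb5 would get KDCs for realm: ('config'|'dns'|'none', ['host:port', ...])."""
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        return "config", explicit
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower() not in ("true", "yes", "1"):
        return "none", []
    # With dns_lookup_kdc on, libkrb5 queries _kerberos._udp.<realm>, the realm used as a DNS name.
    records = sorted(parse_srv(a) for a in srv_table.get("_kerberos._udp." + realm.lower(), []))
    return "dns", ["%s:%d" % (host, port) for _, _, port, host in records]
```

Running kdc_sources over the real /etc/krb5.conf and a table built from `dig SRV` answers shows whether a client that enrolled fine with a fixed KDC is later left with no KDC at all once discovery takes over.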

