On 03/05/2021 13:58, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
Hi guys

I do not see any clear problems and no errors in client log but each
time I try to install client process stops:
...
No SRV records of NTP servers found and no NTP server or pool address
was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from
http://c8kubermaster2.ton.mko.priv.com/ipa/config/ca.crt ?
(this is INSECURE) [no]:
---
If I go with 'yes' as the answer then:
...
Joining realm failed: SASL Bind failed
     Invalid credentials

Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information
----
One thing is new and different from all freeIPA deployments I have done
in the past, namely
REALM =! FQDN
but both share a "top level/part".
I do not think about that being the root cause.
Client install would succeed if I gave it:
--server= --domain= --realm= (which is a bit weird because those seem to get
discovered as expected)

Any thoughts on routes of troubleshooting are very appreciated.
many thanks, L.
You need to read the client install log carefully to ensure it is
discovering the expected domain/realm/server.

After providing enrollment credentials those are used to retrieve the CA
certificate over LDAP and if that fails, it falls back to HTTP.

Given the enrollment is failing with a bind error perhaps it is as
simple as a bad password. That or you're binding to a different server
than you are expecting.

rob

Thanks.
I mentioned that if I gave client install: --server= --domain= --realm= (using values discovered) then installation succeeds.
I also hit, if not "Do you want to download the CA...", then:
...
Configured /etc/krb5.conf for IPA realm MKO.PRIV.COM
Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "....
...
unless I give it --ser.....
Most certainly it's not a password issue.
I can reproduce it every time, including fresh deployment. I see this when REALM =! FQDN, e.g. MKO.PRIV.COM vs ton.uk.mko.priv.com

ipa-server-4.9.2-3.module_el8.5.0+750+c59b186b.x86_64

many thanks, L.
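Rob's advice is to confirm what the client actually discovered (domain, realm, server). The script below is an added example, not FreeIPA's code: a simplified offline model of the DNS discovery ipa-client-install does (walk up the client's parent domains looking for an _ldap._tcp SRV record, then take the realm from a _kerberos TXT record, falling back to the upper-cased domain), with a check against the values you expect. The DNS record table is constructed; the hostnames are the ones from this thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Records = Dict[str, Dict[str, List[str]]]

# Constructed DNS data (name -> {rtype: [values]}); names reuse the thread's
# but the zone content is invented for the example.
DNS: Records = {
    "_ldap._tcp.mko.priv.com": {"SRV": ["c8kubermaster2.ton.mko.priv.com"]},
    "_kerberos.mko.priv.com": {"TXT": ["MKO.PRIV.COM"]},
}

@dataclass
class Discovery:
    domain: Optional[str]      # zone where the _ldap._tcp SRV record was found
    realm: Optional[str]       # Kerberos realm the client would configure
    server: Optional[str]      # first IPA server from the SRV answer
    realm_from_txt: bool       # False means the realm was guessed from the domain

def parent_domains(hostname: str) -> List[str]:
    labels = hostname.lower().split(".")
    # "h.a.b.tld" -> ["a.b.tld", "b.tld"]; the bare TLD is never searched
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def discover(hostname: str, domain: Optional[str] = None,
             records: Records = DNS) -> Discovery:
    """Walk candidate domains until one publishes an _ldap._tcp SRV record."""
    candidates = [domain.lower()] if domain else parent_domains(hostname)
    for dom in candidates:
        servers = records.get(f"_ldap._tcp.{dom}", {}).get("SRV", [])
        if not servers:
            continue
        txt = records.get(f"_kerberos.{dom}", {}).get("TXT", [])
        # Without a _kerberos TXT record the realm is assumed to be the
        # upper-cased domain, which is wrong whenever REALM != domain.
        realm = txt[0] if txt else dom.upper()
        return Discovery(dom, realm, servers[0], bool(txt))
    return Discovery(None, None, None, False)

def check_expected(d: Discovery, realm: str, server: str) -> List[str]:
    """Return the discrepancies to look for in ipaclient-install.log."""
    problems = []
    if d.server is None:
        problems.append("no _ldap._tcp SRV record found in any parent domain")
    if d.realm != realm:
        note = "" if d.realm_from_txt else " (guessed, no _kerberos TXT record)"
        problems.append(f"realm {d.realm!r} != expected {realm!r}{note}")
    if d.server != server:
        problems.append(f"server {d.server!r} != expected {server!r}")
    return problems
```

Passing --domain/--realm/--server, as in the thread, simply bypasses this search, which is why comparing the discovered values against the ones you would pass by hand is the first thing to check.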