Ondrej Valousek wrote:
Hi List,

I have just noticed that the ipa-client-install fails miserably if the
client's /etc/resolv.conf points to some foreign DNS server. The symptoms
are that KDC (on the IPA server) fails to locate itself in Kerberos database:

The KDC is just trying to look up a service that was requested; it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).


Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: ad...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example....@example.com
Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, ad...@example.com for HTTP/polaris.prague.s3group....@example.com, Server not found in Kerberos database

Question: Should probably try to autoconfigure /etc/resolv.conf as well
or at least warn user that join might fail?

The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured.

The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
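
An added example, not part of the original thread: a small parser for krb5kdc lines of the shape quoted above that picks out TGS_REQ failures with UNKNOWN_SERVER and shows which host name the client asked for. The host names, addresses and the three verdict labels are constructed for illustration; the verdicts are a heuristic, not FreeIPA behaviour.

```python
import re

# Shape of the krb5kdc request lines quoted in the thread.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def unknown_server_requests(log_lines, ipa_servers):
    """Return one finding per TGS_REQ that failed with UNKNOWN_SERVER.

    ipa_servers: FQDNs that do have service principals in the KDC database.
    """
    known = {h.lower() for h in ipa_servers}
    short = {h.split(".")[0] for h in known}
    findings = []
    for line in log_lines:
        m = KDC_LINE.search(line)
        if not m or m["req"] != "TGS_REQ" or m["status"] != "UNKNOWN_SERVER":
            continue
        principal = m["service"].rsplit("@", 1)[0]   # drop the realm
        host = principal.partition("/")[2].lower()   # drop "HTTP/" etc.
        if host in known:
            verdict = "principal-missing"            # right name, no principal
        elif host.split(".")[0] in short:
            verdict = "same-host-different-dns-name" # resolver gave another FQDN
        else:
            verdict = "different-server-discovered"  # e.g. SRV records of another server
        findings.append({"client_ip": m["ip"], "service": principal,
                         "host": host, "verdict": verdict})
    return findings

# Constructed sample lines (documentation addresses and example domains).
_P = "Jun 30 11:11:49 ipa1 krb5kdc[1279](info): "
_E = "(4 etypes {18 17 16 23}) "
SAMPLE = [
    _P + "AS_REQ " + _E + "192.0.2.35: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    _P + "TGS_REQ " + _E + "192.0.2.35: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for HTTP/ipa1.lab.example.net@EXAMPLE.COM, Server not found in Kerberos database",
    _P + "TGS_REQ " + _E + "192.0.2.36: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for HTTP/dc1.ad.example.net@EXAMPLE.COM, Server not found in Kerberos database",
]

if __name__ == "__main__":
    for finding in unknown_server_requests(SAMPLE, ["ipa1.example.com"]):
        print(finding)
```
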
