Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)

Tue, 15 May 2012 15:17:57 -0700 

Ian Levesque wrote:

Hi,

I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts via 
kickstart. Unfortunately, it's not working via kickstart and when I try running the 
commands by hand on a freshly-installed host, it still fails with "kinit: Client not 
found in Kerberos database while getting initial credentials".

The freeipa docs [1] seem to indicate that this is as easy as:

   1) ipa host-add<fqdn>  --password=secret
   2) ensuring ipa-client is installed in the kickstart
   3) running ipa-client-install with the principal set as host/<fqdn>  and 
providing the password

I believe I've done what's required on the server:

# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
  -------------------------------------
  Added host "ian-ultra24-dmz.in.hwlab"
  -------------------------------------
   Host name: ian-ultra24-dmz.in.hwlab
   Keytab: False
   Password: True
   Managed by: ian-ultra24-dmz.in.hwlab

(I've deleted and re-added the host after each ipa-client-install attempt)

And on the client:

# rpm -qa | grep ipa-client
  ipa-client-2.1.3-9.el6.x86_64

# /usr/sbin/ipa-client-install --domain=in.hwlab 
--principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG 
--server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

kinit: Client not found in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any help would be appreciated.
Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet). 

rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to