Ian Levesque wrote:
> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>>> # /usr/sbin/ipa-client-install --domain=in.hwlab
>>> --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG
>>> --server=sbgrid-directory.in.hwlab --unattended
>>> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>>> KDC address will be set to fixed value.
>>> Discovery was successful!
>>> Hostname: ian-ultra24-dmz.in.hwlab
>>> Realm: SBGRID.ORG
>>> DNS Domain: in.hwlab
>>> IPA Server: sbgrid-directory.in.hwlab
>>> BaseDN: dc=sbgrid,dc=org
>>> Synchronizing time with KDC...
>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>> kinit: Client not found in Kerberos database while getting initial credentials
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>> Any help would be appreciated.
>>
>> Don't set the principal and it will work, just drop the --principal bit. The
>> principal doesn't exist yet which is why things are failing (or more precisely,
>> the principal with that principal key doesn't exist yet).
>
> No luck:
> Joining realm failed: Incorrect password.
> Installation failed. Rolling back changes.
> I thought the point of doing the host-add was to set up a host principal with a
> one-time password. Without specifying the host principal, isn't the
> ipa-client-install trying to use the specified password to auth me, and not the
> host?

Bulk enrollment is done using a one-time password. No Kerberos
credentials are created (though it still works if a krbPrincipalName is set
in the host entry).
The userPassword attribute is set to the password and the client
installer does a simple bind using the dn of the host as the user and
the provided password to do the enrollment. The enrollment process
removes the userPassword attribute when a successful bind occurs.
I'd suggest resetting the password on the host and trying again.
rob
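
Added example, not part of the thread and not FreeIPA code: because the enrollment described above is a simple bind that must present the exact one-time password, it helps to check what string the command line actually hands to the installer. Assuming the installer parses its options with Python's `optparse` and declares `-w`/`--password` (an assumption about that release; the option table below is a constructed stand-in), `optparse` passes `-w=foobar` through as `=foobar`.

```python
from optparse import OptionParser


def build_parser():
    """Constructed stand-in holding only the options used in the thread's command."""
    p = OptionParser()
    p.add_option("--domain", dest="domain")
    p.add_option("--principal", dest="principal")
    p.add_option("-w", "--password", dest="password")
    p.add_option("--realm", dest="realm")
    p.add_option("--server", dest="server")
    p.add_option("--unattended", dest="unattended", action="store_true")
    return p


def parsed_password(argv):
    """Return the password string optparse delivers to the program."""
    opts, _ = build_parser().parse_args(list(argv))
    return opts.password


def suspicious_short_values(argv):
    """Flag short options written as -x=value: optparse keeps the '=' in the value."""
    return [a for a in argv
            if len(a) >= 3 and a[0] == "-" and a[1] != "-" and a[2] == "="]


# Arguments of the command quoted in the thread, without --principal.
THREAD_ARGV = [
    "--domain=in.hwlab",
    "-w=foobar",
    "--realm=SBGRID.ORG",
    "--server=sbgrid-directory.in.hwlab",
    "--unattended",
]

if __name__ == "__main__":
    print("as typed:         ", repr(parsed_password(THREAD_ARGV)))
    print("--password=foobar:", repr(parsed_password(["--password=foobar"])))
    print("-w foobar:        ", repr(parsed_password(["-w", "foobar"])))
    print("flagged:          ", suspicious_short_values(THREAD_ARGV))
```

With a short option, either separate the value with a space (`-w foobar`) or use the long form (`--password=foobar`) so the bind password matches the one set on the host entry.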