Ian Levesque wrote:

On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:

# /usr/sbin/ipa-client-install --domain=in.hwlab 
--principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG 
--server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

kinit: Client not found in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any help would be appreciated.

Don't set the principal and it will work, just drop the --principal bit. The 
principal doesn't exist yet which is why things are failing (or more precisely, 
the principal with that principal key doesn't exist yet).

No luck:

Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.

I thought the point of doing the host-add was to set up a host principal with a 
one-time password. Without specifying the host principal, isn't the 
ipa-client-install trying to use the specified password to auth me, and not the 

Bulk enrollment is done using a one-time password. No Kerberos credentials are created (though it still works if a krbPrincipalName is set in the host entry).

The userPassword attribute is set to the password and the client installer does a simple bind using the dn of the host as the user and the provided password to do the enrollment. The enrollment process removes the userPassword attribute when a successful bind occurs.

I'd suggest resetting the password on the host and trying again.
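
The reset-and-retry procedure suggested above, as an added shell example that is not part of the original thread or of FreeIPA itself. The function names are hypothetical, and it assumes an admin Kerberos ticket on the machine running `ipa` and that `ipa host-show` prints `Password:` and `Keytab:` lines.

```shell
# Added example (not from the thread). Host names and OTP values passed in
# are the caller's; nothing here runs until a function is called.

# Classify a host from `ipa host-show <host>` output on stdin.
# Prints: enrolled | otp-set | needs-otp
otp_state() {
    awk -F': *' '
        /^ *Password:/ { pw = $2 }
        /^ *Keytab:/   { kt = $2 }
        END {
            if (kt == "True")      print "enrolled"
            else if (pw == "True") print "otp-set"
            else                   print "needs-otp"
        }'
}

# Server side (admin ticket required): set a fresh one-time password unless
# the host already holds a keytab. Returns 0 if the OTP was set, 1 if skipped.
reset_otp() {   # $1 = host FQDN, $2 = new one-time password
    state=$(ipa host-show "$1" | otp_state)
    if [ "$state" = enrolled ]; then
        echo "$1 already has a keytab; an OTP is only for hosts not yet enrolled" >&2
        return 1
    fi
    ipa host-mod "$1" --password="$2" >/dev/null
}

# Client side: enroll with the OTP only. No --principal, because the OTP is
# checked by a simple bind as the host entry, not by kinit.
enroll_with_otp() {   # $1 = domain, $2 = server, $3 = realm, $4 = OTP
    ipa-client-install --domain="$1" --server="$2" --realm="$3" \
        --password="$4" --unattended
}
```

Because a successful bind removes userPassword, `otp_state` reporting `needs-otp` on a host without a keytab means the password must be set again before the next `enroll_with_otp` attempt.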


Freeipa-users mailing list
