On May 16, 2012, at 10:02 AM, Rob Crittenden wrote:
> Ian Levesque wrote:
>>
>> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>>
>>> Don't set the principal and it will work, just drop the --principal bit.
>>> The principal doesn't exist yet which is why things are failing (or more
>>> precisely, the principal with that principal key doesn't exist yet).
>>
>> No luck:
>>
>> Joining realm failed: Incorrect password.
>> Installation failed. Rolling back changes.
>>
>> I thought the point of doing the host-add was to set up a host principal with
>> a one-time password. Without specifying the host principal, isn't the
>> ipa-client-install trying to use the specified password to auth me, and not
>> the host?
>
> Bulk enrollment is done using a one-time password. No Kerberos credentials
> are created (though it still works if a krbPrincipalName is set in the host
> entry).
>
> The userPassword attribute is set to the password and the client installer
> does a simple bind using the dn of the host as the user and the provided
> password to do the enrollment. The enrollment process removes the
> userPassword attribute when a successful bind occurs.
>
> I'd suggest resetting the password on the host and trying again.

Hi Rob, et al -

I tried again, and am pasting all the output below. Is there something I'm
missing?

Cheers,
Ian

--- server ---
[sbgrid-directory]# ipa host-del ian-ultra24-dmz.in.hwlab
---------------------------------------
Deleted host "ian-ultra24-dmz.in.hwlab"
[sbgrid-directory]# ipa host-find ian-ultra24-dmz.in.hwlab
---------------
0 hosts matched
[sbgrid-directory]# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
-------------------------------------
Added host "ian-ultra24-dmz.in.hwlab"
-------------------------------------
Host name: ian-ultra24-dmz.in.hwlab
Keytab: False
Password: True
Managed by: ian-ultra24-dmz.in.hwlab
--- client ---
[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab \
--domain=in.hwlab -w=foobar \
--realm=SBGRID.ORG \
--server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.
[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab \
--domain=in.hwlab --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: ian
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for [email protected]:
Enrolled in IPA realm SBGRID.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SBGRID.ORG
SSSD enabled
NTP enabled
Client configuration complete.
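
Added example, not part of the original thread and not FreeIPA code: per Rob's description, the enrollment bind succeeds only if the client sends exactly the string stored by `ipa host-add --password=...`. The sketch uses Python's standard `optparse` to show what value a parser of that style hands to the program for `-w=foobar` versus `-w foobar` and `--password=foobar`; that `ipa-client-install` parses its options this way is an assumption, and `STORED_OTP`, `parse_password`, `simple_bind_ok` and `check` are hypothetical names.

```python
import hmac
from optparse import OptionParser

# Constructed value mirroring the transcript: the one-time password given
# to `ipa host-add --password=foobar`. A real directory stores a hash of it;
# a plain string keeps this sketch short.
STORED_OTP = "foobar"

def parse_password(argv):
    """Return the password string an optparse-based CLI receives from argv."""
    parser = OptionParser()
    parser.add_option("-w", "--password", dest="password")
    parser.add_option("--hostname", dest="hostname")
    parser.add_option("--unattended", action="store_true", dest="unattended")
    opts, _args = parser.parse_args(argv)
    return opts.password

def simple_bind_ok(supplied, stored=STORED_OTP):
    """Hypothetical stand-in for the simple bind: strings must match exactly."""
    return hmac.compare_digest(supplied.encode(), stored.encode())

def check(argv):
    """Parse argv and report (password as parsed, whether the bind succeeds)."""
    supplied = parse_password(argv)
    return supplied, simple_bind_ok(supplied)

if __name__ == "__main__":
    # The four spellings of the same intended password (constructed input).
    for argv in (["-w=foobar"], ["-w", "foobar"], ["-wfoobar"],
                 ["--password=foobar"]):
        supplied, ok = check(argv + ["--unattended"])
        print(f"{' '.join(argv):20} -> {supplied!r:10} bind ok: {ok}")
```

The outcome depends on the option parser the tool actually uses, so confirm it against the installed version before drawing conclusions from a transcript.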