On May 16, 2012, at 10:02 AM, Rob Crittenden wrote:

> Ian Levesque wrote:
>> 
>> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>> 
>>> Don't set the principal and it will work, just drop the --principal bit. 
>>> The principal doesn't exist yet which is why things are failing (or more 
>>> precisely, the principal with that principal key doesn't exist yet).
>> 
>> No luck:
>> 
>> Joining realm failed: Incorrect password.
>> Installation failed. Rolling back changes.
>> 
>> I thought the point of doing the host-add was to setup a host principal with 
>> a one-time password. Without specifying the host principal, isn't the 
>> ipa-client-install trying to use the specified password to auth me, and not 
>> the host?
> 
> Bulk enrollment is done using a one-time password. No Kerberos credentials 
> are created (though still works if a krbPrincipalName is set in the host 
> entry).
> 
> The userPassword attribute is set to the password and the client installer 
> does a simple bind using the dn of the host as the user and the provided 
> password to do the enrollment. The enrollment process removes the 
> userPassword attribute when a successful bind occurs.
> 
> I'd suggest resetting the password on the host and trying again.


Hi Rob, et al -

I tried again, and am pasting all the output below. Is there something I'm 
missing? 

Cheers,
Ian


--- server ---

[sbgrid-directory]# ipa host-del ian-ultra24-dmz.in.hwlab
---------------------------------------
Deleted host "ian-ultra24-dmz.in.hwlab"

[sbgrid-directory]# ipa host-find ian-ultra24-dmz.in.hwlab
---------------
0 hosts matched

[sbgrid-directory]# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
-------------------------------------
Added host "ian-ultra24-dmz.in.hwlab"
-------------------------------------
  Host name: ian-ultra24-dmz.in.hwlab
  Keytab: False
  Password: True
  Managed by: ian-ultra24-dmz.in.hwlab

--- client ---

[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab 
--domain=in.hwlab -w=foobar \
                                        --realm=SBGRID.ORG 
--server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.


[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab 
--domain=in.hwlab --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: ian
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for i...@sbgrid.org: 

Enrolled in IPA realm SBGRID.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SBGRID.ORG
SSSD enabled
NTP enabled
Client configuration complete.



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to