On 01/19/2013 01:25 PM, MaSch wrote:
> Hello all,
>
> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a
> test server. However I do not even get past the initial (local) steps
> described in:
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> The last step of the section "Install and configure IPA server" gives me the
> following error:
>
> "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
>
> However "kdestroy" followed by a consequent "kinit admin" does not help, I
> get the error again when trying to "ipa-adtrust-install"
>
> The ipaserver-install.log says:
> 2013-01-19T17:19:56Z DEBUG stderr=
> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>
> 2013-01-19T17:19:56Z DEBUG Starting external process
> 2013-01-19T17:19:56Z DEBUG args=kinit admin
> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
>
> 2013-01-19T17:19:57Z DEBUG stderr=
> 2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-adtrust-install", line 304, in main
>     sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
>
> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>
> ______________________________________________________________________________________________________
>
> I tried to follow the instructions and stick to the plan - here is the
> history of commands I executed on a fresh Fedora 18 installation (after
> installing vmware tools in the vm) (long output is omitted and replaced
> by ...):
>
> [root@linux user]# yum update -y
> ...
> [root@linux user]# reboot
> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
> ...
> [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local ipa-server" >> /etc/hosts
> [root@linux user]# hostname ipa-server.matrix.local
> [root@linux user]# hostname
> ipa-server.matrix.local
> [root@linux user]# ping ipa-server.matrix.local
> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms
> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL --setup-dns --no-forwarders -U
> ... setup completes without errors
> [root@linux user]# kinit admin
> Password for admin@MATRIX.LOCAL:
> [root@linux user]# klist
> Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
> Default principal: admin@MATRIX.LOCAL
>
> Valid starting     Expires            Service principal
> 01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
> [root@linux user]# id admin
> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
> [root@linux user]# getent passwd admin
> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ==============================================================================
> This program will setup components needed to establish trust to AD domains for
> the FreeIPA Server.
>
> This includes:
>   * Configure Samba
>   * Add trust related objects to FreeIPA LDAP server
>
> To accept the default shown in brackets, press the Enter key.
>
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>
> ______________________________________________________________________________________________________
>
> The freeipa packages installed are:
>
> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> freeipa-client-3.1.0-2.fc18.x86_64
>
>
> Any help would be appreciated, perhaps I'm just missing a simple step.
>
>
> Regards
> Marco
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
What is the situation with the time on that box? Was the time and time zone set correctly? Is it a VM? Can it be that the time drifted in some way?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.