On 01/20/2013 05:01 AM, MaSch wrote:
> On 1/19/13 8:16 PM, Dmitri Pal wrote:
>> What is the situation with the time on that box?
>> Was the time and time zone set correctly?
>> Is it a VM?
>> Can it be that the time drifted in some way?
>>
> The time zone is correct for my region (Europe/Berlin) as is the current time.
> It is a VM - running inside VMware Fusion 4 on OSX.
> I doubt that time drifted in between somehow in an unusual manner. I just
> tried again and checked :
>
> [root@ipa-server user]# klist
> Ticket cache: DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
> Default principal: admin@MATRIX.LOCAL
>
> Valid starting     Expires            Service principal
> 01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
> [root@ipa-server user]# date
> Sun Jan 20 10:51:07 CET 2013
> [root@ipa-server user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
> ...
> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
> [root@ipa-server user]# date
> Sun Jan 20 10:51:12 CET 2013
>
> So the "ipa-adtrust-install" is issued while the krbtgt is valid. However as
> before kdestroy and subsequent kinit don't help.

Then it might be that the tgt is actually missing something that AD 2012
is now expecting and it is triggering a wrong message.
Please file a ticket or BZ.

>
> On 1/19/13 10:44 PM, Dale Macartney wrote:
>> Critical pre-req is definitely make sure DNS resolution is working in
>> advance. It's always a killer.
>>
>> If you use IPA managed DNS, use the following.
> Thanks for the pointer Dale, but I don't even get that far to do the actual
> trust. And as far as I can tell, DNS is set up correctly locally. The
> resolv.conf points to the IPA server itself (this is automatically changed
> during installation), atm no forwarding is done and dns resolution of the
> ipa-server and ipa-domain work on the ipa-server itself.
>
> Regards Marco
>
>> On 01/19/2013 01:25 PM, MaSch wrote:
>>> Hello all,
>>>
>>> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a
>>> test server. However I do not even get past the initial (local) steps
>>> described in :
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>>> The last step of the section "Install and configure IPA server" gives me
>>> the following error :
>>>
>>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
>>>
>>> However "kdestroy" followed by a consequent "kinit admin" does not help, I
>>> get the error again when trying to "ipa-adtrust-install"
>>>
>>> The ipaserver-install.log says :
>>> 2013-01-19T17:19:56Z DEBUG stderr=
>>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>>>
>>> 2013-01-19T17:19:56Z DEBUG Starting external process
>>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
>>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
>>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
>>>
>>> 2013-01-19T17:19:57Z DEBUG stderr=
>>> 2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/usr/sbin/ipa-adtrust-install", line 304, in main
>>>     sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
>>>
>>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>>
>>> ______________________________________________________________________________________________________
>>>
>>>
>>> I tried to follow the instructions and stick to the plan - here is the
>>> history of commands I executed on a fresh Fedora 18 Installation (after
>>> installing vmware tools in the vm) (long output is omitted and replaced
>>> by ...) :
>>>
>>>
>>> [root@linux user]# yum update -y
>>> ...
>>> [root@linux user]# reboot
>>> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>>> ...
>>> [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local ipa-server" >> /etc/hosts
>>> [root@linux user]# hostname ipa-server.matrix.local
>>> [root@linux user]# hostname
>>> ipa-server.matrix.local
>>> [root@linux user]# ping ipa-server.matrix.local
>>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
>>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms
>>> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL --setup-dns --no-forwarders -U
>>> ... setup completes without errors
>>> [root@linux user]# kinit admin
>>> Password for admin@MATRIX.LOCAL:
>>> [root@linux user]# klist
>>> Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
>>> Default principal: admin@MATRIX.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>>> [root@linux user]# id admin
>>> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
>>> [root@linux user]# getent passwd admin
>>> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
>>> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>> ==============================================================================
>>> This program will setup components needed to establish trust to AD domains for
>>> the FreeIPA Server.
>>>
>>> This includes:
>>>   * Configure Samba
>>>   * Add trust related objects to FreeIPA LDAP server
>>>
>>> To accept the default shown in brackets, press the Enter key.
>>>
>>>
>>> The following operations may take some minutes to complete.
>>> Please wait until the prompt is returned.
>>>
>>> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>>
>>> ______________________________________________________________________________________________________
>>>
>>> The freeipa packages installed are :
>>>
>>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
>>> freeipa-python-3.1.0-2.fc18.x86_64
>>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>>> freeipa-admintools-3.1.0-2.fc18.x86_64
>>> freeipa-server-3.1.0-2.fc18.x86_64
>>> freeipa-client-3.1.0-2.fc18.x86_64
>>>
>>>
>>> Any help would be appreciated, perhaps I'm just missing a simple step.
>>>
>>>
>>> Regards
>>> Marco
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
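
The check MaSch does by hand in the thread (klist, then date around the failing command), as an added example that is not part of the original messages or of FreeIPA: it parses klist output and classifies the realm's krbtgt at a given local time. The mm/dd/yy timestamp format is taken from the quoted output, and the five-minute skew tolerance and the status names are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist output quoted in the thread, wrapped lines rejoined.
KLIST_OUTPUT = """\
Ticket cache: DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
"""

STAMP = r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(r"^" + STAMP + r"\s+" + STAMP + r"\s+(\S+)$")
KLIST_TIME = "%m/%d/%y %H:%M:%S"  # assumption: mm/dd/yy, as printed in the thread


def parse_klist(text):
    """Return (default_principal, [(start, end, service), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), KLIST_TIME)
            end = datetime.strptime(m.group(2), KLIST_TIME)
            tickets.append((start, end, m.group(3)))
    return principal, tickets


def tgt_status(text, now, skew=timedelta(minutes=5)):
    """Classify the realm's krbtgt at local time `now` (skew value is an assumption)."""
    principal, tickets = parse_klist(text)
    if principal is None or "@" not in principal:
        return "no-principal"
    realm = principal.rsplit("@", 1)[1]
    wanted = "krbtgt/{0}@{0}".format(realm)
    for start, end, service in tickets:
        if service != wanted:
            continue
        if now < start - skew:
            return "not-yet-valid"  # local clock is behind the ticket's start time
        return "expired" if now > end else "valid"
    return "no-tgt"


if __name__ == "__main__":
    # Timestamps printed by `date` before and after the failing command in the thread.
    for hms in ((10, 51, 7), (10, 51, 12)):
        print(hms, tgt_status(KLIST_OUTPUT, datetime(2013, 1, 20, *hms)))
```

A "valid" result only rules out ticket lifetime and local clock problems; it says nothing about what else the installer checks before printing the message.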