On 1/21/13 9:44 AM, Sumit Bose wrote:
> This is not related to AD because it is still the step before
> establishing the trust as Marco said below. The message "Outdated
> Kerberos credentials. Use kdestroy and kinit to update your ticket"
> indicates that we failed to connect to the local LDAP server. Maybe a
> ticket should be filed to mention the local LDAP server in the message?
>
> Marco, have you tried to run ipa-adtrust-install without the -a option?
> Can you try to access your local LDAP server with:
>
> # kinit admin
> # ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
>   'dc=matrix,dc=local' -s base
>
> bye,
> Sumit

I tried to run ipa-adtrust-install without the -a option - it asks for the 
password - then I get the same error.

ldapsearch works fine (as long as I have a valid ticket):
snip_______________________________________
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
[root@ipa-server user]# klist
Ticket cache: 
DIR::/run/user/1000/krb5cc_508afa59f766b611435821eb50fee5d0/tktALmOIY
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/22/13 20:20:56  01/23/13 20:20:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@ipa-server user]# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
>   'dc=matrix,dc=local' -s base
SASL/GSSAPI authentication started
SASL username: admin@MATRIX.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=matrix,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# matrix.local
dn: dc=matrix,dc=local
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: matrix
info: IPA V2.0
nisDomain: matrix.local
associatedDomain: matrix.local

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
_______________________________________snip

I will file a bug report ...

Thanks for the help so far.


> On Sun, Jan 20, 2013 at 02:24:36PM -0500, Dmitri Pal wrote:
>> On 01/20/2013 05:01 AM, MaSch wrote:
>>> On 1/19/13 8:16 PM, Dmitri Pal wrote:
>>>> What is the situation with the time on that box?
>>>> Was the time and time zone set correctly?
>>>> Is it a VM?
>>>> Can it be that the time drifted in some way?
>>>>
>>> The time zone is correct for my region (Europe/Berlin) as is the current 
>>> time.
>>> It is a VM - running inside VMware Fusion 4 on OSX.
>>> I doubt that time drifted in between somehow in an unusual manner. I just
>>> tried again and checked:
>>>
>>> [root@ipa-server user]# klist
>>> Ticket cache: 
>>> DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
>>> Default principal: admin@MATRIX.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>>> [root@ipa-server user]# date
>>> Sun Jan 20 10:51:07 CET 2013
>>> [root@ipa-server user]# ipa-adtrust-install --netbios-name=MATRIX -a 
>>> mypassword1
>>> ...
>>> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>> [root@ipa-server user]# date
>>> Sun Jan 20 10:51:12 CET 2013
>>>
>>> So the "ipa-adtrust-install" is issued while the krbtgt is valid. However,
>>> as before, kdestroy and subsequent kinit don't help.
>>
>> Then it might be that the tgt is actually missing something that AD 2012
>> is now expecting and it is triggering a wrong message.
>> Please file a ticket or BZ.
>
>>
>>>
>>> On 1/19/13 10:44 PM, Dale Macartney wrote:
>>>> Critical pre-req is definitely to make sure DNS resolution is working in
>>>> advance. It's always a killer.
>>>>
>>>> If you use IPA managed DNS, use the following.
>>> Thanks for the pointer Dale, but I don't even get that far to do the actual
>>> trust. And as far as I can tell, DNS is set up correctly locally. The
>>> resolv.conf points to the IPA server itself (this is automatically changed
>>> during installation), atm no forwarding is done and DNS resolution of the
>>> ipa-server and ipa-domain work on the ipa-server itself.
>>>
>>> Regards Marco
>>>
>>>
>>>
>>>> On 01/19/2013 01:25 PM, MaSch wrote:
>>>>> Hello all,
>>>>>
>>>>> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a
>>>>> test server. However I do not even get past the initial (local) steps
>>>>> described in:
>>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>>>>> The last step of the section "Install and configure IPA server" gives me
>>>>> the following error:
>>>>>
>>>>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your 
>>>>> ticket"
>>>>>
>>>>> However "kdestroy" followed by a subsequent "kinit admin" does not help,
>>>>> I get the error again when trying to "ipa-adtrust-install"
>>>>>
>>>>> The ipaserver-install.log says:
>>>>> 2013-01-19T17:19:56Z DEBUG stderr=
>>>>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>>>>>
>>>>> 2013-01-19T17:19:56Z DEBUG Starting external process
>>>>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
>>>>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
>>>>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
>>>>>
>>>>> 2013-01-19T17:19:57Z DEBUG stderr=
>>>>> 2013-01-19T17:19:57Z INFO   File 
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
>>>>> line 617, in
>>>>> run_script
>>>>>     return_value = main_function()
>>>>>
>>>>>   File "/usr/sbin/ipa-adtrust-install", line 304, in main
>>>>>     sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to 
>>>>> update your ticket")
>>>>>
>>>>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed,
>>>>> exception: SystemExit: Outdated Kerberos credentials.
>>>>> Use kdestroy and kinit to update your ticket
>>>>>
>>>>> ______________________________________________________________________________________________________
>>>>>
>>>>>
>>>>> I tried to follow the instructions and stick to the plan - here is the
>>>>> history of commands I executed on a fresh Fedora 18 installation (after
>>>>> installing vmware tools in the vm) (long output is omitted and replaced
>>>>> by ...):
>>>>>
>>>>>
>>>>> [root@linux user]# yum update -y
>>>>> ...
>>>>> [root@linux user]# reboot
>>>>> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" 
>>>>> samba4-winbind-clients samba4-winbind
>>>>> samba4-client bind bind-dyndb-ldap
>>>>> ...
>>>>> [root@linux user]# echo "172.16.135.141    ipa-server.matrix.local 
>>>>> ipa-server" >> /etc/hosts
>>>>> [root@linux user]# hostname ipa-server.matrix.local
>>>>> [root@linux user]# hostname
>>>>> ipa-server.matrix.local
>>>>> [root@linux user]# ping ipa-server.matrix.local
>>>>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
>>>>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 
>>>>> time=0.058 ms
>>>>> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 
>>>>> --domain=matrix.local --realm=MATRIX.LOCAL
>>>>> --setup-dns --no-forwarders -U
>>>>> ... setup completes without errors
>>>>> [root@linux user]# kinit admin
>>>>> Password for admin@MATRIX.LOCAL:
>>>>> [root@linux user]# klist
>>>>> Ticket cache: 
>>>>> DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
>>>>> Default principal: admin@MATRIX.LOCAL
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>>>>> [root@linux user]# id admin
>>>>> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
>>>>> [root@linux user]# getent passwd admin
>>>>> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
>>>>> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a 
>>>>> mypassword1
>>>>> The log file for this installation can be found in 
>>>>> /var/log/ipaserver-install.log
>>>>> ==============================================================================
>>>>> This program will setup components needed to establish trust to AD 
>>>>> domains for
>>>>> the FreeIPA Server.
>>>>>
>>>>> This includes:
>>>>>   * Configure Samba
>>>>>   * Add trust related objects to FreeIPA LDAP server
>>>>>
>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>
>>>>>
>>>>> The following operations may take some minutes to complete.
>>>>> Please wait until the prompt is returned.
>>>>>
>>>>> Outdated Kerberos credentials. Use kdestroy and kinit to update your 
>>>>> ticket
>>>>>
>>>>> ______________________________________________________________________________________________________
>>>>>
>>>>> The freeipa packages installed are:
>>>>>
>>>>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
>>>>> freeipa-python-3.1.0-2.fc18.x86_64
>>>>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>>>>> freeipa-admintools-3.1.0-2.fc18.x86_64
>>>>> freeipa-server-3.1.0-2.fc18.x86_64
>>>>> freeipa-client-3.1.0-2.fc18.x86_64
>>>>>
>>>>>
>>>>> Any help would be appreciated, perhaps I'm just missing a simple step.
>>>>>
>>>>>
>>>>> Regards
>>>>> Marco
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>>
>>
>>
>
>

