On 1/21/13 9:44 AM, Sumit Bose wrote:
> This is not related to AD because it is still the step before
> establishing the trust as Marco said below. The message "Outdated
> Kerberos credentials. Use kdestroy and kinit to update your ticket"
> indicates that we failed to connect to the local LDAP server. Maybe a
> ticket should be filed to mention the local LDAP server in the message?
>
> Marco, have you tried to run ipa-adtrust-install without the -a option?
> Can you try to access your local LDAP server with:
>
> # kinit admin
> # ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
> 'dc=matrix,dc=local' -s base
>
> bye,
> Sumit

I tried to run ipa-adtrust-install without the -a option - it asks for the password - then I get the same error.
ldapsearch works fine (as long as I have a valid ticket):

snip_______________________________________
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
[root@ipa-server user]# klist
Ticket cache: DIR::/run/user/1000/krb5cc_508afa59f766b611435821eb50fee5d0/tktALmOIY
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/22/13 20:20:56  01/23/13 20:20:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@ipa-server user]# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
> 'dc=matrix,dc=local' -s base
SASL/GSSAPI authentication started
SASL username: admin@MATRIX.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=matrix,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# matrix.local
dn: dc=matrix,dc=local
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: matrix
info: IPA V2.0
nisDomain: matrix.local
associatedDomain: matrix.local

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
_______________________________________snip

I will file a bug report ... Thanks for the help so far.

> On Sun, Jan 20, 2013 at 02:24:36PM -0500, Dmitri Pal wrote:
>> On 01/20/2013 05:01 AM, MaSch wrote:
>>> On 1/19/13 8:16 PM, Dmitri Pal wrote:
>>>> What is the situation with the time on that box?
>>>> Was the time and time zone set correctly?
>>>> Is it a VM?
>>>> Can it be that the time drifted in some way?
>>>>
>>> The time zone is correct for my region (Europe/Berlin) as is the current
>>> time.
>>> It is a VM - running inside VMware Fusion 4 on OSX.
>>> I doubt that time drifted in between somehow in an unusual manner. I just
>>> tried again and checked:
>>>
>>> [root@ipa-server user]# klist
>>> Ticket cache: DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
>>> Default principal: admin@MATRIX.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>>> [root@ipa-server user]# date
>>> Sun Jan 20 10:51:07 CET 2013
>>> [root@ipa-server user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
>>> ...
>>> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>> [root@ipa-server user]# date
>>> Sun Jan 20 10:51:12 CET 2013
>>>
>>> So the "ipa-adtrust-install" is issued while the krbtgt is valid. However,
>>> as before, kdestroy and a subsequent kinit don't help.
>>
>> Then it might be that the tgt is actually missing something that AD 2012
>> is now expecting and it is triggering a wrong message.
>> Please file a ticket or BZ.
>
>>
>>> On 1/19/13 10:44 PM, Dale Macartney wrote:
>>>> Critical pre-req is definitely to make sure DNS resolution is working in
>>>> advance. It's always a killer.
>>>>
>>>> If you use IPA managed DNS, use the following.
>>> Thanks for the pointer Dale, but I don't even get that far to do the actual
>>> trust. And as far as I can tell, DNS is set up correctly locally. The
>>> resolv.conf points to the IPA server itself (this is automatically changed
>>> during installation), atm no forwarding is done and DNS resolution of the
>>> ipa-server and ipa-domain work on the ipa-server itself.
>>>
>>> Regards Marco
>>>
>>>> On 01/19/2013 01:25 PM, MaSch wrote:
>>>>> Hello all,
>>>>>
>>>>> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a
>>>>> test server. However I do not even get past the initial (local) steps
>>>>> described in:
>>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>>>>> The last step of the section "Install and configure IPA server" gives me
>>>>> the following error:
>>>>>
>>>>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
>>>>>
>>>>> However "kdestroy" followed by a subsequent "kinit admin" does not help,
>>>>> I get the error again when trying to "ipa-adtrust-install"
>>>>>
>>>>> The ipaserver-install.log says:
>>>>> 2013-01-19T17:19:56Z DEBUG stderr=
>>>>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>>>>>
>>>>> 2013-01-19T17:19:56Z DEBUG Starting external process
>>>>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
>>>>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
>>>>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
>>>>>
>>>>> 2013-01-19T17:19:57Z DEBUG stderr=
>>>>> 2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
>>>>>     return_value = main_function()
>>>>>
>>>>>   File "/usr/sbin/ipa-adtrust-install", line 304, in main
>>>>>     sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
>>>>>
>>>>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>>>>
>>>>> ______________________________________________________________________________________________________
>>>>>
>>>>> I tried to follow the instructions and stick to the plan - here is the
>>>>> history of commands I executed on a fresh Fedora 18 installation (after
>>>>> installing vmware tools in the vm) (long output is omitted and replaced by ...):
>>>>>
>>>>> [root@linux user]# yum update -y
>>>>> ...
>>>>> [root@linux user]# reboot
>>>>> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>>>>> ...
>>>>> [root@linux user]# echo "172.16.135.141 ipa-server.matrix.local ipa-server" >> /etc/hosts
>>>>> [root@linux user]# hostname ipa-server.matrix.local
>>>>> [root@linux user]# hostname
>>>>> ipa-server.matrix.local
>>>>> [root@linux user]# ping ipa-server.matrix.local
>>>>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
>>>>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms
>>>>> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL --setup-dns --no-forwarders -U
>>>>> ... setup completes without errors
>>>>> [root@linux user]# kinit admin
>>>>> Password for admin@MATRIX.LOCAL:
>>>>> [root@linux user]# klist
>>>>> Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
>>>>> Default principal: admin@MATRIX.LOCAL
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
>>>>> [root@linux user]# id admin
>>>>> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
>>>>> [root@linux user]# getent passwd admin
>>>>> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
>>>>> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
>>>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>> ==============================================================================
>>>>> This program will setup components needed to establish trust to AD domains for
>>>>> the FreeIPA Server.
>>>>>
>>>>> This includes:
>>>>>   * Configure Samba
>>>>>   * Add trust related objects to FreeIPA LDAP server
>>>>>
>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>
>>>>> The following operations may take some minutes to complete.
>>>>> Please wait until the prompt is returned.
>>>>>
>>>>> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>>>>
>>>>> ______________________________________________________________________________________________________
>>>>>
>>>>> The freeipa packages installed are:
>>>>>
>>>>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
>>>>> freeipa-python-3.1.0-2.fc18.x86_64
>>>>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>>>>> freeipa-admintools-3.1.0-2.fc18.x86_64
>>>>> freeipa-server-3.1.0-2.fc18.x86_64
>>>>> freeipa-client-3.1.0-2.fc18.x86_64
>>>>>
>>>>> Any help would be appreciated, perhaps I'm just missing a simple step.
>>>>>
>>>>> Regards
>>>>> Marco
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
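A small check added here, not code from the thread or from FreeIPA: it parses the klist output Marco quoted and reports whether the admin TGT for the realm was inside its validity window at the moment the install ran, the same comparison the thread makes by hand against `date`. It assumes the short MM/DD/YY timestamp format this particular klist printed.

```python
import re
from datetime import datetime

# klist output as quoted in the thread (Marco's second run); "date" on the
# same box printed "Sun Jan 20 10:51:07 CET 2013" just before the install ran.
KLIST_OUTPUT = """\
Ticket cache: DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
"""

# Assumption: the MM/DD/YY HH:MM:SS stamps this klist printed (locale dependent).
STAMP = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")


def parse_klist(text):
    """Return (default principal, [(valid_from, expires, service principal), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append((datetime.strptime(m.group(1), STAMP),
                            datetime.strptime(m.group(2), STAMP), m.group(3)))
    return principal, tickets


def tgt_status(text, realm, now):
    """Classify the cache's TGT for REALM at NOW (a stamp in the same format):
    "valid", "expired", "not-yet-valid" (clock skew: issued in the future),
    "no-tgt" or "wrong-principal"."""
    principal, tickets = parse_klist(text)
    if principal is None or not principal.endswith("@" + realm):
        return "wrong-principal"
    tgts = [t for t in tickets if t[2] == "krbtgt/%s@%s" % (realm, realm)]
    if not tgts:
        return "no-tgt"
    start, expires, _ = tgts[-1]
    at = datetime.strptime(now, STAMP)
    if at < start:
        return "not-yet-valid"
    if at >= expires:
        return "expired"
    return "valid"
```

For the quoted cache and the quoted `date` it returns `valid`, which is why the error text is misleading here and why Sumit points at the connection to the local LDAP server instead.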