Ahh!!! Sooo much better!! I was following the kickstart instructions here: http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html
Thanks again!!
Guy

On 05/21/2013 09:47 AM, Rob Crittenden wrote:
> Guy Matz wrote:
>> Thanks for the reply. I *think* I'm doing this correctly . . . On the master:
>> [root@ipadevmstr log]# host cpuppettest.collmedia.net
>> cpuppettest.collmedia.net has address 192.168.8.28
>> [root@ipadevmstr log]# ipa host-add cpuppettest.collmedia.net --password=secret
>> --------------------------------------
>> Added host "cpuppettest.collmedia.net"
>> --------------------------------------
>>   Host name: cpuppettest.collmedia.net
>>   Password: True
>>   Keytab: False
>>   Managed by: cpuppettest.collmedia.net
>>
>> But on the client:
>> [root@cpuppettest log]# kinit HOST/[email protected]
>> kinit: Client 'HOST/[email protected]' not found in Kerberos database while getting initial credentials
>>
>> Any ideas?
>
> There are two problems:
>
> 1. service principals are case-sensitive and host should be lower-case: host/[email protected]
> 2. The host principal is not created until enrollment succeeds. When using OTP you are replacing enrolling with Kerberos credentials with a one-time password.
>
> The correct syntax when using auto-discovery is:
>
> # ipa-client-install -w secret -U
>
> You can append any other options as needed (--mkhomedir, etc).
>
> rob
>
>> Thanks again,
>> Guy
>>
>> On 05/20/2013 07:15 PM, Dmitri Pal wrote:
>>> On 05/20/2013 05:18 PM, Guy Matz wrote:
>>>> Hi! I'm trying the following ipa-client-install:
>>>> [root@cpuppettest log]# hostname
>>>> cpuppettest
>>>> [root@cpuppettest log]# hostname -f
>>>> cpuppettest.collmedia.net
>>>> [root@cpuppettest log]# /usr/sbin/ipa-client-install --domain=collmedia.net --enable-dns-updates --mkhomedir --principal=HOST/cpuppettest.collmedia.net -w=secret
>>>
>>> Did you pre create the client first yourself using ipa host-add?
>>> While creating it did you create an OTP for it? Is it 'secret'?
>>> I think it should also be -w secret without '='
>>> For more details see:
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html-single/FreeIPA_Guide/index.html#kickstart
>>>
>>>> --realm=COLLMEDIA.NET --server=ipadevmstr.collmedia.net --unattended
>>>> Discovery was successful!
>>>> Hostname: cpuppettest.collmedia.net
>>>> Realm: COLLMEDIA.NET
>>>> DNS Domain: collmedia.net
>>>> IPA Server: ipadevmstr.collmedia.net
>>>> BaseDN: dc=collmedia,dc=net
>>>> Synchronizing time with KDC...
>>>> kinit: Client 'HOST/[email protected]' not found in Kerberos database while getting initial credentials
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>>>
>>>> and krb5kdc.log on the server says:
>>>> [root@ipadevmstr log]# tailf -n 1 krb5kdc.log
>>>> May 20 17:12:50 ipadevmstr.collmedia.net krb5kdc[1364](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.28: CLIENT_NOT_FOUND: HOST/[email protected] for krbtgt/[email protected], Client not found in Kerberos database
>>>>
>>>> However my IPA server does seem to know about this new client:
>>>> [root@ipadevmstr log]# ipa host-show cpuppettest.collmedia.net
>>>>   Host name: cpuppettest.collmedia.net
>>>>   Password: True
>>>>   Keytab: False
>>>>   Managed by: cpuppettest.collmedia.net
>>>>
>>>> Any thoughts would be greatly appreciated!
>>>>
>>>> Thanks a lot,
>>>> Guy Matz
>>>>
>>>> P.S. - Does my client need to be 3.x?
>>>> [root@cpuppettest log]# uname -a
>>>> Linux cpuppettest 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>>>> [root@cpuppettest log]# rpm -qa | grep ipa-client
>>>> ipa-client-2.2.0-16.el6.x86_64
>>>
>>> It should work OK if it is latest patched 2.2 client.
>>>
>>>> and
>>>> [root@ipadevmstr log]# uname -a
>>>> Linux ipadevmstr.collmedia.net 2.6.32-279.22.1.el6.x86_64 #1 SMP Wed Feb 6 03:10:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>> [root@ipadevmstr log]# rpm -qa | grep ipa-server
>>>> ipa-server-3.0.0-26.el6_4.2.x86_64
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
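Added example, not part of the thread and not FreeIPA's own code: a pre-flight check over an `ipa-client-install` argument list for the points raised in the replies above (`-w=` instead of `-w <otp>`, an upper-case `HOST/` service name, and passing a host principal that does not exist before enrollment). The function name `lint_ipa_client_args` and its finding labels are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. lint_ipa_client_args and its finding
# labels are hypothetical. Prints one finding per line; exit status 0 = clean.
lint_ipa_client_args() {
    principal="" findings=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -w=*)   # Dmitri's point: '-w secret', without '='
                findings="${findings}otp-equals: write '-w <otp>', not '-w=<otp>'
" ;;
            -w|--password)      # the value is the next word; skip over it
                [ $# -gt 1 ] && shift ;;
            -p|--principal)
                [ $# -gt 1 ] && { principal=$2; shift; } ;;
            --principal=*)
                principal=${1#--principal=} ;;
        esac
        shift
    done
    svc=${principal%%/*}        # service part before the first '/'
    lower=$(printf '%s' "$svc" | tr '[:upper:]' '[:lower:]')
    if [ "$principal" != "$svc" ] && [ "$lower" = host ]; then
        # Rob's point 1: service principals are case-sensitive.
        [ "$svc" = host ] || findings="${findings}host-case: '$svc/' should be lower-case 'host/'
"
        # Rob's point 2: the host principal does not exist before enrollment.
        findings="${findings}host-principal: not created until enrollment succeeds; enroll with the OTP alone
"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed demo: the failing command line from the thread, then the corrected one.
lint_ipa_client_args --domain=collmedia.net --enable-dns-updates --mkhomedir \
    --principal=HOST/cpuppettest.collmedia.net -w=secret || true
lint_ipa_client_args -w secret -U && echo "clean"
```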
