SOLUTION

Just to follow up, I found that SELinux was the problem.  Once I ran
"#setenforce 0"  the ipa-client-install script worked with no issue and my 
client got a valid certificate.  Thanks for looking!

Matthew Shapiro


-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Thursday, July 18, 2013 1:15 AM
To: Shapiro, Matthew E CTR DODHRA DMDC (US)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] help: ipa error 4301

On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> Hi,
> 
> While running the ipa-client-install script on a RHEL 6.4 server, I get the
> following output (please note the indicated line with the arrow):
> 
> [root@[hostname]]# ipa-client-install
> Discovery was successful!
> Hostname: [hostname]
> Realm: example.com
> DNS Domain: example.com
> IPA Server: chtvm-389.example.com
> BaseDN: dc=example,dc=com
> 
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Password for admin example com:
> 
> Enrolled in IPA realm example.com
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm example.com
> SSSD enabled
> Kerberos 5 enabled
> ---> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
> 
> Also, please note that I've obfuscated the hostname, domain, and realm for
> security reasons. I believe I've narrowed down the problem to certificate
> enrollment. When I check my IPA Server Web UI, I have a notice in my host
> details that says "no valid certificate present." I then checked my client
> host by running:
> 
> [root@hostname user]# ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20130717205230':
>         status: CA_UNCONFIGURED
>         ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
> Machine Certificate - hostname.example.com',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
> Machine Certificate - hostname.example.com'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> I'm concerned about that "stuck" field; I have no idea what that means.
> 
> I have other RHEL 6.4 clients that have been able to join my IPA domain with
> no issue at all, but this one client baffles me.  Any thoughts??
> 
> ----------------------------------------------------------------------
> Matthew Shapiro
> Systems Administrator
> 
> Trofholz Technologies, Inc.
> Defense Personnel and Security Research Center (PERSEREC)
> Defense Manpower Data Center (DMDC)
> Office: 831.583.2828
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

There seems to be something wrong with the host keytab:

...

>         ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.

Can you check if the host principal in the keytab is correct?

# klist -kt /etc/krb5.keytab

Are you able to kinit with the host principal?

# kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]


Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
is this still not working?

# getent passwd admin

Martin
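As an added example (mine, not from the thread), a POSIX shell helper that runs the checks Martin lists plus a SELinux check, and parses `ipa-getcert list` output for requests marked stuck; the sample output is constructed from the request shown above, and the `--live` mode assumes MIT krb5 tools and /etc/krb5.keytab on the client.

```shell
#!/bin/sh
# Added helper, not from the thread: parses `ipa-getcert list` for stuck
# requests and, with --live, runs the keytab/kinit/SELinux checks on the client.
# Constructed sample of certmonger output, trimmed to the fields parsed below.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20130717205230':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab: Resource temporarily unavailable.
        stuck: yes
        CA: IPA
EOF
}

# Read `ipa-getcert list` on stdin; print "<request-id>\t<status>" for each
# request whose "stuck:" field is yes. No output means nothing is stuck.
stuck_requests() {
    awk '
        /^Request ID/ { if (stuck == "yes") print id "\t" st
                        id = $3; gsub(/[^0-9A-Za-z]/, "", id); st = ""; stuck = "" }
        /^[ \t]*status:/ { st = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        END { if (stuck == "yes") print id "\t" st }'
}

# Martin's keytab check: list the principals, pick the host/ entry and prove the
# key works by getting a TGT into a throw-away memory ccache (assumes MIT krb5).
host_keytab_check() {
    keytab=${1:-/etc/krb5.keytab}
    klist -kt "$keytab" || return 1
    princ=$(klist -k "$keytab" | awk '$2 ~ /^host\// { print $2; exit }')
    [ -n "$princ" ] || { echo "no host/ principal in $keytab" >&2; return 1; }
    KRB5CCNAME=MEMORY:ipa-diag kinit -kt "$keytab" "$princ" && echo "kinit as $princ ok"
}
# Report the SELinux mode and, when enforcing, recent AVC denials naming
# certmonger or ipa, so the specific denial can be fixed in policy.
selinux_check() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux not present"; return 0; }
    mode=$(getenforce); echo "SELinux mode: $mode"
    [ "$mode" = Enforcing ] && command -v ausearch >/dev/null 2>&1 &&
        { ausearch -m avc -ts recent 2>/dev/null | grep -E 'certmonger|ipa' ||
          echo "no recent AVC denials naming certmonger/ipa"; }
    return 0
}
case "${1:-}" in
    --live) ipa-getcert list | stuck_requests; getent passwd admin; host_keytab_check; selinux_check ;;
    *)      sample_getcert_output | stuck_requests ;;   # offline run on the constructed sample
esac
```

Run without arguments to see the parser flag the constructed request as stuck; on an enrolled client, `sh diag.sh --live` performs the real checks.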
