On 11/29/2013 09:16 AM, Les Stott wrote:
> Hi,
> 
> Recently installed freeipa on two servers in multi-master mode. We want to 
> have a central authentication system for many hosts. Environment is RHEL 6.4 
> for servers, RHEL 6.1 for the first client host, standard rpm packages used - 
> ipa-server-3.0.0-26.el6_4.4.x86_64 and ipa-client-3.0.0-37.el6.x86_64.
> 
> I am now trying to add the first Linux host to freeipa via ipa-client-install.
> 
> When I run ipa-client-install on a host in debug mode it fails with the errors 
> below (I have changed hostnames and IPs: freeipa-1.mydomain.com 
> 192.168.1.22 and freeipa-2.mydomain.com 192.168.1.23, client host - host1 
> 192.168.1.15)
> 
> trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
> get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
> Error: Unspecified GSS failure.  Minor code may provide more information 
> (Server ldap/freeip...@mydomain.com not found in Kerberos database)
> {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
> Minor code may provide more information (Server ldap/freeip...@mydomain.com 
> not found in Kerberos database)', 'desc': 'Local error'}
> 
> The Kerberos logs on the server (free-ipa-1) show
> Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
> {18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@ MYDOMAIN.COM 
> for HTTP/ freeip...@mydomain.com, Server not found in Kerberos database
> 
> The logs indicate that the service name is being used with the short hostname 
> (HTTP/ freeip...@mydomain.com). The FreeIPA server has records for 
> HTTP/freeipa-1.mydomain....@mydomain.com. I can see these in the web 
> interface. I believe this is where it is stumbling.
> 
> I've been banging my head against the wall on this one for a couple of days. 
> Everything I've found says make sure you have working DNS, make sure you can 
> reverse lookup IPs, make sure hostnames are FQDNs, make sure /etc/hosts on the 
> server has the servers' IPs listed with FQDN first and short name second. I've 
> done all that.

What about /etc/hosts on the clients? Do they also have FQDN first in case they
have server IP in there?

Martin
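The check Martin is asking about, as an added example that is not part of the thread: glibc takes the first name on a matching /etc/hosts line as the canonical host name, and the Kerberos client builds the service principal from that canonical name, so a client-side line with the short name first yields a principal like ldap/freeipa-2@REALM that the KDC does not know. The sample hosts file below is constructed; the domain and realm names are assumed.

```python
"""Flag /etc/hosts entries where a short name precedes the FQDN, and show the
service principal a GSSAPI client would request for each entry."""

# Constructed sample client /etc/hosts: freeipa-2 has the short name first.
SAMPLE_HOSTS = """\
127.0.0.1     localhost localhost.localdomain
192.168.1.22  freeipa-1.mydomain.com freeipa-1      # correct: FQDN first
192.168.1.23  freeipa-2 freeipa-2.mydomain.com      # wrong: short name first
192.168.1.15  host1.mydomain.com host1
"""


def parse_hosts(text):
    """Return (ip, canonical_name, aliases) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def service_principal(service, canonical_name, realm):
    """Principal the client asks the KDC for after canonicalizing the host."""
    return f"{service}/{canonical_name}@{realm}"


def find_short_first(entries, domain):
    """Entries whose first name is a bare short name while a FQDN for the same
    host in `domain` appears later on the line; these produce unknown-server
    errors like the one in the thread."""
    bad = []
    for ip, canonical, aliases in entries:
        if "." in canonical:
            continue  # already a FQDN, nothing to flag
        suffix = "." + domain
        fqdn = [a for a in aliases
                if a == canonical + suffix]
        if fqdn:
            bad.append((ip, canonical, fqdn[0]))
    return bad


if __name__ == "__main__":
    for ip, short, fqdn in find_short_first(parse_hosts(SAMPLE_HOSTS), "mydomain.com"):
        print(f"{ip}: '{short}' listed before '{fqdn}'; client would request",
              service_principal("ldap", short, "MYDOMAIN.COM"))
```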

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users