On 29.11.2013 14:20, Les Stott wrote:
Martin,

there is no entries in /etc/hosts for the freeipa servers on the client.
the clients hosts own entry is there with fqdn first.

Because you mentioned it, i added the hostname of both freeipa server to the 
hosts file on the client. It actually ran and setup the client. However it did 
get the following errors at the end after it did kerberos config....

=======
Configured /etc/krb5.conf for IPA realm MYDOMAIN.COM
Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 2377, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 2363, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 2135, in install
     delete_persistent_client_session_data(host_principal)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in 
delete_persistent_client_session_data
     kernel_keyring.del_key(keyname)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 
99, in del_key
     real_key = get_real_key(key)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 
45, in get_real_key
     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], 
raiseonerr=False)
   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in 
run
     close_fds=True, env=env, cwd=cwd)
   File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
     errread, errwrite)
   File "/usr/lib64/python2.6/subprocess.py", line 1220, in _execute_child
     raise child_exception
OSError: [Errno 2] No such file or directory
=======

Is that normal?
No, absolutely not. I will let people knowledgeable about kernel keyrings to chime in.

Do i need to add entries to the hosts file on every client?

Could you try this?
0) Restore your original /etc/hosts file (i.e. delete the line for IPA servers).
1) Run command "tcpdump -s 65535 -w /tmp/some_writeable_file -i any" on the client.
2) Run ipa-client-install
3) Stop tcpdump and send us the /tmp/some_writeable_file file. You can do it privately (for example to me or mkosek).

The network capture will not contain any password but it will reveal domain names and IP addresses. Your problem is most probably related to name resolution but I can't see where the problem is from your description, I hope that the network trace will reveal it.

Note: If you have some local caching DNS resolver *on the client* (unbound, BIND etc.), please flush it's caches before you start.

Petr^2 Spacek

________________________________________
From: Martin Kosek [mko...@redhat.com]
Sent: Friday, November 29, 2013 8:49 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname 
when running ipa-client-install (and failing)

On 11/29/2013 09:16 AM, Les Stott wrote:
Hi,

Recently installed freeipa on two servers in multi-master mode. We want to have 
a central authentication system for many hosts. Environment is RHEL 6.4 for 
servers, RHEL 6.1 for the first client host, standard rpm packages used - 
ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.

I am now trying to add the first linux host to freeipa via ipa-client-install.

When I run ipa-client-install on a host in debug mode it fails with errors 
below  (I have changed hostnames and ip's, freeipa-1.mydomain.com 192.168.1.22 
and freeipa-2.mydomain.com 192.168.1.23, host client - host1 192.168.1.15)

trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Server ldap/freeip...@mydomain.com not found in Kerberos database)
{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Server ldap/freeip...@mydomain.com not 
found in Kerberos database)', 'desc': 'Local error'}

The Kerberos logs on the server (free-ipa-1) show
Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@ MYDOMAIN.COM 
for HTTP/ freeip...@mydomain.com, Server not found in Kerberos database

The logs indicate that the service name is being used with the short hostname (HTTP/ 
freeip...@mydomain.com<mailto:freeip...@mydomain.com>). The FreeIPA server has 
records for HTTP/ 
freeipa-1.mydomain....@mydomain.com<mailto:freeipa-1.mydomain....@mydomain.com>. I 
can see these in the web interface. I believe this is where it is stumbling.

I've been banging my head against the wall on this one for a couple of days. 
Everything I've found says make sure you have working dns, make sure you can 
reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
server has ip's for servers listed with fqdn first and shortname second. I've 
done all that.

What about /etc/hosts on the clients? Do they also have FQDN first in case they
have server IP in there?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to