On 29.11.2013 14:20, Les Stott wrote:

There are no entries in /etc/hosts for the freeipa servers on the client.
The client's own hosts entry is there with the fqdn first.

Because you mentioned it, I added the hostnames of both freeipa servers to the 
hosts file on the client. It actually ran and set up the client. However it did 
get the following errors at the end after it did the kerberos config....

Configured /etc/krb5.conf for IPA realm MYDOMAIN.COM
Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 2377, in <module>
   File "/usr/sbin/ipa-client-install", line 2363, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 2135, in install
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in 
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
     real_key = get_real_key(key)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], 
   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in 
     close_fds=True, env=env, cwd=cwd)
   File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
     errread, errwrite)
   File "/usr/lib64/python2.6/subprocess.py", line 1220, in _execute_child
     raise child_exception
OSError: [Errno 2] No such file or directory

Is that normal?
No, absolutely not. I will let people knowledgeable about kernel keyrings chime in.

Do i need to add entries to the hosts file on every client?

Could you try this?
0) Restore your original /etc/hosts file (i.e. delete the line for IPA servers).
1) Run command "tcpdump -s 65535 -w /tmp/some_writeable_file -i any" on the client.
2) Run ipa-client-install
3) Stop tcpdump and send us the /tmp/some_writeable_file file. You can do it privately (for example to me or mkosek).

The network capture will not contain any password but it will reveal domain names and IP addresses. Your problem is most probably related to name resolution but I can't see where the problem is from your description, I hope that the network trace will reveal it.

Note: If you have some local caching DNS resolver *on the client* (unbound, BIND etc.), please flush its caches before you start.

Petr^2 Spacek

On 11/29/2013 09:16 AM, Les Stott wrote:

Recently installed freeipa on two servers in multi-master mode. We want to have 
a central authentication system for many hosts. Environment is RHEL 6.4 for 
servers, RHEL 6.1 for the first client host, standard rpm packages used - 
ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.

I am now trying to add the first linux host to freeipa via ipa-client-install.

When I run ipa-client-install on a host in debug mode it fails with the errors 
below (I have changed hostnames and IPs: freeipa-1.mydomain.com 
and freeipa-2.mydomain.com; client host: host1).

trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Server ldap/freeip...@mydomain.com not found in Kerberos database)
{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Server ldap/freeip...@mydomain.com not 
found in Kerberos database)', 'desc': 'Local error'}

The Kerberos logs on the server (freeipa-1) show
Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
{18 17 16 23}) UNKNOWN_SERVER: authtime 0,  admin@ MYDOMAIN.COM 
for HTTP/ freeip...@mydomain.com, Server not found in Kerberos database

The logs indicate that the service name is being used with the short hostname (HTTP/ 
freeip...@mydomain.com). The FreeIPA server has records for HTTP/ 
freeipa-1.mydomain....@mydomain.com. I can see these in the web interface. I 
believe this is where it is stumbling.

I've been banging my head against the wall on this one for a couple of days. 
Everything I've found says make sure you have working dns, make sure you can 
reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
server has ip's for servers listed with fqdn first and shortname second. I've 
done all that.

What about /etc/hosts on the clients? Do they also have FQDN first in case they
have server IP in there?


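Added example, not code from the thread or from FreeIPA: a client-side check of the name resolution point the thread circles around (which host name the Kerberos client will put into the service principal for an IPA server, and whether /etc/hosts lists the FQDN first), plus a check that the keyctl binary the traceback shows subprocess failing to execute is on PATH. It assumes a glibc system with getent, the server names from the post, and constructed addresses 192.0.2.10 and 192.0.2.11.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. krb5 builds the
# host part of ldap/<host>@REALM from getaddrinfo(AI_CANONNAME) and, with rdns
# enabled (the MIT krb5 default), from the reverse lookup of the address. For
# /etc/hosts entries both return the first name after the address, so an
# "IP shortname fqdn" line produces ldap/shortname@REALM, the symptom seen here.

# Canonical name for an address in hosts-file text read from stdin (the first
# name after the address); prints nothing when the address is not listed.
hosts_canonical_name() {
    awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# Classify a resolved name against the expected server FQDN:
# ok = matches, short = unqualified name, mismatch = a different FQDN, none = empty.
classify_name() {
    case "$1" in
        "")   echo none ;;
        "$2") echo ok ;;
        *.*)  echo mismatch ;;
        *)    echo short ;;
    esac
}

# Live check through NSS (the path krb5 uses): forward-resolve the FQDN, then
# reverse-resolve each address and classify what comes back.
check_ipa_server() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u | while read -r addr; do
        rname=$(getent hosts "$addr" | awk '{ print $2 }')
        printf '%s %s -> %s [%s]\n' "$1" "$addr" "${rname:-none}" \
            "$(classify_name "${rname:-}" "$1")"
    done
}

# The traceback in the thread is subprocess failing to execute "keyctl"
# (OSError errno 2), so report whether the binary is on PATH at all.
keyctl_present() {
    command -v keyctl >/dev/null 2>&1 && echo yes || echo no
}

# Constructed sample hosts text: server 1 lists the short name first (bad), server 2 is fine.
SAMPLE_HOSTS='192.0.2.10 freeipa-1 freeipa-1.mydomain.com
192.0.2.11 freeipa-2.mydomain.com freeipa-2'
for entry in '192.0.2.10 freeipa-1.mydomain.com' '192.0.2.11 freeipa-2.mydomain.com'; do
    ip=${entry%% *}; fqdn=${entry#* }
    name=$(printf '%s\n' "$SAMPLE_HOSTS" | hosts_canonical_name "$ip")
    printf 'hosts entry %s -> %s [%s]\n' "$ip" "$name" "$(classify_name "$name" "$fqdn")"
done
echo "keyctl on PATH: $(keyctl_present)"
for fqdn in "$@"; do check_ipa_server "$fqdn"; done   # live mode: pass server FQDNs
```

Run it with the IPA server FQDNs as arguments on the client to see the live reverse-lookup result; a "short" or "mismatch" verdict is the /etc/hosts or PTR record to fix.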