On Fri, 29 Nov 2013, Les Stott wrote:
Hi,

Recently installed freeipa on two servers in multi-master mode. We want to have 
a central authentication system for many hosts. Environment is RHEL 6.4 for 
servers, RHEL 6.1 for the first client host, standard rpm packages used - 
ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.

I am now trying to add the first linux host to freeipa via ipa-client-install.

When I run ipa-client-install on a host in debug mode it fails with errors 
below  (I have changed hostnames and ip's, freeipa-1.mydomain.com 192.168.1.22 
and freeipa-2.mydomain.com 192.168.1.23, host client - host1 192.168.1.15)

trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Server ldap/freeip...@mydomain.com not found in Kerberos database)
{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Server ldap/freeip...@mydomain.com not 
found in Kerberos database)', 'desc': 'Local error'}

The Kerberos logs on the server (free-ipa-1) show
Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0,  admin@ MYDOMAIN.COM 
for HTTP/ freeip...@mydomain.com, Server not found in Kerberos database

The logs indicate that the service name is being used with the short hostname (HTTP/ 
freeip...@mydomain.com<mailto:freeip...@mydomain.com>). The FreeIPA server has 
records for HTTP/ 
freeipa-1.mydomain....@mydomain.com<mailto:freeipa-1.mydomain....@mydomain.com>. I 
can see these in the web interface. I believe this is where it is stumbling.

I've been banging my head against the wall on this one for a couple of days. 
Everything I've found says make sure you have working dns, make sure you can 
reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
server has ip's for servers listed with fqdn first and shortname second. I've 
done all that.

I am using external dns (not integrated with freeipa), and have populated all 
records required as per sample config files provided during install. My time 
servers are other servers too, but that shouldn't matter, everything is in sync.

; for Kerberos Auto Discovery
; ldap servers
_ldap._tcp              IN SRV 0 100 389        freeipa-1.mydomain.com.
_ldap._tcp              IN SRV 0 100 389        freeipa-2.mydomain.com.

;kerberos realm
_kerberos               IN TXT MYDOMAIN.COM

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88         freeipa-1.mydomain.com.
_kerberos._tcp          IN SRV 0 100 88         freeipa-2.mydomain.com.
_kerberos._udp          IN SRV 0 100 88         freeipa-1.mydomain.com.
_kerberos._ucp          IN SRV 0 100 88         freeipa-2.mydomain.com.
_kerberos-master._tcp   IN SRV 0 100 88         freeipa-1.mydomain.com.
_kerberos-master._tcp   IN SRV 0 100 88         freeipa-2.mydomain.com.
_kerberos-master._udp   IN SRV 0 100 88         freeipa-1.mydomain.com.
_kerberos-master._udp   IN SRV 0 100 88         freeipa-2.mydomain.com.
_kpasswd._tcp           IN SRV 0 100 464        freeipa-1.mydomain.com.
_kpasswd._tcp           IN SRV 0 100 464        freeipa-2.mydomain.com.
_kpasswd._udp           IN SRV 0 100 464        freeipa-1.mydomain.com.
_kpasswd._udp           IN SRV 0 100 464        freeipa-2.mydomain.com.

;ntp server
_ntp._udp               IN SRV 0 100 123        ntp1.mydomain.com.
_ntp._udp               IN SRV 0 100 123        ntp2.mydomain.com.

Reverse dns entries are also available and both freeipa servers and the host I 
am trying to configure ipa-client on can do lookups and receive fqdn's. They 
can all do reverse lookups that resolve correctly.

I have read that when using SASL/GSSAPI (Kerberos) authentication, its possible that the 
service provider sets the principal name (SPN) to "ldap/servername" in the 
TGS_REQ based on a dns query of the PTR record. I do have PTR's configured, and they have 
FQDN's. Is it true that this happens with GSSAPI? If so how can I get around that?

Reverse Zone File for 192.168.1
22  PTR   freeipa-1.mydomain.com.
23  PTR   freeipa-2.mydomain.com.

Nslookup results for each IP:
22.1.168.192.in-addr.arpa      name = freeipa-1.mydomain.com.
23.1.168.192.in-addr.arpa      name = freeipa-2.mydomain.com.

I can authenticate using kinit before running the script and it still doesn't 
work.

The short version of running the install shows:
Discovery was successful!
Hostname: host1.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: freeipa-1.mydomain.com
BaseDN: dc=mydomain,dc=com

It authenticates correctly with the admin user for enrolling the host, but 
joining the realm fails.

I've tried everything I can think of.
Can you show your resolv.conf?
Can it be that it actually misses
   domain mydomain.com
stanza?



--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to