Alexander, Petr, Martin,

Sorry for the delay, it was the weekend.

With your guidance I have figured out the issue. Using tcpdump I saw some 
references to a NIS domain that had been set up on the box. This was different 
to the domain name I set up for freeipa. Arp was also only showing short 

I modified /etc/nsswitch.conf so that nis was not in the picture....

    hosts: files dns

Then the ipa-client-install ran without problems. (It reset nsswitch.conf back 
to include nis afterwards)

Installing keyutils fixed the other error too.

Thanks for all your help.



-----Original Message-----
From: Alexander Bokovoy [] 
Sent: Saturday, 30 November 2013 12:32 AM
To: Les Stott
Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname 
when running ipa-client-install (and failing)

On Fri, 29 Nov 2013, Les Stott wrote:
>Recently installed freeipa on two servers in multi-master mode. We want to 
>have a central authentication system for many hosts. Environment is RHEL 6.4 
>for servers, RHEL 6.1 for the first client host, standard rpm packages used - 
>ipa-server-3.0.0-26.el6_4.4.x86_64 and  ipa-client-3.0.0-37.el6.x86_64.
>I am now trying to add the first linux host to freeipa via ipa-client-install.
>When I run ipa-client-install on a host in debug mode it fails with 
>errors below  (I have changed hostnames and ip's, 
> and 
>, host client - host1
>trying to retrieve CA cert via LDAP from ldap://
>get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: 
>GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
>information (Server ldap/ not found in Kerberos 
>{'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
>failure.  Minor code may provide more information (Server 
>ldap/ not found in Kerberos database)', 'desc': 
>'Local error'}
>The Kerberos logs on the server (free-ipa-1) show Nov 29 01:46:14 
> krb5kdc[1616](info): TGS_REQ (4 etypes {18 17 16 
>23}) UNKNOWN_SERVER: authtime 0,  admin@ MYDOMAIN.COM for 
>HTTP/, Server not found in Kerberos database
>The logs indicate that the service name is being used with the short hostname 
>(HTTP/<>). The FreeIPA 
>server has records for HTTP/ 
> I can see these in the web interface. I believe this is where it is stumbling.
>I've been banging my head against the wall on this one for a couple of days. 
>Everything I've found says make sure you have working dns, make sure you can 
>reverse lookup ip's, make sure hostnames are fqdn, make sure /etc/hosts on 
>server has ip's for servers listed with fqdn first and shortname second. I've 
>done all that.
>I am using external dns (not integrated with freeipa), and have populated all 
>records required as per sample config files provided during install. My time 
>servers are other servers too, but that shouldn't matter, everything is in 
>; for Kerberos Auto Discovery
>; ldap servers
>_ldap._tcp              IN SRV 0 100 389
>_ldap._tcp              IN SRV 0 100 389
>;kerberos realm
>_kerberos               IN TXT MYDOMAIN.COM
>; kerberos servers
>_kerberos._tcp          IN SRV 0 100 88
>_kerberos._tcp          IN SRV 0 100 88
>_kerberos._udp          IN SRV 0 100 88
>_kerberos._ucp          IN SRV 0 100 88
>_kerberos-master._tcp   IN SRV 0 100 88
>_kerberos-master._tcp   IN SRV 0 100 88
>_kerberos-master._udp   IN SRV 0 100 88
>_kerberos-master._udp   IN SRV 0 100 88
>_kpasswd._tcp           IN SRV 0 100 464
>_kpasswd._tcp           IN SRV 0 100 464
>_kpasswd._udp           IN SRV 0 100 464
>_kpasswd._udp           IN SRV 0 100 464
>;ntp server
>_ntp._udp               IN SRV 0 100 123
>_ntp._udp               IN SRV 0 100 123
>Reverse dns entries are also available and both freeipa servers and the host I 
>am trying to configure ipa-client on can do lookups and receive fqdn's. They 
>can all do reverse lookups that resolve correctly.
>I have read that when using SASL/GSSAPI (Kerberos) authentication, it's 
>possible that the service provider sets the principal name (SPN) to 
>"ldap/servername" in the TGS_REQ based on a dns query of the PTR record. I do 
>have PTR's configured, and they have FQDN's. Is it true that this happens with 
>GSSAPI? If so how can I get around that?
>Reverse Zone File for 192.168.1
>22  PTR
>23  PTR
>Nslookup results for each IP:
>      name =
>      name =
>I can authenticate using kinit before running the script and it still doesn't 
>The short version of running the install shows:
>Discovery was successful!
>DNS Domain:
>IPA Server:
>BaseDN: dc=mydomain,dc=com
>It authenticates correctly with the admin user for enrolling the host, but 
>joining the realm fails.
>I've tried everything I can think of.
Can you show your resolv.conf?
Can it be that it actually misses

/ Alexander Bokovoy

Freeipa-users mailing list
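As an added example that is not part of this thread: a small POSIX shell diagnostic for the cause Les found, the `hosts:` line in /etc/nsswitch.conf consulting nis before dns, so the client resolves itself to a short name and asks the KDC for ldap/<short name>. The helper names are hypothetical and the sample nsswitch content is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): flag a hosts: line that consults
# nis before dns, and check what this box resolves its own name to.
# Helper names are hypothetical; the sample file below is constructed.

# Print the 'hosts:' sources consulted before 'dns' (empty if dns is first).
hosts_sources_before_dns() {
    awk '$1 == "hosts:" {
            out = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "dns") break
                out = (out == "" ? $i : out " " $i)
            }
            print out
            exit
        }' "$1"
}

# Exit 0 when nis (or nisplus) is consulted for hosts ahead of dns.
nsswitch_hosts_uses_nis() {
    case " $(hosts_sources_before_dns "$1") " in
        *" nis "*|*" nisplus "*) return 0 ;;
        *) return 1 ;;
    esac
}

# A Kerberos service principal needs the fully qualified name (at least one dot).
is_fqdn() {
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# Report for one nsswitch.conf path plus what this host resolves itself to.
report() {
    if nsswitch_hosts_uses_nis "$1"; then
        echo "$1: hosts: consults nis before dns ($(hosts_sources_before_dns "$1")); expect short names"
    else
        echo "$1: hosts: does not consult nis before dns"
    fi
    h=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$h" && echo "hostname -f is an FQDN: $h" || echo "short hostname: $h; client would request ldap/$h"
}

# Constructed sample: the broken hosts: line first, then the fixed one.
sample=$(mktemp)
printf 'hosts: files nis dns\n' > "$sample"
report "$sample"
printf 'hosts: files dns\n' > "$sample"
report "$sample"
rm -f "$sample"
```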
