Shree wrote:
[root@test500 ~]# rpm -q ipa-client
ipa-client-2.2.0-16.el6.x86_64
[root@test500 ~]#


You'll definitely want to update to 2.2.0-17, which fixes CVE-2012-5484.

Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on.

I believe the problem is that it is still doing DNS discovery even though you've passed in a server name, so it is setting up Kerberos to look up the KDC, which it finds but can't talk to.

This should be fixed in the 3.0 packages so updating to those is the preferred solution.

For 2.x you can try the --force option which should make it skip some discovery.

rob
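The explanation above (DNS-based KDC discovery running even though a server name was given, and a krb5.conf with dns_lookup_kdc enabled, as in the config quoted later in this thread) can be checked against a concrete file. The following is an added example, not code from the thread or from FreeIPA: a small parser for the MIT krb5.conf format that reports, for a realm, whether DNS SRV lookups would be consulted for the KDC. It applies the documented MIT rule that DNS SRV discovery is used when dns_lookup_kdc is enabled and the realm lists no kdc entries; it also flags keys that appear more than once inside a realm stanza so they can be reviewed by hand (it makes no claim about how the library treats them). The two sample configs are constructed: one is adapted from the krb5.conf posted in the thread, the other imitates an enrollment-style file with no explicit kdc.

```python
"""Added example (not from the mailing-list thread): krb5.conf KDC-discovery check."""
import re

# Constructed sample, adapted from the krb5.conf quoted in this thread.
SAMPLE_CLIENT_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false

[realms]
 MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   master_kdc = ldap2.mydomain.com:88
   admin_server = ldap2.mydomain.com:749
   default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
"""

# Constructed sample imitating a temporary enrollment-time krb5.conf that
# enables DNS lookup but names no KDC for the realm (a hypothetical file).
SAMPLE_ENROLL_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true

[realms]
 MYDOMAIN.COM = {
   admin_server = ldap2.mydomain.com:749
 }
"""

_SECTION_RE = re.compile(r"^\[(\w+)\]$")
_STANZA_RE = re.compile(r"^(\S+)\s*=\s*\{$")
_KEYVAL_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}.

    A "NAME = { ... }" stanza (e.g. a realm under [realms]) becomes a nested
    dict.  Values are kept as lists so that a key repeated within one stanza
    is preserved instead of silently overwritten.  include/includedir
    directives are skipped because the referenced files are not available.
    """
    conf = {}
    section = None
    stanza = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("includedir", "include ")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stanza = None
            continue
        if section is None:
            continue
        if line == "}":
            stanza = None
            continue
        m = _STANZA_RE.match(line)
        if m:
            stanza = section.setdefault(m.group(1), {})
            continue
        m = _KEYVAL_RE.match(line)
        if m:
            target = stanza if stanza is not None else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def kdc_discovery_report(conf, realm=None):
    """Report how the KDC for `realm` (default: default_realm) would be located."""
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm", [None])[0]
    realm_conf = conf.get("realms", {}).get(realm, {})
    # MIT default for dns_lookup_kdc is true; first occurrence wins.
    flag = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower()
    dns_lookup_kdc = flag in ("true", "yes", "1")
    explicit_kdcs = realm_conf.get("kdc", [])
    duplicate_keys = sorted(k for k, v in realm_conf.items()
                            if isinstance(v, list) and len(v) > 1)
    return {
        "realm": realm,
        "dns_lookup_kdc": dns_lookup_kdc,
        "explicit_kdcs": explicit_kdcs,
        # Documented MIT behaviour: SRV lookup only when no kdc is listed.
        "dns_srv_used": dns_lookup_kdc and not explicit_kdcs,
        "duplicate_keys": duplicate_keys,
    }


if __name__ == "__main__":
    for name, text in (("client", SAMPLE_CLIENT_CONF), ("enroll", SAMPLE_ENROLL_CONF)):
        print(name, kdc_discovery_report(parse_krb5_conf(text)))
```

Run it against a real /etc/krb5.conf by reading the file into `parse_krb5_conf`; a report with `dns_srv_used` true means the library will go to the `_kerberos._udp`/`_tcp` SRV records for the realm rather than the host you expected, which is the situation described above.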



Shreeraj
----------------------------------------------------------------------------------------


Change is the only Constant !


On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
<rcrit...@redhat.com> wrote:
Shree wrote:
 > Here are a couple of things
 >
 > [skarulkar@ldap2 ~]$ rpm -q ipa-client
 > ipa-client-3.0.0-26.el6_4.4.x86_64

What is the version on the client that is failing to enroll?

rob

 >
 > and my /etc/krb5.conf looks like ..........
 > =======================================
 > includedir /var/lib/sss/pubconf/krb5.include.d/
 >
 > [logging]
 >  default = FILE:/var/log/krb5libs.log
 >  kdc = FILE:/var/log/krb5kdc.log
 >  admin_server = FILE:/var/log/kadmind.log
 >
 > [libdefaults]
 >  default_realm = MYDOMAIN.COM
 >  dns_lookup_realm = false
 >  dns_lookup_kdc = true
 >  rdns = false
 >  ticket_lifetime = 24h
 >  forwardable = yes
 >
 > [realms]
 >  MYDOMAIN.COM = {
 >    kdc = ldap2.mydomain.com:88
 >    master_kdc = ldap2.mydomain.com:88
 >    admin_server = ldap2.mydomain.com:749
 >    default_domain = mydomain.com
 >    pkinit_anchors = FILE:/etc/ipa/ca.crt
 > default_domain = mydomain.com
 >    pkinit_anchors = FILE:/etc/ipa/ca.crt
 > }
 >
 > [domain_realm]
 >  .mydomain.com = MYDOMAIN.COM
 >  mydomain.com = MYDOMAIN.COM
 >
 > [dbmodules]
 >    MYDOMAIN.COM = {
 >      db_library = ipadb.so
 >    }
 >
 > =======================================
 >
 >
 > Shreeraj
 >
----------------------------------------------------------------------------------------
 >
 >
 > Change is the only Constant !
 >
 >
 > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
 > <rcrit...@redhat.com> wrote:
 > Shree wrote:
 >  > 1) I have got a step further. My replica is not running CA Service. To
 >  > achieve this I had to remove the existing cert with this command
 >  >
 >  > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
 >  >
 >  > Now the replica looks like this
 >  >
 >  > [skarulkar@ldap2 tmp]$ sudo ipactl status
 >  > [sudo] password for skarulkar:
 >  > Directory Service: RUNNING
 >  > KDC Service: RUNNING
 >  > KPASSWD Service: RUNNING
 >  > MEMCACHE Service: RUNNING
 >  > HTTP Service: RUNNING
 >  > CA Service: RUNNING
 >  > [skarulkar@ldap2 tmp]$

 >
 > The tracking failed with:
 >
 > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
 > Improper format of Kerberos configuration file.
 >
 > It looks like it failed on this for most if not all the tracking. What
 > does /etc/krb5.conf look like?
 >
 >  >
 >  > 2) I am still not able to add a client using ipa-client-install
 >  > using the replica.
 >
 > The temporary krb5.conf that is used during enrollment has
 > dns_lookup_kdc=True so it is probably trying to contact the other KDC
 > and failing.
 >
 > What is the output of:
 >
 > $ rpm -q ipa-client
 >
 >
 > rob
 >
 >
 >




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
