Rob
You were right. After upgrading the client to the 
ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the 
client install that went something like 
=================
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always 
access the discovered server for all operations and will not fail over to other 
servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
=================

I continued by saying yes because in my case the master and the replica are in 
different VLANs and failover is not possible for me. I have tried in two hosts 
successfully and am hoping that does the trick.

However, I see one issue immediately: my sudo access does not seem to work 
now on the newly added clients! Do you know what might be happening?

 
Shreeraj 
----------------------------------------------------------------------------------------
 

Change is the only Constant !



On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <rcrit...@redhat.com> 
wrote:
 
Shree wrote:
> root@test500 ~]# rpm -q ipa-client
> ipa-client-2.2.0-16.el6.x86_64
> [root@test500 ~]#

You'll definitely want to update to 2.2.0-17, which fixes CVE-2012-5484.

Unfortunately our logging around discovery was rather horrible in 2.2.x 
so it is difficult to know exactly what is going on.

I believe the problem is that it is still doing DNS discovery even 
though you've passed in a server name so it is setting up Kerberos to 
look up the KDC which it finds but can't talk to.

This should be fixed in the 3.0 packages so updating to those is the 
preferred solution.

For 2.x you can try the --force option which should make it skip some 
discovery.

rob

>
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
>
> Change is the only Constant !
>
>
> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
> <rcrit...@redhat.com> wrote:
> Shree wrote:
>  > Here are a couple of things
>  >
>  > [skarulkar@ldap2 ~]$ rpm -q ipa-client
>  > ipa-client-3.0.0-26.el6_4.4.x86_64
>
> What is the version on the client that is failing to enroll?
>
> rob
>
>  >
>  > and my /etc/krb5.conf looks like ..........
>  > =======================================
>  > includedir /var/lib/sss/pubconf/krb5.include.d/
>  >
>  > [logging]
>  >  default = FILE:/var/log/krb5libs.log
>  >  kdc = FILE:/var/log/krb5kdc.log
>  >  admin_server = FILE:/var/log/kadmind.log
>  >
>  > [libdefaults]
>  >  default_realm = MYDOMAIN.COM
>  >  dns_lookup_realm = false
>  >  dns_lookup_kdc = true
>  >  rdns = false
>  >  ticket_lifetime = 24h
>  >  forwardable = yes
>  >
>  > [realms]
>  >  MYDOMAIN.COM = {
>  >    kdc = ldap2.mydomain.com:88
>  >    master_kdc = ldap2.mydomain.com:88
>  >    admin_server = ldap2.mydomain.com:749
>  >    default_domain = mydomain.com
>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  > default_domain = mydomain.com
>  >    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  > }
>  >
>  > [domain_realm]
>  >  .mydomain.com = MYDOMAIN.COM
>  >  mydomain.com = MYDOMAIN.COM
>  >
>  > [dbmodules]
>  >    MYDOMAIN.COM = {
>  >      db_library = ipadb.so
>  >    }
>  >
>  > =======================================
>  >
>  >
>  > Shreeraj
>  >
> ----------------------------------------------------------------------------------------
>  >
>  >
>  > Change is the only Constant !
>  >
>  >
>  > On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden
>  > <rcrit...@redhat.com> wrote:
>  > Shree wrote:
>  >  > 1) I have got a step furthur. My replica is not running CA Service. To
>  >  > achieve this I had to remove the existing cert with this command
>  >  >
>  >  > pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>  >  >
>  >  > Now the replica looks like this
>  >  >
>  >  > [skarulkar@ldap2 tmp]$ sudo ipactl status
>  >  > [sudo] password for skarulkar:
>  >  > Directory Service: RUNNING
>  >  > KDC Service: RUNNING
>  >  > KPASSWD Service: RUNNING
>  >  > MEMCACHE Service: RUNNING
>  >  > HTTP Service: RUNNING
>  >  > CA Service: RUNNING
>  >  > [skarulkar@ldap2 tmp]$
>
>  >
>  > The tracking failed with:
>  >
>  > 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library:
>  > Improper format of Kerberos configuration file.
>  >
>  > It looks like it failed on this for most if not all the tracking. What
>  > does /etc/krb5.conf look like?
>  >
>  >  >
>  >  > 2) I am still not able to add client using ipa-client-install
> using the
>  >  > replica.
>  >
>  > The temporary krb5.conf that is used during enrollment has
>  > dns_lookup_kdc=True so it is probably trying to contact the other KDC
>  > and failing.
>  >
>  > What is the output of:
>  >
>  > $ rpm -q ipa-client
>  >
>  >
>  > rob
>  >
>  >
>  >
>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
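An added example, not code from the thread or from FreeIPA: a small krb5.conf parser with two checks that follow the diagnosis above. MIT Kerberos consults DNS SRV records for a realm only when that realm lists no fixed kdc, and dns_lookup_kdc defaults to true, so the first check reports which realms will be located through DNS; the second flags keys repeated inside a realm block, as in the pasted config. Both sample configs are constructed here (the first reproduces the realm layout from the thread), and the repeated keys are reported only as something to check; nothing here asserts that they are what produced the "Improper format" error.

```python
"""Lint a krb5.conf for two things: whether a realm's KDC will be found via DNS
SRV records, and keys repeated inside a realm block.  Added example, not
FreeIPA code; the sample configs below are constructed."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r'^\[([\w-]+)\]$')          # [libdefaults]
OPEN_RE = re.compile(r'^([\w.\-]+)\s*=\s*\{$')      # MYDOMAIN.COM = {
KV_RE = re.compile(r'^([\w.\-]+)\s*=\s*(.+)$')      # key = value


def parse_krb5_conf(text):
    """Parse into {section: {key: [values]}}.  A nested block is stored as a
    dict inside the value list; values are lists so repeated keys stay visible."""
    conf, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(('include ', 'includedir ')):
            continue  # include(dir) would need the referenced files; skipped here
        m_sec, m_open = SECTION_RE.match(line), OPEN_RE.match(line)
        if m_sec:
            if len(stack) > 1:
                raise ValueError(f'line {lineno}: [section] inside an unclosed block')
            stack = [conf.setdefault(m_sec.group(1), defaultdict(list))]
        elif not stack:
            raise ValueError(f'line {lineno}: key before any [section]')
        elif m_open:  # tested before KV_RE, which would also match a lone '{'
            block = defaultdict(list)
            stack[-1][m_open.group(1)].append(block)
            stack.append(block)
        elif line == '}':
            if len(stack) < 2:
                raise ValueError(f'line {lineno}: stray closing brace')
            stack.pop()
        else:
            m_kv = KV_RE.match(line)
            if not m_kv:
                raise ValueError(f'line {lineno}: cannot parse {raw!r}')
            stack[-1][m_kv.group(1)].append(m_kv.group(2).strip())
    if len(stack) > 1:
        raise ValueError('unclosed block at end of file')
    return conf


def lint(conf):
    """Return human-readable findings for the [realms] section."""
    findings = []
    vals = [v for v in conf.get('libdefaults', {}).get('dns_lookup_kdc', []) if isinstance(v, str)]
    dns_on = (vals[0].lower() if vals else 'true') in ('true', 'yes', 'on', '1')  # MIT default: true
    for realm, entries in conf.get('realms', {}).items():
        for block in (e for e in entries if isinstance(e, dict)):
            if dns_on and not block.get('kdc'):
                findings.append(f'{realm}: no fixed kdc and dns_lookup_kdc is on, '
                                f'the KDC will be located via DNS SRV records')
            for key, values in block.items():
                # several kdc/admin_server/master_kdc entries are normal; other repeats are not
                if len(values) > 1 and key not in ('kdc', 'admin_server', 'master_kdc'):
                    findings.append(f'{realm}: key {key!r} repeated {len(values)} times')
    return findings


# Constructed sample 1: the realm layout pasted in the thread, including its
# duplicated default_domain/pkinit_anchors lines.
PASTED_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true

[realms]
 MYDOMAIN.COM = {
   kdc = ldap2.mydomain.com:88
   master_kdc = ldap2.mydomain.com:88
   admin_server = ldap2.mydomain.com:749
   default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 default_domain = mydomain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""

# Constructed sample 2: a realm with no fixed kdc, so the KDC comes from DNS.
DNS_ONLY_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true

[realms]
 MYDOMAIN.COM = {
   admin_server = ldap2.mydomain.com:749
 }
"""

if __name__ == '__main__':
    for name, text in (('pasted', PASTED_CONF), ('dns-only', DNS_ONLY_CONF)):
        for finding in lint(parse_krb5_conf(text)) or ['no findings']:
            print(f'{name}: {finding}')
```

Run it against a real /etc/krb5.conf by passing the file's contents to parse_krb5_conf; the parser deliberately skips include and includedir directives (such as the sssd krb5.include.d line), so settings pulled in from those files are not seen by the checks.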
