On 03/08/2014 07:39 AM, [email protected] wrote:
> Hello all!!
>
> I cannot get a RHEL5.10 client to install!
>
> [root@hostname ~]# ipa-client-install --hostname=hostname.domain.com
> --no-ntp --ca-cert-file=/etc/ipa/ca.crt
> DNS domain 'doman.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname:hostname.com
> Realm:DOMAIN.COM
> DNS Domain: domain.com
> IPA Server: ipaserver.com
> BaseDN: dc=ipa,dc=dc,dc=sita,dc=com
>
> Joining realm failed: SASL Bind failed Local error (-2) !
> child exited with 9
> Installation failed. Rolling back changes.
>
>
> This is what the krb log had to say
>
> Mar 08 06:24:00 [email protected] krb5kdc[29358](info): TGS_REQ (1
> etypes {18}) 10.226.124.10: ISSUE: authtime 1394259840, etypes {rep=18
> tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Mar 08 06:24:00 [email protected] krb5kdc[29357](info): TGS_REQ (4
> etypes {18 17 16 23}) 10.226.20.31: ISSUE: authtime 1394259840, etypes
> {rep=18 tkt=18 ses=18}, [email protected] for
> ldap/[email protected]
> krb5kdc: Cannot determine realm for numeric host address - unable to find
> realm of host
> Mar 08 06:24:00 [email protected] krb5kdc[29358](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0,
> [email protected] for ldap/[email protected], Server not
> found in Kerberos database
> Mar 08 06:24:00 [email protected] krb5kdc[29357](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0,
> [email protected] for ldap/[email protected], Server not
> found in Kerberos database
>
>
> After reviewing the https://access.redhat.com/site/solutions/231543 post
> IPA: Joining realm failed: SASL Bind failed Local error (-2) ! child
> exited with 9. I checked all my DNS info via dig and took a working DNS
> config from another server. Everything appears to be setup right.
>
>
> What could I be overlooking?

Looking at these error messages, I would bet that reverse records are not right, notice the IPs instead of principal names in the KDC log. I would check reverse records of both master and client, asked from both master and client.

Additional info here:
http://www.freeipa.org/page/Troubleshooting#DNS_Issues

Martin
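
The forward/reverse check suggested in the reply above, as an added example that is not part of the original thread and is not FreeIPA tooling. The function names and the script layout are assumptions; the resolver functions are passed in as parameters so the comparison logic can be exercised without live DNS.

```python
import socket
import sys

def system_forward(name):
    """Forward lookup via the system resolver (honours /etc/hosts and nsswitch)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def system_reverse(addr):
    """Reverse (PTR) lookup via the system resolver; None when nothing is found."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_host(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    addrs = forward(fqdn)
    if not addrs:
        return ["%s: no forward (A/AAAA) record" % fqdn]
    problems = []
    for addr in sorted(addrs):
        ptr = reverse(addr)
        if ptr is None:
            # With no PTR the client cannot map the address back to a host name.
            problems.append("%s: %s has no PTR record" % (fqdn, addr))
        elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append("%s: %s reverses to %s" % (fqdn, addr, ptr))
    return problems

def check_all(hosts, forward=system_forward, reverse=system_reverse):
    """Check every host and return {fqdn: [problems]}."""
    return {h: check_host(h, forward, reverse) for h in hosts}

if __name__ == "__main__":
    # Usage: script.py <master-fqdn> <client-fqdn>; run it on the master AND the client.
    results = check_all(sys.argv[1:])
    for host in sorted(results):
        for line in results[host] or ["%s: forward and reverse records agree" % host]:
            print(line)
    sys.exit(1 if any(results.values()) else 0)
```

Because the lookups go through the system resolver, a stale `/etc/hosts` entry on one machine shows up as a disagreement there even when the DNS zone itself is correct.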
