On 03/08/2014 07:39 AM, rashard.ke...@sita.aero wrote:
> Hello all!!
> 
> I cannot get a RHEL5.10 client to install!
> 
> [root@hostname ~]# ipa-client-install --hostname=hostname.domain.com 
> --no-ntp  --ca-cert-file=/etc/ipa/ca.crt
> DNS domain 'doman.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> 
> Discovery was successful!
> Hostname:hostname.com
> Realm:DOMAIN.COM
> DNS Domain: domain.com
> IPA Server: ipaserver.com
> BaseDN: dc=ipa,dc=dc,dc=sita,dc=com
> 
> Joining realm failed: SASL Bind failed Local error (-2) !
> child exited with 9
> Installation failed. Rolling back changes.
> 
> 
> This is what the krb log had to say
> 
> Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29358](info): TGS_REQ (1 
> etypes {18}) 10.226.124.10: ISSUE: authtime 1394259840, etypes {rep=18 
> tkt=18 ses=18}, rke...@domain.com for krbtgt/domain....@domain.com
> Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29357](info): TGS_REQ (4 
> etypes {18 17 16 23}) 10.226.20.31: ISSUE: authtime 1394259840, etypes 
> {rep=18 tkt=18 ses=18}, rke...@domain.com for 
> ldap/ipaserver.domain....@domain.com
> krb5kdc: Cannot determine realm for numeric host address - unable to find 
> realm of host
> Mar 08 06:24:00 ipaser...@domain.como krb5kdc[29358](info): TGS_REQ (7 
> etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0, 
> rke...@ipa2.dc.sita.aero for ldap/10.226.20...@domain.com, Server not 
> found in Kerberos database
> Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29357](info): TGS_REQ (7 
> etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0, 
> rke...@ipa2.dc.sita.aero for ldap/10.226.20...@domain.com, Server not 
> found in Kerberos database
> 
> 
> After reviewing the https://access.redhat.com/site/solutions/231543 post 
> IPA: Joining realm failed: SASL Bind failed Local error (-2) ! child 
> exited with 9. I checked all my DNS info via dig and took a working DNS 
> config from another server. Everything appears to be setup right. 
> 
> 
> What could I be overlooking?

Looking at these error messages, I would bet that reverse records are not
right, notice the IPs instead of principal names in the KDC log. I would check
reverse records of both master and client, asked from both master and client.

Additional info here: http://www.freeipa.org/page/Troubleshooting#DNS_Issues

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to