On 03/19/2014 10:37 PM, Shree wrote:
> Hello
> I was able to successfully move all my clients to the replica, except in the
> process I had to upgrade the client to "ipa-client-3.0.0-37.el6.x86_64" and
> sometimes run a --uninstall. But it works for the most part. Have been
> struggling with one last host
> with errors like below. I have tested the port connectivity using telnet and 
> netcat commands but the install thinks these ports are blocked? 
>
> kerberos authentication failed
> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial 
> credentials
> 
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly 
> after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> Client uninstall complete.
> [root@www /]#
> 
> In the /var/log/ipaclient-install.log I also see things like below. I get 
> Autodiscovery failures but I am manually entering things and they have been 
> working.
> 
> 2014-03-19T21:13:47Z DEBUG Found: 
> cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
> 2014-03-19T21:13:47Z DEBUG Discovery result: Success; 
> server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, 
> basedn=dc=mydomain,dc=com
> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server 
> indicates that your resolv.conf file is not properly configured.
> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work 
> with this configuration.
> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will 
> be configured to always access the discovered server for all operations and 
> will not fail over to other servers in case of failure.

Ok. I would guess you have some DNS issue. But it is hard to tell without the
entire ipaclient-install.log of the failed installation.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
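
An added example, not part of the thread and not FreeIPA code: a small reader for the "Discovery result" entries of /var/log/ipaclient-install.log that lists DNS warnings and any entry where the discovered KDC is a different host from the server being enrolled against, which is the host kinit then has to reach. It assumes every log entry starts with a timestamp and level as in the quoted lines; the function names are hypothetical.

```python
import re

# Constructed sample: log lines quoted in the post, one entry left mail-wrapped.
SAMPLE_LOG = """\
2014-03-19T21:13:47Z DEBUG Discovery result: Success;
server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com,
basedn=dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:]+Z) (\w+) (.*)$")
KEYS = r"(?:server|domain|kdc|basedn)"
FIELD = re.compile(rf"({KEYS})=(.*?)(?=,\s+{KEYS}=|$)")  # basedn itself contains ',' and '='

def entries(text):
    """Yield [timestamp, level, message]; untimestamped lines continue the previous entry."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            if current:
                yield current
            current = list(m.groups())
        elif current and line.strip():
            current[2] = current[2].rstrip() + " " + line.strip()
    if current:
        yield current

def discovery_results(text):
    """Return one dict per 'Discovery result:' entry: time, status and its key=value fields."""
    results = []
    for ts, _level, msg in entries(text):
        if msg.startswith("Discovery result:"):
            status = msg.split(":", 1)[1].split(";", 1)[0].strip()
            results.append({"time": ts, "status": status, **dict(FIELD.findall(msg))})
    return results

def findings(text):
    """List DNS warnings, then discovery entries whose KDC is not the enrolled server."""
    notes = [f"{ts} {msg}" for ts, level, msg in entries(text)
             if level == "WARNING" and "DNS" in msg]
    for r in discovery_results(text):
        if r.get("kdc") and r.get("kdc") != r.get("server"):
            notes.append(f"{r['time']} KDC {r['kdc']} differs from server {r['server']}")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```

A flagged KDC is only a pointer to which hostname to test for name resolution and port 88 reachability from the failing client; it is not by itself a diagnosis.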
