Martin,

First of all, thank you so much for your detailed analysis. I got a chance to finally take a look at it today. I tried your suggested changes to /etc/krb5.conf and I now get the following response.

[root@www ~]# kinit
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
[root@www ~]# kinit skarulkar
kinit: Cannot contact any KDC for realm ''MYDOMAIN.COM' while getting initial credentials
[root@www ~]# vi /etc/krb5.conf
[root@www ~]# kinit [email protected]
kinit: Cannot find KDC for requested realm while getting initial credentials

Now I have seen this issue earlier in the project, but I don't remember what I did to fix it. ldap.mydomain.com is our primary, which connects to ldap2.mydomain.com that exists in a separate VLAN through specific ACLs in the firewall. They sync with each other fine. My clients are only able to talk to ldap2.mydomain.com. And out of 40+ clients that I moved from ldap to ldap2, I only seem to have an issue with this last one. I have even tried dropping a test VM in the same VLAN and it had no issues joining the IPA. So that rules out any ACL misconfiguration for this VLAN.

Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !


On Tuesday, March 25, 2014 12:55 AM, Martin Kosek <[email protected]> wrote:

It is searching for ldap.mydomain.com because you still have the DNS SRV record _kerberos._udp.mydomain.com. pointing to it. I would start there.

As for the failure, I would check that the generated /etc/krb5.conf is correct:

~~~~~~~~~
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MYDOMAIN.COM = {
    kdc = ldap2.mydomain.com:88
    master_kdc = ldap2.mydomain.com:88
    admin_server = ldap2.mydomain.com:749
    default_domain = mydomain.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM
~~~~~~~~

(I assume you did more anonymizing than expected; ipa-client-install does not generate 2 domain_realm mappings unless the client domain is different than the server domain (e.g. client.other.mydomain.com and server.mydomain.com).)

What I would do in your place is to:
1) Backup your current /etc/krb5.conf
2) Replace it with the krb5.conf which was generated during ipa-client-install (you can find the non-anonymized version in ipaclient-install.log)
3) Try to kinit:
   kinit [email protected]

Then it will be easier to troubleshoot. To get more information on what kinit actually does, try enabling a trace:

# KRB5_TRACE=/dev/stdout kinit [email protected]

You will then be able to see if it really connects to the right IP address, which would enable you to debug further.

Martin

On 03/24/2014 07:20 PM, Shree wrote:
> If you look at the attached logs, you can see it is going to the correct DNS
> server. dig information is also correct. There is something else going on; I
> can't figure out what.
>
> Shreeraj
> ----------------------------------------------------------------------------------------
> Change is the only Constant !
>
>
> On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <[email protected]> wrote:
>
> On 03/21/2014 07:44 PM, Shree wrote:
>> Hi
>> Attaching the install log. It complains about being unable to reach
>> certain ports, however my tests using telnet were successful.
>> Also to refresh your memory, the client should be reaching for
>> the replica ldap2.mydomain.com and not ldap.mydomain.com, which it
>> does for the most part, but I found a couple of instances of
>> ldap.mydomain.com in the log. Let me know what you find. I can't
>> believe I migrated over 40 servers and only this one refuses to
>> install ipa-client.
>
> If it is getting to the wrong server then it is either looking at
> the wrong DNS server (see resolv.conf) which is telling it to use
> the wrong IPA server (maybe from some old try/POC) or it has some
> explicit entries entered in /etc/hosts.
>
>> Shreeraj
>> ----------------------------------------------------------------------------------------
>> Change is the only Constant !
>>
>>
>> On Thursday, March 20, 2014 4:29 AM, Martin Kosek <[email protected]> wrote:
>>
>> On 03/19/2014 10:37 PM, Shree wrote:
>>> Hello
>>> I was able to successfully move all my clients to the replica, except
>>> in the process I had to upgrade the client to
>>> "ipa-client-3.0.0-37.el6.x86_64" and sometimes run a --uninstall.
>>> But it works for the most part. I have been struggling with one last
>>> host with errors like below. I have tested the port connectivity using
>>> telnet and netcat commands, but the install thinks these ports are
>>> blocked?
>>>
>>> kerberos authentication failed
>>> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
>>>
>>> Please make sure the following ports are opened in the firewall settings:
>>> TCP: 80, 88, 389
>>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>>> TCP: 464
>>> UDP: 464, 123 (if NTP enabled)
>>> Installation failed. Rolling back changes.
>>> Disabling client Kerberos and LDAP configurations
>>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>>> Restoring client configuration files
>>> Client uninstall complete.
>>> [root@www /]#
>>>
>>> In /var/log/ipaclient-install.log I also see things like below. I get
>>> Autodiscovery failures, but I am manually entering things and they have
>>> been working.
>>>
>>> 2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
>>> 2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
>>> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
>>> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
>>> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work with this configuration.
>>> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>>
>> Ok. I would guess you have some DNS issue. But it is hard to tell without the
>> entire ipaclient-install.log of the failed installation.
>>
>> Martin
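The thread boils down to three places a client can be told where its KDC is: the `kdc =` lines in /etc/krb5.conf, the `_kerberos._udp.<domain>` SRV record (which ipa-client-install's discovery and sssd use, and which still points to ldap here), and a stale /etc/hosts entry. The script below is an added example, not code from the thread or from FreeIPA: it parses a constructed krb5.conf, a constructed `dig +noall +answer` SRV listing and a constructed hosts file with the thread's anonymized hostnames, and reports where the three views disagree. The stale 10.0.1.5 hosts entry is a hypothetical inserted to show the /etc/hosts check; on a real host you would point the functions at /etc/krb5.conf, the live dig output and /etc/hosts instead.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): cross-check the three sources
# a client can take its KDC from. All files below are constructed for the demo.

# Print the kdc hosts configured for REALM in a krb5.conf-style file, port
# stripped, one per line. Walks [realms] and the "REALM = { ... }" stanza.
krb5_kdcs() {   # $1 = krb5.conf path, $2 = realm
    awk -v realm="$2" '
        /^[ \t]*\[/ { section = $0
                      sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section) }
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[ \t]*}/ { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { sub(/:[0-9]+$/, "", $3); print $3 }
    ' "$1"
}

# Print the SRV targets for NAME from dig(1) answer lines such as
#   _kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap.mydomain.com.
srv_targets() {   # $1 = file with dig answer lines, $2 = owner name without trailing dot
    awk -v name="$2." '$1 == name && $4 == "SRV" { sub(/\.$/, "", $8); print $8 }' "$1"
}

# Print every SRV target for _kerberos._udp.DOMAIN that is NOT a kdc in krb5.conf.
# Empty output means DNS and krb5.conf agree; anything printed is where DNS-based
# discovery (ipa-client-install, sssd) will steer the client instead.
kdc_mismatch() {   # $1 = krb5.conf, $2 = realm, $3 = dig answer file, $4 = DNS domain
    conf_kdcs=$(krb5_kdcs "$1" "$2")
    for t in $(srv_targets "$3" "_kerberos._udp.$4"); do
        printf '%s\n' "$conf_kdcs" | grep -qx "$t" || echo "$t"
    done
}

# Print "host -> ip" for each hostname that a hosts file pins to a fixed address
# (Dmitri's point: an explicit /etc/hosts entry bypasses DNS entirely).
hosts_overrides() {   # $1 = hosts file, $2.. = hostnames to look for
    f=$1; shift
    for h in "$@"; do
        awk -v h="$h" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) print h, "->", $1 }' "$f"
    done
}

# ---- constructed sample inputs (hostnames as anonymized in the thread) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_kdc = false

[realms]
  MYDOMAIN.COM = {
    kdc = ldap2.mydomain.com:88
    master_kdc = ldap2.mydomain.com:88
    admin_server = ldap2.mydomain.com:749
  }
EOF

# What `dig +noall +answer SRV _kerberos._udp.mydomain.com` would show while the
# record still points at the old primary (constructed).
cat > "$tmp/srv.txt" <<'EOF'
_kerberos._udp.mydomain.com. 86400 IN SRV 0 100 88 ldap.mydomain.com.
_kerberos._tcp.mydomain.com. 86400 IN SRV 0 100 88 ldap.mydomain.com.
EOF

# Hypothetical stale entry from an earlier POC; the address is made up.
cat > "$tmp/hosts" <<'EOF'
127.0.0.1   localhost
10.0.1.5    ldap2.mydomain.com ldap2
EOF

echo "KDCs in krb5.conf:";            krb5_kdcs "$tmp/krb5.conf" MYDOMAIN.COM
echo "SRV _kerberos._udp says:";      srv_targets "$tmp/srv.txt" _kerberos._udp.mydomain.com
echo "SRV targets not in krb5.conf:"; kdc_mismatch "$tmp/krb5.conf" MYDOMAIN.COM "$tmp/srv.txt" mydomain.com
echo "/etc/hosts overrides:";         hosts_overrides "$tmp/hosts" ldap.mydomain.com ldap2.mydomain.com
```

With `dns_lookup_kdc = false` libkrb5 itself only uses the `kdc =` lines, so a plain `kinit` failing against ldap2 points at reachability or the realm stanza, while the discovery log in the thread (`kdc=ldap.mydomain.com`) is explained by the SRV mismatch the script prints; `KRB5_TRACE=/dev/stdout kinit` then confirms which address was actually tried.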
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
