First of all thank you so much for your detailed analysis. I got a chance to 
finally take a look at it today. I tried your suggested changes to the 
/etc/krb5.conf and I now get the following response.

[root@www ~]# kinit
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial 
[root@www ~]# kinit skarulkar
kinit: Cannot contact any KDC for realm ''MYDOMAIN.COM' while getting initial 
[root@www ~]# vi /etc/krb5.conf
[root@www ~]# kinit
kinit: Cannot find KDC for requested realm while getting initial credentials

Now I have seen this issue earlier in the project but I don't remember what I 
did to fix this. is our primary which connects to that 
exists in a separate VLAN  through specific ACLs in the firewall. They sync 
with each other fine. My clients are only able to talk to 
And out of 40 + clients that I moved from ldap to ldap2 I only seem to have 
issue with this last one?
I have even tried dropping a test VM in the same VLAN and it had no issues 
joining the IPA. So that rules out any ACL misconfigurations to this VLAN.


Change is the only Constant !

On Tuesday, March 25, 2014 12:55 AM, Martin Kosek <> wrote:
It searching for because you still have DNS SRV record pointing to it. I would start there.

As for the failure, I would check that the generated /etc/krb5.conf is correct:

includedir /var/lib/sss/pubconf/krb5.include.d/

  default_realm = MYDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

    kdc =
    master_kdc =
    admin_server =
    default_domain =
    pkinit_anchors = FILE:/etc/ipa/ca.crt


(I assume you did more anonymizing that expected, ipa-client-install does not
generate 2 domain_realm mappings unless client domain is different that server
domain (e.g. and

What I would do in your place is to:
1) Backup your current /etc/krb5.conf
2) Replace it with the krb5.conf which was generated during ipa-client-install
(you can find non-anonymized version in ipaclient-install.log)
3) Try to kinit: kinit

Then it will be easier to troubleshoot. To get more information what kinit
actually does, try enabling a trace:

# KRB5_TRACE=/dev/stdout kinit

You will be then able to see if it really connects to right IP address which
would enable you to debug further.


On 03/24/2014 07:20 PM, Shree wrote:
> If you look at the attached logs, you can see it is going to the correct dns 
> server. dig information is also correct. There is something else going on I 
> can figure out what?
> Shreeraj 
> ----------------------------------------------------------------------------------------
> Change is the only Constant !
> On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <> wrote:
> On 03/21/2014 07:44 PM, Shree wrote: 
> Hi
>> Attaching the install log. It complains about unable to reach
>         certain ports, however my tests by using telnet were successful.
>         Also to refresh your memory the client should be reaching for
>         the replica and not which it
>         does for the most part but I found a couple of instances of
> in the log. Let me know what you find. I can't
>         believe I migrated over 40 servers and only this one refuses to
>         install ipa-client.
> If it is getting to the wrong server then it is either looking at
>     the wrong DNS server (see resolve.conf) which is telling it to use
>     the wrong IPA server (may be from some old try/POC) or it has some
>     explicit entries entered in /etc/hosts.
>> Shreeraj 
>> ----------------------------------------------------------------------------------------
>> Change is the only Constant !
>> On Thursday, March 20, 2014 4:29 AM, Martin Kosek <> wrote:
>> On 03/19/2014 10:37 PM, Shree wrote: 
>>> Hello
>>> I was able to successfully move all my clients to
>                   the replica except on the process I had to upgrade the
>                   client to "ipa-client-3.0.0-37.el6.x86_64" and some
>                   times run a --uninstall 
>>> . Bit it works for the most part. Have been
>                   struggling with one last host with errors like below.
>                   I have tested the port connectivity using telnet and
>                   netcat commands but the install thinks these ports are
>                   blocked? 
>>> kerberos authentication failed
>>> kinit: Cannot contact any KDC for realm
>                   'MYDOMAIN.COM' while getting initial credentials
>>> Please make sure the following ports are opened
>                   in the firewall settings:
>>>       TCP: 80, 88, 389
>>>       UDP: 88 (at least one of TCP/UDP ports 88
>                   has to be open)
>>> Also note that following ports are necessary for
>                   ipa-client working properly after enrollment:
>>>       TCP: 464
>>>       UDP: 464, 123 (if NTP enabled)
>>> Installation failed. Rolling back changes.
>>> Disabling client Kerberos and LDAP configurations
>>> Redundant SSSD configuration file
>                   /etc/sssd/sssd.conf was moved to
>                   /etc/sssd/sssd.conf.deleted
>>> Restoring client configuration files
>>> Client uninstall complete.
>>> [root@www /]#
>>> In the /var/log/ipaclient-install.log I also see
>                   things like below. I get Autodiscovery failures but I
>                   am manually entering things and they have been
>                   working.
>>> 2014-03-19T21:13:47Z DEBUG Found:
>                   cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
>>> 2014-03-19T21:13:47Z DEBUG Discovery result:
>                   Success;,
>         ,,
>                   basedn=dc=mydomain,dc=com
>>> 2014-03-19T21:13:47Z DEBUG Validated servers:
>>> 2014-03-19T21:13:47Z WARNING The failure to use
>                   DNS to find your IPA server indicates that your
>                   resolv.conf file is not properly configured.
>>> 2014-03-19T21:13:47Z INFO Autodiscovery of
>                   servers for failover cannot work with this
>                   configuration.
>>> 2014-03-19T21:13:47Z INFO If you proceed with the
>                   installation, services will be configured to always
>                   access the discovered server for all operations and
>                   will not fail over to other servers in case of
>                   failure.
>> Ok. I would guess you have some DNS issue. But it is
>                 hard to tell without the
>> entire ipaclient-install.log of the failed installation.
>> Martin 
Freeipa-users mailing list

Reply via email to