Shree wrote:
First of all thank you so much for your detailed analysis. I got a
chance to finally take a look at it today. I tried your suggested
changes to the /etc/krb5.conf and I now get the following response.

[root@www ~]# kinit
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting
initial credentials
[root@www ~]# kinit skarulkar
kinit: Cannot contact any KDC for realm ''MYDOMAIN.COM' while getting
initial credentials
[root@www ~]# vi /etc/krb5.conf
[root@www ~]# kinit
kinit: Cannot find KDC for requested realm while getting initial credentials

Now I have seen this issue earlier in the project but I don't remember
what I did to fix this. is our primary which connects to
that exists in a separate VLAN  through specific ACLs in the firewall.
They sync with each other fine. My clients are only able to talk to And out of 40 + clients that I moved from ldap to
ldap2 I only seem to have issue with this last one?
I have even tried dropping a test VM in the same VLAN and it had no
issues joining the IPA. So that rules out any ACL misconfigurations to
this VLAN.

Did you try the tracing that Martin suggested?



Change is the only Constant !

On Tuesday, March 25, 2014 12:55 AM, Martin Kosek <> wrote:
It searching for because you still have DNS SRV record pointing to it. I would start there.

As for the failure, I would check that the generated /etc/krb5.conf is

includedir /var/lib/sss/pubconf/krb5.include.d/

default_realm = MYDOMAIN.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

     kdc =
     master_kdc =
     admin_server =
     default_domain =
     pkinit_anchors = FILE:/etc/ipa/ca.crt


(I assume you did more anonymizing that expected, ipa-client-install
does not
generate 2 domain_realm mappings unless client domain is different that
domain (e.g. and

What I would do in your place is to:
1) Backup your current /etc/krb5.conf
2) Replace it with the krb5.conf which was generated during
(you can find non-anonymized version in ipaclient-install.log)
3) Try to kinit: kinit

Then it will be easier to troubleshoot. To get more information what kinit
actually does, try enabling a trace:

# KRB5_TRACE=/dev/stdout kinit

You will be then able to see if it really connects to right IP address which
would enable you to debug further.


On 03/24/2014 07:20 PM, Shree wrote:
 > If you look at the attached logs, you can see it is going to the
correct dns server. dig information is also correct. There is something
else going on I can figure out what?
 > Shreeraj

 > Change is the only Constant !
 > On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <
<>> wrote:
 > On 03/21/2014 07:44 PM, Shree wrote:
 > Hi
 >> Attaching the install log. It complains about unable to reach
 >        certain ports, however my tests by using telnet were successful.
 >        Also to refresh your memory the client should be reaching for
 >        the replica and not which it
 >        does for the most part but I found a couple of instances of
 > in the log. Let me know what you find. I can't
 >        believe I migrated over 40 servers and only this one refuses to
 >        install ipa-client.
 > If it is getting to the wrong server then it is either looking at
 >    the wrong DNS server (see resolve.conf) which is telling it to use
 >    the wrong IPA server (may be from some old try/POC) or it has some
 >    explicit entries entered in /etc/hosts.
 >> Shreeraj

 >> Change is the only Constant !
 >> On Thursday, March 20, 2014 4:29 AM, Martin Kosek <
<>> wrote:
 >> On 03/19/2014 10:37 PM, Shree wrote:
 >>> Hello
 >>> I was able to successfully move all my clients to
 >                  the replica except on the process I had to upgrade the
 >                  client to "ipa-client-3.0.0-37.el6.x86_64" and some
 >                  times run a --uninstall
 >>> . Bit it works for the most part. Have been
 >                  struggling with one last host with errors like below.
 >                  I have tested the port connectivity using telnet and
 >                  netcat commands but the install thinks these ports are
 >                  blocked?
 >>> kerberos authentication failed
 >>> kinit: Cannot contact any KDC for realm
 >                  'MYDOMAIN.COM' while getting initial credentials
 >>> Please make sure the following ports are opened
 >                  in the firewall settings:
 >>>      TCP: 80, 88, 389
 >>>      UDP: 88 (at least one of TCP/UDP ports 88
 >                  has to be open)
 >>> Also note that following ports are necessary for
 >                  ipa-client working properly after enrollment:
 >>>      TCP: 464
 >>>      UDP: 464, 123 (if NTP enabled)
 >>> Installation failed. Rolling back changes.
 >>> Disabling client Kerberos and LDAP configurations
 >>> Redundant SSSD configuration file
 >                  /etc/sssd/sssd.conf was moved to
 >                  /etc/sssd/sssd.conf.deleted
 >>> Restoring client configuration files
 >>> Client uninstall complete.
 >>> [root@www <mailto:root@www> /]#
 >>> In the /var/log/ipaclient-install.log I also see
 >                  things like below. I get Autodiscovery failures but I
 >                  am manually entering things and they have been
 >     working.
 >>> 2014-03-19T21:13:47Z DEBUG Found:
 >                  cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
 >>> 2014-03-19T21:13:47Z DEBUG Discovery result:
 >                  Success;,
 >        ,,
 >                  basedn=dc=mydomain,dc=com
 >>> 2014-03-19T21:13:47Z DEBUG Validated servers:
 >>> 2014-03-19T21:13:47Z WARNING The failure to use
 >               DNS to find your IPA server indicates that your
 >                  resolv.conf file is not properly configured.
 >>> 2014-03-19T21:13:47Z INFO Autodiscovery of
 >                  servers for failover cannot work with this
 >                  configuration.
 >>> 2014-03-19T21:13:47Z INFO If you proceed with the
 >                  installation, services will be configured to always
 >                  access the discovered server for all operations and
 >                  will not fail over to other servers in case of
 >                  failure.
 >> Ok. I would guess you have some DNS issue. But it is
 >                hard to tell without the
 >> entire ipaclient-install.log of the failed installation.
 >> Martin

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to