Shree wrote:
Rob This is what I get.
Realm is case-sensitive, try skarul...@mydomain.com rob
[root@www ~]# KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com [14858] 1396278013.584391: Getting initial credentials for skarul...@mydomain.com [14858] 1396278013.584975: Sending request (188 bytes) to mydomain.com [14858] 1396278013.585470: Retrying AS request with master KDC [14858] 1396278013.585492: Getting initial credentials for skarul...@mydomain.com [14858] 1396278013.585848: Sending request (188 bytes) to mydomain.com (master) kinit: Cannot find KDC for requested realm while getting initial credentials [root@www ~]# Shreeraj ---------------------------------------------------------------------------------------- Change is the only Constant ! On Monday, March 31, 2014 7:02 AM, Rob Crittenden <rcrit...@redhat.com> wrote: Shree wrote: > Martin > First of all thank you so much for your detailed analysis. I got a > chance to finally take a look at it today. I tried your suggested > changes to the /etc/krb5.conf and I now get the following response. > > [root@www <mailto:root@www> ~]# kinit > kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting > initial credentials > [root@www <mailto:root@www> ~]# kinit skarulkar > kinit: Cannot contact any KDC for realm ''MYDOMAIN.COM' while getting > initial credentials > [root@www <mailto:root@www> ~]# vi /etc/krb5.conf > [root@www <mailto:root@www> ~]# kinit skarul...@mydomain.com <mailto:skarul...@mydomain.com> > kinit: Cannot find KDC for requested realm while getting initial credentials > > Now I have seen this issue earlier in the project but I don't remember > what I did to fix this. > > ldap.mydomain.com is our primary which connects to ldap2.mydomain.com > that exists in a separate VLAN through specific ACLs in the firewall. > They sync with each other fine. My clients are only able to talk to > ldap2.mydomain.com. And out of 40 + clients that I moved from ldap to > ldap2 I only seem to have issue with this last one? > I have even tried dropping a test VM in the same VLAN and it had no > issues joining the IPA. So that rules out any ACL misconfigurations to > this VLAN. Did you try the tracing that Martin suggested? rob > > > Shreeraj > ---------------------------------------------------------------------------------------- > > > Change is the only Constant ! > > > On Tuesday, March 25, 2014 12:55 AM, Martin Kosek <mko...@redhat.com <mailto:mko...@redhat.com>> wrote: > It searching for ldap.mydomain.com because you still have DNS SRV record > _kerberos._udp.mydomain.com. pointing to it. I would start there. > > As for the failure, I would check that the generated /etc/krb5.conf is > correct: > > ~~~~~~~~~ > includedir /var/lib/sss/pubconf/krb5.include.d/ > > [libdefaults] > default_realm = MYDOMAIN.COM > dns_lookup_realm = false > dns_lookup_kdc = false > rdns = false > ticket_lifetime = 24h > forwardable = yes > > [realms] > MYDOMAIN.COM = { > kdc = ldap2.mydomain.com:88 > master_kdc = ldap2.mydomain.com:88 > admin_server = ldap2.mydomain.com:749 > default_domain = mydomain.com > pkinit_anchors = FILE:/etc/ipa/ca.crt > } > > [domain_realm] > .mydomain.com = MYDOMAIN.COM > mydomain.com = MYDOMAIN.COM > .mydomain.com = MYDOMAIN.COM > mydomain.com = MYDOMAIN.COM > ~~~~~~~~ > > (I assume you did more anonymizing that expected, ipa-client-install > does not > generate 2 domain_realm mappings unless client domain is different that > server > domain (e.g. client.other.mydomain.com and server.mydomain.com)). > > What I would do in your place is to: > 1) Backup your current /etc/krb5.conf > 2) Replace it with the krb5.conf which was generated during > ipa-client-install > (you can find non-anonymized version in ipaclient-install.log) > 3) Try to kinit: kinit skarul...@mydomain.com <mailto:skarul...@mydomain.com> > <mailto:skarul...@mydomain.com <mailto:skarul...@mydomain.com>> > > Then it will be easier to troubleshoot. To get more information what kinit > actually does, try enabling a trace: > > # KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com <mailto:skarul...@mydomain.com> > <mailto:skarul...@mydomain.com <mailto:skarul...@mydomain.com>> > > You will be then able to see if it really connects to right IP address which > would enable you to debug further. > > Martin > > On 03/24/2014 07:20 PM, Shree wrote: > > If you look at the attached logs, you can see it is going to the > correct dns server. dig information is also correct. There is something > else going on I can figure out what? > > > > > > > > Shreeraj > > > ---------------------------------------------------------------------------------------- > > > > > Change is the only Constant ! > > > > > > > > On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com> > <mailto:d...@redhat.com <mailto:d...@redhat.com>>> wrote: > > > > On 03/21/2014 07:44 PM, Shree wrote: > > Hi > >> Attaching the install log. It complains about unable to reach > > certain ports, however my tests by using telnet were successful. > > Also to refresh your memory the client should be reaching for > > the replica lda2.mydomain.com and not ldap.mydomain.com which it > > does for the most part but I found a couple of instances of > > ldap.mydomain.com in the log. Let me know what you find. I can't > > believe I migrated over 40 servers and only this one refuses to > > install ipa-client. > >> > >> > > If it is getting to the wrong server then it is either looking at > > the wrong DNS server (see resolve.conf) which is telling it to use > > the wrong IPA server (may be from some old try/POC) or it has some > > explicit entries entered in /etc/hosts. > > > > > > > > > >> > >> > >> Shreeraj > >> > ---------------------------------------------------------------------------------------- > > >> > >> Change is the only Constant ! > >> > >> > >> > >> On Thursday, March 20, 2014 4:29 AM, Martin Kosek <mko...@redhat.com <mailto:mko...@redhat.com> > <mailto:mko...@redhat.com <mailto:mko...@redhat.com>>> wrote: > >> > >> On 03/19/2014 10:37 PM, Shree wrote: > >> > >>> Hello > >>> I was able to successfully move all my clients to > > the replica except on the process I had to upgrade the > > client to "ipa-client-3.0.0-37.el6.x86_64" and some > > times run a --uninstall > >>> > >>> . Bit it works for the most part. Have been > > struggling with one last host with errors like below. > > I have tested the port connectivity using telnet and > > netcat commands but the install thinks these ports are > > blocked? > >>> > >>> > >>> > >>> > >>> kerberos authentication failed > >>> kinit: Cannot contact any KDC for realm > > 'MYDOMAIN.COM' while getting initial credentials > >>> > >>> Please make sure the following ports are opened > > in the firewall settings: > >>> TCP: 80, 88, 389 > >>> UDP: 88 (at least one of TCP/UDP ports 88 > > has to be open) > >>> Also note that following ports are necessary for > > ipa-client working properly after enrollment: > >>> TCP: 464 > >>> UDP: 464, 123 (if NTP enabled) > >>> Installation failed. Rolling back changes. > >>> Disabling client Kerberos and LDAP configurations > >>> Redundant SSSD configuration file > > /etc/sssd/sssd.conf was moved to > > /etc/sssd/sssd.conf.deleted > >>> Restoring client configuration files > >>> Client uninstall complete. > >>> [root@www <mailto:root@www> <mailto:root@www <mailto:root@www>> /]# > >>> > >>> In the /var/log/ipaclient-install.log I also see > > things like below. I get Autodiscovery failures but I > > am manually entering things and they have been > > working. > >>> > >>> 2014-03-19T21:13:47Z DEBUG Found: > > cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com > >>> 2014-03-19T21:13:47Z DEBUG Discovery result: > > Success; server=ldap2.mydomain.com, > > domain=mydomain.com, kdc=ldap.mydomain.com, > > basedn=dc=mydomain,dc=com > >>> 2014-03-19T21:13:47Z DEBUG Validated servers: > > ldap2.mydomain.com > >>> 2014-03-19T21:13:47Z WARNING The failure to use > > DNS to find your IPA server indicates that your > > resolv.conf file is not properly configured. > >>> 2014-03-19T21:13:47Z INFO Autodiscovery of > > servers for failover cannot work with this > > configuration. > >>> 2014-03-19T21:13:47Z INFO If you proceed with the > > installation, services will be configured to always > > access the discovered server for all operations and > > will not fail over to other servers in case of > > failure. > >> > >> Ok. I would guess you have some DNS issue. But it is > > hard to tell without the > >> entire ipaclient-install.log of the failed installation. > >> > >> Martin > >> > >> > >> > >> > > > > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com> > https://www.redhat.com/mailman/listinfo/freeipa-users >
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users