Shree wrote:
Rob
This is what I get.


Realm is case-sensitive, try skarul...@mydomain.com

rob


[root@www ~]# KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
[14858] 1396278013.584391: Getting initial credentials for
skarul...@mydomain.com
[14858] 1396278013.584975: Sending request (188 bytes) to mydomain.com
[14858] 1396278013.585470: Retrying AS request with master KDC
[14858] 1396278013.585492: Getting initial credentials for
skarul...@mydomain.com
[14858] 1396278013.585848: Sending request (188 bytes) to mydomain.com
(master)
kinit: Cannot find KDC for requested realm while getting initial credentials
[root@www ~]#

Shreeraj
----------------------------------------------------------------------------------------


Change is the only Constant !
On Monday, March 31, 2014 7:02 AM, Rob Crittenden <rcrit...@redhat.com>
wrote:
Shree wrote:
 > Martin
 > First of all thank you so much for your detailed analysis. I got a
 > chance to finally take a look at it today. I tried your suggested
 > changes to the /etc/krb5.conf and I now get the following response.
 >
 > [root@www <mailto:root@www> ~]# kinit
 > kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting
 > initial credentials
 > [root@www <mailto:root@www> ~]# kinit skarulkar
 > kinit: Cannot contact any KDC for realm ''MYDOMAIN.COM' while getting
 > initial credentials
 > [root@www <mailto:root@www> ~]# vi /etc/krb5.conf
 > [root@www <mailto:root@www> ~]# kinit skarul...@mydomain.com
<mailto:skarul...@mydomain.com>
 > kinit: Cannot find KDC for requested realm while getting initial
credentials
 >
 > Now I have seen this issue earlier in the project but I don't remember
 > what I did to fix this.
 >
 > ldap.mydomain.com is our primary which connects to ldap2.mydomain.com
 > that exists in a separate VLAN  through specific ACLs in the firewall.
 > They sync with each other fine. My clients are only able to talk to
 > ldap2.mydomain.com. And out of 40 + clients that I moved from ldap to
 > ldap2 I only seem to have issue with this last one?
 > I have even tried dropping a test VM in the same VLAN and it had no
 > issues joining the IPA. So that rules out any ACL misconfigurations to
 > this VLAN.

Did you try the tracing that Martin suggested?

rob

 >
 >
 > Shreeraj
 >
----------------------------------------------------------------------------------------
 >
 >
 > Change is the only Constant !
 >
 >
 > On Tuesday, March 25, 2014 12:55 AM, Martin Kosek <mko...@redhat.com
<mailto:mko...@redhat.com>> wrote:
 > It searching for ldap.mydomain.com because you still have DNS SRV record
 > _kerberos._udp.mydomain.com. pointing to it. I would start there.
 >
 > As for the failure, I would check that the generated /etc/krb5.conf is
 > correct:
 >
 > ~~~~~~~~~
 > includedir /var/lib/sss/pubconf/krb5.include.d/
 >
 > [libdefaults]
 > default_realm = MYDOMAIN.COM
 >    dns_lookup_realm = false
 >    dns_lookup_kdc = false
 >    rdns = false
 >    ticket_lifetime = 24h
 >    forwardable = yes
 >
 > [realms]
 >    MYDOMAIN.COM = {
 >      kdc = ldap2.mydomain.com:88
 >      master_kdc = ldap2.mydomain.com:88
 >      admin_server = ldap2.mydomain.com:749
 >      default_domain = mydomain.com
 >      pkinit_anchors = FILE:/etc/ipa/ca.crt
 >    }
 >
 > [domain_realm]
 >    .mydomain.com = MYDOMAIN.COM
 >    mydomain.com = MYDOMAIN.COM
 >    .mydomain.com = MYDOMAIN.COM
 >    mydomain.com = MYDOMAIN.COM
 > ~~~~~~~~
 >
 > (I assume you did more anonymizing that expected, ipa-client-install
 > does not
 > generate 2 domain_realm mappings unless client domain is different that
 > server
 > domain (e.g. client.other.mydomain.com and server.mydomain.com)).
 >
 > What I would do in your place is to:
 > 1) Backup your current /etc/krb5.conf
 > 2) Replace it with the krb5.conf which was generated during
 > ipa-client-install
 > (you can find non-anonymized version in ipaclient-install.log)
 > 3) Try to kinit: kinit skarul...@mydomain.com
<mailto:skarul...@mydomain.com>
 > <mailto:skarul...@mydomain.com <mailto:skarul...@mydomain.com>>
 >
 > Then it will be easier to troubleshoot. To get more information what
kinit
 > actually does, try enabling a trace:
 >
 > # KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
<mailto:skarul...@mydomain.com>
 > <mailto:skarul...@mydomain.com <mailto:skarul...@mydomain.com>>
 >
 > You will be then able to see if it really connects to right IP
address which
 > would enable you to debug further.
 >
 > Martin
 >
 > On 03/24/2014 07:20 PM, Shree wrote:
 >  > If you look at the attached logs, you can see it is going to the
 > correct dns server. dig information is also correct. There is something
 > else going on I can figure out what?
 >  >
 >  >
 >  >
 >  > Shreeraj
 >  >
 >
----------------------------------------------------------------------------------------
 >
 >  >
 >  > Change is the only Constant !
 >  >
 >  >
 >  >
 >  > On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <d...@redhat.com
<mailto:d...@redhat.com>
 > <mailto:d...@redhat.com <mailto:d...@redhat.com>>> wrote:
 >  >
 >  > On 03/21/2014 07:44 PM, Shree wrote:
 >  > Hi
 >  >> Attaching the install log. It complains about unable to reach
 >  >        certain ports, however my tests by using telnet were
successful.
 >  >        Also to refresh your memory the client should be reaching for
 >  >        the replica lda2.mydomain.com and not ldap.mydomain.com
which it
 >  >        does for the most part but I found a couple of instances of
 >  >     ldap.mydomain.com in the log. Let me know what you find. I can't
 >  >        believe I migrated over 40 servers and only this one refuses to
 >  >        install ipa-client.
 >  >>
 >  >>
 >  > If it is getting to the wrong server then it is either looking at
 >  >    the wrong DNS server (see resolve.conf) which is telling it to use
 >  >    the wrong IPA server (may be from some old try/POC) or it has some
 >  >    explicit entries entered in /etc/hosts.
 >  >
 >  >
 >  >
 >  >
 >  >>
 >  >>
 >  >> Shreeraj
 >  >>
 >
----------------------------------------------------------------------------------------
 >
 >  >>
 >  >> Change is the only Constant !
 >  >>
 >  >>
 >  >>
 >  >> On Thursday, March 20, 2014 4:29 AM, Martin Kosek
<mko...@redhat.com <mailto:mko...@redhat.com>
 > <mailto:mko...@redhat.com <mailto:mko...@redhat.com>>> wrote:
 >  >>
 >  >> On 03/19/2014 10:37 PM, Shree wrote:
 >  >>
 >  >>> Hello
 >  >>> I was able to successfully move all my clients to
 >  >                  the replica except on the process I had to
upgrade the
 >  >                  client to "ipa-client-3.0.0-37.el6.x86_64" and some
 >  >                  times run a --uninstall
 >  >>>
 >  >>> . Bit it works for the most part. Have been
 >  >                  struggling with one last host with errors like below.
 >  >                  I have tested the port connectivity using telnet and
 >  >               netcat commands but the install thinks these ports are
 >  >                  blocked?
 >  >>>
 >  >>>
 >  >>>
 >  >>>
 >  >>> kerberos authentication failed
 >  >>> kinit: Cannot contact any KDC for realm
 >  >                  'MYDOMAIN.COM' while getting initial credentials
 >  >>>
 >  >>> Please make sure the following ports are opened
 >  >                  in the firewall settings:
 >  >>>   TCP: 80, 88, 389
 >  >>>      UDP: 88 (at least one of TCP/UDP ports 88
 >  >                  has to be open)
 >  >>> Also note that following ports are necessary for
 >  >                  ipa-client working properly after enrollment:
 >  >>>      TCP: 464
 >  >>>      UDP: 464, 123 (if NTP enabled)
 >  >>> Installation failed. Rolling back changes.
 >  >>> Disabling client Kerberos and LDAP configurations
 >  >>> Redundant SSSD configuration file
 >  > /etc/sssd/sssd.conf was moved to
 >  >                  /etc/sssd/sssd.conf.deleted
 >  >>> Restoring client configuration files
 >  >>> Client uninstall complete.
 >  >>> [root@www <mailto:root@www> <mailto:root@www <mailto:root@www>> /]#

 >  >>>
 >  >>> In the /var/log/ipaclient-install.log I also see
 >  >                  things like below. I get Autodiscovery failures but I
 >  >                  am manually entering things and they have been
 >  >    working.
 >  >>>
 >  >>> 2014-03-19T21:13:47Z DEBUG Found:
 >  >                  cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
 >  >>> 2014-03-19T21:13:47Z DEBUG Discovery result:
 >  >                  Success; server=ldap2.mydomain.com,
 >  >                  domain=mydomain.com, kdc=ldap.mydomain.com,
 >  >                  basedn=dc=mydomain,dc=com
 >  >>> 2014-03-19T21:13:47Z DEBUG Validated servers:
 >  >   ldap2.mydomain.com
 >  >>> 2014-03-19T21:13:47Z WARNING The failure to use
 >  >              DNS to find your IPA server indicates that your
 >  >                  resolv.conf file is not properly configured.
 >  >>> 2014-03-19T21:13:47Z INFO Autodiscovery of
 >  >                  servers for failover cannot work with this
 >  >                  configuration.
 >  >>> 2014-03-19T21:13:47Z INFO If you proceed with the
 >  >                  installation, services will be configured to always
 >  >                  access the discovered server for all operations and
 >  >                  will not fail over to other servers in case of
 >  >                  failure.
 >  >>
 >  >> Ok. I would guess you have some DNS issue. But it is
 >  >                hard to tell without the
 >  >> entire ipaclient-install.log of the failed installation.
 >  >>
 >  >> Martin
 >  >>
 >  >>
 >  >>
 >  >>
 > >
 >  >
 >
 >
 >
 >
 >
 > _______________________________________________
 > Freeipa-users mailing list
 > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
 > https://www.redhat.com/mailman/listinfo/freeipa-users
 >




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to