Excellent Rob
I see that it is trying the IP address on the main master (ldap.mydomain) and
not the ldap2.mydomain. So how do I fix it or where do I find that?
Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !
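Martin's advice further down this thread (check the generated /etc/krb5.conf, remember that realm names are case-sensitive, and look at the `_kerberos._udp.mydomain.com.` SRV record that still points at the old primary) can be checked mechanically. The script below is an added example, not code from the FreeIPA project or from anyone in this thread: it parses a krb5.conf-style file, lists the KDCs configured for a realm, reports whether `dns_lookup_kdc` lets libkrb5 fall back to SRV records, and flags SRV targets that differ from the configured KDC. The sample config and SRV answer are constructed inline (modelled on what is quoted below) so it runs offline; on a real host you would feed it the actual /etc/krb5.conf and the answer from `dig _kerberos._udp.<domain> SRV`.

```python
"""Diagnose where a Kerberos client will look for a realm's KDC.

Added example, not FreeIPA code.  Parses a krb5.conf-style file, lists the
configured KDCs for a realm, says whether DNS SRV lookup is in play, and
compares the configured KDC with the SRV target.  Inputs are constructed.
"""
import re
from typing import Any, Dict, List

# Constructed sample, modelled on the krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
"""

# Constructed SRV answer: the record still points at the old primary,
# which is the situation Martin describes in the thread.
SAMPLE_SRV: Dict[str, List[str]] = {"_kerberos._udp.mydomain.com.": ["ldap.mydomain.com."]}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Minimal krb5.conf parser: [sections], key = value lines, one level of
    NAME = { ... } blocks.  Repeated keys (several kdc lines) become lists.
    includedir is skipped, so files sssd drops into krb5.include.d are NOT seen."""
    conf: Dict[str, Dict[str, Any]] = {}
    section: Dict[str, Any] = {}
    block: Dict[str, Any] = {}
    in_section = in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith(("includedir", "include ")):
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            in_section, in_block = True, False
            continue
        if not in_section:
            continue
        if line == "}":
            in_block = False
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            in_block = True
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            target = block if in_block else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def kdcs_for_realm(conf: Dict[str, Any], realm: str) -> List[str]:
    """KDC hosts configured for realm; the match is case-sensitive, as in libkrb5."""
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        return []
    return [v.rsplit(":", 1)[0] for v in entry.get("kdc", [])]


def dns_lookup_kdc(conf: Dict[str, Any]) -> bool:
    """Whether libkrb5 may fall back to _kerberos SRV records (MIT default: true)."""
    vals = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])
    return str(vals[-1]).lower() in ("true", "yes", "1")


def diagnose(conf: Dict[str, Any], realm: str, srv: Dict[str, List[str]]) -> List[str]:
    """Findings about how a client would locate KDCs for realm, given SRV data."""
    realms = conf.get("realms", {})
    if realm not in realms:
        same = [r for r in realms if r.lower() == realm.lower()]
        if same:
            return [f"realm {realm!r} not configured, but {same[0]!r} is: realm names are case-sensitive"]
        return [f"no [realms] entry for {realm!r}"]
    configured = kdcs_for_realm(conf, realm)
    findings = [f"configured kdc(s) for {realm}: {', '.join(configured) or 'none'}"]
    domain = realms[realm].get("default_domain", [realm.lower()])[0]
    name = f"_kerberos._udp.{domain}."
    targets = [t.rstrip(".") for t in srv.get(name, [])]
    if dns_lookup_kdc(conf):
        findings.append(f"dns_lookup_kdc is on, so SRV {name} -> {targets} is also used")
    else:
        findings.append("dns_lookup_kdc is off, so only the configured kdc entries are used")
    stale = sorted(set(targets) - set(configured))
    if stale:
        findings.append(f"SRV {name} points at {', '.join(stale)}, not a configured kdc: "
                        "clients that discover via DNS will go there")
    return findings


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for line in diagnose(cfg, "MYDOMAIN.COM", SAMPLE_SRV) + diagnose(cfg, "mydomain.com", SAMPLE_SRV):
        print(line)
```

The parser deliberately ignores `includedir`, which is the one caveat worth knowing here: on an IPA client, sssd writes KDC locator snippets into /var/lib/sss/pubconf/krb5.include.d/, so what kinit actually uses can differ from what the visible /etc/krb5.conf says. That is why the trace (`KRB5_TRACE=/dev/stdout kinit ...`) remains the authoritative check of which address is really contacted.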
On Monday, March 31, 2014 8:09 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Shree wrote:
> Rob
> This is what I get.
Realm is case-sensitive, try skarul...@mydomain.com
rob
>
> [root@www ~]# KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
> [14858] 1396278013.584391: Getting initial credentials for skarul...@mydomain.com
> [14858] 1396278013.584975: Sending request (188 bytes) to mydomain.com
> [14858] 1396278013.585470: Retrying AS request with master KDC
> [14858] 1396278013.585492: Getting initial credentials for skarul...@mydomain.com
> [14858] 1396278013.585848: Sending request (188 bytes) to mydomain.com (master)
> kinit: Cannot find KDC for requested realm while getting initial credentials
> [root@www ~]#
>
> Shreeraj
> ----------------------------------------------------------------------------------------
> Change is the only Constant !
> On Monday, March 31, 2014 7:02 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Shree wrote:
> > Martin
> > First of all thank you so much for your detailed analysis. I got a
> > chance to finally take a look at it today. I tried your suggested
> > changes to the /etc/krb5.conf and I now get the following response.
> >
> > [root@www ~]# kinit
> > kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
> > [root@www ~]# kinit skarulkar
> > kinit: Cannot contact any KDC for realm ''MYDOMAIN.COM' while getting initial credentials
> > [root@www ~]# vi /etc/krb5.conf
> > [root@www ~]# kinit skarul...@mydomain.com
> > kinit: Cannot find KDC for requested realm while getting initial credentials
> >
> > Now I have seen this issue earlier in the project but I don't remember
> > what I did to fix this.
> >
> > ldap.mydomain.com is our primary which connects to ldap2.mydomain.com
> > that exists in a separate VLAN through specific ACLs in the firewall.
> > They sync with each other fine. My clients are only able to talk to
> > ldap2.mydomain.com. And out of 40+ clients that I moved from ldap to
> > ldap2, I only seem to have an issue with this last one?
> > I have even tried dropping a test VM in the same VLAN and it had no
> > issues joining the IPA. So that rules out any ACL misconfigurations to
> > this VLAN.
>
> Did you try the tracing that Martin suggested?
>
> rob
>
> >
> > Shreeraj
> > ----------------------------------------------------------------------------------------
> > Change is the only Constant !
> >
> > On Tuesday, March 25, 2014 12:55 AM, Martin Kosek <mko...@redhat.com> wrote:
> > It is searching for ldap.mydomain.com because you still have the DNS SRV record
> > _kerberos._udp.mydomain.com. pointing to it. I would start there.
> >
> > As for the failure, I would check that the generated /etc/krb5.conf is
> > correct:
> >
> > ~~~~~~~~~
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [libdefaults]
> > default_realm = MYDOMAIN.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > rdns = false
> > ticket_lifetime = 24h
> > forwardable = yes
> >
> > [realms]
> > MYDOMAIN.COM = {
> > kdc = ldap2.mydomain.com:88
> > master_kdc = ldap2.mydomain.com:88
> > admin_server = ldap2.mydomain.com:749
> > default_domain = mydomain.com
> > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > }
> >
> > [domain_realm]
> > .mydomain.com = MYDOMAIN.COM
> > mydomain.com = MYDOMAIN.COM
> > .mydomain.com = MYDOMAIN.COM
> > mydomain.com = MYDOMAIN.COM
> > ~~~~~~~~
> >
> > (I assume you did more anonymizing than expected; ipa-client-install does not
> > generate 2 domain_realm mappings unless the client domain is different from the
> > server domain (e.g. client.other.mydomain.com and server.mydomain.com)).
> >
> > What I would do in your place is to:
> > 1) Backup your current /etc/krb5.conf
> > 2) Replace it with the krb5.conf which was generated during ipa-client-install
> > (you can find the non-anonymized version in ipaclient-install.log)
> > 3) Try to kinit: kinit skarul...@mydomain.com
> >
> > Then it will be easier to troubleshoot. To get more information about what
> > kinit actually does, try enabling a trace:
> >
> > # KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
> >
> > You will then be able to see if it really connects to the right IP address,
> > which would enable you to debug further.
> >
> > Martin
> >
> > On 03/24/2014 07:20 PM, Shree wrote:
> > > If you look at the attached logs, you can see it is going to the
> > > correct DNS server. dig information is also correct. There is something
> > > else going on; I can't figure out what.
> > >
> > > Shreeraj
> > > ----------------------------------------------------------------------------------------
> > > Change is the only Constant !
> > >
> > > On Saturday, March 22, 2014 2:12 PM, Dmitri Pal <d...@redhat.com> wrote:
> > >
> > > On 03/21/2014 07:44 PM, Shree wrote:
> > >> Hi
> > >> Attaching the install log. It complains about being unable to reach
> > >> certain ports, however my tests using telnet were successful.
> > >> Also, to refresh your memory, the client should be reaching for
> > >> the replica ldap2.mydomain.com and not ldap.mydomain.com, which it
> > >> does for the most part, but I found a couple of instances of
> > >> ldap.mydomain.com in the log. Let me know what you find. I can't
> > >> believe I migrated over 40 servers and only this one refuses to
> > >> install ipa-client.
> > >>
> > > If it is getting to the wrong server then it is either looking at
> > > the wrong DNS server (see resolv.conf) which is telling it to use
> > > the wrong IPA server (maybe from some old try/POC) or it has some
> > > explicit entries entered in /etc/hosts.
> > >>
> > >> Shreeraj
> > >> ----------------------------------------------------------------------------------------
> > >> Change is the only Constant !
> > >>
> > >> On Thursday, March 20, 2014 4:29 AM, Martin Kosek <mko...@redhat.com> wrote:
> > >>
> > >> On 03/19/2014 10:37 PM, Shree wrote:
> > >>
> > >>> Hello
> > >>> I was able to successfully move all my clients to the replica, except
> > >>> that in the process I had to upgrade the client to "ipa-client-3.0.0-37.el6.x86_64"
> > >>> and sometimes run a --uninstall. But it works for the most part. I have been
> > >>> struggling with one last host with errors like below. I have tested the port
> > >>> connectivity using telnet and netcat commands but the install thinks these
> > >>> ports are blocked?
> > >>>
> > >>> kerberos authentication failed
> > >>> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials
> > >>>
> > >>> Please make sure the following ports are opened in the firewall settings:
> > >>> TCP: 80, 88, 389
> > >>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > >>> Also note that following ports are necessary for ipa-client working properly after enrollment:
> > >>> TCP: 464
> > >>> UDP: 464, 123 (if NTP enabled)
> > >>> Installation failed. Rolling back changes.
> > >>> Disabling client Kerberos and LDAP configurations
> > >>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> > >>> Restoring client configuration files
> > >>> Client uninstall complete.
> > >>> [root@www /]#
>
> > >>>
> > >>> In the /var/log/ipaclient-install.log I also see things like below. I get
> > >>> Autodiscovery failures but I am manually entering things and they have been
> > >>> working.
> > >>>
> > >>> 2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
> > >>> 2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
> > >>> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
> > >>> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
> > >>> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work with this configuration.
> > >>> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
> > >>
> > >> Ok. I would guess you have some DNS issue. But it is hard to tell without the
> > >> entire ipaclient-install.log of the failed installation.
> > >>
> > >> Martin
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
> > https://www.redhat.com/mailman/listinfo/freeipa-users