On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> DNS A, SRV, and TXT
> entries are in place. Reverse DNS works.

My text DNS entry is possibly hosed, as it's in lowercase. I put in a request 
to capitalize it.

[root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."

Check /var/log/ipaclient-install.log first, as your IPA client install did not 
thus the certificate store wasn't created properly and does not contain the IPA CA
certificate yet.

For someone on vacation you sure spend a lot of time geeking out. :)

From the below, I think my next thing to try is to wipe the machine
and ipa-server-install --realm=USFS-I2.UMT.EDU to override DNS until
it gets fixed. Would you concur? Thanks for pointing me at the

2014-07-16T19:28:16Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T19:28:16Z DEBUG [IPA Discovery]
2014-07-16T19:28:16Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, 
servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Server and domain forced
2014-07-16T19:28:16Z DEBUG [Kerberos realm search]
2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of 
2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of 
2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG [LDAP server check]
2014-07-16T19:28:16Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm 
usfs-i2.umt.edu.) is an IPA server
2014-07-16T19:28:16Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Search LDAP server for IPA base DN
2014-07-16T19:28:16Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' 
is for IPA
2014-07-16T19:28:16Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid 
IPA context
2014-07-16T19:28:16Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T19:28:16Z DEBUG Found: 
2014-07-16T19:28:16Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is 
an IPA server
2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, 
domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z DEBUG Validated servers:
2014-07-16T19:28:16Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA 
This is definitely a TXT record issue of _kerberos.usfs-i2.umt.edu, because
when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the
strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of the TXT record
_kerberos.usfs-i2.umt.edu) for an exact match, i.e. including case.

After all, it is a Kerberos realm name, which must be upper-cased.
As a work-around, use the --realm option to force the right casing of the

/ Alexander Bokovoy
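The following is an added example, not code from the thread or from ipa-client itself: it reproduces the case-sensitive realm comparison described above as a small preflight check, so a lowercase _kerberos TXT record can be caught before running the installer. Function names are hypothetical, the sample inputs are constructed from the values in the thread, and stripping the trailing dot from the TXT value is an assumption of this illustration.

```python
"""Preflight check for the ipa-client realm discovery failure in the thread.

Added example, not ipa-client's own code. It mimics the comparison described
by Alexander: the realm from the LDAP krbRealmContainer entry must match the
_kerberos TXT record exactly, including case.
"""
import re

# Constructed sample: the 'host -t TXT' answer line quoted in the thread.
HOST_TXT_OUTPUT = '_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."'
# Constructed sample: realm name as stored in LDAP (cn=USFS-I2.UMT.EDU).
LDAP_REALM = "USFS-I2.UMT.EDU"


def parse_host_txt(line):
    """Extract the quoted TXT value from 'host -t TXT' output.

    The trailing dot is dropped here (assumption for this illustration).
    """
    m = re.search(r'descriptive text "([^"]*)"', line)
    if not m:
        raise ValueError("not a host(1) TXT answer: %r" % line)
    return m.group(1).rstrip(".")


def check_realm_txt(txt_line, ldap_realm):
    """Return (status, detail) for the discovery comparison.

    'ok'            -> TXT record would pass the exact-match check
    'case_mismatch' -> same realm, wrong case: the REALM_NOT_FOUND case above
    'mismatch'      -> a different realm name altogether
    """
    txt_realm = parse_host_txt(txt_line)
    if txt_realm == ldap_realm:
        return ("ok", txt_realm)
    if txt_realm.upper() == ldap_realm.upper():
        # Same realm, wrong case: fix the TXT record, or pass --realm until DNS is fixed.
        return ("case_mismatch",
                "TXT has %r, LDAP has %r; use --realm=%s until DNS is fixed"
                % (txt_realm, ldap_realm, ldap_realm))
    return ("mismatch", "TXT has %r, LDAP has %r" % (txt_realm, ldap_realm))


if __name__ == "__main__":
    print(check_realm_txt(HOST_TXT_OUTPUT, LDAP_REALM))
```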

