On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:



On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> DNS A, SRV, and TXT
>entries are in place. Reverse DNS works.

My text DNS entry is possibly hosed, as it's in lowercase. I put in a request 
to capitalize it.

[root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."


Check /var/log/ipaclient-install.log first, as your IPA client install did not 
finish,
thus certificates store wasn't created properly and does not contain IPA CA
certificate yet.

For someone on vacation you sure spend a lot of time geeking out. :)

From the below, I think my next thing to try is to wipe the machine
and ipa-server-install --realm=USFS-I2.UMT.EDU to override DNS until
it gets fixed. Would you concur? Thanks for pointing me at the
logfile.

2014-07-16T19:28:16Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T19:28:16Z DEBUG [IPA Discovery]
2014-07-16T19:28:16Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, 
servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Server and domain forced
2014-07-16T19:28:16Z DEBUG [Kerberos realm search]
2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of 
_kerberos.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of 
_kerberos._udp.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG [LDAP server check]
2014-07-16T19:28:16Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm 
usfs-i2.umt.edu.) is an IPA server
2014-07-16T19:28:16Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Search LDAP server for IPA base DN
2014-07-16T19:28:16Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' 
is for IPA
2014-07-16T19:28:16Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid 
IPA context
2014-07-16T19:28:16Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T19:28:16Z DEBUG Found: 
cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is 
an IPA server
2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, 
domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z DEBUG Validated servers:
2014-07-16T19:28:16Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA 
Server.
This is definitely TXT record of _kerberos.usfs-i2.umt.edu issue because
when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the
strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of TXT record
_kerberos.usfs-i2.umt.edu) to be exact match, i.e. including case.

After all, it is Kerberos realm name, which must be upper-cased.
As a work-around, use --realm option to force the right casing of the
realm.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to