> This is definitely TXT record of _kerberos.usfs-i2.umt.edu issue because
> when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the
> strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of TXT record
> _kerberos.usfs-i2.umt.edu) to be exact match, i.e. including case.
>
> After all, it is Kerberos realm name, which must be upper-cased.
> As a work-around, use --realm option to force the right casing of the realm.

Fresh reinstall. ipa-server-install --realm USFS-I2.UMT.EDU. No dice. Too late, 
it occurred to me that ipa-client-install, when run at the end of the server 
install, already has the realm command line option populated with the correct 
realm (went back and checked):

Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' 
'--on-master' '--unattended' '--domain' 'usfs-i2.umt.edu' '--server' 
'ipa.usfs-i2.umt.edu' '--realm' 'USFS-I2.UMT.EDU' '--hostname' 
'ipa.usfs-i2.umt.edu'' returned non-zero exit status 1

So the question now is: why is DNS discovery pre-empting the specific 
parameters provided on the command line? According to the output below, it 
looks like it understands server and domain are forced, but it does a dns 
lookup on realm?


2014-07-16T21:20:51Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T21:20:51Z DEBUG [IPA Discovery]
2014-07-16T21:20:51Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, 
servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG Server and domain forced
2014-07-16T21:20:51Z DEBUG [Kerberos realm search]
2014-07-16T21:20:51Z DEBUG Search DNS for TXT record of 
_kerberos.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T21:20:51Z DEBUG Search DNS for SRV record of 
_kerberos._udp.usfs-i2.umt.edu.
2014-07-16T21:20:51Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T21:20:51Z DEBUG [LDAP server check]
2014-07-16T21:20:51Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm 
usfs-i2.umt.edu.) is an IPA server
2014-07-16T21:20:51Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG Search LDAP server for IPA base DN
2014-07-16T21:20:51Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' 
is for IPA
2014-07-16T21:20:51Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid 
IPA context
2014-07-16T21:20:51Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T21:20:51Z DEBUG Found: 
cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T21:20:51Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is 
an IPA server




This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to