Hi! I've had an issue trying to install a client on a new server installation.
Version 3.3.3 on CentOS 7 for both client and server. In the details below, the domain name, server host name, and ip address have been changed.

The server is sitting behind a router with ip 12.34.56.78. The server was configured with `--enable-dns` and `192.168.1.100 ipa.example.com ipa` in /etc/hosts. firewalld has been set to open up ports for ldap, ldaps, kerberos, kpasswd, dns, ntp, http, https on both the client and server. Port 7389 is also open on the server. The router has been configured to forward all of the above ports through 12.34.56.78 to 192.168.1.100.

The client is sitting on a different network (say, behind a router with ip 98.76.54.32). Its /etc/hosts includes `12.34.56.78 ipa.example.com ipa`. Its /etc/resolv.conf includes `nameserver 12.34.56.78`.

ipa-client-install fails with:

```
Discovery was successful!
Hostname: laptop-1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Wed Sep 24 17:44:28 2014 UTC
Valid Until: Sun Sep 24 17:44:28 2034 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
Cannot connect to the server due to Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'EXAMPLE.COM'", -1765328228). Trying with delegate=True
trying https://ipa.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
Second connect with delegate=True also failed: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'EXAMPLE.COM'", -1765328228)
Cannot connect to the IPA server XML-RPC interface: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'EXAMPLE.COM'", -1765328228)
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Cannot contact any KDC for requested realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
```

`cat /var/log/ipaclient-install.log | grep ERROR -C 25 -m 1`

```
2014-09-24T18:11:49Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
2014-09-24T18:11:49Z DEBUG Starting external process
2014-09-24T18:11:49Z DEBUG args=keyctl search @s user ipa_session_cookie:host/laptop-1.example....@example.com
2014-09-24T18:11:49Z DEBUG Process finished, return code=1
2014-09-24T18:11:49Z DEBUG stdout=
2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key not available
2014-09-24T18:11:49Z DEBUG Starting external process
2014-09-24T18:11:49Z DEBUG args=keyctl search @s user ipa_session_cookie:host/laptop-1.example....@example.com
2014-09-24T18:11:49Z DEBUG Process finished, return code=1
2014-09-24T18:11:49Z DEBUG stdout=
2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key not available
2014-09-24T18:11:49Z DEBUG failed to find session_cookie in persistent storage for principal 'host/laptop-1.example....@example.com'
2014-09-24T18:11:49Z INFO trying https://ipa.example.com/ipa/xml
2014-09-24T18:11:49Z DEBUG Created connection context.xmlclient
2014-09-24T18:11:49Z DEBUG Try RPC connection
2014-09-24T18:11:49Z INFO Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
2014-09-24T18:12:07Z DEBUG Destroyed connection context.xmlclient
2014-09-24T18:12:07Z INFO Cannot connect to the server due to Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'EXAMPLE.COM'", -1765328228). Trying with delegate=True
2014-09-24T18:12:07Z INFO trying https://ipa.example.com/ipa/xml
2014-09-24T18:12:07Z DEBUG Created connection context.xmlclient
2014-09-24T18:12:07Z DEBUG Try RPC connection
2014-09-24T18:12:07Z INFO Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
2014-09-24T18:12:25Z WARNING Second connect with delegate=True also failed: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'EXAMPLE.COM'", -1765328228)
2014-09-24T18:12:25Z ERROR Cannot connect to the IPA server XML-RPC interface: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'EXAMPLE.COM'", -1765328228)
```

One possibly worthwhile note is that running tcpdump shows that the client (local IP 192.168.0.102) is trying to connect to 192.168.1.100, the local IP of the server, which is on a different network and thus inaccessible.

```
14:11:49.611009 IP 192.168.0.102.57552 > 192.168.1.100.kerberos:
14:11:50.645238 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5701517 ecr 0,nop,wscale 7], length 0
14:11:51.648218 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5702520 ecr 0,nop,wscale 7], length 0
```

etc. etc.

Cheers,
ToBeReplaced
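
A way to pick this symptom out of a capture, as an added example that is not part of the original post: it parses tcpdump text output, reports SYNs that never received a reply, and flags destinations that are private addresses outside the client's own network. The function name, the /24 client network and the last two sample lines are assumptions constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# First two lines are the complete SYN lines from the post; the last two are
# constructed to show what an answered connection looks like.
SAMPLE = """\
14:11:50.645238 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5701517 ecr 0,nop,wscale 7], length 0
14:11:51.648218 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5702520 ecr 0,nop,wscale 7], length 0
14:11:52.000000 IP 192.168.0.102.40000 > 12.34.56.78.https: Flags [S], seq 1, win 14600, length 0
14:11:52.050000 IP 12.34.56.78.https > 192.168.0.102.40000: Flags [S.], seq 9, ack 2, win 14480, length 0
"""

# tcpdump prints endpoints as <address>.<port-or-service>.
LINE = re.compile(
    r"^\S+ IP (\S+)\.([^.\s]+) > (\S+)\.([^.\s:]+): Flags \[([^\]]+)\]"
)


def unanswered_syns(capture, local_net):
    """Return one finding per TCP flow whose SYN(s) were never answered."""
    net = ipaddress.ip_network(local_net)
    syns = defaultdict(int)  # flow -> SYN count, retransmissions included
    answered = set()         # flows for which the peer sent something back
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated or non-TCP line
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        else:
            # Record the packet under the key of the flow it replies to.
            answered.add((dst, dport, src, sport))
    findings = []
    for flow, count in syns.items():
        if flow in answered:
            continue
        dst = ipaddress.ip_address(flow[2])
        findings.append({
            "dst": str(dst),
            "service": flow[3],
            "syn_count": count,
            # Private address that is not on the client's own network.
            "private_off_net": dst.is_private and dst not in net,
        })
    return findings


if __name__ == "__main__":
    for finding in unanswered_syns(SAMPLE, "192.168.0.0/24"):
        print(finding)
```
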