It doesn't hang around, but I was able to make the install "work" by
hacking iptables via:

        iptables -t nat -A OUTPUT -d 192.168.1.100 -j DNAT --to-destination 12.34.56.78

Here's the generated /etc/krb5.conf on client:

        #File modified by ipa-client-install
        
        includedir /var/lib/sss/pubconf/krb5.include.d/
        
        [libdefaults]
          default_realm = EXAMPLE.COM
          dns_lookup_realm = true
          dns_lookup_kdc = true
          rdns = false
          ticket_lifetime = 24h
          forwardable = yes
          default_ccache_name = KEYRING:persistent:%{uid}
        
        [realms]
          EXAMPLE.COM = {
            pkinit_anchors = FILE:/etc/ipa/ca.crt
          }
        
        [domain_realm]
          .example.com = EXAMPLE.COM
          example.com = EXAMPLE.COM

Running kinit admin as suggested yields no errors, and the only IP
address listed is the correct one (12.34.56.78).  Of course, this is
after the iptables hack from install, but it is also post-reboot so the
iptables hack is gone.

Cheers,
ToBeReplaced

On Thu, 2014-09-25 at 11:27 -0400, Nalin Dahyabhai wrote:
> On Wed, Sep 24, 2014 at 01:02:34PM -0600, ToBeReplaced wrote:
> > In the details below, the domain name, server host name, and IP address have
> > been changed.
> > 
> > The server is sitting behind a router with IP 12.34.56.78. The server
> > was configured with `--enable-dns` and `192.168.1.100 ipa.example.com
> > ipa` in /etc/hosts. 
> > 
> > firewalld has been set to open up ports for ldap, ldaps, kerberos,
> > kpasswd, dns, ntp, http, https on both the client and server. Port 7389
> > is also open on the server.
> > 
> > The router has been configured to forward all of the above ports through
> > 12.34.56.78 to 192.168.1.100.
> > 
> > The client is sitting on a different network (say, behind a router with
> > IP 98.76.54.32).
> > 
> > Its /etc/hosts includes `12.34.56.78 ipa.example.com ipa`.
> > Its /etc/resolv.conf includes `nameserver 12.34.56.78`
> > 
> > ipa-client-install fails with:
> > 
> >         Discovery was successful!
> >         Hostname: laptop-1.example.com
> >         Realm: EXAMPLE.COM
> >         DNS Domain: example.com
> >         IPA Server: ipa.example.com
> >         BaseDN: dc=example,dc=com
> >         Synchronizing time with KDC...
> >         Successfully retrieved CA cert
> >             Subject:     CN=Certificate Authority,O=EXAMPLE.COM
> >             Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
> >             Valid From:  Wed Sep 24 17:44:28 2014 UTC
> >             Valid Until: Sun Sep 24 17:44:28 2034 UTC
> >         
> >         Enrolled in IPA realm EXAMPLE.COM
> >         Created /etc/ipa/default.conf
> >         New SSSD config will be created
> >         Configured /etc/sssd/sssd.conf
> >         Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> >         trying https://ipa.example.com/ipa/xml
> >         Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
> >         Cannot connect to the server due to Kerberos error: Kerberos
> >         error: ('Unspecified GSS failure.  Minor code may provide more
> >         information', 851968)/("Cannot contact any KDC for realm
> >         'EXAMPLE.COM'", -1765328228). Trying with delegate=True
> >         trying https://ipa.example.com/ipa/xml
> >         Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
> >         Second connect with delegate=True also failed: Kerberos error:
> >         ('Unspecified GSS failure.  Minor code may provide more
> >         information', 851968)/("Cannot contact any KDC for realm
> >         'EXAMPLE.COM'", -1765328228)
> >         Cannot connect to the IPA server XML-RPC interface: Kerberos
> >         error: ('Unspecified GSS failure.  Minor code may provide more
> >         information', 851968)/("Cannot contact any KDC for realm
> >         'EXAMPLE.COM'", -1765328228)
> >         Installation failed. Rolling back changes.
> >         Unenrolling client from IPA server
> >         Unenrolling host failed: Error obtaining initial credentials:
> >         Cannot contact any KDC for requested realm.
> >         Removing Kerberos service principals from /etc/krb5.keytab
> >         Disabling client Kerberos and LDAP configurations
> >         Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
> >         to /etc/sssd/sssd.conf.deleted
> >         Restoring client configuration files
> >         nscd daemon is not installed, skip configuration
> >         nslcd daemon is not installed, skip configuration
> >         Client uninstall complete.
> >         
> > `cat /var/log/ipaclient-install.log | grep ERROR -C 25 -m 1`
> >         2014-09-24T18:11:49Z INFO Configured /etc/krb5.conf for IPA
> >         realm EXAMPLE.COM
> >         2014-09-24T18:11:49Z DEBUG Starting external process
> >         2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
> >         ipa_session_cookie:host/laptop-1.example....@example.com
> >         2014-09-24T18:11:49Z DEBUG Process finished, return code=1
> >         2014-09-24T18:11:49Z DEBUG stdout=
> >         2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
> >         not available
> >         
> >         2014-09-24T18:11:49Z DEBUG Starting external process
> >         2014-09-24T18:11:49Z DEBUG args=keyctl search @s user
> >         ipa_session_cookie:host/laptop-1.example....@example.com
> >         2014-09-24T18:11:49Z DEBUG Process finished, return code=1
> >         2014-09-24T18:11:49Z DEBUG stdout=
> >         2014-09-24T18:11:49Z DEBUG stderr=keyctl_search: Required key
> >         not available
> >         
> >         2014-09-24T18:11:49Z DEBUG failed to find session_cookie in
> >         persistent storage for principal
> >         'host/laptop-1.example....@example.com'
> >         2014-09-24T18:11:49Z INFO trying https://ipa.example.com/ipa/xml
> >         2014-09-24T18:11:49Z DEBUG Created connection context.xmlclient
> >         2014-09-24T18:11:49Z DEBUG Try RPC connection
> >         2014-09-24T18:11:49Z INFO Forwarding 'ping' to server
> >         'https://ipa.example.com/ipa/xml'
> >         2014-09-24T18:12:07Z DEBUG Destroyed connection
> >         context.xmlclient
> >         2014-09-24T18:12:07Z INFO Cannot connect to the server due to
> >         Kerberos error: Kerberos error: ('Unspecified GSS failure.
> >         Minor code may provide more information', 851968)/("Cannot
> >         contact any KDC for realm 'EXAMPLE.COM'", -1765328228). Trying
> >         with delegate=True
> >         2014-09-24T18:12:07Z INFO trying https://ipa.example.com/ipa/xml
> >         2014-09-24T18:12:07Z DEBUG Created connection context.xmlclient
> >         2014-09-24T18:12:07Z DEBUG Try RPC connection
> >         2014-09-24T18:12:07Z INFO Forwarding 'ping' to server
> >         'https://ipa.example.com/ipa/xml'
> >         2014-09-24T18:12:25Z WARNING Second connect with delegate=True
> >         also failed: Kerberos error: ('Unspecified GSS failure.  Minor
> >         code may provide more information', 851968)/("Cannot contact any
> >         KDC for realm 'EXAMPLE.COM'", -1765328228)
> >         2014-09-24T18:12:25Z ERROR Cannot connect to the IPA server
> >         XML-RPC interface: Kerberos error: ('Unspecified GSS failure.
> >         Minor code may provide more information', 851968)/("Cannot
> >         contact any KDC for realm 'EXAMPLE.COM'", -1765328228)
> > 
> > One possibly worthwhile note is that running tcpdump shows that the
> > client (local IP 192.168.0.102) is trying to connect to 192.168.1.100,
> > the local IP of the server, which is on a different network and thus
> > inaccessible.
> > 
> >         14:11:49.611009 IP 192.168.0.102.57552 > 192.168.1.100.kerberos:
> >         14:11:50.645238 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5701517 ecr 0,nop,wscale 7], length 0
> >         14:11:51.648218 IP 192.168.0.102.37952 > 192.168.1.100.kerberos: Flags [S], seq 1224109057, win 14600, options [mss 1460,sackOK,TS val 5702520 ecr 0,nop,wscale 7], length 0
> >         
> > etc. etc.
> 
> Any chance the /etc/krb5.conf that the install script created is still
> around?  Based on your tcpdump data, my first guess would be that the
> Kerberos client bits ended up looking up the KDC (the Kerberos service)
> location using DNS, which would have pointed it at the non-tunneled
> address.  If it's around, running
>   env KRB5_CONFIG=/path/to/krb5.conf KRB5_TRACE=/dev/stderr kinit admin
> should provide information about how it's locating servers, allowing us
> to confirm if that's what's happening here.
> 
> HTH,
> 
> Nalin
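The lookup order Nalin describes (explicit kdc entries in krb5.conf if present, otherwise DNS SRV records for the realm) can be checked offline with the following added example. It is not code from this thread or from FreeIPA: the krb5.conf parser, the helper names, and the DNS answers (a constructed stand-in for what the IPA server's DNS publishes) are all assumptions; explicit profile entries are resolved by the client's normal host resolver (e.g. its /etc/hosts), which the example does not model.

```python
import ipaddress
import re

# Constructed DNS answers standing in for the IPA server's DNS zone; the
# SRV target resolves to the server's internal address, as on the thread.
SRV = {"_kerberos._udp.example.com.": [("ipa.example.com.", 88)]}
A = {"ipa.example.com.": ["192.168.1.100"]}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: returns (libdefaults dict, {realm: [kdc, ...]})."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            libdefaults[k.lower()] = v.lower()
        elif section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and re.match(r"kdc\s*=", line, re.I):
                realms[realm].append(line.split("=", 1)[1].strip())
    return libdefaults, realms


def locate_kdcs(text, realm, srv=SRV, a=A):
    """Mirror libkrb5's order: explicit kdc= entries win; DNS SRV is consulted
    only when none are configured and dns_lookup_kdc is true (the default)."""
    libdefaults, realms = parse_krb5_conf(text)
    explicit = realms.get(realm, [])
    if explicit:
        return [("profile", h, None) for h in explicit]
    if libdefaults.get("dns_lookup_kdc", "true") not in ("true", "yes", "1"):
        return []
    out = []
    for target, port in srv.get("_kerberos._udp.%s." % realm.lower(), []):
        for ip in a.get(target, []):
            out.append(("dns", "%s:%d" % (target.rstrip("."), port), ip))
    return out


def unreachable_kdcs(results):
    """DNS-derived KDC addresses in RFC 1918 space: unreachable from a client on another network."""
    return [r for r in results if r[2] and ipaddress.ip_address(r[2]).is_private]
```

Running it against the generated krb5.conf from the thread reports a DNS-sourced KDC at 192.168.1.100 flagged as private, while the same realm block with a `kdc = ipa.example.com:88` line reports a profile-sourced KDC and performs no SRV lookup.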


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project