great, thanks.

On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.

thx
anthony

On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mko...@redhat.com> wrote:

> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
> the
> keyutils dependency fixed anyway :-)
>
> Martin
>
> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> > keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> > reinstalled keyutils and then ran the ipa-server-install again, and this
> > time it completed without error.
> >
> > Thanks very much, Martin and Dmitri!
> >
> > thx
> > anthony
> >
> > On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mko...@redhat.com> wrote:
> >
> >> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> >>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> >>>> While running ipa-server-install, it's failing out at the end with an
> >> error
> >>>> regarding the client install on the server. This happens regardless of
> >> how I
> >>>> input the options, but here's the latest command:
> >>>>
> >>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
> >>>> <http://EXAMPLE.COM> -n example.com <http://example.com> -p passwd1
> -a
> >>>> passwd2 --hostname=ldap-server-01.example.com
> >>>> <http://ldap-server-01.example.com> --forwarder=10.0.1.20
> >>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
> >>>>
> >>>> Runs through the entire setup and gives me this:
> >>>>
> >>>> [...]
> >>>> ipa         : DEBUG  args=/usr/sbin/ipa-client-install --on-master
> >>>> --unattended --domain example.com <http://example.com> --server
> >>>> ldap-server-01.example.com <http://ldap-server-01.example.com>
> --realm
> >>>> EXAMPLE.COM <http://EXAMPLE.COM> --hostname
> ldap-server-01.example.com
> >>>> <http://ldap-server-01.example.com>
> >>>> ipa         : DEBUG    stdout=
> >>>>
> >>>> ipa         : DEBUG    stderr=Hostname: ldap-server-01.example.com
> >>>> <http://ldap-server-01.example.com>
> >>>> Realm: EXAMPLE.COM <http://EXAMPLE.COM>
> >>>> DNS Domain: example.com <http://example.com>
> >>>> IPA Server: ldap-server-01.example.com <
> >> http://ldap-server-01.example.com>
> >>>> BaseDN: dc=example,dc=com
> >>>> New SSSD config will be created
> >>>> Configured /etc/sssd/sssd.conf
> >>>> Traceback (most recent call last):
> >>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
> >>>>     sys.exit(main())
> >>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
> >>>>     rval = install(options, env, fstore, statestore)
> >>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
> >>>> delete_persistent_client_session_data(host_principal)
> >>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in
> >>>> delete_persistent_client_session_data
> >>>>     kernel_keyring.del_key(keyname)
> >>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
> >> line
> >>>> 99, in del_key
> >>>>     real_key = get_real_key(key)
> >>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
> >> line
> >>>> 45, in get_real_key
> >>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
> >> key],
> >>>> raiseonerr=False)
> >>>
> >>> Is keyctl installed? Can you run it manually?
> >>> Any SELinux denials?
> >>
> >> You are likely hitting
> >> https://fedorahosted.org/freeipa/ticket/3808
> >>
> >> Please try installing keyutils before running ipa-server-install. It is
> >> fixed
> >> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
> >>
> >> Martin
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
> >>
> >
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to