great, thanks. On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into a client machine without a password. Going the other way works fine, however.
thx
anthony

On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <[email protected]> wrote:

> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
> keyutils dependency fixed anyway :-)
>
> Martin
>
> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> > keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> > reinstalled keyutils and then ran the ipa-server-install again, and this
> > time it completed without error.
> >
> > Thanks very much, Martin and Dmitri!
> >
> > thx
> > anthony
> >
> > On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <[email protected]> wrote:
> >
> >> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> >>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> >>>> While running ipa-server-install, it's failing out at the end with an error
> >>>> regarding the client install on the server. This happens regardless of how I
> >>>> input the options, but here's the latest command:
> >>>>
> >>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
> >>>>
> >>>> Runs through the entire setup and gives me this:
> >>>>
> >>>> [...]
> >>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
> >>>> ipa : DEBUG stdout=
> >>>>
> >>>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
> >>>> Realm: EXAMPLE.COM
> >>>> DNS Domain: example.com
> >>>> IPA Server: ldap-server-01.example.com
> >>>> BaseDN: dc=example,dc=com
> >>>> New SSSD config will be created
> >>>> Configured /etc/sssd/sssd.conf
> >>>> Traceback (most recent call last):
> >>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
> >>>>     sys.exit(main())
> >>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
> >>>>     rval = install(options, env, fstore, statestore)
> >>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
> >>>>     delete_persistent_client_session_data(host_principal)
> >>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
> >>>>     kernel_keyring.del_key(keyname)
> >>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
> >>>>     real_key = get_real_key(key)
> >>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
> >>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
> >>>
> >>> Is keyctl installed? Can you run it manually?
> >>> Any SELinux denials?
> >>
> >> You are likely hitting
> >> https://fedorahosted.org/freeipa/ticket/3808
> >>
> >> Please try installing keyutils before running ipa-server-install. It is fixed
> >> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
> >>
> >> Martin
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
