I am not sure what you mean. So are you saying that "kinit USER" done on server fails? With what error?
On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> great, thanks.
>
> On a related note: the server still doesn't get a (client) kerberos ticket,
> which means I can't kinit as a user and then log into a client machine
> without a password. Going the other way works fine, however.
>
> thx
> anthony
>
> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <[email protected]> wrote:
>
>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
>> keyutils dependency fixed anyway :-)
>>
>> Martin
>>
>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
>>> reinstalled keyutils and then ran the ipa-server-install again, and this
>>> time it completed without error.
>>>
>>> Thanks very much, Martin and Dmitri!
>>>
>>> thx
>>> anthony
>>>
>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <[email protected]> wrote:
>>>
>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>>>> While running ipa-server-install, it's failing out at the end with an error
>>>>>> regarding the client install on the server. This happens regardless of how I
>>>>>> input the options, but here's the latest command:
>>>>>>
>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
>>>>>> <http://EXAMPLE.COM> -n example.com <http://example.com> -p passwd1 -a
>>>>>> passwd2 --hostname=ldap-server-01.example.com
>>>>>> <http://ldap-server-01.example.com> --forwarder=10.0.1.20
>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>>>
>>>>>> Runs through the entire setup and gives me this:
>>>>>>
>>>>>> [...]
>>>>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>>>> --unattended --domain example.com <http://example.com> --server
>>>>>> ldap-server-01.example.com <http://ldap-server-01.example.com> --realm
>>>>>> EXAMPLE.COM <http://EXAMPLE.COM> --hostname ldap-server-01.example.com
>>>>>> <http://ldap-server-01.example.com>
>>>>>> ipa : DEBUG stdout=
>>>>>>
>>>>>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
>>>>>> <http://ldap-server-01.example.com>
>>>>>> Realm: EXAMPLE.COM <http://EXAMPLE.COM>
>>>>>> DNS Domain: example.com <http://example.com>
>>>>>> IPA Server: ldap-server-01.example.com <http://ldap-server-01.example.com>
>>>>>> BaseDN: dc=example,dc=com
>>>>>> New SSSD config will be created
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> Traceback (most recent call last):
>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>>>     sys.exit(main())
>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>>>     delete_persistent_client_session_data(host_principal)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>>>>>     kernel_keyring.del_key(keyname)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>>>>>     real_key = get_real_key(key)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>>>>>
>>>>> Is keyctl installed? Can you run it manually?
>>>>> Any SELinux denials?
>>>>
>>>> You are likely hitting
>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>
>>>> Please try installing keyutils before running ipa-server-install. It is fixed
>>>> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>>>
>>>> Martin
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
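
The install failure quoted in this thread came down to /bin/keyctl being a zero-length file even though the keyutils package was installed. The following preflight check is an added example, not part of the thread or of FreeIPA; the function names `check_keyctl` and `preflight_keyctl` are hypothetical, and it assumes an RPM-based host for the optional `rpm -V` step.

```shell
#!/bin/sh
# Added example, not from the thread: preflight for the keyctl helper that
# ipa-client-install shells out to. Function names are hypothetical.

# check_keyctl PATH: print one status word; return 0 only if PATH is usable.
check_keyctl() {
    bin=$1
    if [ ! -e "$bin" ]; then
        echo missing; return 1
    elif [ ! -s "$bin" ]; then
        # The case from the thread: package installed, binary truncated to 0 bytes.
        echo empty; return 2
    elif [ ! -x "$bin" ]; then
        echo not-executable; return 3
    fi
    echo ok
}

# preflight_keyctl [PATH]: check the given keyctl (default: first one in $PATH,
# else /bin/keyctl as named in the thread) and say what to do on failure.
preflight_keyctl() {
    bin=${1:-$(command -v keyctl 2>/dev/null || echo /bin/keyctl)}
    if status=$(check_keyctl "$bin"); then
        echo "keyctl preflight: $bin ok"
        return 0
    fi
    echo "keyctl preflight: $bin is $status" >&2
    # rpm -V lists packaged files that differ from the RPM database (size, digest).
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils >&2 || true
    fi
    echo "reinstall the keyutils package before running ipa-server-install" >&2
    return 1
}
```

Source the file and run `preflight_keyctl` before `ipa-server-install`; a non-zero return means the installer would hit the same traceback at the `keyctl search` call.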
