kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.

I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db ("Cannot determine realm for numeric
host address").

Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? During the ipa-client-install --on-master
step of the server install?

In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. So I'm sure that's where most of my
problems lie.

I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.
thx
anthony

On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mko...@redhat.com> wrote:

> I am not sure what you mean. So are you saying that "kinit USER" done on server
> fails? With what error?
>
> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> > great, thanks.
> >
> > On a related note: the server still doesn't get a (client) Kerberos ticket,
> > which means I can't kinit as a user and then log into a client machine
> > without a password. Going the other way works fine, however.
> >
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mko...@redhat.com> wrote:
> >
> >> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
> >> keyutils dependency fixed anyway :-)
> >>
> >> Martin
> >>
> >> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> >>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> >>> reinstalled keyutils and then ran the ipa-server-install again, and this
> >>> time it completed without error.
> >>>
> >>> Thanks very much, Martin and Dmitri!
> >>>
> >>> thx
> >>> anthony
> >>>
> >>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mko...@redhat.com> wrote:
> >>>
> >>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> >>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> >>>>>> While running ipa-server-install, it's failing out at the end with an error
> >>>>>> regarding the client install on the server. This happens regardless of how I
> >>>>>> input the options, but here's the latest command:
> >>>>>>
> >>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
> >>>>>>
> >>>>>> Runs through the entire setup and gives me this:
> >>>>>>
> >>>>>> [...]
> >>>>>> ipa         : DEBUG  args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
> >>>>>> ipa         : DEBUG    stdout=
> >>>>>>
> >>>>>> ipa         : DEBUG    stderr=Hostname: ldap-server-01.example.com
> >>>>>> Realm: EXAMPLE.COM
> >>>>>> DNS Domain: example.com
> >>>>>> IPA Server: ldap-server-01.example.com
> >>>>>> BaseDN: dc=example,dc=com
> >>>>>> New SSSD config will be created
> >>>>>> Configured /etc/sssd/sssd.conf
> >>>>>> Traceback (most recent call last):
> >>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
> >>>>>>     sys.exit(main())
> >>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
> >>>>>>     rval = install(options, env, fstore, statestore)
> >>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
> >>>>>>     delete_persistent_client_session_data(host_principal)
> >>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
> >>>>>>     kernel_keyring.del_key(keyname)
> >>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
> >>>>>>     real_key = get_real_key(key)
> >>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
> >>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
> >>>>>
> >>>>> Is keyctl installed? Can you run it manually?
> >>>>> Any SELinux denials?
> >>>>
> >>>> You are likely hitting
> >>>> https://fedorahosted.org/freeipa/ticket/3808
> >>>>
> >>>> Please try installing keyutils before running ipa-server-install. It is fixed
> >>>> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
> >>>>
> >>>> Martin
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-users mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the project
> >>>>
> >>>
> >>
> >>
> >
>
>
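As an added example that is not part of the thread or of FreeIPA's own tooling: shell functions that check, before running ipa-server-install or before chasing passwordless ssh, the three preconditions this thread runs into (a usable keyctl binary, a non-numeric ssh target, and a host principal in the server keytab). The keyctl path, the realm and the klist text are parameters so the pure-logic checks can be exercised on constructed input; only `preflight` touches the live system.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from FreeIPA. Checks for the
# three preconditions the thread trips over, written as functions so the
# pure-logic ones run without an IPA server:
#   1. ipa-client-install crashes in ipapython/kernel_keyring.py when 'keyctl'
#      is missing or, as in the thread, present but zero bytes long.
#   2. GSSAPI ssh to a numeric address fails with "Cannot determine realm for
#      numeric host address": Kerberos needs a hostname to derive the
#      host/<fqdn>@<REALM> service principal.
#   3. The server must hold its own host principal in /etc/krb5.keytab.

# 0 if the path is a usable keyctl binary: exists, non-empty, executable.
# The path is a parameter so the check can be tested against a temp file.
keyctl_usable() {
    local path="${1:-/bin/keyctl}"
    [ -s "$path" ] && [ -x "$path" ]
}

# 0 if the ssh target is a bare IPv4 (digits and dots) or IPv6 (hex and
# colons) literal, i.e. the input that cannot be mapped to a realm.
is_numeric_host() {
    case "$1" in
        "") return 1 ;;
        *[!0-9.]*)
            case "$1" in
                *:*) case "$1" in *[!0-9a-fA-F:.]*) return 1 ;; *) return 0 ;; esac ;;
                *)   return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# 0 if 'klist -k' output (passed as text) lists host/<fqdn>@<REALM>.
# On a server: has_host_principal "$(hostname -f)" EXAMPLE.COM "$(klist -k)"
has_host_principal() {
    local fqdn="$1" realm="$2" klist_output="$3"
    printf '%s\n' "$klist_output" |
        awk -v want="host/${fqdn}@${realm}" '$2 == want { found = 1 } END { exit !found }'
}

# Live pre-flight on the server; stops at the first failed check.
preflight() {
    local realm="$1" fqdn; fqdn="$(hostname -f)"
    keyctl_usable /bin/keyctl || { echo "keyctl missing or empty: reinstall keyutils"; return 1; }
    is_numeric_host "$fqdn" && { echo "hostname is a literal address, not a FQDN"; return 1; }
    has_host_principal "$fqdn" "$realm" "$(klist -k /etc/krb5.keytab 2>/dev/null)" ||
        { echo "no host/$fqdn@$realm in /etc/krb5.keytab"; return 1; }
    echo "pre-flight OK for host/$fqdn@$realm"
}
```

Run `preflight EXAMPLE.COM` on the IPA server as root; a zero-length /bin/keyctl, as seen in this thread, fails the first check before the installer ever reaches kernel_keyring.py.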