I'm referring to the host certificate; I was looking at the web UI, under Identity->Hosts in the server details page. The Host Certificate section says 'No Valid Certificate'. The server has a /etc/krb5.keytab file, and on the same page the Enrollment section says 'Kerberos Key Present, Host Provisioned'.
thx
anthony

On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 03/26/2015 05:52 PM, Anthony Lanni wrote:
>> kinit USER works perfectly; but I can't ssh into the client machine from the server without it requesting a password.
>>
>> I think this is a DNS issue, actually. The server isn't resolving the name of the client, so I'm ssh'ing with the IP address, and that's not going to work since it's not in the Kerberos db ("Cannot determine realm for numeric host address").
>
> So it looks like you have found your problem - Kerberos tends to break if DNS is not set properly.
>
>> Except, of course, that the server did not get its own valid Kerberos host certificate. It should, right? During the ipa-client-install --on-master step of the server install?
>
> Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)? They are 2 distinct things.
>
>> In fact, the global DNS config is completely empty. But I'm going to have to tear down the server and rebuild because it's on the same domain as an AD server, and ipa-client-install finds that server rather than the new IPA server by default: that won't work because I want LDAP to dynamically update the records, and establish a trust with the AD server.
>> Also we've got 2 linux DNS root servers that act as forwarders. I pointed the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind to configure IPA to use them properly. So I'm sure that's where most of my problems lie.
>>
>> I've got to RTFM a bit more before I really start asking the right questions, I think. At that point I'll start a new thread.
>
> Ok :-)
>
> Martin
>
>> thx
>> anthony
>>
>> On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mko...@redhat.com> wrote:
>>
>>> I am not sure what you mean. So are you saying that "kinit USER" done on server fails? With what error?
>>>
>>> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
>>>> great, thanks.
>>>>
>>>> On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into a client machine without a password. Going the other way works fine, however.
>>>>
>>>> thx
>>>> anthony
>>>>
>>>> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>
>>>>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the keyutils dependency fixed anyway :-)
>>>>>
>>>>> Martin
>>>>>
>>>>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>>>>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I reinstalled keyutils and then ran the ipa-server-install again, and this time it completed without error.
>>>>>>
>>>>>> Thanks very much, Martin and Dmitri!
>>>>>>
>>>>>> thx
>>>>>> anthony
>>>>>>
>>>>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>>>
>>>>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>>>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>>>>>>> While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command:
>>>>>>>>>
>>>>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>>>>>>
>>>>>>>>> Runs through the entire setup and gives me this:
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>>>>>>>>> ipa : DEBUG stdout=
>>>>>>>>>
>>>>>>>>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
>>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>>> DNS Domain: example.com
>>>>>>>>> IPA Server: ldap-server-01.example.com
>>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>>> New SSSD config will be created
>>>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>>>> Traceback (most recent call last):
>>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>>>>>>     sys.exit(main())
>>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>>>>>>     delete_persistent_client_session_data(host_principal)
>>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>>>>>>>>     kernel_keyring.del_key(keyname)
>>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>>>>>>>>     real_key = get_real_key(key)
>>>>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>>>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>>>>>>>>
>>>>>>>> Is keyctl installed? Can you run it manually?
>>>>>>>> Any SELinux denials?
>>>>>>>
>>>>>>> You are likely hitting
>>>>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>>>>
>>>>>>> Please try installing keyutils before running ipa-server-install. It is fixed in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
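An added preflight script (example code, not from this thread or the FreeIPA project) that checks the three things the thread turned up before running ipa-server-install or testing Kerberos ssh: a zero-length /bin/keyctl, a keytab that is present and not world-readable, and an ssh target given as an IP literal instead of a DNS name. KEYCTL and KEYTAB are assumed environment overrides so the checks can be pointed at test files.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code. Defaults are the real paths; KEYCTL and
# KEYTAB are assumed overrides for running the checks against fixtures.

# 1. keyutils was "installed" but /bin/keyctl was a 0-byte file, so the keyring
#    helper in ipa-client-install blew up. Require a non-empty executable.
check_executable() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -s "$f" ] || { echo "zero-length: $f (reinstall the package)"; return 1; }
    [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    return 0
}

# 2. "Kerberos Key Present" in the UI means a populated keytab. It says nothing
#    about the host certificate, which is a separate object. The keytab holds the
#    host's long-term key, so it must not be readable by other users.
check_keytab() {
    kt="$1"
    [ -s "$kt" ] || { echo "keytab missing or empty: $kt"; return 1; }
    if find "$kt" -perm -004 2>/dev/null | grep -q .; then
        echo "keytab $kt is world-readable"; return 1
    fi
    return 0
}

# 3. Kerberos cannot map an IP literal to a realm ("Cannot determine realm for
#    numeric host address"), so an ssh target must be a resolvable DNS name.
is_numeric_host() {
    case "$1" in
        *:*) return 0 ;;          # IPv6 literal
        *[!0-9.]*) return 1 ;;    # letters or dashes present: a hostname
        *.*.*.*) return 0 ;;      # dotted-quad IPv4
    esac
    return 1
}

# Run all three; returns non-zero if any check fails.
preflight() {
    host="$1"; rc=0
    check_executable "${KEYCTL:-/bin/keyctl}" || rc=1
    check_keytab "${KEYTAB:-/etc/krb5.keytab}" || rc=1
    if is_numeric_host "$host"; then
        echo "target '$host' is an IP literal; use its DNS name so Kerberos can pick a realm"
        rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```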