ah, ok. So I'm going to assume the problem with my server not being able to get a DNS record for any of the clients is why the user can't ssh into the clients.
Thanks for the help, everyone!

thx
anthony

On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Anthony Lanni wrote:
> > I'm referring to the host certificate; I was looking at the web UI,
> > under Identity->Hosts in the server details page. The Host Certificate
> > section says 'No Valid Certificate'.
> > The server has a /etc/krb5.keytab file, and on the same page the
> > Enrollment section says 'Kerberos Key Present, Host Provisioned'.
>
> No, masters never got this certificate issued. It was intended to be an
> alternate way to authenticate a host to IPA. The host certificate is not
> used by IPA currently, and in 4.1 one isn't issued for clients by
> default any more.
>
> rob
>
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek <mko...@redhat.com> wrote:
> > > On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> > > > kinit USER works perfectly; but I can't ssh into the client machine from
> > > > the server without it requesting a password.
> > > >
> > > > I think this is a DNS issue, actually. The server isn't resolving the name
> > > > of the client, so I'm ssh'ing with the IP address, and that's not going to
> > > > work since it's not in the Kerberos db ("Cannot determine realm for numeric
> > > > host address").
> > >
> > > So it looks like you have found your problem - Kerberos tends to break if DNS
> > > is not set properly.
> > >
> > > > Except, of course, that the server did not get its own valid Kerberos host
> > > > certificate. It should, right? during the ipa-client-install --on-master
> > > > step of the server install?
> > >
> > > Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
> > > They are 2 distinct things.
> > >
> > > > In fact, the global DNS config is completely empty. But I'm going to have
> > > > to tear down the server and rebuild because it's on the same domain as an
> > > > AD server, and ipa-client-install finds that server rather than the new IPA
> > > > server by default: that won't work because I want LDAP to dynamically
> > > > update the records, and establish a trust with the AD server.
> > > > Also we've got 2 linux DNS root servers that act as forwarders. I pointed
> > > > the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
> > > > to configure IPA to use them properly. So I'm sure that's where most of my
> > > > problems lie.
> > > >
> > > > I've got to RTFM a bit more before I really start asking the right
> > > > questions, I think. At that point I'll start a new thread.
> > >
> > > Ok :-)
> > >
> > > Martin
> > >
> > > > thx
> > > > anthony
> > > >
> > > > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek <mko...@redhat.com> wrote:
> > > > > I am not sure what you mean. So are you saying that "kinit USER" done on
> > > > > server fails? With what error?
> > > > >
> > > > > On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> > > > > > great, thanks.
> > > > > >
> > > > > > On a related note: the server still doesn't get a (client) kerberos ticket,
> > > > > > which means I can't kinit as a user and then log into a client machine
> > > > > > without a password. Going the other way works fine, however.
> > > > > >
> > > > > > thx
> > > > > > anthony
> > > > > >
> > > > > > On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek <mko...@redhat.com> wrote:
> > > > > > > Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
> > > > > > > keyutils dependency fixed anyway :-)
> > > > > > >
> > > > > > > Martin
> > > > > > >
> > > > > > > On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> > > > > > > > keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> > > > > > > > reinstalled keyutils and then ran the ipa-server-install again, and this
> > > > > > > > time it completed without error.
> > > > > > > >
> > > > > > > > Thanks very much, Martin and Dmitri!
> > > > > > > >
> > > > > > > > thx
> > > > > > > > anthony
> > > > > > > >
> > > > > > > > On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek <mko...@redhat.com> wrote:
> > > > > > > > > On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> > > > > > > > > > On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> > > > > > > > > > > While running ipa-server-install, it's failing out at the end with an
> > > > > > > > > > > error regarding the client install on the server. This happens regardless
> > > > > > > > > > > of how I input the options, but here's the latest command:
> > > > > > > > > > >
> > > > > > > > > > > ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
> > > > > > > > > > >
> > > > > > > > > > > Runs through the entire setup and gives me this:
> > > > > > > > > > >
> > > > > > > > > > > [...]
> > > > > > > > > > > ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
> > > > > > > > > > > ipa : DEBUG stdout=
> > > > > > > > > > >
> > > > > > > > > > > ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
> > > > > > > > > > > Realm: EXAMPLE.COM
> > > > > > > > > > > DNS Domain: example.com
> > > > > > > > > > > IPA Server: ldap-server-01.example.com
> > > > > > > > > > > BaseDN: dc=example,dc=com
> > > > > > > > > > > New SSSD config will be created
> > > > > > > > > > > Configured /etc/sssd/sssd.conf
> > > > > > > > > > > Traceback (most recent call last):
> > > > > > > > > > >   File "/usr/sbin/ipa-client-install", line 2377, in <module>
> > > > > > > > > > >     sys.exit(main())
> > > > > > > > > > >   File "/usr/sbin/ipa-client-install", line 2363, in main
> > > > > > > > > > >     rval = install(options, env, fstore, statestore)
> > > > > > > > > > >   File "/usr/sbin/ipa-client-install", line 2135, in install
> > > > > > > > > > >     delete_persistent_client_session_data(host_principal)
> > > > > > > > > > >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
> > > > > > > > > > >     kernel_keyring.del_key(keyname)
> > > > > > > > > > >   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
> > > > > > > > > > >     real_key = get_real_key(key)
> > > > > > > > > > >   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
> > > > > > > > > > >     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
> > > > > > > > > >
> > > > > > > > > > Is keyctl installed? Can you run it manually?
> > > > > > > > > > Any SELinux denials?
> > > > > > > > >
> > > > > > > > > You are likely hitting
> > > > > > > > > https://fedorahosted.org/freeipa/ticket/3808
> > > > > > > > >
> > > > > > > > > Please try installing keyutils before running ipa-server-install. It is
> > > > > > > > > fixed in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform
> > > > > > > > > also:
> > > > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1205660
> > > > > > > > >
> > > > > > > > > Martin
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > > > > > Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
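Added example, not part of the thread or of FreeIPA: a POSIX sh pre-flight script covering the two failure modes discussed above. The first is the zero-length /bin/keyctl that made ipa-client-install's `keyctl search` call blow up; the second is ssh'ing to an IP literal, which GSSAPI cannot map to a Kerberos realm ("Cannot determine realm for numeric host address"), plus the forward/reverse DNS round-trip that the host principal depends on. The realm EXAMPLE.COM, the host name and the /bin/keyctl path are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# ipa_preflight.sh: checks for the two problems from this thread.
# Added example; function names are the author's own, not FreeIPA's.

# Return 0 when $1 is a dotted-quad IPv4 literal, 1 otherwise.
# sshd's GSSAPI exchange needs a name that maps to a realm; an IP
# literal produces "Cannot determine realm for numeric host address".
is_ip_literal() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on '.'; a dotted quad has exactly four octets, each <= 255.
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the host principal sshd on $1 must hold in realm $2, or fail
# when $1 is an IP literal, since no principal can be derived from it.
host_principal() {
    if is_ip_literal "$1"; then
        printf 'refusing %s: Kerberos cannot determine a realm for a numeric host address\n' "$1" >&2
        return 1
    fi
    printf 'host/%s@%s\n' "$1" "$2"
}

# Return 0 when the keyctl binary at ${1:-/bin/keyctl} is executable and
# non-empty. In the thread /bin/keyctl existed but was zero bytes long,
# which is what the ipa-client-install traceback above ran into.
check_keyctl() {
    bin=${1:-/bin/keyctl}
    if [ ! -x "$bin" ]; then
        printf '%s: missing or not executable (install keyutils)\n' "$bin" >&2
        return 1
    fi
    if [ ! -s "$bin" ]; then
        printf '%s: zero-length file (reinstall keyutils)\n' "$bin" >&2
        return 1
    fi
    return 0
}

# Live check (needs a working resolver): forward-resolve $1, reverse-resolve
# the address, and confirm the name round-trips. Returns 1 on any mismatch.
dns_roundtrip() {
    fqdn=$1
    addr=$(getent hosts "$fqdn" | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        printf '%s: no address record; Kerberos will not work for this host\n' "$fqdn" >&2
        return 1
    fi
    ptr=$(getent hosts "$addr" | awk 'NR==1 {print $2}')
    if [ "$ptr" != "$fqdn" ]; then
        printf '%s -> %s -> %s: PTR does not round-trip\n' "$fqdn" "$addr" "${ptr:-<none>}" >&2
        return 1
    fi
    printf '%s -> %s -> %s: ok\n' "$fqdn" "$addr" "$ptr"
}

# Usage: sh ipa_preflight.sh <ssh-target> [REALM]   (REALM defaults to EXAMPLE.COM)
if [ -n "${1:-}" ]; then
    check_keyctl
    host_principal "$1" "${2:-EXAMPLE.COM}" && dns_roundtrip "$1"
fi
```

Run as `sh ipa_preflight.sh ldap-server-01.example.com EXAMPLE.COM` on the IPA server; an IP literal as the target is rejected before any lookup, and a missing or empty keyctl is reported with the same remedy the thread arrived at (reinstall keyutils). `dns_roundtrip` is the only part that touches the network.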