Hello,

this log is weird:

On 14.1.2016 03:02, Jeff Hallyburton wrote:
>> 2016-01-14T00:45:35Z DEBUG [IPA Discovery]
>> 2016-01-14T00:45:35Z DEBUG Starting IPA discovery with 
>> domain=west-2.production.example.com, servers=None, 
>> hostname=test.west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG Search for LDAP SRV record in 
>> west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG Search DNS for SRV record of 
>> _ldap._tcp.west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG DNS record found: 0 100 389 
>> ipa1.west-2.production.example.com.
>> 2016-01-14T00:45:35Z DEBUG DNS record found: 10 100 389 
>> ipa2.west-2.production.example.com.
>> 2016-01-14T00:45:35Z DEBUG [Kerberos realm search]
>> 2016-01-14T00:45:35Z DEBUG Search DNS for TXT record of 
>> _kerberos.west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG DNS record found: "EXAMPLE.COM"
>> 2016-01-14T00:45:35Z DEBUG Search DNS for SRV record of 
>> _kerberos._udp.west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG DNS record found: 10 100 88 
>> ipa2.west-2.production.example.com.
>> 2016-01-14T00:45:35Z DEBUG DNS record found: 0 100 88 
>> ipa1.west-2.production.example.com.
>> 2016-01-14T00:45:35Z DEBUG [LDAP server check]
>> 2016-01-14T00:45:35Z DEBUG Verifying that ipa1.west-2.production.example.com 
>> (realm EXAMPLE.COM) is an IPA server
>> 2016-01-14T00:45:35Z DEBUG Init LDAP connection to: 
>> ipa1.west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG Search LDAP server for IPA base DN
>> 2016-01-14T00:45:35Z DEBUG Check if naming context 'dc=example,dc=com' is 
>> for IPA
>> 2016-01-14T00:45:35Z DEBUG Naming context 'dc=example,dc=com' is a valid IPA 
>> context
>> 2016-01-14T00:45:35Z DEBUG Search for (objectClass=krbRealmContainer) in 
>> dc=example,dc=com (sub)
>> 2016-01-14T00:45:35Z DEBUG Found: 
>> cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>> 2016-01-14T00:45:35Z DEBUG Discovery result: Success; 
>> server=ipa1.west-2.production.example.com, 
>> domain=west-2.production.example.com, 
>> kdc=ipa2.west-2.production.example.com,ipa1.west-2.production.example.com, 
>> basedn=dc=example,dc=com
>> 2016-01-14T00:45:35Z DEBUG Validated servers: 
>> ipa1.west-2.production.example.com
>> 2016-01-14T00:45:35Z DEBUG will use discovered domain: 
>> west-2.production.example.com

It looks like your IPA domain & realm are "example.com" and "EXAMPLE.COM", is
that correct?

Looking further ...

> 2016-01-14T00:45:39Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
> 2016-01-14T00:45:39Z DEBUG #File modified by ipa-client-install
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> 
> [realms]
>   EXAMPLE.COM = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
> 
>   }
> 
> 
> [domain_realm]
>   .west-2.production.example.com = EXAMPLE.COM
>   west-2.production.example.com = EXAMPLE.COM

Hmm, this is going to be a wild guess, but let's try it:
Do you have DNS SRV records in domain west-2.production.example.com but not in
DNS domain example.com?

That would probably cause this kind of problem.

Generally it is necessary to put _kerberos TXT + SRV records into the
(primary) DNS domain specified during IPA installation. Then use the --domain
option during ipa-client-install.

--server is generally discouraged as it disables DNS SRV lookup and makes
failover hard or impossible.

--domain is just a hint for the installer where to start looking for DNS SRV
records and allows full automatic failover.


The autodiscovery is quite messy and needs to be improved in next versions.
https://fedorahosted.org/freeipa/ticket/5270 should avoid the need to specify
--domain when Kerberos TXT record is in DNS ... Stay tuned :-)

-- 
Petr^2 Spacek
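To make the discovery behaviour in the log above concrete, here is an added, offline model of the DNS steps it shows: SRV lookup for _ldap._tcp and _kerberos._udp, realm from the _kerberos TXT record, and the resulting [domain_realm] mapping. This is illustration code written for this page, not ipa-client-install's own code. The two zones are constructed from the names in the log; the walk from the host's own domain up towards the root when --domain is absent, RFC 2782 priority/weight ordering of SRV targets, and the upper-cased-domain fallback for the realm are assumptions of the model. Zone (a) is the situation Petr guesses at (records only under west-2.production.example.com); zone (b) adds the same records to the primary domain example.com.

```python
"""Offline model of IPA client DNS discovery (added example, not project code)."""
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

HOST = "test.west-2.production.example.com"
SUB = "west-2.production.example.com"

# Constructed zone (a): SRV/TXT records only under the sub-domain, nothing
# under example.com. Record contents follow the log lines above.
ZONE_SUBDOMAIN_ONLY = {
    f"_ldap._tcp.{SUB}": [SRV(0, 100, 389, f"ipa1.{SUB}."),
                          SRV(10, 100, 389, f"ipa2.{SUB}.")],
    f"_kerberos._udp.{SUB}": [SRV(10, 100, 88, f"ipa2.{SUB}."),
                              SRV(0, 100, 88, f"ipa1.{SUB}.")],
    f"_kerberos.{SUB}": ["EXAMPLE.COM"],
}

# Constructed zone (b): the same records also published in the primary IPA
# domain example.com, as the reply recommends.
ZONE_PRIMARY = dict(ZONE_SUBDOMAIN_ONLY)
ZONE_PRIMARY.update({
    "_ldap._tcp.example.com": [SRV(0, 100, 389, f"ipa1.{SUB}."),
                               SRV(10, 100, 389, f"ipa2.{SUB}.")],
    "_kerberos._udp.example.com": [SRV(0, 100, 88, f"ipa1.{SUB}."),
                                   SRV(10, 100, 88, f"ipa2.{SUB}.")],
    "_kerberos.example.com": ["EXAMPLE.COM"],
})


def srv_lookup(zone, name):
    """SRV records for `name` in failover order: lowest priority first,
    higher weight first within a priority (RFC 2782, without the random
    weighted selection)."""
    return sorted(zone.get(name, []), key=lambda r: (r.priority, -r.weight))


def candidate_domains(hostname, domain=None):
    """--domain fixes the starting point; otherwise walk up from the host's
    own domain towards the root, stopping before the TLD (assumed behaviour,
    modelled on the 'Search for LDAP SRV record in ...' step in the log)."""
    if domain:
        return [domain]
    labels = hostname.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def discover(zone, hostname, domain=None, servers=None):
    """Return {domain, realm, servers, kdcs, domain_realm}, or None when no
    LDAP SRV record is found. servers= models --server: the typed hosts are
    used as-is and no SRV lookup runs, so there is nothing to fail over to."""
    if servers:
        found_domain = domain or hostname.split(".", 1)[1]
        ldap_targets = list(servers)
        kdcs = list(servers)
    else:
        found_domain, ldap_targets = None, []
        for cand in candidate_domains(hostname, domain):
            recs = srv_lookup(zone, f"_ldap._tcp.{cand}")
            if recs:
                found_domain = cand
                ldap_targets = [r.target for r in recs]
                break
        if not ldap_targets:
            return None
        kdc_recs = srv_lookup(zone, f"_kerberos._udp.{found_domain}")
        kdcs = [r.target for r in kdc_recs] or ldap_targets
    txt = zone.get(f"_kerberos.{found_domain}")
    # Realm from the _kerberos TXT record; upper-cased domain as a fallback
    # (the fallback is an assumption of this model, not documented behaviour).
    realm = txt[0] if txt else found_domain.upper()
    return {
        "domain": found_domain,
        "realm": realm,
        "servers": ldap_targets,
        "kdcs": kdcs,
        # Mirrors the two [domain_realm] lines written to krb5.conf in the log.
        "domain_realm": {f".{found_domain}": realm, found_domain: realm},
    }


def krb5_domain_realm(result):
    """Render the [domain_realm] section in the krb5.conf style of the log."""
    lines = ["[domain_realm]"]
    lines += [f"  {name} = {realm}" for name, realm in result["domain_realm"].items()]
    return "\n".join(lines)


def covers(result, hostname):
    """True if the written [domain_realm] maps `hostname` to the realm
    (a leading-dot entry covers every host below that domain)."""
    return any(hostname.endswith(n) if n.startswith(".") else hostname == n
               for n in result["domain_realm"])


if __name__ == "__main__":
    for label, zone in (("(a) sub-domain only", ZONE_SUBDOMAIN_ONLY),
                        ("(b) primary domain too", ZONE_PRIMARY)):
        for host in (HOST, "db.east-1.production.example.com"):
            print(label, host, "->", discover(zone, host))
```

Running it shows the practical difference: with zone (a) a host outside west-2 (or any host given --domain example.com) finds no SRV record at all, and the [domain_realm] written for test.west-2... covers only that one sub-domain; with zone (b) discovery lands on example.com and the resulting `.example.com = EXAMPLE.COM` line covers every host under it. The --server path returns exactly the typed host list, which is the "no failover" point made above.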

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project