On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> Hi,
>
> While running the ipa-client-install script on a RHEL 6.4 server, I get the
> following output (please note the indicated line with the arrow):
>
> [root@[hostname]]# ipa-client-install
> Discovery was successful!
> Hostname: [hostname]
> Realm: example.com
> DNS Domain: example.com
> IPA Server: chtvm-389.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Password for admin example com:
>
> Enrolled in IPA realm example.com
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm example.com
> SSSD enabled
> Kerberos 5 enabled
> --->Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
>
> Also, please note that I’ve obfuscated the hostname, domain, and realm for
> security reasons. I believe I’ve narrowed down the problem to certificate
> enrollment. When I check my IPA Server Web UI, I have a notice in my host
> details that says “no valid certificate present.” I then checked my client
> host by running:
>
> [root@hostname user]# ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20130717205230':
>         status: CA_UNCONFIGURED
>         ca-error: Error setting up ccache for local "host" service using default keytab: Resource temporarily unavailable.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> I’m concerned about that “stuck” field, I have no idea what that means.
>
> I have other RHEL 6.4 clients that have been able to join my IPA domain with
> no issue at all, but this one client baffles me. Any thoughts??
>
> ----------------------------------------------------------------------
> Matthew Shapiro
> Systems Administrator
>
> Trofholz Technologies, Inc.
> Defense Personnel and Security Research Center (PERSEREC)
> Defense Manpower Data Center (DMDC)
> Office: 831.583.2828
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

There seems to be something wrong with the host keytab:

...
> ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.

Can you check if the host principal in the keytab is correct?

# klist -kt /etc/krb5.keytab

Are you able to kinit with the host principal?

# kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]

Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') - is this still not working?

# getent passwd admin

Martin
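
A way to triage the ipa-getcert list output discussed in this thread, as an added example that is not part of either message: it reads the listing and reports each request marked "stuck: yes" together with the next check to run. The function names, the output format and the second sample request are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list certmonger requests that are stuck.

# Constructed sample: the first request uses the fields shown in the thread,
# the second (healthy) request is invented for contrast.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130717205230':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for local "host" service using default keytab: Resource temporarily unavailable.
    stuck: yes
    CA: IPA
    track: yes
    auto-renew: yes
Request ID '20130101000000':
    status: MONITORING
    stuck: no
    CA: IPA
    track: yes
    auto-renew: yes
EOF
}

# Reads `ipa-getcert list` output on stdin and prints one line per stuck
# request as "<request id>|<status>|<next check>".
triage_getcert() {
  awk '
    function emit() {
      if (id == "" || stuck != "yes") return
      hint = "read the ca-error text"
      # A ca-error naming the keytab points at the host credentials,
      # which is the check suggested in the reply above.
      if (err ~ /keytab/) hint = "klist -kt /etc/krb5.keytab"
      printf "%s|%s|%s\n", id, status, hint
    }
    /^Request ID/      { emit(); id = $3; gsub(/[^0-9]/, "", id)
                         status = ""; stuck = ""; err = ""; next }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*stuck:/    { stuck = $2 }
    /^[ \t]*ca-error:/ { err = $0 }
    END                { emit() }
  '
}

# Offline demo on the constructed sample; on a client, run:
#   ipa-getcert list | triage_getcert
sample_getcert_output | triage_getcert
```

An empty result means no tracked request is stuck; the kinit and getent checks from the reply still have to be run by hand on the client.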