Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.

Thanks for the help, everyone!

thx
anthony

On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden wrote:

> Anthony Lanni wrote:
> > I'm referring to the host certificate; I was looking at the web UI,
> > under Identity->Hosts in the server details page. The Host Certificate
> > section says 'No Valid Certificate'.
> > The server has a /etc/krb5.keytab file, and on the same page the
> > Enrollment section says 'Kerberos Key Present, Host Provisioned'.
>
> No, masters never got this certificate issued. It was intended to be an
> alternate way to authenticate a host to IPA. The host certificate is not
> used by IPA currently, and in 4.1 one isn't issued for clients by
> default any more.
>
> rob
>
> >
> > thx
> > anthony
> >
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek wrote:
> >
> > On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> > > kinit USER works perfectly; but I can't ssh into the client
> machine from
> > > the server without it requesting a password.
> > >
> > > I think this is a DNS issue, actually. The server isn't resolving
> the name
> > > of the client, so I'm ssh'ing with the IP address, and that's not
> going to
> > > work since it's not in the Kerberos db ("Cannot determine realm
> for numeric
> > > host address").
> >
> > So it looks like you have found your problem - Kerberos tends to
> > break if DNS
> > is not set properly.
> >
> > > Except, of course, that the server did not get its own valid
> Kerberos host
> > > certificate. It should, right? during the ipa-client-install
> --on-master
> > > step of the server install?
> >
> > Are you asking about host certificate or a Kerberos keytab
> > (/etc/krb5.keytab)?
> > They are 2 distinct things.
> >
> > > In fact, the global DNS config is completely empty. But I'm going
> to have
> > > to tear down the server and rebuild because it's on the same
> domain as an
> > > AD server, and ipa-client-install finds that server rather than
> the new IPA
> > > server by default: that won't work because I want LDAP to
> dynamically
> > > update the records, and establish a trust with the AD server.
> > > Also we've got 2 linux DNS root servers that act as forwarders. I
> pointed
> > > the IPA server at them, but I don't know enough about FreeIPA or
> DNS/Bind
> > > to configure IPA to use them properly. SO I'm sure that's where
> most of my
> > > problems lie.
> > >
> > > I've got to RTFM a bit more before I really start asking the right
> > > questions, I think. At that point I'll start a new thread.
> >
> > Ok :-)
> >
> > Martin
> >
> > >
> > >
> > >
> > > thx
> > > anthony
> > >
> > > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek wrote:
> > >
> > >> I am not sure what you mean. So are you saying that "kinit USER"
> > done on
> > >> server
> > >> fails? With what error?
> > >>
> > >> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> > >>> great, thanks.
> > >>>
> > >>> On a related note: the server still doesn't get a (client)
> kerberos
> > >> ticket,
> > >>> which means I can't kinit as a user and then log into a client
> > machine
> > >>> without a password. Going the other way works fine, however.
> > >>>
> > >>> thx
> > >>> anthony

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote:
> I'm referring to the host certificate; I was looking at the web UI,
> under Identity->Hosts in the server details page. The Host Certificate
> section says 'No Valid Certificate'.
> The server has a /etc/krb5.keytab file, and on the same page the
> Enrollment section says 'Kerberos Key Present, Host Provisioned'.

No, masters never got this certificate issued. It was intended to be an
alternate way to authenticate a host to IPA. The host certificate is not
used by IPA currently, and in 4.1 one isn't issued for clients by
default any more.

rob

> 
> thx
> anthony
> 
> thx
> anthony
> 
> On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek wrote:
> 
> On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> > kinit USER works perfectly; but I can't ssh into the client machine from
> > the server without it requesting a password.
> >
> > I think this is a DNS issue, actually. The server isn't resolving the 
> name
> > of the client, so I'm ssh'ing with the IP address, and that's not going 
> to
> > work since it's not in the Kerberos db ("Cannot determine realm for 
> numeric
> > host address").
> 
> So it looks like you have found your problem - Kerberos tends to
> break if DNS
> is not set properly.
> 
> > Except, of course, that the server did not get its own valid Kerberos 
> host
> > certificate. It should, right? during the ipa-client-install --on-master
> > step of the server install?
> 
> Are you asking about host certificate or a Kerberos keytab
> (/etc/krb5.keytab)?
> They are 2 distinct things.
> 
> > In fact, the global DNS config is completely empty. But I'm going to 
> have
> > to tear down the server and rebuild because it's on the same domain as 
> an
> > AD server, and ipa-client-install finds that server rather than the new 
> IPA
> > server by default: that won't work because I want LDAP to dynamically
> > update the records, and establish a trust with the AD server.
> > Also we've got 2 linux DNS root servers that act as forwarders. I 
> pointed
> > the IPA server at them, but I don't know enough about FreeIPA or 
> DNS/Bind
> > to configure IPA to use them properly. SO I'm sure that's where most of 
> my
> > problems lie.
> >
> > I've got to RTFM a bit more before I really start asking the right
> > questions, I think. At that point I'll start a new thread.
> 
> Ok :-)
> 
> Martin
> 
> >
> >
> >
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek wrote:
> >
> >> I am not sure what you mean. So are you saying that "kinit USER"
> done on
> >> server
> >> fails? With what error?
> >>
> >> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> >>> great, thanks.
> >>>
> >>> On a related note: the server still doesn't get a (client) kerberos
> >> ticket,
> >>> which means I can't kinit as a user and then log into a client
> machine
> >>> without a password. Going the other way works fine, however.
> >>>
> >>> thx
> >>> anthony

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI, under
Identity->Hosts in the server details page. The Host Certificate section
says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the Enrollment
section says 'Kerberos Key Present, Host Provisioned'.

thx
anthony

thx
anthony

On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek wrote:

> On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> > kinit USER works perfectly; but I can't ssh into the client machine from
> > the server without it requesting a password.
> >
> > I think this is a DNS issue, actually. The server isn't resolving the
> name
> > of the client, so I'm ssh'ing with the IP address, and that's not going
> to
> > work since it's not in the Kerberos db ("Cannot determine realm for
> numeric
> > host address").
>
> So it looks like you have found your problem - Kerberos tends to break if
> DNS
> is not set properly.
>
> > Except, of course, that the server did not get its own valid Kerberos
> host
> > certificate. It should, right? during the ipa-client-install --on-master
> > step of the server install?
>
> Are you asking about host certificate or a Kerberos keytab
> (/etc/krb5.keytab)?
> They are 2 distinct things.
>
> > In fact, the global DNS config is completely empty. But I'm going to have
> > to tear down the server and rebuild because it's on the same domain as an
> > AD server, and ipa-client-install finds that server rather than the new
> IPA
> > server by default: that won't work because I want LDAP to dynamically
> > update the records, and establish a trust with the AD server.
> > Also we've got 2 linux DNS root servers that act as forwarders. I pointed
> > the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
> > to configure IPA to use them properly. SO I'm sure that's where most of
> my
> > problems lie.
> >
> > I've got to RTFM a bit more before I really start asking the right
> > questions, I think. At that point I'll start a new thread.
>
> Ok :-)
>
> Martin
>
> >
> >
> >
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek wrote:
> >
> >> I am not sure what you mean. So are you saying that "kinit USER" done on
> >> server
> >> fails? With what error?
> >>
> >> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> >>> great, thanks.
> >>>
> >>> On a related note: the server still doesn't get a (client) kerberos
> >> ticket,
> >>> which means I can't kinit as a user and then log into a client machine
> >>> without a password. Going the other way works fine, however.
> >>>
> >>> thx
> >>> anthony

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
On 03/26/2015 05:52 PM, Anthony Lanni wrote:
> kinit USER works perfectly; but I can't ssh into the client machine from
> the server without it requesting a password.
> 
> I think this is a DNS issue, actually. The server isn't resolving the name
> of the client, so I'm ssh'ing with the IP address, and that's not going to
> work since it's not in the Kerberos db ("Cannot determine realm for numeric
> host address").

So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.

> Except, of course, that the server did not get its own valid Kerberos host
> certificate. It should, right? during the ipa-client-install --on-master
> step of the server install?

Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.

> In fact, the global DNS config is completely empty. But I'm going to have
> to tear down the server and rebuild because it's on the same domain as an
> AD server, and ipa-client-install finds that server rather than the new IPA
> server by default: that won't work because I want LDAP to dynamically
> update the records, and establish a trust with the AD server.
> Also we've got 2 linux DNS root servers that act as forwarders. I pointed
> the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
> to configure IPA to use them properly. SO I'm sure that's where most of my
> problems lie.
> 
> I've got to RTFM a bit more before I really start asking the right
> questions, I think. At that point I'll start a new thread.

Ok :-)

Martin

> 
> 
> 
> thx
> anthony
> 
> On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek wrote:
> 
>> I am not sure what you mean. So are you saying that "kinit USER" done on
>> server
>> fails? With what error?
>>
>> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
>>> great, thanks.
>>>
>>> On a related note: the server still doesn't get a (client) kerberos
>> ticket,
>>> which means I can't kinit as a user and then log into a client machine
>>> without a password. Going the other way works fine, however.
>>>
>>> thx
>>> anthony
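
The DNS point made in the reply above, as an added example that is not part of the original thread: a check of an ssh target before relying on Kerberos single sign-on, covering the numeric-address case that produced "Cannot determine realm for numeric host address". The function names and the `RESOLVER` hook are assumptions of this sketch, and the reverse-lookup verdicts only matter where `rdns` is enabled in krb5.conf.

```shell
#!/bin/sh
# Added example (not from the thread): check an ssh target before relying on
# Kerberos/GSSAPI single sign-on.
#
# RESOLVER is an assumption of this sketch: any command that prints
# "ADDRESS NAME [ALIAS...]" for a name or an address, as `getent hosts` does.
RESOLVER=${RESOLVER:-getent hosts}

# True when the argument is an IPv4/IPv6 literal rather than a host name.
is_numeric_host() {
    case $1 in
        '')         return 1 ;;
        *:*)        return 0 ;;   # IPv6 literal
        *[!0-9.]*)  return 1 ;;   # contains something other than digits and dots
        *)          return 0 ;;   # digits and dots only
    esac
}

# Lower-case a name and drop one trailing dot so comparisons are stable.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# check_krb_ssh_target HOST
# Prints a verdict and returns:
#   0  name resolves forward and back to itself
#   1  Kerberos cannot work (address literal, or name does not resolve)
#   2  forward lookup works but reverse DNS is missing or differs
check_krb_ssh_target() {
    target=$1
    if is_numeric_host "$target"; then
        # An address has no domain part to map to a realm and no
        # host/<fqdn> principal in the KDC.
        echo "numeric-address"
        return 1
    fi
    addr=$($RESOLVER "$target" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        echo "no-forward-record"
        return 1
    fi
    rname=$($RESOLVER "$addr" 2>/dev/null | awk 'NR==1 {print $2}')
    if [ -z "$rname" ]; then
        echo "no-reverse-record $addr"
        return 2
    fi
    if [ "$(normalize_name "$rname")" != "$(normalize_name "$target")" ]; then
        echo "reverse-mismatch $addr $rname"
        return 2
    fi
    echo "ok $addr"
    return 0
}

# Stand-alone use: sh check.sh client-01.example.com
if [ "$#" -gt 0 ]; then
    check_krb_ssh_target "$1"
fi
```
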

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.

I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db ("Cannot determine realm for numeric
host address").

Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? during the ipa-client-install --on-master
step of the server install?

In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. SO I'm sure that's where most of my
problems lie.

I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.



thx
anthony

On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek wrote:

> I am not sure what you mean. So are you saying that "kinit USER" done on
> server
> fails? With what error?
>
> On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> > great, thanks.
> >
> > On a related note: the server still doesn't get a (client) kerberos
> ticket,
> > which means I can't kinit as a user and then log into a client machine
> > without a password. Going the other way works fine, however.
> >
> > thx
> > anthony
> >
> > On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek wrote:
> >
> >> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
> >> the
> >> keyutils dependency fixed anyway :-)
> >>
> >> Martin
> >>
> >> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> >>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway
> I
> >>> reinstalled keyutils and then ran the ipa-server-install again, and
> this
> >>> time it completed without error.
> >>>
> >>> Thanks very much, Martin and Dmitri!
> >>>
> >>> thx
> >>> anthony

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
I am not sure what you mean. So are you saying that "kinit USER" done on server
fails? With what error?

On 03/26/2015 05:28 PM, Anthony Lanni wrote:
> great, thanks.
> 
> On a related note: the server still doesn't get a (client) kerberos ticket,
> which means I can't kinit as a user and then log into a client machine
> without a password. Going the other way works fine, however.
> 
> thx
> anthony
> 
> On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek wrote:
> 
>> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
>> the
>> keyutils dependency fixed anyway :-)
>>
>> Martin
>>
>> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
>>> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
>>> reinstalled keyutils and then ran the ipa-server-install again, and this
>>> time it completed without error.
>>>
>>> Thanks very much, Martin and Dmitri!
>>>
>>> thx
>>> anthony
>>>
>>> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek wrote:
>>>
>>>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>>>> While running ipa-server-install, it's failing out at the end with an error
>>>>>> regarding the client install on the server. This happens regardless of how I
>>>>>> input the options, but here's the latest command:
>>>>>>
>>>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
>>>>>> -n example.com -p passwd1 -a passwd2
>>>>>> --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
>>>>>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>>>
>>>>>> Runs through the entire setup and gives me this:
>>>>>>
>>>>>> [...]
>>>>>> ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
>>>>>> --unattended --domain example.com --server ldap-server-01.example.com
>>>>>> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>>>>>> ipa : DEBUG  stdout=
>>>>>>
>>>>>> ipa : DEBUG  stderr=Hostname: ldap-server-01.example.com
>>>>>> Realm: EXAMPLE.COM
>>>>>> DNS Domain: example.com
>>>>>> IPA Server: ldap-server-01.example.com
>>>>>> BaseDN: dc=example,dc=com
>>>>>> New SSSD config will be created
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> Traceback (most recent call last):
>>>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>>>     sys.exit(main())
>>>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>>>     delete_persistent_client_session_data(host_principal)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>>>>>     kernel_keyring.del_key(keyname)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>>>>>     real_key = get_real_key(key)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>>>>>
>>>>> Is keyctl installed? Can you run it manually?
>>>>> Any SELinux denials?
>>>>
>>>> You are likely hitting
>>>> https://fedorahosted.org/freeipa/ticket/3808
>>>>
>>>> Please try installing keyutils before running ipa-server-install. It is fixed
>>>> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>>>
>>>> Martin
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
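
The keyctl failure quoted in this thread (keyutils installed, but /bin/keyctl 0 bytes long), as an added example that is not part of the original messages: a pre-flight check for a helper binary an installer shells out to. The function names are hypothetical, and the package step assumes an RPM-based host like the RHEL 6 system discussed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a helper binary
# that an installer shells out to, such as keyctl.

# check_helper_file PATH
# Prints a verdict and returns 0 only when PATH is a non-empty, executable
# regular file. A 0-length file with the execute bit set still passes
# `[ -x ]` and `command -v`, so the size is tested explicitly.
check_helper_file() {
    f=$1
    if [ ! -e "$f" ]; then echo "missing"; return 1; fi
    if [ ! -f "$f" ]; then echo "not-regular-file"; return 1; fi
    if [ ! -s "$f" ]; then echo "empty"; return 1; fi
    if [ ! -x "$f" ]; then echo "not-executable"; return 1; fi
    echo "ok"
}

# check_helper NAME
# Resolves NAME through PATH, as a subprocess call without an absolute path
# would, then checks the file that was found.
check_helper() {
    name=$1
    helper_path=$(command -v "$name" 2>/dev/null) || {
        echo "$name: not-in-path"
        return 1
    }
    case $helper_path in
        /*) ;;
        *)  echo "$name: not-a-file ($helper_path)"; return 1 ;;
    esac
    verdict=$(check_helper_file "$helper_path") || {
        echo "$name: $verdict ($helper_path)"
        return 1
    }
    echo "$name: ok ($helper_path)"
}

# verify_owning_package PATH
# RPM hosts only. The package database can report a package as installed
# while a file it owns is damaged; `rpm -V` compares files on disk with the
# recorded size, digest and mode. It also flags edited config files, so a
# "modified" verdict needs a look at the full `rpm -V` output.
verify_owning_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; return 2; }
    pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) || {
        echo "unowned"
        return 1
    }
    if rpm -V "$pkg" >/dev/null 2>&1; then
        echo "verified $pkg"
    else
        echo "modified $pkg"
        return 1
    fi
}

# Stand-alone use: sh preflight.sh keyctl
if [ "$#" -gt 0 ]; then
    check_helper "$1"
fi
```
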


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
great, thanks.

On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.

thx
anthony

On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek wrote:

> Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have
> the
> keyutils dependency fixed anyway :-)
>
> Martin
>
> On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> > keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> > reinstalled keyutils and then ran the ipa-server-install again, and this
> > time it completed without error.
> >
> > Thanks very much, Martin and Dmitri!
> >
> > thx
> > anthony

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
keyutils dependency fixed anyway :-)

Martin

On 03/25/2015 06:59 PM, Anthony Lanni wrote:
> keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
> reinstalled keyutils and then ran the ipa-server-install again, and this
> time it completed without error.
> 
> Thanks very much, Martin and Dmitri!
> 
> thx
> anthony
> 
> On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek  wrote:
> 
>> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
>>> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>>>> While running ipa-server-install, it's failing out at the end with an error
>>>> regarding the client install on the server. This happens regardless of how I
>>>> input the options, but here's the latest command:
>>>>
>>>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
>>>> example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
>>>> --forwarder=10.0.1.20 --forwarder=10.0.1.21
>>>> --reverse-zone=1.0.10.in-addr.arpa. -d
>>>>
>>>> Runs through the entire setup and gives me this:
>>>>
>>>> [...]
>>>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>> --unattended --domain example.com --server ldap-server-01.example.com
>>>> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>>>> ipa : DEBUG stdout=
>>>>
>>>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
>>>> Realm: EXAMPLE.COM
>>>> DNS Domain: example.com
>>>> IPA Server: ldap-server-01.example.com
>>>> BaseDN: dc=example,dc=com
>>>> New SSSD config will be created
>>>> Configured /etc/sssd/sssd.conf
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>>>     sys.exit(main())
>>>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>>>     rval = install(options, env, fstore, statestore)
>>>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>>>     delete_persistent_client_session_data(host_principal)
>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>>>     kernel_keyring.del_key(keyname)
>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>>>     real_key = get_real_key(key)
>>>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
>>>
>>> Is keyctl installed? Can you run it manually?
>>> Any SELinux denials?
>>
>> You are likely hitting
>> https://fedorahosted.org/freeipa/ticket/3808
>>
>> Please try installing keyutils before running ipa-server-install. It is fixed
>> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>>
>> Martin
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
> 



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Anthony Lanni
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the ipa-server-install again, and this
time it completed without error.

Thanks very much, Martin and Dmitri!

thx
anthony

On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek  wrote:

> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> > On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> >> While running ipa-server-install, it's failing out at the end with an error
> >> regarding the client install on the server. This happens regardless of how I
> >> input the options, but here's the latest command:
> >>
> >> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
> >> example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
> >> --forwarder=10.0.1.20 --forwarder=10.0.1.21
> >> --reverse-zone=1.0.10.in-addr.arpa. -d
> >>
> >> Runs through the entire setup and gives me this:
> >>
> >> [...]
> >> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
> >> --unattended --domain example.com --server ldap-server-01.example.com
> >> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
> >> ipa : DEBUG stdout=
> >>
> >> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
> >> Realm: EXAMPLE.COM
> >> DNS Domain: example.com
> >> IPA Server: ldap-server-01.example.com
> >> BaseDN: dc=example,dc=com
> >> New SSSD config will be created
> >> Configured /etc/sssd/sssd.conf
> >> Traceback (most recent call last):
> >>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
> >>     sys.exit(main())
> >>   File "/usr/sbin/ipa-client-install", line 2363, in main
> >>     rval = install(options, env, fstore, statestore)
> >>   File "/usr/sbin/ipa-client-install", line 2135, in install
> >>     delete_persistent_client_session_data(host_principal)
> >>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
> >>     kernel_keyring.del_key(keyname)
> >>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
> >>     real_key = get_real_key(key)
> >>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
> >>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
> >
> > Is keyctl installed? Can you run it manually?
> > Any SELinux denials?
>
> You are likely hitting
> https://fedorahosted.org/freeipa/ticket/3808
>
> Please try installing keyutils before running ipa-server-install. It is fixed
> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>
> Martin
>

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Martin Kosek
On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>> While running ipa-server-install, it's failing out at the end with an error
>> regarding the client install on the server. This happens regardless of how I
>> input the options, but here's the latest command:
>>
>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
>> example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
>> --forwarder=10.0.1.20 --forwarder=10.0.1.21
>> --reverse-zone=1.0.10.in-addr.arpa. -d
>>
>> Runs through the entire setup and gives me this:
>>
>> [...]
>> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
>> --unattended --domain example.com --server ldap-server-01.example.com
>> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
>> ipa : DEBUG stdout=
>>
>> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: ldap-server-01.example.com
>> BaseDN: dc=example,dc=com
>> New SSSD config will be created
>> Configured /etc/sssd/sssd.conf
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>>     rval = install(options, env, fstore, statestore)
>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>>     delete_persistent_client_session_data(host_principal)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>>     kernel_keyring.del_key(keyname)
>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>>     real_key = get_real_key(key)
>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
> 
> Is keyctl installed? Can you run it manually?
> Any SELinux denials?

You are likely hitting
https://fedorahosted.org/freeipa/ticket/3808

Please try installing keyutils before running ipa-server-install. It is fixed
in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
https://bugzilla.redhat.com/show_bug.cgi?id=1205660

Martin



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Dmitri Pal

On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> While running ipa-server-install, it's failing out at the end with an
> error regarding the client install on the server. This happens
> regardless of how I input the options, but here's the latest command:
>
> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
> example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
> --forwarder=10.0.1.20 --forwarder=10.0.1.21
> --reverse-zone=1.0.10.in-addr.arpa. -d
>
> Runs through the entire setup and gives me this:
>
> [...]
> ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
> --unattended --domain example.com --server ldap-server-01.example.com
> --realm EXAMPLE.COM --hostname ldap-server-01.example.com
> ipa : DEBUG stdout=
>
> ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ldap-server-01.example.com
> BaseDN: dc=example,dc=com
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 2377, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 2363, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2135, in install
>     delete_persistent_client_session_data(host_principal)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
>     kernel_keyring.del_key(keyname)
>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
>     real_key = get_real_key(key)
>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
>     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)

Is keyctl installed? Can you run it manually?
Any SELinux denials?

>   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
>     close_fds=True, env=env, cwd=cwd)
>   File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
>     errread, errwrite)
>   File "/usr/lib64/python2.6/subprocess.py", line 1234, in _execute_child
>     raise child_exception
> OSError: [Errno 8] Exec format error
>
> ipa : INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1103, in main
>     sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
>
> ipa : INFO The ipa-server-install command failed, exception:
> SystemExit: Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> --on-master --unattended --domain example.com --server
> ldap-server-01.example.com --realm EXAMPLE.COM --hostname
> ldap-server-01.advdc.com' returned non-zero exit status 1
>
> Same details (without the debug messages, of course) in
> /var/log/ipaserver-install.log. From ipaclient-install.log:
>
> [...]
> 2015-03-24T23:15:26Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
> 2015-03-24T23:15:26Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
> 2015-03-24T23:15:26Z INFO New SSSD config will be created
> 2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
> 2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> 2015-03-24T23:15:26Z DEBUG stdout=
> 2015-03-24T23:15:26Z DEBUG stderr=
> 2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/ldap-server-01.example@example.com
> 2015-03-24T23:15:26Z DEBUG stdout=
> 2015-03-24T23:15:26Z DEBUG stderr=
>
> I'm running on CENTOS 6.5, freeipa 3.0.0.37
>
> #> ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> I noticed that there's no host certificate for the server when I look
> at the host details in the web interface.
>
> thx
> anthony

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Anthony Lanni
While running ipa-server-install, it's failing out at the end with an error
regarding the client install on the server. This happens regardless of how
I input the options, but here's the latest command:

ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
--forwarder=10.0.1.20 --forwarder=10.0.1.21
--reverse-zone=1.0.10.in-addr.arpa. -d

Runs through the entire setup and gives me this:

[...]
ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master
--unattended --domain example.com --server ldap-server-01.example.com
--realm EXAMPLE.COM --hostname ldap-server-01.example.com
ipa : DEBUG stdout=

ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ldap-server-01.example.com
BaseDN: dc=example,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2135, in install
    delete_persistent_client_session_data(host_principal)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
    kernel_keyring.del_key(keyname)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
    real_key = get_real_key(key)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
    (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1234, in _execute_child
    raise child_exception
OSError: [Errno 8] Exec format error

ipa : INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

ipa : INFO The ipa-server-install command failed, exception:
SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unattended --domain example.com --server
ldap-server-01.example.com --realm EXAMPLE.COM --hostname
ldap-server-01.advdc.com' returned non-zero exit status 1


Same details (without the debug messages, of course) in
/var/log/ipaserver-install.log. From ipaclient-install.log:
[...]
2015-03-24T23:15:26Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2015-03-24T23:15:26Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2015-03-24T23:15:26Z INFO New SSSD config will be created
2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=
2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/ldap-server-01.example@example.com
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=

I'm running on CENTOS 6.5, freeipa 3.0.0.37

#> ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

I noticed that there's no host certificate for the server when I look at
the host details in the web interface.

thx
anthony
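
The traceback in this thread ends in OSError: [Errno 8] Exec format error, and the follow-up traced it to a zero-length /bin/keyctl. The Python sketch below is an added example, not code from FreeIPA or from the posters: it reproduces that errno with a constructed empty executable and shows a pre-install check that would have flagged it. The helper names classify_executable, exec_errno and make_empty_executable are hypothetical.

```python
import errno
import os
import stat
import subprocess
import tempfile


def classify_executable(path):
    """Return 'ok' or the reason a direct exec of `path` cannot work."""
    try:
        st = os.stat(path)
    except OSError:
        return "missing"
    if not stat.S_ISREG(st.st_mode):
        return "not-a-regular-file"
    if st.st_size == 0:
        return "zero-length"  # the state /bin/keyctl was found in
    if not os.access(path, os.X_OK):
        return "not-executable"
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head != b"\x7fELF" and not head.startswith(b"#!"):
        return "unknown-format"
    return "ok"


def exec_errno(path):
    """Exec `path` without a shell, as subprocess does; return errno or 0."""
    try:
        subprocess.call([path], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError as exc:
        return exc.errno
    return 0


def make_empty_executable(directory):
    """Constructed stand-in for the truncated binary: mode 0755, 0 bytes."""
    path = os.path.join(directory, "keyctl")
    open(path, "wb").close()
    os.chmod(path, 0o755)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        fake = make_empty_executable(tmp)
        print(classify_executable(fake), errno.errorcode[exec_errno(fake)])
    print("/bin/keyctl:", classify_executable("/bin/keyctl"))
```

Typed at an interactive shell, the same empty file exits 0, because the shell falls back to interpreting it as a script when exec returns ENOEXEC, so running keyctl by hand may not expose the problem. On an RPM-based system, rpm -V keyutils reports the size and digest mismatch directly.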