Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread Rob Crittenden

tomasz.napier...@allegro.pl wrote:

> Hi,
>
> We are (again) evaluating FreeIPA 2.x and I ran into trouble installing the
> client on the IPA server. It happened before on another server, but I thought
> it might be due to the fact that FreeIPA was installed and uninstalled there
> several times. This time it's a fresh install.
> [root@ipa20-test ~]# rpm -qa |grep freeipa
> freeipa-client-2.1.3-2.fc15.x86_64
> freeipa-admintools-2.1.3-2.fc15.x86_64
> freeipa-server-selinux-2.1.3-2.fc15.x86_64
> freeipa-python-2.1.3-2.fc15.x86_64
> freeipa-server-2.1.3-2.fc15.x86_64
>
> Last lines from output:
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.iQ1QBH.db
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master 
> --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname 
> ipa20-test.dc2' returned non-zero exit status 1
>
> Launching it again:
> [root@ipa20-test ~]# /usr/sbin/ipa-client-install --on-master --unattended 
> --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2
> Failed to verify that ipa20-test.dc2 is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> ipaclient-install.log:
> 2011-11-04 14:11:18,799 DEBUG Init ldap with: ldap://ipa20-test.dc2:389
> 2011-11-04 14:11:18,812 DEBUG Search LDAP server for IPA base DN
> 2011-11-04 14:11:18,814 DEBUG Check if naming context 'dc=gatech' is for IPA
> 2011-11-04 14:11:18,815 DEBUG Naming context 'dc=gatech' is a valid IPA context
> 2011-11-04 14:11:18,815 DEBUG Search for (objectClass=krbRealmContainer) in 
> dc=gatech(sub)
> 2011-11-04 14:11:18,816 DEBUG Found: [('cn=GATECH,cn=kerberos,dc=gatech', 
> {'krbSubTrees': ['dc=gatech'], 'cn': ['GATECH'], 'krbDefaultEncSaltTypes': 
> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 
> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 
> 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': 
> ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 
> 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 
> 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 
> 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 
> 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': 
> ['604800']})]
> 2011-11-04 14:11:18,817 DEBUG will use domain: dc2
>
> 2011-11-04 14:11:18,817 DEBUG will use server: ipa20-test.dc2
>
> Anyone have a clue what might be the reason?
>
> Regards,


Can you provide more context from the client install log (or the whole log)?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread tomasz.napier...@allegro.pl

On 4 Nov 2011, at 14:52, Rob Crittenden wrote:

> Can you provide more context from the client install log (or the whole log)?


Sure:
http://pastie.org/2810505

One more thing: in that domain (.dc2) there is already a working IPA 1.x, and we 
have DNS entries pointing to that installation. It might be a KDC autodiscovery 
issue, but how can I disable autodiscovery?

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer,
IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, 
ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District 
Court Poznań - Nowe Miasto i Wilda, 8th Commercial Division of the National Court 
Register, under KRS number 268796, with share capital of PLN 33 474 500, 
tax identification number NIP: 5272525995.




Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 16:43 +0100, tomasz.napier...@allegro.pl wrote:
> On 4 Nov 2011, at 14:52, Rob Crittenden wrote:
>
>> Can you provide more context from the client install log (or the whole log)?
>
> Sure:
> http://pastie.org/2810505
>
> One more thing: in that domain (.dc2) there is already a working IPA 1.x, and we 
> have DNS entries pointing to that installation. It might be a KDC autodiscovery 
> issue, but how can I disable autodiscovery?


Not necessarily related to your problem, but in general I would strongly
suggest all freeipa users to:

a) use domain names that are longer than a single component
   (for example in your case 'ipa.dc2' instead of just 'dc2')

b) let the kerberos realm exactly match the domain name.
   (In your case let it be 'IPA.DC2')

We do not enforce these rules but not following them can cause you
additional headaches in some cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
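
Added example (not part of the thread and not FreeIPA code): a small Python pre-install check that applies the two naming suggestions above to a domain/realm pair and lists SRV targets in the domain that are not the server being installed, the situation described earlier in the thread with the existing IPA 1.x DNS entries. The SRV record names are the usual LDAP/Kerberos discovery names; they, the host `oldipa.dc2` and the sample answers are assumptions made for illustration.

```python
# Added example, not FreeIPA code. Hostname "oldipa.dc2" and the SRV answers
# are constructed sample data standing in for `dig +short SRV <name>` output.

def check_naming(domain, realm):
    """Return warnings for a DNS domain / Kerberos realm pair."""
    domain = domain.strip(".")
    warnings = []
    if len([label for label in domain.split(".") if label]) < 2:
        warnings.append("domain %r has only one component" % domain)
    if realm != domain.upper():
        warnings.append("realm %r does not match domain; expected %r"
                        % (realm, domain.upper()))
    return warnings

def parse_srv(answer):
    """Parse 'priority weight port target' lines into (port, host) tuples."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) == 4 and all(f.isdigit() for f in fields[:3]):
            records.append((int(fields[2]), fields[3].rstrip(".").lower()))
    return records

def foreign_targets(srv_answers, expected_server):
    """Map each SRV name to targets that are not the server being installed."""
    expected = expected_server.rstrip(".").lower()
    found = {}
    for name, answer in srv_answers.items():
        others = sorted({h for _port, h in parse_srv(answer) if h != expected})
        if others:
            found[name] = others
    return found

SAMPLE_SRV = {  # constructed: the domain's records still name an older server
    "_ldap._tcp.dc2": "0 100 389 oldipa.dc2.\n",
    "_kerberos._udp.dc2": "0 100 88 oldipa.dc2.\n0 100 88 ipa20-test.dc2.\n",
}

if __name__ == "__main__":
    for pair in (("dc2", "GATECH"), ("ipa.dc2", "IPA.DC2")):
        print(pair, check_naming(*pair) or "ok")
    for name, hosts in foreign_targets(SAMPLE_SRV, "ipa20-test.dc2").items():
        print("SRV %s also points at: %s" % (name, ", ".join(hosts)))
```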
