Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
great, thanks.

On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.

thx
anthony

On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com wrote:

 Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
 keyutils dependency fixed anyway :-)

 Martin

 On 03/25/2015 06:59 PM, Anthony Lanni wrote:
  keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
  reinstalled keyutils and then ran the ipa-server-install again, and this
  time it completed without error.
 
  Thanks very much, Martin and Dmitri!
 
  thx
  anthony
 
  On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com wrote:
 
  On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the end with an error
  regarding the client install on the server. This happens regardless of how I
  input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
  -n example.com -p passwd1 -a passwd2
  --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
  --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
  --unattended --domain example.com --server ldap-server-01.example.com
  --realm EXAMPLE.COM --hostname ldap-server-01.example.com
  ipa : DEBUG  stdout=
 
  ipa : DEBUG  stderr=Hostname: ldap-server-01.example.com
  Realm: EXAMPLE.COM
  DNS Domain: example.com
  IPA Server: ldap-server-01.example.com
  BaseDN: dc=example,dc=com
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
    File "/usr/sbin/ipa-client-install", line 2377, in <module>
      sys.exit(main())
    File "/usr/sbin/ipa-client-install", line 2363, in main
      rval = install(options, env, fstore, statestore)
    File "/usr/sbin/ipa-client-install", line 2135, in install
      delete_persistent_client_session_data(host_principal)
    File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
      kernel_keyring.del_key(keyname)
    File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
      real_key = get_real_key(key)
    File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
      (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
 
  Is keyctl installed? Can you run it manually?
  Any SELinux denials?
 
  You are likely hitting
  https://fedorahosted.org/freeipa/ticket/3808
 
  Please try installing keyutils before running ipa-server-install. It is fixed
  in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
  https://bugzilla.redhat.com/show_bug.cgi?id=1205660
 
  Martin
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
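
The failure in this thread came down to a /bin/keyctl that was zero length even though the keyutils package was reported as installed. As an added example (not written by the thread participants or the FreeIPA project), here is a pre-flight check that could be run before ipa-server-install; the function name `check_helper` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a helper binary the installer shells out to
# (here: keyctl) is really usable, not just "installed" per the package DB.
#
# check_helper PATH prints a status line and returns:
#   0 ok               1 missing            2 not a regular file
#   3 zero length      4 not executable     5 differs from the RPM database
check_helper() {
    bin=$1

    if [ ! -e "$bin" ]; then
        echo "$bin: missing"
        return 1
    fi
    if [ ! -f "$bin" ]; then
        echo "$bin: not a regular file"
        return 2
    fi
    # The case from this thread: the file exists, the package is installed,
    # but the binary has no content.
    if [ ! -s "$bin" ]; then
        echo "$bin: zero length"
        return 3
    fi
    if [ ! -x "$bin" ]; then
        echo "$bin: not executable"
        return 4
    fi

    # On RPM-based systems, also compare the file with the package database.
    # Skipped when rpm is absent or the file is not owned by any package.
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$bin" >/dev/null 2>&1; then
        # rpm -Vf lists only files that deviate from the package metadata
        # (size, digest, mode, ...); look for our path in that list.
        if rpm -Vf "$bin" 2>/dev/null | grep -F -q -- " $bin"; then
            echo "$bin: differs from RPM database (reinstall the owning package)"
            return 5
        fi
    fi

    echo "$bin: ok"
    return 0
}

# Usage: sh preflight.sh /bin/keyctl
# With no arguments the script only defines check_helper.
rc=0
for b in "$@"; do
    check_helper "$b" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

A zero-length or modified binary reported here is repaired the way the thread describes, by reinstalling keyutils before rerunning the installer.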

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote:
 I'm referring to the host certificate; I was looking at the web UI,
 under Identity-Hosts in the server details page. The Host Certificate
 section says 'No Valid Certificate'.
 The server has a /etc/krb5.keytab file, and on the same page the
 Enrollment section says 'Kerberos Key Present, Host Provisioned'.

No, masters never got this certificate issued. It was intended to be an
alternate way to authenticate a host to IPA. The host certificate is not
used by IPA currently, and in 4.1 one isn't issued for clients by
default any more.

rob

 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
On 03/26/2015 05:52 PM, Anthony Lanni wrote:
 kinit USER works perfectly; but I can't ssh into the client machine from
 the server without it requesting a password.
 
 I think this is a DNS issue, actually. The server isn't resolving the name
 of the client, so I'm ssh'ing with the IP address, and that's not going to
 work since it's not in the Kerberos db (Cannot determine realm for numeric
 host address).

So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.

 Except, of course, that the server did not get its own valid Kerberos host
 certificate. It should, right? during the ipa-client-install --on-master
 step of the server install?

Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.

 In fact, the global DNS config is completely empty. But I'm going to have
 to tear down the server and rebuild because it's on the same domain as an
 AD server, and ipa-client-install finds that server rather than the new IPA
 server by default: that won't work because I want LDAP to dynamically
 update the records, and establish a trust with the AD server.
 Also we've got 2 linux DNS root servers that act as forwarders. I pointed
 the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
 to configure IPA to use them properly. So I'm sure that's where most of my
 problems lie.
 
 I've got to RTFM a bit more before I really start asking the right
 questions, I think. At that point I'll start a new thread.

Ok :-)

Martin

 
 
 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
I am not sure what you mean. So are you saying that kinit USER done on server
fails? With what error?



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI, under
Identity-Hosts in the server details page. The Host Certificate section
says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the Enrollment
section says 'Kerberos Key Present, Host Provisioned'.

thx
anthony

thx
anthony


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.

I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db (Cannot determine realm for numeric
host address).

Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? during the ipa-client-install --on-master
step of the server install?

In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. So I'm sure that's where most of my
problems lie.

I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.



thx
anthony


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.

Thanks for the help, everyone!

thx
anthony


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
keyutils dependency fixed anyway :-)

Martin

On 03/25/2015 06:59 PM, Anthony Lanni wrote:
 keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
 reinstalled keyutils and then ran the ipa-server-install again, and this
 time it completed without error.
 
 Thanks very much, Martin and Dmitri!
 
 thx
 anthony
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Martin Kosek
On 03/25/2015 04:11 AM, Dmitri Pal wrote:
 On 03/24/2015 09:17 PM, Anthony Lanni wrote:
 While running ipa-server-install, it's failing out at the end with an error
 regarding the client install on the server. This happens regardless of how I
 input the options, but here's the latest command:

 ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
 -n example.com -p passwd1 -a passwd2
 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d

 Runs through the entire setup and gives me this:

 [...]
 ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
 ipa : DEBUG  stdout=
 ipa : DEBUG  stderr=Hostname: ldap-server-01.example.com
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: ldap-server-01.example.com
 BaseDN: dc=example,dc=com
 New SSSD config will be created
 Configured /etc/sssd/sssd.conf
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 2377, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 2363, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 2135, in install
     delete_persistent_client_session_data(host_principal)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
     kernel_keyring.del_key(keyname)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
     real_key = get_real_key(key)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
 
 Is keyctl installed? Can you run it manually?
 Any SELinux denials?

You are likely hitting
https://fedorahosted.org/freeipa/ticket/3808

Please try installing keyutils before running ipa-server-install. It is fixed
in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
https://bugzilla.redhat.com/show_bug.cgi?id=1205660

Martin



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Anthony Lanni
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the ipa-server-install again, and this
time it completed without error.

Thanks very much, Martin and Dmitri!

thx
anthony

On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com wrote:

 You are likely hitting
 https://fedorahosted.org/freeipa/ticket/3808

 Please try installing keyutils before running ipa-server-install. It is fixed
 in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
 https://bugzilla.redhat.com/show_bug.cgi?id=1205660

 Martin



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Dmitri Pal

On 03/24/2015 09:17 PM, Anthony Lanni wrote:
While running ipa-server-install, it's failing out at the end with an 
error regarding the client install on the server. This happens 
regardless of how I input the options, but here's the latest command:


ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
-n example.com -p passwd1 -a passwd2
--hostname=ldap-server-01.example.com --forwarder=10.0.1.20
--forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d


Runs through the entire setup and gives me this:

[...]
ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
ipa : DEBUG  stdout=
ipa : DEBUG  stderr=Hostname: ldap-server-01.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ldap-server-01.example.com
BaseDN: dc=example,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2135, in install
    delete_persistent_client_session_data(host_principal)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
    kernel_keyring.del_key(keyname)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
    real_key = get_real_key(key)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
    (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)


Is keyctl installed? Can you run it manually?
Any SELinux denials?

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1234, in _execute_child
    raise child_exception
OSError: [Errno 8] Exec format error

ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

ipa : INFO The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.advdc.com' returned non-zero exit status 1



Same details (without the debug messages, of course) in 
/var/log/ipaserver-install.log. From ipaclient-install.log:

[...]
2015-03-24T23:15:26Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2015-03-24T23:15:26Z DEBUG   - Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2015-03-24T23:15:26Z INFO New SSSD config will be created
2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=
2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/ldap-server-01.example@example.com
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=

I'm running on CENTOS 6.5, freeipa 3.0.0.37

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

I noticed that there's no host certificate for the server when I look 
at the host details in the web interface.


thx
anthony





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
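
The failure discussed in this thread, as an added example that is not part of any post and is not FreeIPA code: a zero-length executable standing in for /bin/keyctl makes a shell-less subprocess call fail with errno 8 (Exec format error), and a small preflight check reports that state before an installer runs. It is written for Python 3; the helper names and the sample files are constructed for illustration.

```python
import errno
import os
import subprocess
import tempfile

def classify_executable(path):
    """Preflight check: 'missing', 'empty', 'not-executable', 'bad-format' or 'ok'."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"  # the state /bin/keyctl was reported to be in
    if not os.access(path, os.X_OK):
        return "not-executable"
    with open(path, "rb") as fh:
        magic = fh.read(4)
    # The kernel loads ELF binaries directly and '#!' scripts via their interpreter.
    return "ok" if magic == b"\x7fELF" or magic[:2] == b"#!" else "bad-format"

def exec_errno(path):
    """Run path through subprocess (no shell); return the failure errno, or None."""
    try:
        subprocess.run([path], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError as exc:
        return exc.errno
    return None

def make_executable(directory, name, content):
    """Write a constructed sample file with mode 0755 and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o755)
    return path

def demo():
    """Classify and execute three constructed stand-ins for /bin/keyctl."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "empty": make_executable(tmp, "keyctl-empty", b""),
            "script": make_executable(tmp, "keyctl-script", b"#!/bin/sh\nexit 0\n"),
            "missing": os.path.join(tmp, "keyctl-missing"),
        }
        return {name: (classify_executable(p), exec_errno(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (state, err) in demo().items():
        print(name, state, errno.errorcode.get(err, "ran"))
```

On an RPM-based host, `rpm -V keyutils` is the package-level counterpart of this check: it flags installed files whose size or digest no longer matches the package.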
