Hello
I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible, but when I've come to rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U
I get the following error:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
I've disabled the firewall on both systems, and DNS resolves the server name. I can nmap and telnet to the ports listed, so I don't think it's a networking issue. The IPA server appears to be running fine:
[root@server tmp]# service ipa status
Redirecting to /bin/systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
Main PID: 18336 (code=exited, status=0/SUCCESS)
CPU: 1.610s
Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
Looking at the ipaclient-install.log there are lines that are semi-interesting, but I can't see how to progress from here to resolve the issue:
2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
2024-04-12T16:25:52Z DEBUG stderr=
2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - virt01.domain.local
: PR_FILE_NOT_FOUND_ERROR: File not found
But if I run `kinit admin@server.domain.local` it authenticates.
I seem to be at a dead end. How do I troubleshoot this further?
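As an added example (not part of the original post) of how to pin down a "Cannot contact any KDC for realm" failure: the script below lists the KDCs a client's krb5.conf names for a realm, optionally tests TCP reachability to each, and prints the KRB5_TRACE kinit invocation that shows which KDC the Kerberos library actually tried. The krb5.conf content is a constructed sample modelled on what ipa-client-install --fixed-primary writes; the realm and host names are the ones from the post, and the parser assumes the "key = value" spacing that ipa-client-install uses.

```shell
#!/usr/bin/env bash
# Usage: ./kdc_check.sh [/etc/krb5.conf] [REALM]
# With no arguments it runs against the constructed sample below.

realm_kdcs() {  # realm_kdcs REALM krb5.conf -> one kdc host[:port] per line
  awk -v realm="$1" '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); in_block = 0; next }
    in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }   # case-sensitive realm match
    in_block && /^[[:space:]]*}/ { in_block = 0; next }
    in_block && /^[[:space:]]*kdc[[:space:]]*=/ {
        sub(/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*/, ""); print $1 }
  ' "$2"
}

kdc_reachable() {  # kdc_reachable host[:port]; port defaults to 88; 3 s TCP connect via bash /dev/tcp
  local host=${1%%:*} port=${1##*:}
  [ "$port" = "$1" ] && port=88
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Constructed sample krb5.conf (not taken from the poster's system).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[libdefaults]
  default_realm = DOMAIN.LOCAL
  dns_lookup_kdc = false
[realms]
  DOMAIN.LOCAL = {
    kdc = server.domain.local:88
    master_kdc = server.domain.local:88
    admin_server = server.domain.local:749
  }
[domain_realm]
  .domain.local = DOMAIN.LOCAL
EOF

CONF=${1:-$SAMPLE_CONF}
REALM=${2:-DOMAIN.LOCAL}
kdcs=$(realm_kdcs "$REALM" "$CONF")
[ -n "$kdcs" ] || echo "no kdc entries for realm '$REALM' in $CONF (check realm spelling and case)"
for k in $kdcs; do
  if [ "$CONF" = "$SAMPLE_CONF" ]; then echo "$REALM -> kdc $k (sample config, not probed)"
  elif kdc_reachable "$k"; then echo "$k: TCP connect OK"
  else echo "$k: TCP connect FAILED"; fi
done
# The trace shows each KDC address tried and the error returned for it.
echo "next step: KRB5_TRACE=/dev/stderr kinit admin@$REALM"
```

Running it with the client's real /etc/krb5.conf after a failed enrollment shows whether the realm block exists under that exact name and whether the listed KDC is the one you expect; a realm name that differs only in case yields no entries, which is the same symptom kinit reports.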