Hi guys,
So, I'm trying to make this work:
FreeIPA server has hostname: ipa001.pri.some.network
FreeIPA client has hostname: cli001.pri.some.network
The KRB Realm entered during the FreeIPA server setup is: SOME.NETWORK
Now, when I try to add the client, it looks happy and is able to look
up the server using DNS, but then it stops with:
---
The ipa-client-install command failed, exception: KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "SOME.NETWORK"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
---
I've added the output from the ipa-server-install to the relevant DNS zone:
---
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389 ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
---
And if I make a query to the DNS server, it answers as expected:
---
[root@indy001 named]# dig @localhost -t TXT _kerberos.some.network
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @localhost -t TXT _kerberos.some.network
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a9f13188f45d098c0a6127a5ebb846645308639d451a496 (good)
;; QUESTION SECTION:
;_kerberos.some.network. IN TXT
;; ANSWER SECTION:
_kerberos.some.network. 5 IN TXT "SOME.NETWORK"
;; AUTHORITY SECTION:
rpz. 10800 IN NS indy02.pri.some.network.
rpz. 10800 IN NS indy001.pri.some.network.
;; ADDITIONAL SECTION:
indy001.pri.some.network. 10800 IN A 192.168.15.52
indy002.pri.some.network. 10800 IN A 192.168.15.53
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 13 07:23:50 CEST 2020
;; MSG SIZE rcvd: 181
[root@indy001 named]#
---
So, any idea what's going on? I think it might be looking for the KDC
for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to
look for that info.
I've attached the ipaclient-install.log; the interesting part is:
---
2020-05-12T13:32:04Z DEBUG Starting external process
2020-05-12T13:32:04Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpaweq3vf2', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpaweq3vf2/pwdfile.txt']
2020-05-12T13:32:05Z DEBUG Process finished, return code=0
2020-05-12T13:32:05Z DEBUG stdout=
2020-05-12T13:32:05Z DEBUG stderr=
2020-05-12T13:32:05Z DEBUG failed to find session_cookie in persistent storage for principal 'host/cli001.pri.some.network@SOME.NETWORK'
2020-05-12T13:32:05Z DEBUG trying
https://ipa001.pri.some.network/ipa/json
2020-05-12T13:32:05Z DEBUG Created connection
context.rpcclient_140399463755392
2020-05-12T13:32:05Z DEBUG [try 1]: Forwarding 'schema' to json server
'https://ipa001.pri.some.network/ipa/json'
2020-05-12T13:32:05Z DEBUG New HTTP connection
(ipa001.pri.some.network)
2020-05-12T13:32:05Z DEBUG HTTP connection destroyed
(ipa001.pri.some.network)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
---
Any ideas much appreciated.
/tony
--
Tony Albers - Systems Architect - IT Development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark
Tel: +45 2566 2383 - CVR/SE: 2898 8842 - EAN: 5798000792142
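An added example (not from the poster or from FreeIPA): a small model of how an MIT Kerberos client discovers its realm and KDC through DNS, checked against the zone records quoted in the post. The lookup patterns it uses (the `_kerberos.<domain>` TXT walk up the parent domains, and `_kerberos`, `_kerberos-master` and `_kpasswd` SRV records under `_udp`/`_tcp` of the realm name) are the standard krb5 DNS queries; `check_discovery` and its return shape are my own helper, and the zone text is rejoined onto one line per record.

```python
"""Model of MIT Kerberos DNS-based realm and KDC discovery.

Given a client hostname and a realm, list the TXT/SRV names the krb5
library looks up, then check them against a zone snippet. ZONE is the
zone from the post; the helper functions are an added, simplified model.
"""

# Zone records as posted, one record per line (owner names keep their
# trailing dot here; parse_zone strips it so names compare cleanly).
ZONE = """
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389 ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
"""


def parse_zone(text):
    """Return {(owner, rtype): rdata} for simple one-line zone records."""
    records = {}
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[(owner.rstrip(".").lower(), rtype)] = rdata
    return records


def realm_txt_candidates(hostname):
    """TXT names krb5 walks (host first, then each parent) to map a domain to a realm."""
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def kdc_srv_names(realm):
    """SRV names krb5 queries for the KDC, master KDC and kpasswd of a realm."""
    r = realm.lower()  # DNS is case-insensitive; realm names are upper-case
    return [f"{svc}.{proto}.{r}"
            for svc in ("_kerberos", "_kerberos-master", "_kpasswd")
            for proto in ("_udp", "_tcp")]


def check_discovery(hostname, realm, zone_text):
    """Report which TXT candidates hit and which KDC SRV names are (un)answered."""
    recs = parse_zone(zone_text)
    txt_hits = [n for n in realm_txt_candidates(hostname) if (n, "TXT") in recs]
    srv = {n: recs.get((n, "SRV")) for n in kdc_srv_names(realm)}
    return {"realm_txt": txt_hits, "srv": srv}
```

Running `check_discovery("cli001.pri.some.network", "SOME.NETWORK", ZONE)` shows every KDC SRV name answered by the posted zone, while the same call with realm `PRI.SOME.NETWORK` (the poster's suspicion) returns `None` for all of them, which is the shape of a "Cannot find KDC for realm" failure when discovery relies on DNS alone.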