Hi guys,
So, I'm trying to make this work:
FreeIPA server has hostname: ipa001.pri.some.network
FreeIPA client has hostname: cli001.pri.some.network
The KRB Realm entered during the FreeIPA server setup is: SOME.NETWORK
Now, when I try to add the client, it looks happy and is able to look up the server using DNS, but then it stops with:
---
The ipa-client-install command failed, exception: KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "SOME.NETWORK"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
---
I've added the output from the ipa-server-install to the relevant dns zone:
---
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389 ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
---
And if I make a query to the dns server, it answers as expected:
---
[root@indy001 named]# dig @localhost -t TXT _kerberos.some.network

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @localhost -t TXT _kerberos.some.network
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a9f13188f45d098c0a6127a5ebb846645308639d451a496 (good)
;; QUESTION SECTION:
;_kerberos.some.network.        IN      TXT

;; ANSWER SECTION:
_kerberos.some.network. 5       IN      TXT     "SOME.NETWORK"

;; AUTHORITY SECTION:
rpz.                    10800   IN      NS      indy002.pri.some.network.
rpz.                    10800   IN      NS      indy001.pri.some.network.

;; ADDITIONAL SECTION:
indy001.pri.some.network. 10800 IN      A       192.168.15.52
indy002.pri.some.network. 10800 IN      A       192.168.15.53

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 13 07:23:50 CEST 2020
;; MSG SIZE  rcvd: 181

[root@indy001 named]#
---
So, any idea what's going on? I think it might be looking for the KDC for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to look for that info.
I've attached the ipaclient-install.log; the interesting part is:
---
2020-05-12T13:32:04Z DEBUG Starting external process
2020-05-12T13:32:04Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpaweq3vf2', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpaweq3vf2/pwdfile.txt']
2020-05-12T13:32:05Z DEBUG Process finished, return code=0
2020-05-12T13:32:05Z DEBUG stdout=
2020-05-12T13:32:05Z DEBUG stderr=
2020-05-12T13:32:05Z DEBUG failed to find session_cookie in persistent storage for principal 'host/cli001.pri.some.network@SOME.NETWORK'
2020-05-12T13:32:05Z DEBUG trying https://ipa001.pri.some.network/ipa/json
2020-05-12T13:32:05Z DEBUG Created connection context.rpcclient_140399463755392
2020-05-12T13:32:05Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipa001.pri.some.network/ipa/json'
2020-05-12T13:32:05Z DEBUG New HTTP connection (ipa001.pri.some.network)
2020-05-12T13:32:05Z DEBUG HTTP connection destroyed (ipa001.pri.some.network)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
---
Any ideas much appreciated.
/tony
On Wed, 13 May 2020, Tony Brian Albers via FreeIPA-users wrote:
> So, any idea what's going on? I think it might be looking for the KDC for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to look for that info.
What is going on: you installed your IPA master in a non-supported configuration and that is now breaking everything up.
This is visible in the client installation log here:
2020-05-12T13:31:02Z DEBUG Kerberos realm forced
2020-05-12T13:31:02Z DEBUG Search DNS for SRV record of _kerberos._udp.pri.some.network
2020-05-12T13:31:02Z DEBUG DNS record found: 0 100 88 ipa001.pri.some.network.
2020-05-12T13:31:02Z DEBUG [LDAP server check]
2020-05-12T13:31:02Z DEBUG Verifying that ipa001.pri.some.network (realm SOME.NETWORK) is an IPA server
2020-05-12T13:31:02Z DEBUG Init LDAP connection to: ldap://ipa001.pri.some.network:389
2020-05-12T13:31:02Z DEBUG Search LDAP server for IPA base DN
2020-05-12T13:31:02Z DEBUG Check if naming context 'dc=pri,dc=some,dc=network' is for IPA
2020-05-12T13:31:02Z DEBUG Naming context 'dc=pri,dc=some,dc=network' is a valid IPA context
2020-05-12T13:31:02Z DEBUG Search for (objectClass=krbRealmContainer) in dc=pri,dc=some,dc=network (sub)
2020-05-12T13:31:02Z DEBUG Found: cn=SOME.NETWORK,cn=kerberos,dc=pri,dc=some,dc=network
2020-05-12T13:31:02Z DEBUG Discovery result: Success; server=ipa001.pri.some.network, domain=pri.some.network, kdc=ipa001.pri.some.network, basedn=dc=pri,dc=some,dc=network
2020-05-12T13:31:02Z DEBUG Validated servers: ipa001.pri.some.network
2020-05-12T13:31:02Z DEBUG will use discovered domain: pri.some.network
You have realm SOME.NETWORK and primary IPA domain pri.some.network. IPA actually expects that primary domain and realm are the same (naming context above has to be the same as the primary domain).
If you want to use SOME.NETWORK as your realm, you have to own DNS domain some.network too and set it as your primary domain when deploying the initial master. It is OK to have that master in a different DNS domain -- as long as DNS is resolvable in a normal way, that should work.
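To make the realm/domain relationship in the reply above concrete, here is an added preflight script that is not code from FreeIPA or from anyone in this thread. It models the two separate DNS lookups involved with a small in-memory zone: ipa-client-install derives the client's DNS domain from its hostname (cli001.pri.some.network gives pri.some.network) and searches _kerberos._udp.<domain> for a server, while libkrb5 with dns_lookup_kdc resolves the KDC for a realm via _kerberos._udp.<realm lowercased>, i.e. _kerberos._udp.some.network for realm SOME.NETWORK. The some.network records in the zone text are the ones posted above; the _kerberos._udp.pri.some.network SRV record is an assumption (the log shows discovery finding one). The check only looks at DNS; a real client also consults krb5.conf and LDAP.

```python
"""Preflight for the realm vs. primary-domain relationship (added example).

Not FreeIPA code. Models ipa-client-install's domain discovery and libkrb5's
DNS-based KDC lookup against a constructed zone, and flags a realm that does
not match the client's primary DNS domain.
"""
from dataclasses import dataclass

# Constructed zone: the records posted in the thread plus one ASSUMED record
# for pri.some.network, which the client log shows discovery finding.
ZONE = """
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389 ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
; ASSUMED: the SRV record ipa-client-install found during discovery
_kerberos._udp.pri.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
"""


@dataclass(frozen=True)
class Record:
    name: str   # owner name, lowercased, trailing dot removed
    rtype: str  # SRV, TXT, A, ...
    rdata: str  # rest of the line, verbatim


def parse_zone(text):
    """Parse '<owner> <ttl> IN <type> <rdata>' lines; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, _ttl, _cls, rtype, rdata = parts
        records.append(Record(owner.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def lookup(records, owner, rtype):
    """Return the rdata of every record with this owner name and type."""
    owner = owner.rstrip(".").lower()
    return [r.rdata for r in records if r.name == owner and r.rtype == rtype]


def client_domain(hostname):
    """Default DNS domain ipa-client-install derives: drop the first label."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError("hostname must be fully qualified")
    return ".".join(labels[1:])


def preflight(records, client_hostname, realm):
    """Report what each lookup would see and where realm and domain disagree."""
    domain = client_domain(client_hostname)
    realm_domain = realm.lower()
    realm_txt = [t.strip('"') for t in lookup(records, f"_kerberos.{domain}", "TXT")]
    result = {
        "domain": domain,
        "realm_matches_domain": domain == realm_domain,
        "discovery_srv": lookup(records, f"_kerberos._udp.{domain}", "SRV"),
        "realm_txt": realm_txt,
        "kdc_srv": lookup(records, f"_kerberos._udp.{realm_domain}", "SRV"),
        "problems": [],
    }
    if not result["realm_matches_domain"]:
        result["problems"].append(
            f"realm {realm} vs primary domain {domain}: IPA expects these to match")
    if not result["discovery_srv"]:
        result["problems"].append(
            f"no _kerberos._udp.{domain} SRV: ipa-client-install cannot discover a server")
    # A missing TXT is not flagged: the realm can be forced with --realm, as the
    # "Kerberos realm forced" log line shows. A TXT that disagrees is flagged.
    if realm_txt and realm_txt[0] != realm:
        result["problems"].append(
            f"_kerberos.{domain} TXT says {realm_txt[0]}, client expects {realm}")
    if not result["kdc_srv"]:
        result["problems"].append(
            f"no _kerberos._udp.{realm_domain} SRV: libkrb5 cannot find a KDC for {realm}")
    return result


if __name__ == "__main__":
    report = preflight(parse_zone(ZONE), "cli001.pri.some.network", "SOME.NETWORK")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the thread's setup (client cli001.pri.some.network, realm SOME.NETWORK) the only problem reported is the realm/domain mismatch, which is exactly the point of the reply: both SRV lookups can succeed and the deployment is still in an unsupported shape. Rerun with a client in some.network and the report is clean.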
Thanks Alexander,
I think I might have misunderstood the relation between DNS domain and realm.
I'll get it sorted.
/tony
freeipa-users@lists.fedorahosted.org