On Wed, 13 May 2020, Tony Brian Albers via FreeIPA-users wrote:
Hi guys,
So, I'm trying to make this work:
FreeIPA server has hostname: ipa001.pri.some.network
FreeIPA client has hostname: cli001.pri.some.network
The KRB Realm entered during the FreeIPA server setup is: SOME.NETWORK
Now, when I try to add the client, it looks happy and is able to look
up the server using DNS, but then it stops with:
---
The ipa-client-install command failed, exception: KerberosError: Major
(851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529639066): Cannot find KDC for realm
"SOME.NETWORK"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
---
I've added the output from the ipa-server-install to the relevant dns
zone:
---
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389 ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
---
And if I make a query to the dns server, it answers as expected:
---
[root@indy001 named]# dig @localhost -t TXT _kerberos.some.network
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @localhost -t TXT _kerberos.some.network
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a9f13188f45d098c0a6127a5ebb846645308639d451a496 (good)
;; QUESTION SECTION:
;_kerberos.some.network. IN TXT
;; ANSWER SECTION:
_kerberos.some.network. 5 IN TXT "SOME.NETWORK"
;; AUTHORITY SECTION:
rpz. 10800 IN NS indy02.pri.some.network.
rpz. 10800 IN NS indy001.pri.some.network.
;; ADDITIONAL SECTION:
indy001.pri.some.network. 10800 IN A 192.168.15.52
indy002.pri.some.network. 10800 IN A 192.168.15.53
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 13 07:23:50 CEST 2020
;; MSG SIZE rcvd: 181
[root@indy001 named]#
---
So, any idea what's going on? I think it might be looking for the KDC
for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to
look for that info.
What is going on: you installed your IPA master in a non-supported
configuration and that is now breaking everything up.
This is visible in the client installation log here:
2020-05-12T13:31:02Z DEBUG Kerberos realm forced
2020-05-12T13:31:02Z DEBUG Search DNS for SRV record of _kerberos._udp.pri.some.network
2020-05-12T13:31:02Z DEBUG DNS record found: 0 100 88 ipa001.pri.some.network.
2020-05-12T13:31:02Z DEBUG [LDAP server check]
2020-05-12T13:31:02Z DEBUG Verifying that ipa001.pri.some.network (realm SOME.NETWORK) is an IPA server
2020-05-12T13:31:02Z DEBUG Init LDAP connection to: ldap://ipa001.pri.some.network:389
2020-05-12T13:31:02Z DEBUG Search LDAP server for IPA base DN
2020-05-12T13:31:02Z DEBUG Check if naming context 'dc=pri,dc=some,dc=network' is for IPA
2020-05-12T13:31:02Z DEBUG Naming context 'dc=pri,dc=some,dc=network' is a valid IPA context
2020-05-12T13:31:02Z DEBUG Search for (objectClass=krbRealmContainer) in dc=pri,dc=some,dc=network (sub)
2020-05-12T13:31:02Z DEBUG Found: cn=SOME.NETWORK,cn=kerberos,dc=pri,dc=some,dc=network
2020-05-12T13:31:02Z DEBUG Discovery result: Success; server=ipa001.pri.some.network, domain=pri.some.network, kdc=ipa001.pri.some.network, basedn=dc=pri,dc=some,dc=network
2020-05-12T13:31:02Z DEBUG Validated servers: ipa001.pri.some.network
2020-05-12T13:31:02Z DEBUG will use discovered domain: pri.some.network
You have realm SOME.NETWORK and primary IPA domain pri.some.network. IPA
actually expects that primary domain and realm are the same (naming
context above has to be the same as the primary domain).
If you want to use SOME.NETWORK as your realm, you have to own DNS
domain some.network too and set it as your primary domain when deploying
the initial master. It is OK to have that master in a different DNS
domain -- as long as DNS is resolvable in a normal way, that should
work.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
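The discovery steps the client log shows, replayed against a constructed in-memory DNS table and checked with the rule from the reply (realm must equal the primary domain, base DN derived from that domain); this is an added example, not code from the thread or from FreeIPA, and the record tables, the `BROKEN_DNS`/`SUPPORTED_DNS` names and the `check_deployment` helper are assumptions for illustration.

```python
# Added example, not from the thread: replay the discovery steps visible in the
# ipa-client-install log against an in-memory DNS table, then apply the rule from
# the reply (IPA realm == primary domain, LDAP base DN derived from that domain).

# Constructed records: the zone posted above (under some.network) plus the SRV
# record the client log shows it found under pri.some.network.
BROKEN_DNS = {
    ("_kerberos._udp.some.network", "SRV"): "0 100 88 ipa001.pri.some.network.",
    ("_kerberos.some.network", "TXT"): '"SOME.NETWORK"',
    ("_kerberos._udp.pri.some.network", "SRV"): "0 100 88 ipa001.pri.some.network.",
}
# Constructed records for the supported layout: realm is the primary domain uppercased.
SUPPORTED_DNS = {
    ("_kerberos._udp.pri.some.network", "SRV"): "0 100 88 ipa001.pri.some.network.",
    ("_kerberos.pri.some.network", "TXT"): '"PRI.SOME.NETWORK"',
}

def domain_from_hostname(fqdn):
    # The client derives its primary domain from its own FQDN ("will use discovered domain").
    return fqdn.rstrip(".").split(".", 1)[1]

def basedn_from_domain(domain):
    # IPA builds the LDAP suffix from the primary domain: pri.some.network -> dc=pri,dc=some,dc=network
    return ",".join("dc=" + label for label in domain.split("."))

def check_deployment(client_fqdn, forced_realm, dns):
    """Return (discovery dict, list of problems) for a client enrolling with a forced realm."""
    domain = domain_from_hostname(client_fqdn)
    srv = dns.get(("_kerberos._udp." + domain, "SRV"))
    txt = dns.get(("_kerberos." + domain, "TXT"))
    result = {
        "domain": domain,
        "kdc": srv.split()[3].rstrip(".") if srv else None,  # SRV target is the KDC host
        "basedn": basedn_from_domain(domain),
        "txt_realm": txt.strip('"') if txt else None,
    }
    problems = []
    if forced_realm != domain.upper():
        problems.append("realm %s != primary domain %s (IPA expects realm %s)"
                        % (forced_realm, domain, domain.upper()))
    if result["kdc"] is None:
        problems.append("no _kerberos._udp.%s SRV record" % domain)
    if result["txt_realm"] is None:
        problems.append("no _kerberos.%s TXT realm record" % domain)
    elif result["txt_realm"] != forced_realm:
        problems.append("TXT realm %s differs from forced realm %s" % (result["txt_realm"], forced_realm))
    return result, problems
```

Running `check_deployment("cli001.pri.some.network", "SOME.NETWORK", BROKEN_DNS)` reproduces the mismatch from the thread (realm SOME.NETWORK against domain pri.some.network, base DN dc=pri,dc=some,dc=network, no realm TXT under pri.some.network), while the SUPPORTED_DNS table with realm PRI.SOME.NETWORK reports no problems.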