3:26 a.m.
Hi guys,
So, I'm trying to make this work:
FreeIPA server has hostname: ipa001.pri.some.network
FreeIPA client has hostname: cli001.pri.some.network
The KRB Realm entered during the FreeIPA server setup is: SOME.NETWORK
Now, when I try to add the client, it looks happy and is able to look
up the server using DNS, but then it stops with:
---
The ipa-client-install command failed, exception: KerberosError: Major
(851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529639066): Cannot find KDC for realm
"SOME.NETWORK"
The ipa-client-install command failed. See /var/log/ipaclient-
install.log for more information
---
I've added the output from the ipa-server-install to the relevant dns
zone:
---
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464
ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464
ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389
ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
---
And if I make a query to the dns server, it answers as expected:
---
[root@indy001 named]# dig @localhost -t TXT _kerberos.some.network
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @localhost -t
TXT
_kerberos.some.network
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a9f13188f45d098c0a6127a5ebb846645308639d451a496 (good)
;; QUESTION SECTION:
;_kerberos.some.network. IN TXT
;; ANSWER SECTION:
_kerberos.some.network. 5 IN TXT "SOME.NETWORK"
;; AUTHORITY SECTION:
rpz. 10800 IN NS indy02.pri.some.network
.
rpz. 10800 IN NS indy001.pri.some.networ
k.
;; ADDITIONAL SECTION:
indy001.pri.some.network. 10800 IN A 192.168.15.52
indy002.pri.some.network. 10800 IN A 192.168.15.53
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 13 07:23:50 CEST 2020
;; MSG SIZE rcvd: 181
[root@indy001 named]#
---
So, any idea what's going on? I think it might be looking for the KDC
for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to
look for that info.
I've attached the ipaclient-install.log the interesting part is:
---
020-05-12T13:32:04Z DEBUG Starting external process
2020-05-12T13:32:04Z DEBUG args=['/usr/bin/certutil', '-d',
'sql:/tmp/tmpaweq3vf2', '-A', '-n', 'CA certificate 1',
'-t', 'C,,', '-
a', '-f', '/tmp/t
mpaweq3vf2/pwdfile.txt']
2020-05-12T13:32:05Z DEBUG Process finished, return code=0
2020-05-12T13:32:05Z DEBUG stdout=
2020-05-12T13:32:05Z DEBUG stderr=
2020-05-12T13:32:05Z DEBUG failed to find session_cookie in persistent
storage for principal 'host/cli001.pri.some.network(a)SOME.NETWORK'
2020-05-12T13:32:05Z DEBUG trying
https://ipa001.pri.some.network/ipa/json
2020-05-12T13:32:05Z DEBUG Created connection
context.rpcclient_140399463755392
2020-05-12T13:32:05Z DEBUG [try 1]: Forwarding 'schema' to json server
'https://ipa001.pri.some.network/ipa/json'
2020-05-12T13:32:05Z DEBUG New HTTP connection
(ipa001.pri.some.network)
2020-05-12T13:32:05Z DEBUG HTTP connection destroyed
(ipa001.pri.some.network)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-
packages/ipaclient/remote_plugins/__init__.py", line 126, in
get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
---
Any ideas much appreciated.
/tony
--
Tony Albers - Systems Architect - IT Development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark
Tel: +45 2566 2383 - CVR/SE: 2898 8842 - EAN: 5798000792142
3:51 a.m.
New subject: Cannot find KDC for realm (dns on another machine)
On ke, 13 touko 2020, Tony Brian Albers via FreeIPA-users wrote:
Hi guys,
So, I'm trying to make this work:
FreeIPA server has hostname: ipa001.pri.some.network
FreeIPA client has hostname: cli001.pri.some.network
The KRB Realm entered during the FreeIPA server setup is: SOME.NETWORK
Now, when I try to add the client, it looks happy and is able to look
up the server using DNS, but then it stops with:
---
The ipa-client-install command failed, exception: KerberosError: Major
(851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529639066): Cannot find KDC for realm
"SOME.NETWORK"
The ipa-client-install command failed. See /var/log/ipaclient-
install.log for more information
---
I've added the output from the ipa-server-install to the relevant dns
zone:
---
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88
ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464
ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464
ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389
ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
---
And if I make a query to the dns server, it answers as expected:
---
[root@indy001 named]# dig @localhost -t TXT _kerberos.some.network
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @localhost -t
TXT
_kerberos.some.network
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a9f13188f45d098c0a6127a5ebb846645308639d451a496 (good)
;; QUESTION SECTION:
;_kerberos.some.network. IN TXT
;; ANSWER SECTION:
_kerberos.some.network. 5 IN TXT "SOME.NETWORK"
;; AUTHORITY SECTION:
rpz. 10800 IN NS indy02.pri.some.network
.
rpz. 10800 IN NS indy001.pri.some.networ
k.
;; ADDITIONAL SECTION:
indy001.pri.some.network. 10800 IN A 192.168.15.52
indy002.pri.some.network. 10800 IN A 192.168.15.53
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 13 07:23:50 CEST 2020
;; MSG SIZE rcvd: 181
[root@indy001 named]#
---
So, any idea what's going on? I think it might be looking for the KDC
for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to
look for that info.
What is going on: you installed your IPA master in a non-supported
configuration and that is now breaking everything up.
This visible in the client installation log here:
2020-05-12T13:31:02Z DEBUG Kerberos realm forced
2020-05-12T13:31:02Z DEBUG Search DNS for SRV record of _kerberos._udp.pri.some.network
2020-05-12T13:31:02Z DEBUG DNS record found: 0 100 88 ipa001.pri.some.network.
2020-05-12T13:31:02Z DEBUG [LDAP server check]
2020-05-12T13:31:02Z DEBUG Verifying that ipa001.pri.some.network (realm SOME.NETWORK) is
an IPA server
2020-05-12T13:31:02Z DEBUG Init LDAP connection to: ldap://ipa001.pri.some.network:389
2020-05-12T13:31:02Z DEBUG Search LDAP server for IPA base DN
2020-05-12T13:31:02Z DEBUG Check if naming context 'dc=pri,dc=some,dc=network' is
for IPA
2020-05-12T13:31:02Z DEBUG Naming context 'dc=pri,dc=some,dc=network' is a valid
IPA context
2020-05-12T13:31:02Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=pri,dc=some,dc=network (sub)
2020-05-12T13:31:02Z DEBUG Found: cn=SOME.NETWORK,cn=kerberos,dc=pri,dc=some,dc=network
2020-05-12T13:31:02Z DEBUG Discovery result: Success; server=ipa001.pri.some.network,
domain=pri.some.network, kdc=ipa001.pri.some.network, basedn=dc=pri,dc=some,dc=network
2020-05-12T13:31:02Z DEBUG Validated servers: ipa001.pri.some.network
2020-05-12T13:31:02Z DEBUG will use discovered domain: pri.some.network
You have realm SOME.NETWORK and primary IPA domain pri.some.network. IPA
actually expects that primary domain and realm are the same (naming
context above has to be the same as the primary domain).
If you want to use SOME.NETWORK as your realm, you have to own DNS
domain some.network too and set it as your primary domain when deploying
the initial master. It is OK to have that master in a different DNS
domain -- as long as DNS is resolvable in a normal way, that should
work.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5:18 a.m.
New subject: Cannot find KDC for realm (dns on another machine)
You have realm SOME.NETWORK and primary IPA domain
pri.some.network.
IPA
actually expects that primary domain and realm are the same (naming
context above has to be the same as the primary domain).
If you want to use SOME.NETWORK as your realm, you have to own DNS
domain some.network too and set it as your primary domain when
deploying
the initial master. It is OK to have that master in a different DNS
domain -- as long as DNS is resolvable in a normal way, that should
work.
Thanks Alexander,
I think I might have misunderstood the relation between DNS domain and
realm.
I'll get it sorted.
/tony
--
Tony Albers - Systems Architect - IT Development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark
Tel: +45 2566 2383 - CVR/SE: 2898 8842 - EAN: 5798000792142
1437
days inactive
1437
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Tony Brian Albers