C Wilson via FreeIPA-users wrote:
Hello
I'm trying to roll out a new IPA server for our development environment and have
nicely automated the server installation process with Ansible but when I've come to
rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL
--domain DOMAIN.local --principal admin --password 'adminpassword' -U
I get the following error:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after
enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Cannot contact any KDC for realm
'DOMAIN.LOCAL' while getting initial credentials
I've disabled the firewall on both systems, DNS resolves the server name. I can nmap
and telnet to the ports listed so I don't think it's a networking issue. The ipa
server appears to be running fine:
[root@server tmp]# service ipa status
Redirecting to /bin/systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
Main PID: 18336 (code=exited, status=0/SUCCESS)
CPU: 1.610s
Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
Looking at the ipaclient-install.log there are lines that are semi-interesting, but I
can't see how to progress from here to resolve the issue:
2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm
'DOMAIN.LOCAL' while getting initial credentials
2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
2024-04-12T16:25:52Z DEBUG stderr=
2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate
- virt01.domain.local
: PR_FILE_NOT_FOUND_ERROR: File not found
but if I run `kinit admin@server.domain.local` it authenticates.
The cert error is a red herring. It is looking to see if there is one
that needs to be cleaned up (there isn't).
Do you already have krb5.conf configured? Otherwise I don't know how the
KDC is contacted.
You can find the temporary krb5.conf that is used by the installer in
the log. You can put that into a file and try something like:
KRB5_CONFIG=/tmp/krb.conf KRB5_TRACE=/dev/stderr kinit admin
This should fail since this is doing the same thing as
ipa-client-install. The output may help identify what it's doing.
rob
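The diagnostic Rob describes, as an added example (not code from the thread or from FreeIPA): render a krb5.conf that names the KDC explicitly, which is what `--fixed-primary --server` makes the installer do, confirm the rendered file actually lists that KDC for the realm, then run `kinit` against it with `KRB5_TRACE` so libkrb5 reports every host, port and transport it tried. Realm, domain and server names are taken from the original post; the `admin` principal, the `IPA_ADMIN_PASSWORD` variable and the exact krb5.conf layout are assumptions, not the installer's real temporary file (that one should be copied from the log as Rob suggests).

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Values below are
# taken from the original post; override them via the environment if needed.
REALM="${REALM:-DOMAIN.LOCAL}"
DOMAIN="${DOMAIN:-domain.local}"
KDC="${KDC:-server.domain.local}"
PRINCIPAL="${PRINCIPAL:-admin}"

# Emit a minimal krb5.conf on stdout. dns_lookup_kdc = false mirrors a fixed
# primary: libkrb5 must reach the named host and cannot fall back to SRV records,
# so a wrong or unresolvable name here reproduces "Cannot contact any KDC".
# (Layout is an assumption; the installer's own file is in ipaclient-install.log.)
make_krb5_conf() {
  realm="$1"; domain="$2"; kdc="$3"
  cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false

[realms]
  $realm = {
    kdc = $kdc:88
    master_kdc = $kdc:88
    admin_server = $kdc:749
    kpasswd_server = $kdc:464
    default_domain = $domain
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}

# Sanity check on the rendered file: the expected KDC must be listed for the
# realm on port 88. Returns 0 when it is, 1 otherwise.
conf_names_kdc() {
  conf_file="$1"; kdc="$2"
  grep -q "^[[:space:]]*kdc = $kdc:88" "$conf_file"
}

# Run kinit with the temporary config and the trace on stderr, which is the
# same thing ipa-client-install does internally. The password is piped in from
# IPA_ADMIN_PASSWORD (assumed variable name) so it never appears in argv.
# Returns kinit's exit status; each KDC attempt (address, port, UDP/TCP) is
# printed on stderr by the trace.
trace_kinit() {
  conf_file="$1"; principal="$2"; realm="$3"
  printf '%s\n' "$IPA_ADMIN_PASSWORD" |
    KRB5_CONFIG="$conf_file" KRB5_TRACE=/dev/stderr kinit "$principal@$realm"
}

main() {
  tmp_conf="$(mktemp)"
  make_krb5_conf "$REALM" "$DOMAIN" "$KDC" > "$tmp_conf"
  if ! conf_names_kdc "$tmp_conf" "$KDC"; then
    echo "rendered krb5.conf does not name $KDC as the KDC for $REALM" >&2
    rm -f "$tmp_conf"
    return 1
  fi
  if command -v kinit >/dev/null 2>&1 && [ -n "${IPA_ADMIN_PASSWORD:-}" ]; then
    trace_kinit "$tmp_conf" "$PRINCIPAL" "$REALM"
    status=$?
    rm -f "$tmp_conf"
    return $status
  fi
  # No kinit on this host or no password in the environment: keep the config
  # and print the command so it can be run by hand on the client.
  echo "krb5.conf written to $tmp_conf; run on the client:"
  echo "  KRB5_CONFIG=$tmp_conf KRB5_TRACE=/dev/stderr kinit $PRINCIPAL@$REALM"
}

main "$@"
```

When the traced `kinit` fails, the lines just before the error are the ones to read: they show the resolved address and port libkrb5 actually tried, which is what distinguishes a wrong KDC name in the config from a host that resolves but does not answer on 88.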