11:46 a.m.
Hello
I'm trying to roll out a new IPA server for our development environment and have
nicely automated the server installation process with Ansible but when I've come to
rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL
--domain DOMAIN.local --principal admin --password 'adminpassword' -U
I get the following error:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after
enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Cannot contact any KDC for realm
'DOMAIN.LOCAL' while getting initial credentials
I've disabled the firewall on both systems, DNS resolves the server name. I can nmap
and telnet to the ports listed so I don't think it's a networking issue. The ipa
server appears to be running fine:
[root@server tmp]# service ipa status
Redirecting to /bin/systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
Main PID: 18336 (code=exited, status=0/SUCCESS)
CPU: 1.610s
Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
Looking at the ipaclient-install.log there are lines that are semi interesting but I
can't see how to progress from here to resolve the issue:
2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm
'DOMAIN.LOCAL' while getting initial credentials
2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
2024-04-12T16:25:52Z DEBUG stderr=
2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate -
virt01.domain.local
: PR_FILE_NOT_FOUND_ERROR: File not found
but if I run `kinit admin(a)server.domain.local` it authenticates.
I seem to be at a dead end, How do I troubleshoot this further?
12:20 p.m.
New subject: ipaclient-install.log certutil: Could not find cert:
C Wilson via FreeIPA-users wrote:
Hello
I'm trying to roll out a new IPA server for our development environment and have
nicely automated the server installation process with Ansible but when I've come to
rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL
--domain DOMAIN.local --principal admin --password 'adminpassword' -U
I get the following error:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after
enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Cannot contact any KDC for realm
'DOMAIN.LOCAL' while getting initial credentials
I've disabled the firewall on both systems, DNS resolves the server name. I can nmap
and telnet to the ports listed so I don't think it's a networking issue. The ipa
server appears to be running fine:
[root@server tmp]# service ipa status
Redirecting to /bin/systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled)
Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago
Main PID: 18336 (code=exited, status=0/SUCCESS)
CPU: 1.610s
Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding
Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful
Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service
Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service
Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service
Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service
Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service
Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service
Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit.
Looking at the ipaclient-install.log there are lines that are semi interesting but I
can't see how to progress from here to resolve the issue:
2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm
'DOMAIN.LOCAL' while getting initial credentials
2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes.
2024-04-12T16:25:52Z DEBUG stderr=
2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate
- virt01.domain.local
: PR_FILE_NOT_FOUND_ERROR: File not found
but if I run `kinit admin(a)server.domain.local` it authenticates.
The cert error is a red herring. It is looking to see if there is one
that needs to be cleaned up (there isn't).
Do you already have krb5.conf configured? Otherwise I don't know how the
KDC is contacted.
You can find the temporary krb5.conf that is used by the installer in
the log. You can put that into a file and try something like:
KRB5_CONFIG=/tmp/krb.conf KRB5_TRACE=/dev/stderr kinit admin
This should fail since this is doing the same thing as
ipa-client-install. The output may help identify what it's doing.
rob
1:06 p.m.
New subject: ipaclient-install.log certutil: Could not find cert:
On 12/04/2024 18.46, C Wilson via FreeIPA-users wrote:
Hello
I'm trying to roll out a new IPA server for our development environment and have
nicely automated the server installation process with Ansible but when I've come to
rolling out the clients I'm hitting this problem.
When running ipa-client-install:
ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL
--domain DOMAIN.local --principal admin --password 'adminpassword' -U
I recommend against use of .local TLD for an IPA installation. The
.local addresses are reserved for link-local networks, mDNS and
zeroconf. Host lookups for .local behave differently and may result in
surprising behavior.
Instead use one of the recommended TLDs from
https://www.rfc-editor.org/rfc/rfc6762#appendix-G or
https://www.rfc-editor.org/rfc/rfc2606.html .
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
40
days inactive
40
days old
freeipa-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
C Wilson -
Christian Heimes -
Rob Crittenden