On Mon, 2012-05-28 at 10:21 +0400, [email protected] wrote:
> Hi All,
>
> This one has me stumped!
> For some reason my CentOS 5.8 x64 Linux server hangs during
> "ipa-client-install"
>
> Server:
> * ipa-admintools-2.1.3-9.el6.x86_64
> * ipa-client-2.1.3-9.el6.x86_64
> * ipa-pki-ca-theme-9.0.3-7.el6.noarch
> * ipa-pki-common-theme-9.0.3-7.el6.noarch
> * ipa-python-2.1.3-9.el6.x86_64
> * ipa-server-2.1.3-9.el6.x86_64
> * ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Client:
> CentOS release 5.8 (Final) (x86_64)
> * ipa-client-2.1.3-2.el5_8
> * sssd-client-1.5.1-49.el5_8.1
>
> Questions:
> * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
> can run a native kerberos command?
> * Any tips welcome, I've tried straces and tcpdump to work this one out,
> hmm..
>
>
> Error:
> "ipa-client-install" runs fine and then hangs (without reason):
> [below is the chopped version]
>
> -------------------------------------------------------------------
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> Password for [email protected]:
> root : DEBUG args=kinit [email protected]
> root : DEBUG stdout=Password for [email protected]:
>
> root : DEBUG stderr=
> -------------------------------------------------------------------
>
> `ps -ef` on the client side shows that the install is getting stuck on
> "ipa-getkeytab" for some reason.
>
> root 15842 15814 0 15:09 pts/1 00:00:00 /usr/bin/python -E
> /usr/sbin/ipa-client-install -d
>
> root 15852 15842 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-join -s
> ipa-server.example.com -b dc=example,dc=com -d
>
> root 15853 15852 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-getkeytab
> -s ipa-server.example.com -p
> host/[email protected] -k /etc/krb5.keytab
>
>
> cya
>
> Craig
>
Hello Craig,

I think that in this case, strace may be a good choice to find out where it hangs. I assume you already have the IPA server installed and you are trying to install the IPA client on a different machine.

If you run ipa-getkeytab with strace separately from ipa-client-install, you can test where it hangs. You can use any principal existing in the IPA server, including host/[email protected] if the host entry exists.

To authenticate with ipa-getkeytab on a machine where ipa-client-install was unsuccessful, you can either manually configure /etc/krb5.conf to use the IPA server KDC and run kinit, or you could use the "-D BINDDN -w PASSWORD" options to authenticate via LDAP bind.

Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
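One way to act on the strace suggestion above, as an added example that is not part of the original thread or of FreeIPA: trace ipa-getkeytab on its own, then locate the system call that never returned and the peer its file descriptor was connected to. The trace lines, addresses and /tmp paths are constructed for illustration, PRINCIPAL is a placeholder, and the log format assumed is that of `strace -f -tt -o FILE`.

```python
import re

# Capture on the client (BINDDN, PASSWORD: the reply's placeholders; PRINCIPAL: elided on the page):
#   strace -f -tt -o /tmp/getkeytab.trace ipa-getkeytab -s ipa-server.example.com \
#       -p PRINCIPAL -k /tmp/test.keytab -D BINDDN -w PASSWORD

# Constructed sample of such a trace, cut off where the process hung.
SAMPLE_TRACE = """\
15853 15:09:41.101 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
15853 15:09:41.102 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
15853 15:09:41.110 close(3) = 0
15853 15:09:41.120 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
15853 15:09:41.121 connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
15853 15:09:41.131 poll([{fd=3, events=POLLIN|POLLPRI}], 1, -1 <unfinished ...>
"""

PREFIX = re.compile(r"^(\d+)\s+(?:[\d:.]+\s+)?(.*)$")   # pid, optional -tt time
CALL = re.compile(r"^(\w+)\((.*)$")                      # syscall name, arguments
FD = re.compile(r"fd=(\d+)|^(\d+)[,)]")                  # pollfd or first argument
PEER = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
RETURNED = re.compile(r"\)\s+= \S")                      # ") = <return value>"

def find_hang(trace):
    """Return (pid, syscall, fd, peer) for a call that never returned, else None."""
    peers, pending = {}, {}     # (pid, fd) -> "addr:port"; pid -> blocked call
    for raw in trace.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        pid, rest = m.groups()
        if rest.startswith("<... "):      # "<... poll resumed>" completes a call
            pending.pop(pid, None)
            continue
        call = CALL.match(rest)
        if not call:                      # signal and exit lines
            continue
        name, args = call.groups()
        fdm = FD.search(args)
        fd = int(fdm.group(1) or fdm.group(2)) if fdm else None
        peer = PEER.search(args) if name == "connect" else None
        if peer:
            peers[(pid, fd)] = "%s:%s" % (peer.group(2), peer.group(1))
        if not RETURNED.search(args):
            pending[pid] = (int(pid), name, fd, peers.get((pid, fd)))
        elif name == "close":
            peers.pop((pid, fd), None)    # the fd number may be reused later
    return list(pending.values())[-1] if pending else None

print(find_hang(SAMPLE_TRACE))
```

Retrieving a keytab resets the principal's key and invalidates its other keytabs, so test against a principal where that is acceptable. A password passed with -w is visible in the process list, as the `ps -ef` output in the original message shows for the other arguments.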
