On Wed, May 30, 2012 at 12:01:21PM -0400, Rob Crittenden wrote: > [email protected] wrote: > >On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote: > >>On Mon, 2012-05-28 at 10:21 +0400, [email protected] wrote: > >>>Hi All, > >>> > >>>This one has me stumped! > >>>For some reason my Centos 5.8 x64 Linux server hangs during > >>>"ipa-client-install" > >>> > >>>Server: > >>>* ipa-admintools-2.1.3-9.el6.x86_64 > >>>* ipa-client-2.1.3-9.el6.x86_64 > >>>* ipa-pki-ca-theme-9.0.3-7.el6.noarch > >>>* ipa-pki-common-theme-9.0.3-7.el6.noarch > >>>* ipa-python-2.1.3-9.el6.x86_64 > >>>* ipa-server-2.1.3-9.el6.x86_64 > >>>* ipa-server-selinux-2.1.3-9.el6.x86_64 > >>> > >>>Client: > >>>CentOS release 5.8 (Final) (x86_64) > >>>* ipa-client-2.1.3-2.el5_8 > >>>* sssd-client-1.5.1-49.el5_8.1 > >>> > >>>Questions: > >>>* Is there a better way to diagnose the ipa-getkeytab command? Perhaps I > >>> can run a native kerberos command? > >>>* Any tips welcome, I've tried straces and tcpdump to work this one out, > >>> hmm.. > >>> > >>> > >>>Error: > >>>"ipa-client-install" runs fine and then hangs (without reason): > >>>[below is the chopped version] > >>> > >>>------------------------------------------------------------------- > >>>[libdefaults] > >>> default_realm = EXAMPLE.COM > >>> dns_lookup_realm = true > >>> dns_lookup_kdc = true > >>> rdns = false > >>> ticket_lifetime = 24h > >>> forwardable = yes > >>> > >>>[realms] > >>> EXAMPLE.COM = { > >>> pkinit_anchors = FILE:/etc/ipa/ca.crt > >>> } > >>> > >>>[domain_realm] > >>> .example.com = EXAMPLE.COM > >>> example.com = EXAMPLE.COM > >>> > >>> > >>>Password for [email protected]: > >>>root : DEBUG args=kinit [email protected] > >>>root : DEBUG stdout=Password for [email protected]: > >>> > >>>root : DEBUG stderr= > >>>------------------------------------------------------------------- > >>> > >>>`ps -ef` on the client side, shows that the install is getting stuck on > >>>"ipa-getkeytab" for some reasons. > >>> > >>>root 15842 15814 0 15:09 pts/1 00:00:00 /usr/bin/python -E > >>>/usr/sbin/ipa-client-install -d > >>> > >>>root 15852 15842 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-join -s > >>>ipa-server.example.com -b dc=example,dc=com -d > >>> > >>>root 15853 15852 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-getkeytab > >>>-s ipa-server.example.com -p > >>>host/[email protected] -k /etc/krb5.keytab > >>> > >>> > >>>cya > >>> > >>>Craig > >>> > >> > >>Hello Craig, > >> > >>I think that in this case, strace may be a good choice to find out where > >>it hangs. I assume you already have the IPA server installed and you are > >>trying to install IPA client on different machine. > >yes that is correct > >> > >>If you run ipa-getkeytab with strace separately from ipa-client-install > >>you can test where it hangs. You can use any principal existing in IPA > >>server, including host/[email protected] if the host entry > >>exists. > >> > >>To authenticate with ipa-getkeytab on a machine where ipa-client-isntall > >>was unsuccessful you can either manually configure /etc/krb5.conf to use > >>IPA server KDC and run kinit or you could use "-D BINDDN -w PASSWORD" > >>options to authenticate via LDAP bind. > >Heres what I did, I'm not sure which part fixed it. But everything works > >fine now! > > > >Steps followed: > > > >1) Found an old policy referring to this client in the kerberos > >database, Naturally I deleted this. > > > >2) Fixed up the /etc/krb5.conf on the client& ran the ipa-getkeytab > >command (using an existing host principal). To my surprise this worked. > > > ># /usr/sbin/ipa-getkeytab -s sysvm-ipa.example.com -p \ > ># host/[email protected] -k /etc/krb5.keytab > ># Keytab successfully retrieved and stored in: /etc/krb5.keytab > > > >3) re-run the ipa-client-install > >It worked first time and problem solved. > > > >Any thoughts on the actual issue? could it have been the old policy > >entry? > > Can you provide any more information on what this policy was and > where it was stored? It was just a simple HBAC policy which allowed a couple of users to that host, on all services and from any client. At this stage I don't have an ldap dump to send you. But if I get time, I'll restore it from backup and send it over.
cya Craig > > rob > > > > >4) local keytab file > >The local keytab file looks fine now, I assume that there is an easy way > >to delete the craigpc principal entry? > > > >$ sudo klist -k /etc/krb5.keytab > >Keytab name: FILE:/etc/krb5.keytab > >KVNO Principal > >---- > >-------------------------------------------------------------------------- > > 2 host/[email protected] > > 2 host/[email protected] > > 2 host/[email protected] > > 2 host/[email protected] > > 2 host/[email protected] > > 1 host/[email protected] > > 1 host/[email protected] > > 1 host/[email protected] > > 1 host/[email protected] > > 1 host/[email protected] > > > >> > >>Martin > >> > > > >cya > > > >Craig > > > >_______________________________________________ > >Freeipa-users mailing list > >[email protected] > >https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
