I am glad to hear that. Can you just please send me the respective AVCs from /var/log/audit/audit.log? FreeIPA software is supposed to be run with SELinux enforced and we do our best so that it really works with SELinux enforced.
Thanks,
Martin

On 07/18/2013 06:09 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> SOLUTION
>
> Just to follow up, I found that SELinux was the problem. Once I ran
> "#setenforce 0" the ipa-client-install script worked with no issue and my
> client got a valid certificate. Thanks for looking!
>
> Matthew Shapiro
>
>
> -----Original Message-----
> From: Martin Kosek [mailto:[email protected]]
> Sent: Thursday, July 18, 2013 1:15 AM
> To: Shapiro, Matthew E CTR DODHRA DMDC (US)
> Cc: [email protected]
> Subject: Re: [Freeipa-users] help: ipa error 4301
>
> On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
>> Hi,
>>
>> While running the ipa-client-install script on a RHEL 6.4 server, I get the
>> following output (please note the indicated line with the arrow):
>>
>> [root@[hostname]]# ipa-client-install
>> Discovery was successful!
>> Hostname: [hostname]
>> Realm: example.com
>> DNS Domain: example.com
>> IPA Server: chtvm-389.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Password for admin example com:
>>
>> Enrolled in IPA realm example.com
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm example.com
>> SSSD enabled
>> Kerberos 5 enabled
>> ---> Unable to find 'admin' user with 'getent passwd admin'!
>> Recognized configuration: SSSD
>> NTP enabled
>> Client configuration complete.
>>
>> Also, please note that I've obfuscated the hostname, domain, and realm for
>> security reasons. I believe I've narrowed down the problem to certificate
>> enrollment. When I check my IPA Server Web UI, I have a notice in my host
>> details that says "no valid certificate present." I then checked my client
>> host by running:
>>
>> [root@hostname user]# ipa-getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130717205230':
>>         status: CA_UNCONFIGURED
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - hostname.example.com',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - hostname.example.com '
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> I'm concerned about that "stuck" field, I have no idea what that means.
>> I have other RHEL 6.4 clients that have been able to join my IPA domain with
>> no issue at all, but this one client baffles me. Any thoughts??
>>
>> ----------------------------------------------------------------------
>> Matthew Shapiro
>> Systems Administrator
>>
>> Trofholz Technologies, Inc.
>> Defense Personnel and Security Research Center (PERSEREC)
>> Defense Manpower Data Center (DMDC)
>> Office: 831.583.2828
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> There seems to be something wrong with the host keytab:
>
> ...
>
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
>
> Can you check if the host principal in the keytab is correct?
>
> # klist -kt /etc/krb5.keytab
>
> Are you able to kinit with the host principal?
>
> # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]
>
> Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
> is this still not working?
>
> # getent passwd admin
>
> Martin
> _______________________________________________

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
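Martin asks for the AVCs behind the failure rather than leaving the client in permissive mode. As an added example that is not from this thread or from the FreeIPA project, here is a small POSIX shell helper that pulls the SELinux denial records out of an audit log and reduces each to the fields worth pasting into a reply (process, denied permission, source and target context, target class); the audit lines embedded in it are constructed to resemble such a log, not the reporter's real output.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Extract SELinux AVC denial records from an audit log and reduce each to
# the fields worth reporting: process, denied permission(s), source context,
# target context and target class.

# Constructed sample of audit.log lines (not the reporter's real log), shaped
# like what a confined certmonger and an ipa-client-install run might leave.
# Note the kernel truncates comm= to 15 characters ("ipa-client-inst").
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1374177600.101:201): avc:  denied  { read } for  pid=2314 comm="certmonger" name="krb5.keytab" dev=dm-0 ino=394211 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1374177600.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="certmonger" exe="/usr/sbin/certmonger"
type=AVC msg=audit(1374177600.105:202): avc:  denied  { open } for  pid=2314 comm="certmonger" path="/etc/krb5.keytab" dev=dm-0 ino=394211 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1374177601.220:203): avc:  denied  { name_connect } for  pid=2401 comm="ipa-client-inst" dest=389 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
EOF
}

# One pipe-separated line per AVC record: comm|perms|scontext|tcontext|tclass.
# SYSCALL and other record types are dropped; only "denied" AVCs are kept.
summarize_avcs() {
    grep '^type=AVC ' "$1" | sed -n \
        's/.*avc: *denied *{ \([^}]*\) } .*comm="\([^"]*\)".*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2|\1|\3|\4|\5/p'
}

# Number of denial records in the log (no surrounding whitespace).
denied_count() {
    summarize_avcs "$1" | wc -l | tr -d ' '
}

# Distinct processes that hit a denial, one per line, sorted.
avc_processes() {
    summarize_avcs "$1" | cut -d'|' -f1 | sort -u
}

# Stand-alone run: summarise a real log if one is given, else the sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    sample_audit_log > "$log"
fi
printf 'denials: %s\n' "$(denied_count "$log")"
summarize_avcs "$log"
```

Denials are still written to audit.log in permissive mode, so the records can be collected after `setenforce 0` without re-breaking the client.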
