On 03/19/2014 10:37 PM, Shree wrote:
> Hello
> I was able to successfully move all my clients to the replica except on the
> process I had to upgrade the client to "ipa-client-3.0.0-37.el6.x86_64" and
> sometimes run a --uninstall. But it works for the most part. Have been
> struggling with one last host with errors like below. I have tested the port
> connectivity using telnet and netcat commands but the install thinks these
> ports are blocked?
>
> kerberos authentication failed
> kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial
> credentials
>
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> Client uninstall complete.
> [root@www /]#
>
> In the /var/log/ipaclient-install.log I also see things like below. I get
> Autodiscovery failures but I am manually entering things and they have been
> working.
>
> 2014-03-19T21:13:47Z DEBUG Found:
> cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
> 2014-03-19T21:13:47Z DEBUG Discovery result: Success;
> server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com,
> basedn=dc=mydomain,dc=com
> 2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
> 2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server
> indicates that your resolv.conf file is not properly configured.
> 2014-03-19T21:13:47Z INFO Autodiscovery of servers for failover cannot work
> with this configuration.
> 2014-03-19T21:13:47Z INFO If you proceed with the installation, services will
> be configured to always access the discovered server for all operations and
> will not fail over to other servers in case of failure.

Ok. I would guess you have some DNS issue. But it is hard to tell without the
entire ipaclient-install.log of the failed installation.

Martin
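
A triage helper for the log excerpt quoted in this message, added here as an example and not code from the thread or from the FreeIPA project: it extracts the discovery result and lists which host each port from the installer's message should be tested against. It assumes the "Discovery result" line always has the field order seen in the excerpt; the function names and the sample text (the quoted lines with mail wraps rejoined) are constructed for illustration.

```python
import re

# Constructed sample: the log excerpt quoted in the message, mail line wraps rejoined.
SAMPLE_LOG = """\
2014-03-19T21:13:47Z DEBUG Found: cn=MYDOMAIN.COM,cn=kerberos,dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Discovery result: Success; server=ldap2.mydomain.com, domain=mydomain.com, kdc=ldap.mydomain.com, basedn=dc=mydomain,dc=com
2014-03-19T21:13:47Z DEBUG Validated servers: ldap2.mydomain.com
2014-03-19T21:13:47Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
"""

# Assumption: field order in the "Discovery result" line is as in the excerpt.
DISCOVERY = re.compile(
    r"Discovery result: (?P<status>\w+); server=(?P<server>[^,]+), "
    r"domain=(?P<domain>[^,]+), kdc=(?P<kdc>[^,]+), basedn=(?P<basedn>.+)$")

def parse_discovery(log_text):
    """Collect discovery fields, validated servers and the DNS warning flag."""
    result = {"validated": [], "dns_warning": False}
    for line in log_text.splitlines():
        match = DISCOVERY.search(line)
        if match:
            result.update(match.groupdict())
        elif "Validated servers:" in line:
            result["validated"] = line.split("Validated servers:", 1)[1].split()
        elif "failure to use DNS" in line:
            result["dns_warning"] = True
    return result

def ports_to_check(result):
    """Map each discovered host to the TCP ports it has to answer on."""
    checks = {}
    if "kdc" in result:
        checks.setdefault(result["kdc"], set()).update({88, 464})    # Kerberos, kpasswd
    if "server" in result:
        checks.setdefault(result["server"], set()).update({80, 389})  # HTTP, LDAP
    return {host: sorted(ports) for host, ports in checks.items()}

def findings(result):
    """Return notes on things worth verifying by hand."""
    notes = []
    if result.get("kdc") and result["kdc"] not in result["validated"]:
        notes.append("KDC %s is not among validated servers %s; test port 88 against it"
                     % (result["kdc"], result["validated"]))
    if result["dns_warning"]:
        notes.append("DNS discovery failed; check resolv.conf and SRV records")
    return notes

if __name__ == "__main__":
    parsed = parse_discovery(SAMPLE_LOG)
    print(ports_to_check(parsed))
    for note in findings(parsed):
        print("-", note)
```

On the quoted excerpt this reports that the discovered KDC (ldap.mydomain.com) is a different host from the validated server (ldap2.mydomain.com), so a telnet or netcat test against only one of them does not cover every port in the installer's list.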
