Rob,

Full log is attached.

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com
Engineering Support: [email protected]
Billing Support: [email protected]
Customer Support Portal: https://my.bloomip.com

On Wed, Jan 13, 2016 at 8:35 PM, Rob Crittenden <[email protected]> wrote:
> Jeff Hallyburton wrote:
> > We've deployed a FreeIPA server in a client infrastructure and now we're
> > working on making that setup HA. We've created a replica and I can
> > verify that the replica has connectivity to the existing master and
> > ensured that the auto-discovery DNS records are set up for LDAP /
> > Kerberos / etc, but I'm having a couple of issues with clients:
> >
> > 1. ipa-client-install fails with the following error whenever a server
> > is not explicitly specified (though explicitly specifying either the
> > original master OR the replica works fine):
> >
> > trying https://ipa1.west-2.production.example.com/ipa/json
> >
> > Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True
> >
> > trying https://ipa1.west-2.production.example.com/ipa/json
> >
> > Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
> >
> > Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
> >
> > Installation failed. Rolling back changes.
> >
> > Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
> >
> > Unenrolling client from IPA server
> >
> > Unenrolling host failed: Error obtaining initial credentials: Cannot find KDC for requested realm.
> >
> >
> > What we see in the install logs is:
> >
> > 2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/[email protected]'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> >
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=0
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/[email protected]'
> >
> > 2016-01-14T00:45:39Z DEBUG Process finished, return code=1
> >
> > 2016-01-14T00:45:39Z DEBUG stdout=
> >
> > 2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
> >
> >
> > 2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent storage for principal 'host/[email protected]'
> >
> > 2016-01-14T00:45:39Z INFO trying https://ipa1.west-2.production.example.com/ipa/json
> >
> > 2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True
> >
> > 2016-01-14T00:45:39Z INFO trying https://ipa1.west-2.production.example.com/ipa/json
> >
> > 2016-01-14T00:45:39Z WARNING Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
> >
> > 2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
> >
> > 2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.
> >
> > 2016-01-14T00:45:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >
> > 2016-01-14T00:45:39Z DEBUG Starting external process
> >
> > 2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall' '--debug'
> >
> > 2016-01-14T00:45:40Z DEBUG Process finished, return code=0
> >
> > 2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration
> >
> >
> > 2. Related to this, all of our existing clients have been configured
> > with explicit server= statements, meaning that they don't pick up the
> > replica either. Is there any way to manually fix this post
> > installation, or will we simply have to uninstall and reinstall the ipa
> > client?
>
> It would be easier to see what is going on by looking at the full
> /var/log/ipaclient-install.log. What we need to see is how discovery
> went and what the contents of various configuration files, temporary and
> permanent, are.
>
> rob
ipaclient-install.log
Description: Binary data
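
A triage pass over a log in the format quoted in this thread, as an added example that is not part of the original messages: it pairs each external command with its return code and collects WARNING/ERROR entries and the Kerberos error tuples. The sample lines and the host principal in them are constructed.

```python
import re

# Constructed sample in the format quoted in the thread; the host principal is a placeholder.
SAMPLE_LOG = """\
2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/client.example.com@EXAMPLE.COM'
2016-01-14T00:45:39Z DEBUG Process finished, return code=1
2016-01-14T00:45:39Z DEBUG stdout=
2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available
2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'
2016-01-14T00:45:39Z DEBUG Process finished, return code=0
2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.
"""

ENTRY = re.compile(r"^(\S+Z) (DEBUG|INFO|WARNING|ERROR) (.*)$")
GSS_TUPLE = re.compile(r"\('([^']*)', (-?\d+)\)")  # ('message', code) pairs

def triage(log_text):
    """Return failed external commands, WARNING/ERROR entries and Kerberos error tuples."""
    failed, problems, krb = [], [], {}
    pending_args = None
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue  # wrapped continuation line, not a new entry
        ts, level, msg = m.groups()
        if msg.startswith("args="):
            pending_args = msg[len("args="):]
        elif msg.startswith("Process finished, return code="):
            rc = int(msg.rsplit("=", 1)[1])
            if rc != 0 and pending_args is not None:
                failed.append((pending_args, rc))
            pending_args = None
        if level in ("WARNING", "ERROR"):
            problems.append((ts, level, msg))
        for text, code in GSS_TUPLE.findall(msg):
            krb[(text, int(code))] = None  # dict keeps first-seen order, drops repeats
    return {"failed_commands": failed, "problems": problems, "kerberos_errors": list(krb)}

if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key)
        for value in values:
            print("  ", value)
```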
