Troubleshooting IPA
Recently I came across an issue when trying to install the ipa-client on a server. After running ipa-client-install I would be getting the following error message, and it would roll back. However it would partially work as the server would show it was enrolled in the IPA Server, and I would then have to delete the server before trying again. Here is what I did for troubleshooting IPA in my environment.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Tue Jul 11 19:13:50 2017 UTC
Valid Until: Sat Jul 11 19:13:50 2037 UTC
Enrolled in IPA realm EXAMPLE.COM
Attempting to get host TGT...
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Now, looking into it further I couldn’t see anything under /var/log for kerberos, so I looked at the one for ipa-client-install.log
# cat /var/log/ipa-client-install.log
In there I saw a message about how keytab contains no suitable keys for host/[email protected]
stderr=kinit: Keytab contains no suitable keys for host/[email protected] while getting initial credentials
Resolution
Make sure the format of the entries in /etc/hosts are in the proper order of “IP FQDN Shortname”. Looking at the host file on the impacted servers I found that indeed they only had the
# vim /etc/hosts
10.0.0.1 server.example.com server
Root Cause
The install fails due to /etc/hosts entry not being in the proper order. The keytab the install is looking for is host/[email protected]. The systems keytab is host/[email protected].
Diagnostic Steps
[root@server ~]# ipa-client install -d … args=/usr/bin/kinit -k -t /etc/krb5.keytab host/[email protected] stdout= stderr=kinit: Keytab contains no suitable keys for host/[email protected] while getting initial credentials Failed to obtain host TGT. Installation failed. Rolling back changes. IPA client is not configured on this system. [root@server ~]# klist -kt /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal ------------------------------------------------------- 2 08/24/16 08:10:14 host/[email protected] 2 08/24/16 08:10:14 host/[email protected] 2 08/24/16 08:10:14 host/[email protected] 2 08/24/16 08:10:14 host/[email protected]
It took some time to search these issues out, based on the output of the error message at first I thought it was a firewall issue. However, I was able to telnet to the IPA server with all the ports listed without issues. Therefore I began to think it wasn’t really a firewall issue and started looking for other vectors that could be preventing me from joining the IPA server successfully.
Once the host file was fixed, the installation and joining to the IPA server went through without a problem. If you end up having a similar issue in the future, hopefully, this will help you get through your problem.
If you have any questions or comments, please feel free to drop me an email or comment.
Cheers,
Ivan Windon – RHCSA
1 Response
[…] had an irritating issue with my IPA Server, and it had puzzled me for a while. It didn’t prevent things from working, but made it more […]