[Freeipa-devel] freeIPA + Fedora 9 + xen, can't get past ipa-finduser admin

Rob Crittenden rcritten at redhat.com
Sat May 17 01:12:08 UTC 2008


Sigh, sent this before I meant to...

Rob Crittenden wrote:
> Jaakan Shorter wrote:
>> I did
>>
>> Clean install of Fedora 9 within a XEN guest x64_86
>> static IP
>>
>> yum install ipa-server
>> ipa-server-install --setup-bind -N
>>
>> I got the bind server working correctly with the following
>> http://www.redhat.com/magazine/025nov06/features/dns/
>>
>>
>> I got stopped at the test doing a find admin user
>>
>> #ipa-finduser admin
>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>> provide more information/Server not found in Kerberos database
> 
> That definitely sounds like a DNS error. The host that it is trying to 
> connect to can't be found in the KDC.

The trouble is identifying which server it is trying to contact. I'd 
start by looking at what the value of 'server' is in /etc/ipa/ipa.conf 
and make sure that resolves properly. Check /etc/hosts too because 
Fedora is notorious for putting hostnames in the localhost entry. We try 
to catch this as best we can.

>> # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
> 
> You might want to explicitly list the

I was going to say explicitly list the host you want to connect to but 
I'm not so sure. There wasn't anything else, just Local error (-2)?

You might check /var/log/krb5kdc to see if anything got logged there or 
/var/log/dirsrv/slapd-INSTANCE/errors for the FDS error log (probably 
nothing because an auth failure isn't really an error).

I assume you did a kinit?

>> Troubleshooting Guide doesn't really help with this issue at all, nor
>> does "ensure that DNS is configured correctly" in the Install Guide.

There are so many ways DNS can be broken it isn't possible to iterate 
every one.

>> Shouldn't the "--setup-bind" switch take care of configuring the DNS 
>> correctly?

DNS was done as a best-effort on our part. It isn't fully baked (or 
supported).

rob
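
The two checks suggested above (what 'server' is set to in /etc/ipa/ipa.conf, and whether /etc/hosts puts a real hostname on the localhost entry) can be scripted. This is an added example, not part of the original message or of the FreeIPA code; the key=value layout of ipa.conf, the sample hostnames and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample inputs (not from the original post); file layout is assumed.
SAMPLE_IPA_CONF = """[defaults]
server=ipa.example.net
realm=EXAMPLE.NET
"""
SAMPLE_HOSTS = """127.0.0.1   ipa.example.net ipa localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
"""
LOCAL_NAMES = re.compile(r"^(localhost|ip6-(localhost|loopback))\d*(\.localdomain\d*)?$")

def ipa_server(conf_text):
    """Return the value of the 'server' key, or None if absent."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server":
            return value.strip()
    return None

def loopback_aliases(hosts_text):
    """Return non-localhost names that the hosts file maps to a loopback address."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if addr.is_loopback:
            found += [n for n in fields[1:] if not LOCAL_NAMES.match(n.lower())]
    return found

def server_on_loopback(conf_text, hosts_text):
    """True if the configured IPA server name appears on a loopback line."""
    server = ipa_server(conf_text)
    names = {n.lower().rstrip(".") for n in loopback_aliases(hosts_text)}
    return server is not None and server.lower().rstrip(".") in names

if __name__ == "__main__":
    print("server:", ipa_server(SAMPLE_IPA_CONF))
    print("names on loopback:", loopback_aliases(SAMPLE_HOSTS))
    print("server on loopback:", server_on_loopback(SAMPLE_IPA_CONF, SAMPLE_HOSTS))
```

To run it against a real host, pass the contents of /etc/ipa/ipa.conf and /etc/hosts to the same functions instead of the constructed samples.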