[Freeipa-devel] freeIPA + Fedora 9 + xen, can't get past ipa-finduser admin

Jaakan Shorter jaakanshorter at gmail.com
Sat May 17 02:39:23 UTC 2008


Thanks Rob for the fast reply. I'll have to look into all that Monday.
I'm going to read up on bind, ldap, and Kerberos over the weekend. You
gave me some ideas of where to look. I can see a lot of work has gone
into this.

BTW: this is a very cool project.

On Fri, 2008-05-16 at 21:12 -0400, Rob Crittenden wrote:
> Sigh, sent this before I meant to...
> 
> Rob Crittenden wrote:
> > Jaakan Shorter wrote:
> >> I did
> >>
> >> Clean install of Fedora 9 within a XEN guest x86_64
> >> static IP
> >>
> >> yum install ipa-server
> >> ipa-server-install --setup-bind -N
> >>
> >> I got the bind server working correctly with the following
> >> http://www.redhat.com/magazine/025nov06/features/dns/
> >>
> >>
> >> I got stopped at the test doing a find admin user
> >>
> >> #ipa-finduser admin
> >> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
> >> provide more information/Server not found in Kerberos database
> > 
> > That definitely sounds like a DNS error. The host that it is trying to 
> > connect to can't be found in the KDC.
> 
> The trouble is identifying which server it is trying to contact. I'd 
> start by looking at what the value of 'server' is in /etc/ipa/ipa.conf 
> and make sure that resolves properly. Check /etc/hosts too because 
> Fedora is notorious for putting hostnames in the localhost entry. We try 
> to catch this as best we can.
> 
> >> # ldapsearch -Y GSSAPI -b "dc=(mydomain),dc=net" uid=admin
> >> SASL/GSSAPI authentication started
> >> ldap_sasl_interactive_bind_s: Local error (-2)
> > 
> > You might want to explicitly list the
> 
> I was going to say explicitly list the host you want to connect to but 
> I'm not so sure. There wasn't anything else, just Local error (-2)?
> 
> You might check /var/log/krb5kdc to see if anything got logged there or 
> /var/log/dirsrv/slapd-INSTANCE/errors for the FDS error log (probably 
> nothing because an auth failure isn't really an error).
> 
> I assume you did a kinit?
> 
> >> The Troubleshooting Guide doesn't really help with this issue at all, nor
> >> does "ensure that DNS is configured correctly" in the Install Guide.
> 
> There are so many ways DNS can be broken it isn't possible to iterate 
> every one.
> 
> >> Shouldn't the "--setup-bind" switch take care of configuring the DNS 
> >> correctly?
> 
> DNS was done as a best-effort on our part. It isn't fully baked (or 
> supported).
> 
> rob
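An added example, not code from the thread or from FreeIPA: a small POSIX shell script that walks through the checks Rob lists above (the 'server' value in /etc/ipa/ipa.conf, whether it resolves to a real address, whether it sits on the localhost line of /etc/hosts, whether kinit was run). The "server=" line format in ipa.conf is an assumption; the helpers take file paths so they can be tried against copies of the files.

```shell
#!/bin/sh
# Added example, not part of the thread: walks through the checks Rob
# suggests for "Server not found in Kerberos database". The layout of
# /etc/ipa/ipa.conf (a "server=<host>" line) is an assumption; the log
# paths are the ones Rob names.

# Print the value of 'server' from an ipa.conf-style file ($1).
ipa_server_from_conf() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if host $1 is listed on a loopback (127.0.0.1 or ::1) line of
# hosts file $2: the localhost-entry mistake Rob says Fedora is prone to.
hostname_on_loopback() {
    grep -E '^[[:space:]]*(127\.0\.0\.1|::1)[[:space:]]' "$2" | grep -qFw "$1"
}

# Succeed if host $1 resolves (system resolver) to a non-loopback address.
resolves_nonloopback() {
    addr=$(getent hosts "$1" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] && [ "$addr" != "127.0.0.1" ] && [ "$addr" != "::1" ]
}

# Run all checks; print findings and return the number of problems found.
check_ipa_client() {
    conf=${1:-/etc/ipa/ipa.conf}; hosts=${2:-/etc/hosts}; problems=0
    server=$(ipa_server_from_conf "$conf")
    if [ -z "$server" ]; then
        echo "no 'server=' entry in $conf"; problems=$((problems + 1))
    else
        echo "server from $conf: $server"
        resolves_nonloopback "$server" || { echo "$server does not resolve to a non-loopback address"; problems=$((problems + 1)); }
        hostname_on_loopback "$server" "$hosts" && { echo "$server sits on a loopback line in $hosts"; problems=$((problems + 1)); }
    fi
    # klist -s exits 0 only when the credential cache holds a valid ticket (did you kinit?).
    klist -s 2>/dev/null || { echo "no Kerberos ticket: run kinit first"; problems=$((problems + 1)); }
    echo "next: check /var/log/krb5kdc and /var/log/dirsrv/slapd-INSTANCE/errors"
    return "$problems"
}

# Run the checks only when invoked as: sh check.sh --check [ipa.conf] [hosts]
if [ "${1:-}" = "--check" ]; then
    check_ipa_client "${2:-}" "${3:-}"
fi
```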
