[Freeipa-users] ipa-client-install hangs on ipa-getkeytab

Martin Kosek mkosek at redhat.com
Tue May 29 07:00:43 UTC 2012


On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
> Hi All,
> 
> This one has me stumped!
> For some reason my CentOS 5.8 x64 Linux server hangs during
> "ipa-client-install"
> 
> Server:
> * ipa-admintools-2.1.3-9.el6.x86_64
> * ipa-client-2.1.3-9.el6.x86_64
> * ipa-pki-ca-theme-9.0.3-7.el6.noarch
> * ipa-pki-common-theme-9.0.3-7.el6.noarch
> * ipa-python-2.1.3-9.el6.x86_64
> * ipa-server-2.1.3-9.el6.x86_64
> * ipa-server-selinux-2.1.3-9.el6.x86_64
> 
> Client:
> CentOS release 5.8 (Final) (x86_64)
> * ipa-client-2.1.3-2.el5_8
> * sssd-client-1.5.1-49.el5_8.1
> 
> Questions:
> * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
>   can run a native kerberos command? 
> * Any tips welcome, I've tried straces and tcpdump to work this one out,
>   hmm..
> 
> 
> Error:
> "ipa-client-install" runs fine and then hangs (without reason):
> [below is the chopped version]
> 
> -------------------------------------------------------------------
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
> 
> 
> Password for admin at EXAMPLE.COM: 
> root        : DEBUG    args=kinit admin at EXAMPLE.COM
> root        : DEBUG    stdout=Password for admin at EXAMPLE.COM: 
> 
> root        : DEBUG    stderr=
> -------------------------------------------------------------------
> 
> `ps -ef` on the client side shows that the install is getting stuck on
> "ipa-getkeytab" for some reason.
> 
> root     15842 15814  0 15:09 pts/1    00:00:00 /usr/bin/python -E
> /usr/sbin/ipa-client-install -d
> 
> root     15852 15842  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-join -s
> ipa-server.example.com -b dc=example,dc=com -d
> 
> root     15853 15852  0 15:09 pts/1    00:00:00 /usr/sbin/ipa-getkeytab
> -s ipa-server.example.com -p
> host/client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> 
> 
> cya
> 
> Craig
> 

Hello Craig,

I think that in this case, strace may be a good choice to find out where
it hangs. I assume you already have the IPA server installed and you are
trying to install IPA client on a different machine.

If you run ipa-getkeytab with strace separately from ipa-client-install
you can test where it hangs. You can use any principal existing in IPA
server, including host/client.example.com at EXAMPLE.COM if the host entry
exists.

To authenticate with ipa-getkeytab on a machine where ipa-client-install
was unsuccessful, you can either manually configure /etc/krb5.conf to use
the IPA server KDC and run kinit, or you could use "-D BINDDN -w PASSWORD"
options to authenticate via LDAP bind.

Martin
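
An added example, not part of Martin's message: one way to run ipa-getkeytab
under strace on its own and read the point of the hang out of the trace. The
function names and the sample trace are constructed for illustration; port 389
in the sample is only the standard LDAP port, not a finding from this thread.

```sh
# Run ipa-getkeytab on its own under strace, using the LDAP bind options
# (-D/-w) from the reply. Note: -w exposes the password in the process list.
# Usage: trace_getkeytab SERVER PRINCIPAL KEYTAB BINDDN PASSWORD LOGFILE
trace_getkeytab() {
    # -f: follow children, -tt: timestamps, -o: write the trace to LOGFILE
    strace -f -tt -o "$6" \
        ipa-getkeytab -s "$1" -p "$2" -k "$3" -D "$4" -w "$5"
}

# Report the last syscall in an strace log (file argument or stdin), the
# fd in its first argument, and the port that fd was connect()ed to.
# Assumes the first argument is the fd (read/write/poll/connect/recv).
hang_point() {
    awk '
        /^[0-9 :.]*(---|[+][+][+])/ { next }      # signal and exit markers
        {
            line = $0
            sub(/^[0-9]+ +/, "", line)            # pid column from -f
            sub(/^[0-9:.]+ +/, "", line)          # timestamp from -tt
            if (!match(line, /^[a-z_0-9]+\(/)) next
            name = substr(line, 1, RLENGTH - 1)
            rest = substr(line, RLENGTH + 1)
            fd = ""
            if (match(rest, /^([[][{]fd=)?[0-9]+/)) { fd = substr(rest, 1, RLENGTH); gsub(/[^0-9]/, "", fd) }
            if (name == "connect" && match(rest, /htons\([0-9]+\)/))
                port[fd] = substr(rest, RSTART + 6, RLENGTH - 7)
            lastname = name; lastfd = fd
        }
        END {
            out = lastname
            if (lastfd != "") out = out " fd=" lastfd
            if (lastfd != "" && (lastfd in port)) out = out " port=" port[lastfd]
            print out
        }
    ' "$@"
}

# Constructed trace for illustration; not taken from the thread.
sample_trace() {
    cat <<'EOF'
15853 15:09:41.102 connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
15853 15:09:41.105 write(3, "0\f\2\1\1"..., 14) = 14
15853 15:09:41.106 poll([{fd=3, events=POLLIN|POLLPRI}], 1, -1 <unfinished ...>
15853 15:14:02.000 +++ killed by SIGINT +++
EOF
}

sample_trace | hang_point    # prints: poll fd=3 port=389
```

A last call such as poll or read on a connected socket means the client is
waiting for the server to answer on that port; a last call of connect means
the connection itself never completed.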
