[Freeipa-users] ipa-client-install hangs on ipa-getkeytab
Martin Kosek
mkosek at redhat.com
Tue May 29 07:00:43 UTC 2012
On Mon, 2012-05-28 at 10:21 +0400, freeipa at noboost.org wrote:
> Hi All,
>
> This one has me stumped!
> For some reason my CentOS 5.8 x64 Linux server hangs during
> "ipa-client-install"
>
> Server:
> * ipa-admintools-2.1.3-9.el6.x86_64
> * ipa-client-2.1.3-9.el6.x86_64
> * ipa-pki-ca-theme-9.0.3-7.el6.noarch
> * ipa-pki-common-theme-9.0.3-7.el6.noarch
> * ipa-python-2.1.3-9.el6.x86_64
> * ipa-server-2.1.3-9.el6.x86_64
> * ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Client:
> CentOS release 5.8 (Final) (x86_64)
> * ipa-client-2.1.3-2.el5_8
> * sssd-client-1.5.1-49.el5_8.1
>
> Questions:
> * Is there a better way to diagnose the ipa-getkeytab command? Perhaps I
> can run a native kerberos command?
> * Any tips welcome, I've tried straces and tcpdump to work this one out,
> hmm..
>
>
> Error:
> "ipa-client-install" runs fine and then hangs (without reason):
> [below is the chopped version]
>
> -------------------------------------------------------------------
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> Password for admin@EXAMPLE.COM:
> root : DEBUG args=kinit admin@EXAMPLE.COM
> root : DEBUG stdout=Password for admin@EXAMPLE.COM:
>
> root : DEBUG stderr=
> -------------------------------------------------------------------
>
> `ps -ef` on the client side shows that the install is getting stuck on
> "ipa-getkeytab" for some reason.
>
> root 15842 15814 0 15:09 pts/1 00:00:00 /usr/bin/python -E
> /usr/sbin/ipa-client-install -d
>
> root 15852 15842 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-join -s
> ipa-server.example.com -b dc=example,dc=com -d
>
> root 15853 15852 0 15:09 pts/1 00:00:00 /usr/sbin/ipa-getkeytab
> -s ipa-server.example.com -p
> host/client.example.com@EXAMPLE.COM -k /etc/krb5.keytab
>
>
> cya
>
> Craig
>
Hello Craig,

I think that in this case, strace may be a good choice to find out where
it hangs. I assume you already have the IPA server installed and you are
trying to install the IPA client on a different machine.

If you run ipa-getkeytab with strace separately from ipa-client-install,
you can test where it hangs. You can use any principal existing in the IPA
server, including host/client.example.com@EXAMPLE.COM if the host entry
exists.

To authenticate with ipa-getkeytab on a machine where ipa-client-install
was unsuccessful, you can either manually configure /etc/krb5.conf to use
the IPA server KDC and run kinit, or you could use the "-D BINDDN -w PASSWORD"
options to authenticate via LDAP bind.

Martin
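
Added example (not part of the reply above, and not FreeIPA code): once ipa-getkeytab has been traced on its own as suggested, this helper reads the strace log and reports the last system call, its file descriptor, the peer that descriptor was connected to, and whether the call was still blocked. The sample trace is constructed, and the function names and /tmp paths are assumptions.

```bash
#!/bin/bash
# Capture a trace on the client first, interrupting it once it hangs:
#   strace -tt -o /tmp/getkeytab.trace ipa-getkeytab -s ipa-server.example.com \
#       -p host/client.example.com@EXAMPLE.COM -k /tmp/test.keytab
# then run: blocked_call /tmp/getkeytab.trace   (/tmp paths are placeholders)

# Report the last syscall in a strace log, its fd, the peer that fd was
# connected to, and whether the call returned or was still blocked.
blocked_call() {
    awk '
    /[a-z0-9_]+\(/ {                       # syscall lines only, skips +++/--- lines
        match($0, /[a-z0-9_]+\(/)
        name = substr($0, RSTART, RLENGTH - 1)
        rest = substr($0, RSTART + RLENGTH)
        fd = ""
        if (match(rest, /^[0-9]+/))        fd = substr(rest, 1, RLENGTH)
        else if (match(rest, /fd=[0-9]+/)) fd = substr(rest, RSTART + 3, RLENGTH - 3)
        # remember which address each socket fd was connected to
        if (name == "connect" && match($0, /inet_addr\("[^"]*"\)/)) {
            addr = substr($0, RSTART + 11, RLENGTH - 13)
            port = "?"
            if (match($0, /htons\([0-9]+\)/)) port = substr($0, RSTART + 6, RLENGTH - 7)
            peer[fd] = addr ":" port
        }
        if (name == "close") delete peer[fd]   # fd numbers get reused
        last_name = name; last_fd = fd
        # no return value, or an interrupted restartable call, means it was waiting
        blocked = ($0 !~ /\) *= / || $0 ~ /= \? ERESTART/)
        last_state = blocked ? "blocked" : "returned"
    }
    END {
        if (last_name == "") { print "no syscalls found"; exit 1 }
        p = (last_fd in peer) ? peer[last_fd] : "unknown"
        printf "%s fd=%s peer=%s state=%s\n", last_name, (last_fd == "" ? "-" : last_fd), p, last_state
    }' "$@"
}

# Constructed sample in `strace -tt -o FILE` format (not taken from the thread).
sample_trace() {
cat <<'EOF'
15:09:41.101 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
15:09:41.102 connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
15:09:41.150 write(3, "0\f\2\1\1"..., 14) = 14
15:09:41.151 poll([{fd=3, events=POLLIN|POLLPRI}], 1, -1 <unfinished ...>
+++ killed by SIGKILL +++
EOF
}

sample_trace | blocked_call
```

A trace records command arguments and socket payloads, so one taken while using -D/-w can contain the bind password; keep the file readable by root only and delete it afterwards.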