[Freeipa-users] error: Realm not local to KDC

Sylvain Angers sylvainangers at gmail.com
Tue Jan 15 22:57:34 UTC 2013


Hello

Please help me troubleshoot the following issue, thank you in advance!

Some RHEL 6.2 clients have problems authenticating against IPA v2.2,
while some others on the same domain do not have the issue but still get the same
error "Failed to init credentials: Realm not local to KDC"

hostname of client that works = mtl-vdi02d.cnppd.lab
hostname of client that does not work = mtl-vdi08d.cnppd.lab
all VMs are on RHEV

ipa server (mtl-ipa01d.unix.cnppd.lab)  is on unix.cnppd.lab  because we
have AD
ip client are on cnppd.lab
Windows machines are also on cnppd.lab, connected to "Active directory"

so we have a stub that redirects requests for unix.cnppd.lab to our ipa

the client can resolve ipa and vice versa

[root@mtl-vdi08d log]# nslookup mtl-ipa01d.unix.cnppd.lab
Server:         165.115.58.16
Address:        165.115.58.16#53

Non-authoritative answer:
Name:   mtl-ipa01d.unix.cnppd.lab
Address: 165.115.118.21

[root@mtl-vdi08d log]# nslookup unix.cnppd.lab
Server:         165.115.58.16
Address:        165.115.58.16#53

Non-authoritative answer:
Name:   unix.cnppd.lab
Address: 165.115.118.21

[root@mtl-vdi08d log]# cat /etc/resolv.conf
# Generated by NetworkManager
domain cnppd.lab
search cnppd.lab cn.ca
nameserver 165.115.58.16



we all get this message in our logs

(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1943]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1944]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1945]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1946]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1947]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1954]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1955]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1956]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1957]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC


while I can reinstall ipa-client on mtl-vdi02d and it will still work

if I do the same with mtl-vdi08d, it will still not work




[root@mtl-vdi08d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB --mkhomedir
Discovery was successful!
Hostname: mtl-vdi08d.cnppd.lab
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@UNIX.CNPPD.LAB:

Enrolled in IPA realm UNIX.CNPPD.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.
[root@mtl-vdi08d ~]#




see the "Unable to find 'admin' user with 'getent passwd admin'!" message

[root@mtl-vdi08d log]# getent passwd t154793
[root@mtl-vdi08d log]#


[root@mtl-vdi02d t154793]# getent passwd t154793
t154793:*:1947600004:1947600004:Sylvain Angers:/home/t154793:/bin/bash
[root@mtl-vdi02d t154793]#


What could be the cause?
Any assistance would be appreciated

Thank you!


-- 
Sylvain Angers