[Freeipa-users] Fedora 18 - FreeIPA + AD

Dmitri Pal dpal at redhat.com
Sun Jan 20 19:24:36 UTC 2013


On 01/20/2013 05:01 AM, MaSch wrote:
> On 1/19/13 8:16 PM, Dmitri Pal wrote:
>> What is the situation with the time on that box?
>> Was the time and time zone set correctly?
>> Is it a VM?
>> Can it be that the time drifted in some way?
>>
> The time zone is correct for my region (Europe/Berlin) as is the current time.
> It is a VM - running inside VMware Fusion 4 on OSX.
> I doubt that time drifted in between somehow in an unusual manner. I just tried again and checked:
>
> [root at ipa-server user]# klist
> Ticket cache: DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
> Default principal: admin at MATRIX.LOCAL
>
> Valid starting     Expires            Service principal
> 01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL at MATRIX.LOCAL
> [root at ipa-server user]# date
> Sun Jan 20 10:51:07 CET 2013
> [root at ipa-server user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
> ...
> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
> [root at ipa-server user]# date
> Sun Jan 20 10:51:12 CET 2013
>
> So the "ipa-adtrust-install" is issued while the krbtgt is valid. However as before kdestroy and subsequent kinit don't
> help.

Then it might be that the tgt is actually missing something that AD 2012
is now expecting and it is triggering a wrong message.
Please file a ticket or BZ.

>
> On 1/19/13 10:44 PM, Dale Macartney wrote:
>> Critical pre-req is definitely make sure DNS resolution is working in
>> advance. It's always a killer.
>>
>> If you use IPA managed DNS, use the following.
> Thanks for the pointer Dale, but I don't even get that far to do the actual trust. And as far as I can tell, DNS is
> set up correctly locally. The resolv.conf points to the IPA server itself (this is automatically changed during
> installation), atm no forwarding is done and DNS resolution of the ipa-server and ipa-domain work on the ipa-server itself.
>
> Regards Marco
>
>
>
>> On 01/19/2013 01:25 PM, MaSch wrote:
>>> Hello all,
>>>
>>> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a test server. However I do not even get past
>>> the initial (local) steps described in: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>>> The last step of the section "Install and configure IPA server" gives me the following error:
>>>
>>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
>>>
>>> However "kdestroy" followed by a consequent "kinit admin" does not help, I get the error again when trying
>>> to "ipa-adtrust-install"
>>>
>>> The ipaserver-install.log says :
>>> 2013-01-19T17:19:56Z DEBUG stderr=
>>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
>>>
>>> 2013-01-19T17:19:56Z DEBUG Starting external process
>>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
>>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
>>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin at MATRIX.LOCAL:
>>>
>>> 2013-01-19T17:19:57Z DEBUG stderr=
>>> 2013-01-19T17:19:57Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in
>>> run_script
>>>     return_value = main_function()
>>>
>>>   File "/usr/sbin/ipa-adtrust-install", line 304, in main
>>>     sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
>>>
>>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, exception: SystemExit: Outdated Kerberos credentials.
>>> Use kdestroy and kinit to update your ticket
>>>
>>> ______________________________________________________________________________________________________
>>>
>>>
>>> I tried to follow the instructions and stick to the plan - here is the history of commands I executed on a fresh Fedora
>>> 18 installation (after installing vmware tools in the vm) (long output is omitted and replaced by ...):
>>>
>>>
>>> [root at linux user]# yum update -y
>>> ...
>>> [root at linux user]# reboot
>>> [root at linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind
>>> samba4-client bind bind-dyndb-ldap
>>> ...
>>> [root at linux user]# echo "172.16.135.141    ipa-server.matrix.local ipa-server" >> /etc/hosts
>>> [root at linux user]# hostname ipa-server.matrix.local
>>> [root at linux user]# hostname
>>> ipa-server.matrix.local
>>> [root at linux user]# ping ipa-server.matrix.local
>>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
>>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 time=0.058 ms
>>> [root at linux user]# ipa-server-install -a mypassword1 -p mypassword2 --domain=matrix.local --realm=MATRIX.LOCAL
>>> --setup-dns --no-forwarders -U
>>> ... setup completes without errors
>>> [root at linux user]# kinit admin
>>> Password for admin at MATRIX.LOCAL:
>>> [root at linux user]# klist
>>> Ticket cache: DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
>>> Default principal: admin at MATRIX.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL at MATRIX.LOCAL
>>> [root at linux user]# id admin
>>> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
>>> [root at linux user]# getent passwd admin
>>> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
>>> [root at linux user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>> ==============================================================================
>>> This program will setup components needed to establish trust to AD domains for
>>> the FreeIPA Server.
>>>
>>> This includes:
>>>   * Configure Samba
>>>   * Add trust related objects to FreeIPA LDAP server
>>>
>>> To accept the default shown in brackets, press the Enter key.
>>>
>>>
>>> The following operations may take some minutes to complete.
>>> Please wait until the prompt is returned.
>>>
>>> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>>>
>>> ______________________________________________________________________________________________________
>>>
>>> The freeipa packages installed are :
>>>
>>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
>>> freeipa-python-3.1.0-2.fc18.x86_64
>>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>>> freeipa-admintools-3.1.0-2.fc18.x86_64
>>> freeipa-server-3.1.0-2.fc18.x86_64
>>> freeipa-client-3.1.0-2.fc18.x86_64
>>>
>>>
>>> Any help would be appreciated, perhaps I'm just missing a simple step.
>>>
>>>
>>> Regards
>>> Marco
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
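As an added example (not code from this thread or from FreeIPA), a small Python check that answers Dmitri's questions from the `klist` and `date` output Marco pasted: it parses the ticket table, compares the krbtgt lifetime against the local clock, and flags a TGT whose start time lies in the future, which indicates clock drift between the VM and the KDC rather than a stale ticket. The sample output below is constructed in the same layout as the thread's; the 5-minute skew tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout klist printed in the thread (the mail
# archive shows "at" where the real output has "@").
SAMPLE_KLIST = """\
Ticket cache: DIR::/run/user/1000/krb5cc_example/tktEXAMPLE
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
"""
SAMPLE_DATE = "Sun Jan 20 10:51:12 CET 2013"   # constructed `date` output

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$",
    re.MULTILINE,
)
KLIST_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return {service_principal: (valid_from, expires)} from klist output."""
    tickets = {}
    for start, end, princ in TICKET_RE.findall(text):
        tickets[princ] = (datetime.strptime(start, KLIST_FMT),
                          datetime.strptime(end, KLIST_FMT))
    return tickets


def tgt_status(tickets, realm, now, max_skew=timedelta(minutes=5)):
    """Classify the krbtgt for `realm` against the local clock `now`.

    Returns "missing", "not_yet_valid", "expired" or "valid". A start time
    more than max_skew ahead of `now` means the KDC and this host disagree
    about the time, which is worth checking before blaming the ticket.
    """
    tgt = tickets.get("krbtgt/%s@%s" % (realm, realm))
    if tgt is None:
        return "missing"
    start, end = tgt
    if start - now > max_skew:
        return "not_yet_valid"
    if now >= end:
        return "expired"
    return "valid"


def check_from_outputs(klist_text, date_text, realm):
    """Combine captured `klist` and `date` output; drops the TZ token from date."""
    parts = date_text.split()
    now = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    return tgt_status(parse_klist(klist_text), realm, now)
```

Run against the thread's timestamps the TGT comes back "valid", which matches Marco's observation that the error is not explained by ticket expiry.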