[Freeipa-users] FreeIPA Replica / HA Issues

Jeff Hallyburton jeff.hallyburton at bloomip.com
Thu Jan 14 01:04:36 UTC 2016


We've deployed a FreeIPA server in a client infrastructure and now we're
working on making that setup HA.  We've created a replica and I can verify
that the replica has connectivity to the existing master and ensured that
the auto-discovery DNS records are set up for LDAP / Kerberos / etc, but
I'm having a couple of issues with clients:

1.  ipa-client-install fails with the following error whenever a server is
not explicitly specified (though explicitly specifying either the original
master OR the replica works fine):

trying https://ipa1.west-2.production.example.com/ipa/json

Cannot connect to the server due to Kerberos error: Kerberos error:
Kerberos error: ('Unspecified GSS failure.  Minor code may provide more
information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
-1765328230)/. Trying with delegate=True

trying https://ipa1.west-2.production.example.com/ipa/json

Second connect with delegate=True also failed: Kerberos error: Kerberos
error: ('Unspecified GSS failure.  Minor code may provide more
information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
-1765328230)/

Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos
error: ('Unspecified GSS failure.  Minor code may provide more
information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"',
-1765328230)/

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255

Unenrolling client from IPA server

Unenrolling host failed: Error obtaining initial credentials: Cannot find
KDC for requested realm.

What we see in the install logs is:

2016-01-14T00:45:39Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'
2016-01-14T00:45:39Z DEBUG Process finished, return code=1
2016-01-14T00:45:39Z DEBUG stdout=
2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available

2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-N' '-f' '/tmp/tmpPN7H8R'
2016-01-14T00:45:39Z DEBUG Process finished, return code=0
2016-01-14T00:45:39Z DEBUG stdout=
2016-01-14T00:45:39Z DEBUG stderr=
2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpCJNEzU' '-A' '-n' 'CA certificate 1' '-t' 'C,,'
2016-01-14T00:45:39Z DEBUG Process finished, return code=0
2016-01-14T00:45:39Z DEBUG stdout=
2016-01-14T00:45:39Z DEBUG stderr=
2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/test.west-2.production.example.com@EXAMPLE.COM'
2016-01-14T00:45:39Z DEBUG Process finished, return code=1
2016-01-14T00:45:39Z DEBUG stdout=
2016-01-14T00:45:39Z DEBUG stderr=keyctl_search: Required key not available

2016-01-14T00:45:39Z DEBUG failed to find session_cookie in persistent storage for principal 'host/test.west-2.production.example.com@EXAMPLE.COM'
2016-01-14T00:45:39Z INFO trying https://ipa1.west-2.production.example.com/ipa/json
2016-01-14T00:45:39Z INFO Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/. Trying with delegate=True
2016-01-14T00:45:39Z INFO trying https://ipa1.west-2.production.example.com/ipa/json
2016-01-14T00:45:39Z WARNING Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
2016-01-14T00:45:39Z ERROR Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for realm "EXAMPLE.COM"', -1765328230)/
2016-01-14T00:45:39Z ERROR Installation failed. Rolling back changes.
2016-01-14T00:45:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-01-14T00:45:39Z DEBUG Starting external process
2016-01-14T00:45:39Z DEBUG args='ipa-client-automount' '--uninstall' '--debug'
2016-01-14T00:45:40Z DEBUG Process finished, return code=0
2016-01-14T00:45:40Z DEBUG stdout=Restoring configuration

2.  Related to this, all of our existing clients have been configured with
explicit server= statements, meaning that they don't pick up the replica
either.  Is there any way to manually fix this post installation, or will
we simply have to uninstall and reinstall the ipa client?

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal:  https://my.bloomip.com
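Added note and example, not part of Jeff's post and not code from the FreeIPA project. Two things a practitioner would want to check against the output above, modeled offline in Python with constructed data (the realm, the domain and the ipa1 hostname come from the post; ipa2, the SRV answers and the config snippets are assumed). First, the records ipa-client-install uses to find a server (_ldap._tcp.<domain>) are not the records libkrb5 uses to find a KDC: once /etc/krb5.conf says dns_lookup_kdc = true and lists no kdc for the realm, libkrb5 queries _kerberos._udp.<realm> and _kerberos._tcp.<realm>, i.e. under EXAMPLE.COM rather than under west-2.production.example.com. A resolver that answers the first and not the second gives exactly the pattern in the log: an HTTPS attempt against ipa1 followed by "Cannot find KDC for realm". Second, for clients already enrolled against one explicit server, failover can be added in place by listing every replica as a kdc line under the realm in /etc/krb5.conf and in ipa_server in /etc/sssd/sssd.conf (or putting _srv_ first there), which is one option that avoids a reinstall. The script only shows the lookup logic; whether the real DNS matches is something to confirm with dig from the client itself.

```python
"""Offline model of how an enrolled FreeIPA client locates its KDC and IPA server.

Added example, not code from the post or from FreeIPA. The SRV table and the
config snippets are constructed; realm, domain and ipa1 come from the post,
ipa2 is an assumed replica name. Modeled behaviour (MIT krb5 documented):
explicit 'kdc =' lines for the realm win; with none, _kerberos._udp/_tcp.<realm>
SRV records are used only if dns_lookup_kdc is true. For SSSD, ipa_server with
one pinned host has no failover; '_srv_' asks SSSD for DNS SRV discovery.
"""
import configparser
import re

REALM = "EXAMPLE.COM"
DOMAIN = "west-2.production.example.com"
IPA1 = f"ipa1.{DOMAIN}"
IPA2 = f"ipa2.{DOMAIN}"  # assumed replica name; the post does not give one

# Constructed resolver view (assumed data). The IPA domain zone carries the
# discovery records the installer uses; the realm name itself, which is what
# libkrb5 queries with dns_lookup_kdc, has no _kerberos SRV records at all.
SRV_TABLE = {
    f"_ldap._tcp.{DOMAIN}": [(0, 100, 389, IPA1), (0, 100, 389, IPA2)],
    f"_kerberos._udp.{DOMAIN}": [(0, 100, 88, IPA1), (0, 100, 88, IPA2)],
    f"_kerberos._tcp.{DOMAIN}": [(0, 100, 88, IPA1), (0, 100, 88, IPA2)],
}


def srv_lookup(name):
    """Stand-in for a DNS SRV query: targets sorted by priority, then weight desc."""
    answers = SRV_TABLE.get(name.lower(), [])
    ordered = sorted(answers, key=lambda r: (r[0], -r[1]))
    return [f"{host}:{port}" for _prio, _weight, port, host in ordered]


def ipa_servers_via_dns(domain):
    """Installer-style discovery: _ldap._tcp under the client's DNS domain."""
    return srv_lookup(f"_ldap._tcp.{domain}")


def kdcs_via_dns(realm):
    """dns_lookup_kdc = true: _kerberos SRV under the realm name, udp then tcp."""
    found = []
    for proto in ("_udp", "_tcp"):
        for target in srv_lookup(f"_kerberos.{proto}.{realm}"):
            if target not in found:
                found.append(target)
    return found


def parse_krb5(text, realm):
    """Return (dns_lookup_kdc, [explicit kdc targets]) for one realm."""
    m = re.search(r"^\s*dns_lookup_kdc\s*=\s*(\w+)", text, re.M)
    dns_on = bool(m) and m.group(1).lower() == "true"
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", text, re.S)
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M) if block else []
    return dns_on, kdcs


def locate_kdcs(krb5_text, realm=REALM):
    """libkrb5 order: explicit kdc lines, else DNS SRV if enabled, else nothing."""
    dns_on, kdcs = parse_krb5(krb5_text, realm)
    if kdcs:
        return kdcs
    return kdcs_via_dns(realm) if dns_on else []


def sssd_ipa_servers(sssd_text, domain=DOMAIN):
    """ipa_server entries from the IPA domain section of sssd.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(sssd_text)
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def has_failover(servers):
    """True if SSSD still has somewhere to go when the first server is down."""
    return "_srv_" in servers or len(servers) >= 2


def krb5_conf(dns_lookup_kdc, kdcs):
    """Constructed krb5.conf in the general shape an IPA client carries (assumed)."""
    kdc_lines = "".join(f"  kdc = {h}:88\n" for h in kdcs)
    return (f"[libdefaults]\n default_realm = {REALM}\n dns_lookup_realm = false\n"
            f" dns_lookup_kdc = {'true' if dns_lookup_kdc else 'false'}\n\n[realms]\n"
            f" {REALM} = {{\n{kdc_lines}  pkinit_anchors = FILE:/etc/ipa/ca.crt\n }}\n")


KRB5_DISCOVERED = krb5_conf(True, [])        # relies entirely on SRV under the realm
KRB5_PINNED = krb5_conf(False, [IPA1])        # one server, as enrolling with --server leaves
KRB5_FIXED = krb5_conf(False, [IPA1, IPA2])   # every replica listed, edited in place

SSSD_PINNED = f"[domain/{DOMAIN}]\nid_provider = ipa\nipa_server = {IPA1}\n"
SSSD_FIXED = f"[domain/{DOMAIN}]\nid_provider = ipa\nipa_server = _srv_, {IPA1}, {IPA2}\n"

if __name__ == "__main__":
    print("installer sees via _ldap._tcp:", ipa_servers_via_dns(DOMAIN))
    for label, conf in (("discovered", KRB5_DISCOVERED), ("pinned", KRB5_PINNED),
                        ("fixed", KRB5_FIXED)):
        print(f"krb5.conf {label:10s} KDCs:", locate_kdcs(conf) or "none: Cannot find KDC for realm")
    for label, conf in (("pinned", SSSD_PINNED), ("fixed", SSSD_FIXED)):
        servers = sssd_ipa_servers(conf)
        print(f"sssd.conf {label:10s} ipa_server={servers} failover={has_failover(servers)}")
```

Run it as-is and the "discovered" krb5.conf resolves no KDC even though the installer's _ldap._tcp lookup returns both servers, while the pinned config resolves only ipa1 and the edited one resolves both. To apply the same check to a real client, replace SRV_TABLE with the answers dig returns on that client for _kerberos._udp.<realm> and _ldap._tcp.<domain>.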