Troubleshooting IPA Client issues


Troubleshooting IPA

Recently I came across an issue when trying to install the IPA client on a server. After running ipa-client-install I would get the error message below, and the installer would roll back. The enrollment had partially succeeded, though: the IPA server showed the host as enrolled, so I had to delete the host entry there (ipa host-del) before each retry. Here is what I did to troubleshoot IPA in my environment.

Successfully retrieved CA cert
  Subject:  CN=Certificate Authority,O=EXAMPLE.COM
  Issuer:   CN=Certificate Authority,O=EXAMPLE.COM
  Valid From: Tue Jul 11 19:13:50 2017 UTC
  Valid Until: Sat Jul 11 19:13:50 2037 UTC

Enrolled in IPA realm EXAMPLE.COM
Attempting to get host TGT...
Please make sure the following ports are opened in the firewall settings:
      TCP: 80, 88, 389
      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
      TCP: 464
      UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.

Looking further, I couldn’t find anything Kerberos-specific under /var/log, so I went to the installer’s own log, /var/log/ipa-client-install.log:

# cat /var/log/ipa-client-install.log

In there I saw a message saying the keytab contains no suitable keys for host/server@EXAMPLE.COM:

stderr=kinit: Keytab contains no suitable keys for host/server@EXAMPLE.COM while getting initial credentials

Resolution

Make sure the entries in /etc/hosts are in the proper order, “IP FQDN Shortname”. The hosts file on the affected servers listed the short name first rather than starting with the FQDN, so I made the needed change.

# vim /etc/hosts
10.0.0.1 server.example.com server

Root Cause

The install fails because the /etc/hosts entry is not in the proper order. The installer derives the host principal from the name the system resolves for itself, and with the short name listed first that is host/server@EXAMPLE.COM. The keytab fetched during enrollment, however, only holds host/server.example.com@EXAMPLE.COM, so kinit finds no matching key.

Diagnostic Steps

[root@server ~]# ipa-client-install -d
…
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/server@EXAMPLE.COM
stdout=
stderr=kinit: Keytab contains no suitable keys for host/server@EXAMPLE.COM while getting initial credentials

Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

[root@server ~]#  klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp      Principal
-------------------------------------------------------
2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
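Added example, not code from the original post: a small POSIX shell pre-flight script that reproduces the mismatch from the Root Cause and Diagnostic Steps sections offline. It derives the canonical name glibc would return for the /etc/hosts line, builds the host/<name>@REALM principal kinit will ask for, and checks a klist -kt listing for it. All input (the two hosts files, the keytab listing, the IP 10.0.0.1 and realm EXAMPLE.COM) is constructed sample data; live_check is an assumption about how you would point it at a real host and is not run by default.

```shell
#!/bin/sh
# Added example (not from the original post): offline pre-flight check for
# the /etc/hosts ordering problem. Derives the canonical name glibc would
# return for an /etc/hosts line, builds the host principal kinit will ask
# for, and checks whether a `klist -kt` listing contains it. The input
# below is constructed sample data, not output from a real host.

# First name on the matching /etc/hosts line is the canonical name;
# comments are stripped and the first matching line wins.
hosts_canonical_name() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | awk -v ip="$2" '$1 == ip { print $2; exit }'
}

# "ok" when the canonical name is a FQDN (contains a dot), else "bad".
check_hosts_order() {
    case "$(hosts_canonical_name "$1" "$2")" in
        *.*) echo ok ;;
        *)   echo bad ;;
    esac
}

# Host principal ipa-client-install will kinit as: host/<name>@<REALM>.
expected_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# "present"/"missing": does a `klist -kt` listing contain the principal?
# The principal is the last field; the timestamp occupies two fields.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$NF == p { found = 1 } END { print (found ? "present" : "missing") }'
}

# Human-readable summary of one hosts file against one keytab listing.
report() {
    r_name=$(hosts_canonical_name "$1" "$2")
    r_princ=$(expected_principal "$r_name" "$3")
    printf 'canonical name: %s (/etc/hosts order %s)\n' \
        "$r_name" "$(check_hosts_order "$1" "$2")"
    printf 'kinit principal: %s (%s in keytab)\n' \
        "$r_princ" "$(keytab_has_principal "$4" "$r_princ")"
}

# Same check against the live system (assumed usage, not run here): pass
# the realm and the IP whose /etc/hosts line to inspect; needs read
# access to /etc/krb5.keytab.
live_check() {
    report "$(cat /etc/hosts)" "$2" "$1" "$(klist -kt /etc/krb5.keytab)"
}

# Constructed sample input: the broken ordering from the post and the fix.
BAD_HOSTS='127.0.0.1 localhost
10.0.0.1 server server.example.com'
GOOD_HOSTS='127.0.0.1 localhost
10.0.0.1 server.example.com server'
# Constructed to match the shape of the klist -kt output shown above.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
-------------------------------------------------------
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM
   2 08/24/16 08:10:14 host/server.example.com@EXAMPLE.COM'

echo '--- short name first (as found on the broken hosts) ---'
report "$BAD_HOSTS" 10.0.0.1 EXAMPLE.COM "$KEYTAB_LISTING"
echo '--- FQDN first (after the fix) ---'
report "$GOOD_HOSTS" 10.0.0.1 EXAMPLE.COM "$KEYTAB_LISTING"
```

Run it before ipa-client-install: a result of "bad" or "missing" means fix /etc/hosts (and confirm with hostname -f) before spending time on the firewall hint.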

It took some time to track this down. Based on the error message I first assumed a firewall problem, but I could telnet to the IPA server on every listed port without issue; the port list is a generic hint the installer prints on this failure, not evidence of a firewall problem. So I set the firewall theory aside and started looking for other things that could prevent the host from joining the IPA server.

Once the hosts file was fixed, installation and joining the IPA server went through without a problem. If you run into a similar issue, hopefully this will help you work through it.

If you have any questions or comments, please feel free to drop me an email or comment.

Cheers,

Ivan Windon, RHCSA


Ivan Windon

Ivan Windon is a Lead Engineer at Verizon Enterprise Solutions. Ivan is actively engaged in Cloud Technologies with AWS, Google, and Azure. Ivan has extensive experience with Linux and Windows administration, DNS, Networking, IDM, and Security. In his free time, he enjoys being with his wife and two children. The family enjoys hiking, and traveling when able. His favorite locations are Yosemite NPS, and San Francisco, California.
