IPA integration issue with RHEV


Hi Team,

I have a machine named manager.rhevdemo.com and I have installed a virtual machine by the name ad.rhevdemo.com. After that I have done authentication of AD with my manager for the user authentication.

Now I have installed a separate virtual machine with RHEL6.2 and installed the IPA server with DNS as mentioned in the reference architecture on the same server, where the machine name is ipa.rhdemo.com (with a different domain name). Now when I restarted my IPA virtual machine and issued the command "kinit admin" I received an error "kinit: Cannot contact any KDC for realm 'RHDEMO.COM' while getting initial credentials".

I have already updated my manager and IPA servers with /etc/hosts entries.

Kindly suggest how to go ahead and whether I have done something wrong here.

Thanks,
Ashish

Responses

I have a few very basic steps to offer, but I am not terribly proficient in this area yet.

I have not done the AD integration, but I don't believe that is your issue.
I am making the following assumption based on how I understand your post.

You would like your host (ipa.rhdemo.com) to be your IPA master.  However, you already had an AD system (which also makes itself a KDC, when you enable AD <i think?>).
So - I would check the following on ipa.rhdemo.com
# cat /etc/resolv.conf
search rhdemo.com
nameserver (IP of ipa.rhdemo.com)

I generally put an entry in the host file for my IPA server also
# vi /etc/hosts

Make sure BIND is running, and working
# service named status
# nslookup
> ipa.rhdemo.com
 [ result should appear here]
> exit


Make sure IPA is running
# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING

Make sure your firewall is open (the firewall should not affect ipa.rhdemo.com itself, unless you removed the rule to allow everything on loopback interface)
# iptables -L
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
# dig SRV _kerberos._udp.ncell.lab
# dig SRV _kerberos._tcp.ncell.lab

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> SRV _kerberos._tcp.ncell.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;_kerberos._tcp.ncell.lab.  IN  SRV

;; ANSWER SECTION:
_kerberos._tcp.ncell.lab. 3600  IN  SRV 0 100 88 rhipa01.ncell.lab.

;; AUTHORITY SECTION:
ncell.lab.      3600    IN  NS  rhevm01.ncell.lab.
ncell.lab.      3600    IN  NS  rhkvm01.ncell.lab.

;; ADDITIONAL SECTION:
rhipa01.ncell.lab.  3600    IN  A   10.10.21.201
rhevm01.ncell.lab.  3600    IN  A   10.10.21.203
rhkvm01.ncell.lab.  3600    IN  A   10.10.21.200

;; Query time: 3 msec
;; SERVER: 10.10.21.200#53(10.10.21.200)
;; WHEN: Sun Mar 18 10:46:27 2012
;; MSG SIZE  rcvd: 171

> "kinit admin" I receieved an error "kinit: Cannot contact any KDC for realm 'RHDEMO.COM' while getting initial credentials"

 

From where are you running this command? The IPA server or RHEVM?

 

- Make sure that /etc/krb5.conf has been configured properly.

 

- Make sure that the firewall (iptables) on the server allows connection to port 88.

Thank you all for your help. Kindly find the attached logs, which explain the nslookup issue:

[root@ipas ~]# service iptables status
iptables: Firewall is not running.
[root@ipas ~]#
[root@ipas ~]#
[root@ipas ~]#
[root@ipas ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search rhdemo.com
nameserver 10.10.10.100
[root@ipas ~]#
[root@ipas ~]#
[root@ipas ~]#
[root@ipas ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.100    ipas.rhdemo.com ipas
ipas.rhdemo.com 10.10.10.100
[root@ipas ~]#
[root@ipas ~]#
[root@ipas ~]# service named status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
named (pid  3452) is running...
[root@ipas ~]# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipas ~]#  nslookup
> ipas.rhdemo.com
;; connection timed out; no servers could be reached
> quit
^C
[root@ipas ~]#
 
Kindly suggest....
 
Thanks,
Ashish 
 

I can't tell from your output what is causing the issue, but your configured DNS is unavailable. We should work on correcting that first.

Fixing RNDC is simple enough

Put the following in your /etc/named.conf
# START #
controls {
  inet 127.0.0.1 port 953
  allow { 127.0.0.1; }
  keys { "rndc-key"; };
};
# END #

-- Then Run the following commands

# rndc-confgen -a 
# cat /etc/rndc.key >> /etc/named.conf

# tail -f /var/log/messages
-- in another terminal
# service named restart

Post what errors you get. The next thing we will probably need to see is:
/etc/named.conf
Your 2 zone files (forward and reverse) from your /etc/named.conf

Also - when you reply, click on the Source button to format your output.  I also have issues with the format when I post ;-)

Kindly find the output of "tail -f /var/log/messages"

Mar 21 12:12:52 ipas named[3452]: shutting down
Mar 21 12:12:52 ipas named[3452]: no longer listening on 127.0.0.1#53
Mar 21 12:12:52 ipas named[3452]: no longer listening on ::1#53
Mar 21 12:12:52 ipas named[3452]: exiting
Mar 21 12:12:54 ipas named[20463]: starting BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 -u named -t /var/named/chroot
Mar 21 12:12:54 ipas named[20463]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Mar 21 12:12:54 ipas named[20463]: adjusted limit on open files from 1024 to 1048576
Mar 21 12:12:54 ipas named[20463]: found 1 CPU, using 1 worker thread
Mar 21 12:12:54 ipas named[20463]: using up to 4096 sockets
Mar 21 12:12:54 ipas named[20463]: loading configuration from '/etc/named.conf'
Mar 21 12:12:54 ipas named[20463]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Mar 21 12:12:54 ipas named[20463]: using default UDP/IPv4 port range: [1024, 65535]
Mar 21 12:12:54 ipas named[20463]: using default UDP/IPv6 port range: [1024, 65535]
Mar 21 12:12:54 ipas named[20463]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 21 12:12:54 ipas named[20463]: listening on IPv6 interface lo, ::1#53
Mar 21 12:12:54 ipas named[20463]: generating session key for dynamic DNS
Mar 21 12:12:54 ipas named[20463]: using built-in trusted-keys for view _default
Mar 21 12:12:54 ipas named[20463]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: D.F.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: A.E.F.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: B.E.F.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 21 12:12:54 ipas named[20463]: command channel listening on 127.0.0.1#953
Mar 21 12:12:54 ipas named[20463]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 21 12:12:54 ipas named[20463]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 21 12:12:54 ipas named[20463]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Mar 21 12:12:54 ipas named[20463]: zone localhost.localdomain/IN: loaded serial 0
Mar 21 12:12:54 ipas named[20463]: zone localhost/IN: loaded serial 0
Mar 21 12:12:54 ipas named[20463]: managed-keys-zone ./IN: loaded serial 24
Mar 21 12:12:54 ipas named[20463]: running

[root@ipas ~]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[root@ipas ~]#

And also find the configuration of /etc/named.conf:

[root@ipas ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

# START #

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; }
keys { "rndc-key"; };
};

# END #

options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";

key "rndc-key" {
algorithm hmac-md5;
secret "WnumHscVwCFWGgwidBQjSA==";
};

Kindly suggest
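The named.conf posted above listens only on 127.0.0.1 and allows queries only from localhost, while /etc/resolv.conf on the same host points at 10.10.10.100, which by itself produces the "no servers could be reached" result shown. The following check is an added example (not posted by anyone in this thread): it parses constructed copies of both files and flags that mismatch; the corrected options block it compares against is an assumption.

```python
import re

# Constructed sample inputs modelled on the files posted in this thread
# (the stock caching-only named.conf and a NetworkManager resolv.conf).
NAMED_CONF = """
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
allow-query { localhost; };
recursion yes;
};
"""
RESOLV_CONF = """
# Generated by NetworkManager
search rhdemo.com
nameserver 10.10.10.100
"""
# Hypothetical corrected options block: named also listens on the host's
# own address and accepts queries from the lab subnet.
FIXED_NAMED_CONF = """
options {
listen-on port 53 { 127.0.0.1; 10.10.10.100; };
allow-query { localhost; 10.10.10.0/24; };
};
"""
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def nameservers(resolv_text):
    """Addresses listed on 'nameserver' lines of a resolv.conf body."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)

def named_option(conf_text, name):
    """Entries of an address-match-list statement such as listen-on or
    allow-query (an optional 'port N' is skipped); [] if absent."""
    pat = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])(?:\s+port\s+\d+)?\s*\{([^}]*)\}"
    m = re.search(pat, conf_text)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else []

def check_resolver_against_named(resolv_text, conf_text):
    """Problems that stop the local resolver from using the local named:
    every resolv.conf nameserver must be an address named listens on, and
    allow-query must admit more than the server itself if other hosts
    (e.g. the RHEV manager) are meant to resolve through it."""
    problems = []
    listen = named_option(conf_text, "listen-on")
    allow = named_option(conf_text, "allow-query")
    for ns in nameservers(resolv_text):
        if ns not in listen and "any" not in listen:
            problems.append(f"nameserver {ns} is not in listen-on {listen}")
    if allow and set(allow) <= LOCAL_ONLY:
        problems.append(f"allow-query {allow} admits only this host")
    return problems
```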

It appears that your DNS does not include your own domain.

In your /etc/named.conf you should have a stanza for your forward and reverse.

Do you recall at the very end of your IPA install, it displayed a message which indicated what you should add to your DNS environment?  That output may still be there in /tmp.  I believe you could probably cd to /tmp and grep for rhdemo in the files there.

NOTE: I apologize for any typos/errors I pass along.  I am trying to go from memory and existing systems and change the data for your application.

You need to:
- update your named.conf
- create your 2 zone files
- append your IPA information to the forward lookup file
- restart named
- test with the nslookup commands from before

##### NAMED.CONF 
# vi /etc/named.conf
// rhdemo.com stuff here 
zone "10.10.10.in-addr.arpa" in { 
      type master; 
      file "10.10.10.in-addr.arpa"; 
      allow-transfer { 10.10.10.100; }; 
}; 
zone "rhdemo.com" in { 
      type master; 
      file "rhdemo.com"; 
      allow-transfer { 10.10.10.100; }; 
};

##### FORWARD LOOKUP ZONE
# vi /var/named/rhdemo.com
$ORIGIN . 
$TTL 3600      ; 1 hour 
rhdemo.com               IN SOA  ipas.rhdemo.com. hostmaster.rhdemo.com.  ( 
                                2012021501 ; serial 
                                900        ; refresh (15 minutes) 
                                600        ; retry (10 minutes) 
                                86400      ; expire (1 day) 
                                3600       ; minimum (1 hour) 
                                ) 

                        NS      ipas.rhdemo.com. 
        
                        A       10.10.10.100

$ORIGIN rhdemo.com.
firewall        IN      A       10.10.10.1 
ipas           IN      A       10.10.10.100

##### REVERSE LOOKUP ZONE
# vi /var/named/10.10.10.in-addr.arpa
$ORIGIN . 
$TTL 3600      ; 1 hour 
10.10.10.in-addr.arpa   IN SOA  ipas.rhdemo.com. root.rhdemo.com. ( 
                                2012021701 ; serial 
                                900        ; refresh (15 minutes) 
                                600        ; retry (10 minutes) 
                                86400      ; expire (1 day) 
                                3600       ; minimum (1 hour) 
                                ) 
                NS      ipas.rhdemo.com. 


$ORIGIN 10.10.10.in-addr.arpa. 
1       IN      PTR     firewall.rhdemo.com. 
100     IN      PTR     ipas.rhdemo.com.


##### IPA INFORMATION FOR FORWARD ZONE
# APPEND THE FOLLOWING
# vi /var/named/rhdemo.com
; ldap servers
_ldap._tcp              IN SRV 0 100 389        ipas

;kerberos realm
_kerberos               IN TXT RHDEMO.COM

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88         ipas
_kerberos._udp          IN SRV 0 100 88         ipas
_kerberos-master._tcp   IN SRV 0 100 88         ipas
_kerberos-master._udp   IN SRV 0 100 88         ipas
_kpasswd._tcp           IN SRV 0 100 464        ipas
_kpasswd._udp           IN SRV 0 100 464        ipas

# service named restart
# tail -f /var/log/messages
# host -l rhdemo.com
# dig SRV _kerberos._udp.rhdemo.com
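Before pointing clients at the zone, it is worth checking the appended records as a set. The following validator is an added example (not from the thread): it parses single-line records in the format shown above, honouring $ORIGIN, and reports any SRV an IPA client needs that is missing, on the wrong port, or pointing at a target without an A record, plus a _kerberos TXT that does not name the realm; the zone text inside is constructed from the records above.

```python
# SRV names an IPA client looks up and the port each must carry
# (the set shown in the zone snippet above).
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
                "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
                "_kpasswd._tcp": 464, "_kpasswd._udp": 464}

def fqdn(name, origin):
    """Absolute, lower-cased form of a possibly relative owner or target."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse single-line 'owner IN TYPE rdata' records, honouring $ORIGIN;
    continuation lines of multi-line records (SOA) and lines without an
    explicit owner are ignored. Returns (owner_fqdn, type, rdata) tuples."""
    origin = origin.lower().rstrip(".") + "."
    records = []
    for raw in text.splitlines():
        f = raw.split(";", 1)[0].split()          # strip ';' comments
        if f[:1] == ["$ORIGIN"]:
            origin = f[1].lower().rstrip(".") + "."
        elif len(f) >= 4 and f[1] == "IN":
            records.append((fqdn(f[0], origin), f[2], f[3:]))
    return records

def check_ipa_records(records, domain, realm):
    """Problems with one zone's IPA service records: every required SRV
    present, on the right port, with a target that has an A record, plus
    a _kerberos TXT naming the realm."""
    d = domain.lower().rstrip(".") + "."
    a_owners = {o for o, t, _ in records if t == "A"}
    problems = []
    for name, port in REQUIRED_SRV.items():
        hits = [r for o, t, r in records if t == "SRV" and o == f"{name}.{d}"]
        if not hits:
            problems.append(f"missing SRV {name}.{d}")
        for _prio, _weight, p, target in hits:
            if int(p) != port:
                problems.append(f"{name}: port {p}, expected {port}")
            if fqdn(target, d) not in a_owners:
                problems.append(f"{name}: target {fqdn(target, d)} has no A record")
    txt = [r[0].strip('"') for o, t, r in records if t == "TXT" and o == f"_kerberos.{d}"]
    if realm not in txt:
        problems.append(f"_kerberos TXT must be {realm}, found {txt}")
    return problems

# Constructed zone data modelled on the records in this thread.
ZONE = """
$ORIGIN rhdemo.com.
ipas                    IN A   10.10.10.100
_ldap._tcp              IN SRV 0 100 389 ipas
_kerberos               IN TXT RHDEMO.COM
_kerberos._tcp          IN SRV 0 100 88  ipas
_kerberos._udp          IN SRV 0 100 88  ipas
_kerberos-master._tcp   IN SRV 0 100 88  ipas
_kerberos-master._udp   IN SRV 0 100 88  ipas
_kpasswd._tcp           IN SRV 0 100 464 ipas
_kpasswd._udp           IN SRV 0 100 464 ipas
"""
```

Run it against the real file with `parse_zone(open("/var/named/rhdemo.com").read(), "rhdemo.com")` after appending the records; an empty list means the SRV set is complete and consistent.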