IPA integration issue with RHEV
Hi Team,
I have a machine named manager.rhevdemo.com and I have installed a virtual machine by the name ad.rhevdemo.com. After that I have done authentication of AD with my manager for the user authentication.
Now I have installed a separate virtual machine with RHEL6.2 and installed the IPA server with DNS as mentioned in the reference architecture on the same server where the machine name is ipa.rhdemo.com (with a different domain name). Now when I restarted my IPA virtual machine and issued the command "kinit admin" I received an error "kinit: Cannot contact any KDC for realm 'RHDEMO.COM' while getting initial credentials".
Responses
I have a few very basic steps to offer, but I am not terribly proficient in this area yet. I have not done the AD integration, but I don't believe that is your issue. I am making the following assumption based on how I understand your post. You would like your host (ipa.rhdemo.com) to be your IPA master. However, you already had an AD system (which also makes itself a KDC, when you enable AD <I think?>).
So - I would check the following on ipa.rhdemo.com
# cat /etc/resolv.conf
search rhdemo.com
nameserver (IP of ipa.rhdemo.com)
I generally put an entry in the hosts file for my IPA server also
# vi /etc/hosts
Make sure BIND is running, and working
# service named status
# nslookup
> ipa.rhdemo.com
[result should appear here]
> exit
Make sure IPA is running
# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING
Make sure your firewall is open (the firewall should not affect ipa.rhdemo.com itself, unless you removed the rule to allow everything on the loopback interface)
# iptables -L
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
# dig SRV _kerberos._udp.ncell.lab
# dig SRV _kerberos._tcp.ncell.lab
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> SRV _kerberos._tcp.ncell.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;_kerberos._tcp.ncell.lab. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.ncell.lab. 3600 IN SRV 0 100 88 rhipa01.ncell.lab.
;; AUTHORITY SECTION:
ncell.lab. 3600 IN NS rhevm01.ncell.lab.
ncell.lab. 3600 IN NS rhkvm01.ncell.lab.
;; ADDITIONAL SECTION:
rhipa01.ncell.lab. 3600 IN A 10.10.21.201
rhevm01.ncell.lab. 3600 IN A 10.10.21.203
rhkvm01.ncell.lab. 3600 IN A 10.10.21.200
;; Query time: 3 msec
;; SERVER: 10.10.21.200#53(10.10.21.200)
;; WHEN: Sun Mar 18 10:46:27 2012
;; MSG SIZE rcvd: 171
> "kinit admin" I received an error "kinit: Cannot contact any KDC for realm 'RHDEMO.COM' while getting initial credentials"
From where are you running this command? IPA server or RHEVM?
- Make sure that /etc/krb5.conf is configured properly.
- Make sure that the firewall (iptables) on the server allows connection to port 88.
I can't tell from your output what is causing the issue, but your configured DNS is unavailable. We should work on correcting that first.
Fixing RNDC is simple enough
Put the following in your /etc/named.conf
# START #
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; }
keys { "rndc-key"; };
};
# END #
-- Then Run the following commands
# rndc-confgen -a
# cat /etc/rndc.key >> /etc/named.conf
# tail -f /var/log/messages
-- in another terminal
# service named restart
Post what errors you get. The next thing we will probably need to see is:
/etc/named.conf
Your 2 zone files (forward and reverse) from your /etc/named.conf
Also - when you reply, click on the Source button to format your output. I also have issues with the format when I post ;-)
It appears that your DNS does not include your own domain.
In your /etc/named.conf you should have a stanza for your forward and reverse.
Do you recall at the very end of your IPA install, it displayed a message which indicated what you should add to your DNS environment? That output may still be there in /tmp. I believe you could probably cd to /tmp and grep for rhdemo in the files there.
NOTE: I apologize for any typos/errors I pass along. I am trying to go from memory and existing systems and change the data for your application.
You need to:
- update your named.conf
- create your 2 zone files
- append your IPA information to the forward lookup file
- restart named
- test with the nslookup commands from before
##### NAMED.CONF
# vi /etc/named.conf
// rhdemo.com stuff here
zone "10.10.10.in-addr.arpa" in {
type master;
file "10.10.10.in-addr.arpa";
allow-transfer { 10.10.10.100; };
};
zone "rhdemo.com" in {
type master;
file "rhdemo.com";
allow-transfer { 10.10.10.100; };
};
##### FORWARD LOOKUP ZONE
# vi /var/named/rhdemo.com
$ORIGIN .
$TTL 3600 ; 1 hour
rhdemo.com IN SOA ipas.rhdemo.com. hostmaster.rhdemo.com. (
2012021501 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)
        NS ipas.rhdemo.com.
        A 10.10.21.100
$ORIGIN rhdemo.com.
firewall IN A 10.10.10.1
ipas IN A 10.10.10.100
##### REVERSE LOOKUP ZONE
# vi /var/named/10.10.10.in-addr.arpa
$ORIGIN .
$TTL 3600 ; 1 hour
10.10.10.in-addr.arpa IN SOA ipas.rhdemo.com. root.rhdemo.com. (
2012021701 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)
        NS ipas.rhdemo.com.
$ORIGIN 10.10.10.in-addr.arpa.
1 IN PTR firewall.rhdemo.com.
100 IN PTR ipas.rhdemo.com.
##### IPA INFORMATION FOR FORWARD ZONE
# APPEND THE FOLLOWING
# vi /var/named/rhdemo.com
; ldap servers
_ldap._tcp IN SRV 0 100 389 ipas
;kerberos realm
_kerberos IN TXT RHDEMO.COM
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ipas
_kerberos._udp IN SRV 0 100 88 ipas
_kerberos-master._tcp IN SRV 0 100 88 ipas
_kerberos-master._udp IN SRV 0 100 88 ipas
_kpasswd._tcp IN SRV 0 100 464 ipas
_kpasswd._udp IN SRV 0 100 464 ipas
# service named restart
# tail -f /var/log/messages
# host -l rhdemo.com
# dig SRV _kerberos._udp.rhdemo.com
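As an added example (not code from any post in this thread), here is a small offline checker for the step above: it parses a BIND-style forward zone file like the one just posted and reports which of the SRV/TXT records IPA relies on are missing, point at the wrong port, or name a host that has no A record in the zone (the kind of typo that leaves kinit unable to find a KDC). SAMPLE_ZONE is constructed for this example, modelled on the thread's zone with three of the IPA records deliberately left out; parse_zone and check_ipa_records are names chosen here, not IPA or BIND tooling.

```python
# Added example, not from the thread: parse a BIND forward zone and report which
# of the SRV/TXT records IPA relies on are missing or broken. SAMPLE_ZONE is a
# constructed sample (three IPA records left out on purpose); the function names
# are this example's own, not IPA or BIND tooling.
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 3600 ; 1 hour
rhdemo.com IN SOA ipas.rhdemo.com. hostmaster.rhdemo.com. (
    2012021501 900 600 86400 3600 ; serial refresh retry expire minimum
    )
    NS ipas.rhdemo.com.
    A  10.10.10.100
$ORIGIN rhdemo.com.
ipas IN A 10.10.10.100
; ldap servers
_ldap._tcp IN SRV 0 100 389 ipas
; kerberos realm
_kerberos IN TXT RHDEMO.COM
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ipas
_kerberos._udp IN SRV 0 100 88 ipas
_kpasswd._tcp  IN SRV 0 100 464 ipas
"""

# SRV owner label -> port the target is expected to serve on (the records the
# IPA installer tells you to add to DNS)
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
                "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
                "_kpasswd._tcp": 464, "_kpasswd._udp": 464}


def _fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    name = name.lower()
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner_fqdn, rtype, rdata) tuples; handles $ORIGIN, '(...)'
    continuation lines and owner inheritance (a line starting with whitespace
    reuses the previous owner). Comments are cut at the first ';'."""
    records, origin, last_owner = [], ".", None
    pending, depth = None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        pending = [line[0].isspace(), line] if pending is None \
            else [pending[0], pending[1] + " " + line]
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside a parenthesised record (e.g. the SOA)
        inherits_owner, body = pending
        pending = None
        tokens = body.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):  # $ORIGIN changes context, $TTL etc. do not
            if tokens[0] == "$ORIGIN":
                origin = tokens[1].lower()
            continue
        owner, tokens = (last_owner, tokens) if inherits_owner \
            else (_fqdn(tokens[0], origin), tokens[1:])
        last_owner = owner
        if tokens and tokens[0].isdigit():  # optional per-record TTL
            tokens = tokens[1:]
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens = tokens[1:]
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SRV":
            prio, weight, port, target = rdata
            rdata = (int(prio), int(weight), int(port), _fqdn(target, origin))
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = (_fqdn(rdata[0], origin),)
        records.append((owner, rtype, tuple(rdata)))
    return records


def check_ipa_records(records, domain, realm):
    """List problems that would stop a client locating the KDC through DNS."""
    domain = domain.lower().rstrip(".") + "."
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault((owner, rtype), []).append(rdata)
    problems = []
    for label, want_port in REQUIRED_SRV.items():
        name = f"{label}.{domain}"
        srvs = by_owner.get((name, "SRV"), [])
        if not srvs:
            problems.append(f"missing SRV {name}")
            continue
        for _prio, _weight, port, target in srvs:
            if port != want_port:
                problems.append(f"{name} uses port {port}, expected {want_port}")
            if (target, "A") not in by_owner and (target, "AAAA") not in by_owner:
                problems.append(f"{name} target {target} has no A/AAAA in this zone")
    txt = [" ".join(v).strip('"')
           for v in by_owner.get((f"_kerberos.{domain}", "TXT"), [])]
    if not txt:
        problems.append(f"missing TXT _kerberos.{domain}")
    elif realm.upper() not in txt:
        problems.append(f"_kerberos TXT {txt} does not name realm {realm.upper()}")
    return problems
```

Run `check_ipa_records(parse_zone(open("/var/named/rhdemo.com").read()), "rhdemo.com", "RHDEMO.COM")` against your own file and every line it returns is something `dig SRV` would also show as absent or wrong; an empty list means the DNS side is complete and the next place to look is /etc/krb5.conf and port 88 on the firewall.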
