ipa-client-install fails with error "* gss_init_sec_context() failed: : Request is a replay"
Issue
ipa-client-install fails with error:
* gss_init_sec_context() failed: : Request is a replay< WWW-Authenticate: Negotiate
Debug logs from ipa-client-install
ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --hostname=dns2-no-srv2.example.com --principal=admin@EXAMPLE.COM --mkhomedir --debug --ca-cert-file=/etc/ipa/ca.crt
/usr/sbin/ipa-client-install was invoked with options: {'domain': 'example.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': '/etc/ipa/ca.crt', 'ntp_server': None, 'principal': 'admin@EXAMPLE.COM', 'hostname': 'dns2-no-srv2.example.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': 'EXAMPLE.COM', 'conf_ssh': True, 'server': ['ipa1.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=example.com, server=['ipa1.example.com'], hostname=dns2-no-srv2.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.example.com.
DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:EXAMPLE.COM}
Search DNS for SRV record of _kerberos._udp.example.com.
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
[LDAP server check]
Verifying that ipa1.example.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa1.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa1.example.com, domain=example.com, kdc=ipa2.example.com,ipa1.example.com, basedn=dc=example,dc=com
will use discovered domain: example.com
Using servers from command line, disabling DNS discovery
will use provided server: ipa1.example.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: EXAMPLE.COM
will use discovered basedn: dc=example,dc=com
Hostname: dns2-no-srv2.example.com
Hostname source: Provided as option
Realm: EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in ipa1.example.com
DNS Domain: example.com
DNS Domain source: Forced
IPA Server: ipa1.example.com
IPA Server source: Provided as option
BaseDN: dc=example,dc=com
BaseDN source: From IPA server ldap://ipa1.example.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': Ingen slik fil eller filkatalog
args=/bin/hostname dns2-no-srv2.example.com
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/network'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/restorecon /etc/sysconfig/network
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.example.com.
DNS record found: DNSResult::name:_ntp._udp.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:ntp3.example.com.}
DNS record found: DNSResult::name:_ntp._udp.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:ntp1.example.com.}
DNS record found: DNSResult::name:_ntp._udp.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:ntp2.example.com.}
args=/usr/sbin/ntpdate -U ntp -s -b -v ntp3.example.com
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmp7sl_CN:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = ipa1.example.com:88
master_kdc = ipa1.example.com:88
admin_server = ipa1.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Password for admin@EXAMPLE.COM:
args=kinit admin@EXAMPLE.COM
stdout=Password for admin@EXAMPLE.COM:
stderr=
trying to retrieve CA cert from file /etc/ipa/ca.crt
CA cert provided by user, use it!
args=/usr/sbin/ipa-join -s ipa1.example.com -b dc=example,dc=com -d -h dns2-no-srv2.example.com
stdout=
stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>dns2-no-srv2.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to ipa1.example.com port 443 (#0)
* Trying 10.65.211.213... * Connected to ipa1.example.com (10.65.211.213) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=ipa1.example.com,O=EXAMPLE.COM
* start date: May 15 06:42:31 2012 GMT
* expire date: May 16 06:42:31 2014 GMT
* common name: ipa1.example.com
* issuer: CN=Certificate Authority,O=EXAMPLE.COM
> POST /ipa/xml HTTP/1.1
Host: ipa1.example.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://ipa1.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 481
< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 13:56:34 GMT
< Server: Apache/2.2.15 (Red Hat)
* gss_init_sec_context() failed: : Request is a replay< WWW-Authenticate: Negotiate
< Last-Modified: Mon, 10 Dec 2012 15:28:07 GMT
< ETag: "3582-740-4d0813649afc0"
< Accept-Ranges: bytes
< Content-Length: 1856
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Expire cleared
* Closing connection #0
HTTP response code is 401, not 200
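The debug output above carries three distinct signals in one run: the failed NTP sync, the GSSAPI "Request is a replay" failure glued onto the WWW-Authenticate header by the curl trace, and the final non-200 status from ipa-join. The following triage script is an added example, not part of the Red Hat article or the ipa-client code; it pulls those signals out of a saved `ipa-client-install --debug` log (the sample log here is a constructed excerpt modelled on the output above) so they can be reviewed together before retrying the join.

```shell
#!/bin/sh
# Added triage helper (not from the article): scan a saved
# ipa-client-install --debug log for the signals shown on this page.

# Constructed excerpt modelled on the debug output above.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
args=/usr/sbin/ntpdate -U ntp -s -b -v ntp3.example.com
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
< HTTP/1.1 401 Authorization Required
* gss_init_sec_context() failed: : Request is a replay< WWW-Authenticate: Negotiate
HTTP response code is 401, not 200
EOF

# gss_reason FILE: reason text between "failed: :" and the "<" that the
# curl trace glues onto the next response header.
gss_reason() {
    sed -n 's/.*gss_init_sec_context() failed: *: *\([^<]*\).*/\1/p' "$1" \
        | head -n 1 | sed 's/ *$//'
}

# http_status FILE: status code reported by ipa-join (empty if never reached).
http_status() {
    sed -n 's/^HTTP response code is \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# triage_log FILE: one finding per line, in the order they matter.
triage_log() {
    if grep -q 'Unable to sync time with IPA NTP server' "$1"; then
        echo "TIME: NTP sync with the IPA NTP server failed; check UDP/123 and compare the client clock with the KDC before retrying"
    fi
    reason=$(gss_reason "$1")
    if [ -n "$reason" ]; then
        echo "GSSAPI: Negotiate to the IPA HTTP endpoint failed: $reason"
    fi
    status=$(http_status "$1")
    if [ -n "$status" ] && [ "$status" != 200 ]; then
        echo "HTTP: ipa-join received status $status from /ipa/xml, so the host was not joined"
    fi
}

# finding_count FILE: number of findings, for use in scripts.
finding_count() {
    triage_log "$1" | wc -l | tr -d ' '
}

triage_log "$SAMPLE_LOG"
```

Point `triage_log` at the real log (ipa-client-install writes its debug output to the terminal when run with `--debug`, so capture it with a redirect) to get the same three-line summary for a failing host.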
Environment
- Red Hat Enterprise Linux 6
- ipa-client
- IdM 2.2
