I am trying to install the IPA client on a Red Hat system, but it is failing to install.


Environment

  • Red Hat Enterprise Linux 6.4
  • ipa-client-3.0.0-26.el6_4.4.x86_64

Issue

  • I configured other clients successfully from the same servers.
  • I used the following command on other servers and it worked, but this time it gave the following errors.
ipa-client-install -d --domain=example.com --server=ipaserver.example.com --realm=EXAMPLE.COM --mkhomedir --ca-cert-file=/etc/openldap/certs/ca.cer

< HTTP/1.1 401 Authorization Required
< Date: Mon, 29 Jul 2013 17:09:22 GMT
< Server: Apache/2.2.15 (Red Hat)
* gss_init_sec_context() failed: : Server HTTP/<ipaServerShortname>@EXAMPLE.COM not found in Kerberos database
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 21 May 2013 05:58:14 GMT
< ETag: "22b5c-55a-4dd342284a980"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Expire cleared
* Closing connection #0
HTTP response code is 401, not 200
Joining realm failed: XML-RPC CALL:
....
* Expire cleared
* Closing connection #0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Resolution

Change the /etc/hosts entries for the IPA client and the IPA server so that the fully qualified domain name is the first (canonical) name on each line, then retry the installation. The simplest change is to remove the short names:

Change from:
x.x.x.x      ipaclient  ipaclient.example.com
x.x.x.x      ipaserver  ipaserver.example.com

Change to the following by removing the short names from the two lines:
x.x.x.x      ipaclient.example.com
x.x.x.x      ipaserver.example.com

Root Cause

IPA uses Kerberos, which depends heavily on DNS and on the exact form of Kerberos principal names. Host and service principals (for example HTTP/ipaserver.example.com@EXAMPLE.COM and ldap/ipaserver.example.com@EXAMPLE.COM) are registered under the server's fully qualified domain name, not its short name. The resolver treats the first name after the address on an /etc/hosts line as the canonical host name, and the Kerberos library uses that canonical name when it builds a service principal. In this case the /etc/hosts entries listed the short name before the fully qualified domain name, so the client canonicalized the IPA server's name to the short name, requested a ticket for ldap/ipaserver@EXAMPLE.COM, and the KDC correctly reported that no such principal exists.
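
As an added example (not part of the Red Hat solution), the following POSIX shell script implements the checks a practitioner would run before and after the change described in the Resolution above: it parses hosts-file text and flags lines whose first (canonical) name is a short name followed by a fully qualified alias, rewrites such lines so the FQDN comes first, and shows which name the system resolver actually returns as canonical for a host. The sample hosts content, the 192.0.2.x addresses and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Finds hosts-file lines where a
# short name is listed before the FQDN. The first name after the address is the
# canonical name (h_name / ai_canonname), and libkrb5 uses that canonical name
# when it builds service principals such as ldap/<host>@REALM, so a short name
# in that position yields ldap/ipaserver@EXAMPLE.COM instead of
# ldap/ipaserver.example.com@EXAMPLE.COM.

# Constructed sample mirroring the broken "Change from" state in the article.
# Addresses are documentation-range (192.0.2.0/24) placeholders.
SAMPLE_HOSTS='127.0.0.1    localhost localhost.localdomain
192.0.2.10   ipaclient  ipaclient.example.com
192.0.2.20   ipaserver  ipaserver.example.com   # IPA master
192.0.2.30   db01.example.com db01'

# check_hosts_canon: read hosts-file text on stdin and print "ADDR SHORT FQDN"
# for every line whose canonical (first) name has no dot while a dotted alias
# follows it. Loopback lines are ignored. Exit status 1 if any line was flagged.
check_hosts_canon() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }    # comments and blank lines
        $1 ~ /^127\./ || $1 == "::1" { next }   # loopback is not a Kerberos host
        {
            sub(/#.*/, "")                       # drop trailing comment, refresh NF
            if (NF < 3 || index($2, ".") > 0) next
            for (i = 3; i <= NF; i++) {
                if (index($i, ".") > 0) {        # FQDN alias after a short canonical name
                    print $1, $2, $i
                    bad = 1
                    break
                }
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# fix_hosts_canon: rewrite stdin so the FQDN is the canonical name on flagged
# lines, keeping the short name as an alias. Same effect as the article's
# resolution, which removes the short names entirely.
fix_hosts_canon() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $1 ~ /^127\./ || $1 == "::1" { print; next }
        {
            if (NF >= 3 && index($2, ".") == 0) {
                for (i = 3; i <= NF; i++) {
                    if ($i ~ /^#/) break         # stop at a trailing comment
                    if (index($i, ".") > 0) {
                        fqdn = $i; $i = $2; $2 = fqdn   # swap short name and FQDN
                        break
                    }
                }
            }
            print
        }
    '
}

# canonical_name HOST: print the name the resolver returns as canonical for
# HOST via getaddrinfo(AI_CANONNAME), the same lookup libkrb5 performs (with
# rdns=true, the default, it additionally reverse-resolves the address). Needs
# a live resolver, so it is for use on the client, not part of the offline test.
canonical_name() {
    getent ahosts "$1" | awk 'NR == 1 { print $3; exit }'
}

# Usage on a live client:
#   check_hosts_canon < /etc/hosts
#   canonical_name ipaserver.example.com   # must print ipaserver.example.com
```

Run check_hosts_canon against /etc/hosts on the failing client before touching anything; if it flags the IPA server line, canonical_name will show the short name that ends up in the ldap/ and HTTP/ principals. After editing the file, both checks should come back clean before ipa-client-install is retried.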

Diagnostic Steps

  • The ipaclient-install.log contains several errors regarding the IPA server:
yyyy-mm-ddThh:mm:ssZ DEBUG trying to retrieve CA cert via LDAP from ldap://ipaserver.example.com
yyyy-mm-ddThh:mm:ssZ DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ipaserver@EXAMPLE.COM not found in Kerberos database)
yyyy-mm-ddThh:mm:ssZ DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ipaserver@EXAMPLE.COM not found in Kerberos database)', 'desc': 'Local error'}
yyyy-mm-ddThh:mm:ssZ ERROR Cannot obtain CA certificate
'ldap://ipaserver.example.com' doesn't have a certificate.
yyyy-mm-ddThh:mm:ssZ ERROR Installation failed. Rolling back changes.
yyyy-mm-ddThh:mm:ssZ ERROR IPA client is not configured on this system.

Based on the following error, it is likely that the /etc/hosts file is responsible for the failure:

yyyy-mm-ddThh:mm:ssZ DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ipaserver@EXAMPLE.COM not found in Kerberos database)

Kerberos is requesting a ticket for the principal ldap/ipaserver@EXAMPLE.COM, built from the server's short name, which does not exist (and should not exist) in the Kerberos database; the principal registered for the IPA server is ldap/ipaserver.example.com@EXAMPLE.COM.

  • Component
  • ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
