Hi,

Thank you Fabian, your suggested commands led me to the answer and a solution!

```
[root@se-rhidm01x ~]# ldapsearch -Y GSSAPI -H ldap://usidc1-rhidm01x.idc1.us.example.com -b "" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/example....@lnx.example.com not found in Kerberos database)
```

We are using lnx.example.com as the IPA domain and not example.com, since example.com is already an AD domain. We did not define a Kerberos realm for the idc1.us.example.com domain, so Kerberos defaulted to example.com and translated it into the EXAMPLE.COM Kerberos realm, which does exist and is reachable but is the incorrect one for the IPA hosts, since they are using the LNX.EXAMPLE.COM Kerberos realm. This could be seen by using Kerberos commands on the masters.

```
[root@se-rhidm01x ~]# ldapsearch -Y GSSAPI -H ldap://usidc1-rhidm01x.idc1.us.example.com -b "" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/example....@lnx.example.com not found in Kerberos database)
```

Here krbtgt/example....@lnx.example.com should be krbtgt/lnx.example....@lnx.example.com.

To fix this I added the following to the /etc/krb5.conf file on all the masters:

```
...
[domain_realm]
...
.idc1.us.example.com = LNX.EXAMPLE.COM
idc1.us.example.com = LNX.EXAMPLE.COM
...
```

Ultimately we should probably define it as such to "catch all":

```
...
[domain_realm]
.example.com = LNX.EXAMPLE.COM
example.com = LNX.EXAMPLE.COM
...
```

-- 
Markus
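Added example (not part of the post above): a small Python model of how libkrb5 walks the `[domain_realm]` section when mapping a host name to a realm, run against fragments shaped like the two configurations in the post. It checks the full host name first, then each parent domain with a leading dot and then without it, and returns `None` when nothing matches (the point at which the library falls back to referrals, DNS or its default). The `dc01.example.com` host name is a constructed stand-in for a host in the AD domain; with the catch-all entries it maps to LNX.EXAMPLE.COM as well, so hosts directly under example.com would need more specific entries or KDC referrals.

```python
# Constructed krb5.conf fragments modelled on the post (not the poster's full files).
SPECIFIC = """
[domain_realm]
 .idc1.us.example.com = LNX.EXAMPLE.COM
 idc1.us.example.com = LNX.EXAMPLE.COM
"""

CATCH_ALL = """
[domain_realm]
 .example.com = LNX.EXAMPLE.COM
 example.com = LNX.EXAMPLE.COM
"""


def parse_domain_realm(conf):
    """Return {tag: realm} for the [domain_realm] section of a krb5.conf-style text.
    Simplified: tags are lower-cased, no include directives or nested braces."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping


def candidate_tags(hostname):
    """Tags probed, in order: host, then each parent domain with and without a leading dot."""
    tags, cp = [], hostname.lower().rstrip(".")
    while cp is not None:
        tags.append(cp)
        if cp.startswith("."):
            cp = cp[1:]                      # ".a.b.c" -> "a.b.c"
        else:
            dot = cp.find(".")
            cp = cp[dot:] if dot != -1 else None  # "host.a.b.c" -> ".a.b.c"
    return tags


def host_realm(hostname, mapping):
    """First matching tag wins; None means no mapping (library fallback applies)."""
    for tag in candidate_tags(hostname):
        if tag in mapping:
            return mapping[tag]
    return None
```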