When the user session does not have a valid ticket, ipa-getkeytab, which is executed as part of ipa-adtrust-install, fails:
```
# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.

NetBIOS domain name [IDM]:
Directory Manager password:
Directory Manager password:

Configuring smbd:
  [1/12]: stopping smbd
  [2/12]: creating samba domain object
  [3/12]: creating samba config registry
  [4/12]: writing samba config file
  [5/12]: adding cifs Kerberos principal
ipa : CRITICAL Failed to add key for cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
  [6/12]: adding admin(group) SIDs
  [7/12]: activating CLDAP plugin
  [8/12]: configuring smbd to start on boot
  [9/12]: adding special DNS service records
  [10/12]: restarting KDC to take MS PAC changes into account
  [11/12]: setting SELinux booleans
  [12/12]: starting smbd
done configuring smb.

==============================================================================
Setup complete

You must make sure these network ports are open:
    TCP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server cannot be reached
by any domain controller in the Active Directory domain by closing the following
ports for these servers:
    TCP Ports:
      * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing them
to avoid timeouts on the AD domain controllers.

WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands family in order to re-generate Kerberos tickets to include AD-specific information
```
ipaserver-install.log:

```
2012-06-07T05:08:16Z DEBUG [5/12]: adding cifs Kerberos principal
2012-06-07T05:08:16Z DEBUG raw: service_add(u'cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM')
2012-06-07T05:08:16Z DEBUG service_add(u'cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM', force=False, all=False, raw=False)
2012-06-07T05:08:16Z DEBUG raw: host_show(u'vm-125.idm.lab.bos.redhat.com')
2012-06-07T05:08:16Z DEBUG host_show(u'vm-125.idm.lab.bos.redhat.com', rights=False, all=False, raw=False)
2012-06-07T05:08:16Z DEBUG IPA: found 1 records for vm-125.idm.lab.bos.redhat.com: 10.16.78.125
2012-06-07T05:08:17Z DEBUG args=ipa-rmkeytab --principal cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM -k /etc/samba/samba.keytab
2012-06-07T05:08:17Z DEBUG stdout=
2012-06-07T05:08:17Z DEBUG stderr=Removing principal cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
2012-06-07T05:08:17Z DEBUG args=ipa-getkeytab --server vm-125.idm.lab.bos.redhat.com --principal cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM -k /etc/samba/samba.keytab
2012-06-07T05:08:17Z DEBUG stdout=
2012-06-07T05:08:17Z DEBUG stderr=SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)!
2012-06-07T05:08:17Z CRITICAL Failed to add key for cifs/vm-125.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
2012-06-07T05:08:17Z DEBUG duration: 0 seconds
```
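A small triage helper for this failure mode, added here as an example; it is not part of the ticket or of FreeIPA. It scans ipaserver-install.log lines in the `<timestamp> <LEVEL> <message>` layout shown above, tracks which `[n/12]` installer step is running, and ties each CRITICAL line to the last `stderr=` captured in that step, so the SASL/GSSAPI bind error is reported as a Kerberos credential problem rather than a Samba one. The embedded log lines are constructed to mirror the ticket's log, with the placeholder host `ipa.example.test` and realm `EXAMPLE.TEST`.

```python
"""Triage helper for ipaserver-install.log (added example, not FreeIPA code)."""
import re
from dataclasses import dataclass

# One log line: ISO timestamp, upper-case level, free-form message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
# Installer step marker, e.g. "[5/12]: adding cifs Kerberos principal".
STEP_RE = re.compile(r"^\[(?P<n>\d+)/(?P<total>\d+)\]:\s*(?P<name>.+)$")

# Fragments of a GSSAPI/SASL bind that ran without usable Kerberos credentials.
CREDENTIAL_PATTERNS = (
    "SASL Bind failed",
    "GSSAPI Error",
    "Decrypt integrity check failed",
)

ADVICE = {
    "kerberos-credentials": "the LDAP bind used no valid Kerberos ticket; "
                            "obtain one (kinit) and re-run the installer",
    "unknown": "inspect the stderr captured for this step",
}


@dataclass
class Failure:
    timestamp: str
    step: str       # step that was running, e.g. "[5/12]: adding cifs Kerberos principal"
    message: str    # the CRITICAL message itself
    stderr: str     # last stderr= captured in that step before the CRITICAL line
    cause: str      # classification key into ADVICE


def classify(stderr: str) -> str:
    """Map captured stderr to a root-cause bucket."""
    if any(p in stderr for p in CREDENTIAL_PATTERNS):
        return "kerberos-credentials"
    return "unknown"


def find_failures(lines):
    """Walk log lines in order and return one Failure per CRITICAL/ERROR line."""
    step = "<no step>"
    last_stderr = ""
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        if level == "DEBUG":
            if STEP_RE.match(msg):
                step = msg
                last_stderr = ""          # new step: earlier stderr is unrelated
            elif msg.startswith("stderr="):
                last_stderr = msg[len("stderr="):]
        elif level in ("CRITICAL", "ERROR"):
            failures.append(Failure(ts, step, msg, last_stderr, classify(last_stderr)))
    return failures


def summarize(failures):
    """Render failures as one line each: step, message and advice."""
    return [f"{f.timestamp} {f.step}: {f.message} -> {ADVICE[f.cause]}" for f in failures]


# Constructed sample log in the format of ipaserver-install.log (placeholder names).
SAMPLE_LOG = """\
2012-06-07T05:08:16Z DEBUG [5/12]: adding cifs Kerberos principal
2012-06-07T05:08:16Z DEBUG service_add(u'cifs/ipa.example.test@EXAMPLE.TEST', force=False, all=False, raw=False)
2012-06-07T05:08:17Z DEBUG args=ipa-rmkeytab --principal cifs/ipa.example.test@EXAMPLE.TEST -k /etc/samba/samba.keytab
2012-06-07T05:08:17Z DEBUG stdout=
2012-06-07T05:08:17Z DEBUG stderr=Removing principal cifs/ipa.example.test@EXAMPLE.TEST
2012-06-07T05:08:17Z DEBUG args=ipa-getkeytab --server ipa.example.test --principal cifs/ipa.example.test@EXAMPLE.TEST -k /etc/samba/samba.keytab
2012-06-07T05:08:17Z DEBUG stdout=
2012-06-07T05:08:17Z DEBUG stderr=SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)!
2012-06-07T05:08:17Z CRITICAL Failed to add key for cifs/ipa.example.test@EXAMPLE.TEST
2012-06-07T05:08:17Z DEBUG [6/12]: adding admin(group) SIDs
"""

if __name__ == "__main__":
    for line in summarize(find_failures(SAMPLE_LOG.splitlines())):
        print(line)
```

Because stderr is reset at every step marker, the "Removing principal" output of ipa-rmkeytab in the same step is overwritten by the later ipa-getkeytab error, so the report points at the bind failure and not at the keytab removal that preceded it.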
Patch sent for review: https://www.redhat.com/archives/freeipa-devel/2012-July/msg00147.html
Note that the '-p' option for ipa-adtrust-install is removed, as the Directory Manager password is not required anymore.
master: 68d5fe1
Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.0 Beta 2