FreeIPA问题记录

在FreeIPA安装使用的过程中，碰到了许多问题，这里记录。

1. ipa-client-install安装失败

错误信息

[root@hdp140 log]# ipa-client-install
... ...
Attempting to get host TGT...
Please make sure the following ports are opened in the firewall settings:TCP: 80, 88, 389UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:TCP: 464UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

查看日志：

2017-11-08T05:55:19Z DEBUG Attempt 4/5 failed.
2017-11-08T05:55:20Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/ipa140.example.com@EXAMPLE.COM
2017-11-08T05:55:20Z DEBUG stdout=
2017-11-08T05:55:20Z DEBUG stderr=kinit: Keytab contains no suitable keys for host/ipa140.example.com@EXAMPLE.COM while getting initial credentials2017-11-08T05:55:20Z DEBUG Attempt 5/5 failed.
2017-11-08T05:55:20Z INFO Please make sure the following ports are opened in the firewall settings:TCP: 80, 88, 389UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:TCP: 464UDP: 464, 123 (if NTP enabled)
2017-11-08T05:55:20Z ERROR Failed to obtain host TGT.
2017-11-08T05:55:20Z ERROR Installation failed. Rolling back changes.
2017-11-08T05:55:20Z ERROR IPA client is not configured on this system.

原因

从日志看是因为kinit失败，查看/etc/krb5.conf的配置文件

[realms]EXAMPLE.COM = {kdc = kerberos.example.com  <---这个地方没有被修改admin_server = kerberos.example.com}

/etc/krb5.conf是在安装ipa client之后出现的。在执行ipa-client-install的时候会将它修改。而现在没有修改。而再次查看日志发现本机的IP是不正确的

2017-11-08T05:55:20Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/ipa140.example.com@EXAMPLE.COM

本机正确的机器名应该为hdp140.example.com，而不是ipa140.example.com，而这个机器名除了本地会配置，还有一个地方就是Server端的DNS处，查看DNS配置信息，发现：

[root@localhost named]# cat 1.168.192.file ... ...
140     IN PTR  ipa140.example.com.
141     IN PTR  ipa141.example.com.
142     IN PTR  ipa142.example.com.

修改named的配置文件，然后重启named之后，再hdp140上面安装成功。

2. ipa-client安装失败后，再次重装报Host is already joined

错误信息

ipa-client-install安装失败后，先执行uninstall再次执行install的时候，报错如下：

[root@hdp140 log]# ipa-client-install --uninstall
IPA client is not configured on this system.
[root@hdp140 log]# ipa-client-install
... ...
Password for admin@EXAMPLE.COM:
Joining realm failed: Host is already joined.Installation failed. Rolling back changes.
IPA client is not configured on this system.

解决方法

在FreeIPA Server节点上执行如下命令：
先执行ipa host-find命令:

[root@localhost log]# ipa host-find
---------------
3 hosts matched
---------------
  Host name: hdp140.example.com
  Principal name: host/hdp140.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: hdp140.example.com

找到对应的节点，然后再在Server节点将它删除掉

[root@localhost log]# ipa host-del hdp140.example.com
---------------------------------
Deleted host "hdp140.example.com"
---------------------------------

3. 通过从节点的web 创建的用户，在主节点的web上面无法查找到

错误信息

FreeIPA有两主从两个Server，现在通过从Server节点的Web创建一个用户后，在主Server的Web上面无法查找到，查看日志，发现如下的错误：

sasl_io_recv failed to decode packet for connection....

错误原因

官方给出的解释是nsslapd-sasl-max-buffer-size的值太小，导致出错。

解决方法

创建一个配置文件

[root@ipa110 /]# cat package.ldif
dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152

执行修改这个文件

[root@ipa110 /]# ldapmodify -h localhost -D "cn=directory manager" -w hadoop123 -f package.ldif -ZZ

执行完成后，将主从两个节点的ipa都重启一次。

4. ipa -client安装失败

错误信息

执行ipa-client-install的时候，抛出异常，查看ipa-client的安装日志：

Unexpected error - see /var/log/ipareplica-install.log for details:
UnboundLocalError: local variable 'replman' referenced before assignment

修改方式

[root@ipa111 /]# vi /usr/sbin/ipa-replica-installldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)replman = None   ----------增加这一行try:conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')conn.connect(bind_dn=DN(('cn', 'directory manager')),bind_pw=config.dirman_password,tls_cacertfile=CACERT)replman = ReplicationManager(config.realm_name, config.master_host_name,config.dirman_password)found = Falsetry:entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn))print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % hostprint "    %% ipa host-del %s" % hostfound = Trueexcept errors.NotFound:

需要说明的是，并不是每次都会出现这种错误，网上提供的一种修改方式就是增加那一行记录。

5. ipa-client-install重新安装是报错

错误信息

[root@ysbdh03 tls]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): gdbd.com
Provide your IPA server name (ex: ipa.example.com): ysbdh06.gdbd.com
LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Failed to verify that ysbdh06.gdbd.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:TCP: 80, 88, 389UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:TCP: 464UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

原因：

ipa client是重新安装的，原来的部分配置信息没有清理干净。而对于这个问题，就将/etc/ipa/ca.crt 这个配置文件干掉

6. FreeIPA Web创建的页面，在client节点无法登录

问题

在freeipa上面创建了用户之后，发现在client无法使用此用户登录。查看sssd的日志（在/var/log/ssssd/ ldap_child.log）：

(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed

分析

修改sssd的日志级别，打印debug日志，修改配置文件/etc/sssd/sssd.conf：

[root@hdfs142 sssd]# vi /etc/sssd/sssd.conf [domain/example.com]cache_credentials = True
debug_level = 9    ---修改这个值然后重启sssd

重启sssd

[root@hdfs142 sssd]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@hdfs142 sssd]

执行su – user01，查看ldap_child.log日志

(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [sss_child_krb5_trace_cb] (0x4000): [11108] 1499886555.112026: Received error from KDC: -1765328353/Decrypt integrity check failed(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.

从这里可以判断是kdc那里返回了错误。再次查看kdc的日志

Jul 12 12:09:14 freeipa138.example.com krb5kdc[15053](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.142: NEEDED_PREAUTH: host/hdfs142.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 12 12:09:14 freeipa138.example.com krb5kdc[15052](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 12 12:09:14 freeipa138.example.com krb5kdc[15052](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.142: PREAUTH_FAILED: host/hdfs142.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed

从这里可以看，客户端使用host/hdfs142.example.com@EXAMPLE.COM这个princal去认证，结果出错。而客户端是通过/etc/krb5.keytab来认证。
回忆之前在hadoop的配置的时候，将host/hdfs142.example.com这个princal导出。所以答案很清楚。Kerberos在导出keytab文件之后，会将密码重置，因此之前的keytab文件失效。
找到导出的那个keytab文件，将/etc/krb5.keytab替换掉。