Bug 1508053

Summary: IPA client install kinit cannot contact any KDC
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.5
Status: CLOSED DUPLICATE
Severity: urgent
Priority: urgent
Target Milestone: rc
Keywords: Regression, TestBlocker
Reporter: Scott Poore <spoore>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: ipa-qe <ipa-qe>
CC: jpazdziora, ksiddiqu, mreznik, nsoman, pvoborni, rcritten, ssorce, tscherf
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2017-11-30 14:52:54 UTC
Bug Depends On: 1514033

Description Scott Poore 2017-10-31 18:23:28 UTC
Description of problem:

In new installs, I'm seeing the client install fail in many cases with this (or very similar) error:

kinit: Cannot contact any KDC for realm 'TESTRELM.TEST' while getting initial credentials

This has been seen during ipa-client-install, ipa-replica-install, and even during ipa-master-install.

Firewall in all cases is stopped.

Version-Release number of selected component (if applicable):

krb5-server-1.15.1-15.el7.x86_64
ipa-server-4.5.4-3.el7.x86_64

How reproducible:
Unknown, but it has happened multiple times now in testing.

Steps to Reproduce:
1.  ipa-server-install (on one host)
2.  ipa-replica-install (on second host)
3.  ipa-client-install (on third host)

Actual results:
We see the failure mentioned above.

Expected results:
No failure and IPA installs cleanly.


Additional info:

Comment 2 Scott Poore 2017-10-31 18:27:08 UTC
It should also be noted that I saw the same issue post ipa-client-install failure by using krb5.conf settings from ipaclient-install.log.  

[root@kvm-02-guest23 ~]# KRB5_TRACE=/dev/stdout kinit admin
[13194] 1509467592.143370: Getting initial credentials for admin
[13194] 1509467592.143372: Sending request (175 bytes) to TESTRELM.TEST
[13194] 1509467592.143373: Resolving hostname kvm-02-guest22.testrelm.test
[13194] 1509467592.143374: Initiating TCP connection to stream <IPv6_ADDR>:88
[13194] 1509467592.143375: Sending TCP request to stream <IPv6_ADDR>:88
[13194] 1509467602.159363: Initiating TCP connection to stream <IPv4_ADDR>:88
[13194] 1509467602.159364: Sending TCP request to stream <IPv4_ADDR>:88
[13194] 1509467612.169731: Sending initial UDP request to dgram <IPv6_ADDR>:88
[13194] 1509467613.170910: Sending initial UDP request to dgram <IPv4_ADDR>:88
[13194] 1509467616.174070: Sending retry UDP request to dgram <IPv6_ADDR>:88
[13194] 1509467617.175222: Sending retry UDP request to dgram <IPv4_ADDR>:88
[13194] 1509467622.180371: Sending retry UDP request to dgram <IPv6_ADDR>:88
[13194] 1509467623.181466: Sending retry UDP request to dgram <IPv4_ADDR>:88
[13194] 1509467632.190622: Terminating TCP connection to stream <IPv6_ADDR>:88
[13194] 1509467632.190623: Terminating TCP connection to stream <IPv4_ADDR>:88
kinit: Cannot contact any KDC for realm 'TESTRELM.TEST' while getting initial credentials

But, I was able to see port 88 running krb5kdc on replica and that the firewall was stopped on all hosts.  

Also, ausearch -m avc showed no AVC denials.
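
Added example (not part of the bug report or of any commenter's text): a small parser for the KRB5_TRACE output in comment 2 that lists, per transport endpoint, how many requests were sent and whether any reply arrived. The function names are hypothetical, and the "Received answer" prefix is assumed to be the line MIT krb5 logs when a KDC replies; no such line appears in the trace above.

```python
import re
from collections import defaultdict
# Trace copied from comment 2; the addresses are already redacted placeholders there.
TRACE = """\
[13194] 1509467592.143370: Getting initial credentials for admin
[13194] 1509467592.143372: Sending request (175 bytes) to TESTRELM.TEST
[13194] 1509467592.143373: Resolving hostname kvm-02-guest22.testrelm.test
[13194] 1509467592.143374: Initiating TCP connection to stream <IPv6_ADDR>:88
[13194] 1509467592.143375: Sending TCP request to stream <IPv6_ADDR>:88
[13194] 1509467602.159363: Initiating TCP connection to stream <IPv4_ADDR>:88
[13194] 1509467602.159364: Sending TCP request to stream <IPv4_ADDR>:88
[13194] 1509467612.169731: Sending initial UDP request to dgram <IPv6_ADDR>:88
[13194] 1509467613.170910: Sending initial UDP request to dgram <IPv4_ADDR>:88
[13194] 1509467616.174070: Sending retry UDP request to dgram <IPv6_ADDR>:88
[13194] 1509467617.175222: Sending retry UDP request to dgram <IPv4_ADDR>:88
[13194] 1509467622.180371: Sending retry UDP request to dgram <IPv6_ADDR>:88
[13194] 1509467623.181466: Sending retry UDP request to dgram <IPv4_ADDR>:88
[13194] 1509467632.190622: Terminating TCP connection to stream <IPv6_ADDR>:88
[13194] 1509467632.190623: Terminating TCP connection to stream <IPv4_ADDR>:88
kinit: Cannot contact any KDC for realm 'TESTRELM.TEST' while getting initial credentials
"""
LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
ENDPOINT = re.compile(r"\b(stream|dgram) (\S+):(\d+)$")

def summarize(trace):
    """Per-endpoint view of a KRB5_TRACE log: requests sent and whether any reply arrived."""
    eps = defaultdict(lambda: {"sent": 0, "answered": False})
    start = end = None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # non-trace output, e.g. the final kinit error line
        ts, msg = float(m.group(2)), m.group(3)
        start = ts if start is None else start
        end = ts
        ep = ENDPOINT.search(msg)
        if not ep:
            continue  # realm-level or DNS lines carry no transport endpoint
        rec = eps[(ep.group(1), ep.group(2), int(ep.group(3)))]
        if msg.startswith("Sending"):
            rec["sent"] += 1
        elif msg.startswith("Received answer"):
            # Assumption: MIT krb5 logs "Received answer (N bytes) from ..." on a reply.
            rec["answered"] = True
    return {"elapsed": end - start if start is not None else 0.0, "endpoints": dict(eps)}

def silent_endpoints(summary):
    """Endpoints that were sent at least one request and never answered."""
    return sorted(k for k, v in summary["endpoints"].items() if v["sent"] and not v["answered"])
```

Run against the trace from comment 2, `silent_endpoints(summarize(TRACE))` returns all four endpoints (TCP and UDP on both address families) over roughly 40 seconds of waiting.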

Comment 6 Simo Sorce 2017-10-31 19:18:27 UTC
This is the upstream bug you are hitting, I think:
https://pagure.io/389-ds-base/issue/49410

Comment 9 Florence Blanc-Renaud 2017-11-15 10:11:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7165

Comment 10 Petr Vobornik 2017-11-21 15:52:21 UTC
Should be fixed in DS in bug 1514033. Scott, could you retry with 389-ds-base-1.3.7.5-10.el7?

Comment 11 Scott Poore 2017-11-28 03:37:01 UTC
I re-ran 10 tests to be sure and all 10 passed with no failures.  I was seeing failures about 1 in 3 before so I think we're good.  So, with no IPA changes, do we mark this dup?

Comment 12 Scott Poore 2017-11-30 14:52:54 UTC

*** This bug has been marked as a duplicate of bug 1514033 ***