Bug 2192819
| Summary: | 17.1. UNINSTALLING AN IDM CLIENT: ipa: ERROR: Ticket expired | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | nasheayahu <nasheayahu> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED NOTABUG | QA Contact: | ipa-qe |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.1 | CC: | rcritten, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-08 12:43:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
nasheayahu
2023-05-03 07:28:40 UTC
The error "Ticket expired" means that you need to acquire a kerberos ticket before running the command, because the current one expired. Kerberos tickets have a limited lifetime and you can check your ticket using

# klist -A

If the expiration date printed in the output is already reached, the ticket is not valid anymore. Can you check if your ticket is still valid and if it is already expired, obtain a new ticket using

# kinit admin

(or replace admin with your user name), then re-try the ipa dnsrecord-del command?

Sure, be right back....

----------------
If the expiration date printed in the output is already reached, the ticket is not valid anymore.
----------------
[root@kbbn7idm ~]# klist -A
Ticket cache: KCM:0
Default principal: admin
Valid starting       Expires              Service principal
04/30/2023 03:57:28  05/01/2023 03:51:46  krbtgt/KBBN-7.COM
04/30/2023 03:58:30  05/01/2023 03:51:46  HTTP/kbbn7idm.kbbn-7.com
----------------
Can you check if your ticket is still valid and if it is already expired, obtain a new ticket using
# kinit admin
(or replace admin with your user name), then re-try the ipa dnsrecord-del command?
----------------
[root@kbbn7idm ~]# kinit admin
Password for admin:
[root@kbbn7idm ~]# ipa dnsrecord-del
Record name: kbb7web.kbbn-7.com
Zone name: kbbn-7.com
ipa: ERROR: kbb7web.kbbn-7.com: DNS resource record not found

Question,
(1) do I always have to log in to run this command?
(2) getting this error brings me to the "Failed to update DNS records." during the client installation as you see the verbose messages below:
----------------
[root@kbbn7web etc]# ipa-client-install --enable-dns-updates --mkhomedir
This program will set up IPA client.
Version 4.10.0
DNS domain 'kbbn-7.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: kbbn7web.kbbn-7.com
Realm: KBBN-7.COM
DNS Domain: kbbn-7.com
IPA Server: kbbn7idm.kbbn-7.com
BaseDN: dc=kbbn-7,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=KBBN-7.COM
Issuer: CN=Certificate Authority,O=KBBN-7.COM
Valid From: 2023-04-30 09:51:45
Valid Until: 2043-04-30 09:51:45
Enrolled in IPA realm KBBN-7.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
--------------------------------------------------------------------------------
Failed to update DNS records. <<----------------------------------------------<< what may have caused this to fail, and how can I add this manually if need be?
--------------------------------------------------------------------------------
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring kbbn-7.com as NIS domain.
Configured /etc/krb5.conf for IPA realm KBBN-7.COM
Client configuration complete.
The ipa-client-install command was successful
----------------

Before using the ipa command-line tool one needs to have a valid Kerberos TGT. This can be obtained directly using kinit or it may be handled on login by SSSD. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/accessing_identity_management_services/logging-in-to-ipa-from-the-command-line_accessing-idm-services

You need to look at /var/log/ipaclient-install.log for more details on why the DNS record failed to update.

There doesn't seem to be an underlying bug here and this is turning into a more general support question. I'd prefer to close this and move this conversation to the public mailing list, https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/

Okay, thanks for your help.....
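The check the replies above prescribe (inspect the cached TGT with klist, kinit again once it has expired, then run the ipa command) as an added shell example; it is not code from the bug report or from FreeIPA. The klist listing is constructed from the report's own output, and the function names and the 60-second safety margin are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug report: check the cached Kerberos TGT
# before calling the ipa CLI, so "Ticket expired" is caught up front.

# Constructed sample of `klist -A` output, modelled on the report's listing
# (same cache, principal, realm and timestamps).
SAMPLE_KLIST='Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
04/30/2023 03:57:28  05/01/2023 03:51:46  krbtgt/KBBN-7.COM
04/30/2023 03:58:30  05/01/2023 03:51:46  HTTP/kbbn7idm.kbbn-7.com'

# Print the krbtgt expiry as seconds since the epoch, or fail if no TGT is cached.
# klist prints local time as MM/DD/YYYY HH:MM:SS; awk rewrites it to ISO form
# (YYYY-MM-DD HH:MM:SS) because that is what `date -d` parses reliably.
tgt_expiry_epoch() {
    iso=$(printf '%s\n' "$1" | awk '/krbtgt\//{
        split($3, d, "/")                       # $3/$4 = Expires date and time
        printf "%s-%s-%s %s\n", d[3], d[1], d[2], $4
        exit }')
    [ -n "$iso" ] || return 1
    date -d "$iso" +%s
}

# Succeed only if the TGT is still valid at $2 (epoch seconds) with a safety
# margin, so a ticket about to expire mid-command also counts as unusable.
TGT_MARGIN_SECS=60
tgt_valid_at() {
    expiry=$(tgt_expiry_epoch "$1") || return 1
    [ "$expiry" -gt $(( $2 + TGT_MARGIN_SECS )) ]
}

# Hypothetical wrapper for the real tool: run `ipa "$@"` only with a usable
# TGT, otherwise tell the operator which kinit to run, as advised in the report.
ipa_checked() {
    if tgt_valid_at "$(klist -A 2>/dev/null)" "$(date +%s)"; then
        ipa "$@"
    else
        echo "No valid Kerberos TGT: run 'kinit admin' (or your own user) first" >&2
        return 1
    fi
}
```

Source the file and call `ipa_checked dnsrecord-del kbbn-7.com kbb7web` in place of the bare ipa command; a missing or expired TGT then fails fast with the kinit hint instead of mid-command.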