A collection of errors encountered while installing and using FreeIPA

                                       Author: 尹正杰

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

1. ERROR DNS zone yinzhengjie.org.cn already exists in DNS and is handled by server(s): dns28.hichina.com., dns27.hichina.com.

  Cause of the error:

      According to the error message, this domain already exists and has resolution records on the two servers dns27.hichina.com and dns28.hichina.com. In fact I did purchase this domain in 2017 with a three-year term, and it is only 2018 now, so the record it refers to is indeed valid! Below is my ping of the two DNS servers named in the error message, run from the server.

[root@node100 ~]# ping dns28.hichina.com
PING dns28.hichina.com (140.205.41.20) () bytes of data.
bytes from 140.205.41.20: icmp_seq= ttl= time=30.5 ms
^C
--- dns28.hichina.com ping statistics ---
packets transmitted, received, % packet loss, time 0ms
rtt min/avg/max/mdev = 30.573/30.573/30.573/0.000 ms
[root@node100 ~]#
[root@node100 ~]# ping dns27.hichina.com
PING dns27.hichina.com (106.11.211.69) () bytes of data.
bytes from 106.11.211.69: icmp_seq= ttl= time=17.4 ms
^C
--- dns27.hichina.com ping statistics ---
packets transmitted, received, % packet loss, time 0ms
rtt min/avg/max/mdev = 17.440/17.440/17.440/0.000 ms
[root@node100 ~]#

  Solution:

    Since it says this domain already exists, I simply switched to another domain: I changed the hostname to "node100.yinzhengjie.com", rebooted the server, and continued installing FreeIPA; the error was gone!

2. ERROR Command '/usr/bin/ldapmodify -v -f /tmp/tmpmtA7b9 -H ldapi://%2fvar%2frun%2fslapd-YINZHENGJIE-COM.socket -Y EXTERNAL' returned non-zero exit status 1

  Cause of the error:

    I suspect the error was caused by missing packages.

  Solution:

    Following the official documentation: update the yum repositories, install the required dependency packages, configure hostname resolution, and reinstall; you will find the error is gone. Reference: https://www.globo.tech/learning-center/install-freeipa-centos-7/

[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding. Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR Unable to find server cert nickname in /etc/dirsrv/slapd-YINZHENGJIE-COM/dse.ldif
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status
Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r YINZHENGJIE.COM' returned non-zero exit status
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#

[root@node100 ~]# ipa-server-install --uninstall              # If you have already installed IPA-Server and want to remove it, run this command!

3. ERROR    Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1

  Cause of the error:

    The error roughly says that FreeIPA's "certmonger" service failed to start, so we can try starting the "certmonger" service by hand. Starting it manually fails as well, as shown below:

[root@node100 ~]# systemctl start certmonger.service
Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details.
[root@node100 ~]# systemctl start certmonger
Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details.
[root@node100 ~]# journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit certmonger.service has failed.
--
-- The result is failed.
Dec :: node100.yinzhengjie.com systemd[]: Unit certmonger.service entered failed state.
Dec :: node100.yinzhengjie.com systemd[]: certmonger.service failed.
Dec :: node100.yinzhengjie.com polkitd[]: Unregistered Authentication Agent for unix-process:: (system bu
Dec :: node100.yinzhengjie.com polkitd[]: Registered Authentication Agent for unix-process:: (system bus
Dec :: node100.yinzhengjie.com systemd[]: Starting Certificate monitoring and PKI enrollment...
-- Subject: Unit certmonger.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit certmonger.service has begun starting up.
Dec :: node100.yinzhengjie.com certmonger[]: -- :: [] Unable to set well-known bus name "org.fed
Dec :: node100.yinzhengjie.com certmonger[]: Error connecting to D-Bus.
Dec :: node100.yinzhengjie.com systemd[]: certmonger.service: main process exited, code=exited, status=/FAILURE
Dec :: node100.yinzhengjie.com systemd[]: Failed to start Certificate monitoring and PKI enrollment.
-- Subject: Unit certmonger.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit certmonger.service has failed.
--
-- The result is failed.
Dec :: node100.yinzhengjie.com systemd[]: Unit certmonger.service entered failed state.
Dec :: node100.yinzhengjie.com systemd[]: certmonger.service failed.
Dec :: node100.yinzhengjie.com polkitd[]: Unregistered Authentication Agent for unix-process:: (system bu
[root@node100 ~]#

[root@node100 ~]# systemctl start certmonger.service            # Start the "certmonger" service manually

[root@node100 ~]# systemctl status certmonger                # Check the status of the certmonger service!
● certmonger.service - Certificate monitoring and PKI enrollment
Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed -- :: EST; 1min 13s ago      # The start failed here!
Process: ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=/FAILURE)
Main PID: (code=exited, status=/FAILURE)
Dec :: node100.yinzhengjie.com systemd[]: Starting Certificate monitoring and PKI enrollment...
Dec :: node100.yinzhengjie.com certmonger[]: -- :: [] Unable to set well-known bus name "...-1).
Dec :: node100.yinzhengjie.com certmonger[]: Error connecting to D-Bus.        # This message tells us it failed to connect to D-Bus at startup!
Dec :: node100.yinzhengjie.com systemd[]: certmonger.service: main process exited, code=exited, status=/FAILURE
Dec :: node100.yinzhengjie.com systemd[]: Failed to start Certificate monitoring and PKI enrollment.
Dec :: node100.yinzhengjie.com systemd[]: Unit certmonger.service entered failed state.
Dec :: node100.yinzhengjie.com systemd[]: certmonger.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@node100 ~]#
[root@node100 ~]#  certmonger -S -d
-- :: [] Starting up.
-- :: [] Changing to root directory.
-- :: [] Obtaining system lock.
-- :: [] CA1('SelfSign').identify starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').certs starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').profiles starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').default_profile starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').enrollment_reqs starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').renewal_reqs starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').capabilities starts (NEED_TO_REFRESH)
-- :: [] CA1('SelfSign').encryption_certs starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').identify starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').certs starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').profiles starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').default_profile starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').enrollment_reqs starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').renewal_reqs starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').capabilities starts (NEED_TO_REFRESH)
-- :: [] CA2('IPA').encryption_certs starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').identify starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').certs starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').profiles starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').default_profile starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').enrollment_reqs starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').renewal_reqs starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').capabilities starts (NEED_TO_REFRESH)
-- :: [] CA3('certmaster').encryption_certs starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').identify starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').certs starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').profiles starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').default_profile starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').enrollment_reqs starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').renewal_reqs starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').capabilities starts (NEED_TO_REFRESH)
-- :: [] CA4('dogtag-ipa-renew-agent').encryption_certs starts (NEED_TO_REFRESH)
-- :: [] CA5('local').identify starts (NEED_TO_REFRESH)
-- :: [] CA5('local').certs starts (NEED_TO_REFRESH)
-- :: [] CA5('local').profiles starts (NEED_TO_REFRESH)
-- :: [] CA5('local').default_profile starts (NEED_TO_REFRESH)
-- :: [] CA5('local').enrollment_reqs starts (NEED_TO_REFRESH)
-- :: [] CA5('local').renewal_reqs starts (NEED_TO_REFRESH)
-- :: [] CA5('local').capabilities starts (NEED_TO_REFRESH)
-- :: [] CA5('local').encryption_certs starts (NEED_TO_REFRESH)
-- :: [] Adding disabled DBus watch on FD (for Write) for 0x7f92f6727e60.
-- :: [] Adding a watch group for FD for 0x7f92f6727e60.
-- :: [] Dequeuing FD for 0x7f92f6727e60:(nil).
-- :: [] Not queuing FD for 0x7f92f6727e60.
-- :: [] Adding enabled DBus watch on FD (for Read) for 0x7f92f6727e60.
-- :: [] Dequeuing FD for 0x7f92f6727e60:(nil).
-- :: [] Queuing FD for Read for 0x7f92f6727e60:0x7f92f672ac30.
-- :: [] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.60" is not allowed to own the service "org.fedorahosted.certmonger" due to security policies in the configuration file(-).
Error connecting to D-Bus.
[root@node100 ~]#

[root@node100 ~]# certmonger -S -d 10                # View certmonger's startup log

  Solution:

    Now that we know the problem is related to the dbus service, we can restart that service, as follows:

[root@node100 ~]# systemctl restart dbus.socket
[root@node100 ~]#
[root@node100 ~]# systemctl restart dbus.service
[root@node100 ~]#

    After the restart, we need to uninstall the half-installed IPA-Server. The steps are as follows:

[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding. Are you sure you want to continue with the uninstall procedure? [no]: yes      # Note: you must type yes here to confirm the uninstall!
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR Unable to find server cert nickname in /etc/dirsrv/slapd-YINZHENGJIE-COM/dse.ldif
Unconfiguring ipa-custodia
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#

  Then run "ipa-server-install --setup-dns" again to configure IPA-Server.

4. ERROR    DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.0014739037 seconds

  Cause analysis:

    The error message says name resolution failed, so we need to check the host's DNS configuration file; sure enough, there was an error in the configuration!

[root@node100 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 127.0.0.1          # To reproduce the problem above, this is a DNS address I deliberately got wrong!
nameserver 8.8.8.8
[root@node100 ~]#
[root@node100 ~]# vi /etc/resolv.conf
[root@node100 ~]#
[root@node100 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 172.30.1.1        # Either delete this line or point it at a correct DNS server!
nameserver 8.8.8.8
[root@node100 ~]#

  Solution:

    As described above, correcting the DNS server address resolves the problem.

5. ERROR    default_range: No local ID range and no admins group found. Cannot create default ID range

  Error analysis:

    I cannot necessarily reproduce this error! It appeared sporadically; perhaps the FreeIPA service still has some bugs. After uninstalling the previous installation and reinstalling, the error did not appear again, which is rather strange!

  Solution:

    As stated above, uninstall the existing installation and reinstall.

[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding. Are you sure you want to continue with the uninstall procedure? [no]: yes      # Uninstall the existing installation
WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements. If this server is the last instance of CA,
KRA, or DNSSEC master, uninstallation may result in data loss.
Are you sure you want to continue with the uninstall procedure? [no]: yes        # Uninstall the existing CA as well
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#

6. kinit: Configuration file does not specify default realm when parsing name admin

  Error analysis:

      This error appeared after I had successfully deployed IPA-Server and installed the Kerberos tools on another server (“[root@node101 ~]# yum -y install ipa-admintools“). Logging in to the Kerberos server failed, and the message says: "the configuration file does not specify a default realm when parsing the name admin". That looked like the configuration file's fault, and sure enough, installing "ipa-admintools" generates a "/etc/krb5.conf" configuration file.

  Solution:

    Since a configuration file named "/etc/krb5.conf" is generated, I simply copied over the same configuration file from the IPA-Server. The steps are as follows:

[root@node101 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@node101 ~]#

[root@node101 ~]# cat /etc/krb5.conf                      # Default configuration file on the client after installing "ipa-admintools"

[root@node101 ~]# hostname
node101.yinzhengjie.org.cn
[root@node101 ~]# hostname -i
172.30.1.101
[root@node101 ~]#
[root@node101 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.100 node100.yinzhengjie.com node100
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node101 ~]#
[root@node101 ~]# mv /etc/krb5.conf /etc/krb5.conf.`date +%F`
[root@node101 ~]#

[root@node101 ~]# mv /etc/krb5.conf /etc/krb5.conf.`date +%F`        # Back up the client configuration file; as an ops engineer, always keep evidence so everyone can compare later!

[root@node100 ~]# hostname
node100.yinzhengjie.com
[root@node100 ~]#
[root@node100 ~]# hostname -i
172.30.1.100
[root@node100 ~]#
[root@node100 ~]# scp /etc/krb5.conf node101.yinzhengjie.org.cn:/etc/
The authenticity of host 'node101.yinzhengjie.org.cn (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:SDslkKHyBt925hWfb2K7C+lKWcQ6PTSN3B+G5fetFQ0.
ECDSA key fingerprint is MD5:e5::dc::ee:e6:ed::de:::a8:c4:::e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password:
krb5.conf % .6MB/s :
[root@node100 ~]#
[root@node101 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YINZHENGJIE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit =
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
YINZHENGJIE.COM = {
kdc = node100.yinzhengjie.com:
master_kdc = node100.yinzhengjie.com:
admin_server = node100.yinzhengjie.com:
default_domain = yinzhengjie.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
.yinzhengjie.com = YINZHENGJIE.COM
yinzhengjie.com = YINZHENGJIE.COM
node100.yinzhengjie.com = YINZHENGJIE.COM

[dbmodules]
YINZHENGJIE.COM = {
db_library = ipadb.so
}

[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
[root@node101 ~]#

[root@node101 ~]# cat /etc/krb5.conf                    # Configuration copied over from the IPA-Server

[root@node101 ~]# kinit admin                        # After copying the IPA-Server's configuration file over, the problem is solved
Password for admin@YINZHENGJIE.COM:
[root@node101 ~]#
[root@node101 ~]# klist
Ticket cache: KEYRING:persistent::
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101 ~]#

7. IPA client is not configured on this system

  Error analysis:

    The error message says: "the IPA client is not configured on this system". So let's configure the IPA client; we can do that with the "ipa-client-install" command.

  Solution:

    When configuring with "ipa-client-install" we need to pass a few parameters. A concrete example follows (adjust the parameters to your own environment):

[root@node101 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM  --principal=admin@YINZHENGJIE.COM --enable-dns-updates
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node101.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=YINZHENGJIE.COM
Issuer: CN=Certificate Authority,O=YINZHENGJIE.COM
Valid From: -- ::
Valid Until: -- ::
Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try ]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try ]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try ]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node101.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node101.yinzhengjie.org.cn: 172.30.1.101.
Missing reverse record(s) for address(es): 172.30.1.101.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try ]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful        # This line means your configuration succeeded!
[root@node101 ~]#

   Note that the client installation log is stored by default at "/var/log/ipaclient-install.log". After the configuration succeeded, here is the command I ran to verify it:

[root@node101 ~]# ipa -h
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
--version show program's version number and exit
-h, --help Show this help message and exit
-e KEY=VAL Set environment variable KEY to VAL
-c FILE Load configuration from FILE.
-d, --debug Produce full debuging output
--delegate Delegate the TGT to the IPA server
-v, --verbose Produce more verbose output. A second -v displays the
XML-RPC request
-a, --prompt-all Prompt for ALL values (even if optional)
-n, --no-prompt Prompt for NO values (even if required)
-f, --no-fallback Only use the server configured in /etc/ipa/default.conf

See "ipa help topics" for available help topics.
See "ipa help <TOPIC>" for more information on a specific topic.
See "ipa help commands" for the full list of commands.
See "ipa <COMMAND> --help" for more information on a specific command.
[root@node101 ~]#
[root@node101 ~]#

[root@node101 ~]# ipa -h            # View the help information for ipa

8. klist: No credentials cache found (filename: /tmp/krb5cc_0)

  Error analysis:

    The message says no credentials cache was found. Normally you see this after rebooting the operating system or when you have never logged in before; it is not really an error. It only tells us there is no cached login credential, and if there is none we simply create one, which is easy: log in with kinit.

  Fix:

    Since we have not logged in before, it is simple: log in with the Kerberos kinit command, as follows:

[root@node103 ~]# kinit admin                        # Check the login; a warning message appears
kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
[root@node103 ~]#
[root@node103 ~]# kinit admin                        # Log in as the administrator
Password for admin@YINZHENGJIE.COM:
[root@node103 ~]#
[root@node103 ~]# klist                           # Check the login information again; now there is data!
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103 ~]#

9. kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials

  Error analysis:

    The error message roughly means: while obtaining initial credentials, it could not contact any KDC for the realm "YINZHENGJIE.COM". So I need to check whether this is a configuration-file problem or a network problem: verify connectivity to the KDC and that the local hostname mappings are correct!

  Solution:

    Checking the host's configuration files showed that the hostname mapping had not been done, so the KDC could not be reached; fixing the hosts mapping file resolves it. The evidence is as follows:

[root@node103 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = YINZHENGJIE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit =
#default_ccache_name = KEYRING:persistent:%{uid}

[realms]
YINZHENGJIE.COM = {
kdc = node100.yinzhengjie.com:
master_kdc = node100.yinzhengjie.com:
admin_server = node100.yinzhengjie.com:
kpasswd_server = node100.yinzhengjie.com:
default_domain = yinzhengjie.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
.yinzhengjie.com = YINZHENGJIE.COM
yinzhengjie.com = YINZHENGJIE.COM
node101.yinzhengjie.org.cn = YINZHENGJIE.COM
.yinzhengjie.org.cn = YINZHENGJIE.COM
yinzhengjie.org.cn = YINZHENGJIE.COM
[root@node103 ~]#

[root@node103 ~]# cat /etc/krb5.conf                    # From the Kerberos client configuration we can see that the KDC server address is "node100.yinzhengjie.com"

[root@node103 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
:: localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node103 ~]#
[root@node103 ~]# vi /etc/hosts
[root@node103 ~]#
[root@node103 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
:: localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.100 node100.yinzhengjie.com node100            # See that? My hosts file was written wrong! Have you ever made the same silly mistake?
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node103 ~]#
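Sections 6 and 9 share a root cause on the client side: a krb5.conf with no default_realm cannot qualify the bare principal admin, and a [realms] entry whose KDC hostname the client cannot resolve ends in "Cannot contact any KDC". The Python script below is an added example, not part of the original post or of FreeIPA, that parses a krb5.conf and an /etc/hosts table offline and reports both conditions; the sample configs are constructed from the ones shown above, and the KDC port numbers in them are assumptions, since this copy of the page lost those digits.

```python
# Constructed sample modelled on the client krb5.conf shown above; the KDC port
# numbers are assumptions (the page's copy lost its digits).
CLIENT_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = YINZHENGJIE.COM
  dns_lookup_kdc = false
[realms]
  YINZHENGJIE.COM = {
    kdc = node100.yinzhengjie.com:88
    admin_server = node100.yinzhengjie.com:749
  }
[domain_realm]
  .yinzhengjie.com = YINZHENGJIE.COM
"""
# Constructed sample: the stock krb5.conf that ipa-admintools leaves behind,
# default_realm still commented out (the failure in section 6).
STOCK_KRB5_CONF = """\
[libdefaults]
  ticket_lifetime = 24h
  # default_realm = EXAMPLE.COM
"""
# Constructed /etc/hosts tables: the broken one lists node100 under the wrong
# domain suffix, the mistake found on node103 in section 9.
HOSTS_BROKEN = """\
127.0.0.1    localhost localhost.localdomain
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
"""
HOSTS_FIXED = HOSTS_BROKEN.replace("node100.yinzhengjie.org.cn",
                                   "node100.yinzhengjie.com node100")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: value | {subkey: [values]}}}.
    Handles one level of NAME = { ... } nesting (as [realms] uses); lines without
    '=' such as includedir directives are ignored, not followed."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments/whitespace
        if line.startswith("[") and line.endswith("]"):
            section, group = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            group = None
        elif "=" in line and section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                group = conf[section].setdefault(key, {})
            elif group is not None:
                group.setdefault(key, []).append(value)   # kdc may repeat
            else:
                conf[section][key] = value
    return conf


def parse_hosts(text):
    """Map every name in an /etc/hosts table (lower-cased) to its address."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def kdc_hosts(conf, realm):
    """Distinct hostnames (port stripped) a client in `realm` will contact."""
    entry = conf.get("realms", {}).get(realm, {})
    values = [v for k in ("kdc", "master_kdc", "admin_server", "kpasswd_server")
              for v in entry.get(k, [])]
    return list(dict.fromkeys(v.rsplit(":", 1)[0] for v in values))  # host or IPv4


def diagnose(krb5_text, hosts_text):
    """Return the client-side problems behind the two kinit errors above."""
    conf, hosts = parse_krb5_conf(krb5_text), parse_hosts(hosts_text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        # kinit admin -> "Configuration file does not specify default realm"
        return ["libdefaults has no default_realm; 'admin' cannot be qualified"]
    problems = []
    for host in kdc_hosts(conf, realm):
        if host.lower() not in hosts:
            # Unless DNS resolves the name, kinit ends in "Cannot contact any KDC
            # for realm"; with dns_lookup_kdc = false there is no SRV fallback.
            problems.append(f"{host} is not in /etc/hosts; verify DNS resolves it")
    return problems
```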
