Summary of errors encountered while installing and using FreeIPA
Author: Yin Zhengjie
Copyright notice: original work, reproduction prohibited; otherwise legal liability will be pursued.
1. ERROR DNS zone yinzhengjie.org.cn already exists in DNS and is handled by server(s): dns28.hichina.com., dns27.hichina.com.
Cause of the error:
According to the error message, the domain I am using already exists in public DNS and has resolution records hosted on the two servers "dns27.hichina.com" and "dns28.hichina.com". In fact, I did buy this domain in 2017 with a 3-year term, and it is only 2018 now, so the record it refers to is indeed still valid! Below is me pinging those two DNS servers from my server.
[root@node100 ~]# ping dns28.hichina.com
PING dns28.hichina.com (140.205.41.20) 56(84) bytes of data.
64 bytes from 140.205.41.20: icmp_seq=1 ttl=128 time=30.5 ms
^C
--- dns28.hichina.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 30.573/30.573/30.573/0.000 ms
[root@node100 ~]#
[root@node100 ~]# ping dns27.hichina.com
PING dns27.hichina.com (106.11.211.69) 56(84) bytes of data.
64 bytes from 106.11.211.69: icmp_seq=1 ttl=128 time=17.4 ms
^C
--- dns27.hichina.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.440/17.440/17.440/0.000 ms
[root@node100 ~]#
Solution:
Since it says the domain already exists, I simply switched to a different domain: I changed my hostname to "node100.yinzhengjie.com", rebooted the server, and when I continued installing FreeIPA the error was gone!
2. ERROR Command '/usr/bin/ldapmodify -v -f /tmp/tmpmtA7b9 -H ldapi://%2fvar%2frun%2fslapd-YINZHENGJIE-COM.socket -Y EXTERNAL' returned non-zero exit status 1
Cause of the error:
I suspect that missing packages caused this error.
Solution:
Following the official documentation: update the yum repositories, install the required dependency packages, configure hostname resolution, and then reinstall; you will find the error is gone. Reference: https://www.globo.tech/learning-center/install-freeipa-centos-7/
[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR    Unable to find server cert nickname in /etc/dirsrv/slapd-YINZHENGJIE-COM/dse.ldif
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r YINZHENGJIE.COM' returned non-zero exit status 3
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#
3. ERROR Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
Cause of the error:
The error above roughly says that FreeIPA's "certmonger" service failed to start. So we can try starting "certmonger" by hand, and we find that the manual start fails too, as shown below:
[root@node100 ~]# systemctl start certmonger.service
Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details.
[root@node100 ~]# systemctl start certmonger
Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details.
[root@node100 ~]# journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit certmonger.service has failed.
--
-- The result is failed.
Dec 12 04:49:34 node100.yinzhengjie.com systemd[1]: Unit certmonger.service entered failed state.
Dec 12 04:49:34 node100.yinzhengjie.com systemd[1]: certmonger.service failed.
Dec 12 04:49:34 node100.yinzhengjie.com polkitd[3005]: Unregistered Authentication Agent for unix-process:31841:148777 (system bu
Dec 12 04:49:39 node100.yinzhengjie.com polkitd[3005]: Registered Authentication Agent for unix-process:31850:149247 (system bus
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: Starting Certificate monitoring and PKI enrollment...
-- Subject: Unit certmonger.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit certmonger.service has begun starting up.
Dec 12 04:49:39 node100.yinzhengjie.com certmonger[31856]: 2018-12-12 04:49:39 [31856] Unable to set well-known bus name "org.fed
Dec 12 04:49:39 node100.yinzhengjie.com certmonger[31856]: Error connecting to D-Bus.
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
-- Subject: Unit certmonger.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit certmonger.service has failed.
--
-- The result is failed.
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: Unit certmonger.service entered failed state.
Dec 12 04:49:39 node100.yinzhengjie.com systemd[1]: certmonger.service failed.
Dec 12 04:49:39 node100.yinzhengjie.com polkitd[3005]: Unregistered Authentication Agent for unix-process:31850:149247 (system bu
[root@node100 ~]#
[root@node100 ~]# systemctl status certmonger      #Check the status of the certmonger service
● certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-12-12 04:44:20 EST; 1min 13s ago      #Here it shows the start failed!
  Process: 31817 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
 Main PID: 31817 (code=exited, status=1/FAILURE)

Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: Starting Certificate monitoring and PKI enrollment...
Dec 12 04:44:20 node100.yinzhengjie.com certmonger[31817]: 2018-12-12 04:44:20 [31817] Unable to set well-known bus name "...-1).
Dec 12 04:44:20 node100.yinzhengjie.com certmonger[31817]: Error connecting to D-Bus.      #This message tells us it failed to connect to D-Bus at startup!
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: Unit certmonger.service entered failed state.
Dec 12 04:44:20 node100.yinzhengjie.com systemd[1]: certmonger.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@node100 ~]#
[root@node100 ~]# certmonger -S -d 10
2018-12-12 05:56:39 [30055] Starting up.
2018-12-12 05:56:39 [30055] Changing to root directory.
2018-12-12 05:56:39 [30055] Obtaining system lock.
2018-12-12 05:56:39 [30055] CA1('SelfSign').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA1('SelfSign').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA2('IPA').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA3('certmaster').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA4('dogtag-ipa-renew-agent').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').identify starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').profiles starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').default_profile starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').enrollment_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').renewal_reqs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').capabilities starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] CA5('local').encryption_certs starts (NEED_TO_REFRESH)
2018-12-12 05:56:39 [30055] Adding disabled DBus watch on FD 7 (for Write) for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Adding a watch group for FD 7 for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Dequeuing FD 7 for 0x7f92f6727e60:(nil).
2018-12-12 05:56:39 [30055] Not queuing FD 7 for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Adding enabled DBus watch on FD 7 (for Read) for 0x7f92f6727e60.
2018-12-12 05:56:39 [30055] Dequeuing FD 7 for 0x7f92f6727e60:(nil).
2018-12-12 05:56:39 [30055] Queuing FD 7 for Read for 0x7f92f6727e60:0x7f92f672ac30.
2018-12-12 05:56:39 [30055] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.60" is not allowed to own the service "org.fedorahosted.certmonger" due to security policies in the configuration file(-1).
Error connecting to D-Bus.
[root@node100 ~]#
Solution:
Now that we know the failure is related to the dbus service, we can restart that service, as follows:
[root@node100 ~]# systemctl restart dbus.socket
[root@node100 ~]#
[root@node100 ~]# systemctl restart dbus.service
[root@node100 ~]#
After the restart, we need to uninstall the half-installed IPA server, as follows:
[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes      #Note: you must type yes here to confirm and continue the uninstall!
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR    Unable to find server cert nickname in /etc/dirsrv/slapd-YINZHENGJIE-COM/dse.ldif
Unconfiguring ipa-custodia
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#
Then run "ipa-server-install --setup-dns" to configure the IPA server.
4. ERROR DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.0014739037 seconds
Cause analysis:
The error message says that domain name resolution failed, so we need to check the host's DNS configuration file for mistakes.
[root@node100 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 127.0.0.1      #To reproduce the problem above, I deliberately wrote a wrong DNS address here!
nameserver 8.8.8.8
[root@node100 ~]#
[root@node100 ~]# vi /etc/resolv.conf
[root@node100 ~]#
[root@node100 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain yinzhengjie.com
nameserver 172.30.1.1      #We can delete this line, or point it at a correct DNS server!
nameserver 8.8.8.8
[root@node100 ~]#
Solution:
As shown above, correcting the DNS server address fixes the problem.
5. ERROR default_range: No local ID range and no admins group found. Cannot create default ID range
Error analysis:
I cannot reliably reproduce this error, because it appeared only occasionally; perhaps FreeIPA still has some bugs. After uninstalling the existing installation and reinstalling, the error did not appear again. A very strange thing!
Solution:
As described above, uninstall the existing installation and reinstall.
[root@node100 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes      #Uninstall the existing installation

WARNING: Failed to connect to Directory Server to find information about replication agreements. Uninstallation will continue despite the possible existing replication agreements.

If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss.

Are you sure you want to continue with the uninstall procedure? [no]: yes      #Uninstall the existing CA
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@node100 ~]#
6. kinit: Configuration file does not specify default realm when parsing name admin
Error analysis:
This error appeared after I had successfully deployed the IPA server and installed the Kerberos tools on another server ("[root@node101 ~]# yum -y install ipa-admintools"). When logging in to the Kerberos server the error came up; the message says: "when parsing the name admin, the configuration file does not specify a default realm". That looks like the configuration file's fault! Sure enough, I found that installing "ipa-admintools" generates a "/etc/krb5.conf" configuration file.
Solution:
Since a configuration file named "/etc/krb5.conf" had been generated, I copied the same configuration file over from the IPA server, as follows:
[root@node101 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@node101 ~]#
[root@node101 ~]# hostname
node101.yinzhengjie.org.cn
[root@node101 ~]# hostname -i
172.30.1.101
[root@node101 ~]#
[root@node101 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.100 node100.yinzhengjie.com node100
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node101 ~]#
[root@node101 ~]# mv /etc/krb5.conf /etc/krb5.conf.`date +%F`
[root@node101 ~]#
[root@node100 ~]# hostname
node100.yinzhengjie.com
[root@node100 ~]#
[root@node100 ~]# hostname -i
172.30.1.100
[root@node100 ~]#
[root@node100 ~]# scp /etc/krb5.conf node101.yinzhengjie.org.cn:/etc/
The authenticity of host 'node101.yinzhengjie.org.cn (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:SDslkKHyBt925hWfb2K7C+lKWcQ6PTSN3B+G5fetFQ0.
ECDSA key fingerprint is MD5:e5:24:dc:52:ee:e6:ed:83:de:45:39:a8:c4:14:27:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password:
krb5.conf                                     100% 1022     1.6MB/s   00:00
[root@node100 ~]#
[root@node101 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YINZHENGJIE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node100.yinzhengjie.com:88
  master_kdc = node100.yinzhengjie.com:88
  admin_server = node100.yinzhengjie.com:749
  default_domain = yinzhengjie.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
 node100.yinzhengjie.com = YINZHENGJIE.COM

[dbmodules]
 YINZHENGJIE.COM = {
  db_library = ipadb.so
 }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
[root@node101 ~]#
[root@node101 ~]# kinit admin      #After syncing the IPA server's configuration file over, the problem is solved!
Password for admin@YINZHENGJIE.COM:
[root@node101 ~]#
[root@node101 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/13/2018 16:51:08  12/14/2018 16:51:06  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101 ~]#
7. IPA client is not configured on this system
Error analysis:
The error message says: "the IPA client is not configured on this system". So let's configure the IPA client; we can do that with the "ipa-client-install" command.
Solution:
When configuring with "ipa-client-install" we need to pass a few parameters; a concrete example follows (adjust the parameters to your own environment):
[root@node101 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM --principal=admin@YINZHENGJIE.COM --enable-dns-updates
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node101.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=YINZHENGJIE.COM
    Issuer:      CN=Certificate Authority,O=YINZHENGJIE.COM
    Valid From:  2018-12-12 11:15:53
    Valid Until: 2038-12-12 11:15:53

Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node101.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node101.yinzhengjie.org.cn: 172.30.1.101.
Missing reverse record(s) for address(es): 172.30.1.101.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful      #When this line appears, the configuration succeeded!
[root@node101 ~]#
Note: the client installation log above is stored by default in "/var/log/ipaclient-install.log". After the configuration succeeded, here is a check that the command works:
[root@node101 ~]# ipa -h
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
  --version        show program's version number and exit
  -h, --help       Show this help message and exit
  -e KEY=VAL       Set environment variable KEY to VAL
  -c FILE          Load configuration from FILE.
  -d, --debug      Produce full debuging output
  --delegate       Delegate the TGT to the IPA server
  -v, --verbose    Produce more verbose output. A second -v displays the XML-RPC request
  -a, --prompt-all Prompt for ALL values (even if optional)
  -n, --no-prompt  Prompt for NO values (even if required)
  -f, --no-fallback
                   Only use the server configured in /etc/ipa/default.conf

See "ipa help topics" for available help topics.
See "ipa help <TOPIC>" for more information on a specific topic.
See "ipa help commands" for the full list of commands.
See "ipa <COMMAND> --help" for more information on a specific command.
[root@node101 ~]#
[root@node101 ~]#
8. klist: No credentials cache found (filename: /tmp/krb5cc_0)
Error analysis:
The message says the credentials cache cannot be found. Usually this appears after you have rebooted the operating system or have never logged in before, and it does not really count as an error. It only tells us there is no cached login credential; if there is none, we simply create one, which is easy: log in with kinit.
Solution:
Since we have not logged in before, it is simple: log in with Kerberos's kinit command, as follows:
[root@node103 ~]# kinit admin      #Check the login status; a warning appears
kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
[root@node103 ~]#
[root@node103 ~]# kinit admin      #Log in as the administrator
Password for admin@YINZHENGJIE.COM:
[root@node103 ~]#
[root@node103 ~]# klist      #Check the login status again; now there is data!
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/12/2018 20:07:03  12/13/2018 20:07:00  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103 ~]#
9. kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
Error analysis:
The error message roughly says: while getting initial credentials, no KDC for the realm "YINZHENGJIE.COM" could be contacted. So I have to check whether it is a configuration file problem or a network problem: check connectivity to the KDC and whether the local hostname mapping is correct!
Solution:
Checking the host's configuration files, I found that the hostname mapping had not been done, so the connection failed; fixing the host mapping file solves it. The evidence is as follows:
[root@node103 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = YINZHENGJIE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  YINZHENGJIE.COM = {
    kdc = node100.yinzhengjie.com:88
    master_kdc = node100.yinzhengjie.com:88
    admin_server = node100.yinzhengjie.com:749
    kpasswd_server = node100.yinzhengjie.com:464
    default_domain = yinzhengjie.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .yinzhengjie.com = YINZHENGJIE.COM
  yinzhengjie.com = YINZHENGJIE.COM
  node101.yinzhengjie.org.cn = YINZHENGJIE.COM
  .yinzhengjie.org.cn = YINZHENGJIE.COM
  yinzhengjie.org.cn = YINZHENGJIE.COM
[root@node103 ~]#
[root@node103 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.100 node100.yinzhengjie.org.cn
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node103 ~]#
[root@node103 ~]# vi /etc/hosts
[root@node103 ~]#
[root@node103 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.100 node100.yinzhengjie.com node100      #See that? It was because my hosts file entry was wrong! Have you ever made the same silly mistake?
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
[root@node103 ~]#
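Three of the errors diagnosed in this post (the '. SOA' timeout from a loopback nameserver, the "does not specify default realm" kinit error from the stock krb5.conf, and "Cannot contact any KDC" from a KDC hostname that /etc/hosts could not resolve) can all be caught offline before running the installers. The script below is an added example, not code from the post or from FreeIPA; its parsers are deliberately minimal and the file bodies embedded in it are constructed to mirror the post's files.

```python
"""Offline pre-flight checks for three mistakes in this post: a loopback nameserver,
a krb5.conf without default_realm, and a KDC host missing from /etc/hosts. Added example."""
import ipaddress
import re

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def loopback_nameservers(text):
    """Nameservers pointing at the host itself: the installer's forwarder probe
    (query '. SOA') times out on these until a local resolver is running."""
    return [s for s in parse_resolv_conf(text)
            if ipaddress.ip_address(s).is_loopback]

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with a realm's '{ ... }'
    block nested under its name. Comments are dropped, so '# default_realm' stays absent."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif section is None:
            continue
        elif line.endswith("{"):          # e.g. "YINZHENGJIE.COM = {"
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            (section if block is None else block)[key] = val
    return conf

def parse_hosts(text):
    """Return {hostname: ip} for every name in an /etc/hosts body."""
    names = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            names[name.lower()] = parts[0]
    return names

def check_kerberos_client(krb5_text, hosts_text):
    """List the problems kinit would hit with this krb5.conf and hosts file."""
    conf, hosts = parse_krb5_conf(krb5_text), parse_hosts(hosts_text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]: kinit cannot parse 'admin'"]
    realm_conf = conf.get("realms", {}).get(realm)
    if not isinstance(realm_conf, dict):
        return [f"realm {realm} has no [realms] block"]
    problems = []
    for key in ("kdc", "master_kdc", "admin_server", "kpasswd_server"):
        host = realm_conf.get(key, "").split(":")[0].lower()
        if host and host not in hosts:    # DNS would then have to resolve it
            problems.append(f"{key} {host} is not in /etc/hosts")
    return problems

# Constructed inputs modelled on the post's files (not copied from it).
BAD_RESOLV = "search yinzhengjie.com\nnameserver 127.0.0.1\nnameserver 8.8.8.8\n"
STOCK_KRB5 = "[libdefaults]\n# default_realm = EXAMPLE.COM\n[realms]\n"
IPA_KRB5 = ("[libdefaults]\n default_realm = YINZHENGJIE.COM\n[realms]\n"
            " YINZHENGJIE.COM = {\n  kdc = node100.yinzhengjie.com:88\n"
            "  admin_server = node100.yinzhengjie.com:749\n }\n")
BAD_HOSTS = "172.30.1.100 node100.yinzhengjie.org.cn\n172.30.1.103 node103.yinzhengjie.org.cn\n"
GOOD_HOSTS = "172.30.1.100 node100.yinzhengjie.com node100\n172.30.1.103 node103.yinzhengjie.org.cn\n"
```

Run `check_kerberos_client` against the real `/etc/krb5.conf` and `/etc/hosts` bodies on a client before the first `kinit`; an empty list means the KDC names in the realm block are all locally resolvable.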
10.