Published 2023-06-25 (author: )
FreeIPA problem log

While installing and using FreeIPA I ran into a number of problems; they are recorded here.

1. ipa-client-install fails

Error message:

[root@hdp140 log]# ipa-client-install
... ...
Attempting to get host TGT...
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

The install log shows the real failure in the DEBUG lines:

2017-11-08T05:55:19Z DEBUG Attempt 4/5 failed.
2017-11-08T05:55:20Z DEBUG args=/usr/bin/kinit -k -t /etc/ host/@
2017-11-08T05:55:20Z DEBUG stdout=
2017-11-08T05:55:20Z DEBUG stderr=kinit: Keytab contains no suitable keys for host/@ while getting initial credentials
2017-11-08T05:55:20Z DEBUG Attempt 5/5 failed.
2017-11-08T05:55:20Z INFO Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
2017-11-08T05:55:20Z ERROR Failed to obtain host TGT.
2017-11-08T05:55:20Z ERROR Installation failed. Rolling back changes.
2017-11-08T05:55:20Z ERROR IPA client is not configured on this system.

Cause:

The log shows that kinit failed. The Kerberos configuration file under /etc/ looks like this:

[realms]
 = {
  kdc =            <-- this entry was never rewritten
  admin_server =
}

This file is written when the IPA client is installed: ipa-client-install is supposed to rewrite it, and here it did not. Looking at the log again, the name this host is using is also wrong:

2017-11-08T05:55:20Z DEBUG args=/usr/bin/kinit -k -t /etc/ host/@

The machine's correct hostname is not the one that appears in this kinit call. Apart from the local configuration, the other place that name comes from is the DNS on the server side, and the DNS data showed the problem:

[root@localhost named]# cat

Check: before running the installer, make sure that hostname -f and the PTR record for the host's IP return the same FQDN (or pass the name explicitly with ipa-client-install --hostname). The client derives its host principal from the name it resolves, so a wrong PTR makes kinit ask for a host/... principal that the keytab does not hold, which is exactly the "Keytab contains no suitable keys" above.
... ...
140 IN PTR .
141 IN PTR .
142 IN PTR .

After correcting the named configuration and restarting named, the installation on hdp140 succeeded.

2. Re-installing ipa-client after a failed install reports "Host is already joined"

Error message:

After ipa-client-install fails, running the uninstall and then the install again gives:

[root@hdp140 log]# ipa-client-install --uninstall
IPA client is not configured on this system.
[root@hdp140 log]# ipa-client-install
... ...
Password for admin@:
Joining realm failed: Host is already joined.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Fix:

Run the following on the FreeIPA server node:
First run ipa host-find:

[root@localhost log]# ipa host-find
---------------
3 hosts matched
---------------
  Host name:
  Principal name: host/@
  Password: False
  Keytab: True
  Managed by:

Find the entry for the node in question, then delete it on the server:

[root@localhost log]# ipa host-del
---------------------------------
Deleted host ""
---------------------------------

Caveat: ipa host-del removes the host entry together with its keys and any services under it, so only delete the node you are about to re-enrol. If the entry should be kept, ipa-client-install --force-join re-enrols an already joined host without deleting it first.

3. A user created through the secondary server's web UI cannot be found in the primary's web UI

Error message:

There are two FreeIPA servers (a primary and a secondary). A user created through the secondary server's web UI could not be found in the primary server's web UI. The log showed:

sasl_io_recv failed to decode packet

Cause:

The official explanation is that nsslapd-sasl-max-buffer-size is too small, so replication traffic cannot be decoded.

Fix:

1. Create an LDIF file:

[root@ipa110 /]# cat
dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152

2. Apply the file with ldapmodify:

[root@ipa110 /]# ldapmodify -h localhost -D "cn=directory manager" -w hadoop123 -f  -ZZ

When it completes, restart IPA (ipactl restart) once on both servers.

Caveat: -w puts the Directory Manager password into shell history and the process list; -W prompts for it instead. -ZZ makes the command fail if StartTLS cannot be negotiated, so the bind never goes out in clear text.

4. ipa-replica-install fails with UnboundLocalError

Error message:

The installer throws an exception; the install log shows:

Unexpected error - see /var/log/ for details:
UnboundLocalError: local variable 'replman' referenced before assignment

Fix:

[root@ipa111 /]# vi /usr/sbin/ipa-replica-install

    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    replman = None                        # <-- add this line
    try:
        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
        conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=config.dirman_password,
                     tls_cacertfile=CACERT)
        replman = ReplicationManager(config.realm_name, config.master_host_name,
                                     config.dirman_password)
        found = False
        try:
            entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn))
            print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
            print "  %% ipa host-del %s" % host
            found = True
        except errors.NotFound:

Note that this error does not occur on every run; the fix suggested online is to add that one line. It shows up only when the connection to the master fails: the except clause exits with the real message ("Unable to connect to LDAP server ..."), but the finally clause that follows this block unbinds replman.conn, and if the connect failed before replman was ever assigned, that reference raises UnboundLocalError and hides the original error. Binding replman to None before the try makes the cleanup safe.

5. ipa-client-install fails on re-installation

Error message:

[root@ysbdh03 tls]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: ):
Provide your IPA server name (ex: ):
Failed to verify that  is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Error: Connect error: TLS error -8054: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

Cause:

The client was being re-installed and part of the old configuration had not been cleaned up. For this error, delete the leftover configuration file under /etc/ipa/ and run the installer again.

NSS error -8054 is SEC_ERROR_REUSED_ISSUER_AND_SERIAL: the client still holds a CA certificate from the previous enrolment with the same issuer and serial as the one the server now presents, but with different contents, so the new one cannot be imported. ipa-client-install --uninstall normally removes this state; when it answers "IPA client is not configured" (as in problem 2) the leftover has to be removed by hand.

6. A user created in the FreeIPA web UI cannot log in on a client node

Problem:

After a user was created in FreeIPA, that user could not log in on the client. The sssd log (/var/log/sssd/ldap_) showed:

(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed

Analysis:

Raise sssd's log level to get debug output by editing /etc/sssd/:

[root@hdfs142 sssd]# vi /etc/sssd/
[domain/]
cache_credentials = True
debug_level = 9      <-- change this value

Then restart sssd:

[root@hdfs142 sssd]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@hdfs142 sssd]

Run su - user01 and look at the ldap_child log again:

(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [sss_child_krb5_trace_cb] (0x4000): [11108] 1499886555.112026: Received error from KDC: -
(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
(Wed Jul 12 12:09:15 2017) [[sssd[ldap_child[11108]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.

This shows that the error came back from the KDC. The KDC log on the server:

Jul 12 12:09:14 krb5kdc[15053](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.142: NEEDED_PREAUTH: host/
Jul 12 12:09:14 krb5kdc[15052](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 12 12:09:14 krb5kdc[15052](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.142: PREAUTH_FAILED: host/

So the client authenticated with the principal host/@ and the KDC rejected the pre-authentication. The client authenticates with the keytab under /etc/.
I then remembered that while configuring Hadoop I had exported the host/ principal to a keytab. That explains it: when a keytab is exported, Kerberos resets the principal's key, so the earlier keytab file no longer works.

Check: ipa-getkeytab generates a fresh key and bumps the key version number unless it is run in retrieve mode (-r, where the installed version supports it), so every keytab fetched earlier for that principal stops working. Compare the KVNO column of klist -kt on the client with the version the KDC now holds before looking elsewhere; "Decrypt integrity check failed" during encrypted_timestamp pre-authentication is the signature of this mismatch.
Find the keytab file that was exported and use it to replace the keytab under /etc/ on the client.
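Problems 1 and 6 are the two ways a client keytab fails against the KDC: the keytab has no entry for the principal the client asks for, or it has an entry whose key the KDC no longer accepts. The script below is an added example written for this page, not code from the original post or from FreeIPA: it parses constructed klist -kte output and a constructed krb5kdc.log excerpt shaped like the lines quoted above. The keytab path /etc/krb5.keytab, the host names hdfs141/hdfs142.example.com, the realm EXAMPLE.COM and the key version 2 are assumed values.

```python
import re
from collections import defaultdict

# Constructed `klist -kte /etc/krb5.keytab` output for a client (assumed
# path, host name, realm and kvno; not taken from the original post).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/11/2017 10:03:11 host/hdfs142.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/11/2017 10:03:11 host/hdfs142.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Constructed krb5kdc.log excerpt shaped like the lines quoted in problem 6,
# with an assumed principal and realm filled in, plus one unrelated success.
KDC_LOG = """\
Jul 12 12:09:14 krb5kdc[15053](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.142: NEEDED_PREAUTH: host/hdfs142.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 12 12:09:14 krb5kdc[15052](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jul 12 12:09:14 krb5kdc[15052](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.142: PREAUTH_FAILED: host/hdfs142.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jul 12 12:10:02 krb5kdc[15052](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.141: ISSUE: authtime 1499886602, etypes {rep=18 tkt=18 ses=18}, host/hdfs141.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# One klist entry: "<kvno> <date> <time> <principal> (<etype>)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# A failed AS_REQ: "... <client ip>: PREAUTH_FAILED: <client> for <server>, <reason>".
PREAUTH_FAILED = re.compile(
    r"AS_REQ .*? (\d+\.\d+\.\d+\.\d+): PREAUTH_FAILED: (\S+) for \S+, (.*)$")


def parse_klist(text):
    """Map each principal in `klist -kte` output to its [(kvno, etype)] entries."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(keys)


def missing_host_key(keys, fqdn, realm):
    """Problem 1: `kinit -k` reports 'no suitable keys' when the keytab holds no
    entry for host/<fqdn>@REALM. Returns the principal it looked for, or None."""
    want = "host/%s@%s" % (fqdn, realm)
    return None if want in keys else want


def stale_key_principals(log):
    """Problem 6: PREAUTH_FAILED with 'Decrypt integrity check failed' means the
    client encrypted its timestamp with a key the KDC no longer holds, i.e. the
    keytab predates the last key regeneration. Returns {(client_ip, principal)}."""
    found = set()
    for line in log.splitlines():
        m = PREAUTH_FAILED.search(line)
        if m and "Decrypt integrity check failed" in m.group(3):
            found.add((m.group(1), m.group(2)))
    return found


def diagnose(klist_text, kdc_log, fqdn, realm):
    """Combine both checks into a list of findings for one client."""
    findings = []
    keys = parse_klist(klist_text)
    want = missing_host_key(keys, fqdn, realm)
    if want:
        findings.append("keytab has no key for %s; check that hostname -f and the "
                        "PTR record agree before re-enrolling" % want)
    for ip, princ in sorted(stale_key_principals(kdc_log)):
        kvnos = sorted({kvno for kvno, _ in keys.get(princ, [])})
        findings.append("KDC rejected %s from %s: keytab kvno %s is stale, replace "
                        "the keytab with the one last exported" % (princ, ip, kvnos))
    return findings


if __name__ == "__main__":
    for f in diagnose(KLIST_OUTPUT, KDC_LOG, "hdfs142.example.com", "EXAMPLE.COM"):
        print(f)
```

In real use, feed it the output of klist -kte on the client and the krb5kdc.log from the server; the client IP in the PREAUTH_FAILED line tells you which node's keytab to replace when several hosts share a realm.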
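The one-line fix in problem 4 works because of how Python treats a name that is assigned inside a try block and read again in the finally clause. The following is an added illustration written for this page, not FreeIPA's code: a cut-down model of that installer block, in which the finally clause unbinds replman.conn the way the installer's cleanup does. ConnectError, FakeConn and FakeReplicationManager are stand-ins for the LDAP error, the connection and ReplicationManager.

```python
class ConnectError(Exception):
    """Stand-in for the LDAP connection error the installer catches."""


class FakeConn:
    """Stand-in for the ldap2 connection; only records whether it was unbound."""

    def __init__(self):
        self.unbound = False

    def unbind(self):
        self.unbound = True


class FakeReplicationManager:
    """Stand-in for ReplicationManager: it owns the connection to clean up."""

    def __init__(self, conn):
        self.conn = conn


def connect(fail):
    """Model of conn.connect(): either returns a connection or raises."""
    if fail:
        raise ConnectError("Unable to connect to LDAP server")
    return FakeConn()


def replica_check_buggy(fail_connect):
    """Original shape: replman is first bound inside the try block."""
    try:
        conn = connect(fail_connect)
        replman = FakeReplicationManager(conn)
        return replman
    except ConnectError:
        # The installer reports the real problem here ...
        raise SystemExit("\nUnable to connect to LDAP server")
    finally:
        # ... but if connect() raised, replman was never bound, and this
        # read raises UnboundLocalError, which replaces the SystemExit.
        if replman and replman.conn:
            replman.conn.unbind()


def replica_check_fixed(fail_connect):
    """The one-line fix: bind the name before entering the try block."""
    replman = None
    try:
        conn = connect(fail_connect)
        replman = FakeReplicationManager(conn)
        return replman
    except ConnectError:
        raise SystemExit("\nUnable to connect to LDAP server")
    finally:
        # None is falsy, so the cleanup is skipped when there is nothing to clean.
        if replman and replman.conn:
            replman.conn.unbind()


def outcome(func, fail_connect):
    """Run one variant and report the class of what came out of it."""
    try:
        return type(func(fail_connect)).__name__
    except BaseException as exc:  # SystemExit is not an Exception subclass
        return type(exc).__name__


if __name__ == "__main__":
    for variant in (replica_check_buggy, replica_check_fixed):
        print(variant.__name__, "connect fails ->", outcome(variant, True))
```

With a working connection both variants behave the same, which is why the author saw the error only sometimes; with a failed connection the buggy variant surfaces UnboundLocalError instead of the "Unable to connect" message the installer meant to print.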
Publisher: admin. Please credit the source when reposting: http://www.yc00.com/news/1687692938a32205.html