[Freeipa-users] DNS discovery failed to determine your DNS domain
Pete Brown
rendhalver at gmail.com
Mon May 20 03:38:37 UTC 2013
On 19 May 2013 02:57, Endre Karlson <endre.karlson at gmail.com> wrote:
> So I am trying to enroll Ubuntu into FreeIPA.
>
> But I am getting a number of issues:
> 1. DNS autodiscovery isn't working.
> 2. certutils fails at the end?
>
> In my setup I currently have 1 IPA server running DNS and all of it.
>
> What can be wrong?
>
I have to ask.
Is the host you are enrolling using the DNS server from FreeIPA?
If it is, it should find the SRV records and set it up.
See further comments inline.
>
> Endre.
>
> sudo ipa-client-install -d --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None,
> 'preserve_sssd': False, 'server': None, 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'permit': False, 'debug': True,
> 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended':
> None, 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [ipadnssearchldap(coretrek.net)]
> root : DEBUG [ipadnssearchldap(net)]
> root : DEBUG [ipadnssearchldap(coretrek.net)]
> root : DEBUG [ipadnssearchldap(net)]
> root : DEBUG Domain not found
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): coretrek.net
> root : DEBUG will use domain: coretrek.net
>
> root : DEBUG [ipadnssearchldap]
> root : DEBUG IPA Server not found
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com):
> st-vidm001.coretrek.net
> root : DEBUG will use server: st-vidm001.coretrek.net
>
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmp1RBeGA/ca.crt -T 15
> -t 2 http://st-vidm001.coretrek.net/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2013-05-18 18:40:05--
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)...
> 172.16.200.5
> Connecting to st-vidm001.coretrek.net (st-vidm001.coretrek.net)|172.16.200.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/tmp/tmp1RBeGA/ca.crt'
>
> 0K . 100% 69.1M=0s
>
> 2013-05-18 18:40:05 (69.1 MB/s) - `/tmp/tmp1RBeGA/ca.crt' saved [1321/1321]
>
>
> root : DEBUG Init ldap with: ldap://st-vidm001.coretrek.net:389
> root : DEBUG Search LDAP server for IPA base DN
> root : DEBUG Check if naming context 'dc=coretrek,dc=net' is for
> IPA
> root : DEBUG Naming context 'dc=coretrek,dc=net' is a valid IPA
> context
> root : DEBUG Search for (objectClass=krbRealmContainer) in
> dc=coretrek,dc=net(sub)
> root : DEBUG Found: [('cn=CORETREK.NET,cn=kerberos,dc=coretrek,dc=net',
> {'krbSubTrees': ['dc=coretrek,dc=net'], 'cn': ['CORETREK.NET'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
> 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'],
> 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
>
> The failure to use DNS to find your IPA server indicates that your
> resolv.conf file is not properly configured.
>
This message would suggest it isn't using the DNS server on your FreeIPA
server.
>
> Autodiscovery of servers for failover cannot work with this configuration.
>
> If you proceed with the installation, services will be configured to always
> access the discovered server for all operation and will not fail over to
> other servers in case of failure.
>
> Proceed with fixed values and no DNS discovery? [no]: yes
> root : DEBUG will use cli_realm: CORETREK.NET
>
> root : DEBUG will use cli_basedn: dc=coretrek,dc=net
>
> Hostname: st-posctrl001.coretrek.net
> Realm: CORETREK.NET
> DNS Domain: coretrek.net
> IPA Server: st-vidm001.coretrek.net
> BaseDN: dc=coretrek,dc=net
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> root : DEBUG will use principal: admin
>
> root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2013-05-18 18:40:28--
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)...
> 172.16.200.5
> Connecting to st-vidm001.coretrek.net (st-vidm001.coretrek.net)|172.16.200.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
> 0K . 100% 66.7M=0s
>
> 2013-05-18 18:40:28 (66.7 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
>
>
> Synchronizing time with KDC...
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root : DEBUG stdout=
> root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root : DEBUG stdout=
> root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root : DEBUG stdout=
> root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> root : DEBUG Writing Kerberos configuration to /tmp/tmpdGLoJb:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = CORETREK.NET
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> CORETREK.NET = {
> kdc = st-vidm001.coretrek.net:88
> admin_server = st-vidm001.coretrek.net:749
> default_domain = coretrek.net
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .coretrek.net = CORETREK.NET
> coretrek.net = CORETREK.NET
>
>
> Password for admin at CORETREK.NET:
>
> root : DEBUG args=kinit admin at CORETREK.NET
> root : DEBUG stdout=Password for admin at CORETREK.NET:
>
> root : DEBUG stderr=
>
> root : DEBUG args=/usr/sbin/ipa-join -s st-vidm001.coretrek.net-b dc=coretrek,dc=net -d
> root : DEBUG stdout=
> root : DEBUG stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>st-posctrl001.coretrek.net</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>3.2.0-43-generic</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> XML-RPC RESPONSE:
>
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> <value><string>fqdn=st-posctrl001.coretrek.net
> ,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
> <value><struct>\n
> <member>\n
> <name>dn</name>\n
> <value><string>fqdn=st-posctrl001.coretrek.net
> ,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=CORETREK.NET</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbextradata</name>\n
> <value><array><data>\n
> <value><base64>\n
> AAKuqZdRaG9zdC9zdC1wb3NjdHJsMDAxLmNvcmV0cmVrLm5ldEBDT1JFVFJFSy5ORVQA\n
> </base64></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>cn</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>ieee802device</string></value>\n
> <value><string>ipasshhost</string></value>\n
> <value><string>top</string></value>\n
> <value><string>ipaSshGroupOfPubKeys</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managing_host</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krblastsuccessfulauth</name>\n
> <value><array><data>\n
> <value><string>20130518162120Z</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>88f1ad52-bfd2-11e2-81f5-525400d79980</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/st-posctrl001.coretrek.net at CORETREK.NET
> </string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>serverhostname</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>enrolledby_user</name>\n
> <value><array><data>\n
> <value><string>admin</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=CORETREK.NET
> Enrolled in IPA realm CORETREK.NET
> root : DEBUG args=kdestroy
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG Backing up system configuration file
> '/etc/ipa/default.conf'
> root : DEBUG -> Not backing up - '/etc/ipa/default.conf'
> doesn't exist
> Created /etc/ipa/default.conf
> root : DEBUG Backing up system configuration file
> '/etc/sssd/sssd.conf'
> root : DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Domain coretrek.net is already configured in existing SSSD config,
> creating a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during
> uninstall.
> root : DEBUG Domain coretrek.net is already configured in
> existing SSSD config, creating a new one.
> Configured /etc/sssd/sssd.conf
> root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA
> CA -t CT,C,C -a -i /etc/ipa/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=certutil: function failed: The
> certificate/key database is in an old, unsupported format.
>
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 1292, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 1279, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 1124, in install
> run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA
> CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
> File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273,
> in run
> raise CalledProcessError(p.returncode, args)
> subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d
> /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero
> exit status 255
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
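As an added diagnostic, not part of Pete's or Endre's messages and not FreeIPA project code: a small shell script that checks the two things the reply above points at, namely whether the client's resolv.conf lists the IPA server as a nameserver, and whether the SRV records ipa-client-install discovers (`_ldap._tcp`, `_kerberos._tcp`, `_kerberos._udp`) resolve to the IPA server. The domain `coretrek.net`, the server `st-vidm001.coretrek.net` and its address `172.16.200.5` are taken from the quoted log; `dig` is assumed to be installed for the live check; every sample resolver line in the functions' comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check why IPA DNS discovery fails.
# Assumed values from the quoted log: domain coretrek.net, IPA server
# st-vidm001.coretrek.net at 172.16.200.5. Sample inputs are constructed.

# Print every nameserver address in a resolv.conf-style file ($1).
list_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Exit 0 if the IPA server address ($2) is one of the nameservers in file $1.
# -F/-x: literal, whole-line match so "172.16.200.5" cannot match "172.16.200.50".
resolver_uses_ipa() {
  list_nameservers "$1" | grep -qxF "$2"
}

# Read "dig +short SRV" output on stdin (constructed sample line:
# "0 100 389 st-vidm001.coretrek.net.") and print the target hosts
# without the trailing dot, one per line.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Exit 0 if SRV target list on stdin contains the expected IPA server ($1).
srv_points_at() {
  srv_targets | grep -qxF "$1"
}

# Live check (needs dig): query the SRV records ipa-client-install looks for
# under domain $1 and report whether each names the IPA server $2.
check_ipa_srv() {
  domain="$1"; server="$2"; rc=0
  for rec in _ldap._tcp _kerberos._tcp _kerberos._udp; do
    if dig +short SRV "$rec.$domain" | srv_points_at "$server"; then
      echo "ok      $rec.$domain -> $server"
    else
      echo "MISSING $rec.$domain (no SRV record naming $server)"
      rc=1
    fi
  done
  return $rc
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
  if resolver_uses_ipa /etc/resolv.conf 172.16.200.5; then
    echo "resolv.conf uses the IPA DNS server"
  else
    echo "resolv.conf does NOT list 172.16.200.5; discovery will fail"
  fi
  check_ipa_srv coretrek.net st-vidm001.coretrek.net
fi
```

Run it as `sh check-ipa-dns.sh --live` on the client being enrolled. If the resolver check fails, the client is asking some other DNS server for `coretrek.net`, which is exactly the situation the installer describes with "resolv.conf file is not properly configured"; if the resolver check passes but the SRV lines come back MISSING, the IPA zone itself lacks the records and the client will be configured with fixed values and no failover.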