[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

Martin Basti mbasti at redhat.com
Mon Feb 2 15:17:49 UTC 2015


On 02/02/15 16:07, Martin Basti wrote:
> On 02/02/15 14:13, Gerardo Cuppari wrote:
>> Hello! I am trying to enroll one host to my IPA server (4.1.2) and I 
>> am having one problem: the ipa-client-install script keeps giving me 
>> errors at the "forwarding ping to json server" step.
>>
>> My configuration is:
>> - server.estudio.local, 192.168.56.2, Fedora Server 21, ipa 4.1.2
>> - pc01.estudio.local, 192.168.56.106, Fedora Works. 21
>>
>> Both have firewalld down (just to test) and can reach each other. 
>> I've been trying to get this working without success (solved other 
>> minor issues) and so I'm asking for your help.
>> The only way I can make it work is by adding the --force switch to 
>> ipa-client-install script but, that way, it just disregards errors.
>>
>> Thanks in advance!!!
>>
>> Here are my tests:
>>
>> SERVER
>> ======
>> [root at server ~]# ipa ping
>> -------------------------------------------
>> IPA server version 4.1.2. API version 2.109
>> -------------------------------------------
>>
>> CLIENT
>> ======
>> [root at pc01 ~]# dig server
>>
>> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;server.            IN      A
>>
>> ;; Query time: 10 msec
>> ;; SERVER: 192.168.56.2#53(192.168.56.2)
>> ;; WHEN: lun feb 02 09:51:07 ART 2015
>> ;; MSG SIZE  rcvd: 35
>>
>> ***********************************************
>>
>> [root at pc01 ~]# nslookup server
>> Server:         192.168.56.2
>> Address:  192.168.56.2#53
>>
>> Name:   server.estudio.local
>> Address: 192.168.56.2
>>
>> ***********************************************
>>
>> Here I disable chronyd so I can run the script without NTP sync errors:
>>
>> [root at pc01 ~]# systemctl disable chronyd
>> Removed symlink 
>> /etc/systemd/system/multi-user.target.wants/chronyd.service.
>> [root at pc01 ~]# service chronyd stop
>> Redirecting to /bin/systemctl stop  chronyd.service
>>
>> ***********************************************
>>
>> Without having "server.estudio.local" on /etc/hosts file:
>>
>> [root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir 
>> --ssh-trust-dns
>> Skip server.estudio.local: cannot verify if this is an IPA server
>> Provide your IPA server name (ex: ipa.example.com 
>> <http://ipa.example.com>):
>> Skip server.estudio.local: cannot verify if this is an IPA server
>> Failed to verify that server.estudio.local is an IPA Server.
>> This may mean that the remote server is not up or is not reachable 
>> due to network or firewall settings.
>> Please make sure the following ports are opened in the firewall settings:
>>      TCP: 80, 88, 389
>>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working 
>> properly after enrollment:
>>      TCP: 464
>>      UDP: 464, 123 (if NTP enabled)
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>>
>> ***********************************************
>>
>> Here I added hostname and IP address to /etc/hosts file (don't know 
>> why it doesn't work without it):
>>
>> [root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir 
>> --ssh-trust-dns
>> Discovery was successful!
>> Hostname: pc01.estudio.local
>> Realm: ESTUDIO.LOCAL
>> DNS Domain: estudio.local
>> IPA Server: server.estudio.local
>> BaseDN: dc=estudio,dc=local
>>
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> User authorized to enroll computers: admin
>> Password for admin at ESTUDIO.LOCAL:
>> Successfully retrieved CA cert
>>     Subject: CN=Certificate Authority,O=ESTUDIO.LOCAL
>>     Issuer:  CN=Certificate Authority,O=ESTUDIO.LOCAL
>>     Valid From:  Fri Jan 30 12:02:01 2015 UTC
>>     Valid Until: Tue Jan 30 12:02:01 2035 UTC
>>
>> Enrolled in IPA realm ESTUDIO.LOCAL
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
>> trying https://server.estudio.local/ipa/json
>> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
>> Cannot connect to the server due to Kerberos error: Kerberos error: 
>> ('Unspecified GSS failure.  Minor code may provide more information', 
>> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", 
>> -1765328228). Trying with delegate=True
>> trying https://server.estudio.local/ipa/json
>> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
>> Second connect with delegate=True also failed: Kerberos error: 
>> ('Unspecified GSS failure.  Minor code may provide more information', 
>> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
>> Cannot connect to the IPA server RPC interface: Kerberos error: 
>> ('Unspecified GSS failure.  Minor code may provide more information', 
>> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command 
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
>> exit status 255
>> Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el 
>> fichero o el directorio: '/etc/ipa/nssdb/cert8.db'
>> Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el 
>> fichero o el directorio: '/etc/ipa/nssdb/key3.db'
>> Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el 
>> fichero o el directorio: '/etc/ipa/nssdb/secmod.db'
>> Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el 
>> fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
>> Unenrolling client from IPA server
>> Unenrolling host failed: Error getting default Kerberos realm: 
>> host/domain name not found.
>>
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
>> /etc/sssd/sssd.conf.deleted
>> Restoring client configuration files
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>>
>> ***********************************************
>>
>>
>>
> Hello
>
> dig returns SERVFAIL; it may be the issue.

You used dig with the wrong name; could you please run dig server.estudio.local 
and send the result?

>
> Can you please check /etc/named.conf on the server to see if there is 
> dnssec-validation true?
> If yes, please set dnssec-validation to no, because you use the domain 
> name .local; it may cause trouble.
>
> If troubles persist, please send journalctl -u named-pkcs11 log.
>
> Martin^2
>
> -- 
> Martin Basti
>
>


-- 
Martin Basti
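The checks Martin asks for (query the server by its FQDN rather than the short name, read the dig rcode, look for dnssec-validation in named.conf on the server, and confirm the ports ipa-client-install lists are reachable) collected into one script. This is an added example, not FreeIPA's own tooling or anything from the thread; the hostname, IP and config path are taken from the thread as defaults and can be overridden through environment variables, and the two dig outputs embedded below are constructed samples (the SERVFAIL one mirrors Gerardo's output) so the parsing can be exercised offline.

```shell
#!/bin/bash
# Pre-enrollment DNS/port checks for an IPA client. Added example, not
# FreeIPA code. Defaults below are assumptions taken from the thread.

IPA_SERVER="${IPA_SERVER:-server.estudio.local}"   # FQDN, not "server"
IPA_SERVER_IP="${IPA_SERVER_IP:-192.168.56.2}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"         # checked on the IPA server

# Print the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the addresses of the A records in dig output on stdin (comment lines skipped).
dig_a_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5 }'
}

# Classify one dig run given as $1:
#   0 = NOERROR and an A record equal to IPA_SERVER_IP
#   1 = rcode is not NOERROR (SERVFAIL as in the thread lands here)
#   2 = NOERROR but no A record for the expected address
classify_dig() {
    status=$(printf '%s\n' "$1" | dig_status)
    [ "$status" = "NOERROR" ] || return 1
    addrs=$(printf '%s\n' "$1" | dig_a_records)
    if printf '%s\n' "$addrs" | grep -qxF "$IPA_SERVER_IP"; then return 0; else return 2; fi
}

# 0 if the named.conf given as $1 enables DNSSEC validation (yes/auto/true/1).
# Lines commented with // or # do not match because the keyword must lead the line.
named_dnssec_validation_on() {
    grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+(yes|auto|true|1)[[:space:]]*;' "$1"
}

# TCP reachability for the ports ipa-client-install lists (80, 88, 389 for
# enrollment; 464 afterwards). Uses bash's /dev/tcp, so this part needs bash.
check_tcp_ports() {
    rc=0
    for port in 80 88 389 464; do
        if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$port" 2>/dev/null; then
            echo "tcp/$port open on $1"
        else
            echo "tcp/$port NOT reachable on $1"; rc=1
        fi
    done
    return $rc
}

# Constructed sample outputs (not real captures) used to exercise the parsers.
SAMPLE_SERVFAIL=$(cat <<'EOF'
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;server.            IN      A
EOF
)
SAMPLE_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;server.estudio.local.        IN      A
;; ANSWER SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2
EOF
)

# Live run: dig the FQDN, report, then the named.conf and port checks.
main() {
    out=$(dig "$IPA_SERVER" A)
    classify_dig "$out"
    case $? in
        0) echo "DNS: $IPA_SERVER -> $IPA_SERVER_IP OK" ;;
        1) echo "DNS: rcode $(printf '%s\n' "$out" | dig_status); check dnssec-validation in $NAMED_CONF on the server" ;;
        2) echo "DNS: $IPA_SERVER resolves, but not to $IPA_SERVER_IP" ;;
    esac
    if [ -r "$NAMED_CONF" ] && named_dnssec_validation_on "$NAMED_CONF"; then
        echo "$NAMED_CONF: dnssec-validation is on; for a .local domain set it to no"
    fi
    check_tcp_ports "$IPA_SERVER"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it on the client as `bash ipa-precheck.sh run` (the functions alone can be sourced for testing); the named.conf check only fires when the file is readable, i.e. when the script runs on the IPA server itself. A SERVFAIL for the FQDN points at the resolver, which is why the script tells you to look at dnssec-validation, whereas NXDOMAIN or a wrong address would point at the zone data instead.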
