[Freeipa-users] ipa-client-install failure

Roberto Cornacchia roberto.cornacchia at gmail.com
Thu Mar 19 20:46:07 UTC 2015


Hi,

This should really work like a charm, and I'm sure it is a stupid mistake
of mine if it doesn't, but I really can't find out what goes wrong.

Both IPA server and client are on FC21, very up to date.
Server installation (standard, with dns) worked well. Required ports open
in the firewall. Everything seems to work.

I did try to use the IPA server as a DNS (with forwarders) and NTP server
from non-IPA clients, with no problem.
I also tried to use it as an LDAP server from a non-Fedora machine (a
Synology). It worked well and I could see users.

When trying to enroll a client, the enrollment itself seems to succeed, but:
- Unable to sync time with NTP server
- Unable to update DNS
- Unable to find users

I include below the short installation log (I changed the real domain into
hq.example.com), and in attachment, the full log with debug on.

From the debug log, about the DNS update failure, I can see this:

  ; Communication with 192.168.0.72#53 failed: operation canceled
  could not reach any name server

I'm not sure what communication problem this could be, as the server (which
is both the IPA and the DNS servers), clearly can be reached.

Any idea where to look at?

Thanks,
Roberto


[root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd --hostname=meson.hq.example.com
Discovery was successful!
Hostname: meson.hq.example.com
Realm: HQ.EXAMPLE.COM
DNS Domain: hq.example.com
IPA Server: ipa.hq.example.com
BaseDN: dc=hq,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
*Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.*
User authorized to enroll computers: admin
Password for admin@HQ.EXAMPLE.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
    Valid From:  Mon Mar 16 18:44:35 2015 UTC
    Valid Until: Fri Mar 16 18:44:35 2035 UTC

Enrolled in IPA realm HQ.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
trying https://ipa.hq.example.com/ipa/json
Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (meson.hq.example.com) not found in DNS
*Failed to update DNS records.*
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
*Could not update DNS SSHFP records.*
SSSD enabled
Configured /etc/openldap/ldap.conf
*Unable to find 'admin' user with 'getent passwd admin@hq.example.com'!*
*Unable to reliably detect configuration. Check NSS setup manually.*
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring hq.example.com as NIS domain.
Client configuration complete.
Attachment: ipa-client-install_debug.log (text/x-log, 92883 bytes)
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150319/f0fc10e6/attachment.bin>
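Added example (not code from the original post or from the FreeIPA project): the three warnings in the install output above share a pattern worth separating before digging through the debug log. The steps that failed (NTP sync, the DNS A/SSHFP updates) depend on UDP ports 123 and 53 on the server, while the steps that succeeded (CA retrieval, the JSON API, LDAP) run over TCP. The script below maps each warning line to the transport it needs, then, when run with --live on the enrolling client, probes those ports with short timeouts and checks whether the resolver even points at the IPA server. The sample warning lines are a constructed copy of the output in the post; the server name, the 192.168.0.72 address from the quoted debug log, and the presence of dig (bind-utils), ntpdate (ntp) and getent on the client are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA.
# Triage the warnings ipa-client-install printed and run the matching
# live probes from the enrolling client, separating "UDP filtered"
# (NTP/123, DNS/53) from "service broken" (SSSD/LDAP).
#
# Assumptions: the IPA server is ipa.hq.example.com at 192.168.0.72 (the
# address in the quoted debug log), the DNS domain is hq.example.com, and
# dig (bind-utils), ntpdate (ntp) and getent are installed on the client.
IPA_SERVER="${IPA_SERVER:-ipa.hq.example.com}"
IPA_SERVER_IP="${IPA_SERVER_IP:-192.168.0.72}"
IPA_DOMAIN="${IPA_DOMAIN:-hq.example.com}"

# Constructed sample: the warning lines from the install output in the post.
SAMPLE_LOG=$(cat <<'EOF'
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Hostname (meson.hq.example.com) not found in DNS
Failed to update DNS records.
Could not update DNS SSHFP records.
Unable to find 'admin' user with 'getent passwd admin@hq.example.com'!
Unable to reliably detect configuration. Check NSS setup manually.
Client configuration complete.
EOF
)

# Map each known warning to the transport, port and check it depends on.
# Output: one "proto port check" line per distinct finding, sorted.
triage_log() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"Unable to sync time with IPA NTP server"*) echo "udp 123 ntp" ;;
            *"not found in DNS"*)                        echo "udp 53 dns-lookup" ;;
            *"Failed to update DNS records"*|*"Could not update DNS SSHFP"*)
                                                         echo "udp 53 dns-update" ;;
            *"Unable to find "*" user with "*)           echo "tcp 389 sssd-ldap" ;;
        esac
    done | LC_ALL=C sort -u
}

# 0 if the first nameserver in the given resolv.conf text is the IPA server.
# The dynamic A/SSHFP updates are sent to the zone's own server, so a client
# that resolves through some other DNS server will not find its own name.
resolver_points_at_ipa() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$IPA_SERVER_IP" ]
}

# Live probes; each returns 0 on success. Short timeouts so a filtered
# port shows up as a quick failure rather than a hang.
check_dns_udp() { dig @"$IPA_SERVER_IP" "$IPA_SERVER" A +time=2 +tries=1 >/dev/null 2>&1; }
check_dns_tcp() { dig @"$IPA_SERVER_IP" "$IPA_SERVER" A +tcp +time=2 +tries=1 >/dev/null 2>&1; }
check_ntp_udp() { ntpdate -q -t 2 "$IPA_SERVER" >/dev/null 2>&1; }
check_sssd_user() { getent passwd "admin@$IPA_DOMAIN" >/dev/null 2>&1; }

# Run the probes the triage selected and print one verdict per check.
run_checks() {
    triage_log "$1" | while read -r proto port check; do
        case "$check" in
            ntp)
                if check_ntp_udp; then echo "ok   $check: $proto/$port answers"
                else echo "FAIL $check: no NTP reply from $IPA_SERVER on $proto/$port"; fi ;;
            dns-*)
                if check_dns_udp; then echo "ok   $check: $proto/$port answers"
                elif check_dns_tcp; then echo "FAIL $check: tcp/53 works but udp/53 does not; UDP is filtered"
                else echo "FAIL $check: $IPA_SERVER_IP answers neither udp/53 nor tcp/53"; fi ;;
            sssd-ldap)
                if check_sssd_user; then echo "ok   $check: admin@$IPA_DOMAIN resolves"
                else echo "FAIL $check: check 'journalctl -u sssd' and /var/log/sssd/"; fi ;;
        esac
    done
}

# Offline by default: print the triage. Pass --live on the client to probe.
triage_log "$SAMPLE_LOG"
if [ "${1:-}" = "--live" ]; then
    resolver_points_at_ipa "$(cat /etc/resolv.conf)" \
        || echo "WARN resolver: first nameserver in /etc/resolv.conf is not $IPA_SERVER_IP"
    run_checks "$SAMPLE_LOG"
fi
```

Run it without arguments to see which transports the warnings implicate; run it as root on the client with --live to probe them. If udp/53 fails while tcp/53 works, the DNS server itself is fine and the filter (on the server host or in between) is what to look at; the NTP probe fails the same way when udp/123 is filtered. A getent failure with the UDP probes passing points at SSSD or nsswitch instead.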


More information about the Freeipa-users mailing list