[Freeipa-users] ipa-client-install failure
Dmitri Pal
dpal at redhat.com
Thu Mar 19 23:53:34 UTC 2015
On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
> Yes.
>
> [root at meson ~]# cat /etc/resolv.conf
> search hq.example.com
> nameserver 192.168.0.72
>
> Sorry, from the short log I posted it's not visible, but that IP
> address is the address of the IPA server (ipa.hq.example.com)
>
> [root at meson ~]# dig ipa.hq.spinque.com
>
> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa.hq.example.com.		IN	A
>
> ;; ANSWER SECTION:
> ipa.hq.example.com.	1200	IN	A	192.168.0.72
>
> ;; AUTHORITY SECTION:
> hq.example.com.		86400	IN	NS	ipa.hq.example.com.
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.0.72#53(192.168.0.72)
> ;; WHEN: Thu Mar 19 22:02:04 CET 2015
> ;; MSG SIZE rcvd: 83
OK, so you can in fact look up the server.
Have you opened all required ports for LDAP, Kerberos and the other
protocols in the firewall, both UDP and TCP?
>
>
> On 19 March 2015 at 21:55, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>> Hi,
>>
>> This should really work like a charm, and I'm sure it is a stupid
>> mistake of mine if it doesn't, but I really can't find out what
>> goes wrong.
>>
>> Both IPA server and client are on FC21, very up to date.
>> Server installation (standard, with dns) worked well. Required
>> ports open in the firewall. Everything seems to work.
>>
>> I did try to use the IPA server as a DNS (with forwarders) and
>> NTP server from non-ipa clients, no problem.
>> I also tried to use it as LDAP server, from a non-Fedora machine
>> (a Synology). It worked well and I could see users.
>>
>> When trying to enroll a client, the enrollment itself seems to
>> succeed, but:
>> - Unable to sync time with NTP server
>> - Unable to update DNS
>> - Unable to find users
>>
>> I include below the short installation log (I changed the real
>> domain into hq.example.com), and in attachment, the full log with
>> debug on.
>>
>> From the debug log, about the DNS update failure, I can see this:
>>
>> ; Communication with 192.168.0.72#53 failed: operation canceled
>> could not reach any name server
>>
>> I'm not sure what communication problem this could be, as the
>> server (which is both the IPA and the DNS servers), clearly can
>> be reached.
>>
>> Any idea where to look?
>
> Do you have the IPA DNS server in the resolv.conf of the client?
>
>
>
>>
>> Thanks,
>> Roberto
>>
>>
>> [root at meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
>> --force-ntpd --hostname=meson.hq.example.com
>> Discovery was successful!
>> Hostname: meson.hq.example.com
>> Realm: HQ.EXAMPLE.COM
>> DNS Domain: hq.example.com
>> IPA Server: ipa.hq.example.com
>> BaseDN: dc=hq,dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> *Unable to sync time with IPA NTP server, assuming the time is in
>> sync. Please check that 123 UDP port is opened.*
>> User authorized to enroll computers: admin
>> Password for admin at HQ.EXAMPLE.COM:
>> Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
>> Issuer: CN=Certificate Authority,O=HQ.EXAMPLE.COM
>> Valid From: Mon Mar 16 18:44:35 2015 UTC
>> Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>
>> Enrolled in IPA realm HQ.EXAMPLE.COM
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>> trying https://ipa.hq.example.com/ipa/json
>> Forwarding 'ping' to json server
>> 'https://ipa.hq.example.com/ipa/json'
>> Forwarding 'ca_is_enabled' to json server
>> 'https://ipa.hq.example.com/ipa/json'
>> Systemwide CA database updated.
>> Added CA certificates to the default NSS database.
>> Hostname (meson.hq.example.com) not found in DNS
>> *Failed to update DNS records.*
>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Forwarding 'host_mod' to json server
>> 'https://ipa.hq.example.com/ipa/json'
>> *Could not update DNS SSHFP records.*
>> SSSD enabled
>> Configured /etc/openldap/ldap.conf
>> *Unable to find 'admin' user with 'getent passwd admin at hq.example.com'!*
>> *Unable to reliably detect configuration. Check NSS setup manually.*
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Configuring hq.example.com as NIS domain.
>> Client configuration complete.
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
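As an added example (not from this thread and not a FreeIPA tool), the script below does from the client the check Dmitri is asking about: it probes every port a FreeIPA client must reach on its server, TCP and UDP, so each of the three failures in Roberto's log maps to a port result (the NTP warning to 123/udp, the DNS update to 53, the getent failure to LDAP 389/636 and Kerberos 88/464). The port list is the one ipa-server-install prints at the end of a server install ("You must make sure these network ports are open"); the install does not open them itself. The script assumes the server FQDN is passed as its argument and that dig and ntpdate are installed on the client; the Kerberos UDP ports have no one-shot probe here and are flagged to verify with kinit. Note that a working dig like the one above only exercises 53/udp; the required list includes 53/tcp as well, which the script checks separately.

```bash
#!/bin/bash
# Added example (not from the thread): probe, from the client, the ports a
# FreeIPA client must reach on its server. The port list is the one
# ipa-server-install prints; the server FQDN (e.g. ipa.hq.example.com) is
# an assumed argument. Needs bash and timeout(1); dig and ntpdate for UDP.

# Required client-to-server ports, one per line: port/proto service
ipa_required_ports() {
    cat <<'EOF'
80/tcp  http
443/tcp https
389/tcp ldap
636/tcp ldaps
88/tcp  kerberos
88/udp  kerberos
464/tcp kpasswd
464/udp kpasswd
53/tcp  dns
53/udp  dns
123/udp ntp
EOF
}

# TCP probe via bash's /dev/tcp, bounded by timeout(1). Exit 0 when the
# connection is accepted, 1 when refused, 124 when a DROP rule eats the SYN.
probe_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# UDP has no handshake, so a bare socket proves nothing; use the protocol
# client for the service instead. Kerberos UDP (88, 464) has no one-shot
# client here and is returned as status 2 ("verify with kinit").
probe_udp() {
    case "$2" in
        53)  dig +short +time=2 +tries=1 "@$1" "$1" >/dev/null 2>&1 ;;
        123) ntpdate -q -t 2 "$1" >/dev/null 2>&1 ;;
        *)   return 2 ;;
    esac
}

# Turn a probe exit status into the word printed in the report.
classify() {
    case "$1" in
        0)   echo open ;;
        2)   echo "verify (kinit)" ;;
        124) echo "BLOCKED (timeout: DROP rule?)" ;;
        *)   echo "BLOCKED (exit $1)" ;;
    esac
}

main() {
    server="${1:?usage: $0 ipa-server-fqdn}"
    ipa_required_ports | while read -r portproto svc; do
        port="${portproto%/*}"
        proto="${portproto#*/}"
        if [ "$proto" = tcp ]; then
            probe_tcp "$server" "$port"
        else
            probe_udp "$server" "$port"
        fi
        rc=$?
        printf '%-8s %-9s %s\n' "$portproto" "$svc" "$(classify "$rc")"
    done
}

# Only run the report when a server was given, so the file can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `./ipa-portcheck.sh ipa.hq.example.com` on the client. A "BLOCKED (timeout ...)" result is the signature of a firewall DROP rule, which is what makes nsupdate report "operation canceled" rather than an immediate refusal; on the Fedora server, `firewall-cmd --list-all` shows which ports and services the active zone actually permits, and `firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent` (then `--reload`) is the usual fix where those service definitions exist.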