[Freeipa-users] IPA Client Install problems

Tyrell Jentink tyrell at jentink.net
Tue Oct 11 22:35:57 UTC 2016


First off...  new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine.  I
have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories,
and dnf says it's up to date. FreeIPA has a trust set up with a Windows
Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora.  This
client appears to have connected fine, and appears to be working (I guess I
haven't tried logging in as an ActiveDirectory user;  But it's certainly
NOT having any DNS issues, as other clients are; See below...)

Then I tried connecting a second client, a system running Fedora 24 with
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
plan...  Here's the output of ipa-client-install:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please
> check
>
>            that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for admin at IPA.RXRHOUSE.NET:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>     Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>     Valid From:  Thu Sep 08 17:27:47 2016 UTC
>     Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server '
> https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server '
> https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server '
> https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.


Of concern, the installer failed to update DNS records, resulting in a
missing reverse record, and eventually failing to update the DNS SSHFP
records.  Looking in the Web UI for FreeIPA server, I see that the client
is registered, but it doesn't have any SSH keys, and as expected, doesn't
have a reverse zone...  But the Raspberry Pi DOES.

Just to be fully sure something was wrong...  I tried connecting with a
clean install of Fedora 24 running in a virtual machine, and had the same
issue.  I've googled around, and can't find anyone having any similar
issues...  And I didn't accidentally stumble across anything interesting
while exploring logs...  But I honestly don't know where to look.

TO BE CLEAR, things appear to work just fine from freeipa-client version
3.3.3-4.fc20 on Pidora on a Raspberry Pi, but it's NOT working with the
latest versions from Fedora 24 on x86_64 hardware...

Where should I look first?  Thank you for any assistance...

--
Tyrell Jentink
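
Added example, not part of the original post and not FreeIPA code: a small Python script that derives the PTR owner name and the SSHFP records (RFC 4255 / RFC 6594 numbering) that the enrollment above should have published, so they can be compared with what the DNS server actually returns. The Ed25519 key is constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import ipaddress
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

def ptr_name(address):
    """Owner name of the PTR record the reverse zone should hold."""
    return ipaddress.ip_address(address).reverse_pointer

def sshfp_records(hostname, pubkey_line):
    """Return the SHA-1 and SHA-256 SSHFP records for one ssh_host_*_key.pub line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if key_type not in SSHFP_ALGO:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    # The blob begins with a length-prefixed copy of the key type;
    # a mismatch means a damaged or mislabeled key file.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    algo = SSHFP_ALGO[key_type]
    # Fingerprint type 1 is SHA-1, type 2 is SHA-256, both over the raw blob.
    return [
        f"{hostname}. IN SSHFP {algo} 1 {hashlib.sha1(blob).hexdigest()}",
        f"{hostname}. IN SSHFP {algo} 2 {hashlib.sha256(blob).hexdigest()}",
    ]

def constructed_ed25519_line():
    """Constructed sample key (bytes 0..31), not a real host key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    host = "trainmaster.ipa.rxrhouse.net"
    print(ptr_name("10.42.0.100"), "IN PTR", host + ".")
    for record in sshfp_records(host, constructed_ed25519_line()):
        print(record)
```

Feeding it the real lines from /etc/ssh/ssh_host_*_key.pub gives the values to compare against `dig -x 10.42.0.100` and `dig SSHFP trainmaster.ipa.rxrhouse.net`.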