<br><br><div class="gmail_quote">2012/3/8 Brian Cook <span dir="ltr"><<a href="mailto:bcook@redhat.com" target="_blank">bcook@redhat.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div style="word-wrap:break-word">Also, I would not use 'delegation record' from AD, use conditional forwarding for *.<a href="http://unix.abcd.ca" target="_blank">unix.abcd.ca</a>.  Your AD admins should know how to do it.<div>

<div><br><div>
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div style="word-wrap:break-word">

<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div style="word-wrap:break-word">

---<br>Brian Cook<br>Solutions Architect, Red Hat, Inc.<br><a href="tel:407-212-7079" value="+14072127079" target="_blank">407-212-7079</a></div><div style="word-wrap:break-word"><br></div></span></div></span><br></span><br>


</div>
<br></div><div><div><div><div>On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:</div><br></div></div><blockquote type="cite"><div><div><div>On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:<br><blockquote type="cite">

Alright!<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I am now requesting to our DNS team<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">please delegate dns zone "<a href="http://unix.abcd.ca" target="_blank">unix.abcd.ca</a>" to ???<br>

</blockquote><br>the IP address of your IPA server; they will know what questions to<br>ask :)<br><br><blockquote type="cite">Question: is the ipa server fqdn, be <a href="http://ipaserver.unix.abcd.ca" target="_blank">ipaserver.unix.abcd.ca</a> or<br>

</blockquote><blockquote type="cite"><a href="http://ipaserver.abcd.ca" target="_blank">ipaserver.abcd.ca</a>?<br></blockquote><br><blockquote type="cite">does it matter?<br></blockquote><br>It does; the IPA server DNS domain is what matters for the first master.<br>

So it should be &lt;name&gt;.<a href="http://unix.abcd.ca" target="_blank">unix.abcd.ca</a><br><br>So that DNS domain = <a href="http://unix.abcd.ca" target="_blank">unix.abcd.ca</a> and realm = <a href="http://UNIX.ABCD.CA" target="_blank">UNIX.ABCD.CA</a> (if you use<br>

the standard configuration).<br><br>Simo.<br><br>-- <br>Simo Sorce * Red Hat, Inc * New York<br><br></div></div><div>_______________________________________________<br>Freeipa-users mailing list<br><a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>

<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></div></div></blockquote></div><br></div></div></blockquote></div><br>Hello<div>
<br></div><div>Still have the same issue: "Unable to find 'admin' user with 'getent passwd admin'!"<br><div><br></div><div>I redid both client and servers: no SELinux, no firewall.</div><div><br></div><div>Our DNS team did set the SOA for unix.cnppd.lab to point to my IPA server.</div>
<div><br></div><div>I had to put a manual entry in /etc/hosts:</div><div><div>165.115.118.21  mtl-ipa01d.unix.cnppd.lab       mtl-ipa01d</div></div><div><br></div><div><br><div>Then I set up my IPA server with the following:</div>
<div><b style="font-family:'Times New Roman';font-size:medium"><span style="font-size:15px;font-family:Arial;color:rgb(255,0,255);font-weight:normal;vertical-align:baseline;white-space:pre-wrap">ipa-server-install -a xxxxxxx --hostname=mtl-ipa01d.unix.cnppd.lab -n unix.cnppd.lab -p xxxxx -r UNIX.CNPPD.LAB --setup-dns --forwarder=165.115.52.21 --forwarder=165.115.51.21</span></b></div>
<div><font color="#ff00ff" face="Arial"><div><span style="font-size:15px;white-space:pre-wrap">Server host name [mtl-ipa01d.unix.cnppd.lab]:</span></div><div><span style="font-size:15px;white-space:pre-wrap"><br></span></div>
<div><span style="font-size:15px;white-space:pre-wrap">Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab</span></div><div><span style="font-size:15px;white-space:pre-wrap">The IPA Master Server will be configured with</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">Hostname:    mtl-ipa01d.unix.cnppd.lab</span></div><div><span style="font-size:15px;white-space:pre-wrap">IP address:  165.115.118.21</span></div><div><span style="font-size:15px;white-space:pre-wrap">Domain name: unix.cnppd.lab</span></div>
<div><span style="font-size:15px;white-space:pre-wrap"><br></span></div><div><span style="font-size:15px;white-space:pre-wrap">Do you want to configure the reverse zone? [yes]:</span></div><div><span style="font-size:15px;white-space:pre-wrap">Please specify the reverse zone name [118.115.165.in-addr.arpa.]:</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">Using reverse zone 118.115.165.in-addr.arpa.</span></div><div style="font-size:15px;white-space:pre-wrap"><br></div></font></div><div><font color="#ff00ff" face="Arial"><span style="font-size:15px;white-space:pre-wrap"><br>
</span></font></div><div><font color="#ff00ff" face="Arial"><div><span style="font-size:15px;white-space:pre-wrap">Restarting the directory server</span></div><div><span style="font-size:15px;white-space:pre-wrap">Restarting the KDC</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">Restarting the web server</span></div><div><span style="font-size:15px;white-space:pre-wrap">Configuring named:</span></div><div><span style="font-size:15px;white-space:pre-wrap">  [1/9]: adding DNS container</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">  [2/9]: setting up our zone</span></div><div><span style="font-size:15px;white-space:pre-wrap">  [3/9]: setting up reverse zone</span></div><div><span style="font-size:15px;white-space:pre-wrap">  [4/9]: setting up our own record</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">  [5/9]: setting up kerberos principal</span></div><div><span style="font-size:15px;white-space:pre-wrap">  [6/9]: setting up named.conf</span></div><div><span style="font-size:15px;white-space:pre-wrap">  [7/9]: restarting named</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">  [8/9]: configuring named to start on boot</span></div><div><span style="font-size:15px;white-space:pre-wrap">  [9/9]: changing resolv.conf to point to ourselves</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">done configuring named.</span></div><div><span style="font-size:15px;white-space:pre-wrap">==============================================================================</span></div>
<div><span style="font-size:15px;white-space:pre-wrap">Setup complete</span></div><div style="font-size:15px;white-space:pre-wrap"><br></div></font>
<div><br></div><div>I did set my client with</div><div><div>[root@mtl-vdi01d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB --realm=UNIX.CNPPD.LAB --mkhomedir</div><div>Discovery was successful!</div>
<div>Hostname: <a href="http://mtl-vdi01d.cn.ca">mtl-vdi01d.cn.ca</a></div><div>Realm: UNIX.CNPPD.LAB</div><div>DNS Domain: UNIX.CNPPD.LAB</div><div>IPA Server: mtl-ipa01d.unix.cnppd.lab</div><div>BaseDN: dc=unix,dc=cnppd,dc=lab</div>
<div><br></div><div><br></div><div>Continue to configure the system with these values? [no]: yes</div><div>User authorized to enroll computers: admin</div><div>Synchronizing time with KDC...</div><div>Password for admin@UNIX.CNPPD.LAB: </div>
<div><br></div><div>Enrolled in IPA realm UNIX.CNPPD.LAB</div><div>Created /etc/ipa/default.conf</div><div>Configured /etc/sssd/sssd.conf</div><div>Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB</div>
<div>SSSD enabled</div><div>Unable to find 'admin' user with 'getent passwd admin'!</div><div>Recognized configuration: SSSD</div><div>NTP enabled</div>
<div>Client configuration complete.</div></div><div><br></div><div>You can see that IPA did enroll my client:</div><div><br></div><div><div>[root@mtl-ipa01d ~]# ipa host-find</div><div>---------------</div><div>2 hosts matched</div>
<div>---------------</div><div>  Host name: mtl-ipa01d.unix.cnppd.lab</div><div>  Principal name: host/mtl-ipa01d.unix.cnppd.lab@UNIX.CNPPD.LAB</div><div>  Keytab: True</div><div>  Password: False</div><div>  Managed by: mtl-ipa01d.unix.cnppd.lab</div>
<div><br></div><div>  Host name: <a href="http://mtl-vdi01d.cn.ca">mtl-vdi01d.cn.ca</a></div>
<div>  Principal name: host/mtl-vdi01d.cn.ca@UNIX.CNPPD.LAB</div><div>  Keytab: True</div><div>  Password: False</div><div>  Managed by: <a href="http://mtl-vdi01d.cn.ca">mtl-vdi01d.cn.ca</a></div><div>  Subject: CN=<a href="http://mtl-vdi01d.cn.ca">mtl-vdi01d.cn.ca</a>,O=UNIX.CNPPD.LAB</div>
<div>  Serial Number: 12</div><div>  Issuer: CN=Certificate Authority,O=UNIX.CNPPD.LAB</div><div>  Not Before: Tue Mar 13 18:27:41 2012 UTC</div><div>  Not After: Fri Mar 14 18:27:41 2014 UTC</div><div>  Fingerprint (MD5): 26:f6:9f:32:3d:a0:13:43:8e:16:1a:7f:d7:43:7e:51</div>
<div>  Fingerprint (SHA1): 4b:28:b2:a4:33:16:27:fc:16:cc:35:54:68:fc:b4:45:85:3f:dc:1a</div><div>----------------------------</div><div>Number of entries returned 2</div><div>----------------------------</div><div>[root@mtl-ipa01d ~]# </div>
</div><div><br></div><div><br></div><div><br></div><div>I keep getting "Unable to find 'admin' user with 'getent passwd admin'!"</div><div><br></div><div>Why is that?</div><div><br></div><div>Thanks</div>
<div><br></div><div>Sylvain</div><div><br></div><div><br></div><div><br></div>
-- <br>Sylvain Angers<br><br>
</div>
</div></div>
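As an added example (not from the thread, and not FreeIPA's own code), the check below applies the rule Simo gives above to the discovery summary the client printed: in the standard configuration the DNS domain is lower case, the realm is its upper-case form, and the IPA server's FQDN sits inside that DNS domain. It also notes when the client's own hostname lies outside that domain and when the derived BaseDN does not mirror the domain labels; the summary text is constructed from the client output in the post.

```python
import re
from typing import Dict, List

# Constructed sample: the discovery summary as printed by ipa-client-install in the post above.
DISCOVERY_OUTPUT = """\
Discovery was successful!
Hostname: mtl-vdi01d.cn.ca
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab
"""


def parse_discovery(text: str) -> Dict[str, str]:
    """Collect the 'Key: value' lines of the summary into a dict keyed by lower-case field name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+):\s*(\S+)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def check_discovery(fields: Dict[str, str]) -> List[str]:
    """Apply the DNS domain / realm / hostname rules; an empty list means no finding."""
    findings: List[str] = []
    domain = fields.get("dns domain", "")
    realm = fields.get("realm", "")
    server = fields.get("ipa server", "")
    host = fields.get("hostname", "")
    dom = domain.lower()
    # Standard configuration: DNS domain in lower case, realm is its upper-case form.
    if domain != dom:
        findings.append(f"DNS domain '{domain}' is not lower case; expected '{dom}' (realm '{dom.upper()}')")
    if realm != dom.upper():
        findings.append(f"realm '{realm}' is not the upper-case form of DNS domain '{dom}'")
    # The first master's FQDN must live inside the IPA DNS domain.
    if not server.lower().endswith("." + dom):
        findings.append(f"IPA server '{server}' is not inside DNS domain '{dom}'")
    # Observation only: a client outside the IPA DNS domain depends on that domain's
    # records being reachable from its own resolver, so it is worth confirming.
    if not host.lower().endswith("." + dom):
        findings.append(f"client hostname '{host}' is outside DNS domain '{dom}'; confirm it resolves via the IPA DNS server")
    # The BaseDN the client derived should mirror the DNS domain labels.
    expected_basedn = ",".join("dc=" + label for label in dom.split("."))
    if fields.get("basedn", "").lower() != expected_basedn:
        findings.append(f"BaseDN '{fields.get('basedn')}' does not match '{expected_basedn}'")
    return findings


if __name__ == "__main__":
    for finding in check_discovery(parse_discovery(DISCOVERY_OUTPUT)):
        print("FINDING:", finding)
```

Run against the pasted summary it reports two findings: the DNS domain was given in upper case, and the client hostname mtl-vdi01d.cn.ca is outside unix.cnppd.lab.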