<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Unable to sync time normally means you've got the ntpd service running on the client (or the port is blocked). Try turn that off and then run ntpdate ipaserver or ipa-client-install again. I noticed this happened to me too a few times. I think it's because the new host you're trying to enroll is in the past and kerberos keys aren't active until x time. </div> <div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I may be wrong..</div> <div class="gmail_extra"> <br><br><div class="gmail_quote">On Thu, Sep 26, 2013 at 10:30 PM, Bret Wortman <span dir="ltr"><<a href="mailto:bret.wortman@damascusgrp.com" target="_blank">bret.wortman@damascusgrp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr"><font face="courier new, monospace"># ipa-client-install --enable-dns-updates --mkhomedir</font><div><font face="courier new, monospace">Discovery was successful!</font></div><div><font face="courier new, monospace">Hostname: <a href="http://os105.foo.net" target="_blank">os105.foo.net</a></font></div> <div><font face="courier new, monospace">Realm: <a href="http://FOO.NET" target="_blank">FOO.NET</a></font></div><div><font face="courier new, monospace">DNS Domain: <a href="http://foo.net" target="_blank">foo.net</a></font></div> <div><font face="courier new, monospace">IPA Server: <a href="http://osipa.foo.net" target="_blank">osipa.foo.net</a></font></div> <div><font face="courier new, monospace">BaseDN: dc=foo,dc=net</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Continue to configure the system with these values? [no]: yes</font></div> <div><font face="courier new, monospace">User authrozied to enroll computers: admin</font></div><div><font face="courier new, monospace">Synchronizing time with KDC...</font></div><div><font face="courier new, monospace">Unable to sync time with IPA NTP server, assuming the time is in sync.</font></div> <div><font face="courier new, monospace">Password for <a href="mailto:admin@FOO.NET" target="_blank">admin@FOO.NET</a></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Enrolled in IPA realm <a href="http://FOO.NET" target="_blank">FOO.NET</a></font></div> <div><font face="courier new, monospace">Created /etc/ipa/default.conf</font></div><div><font face="courier new, monospace">COnfigured /etc/sssd/sssd.conf</font></div><div><font face="courier new, monospace">COnfigured /etc/krb5.conf for IPA realm <a href="http://FOO.NET" target="_blank">FOO.NET</a></font></div> <div><font face="courier new, monospace">Failed to obtain host TGT.</font></div><div><font face="courier new, monospace">Installation failed. Rolling back changes.</font></div><div><font face="courier new, monospace">#</font></div> <div><br></div><div>I've seen the "unable to sync time" error before and have still been able to enroll, but something's different with this host. It also does this when I try to enroll with other replicas as well. Thoughts?<span><font color="#888888"><br clear="all"> <div><div dir="ltr"><div><br></div><div><u><br></u></div><div><b>Bret Wortman</b></div><div><img width="200" height="53"><br></div><div><a href="http://damascusgrp.com/" target="_blank">http://damascusgrp.com/</a><br> </div><div><a href="http://about.me/wortmanbret" target="_blank">http://about.me/wortmanbret</a><br></div></div></div> </font></span></div></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div></div>