<div dir="ltr">Hi<br>I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but neither of them worked :-(<br>At the moment, only 12.04 ships the apt repo, so I can use apt to install freeipa-client (2.1.4-0ubuntu1). Although I can install the package successfully, I can't make it work during my ipa-client-install process; I just followed the instructions in the docs below:<br>
<a href="https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu">https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu</a><br><a href="http://ubuntuforums.org/showthread.php?t=2207956">http://ubuntuforums.org/showthread.php?t=2207956</a><br>
<br>But it failed with the --debug option on; below is the message it produced during installation:<br><br>---<br><br># ipa-client-install --domain=<a href="http://example.com">example.com</a> --mkhomedir --realm=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> --server=<a href="http://ad25.example.com">ad25.example.com</a> --no-ntp --hostname=<a href="http://dp40.example.com">dp40.example.com</a> --debug<br>
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': False, 'domain': '<a href="http://example.com">example.com</a>', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': '<a href="http://dp40.example.com">dp40.example.com</a>', 'preserve_sssd': False, 'server': '<a href="http://ad25.example.com">ad25.example.com</a>', 'prompt_password': False, 'mkhomedir': True, 'dns_updates': False, 'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': '<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>', 'unattended': None, 'principal': None}<br>
root : DEBUG missing options might be asked for interactively later<br><br>root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'<br>root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'<br>
root : DEBUG [ipadnssearchkrb]<br>root : DEBUG [ipacheckldap]<br>root : DEBUG args=/usr/bin/wget -O /tmp/tmp_gTNxY/ca.crt -T 15 -t 2 <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a><br>
root : DEBUG stdout=<br>root : DEBUG stderr=--2014-07-29 01:00:16-- <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a><br>Resolving <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)... 10.11.50.5<br>
Connecting to <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)|10.11.50.5|:80... connected.<br>HTTP request sent, awaiting response... 200 OK<br>Length: 1295 (1.3K) [application/x-x509-ca-cert]<br>
Saving to: `/tmp/tmp_gTNxY/ca.crt'<br><br> 0K . 100% 109M=0s<br><br>2014-07-29 01:00:16 (109 MB/s) - `/tmp/tmp_gTNxY/ca.crt' saved [1295/1295]<br><br><br>root : DEBUG Init ldap with: ldap://<a href="http://ad25.example.com:389">ad25.example.com:389</a><br>
root : DEBUG Search LDAP server for IPA base DN<br>root : DEBUG Check if naming context 'dc=example,dc=com' is for IPA<br>root : DEBUG Naming context 'dc=example,dc=com' is a valid IPA context<br>
root : DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com(sub)<br>root : DEBUG Found: [('cn=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>,cn=kerberos,dc=example,dc=us', {'krbSubTrees': ['dc=example,dc=com'], 'cn': ['<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]<br>
root : DEBUG will use domain: <a href="http://example.com">example.com</a><br><br>root : DEBUG will use server: <a href="http://ad25.example.com">ad25.example.com</a><br><br>DNS domain '<a href="http://example.com">example.com</a>' is not configured for automatic KDC address lookup.<br>
KDC address will be set to fixed value.<br><br>Discovery was successful!<br>root : DEBUG will use cli_realm: <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br><br>root : DEBUG will use cli_basedn: dc=example,dc=com<br>
<br>Hostname: <a href="http://dp40.example.com">dp40.example.com</a><br>Realm: <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>DNS Domain: <a href="http://example.com">example.com</a><br>IPA Server: <a href="http://ad25.example.com">ad25.example.com</a><br>
BaseDN: dc=example,dc=com<br><br><br>Continue to configure the system with these values? [no]: yes<br>root : DEBUG Backing up system configuration file '/etc/hostname'<br>root : DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'<br>
root : DEBUG args=/bin/hostname <a href="http://dp40.example.com">dp40.example.com</a><br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>User authorized to enroll computers: admin<br>root : DEBUG will use principal: admin<br>
<br>root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a><br>root : DEBUG stdout=<br>root : DEBUG stderr=--2014-07-29 01:00:29-- <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a><br>
Resolving <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)... 10.11.50.5<br>Connecting to <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)|10.11.50.5|:80... connected.<br>
HTTP request sent, awaiting response... 200 OK<br>Length: 1295 (1.3K) [application/x-x509-ca-cert]<br>Saving to: `/etc/ipa/ca.crt'<br><br> 0K . 100% 127M=0s<br>
<br>2014-07-29 01:00:29 (127 MB/s) - `/etc/ipa/ca.crt' saved [1295/1295]<br><br><br>Synchronizing time with KDC...<br>root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b <a href="http://ad25.example.com">ad25.example.com</a><br>
root : DEBUG stdout=<br>root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U<br>usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...<br>
<br>root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b <a href="http://ad25.example.com">ad25.example.com</a><br>root : DEBUG stdout=<br>root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U<br>
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...<br><br>root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b <a href="http://ad25.example.com">ad25.example.com</a><br>
root : DEBUG stdout=<br>root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U<br>usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...<br>
<br>Unable to sync time with IPA NTP server, assuming the time is in sync.<br>root : DEBUG Writing Kerberos configuration to /tmp/tmpaGEtIp:<br>#File modified by ipa-client-install<br><br>[libdefaults]<br> default_realm = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>
dns_lookup_realm = false<br> dns_lookup_kdc = false<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[realms]<br> <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> = {<br> kdc = <a href="http://ad25.example.com:88">ad25.example.com:88</a><br>
admin_server = <a href="http://ad25.example.com:749">ad25.example.com:749</a><br> default_domain = <a href="http://example.com">example.com</a><br> pkinit_anchors = FILE:/etc/ipa/ca.crt<br> }<br><br>[domain_realm]<br>
.<a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br> <a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br><br><br>Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: <br>
root : DEBUG args=kinit <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a><br>root : DEBUG stdout=Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: <br><br>root : DEBUG stderr=<br>
<br>root : DEBUG args=/usr/sbin/ipa-join -s <a href="http://ad25.example.com">ad25.example.com</a> -b dc=example,dc=com -d -h <a href="http://dp40.example.com">dp40.example.com</a><br>root : DEBUG stdout=<br>
root : DEBUG stderr=XML-RPC CALL:<br><br><?xml version="1.0" encoding="UTF-8"?>\r\n<br><methodCall>\r\n<br><methodName>join</methodName>\r\n<br><params>\r\n<br>
<param><value><array><data>\r\n<br>
<value><string><a href="http://dp40.example.com">dp40.example.com</a></string></value>\r\n<br></data></array></value></param>\r\n<br><param><value><struct>\r\n<br>
<member><name>nsosversion</name>\r\n<br><value><string>3.2.0-29-generic</string></value></member>\r\n<br><member><name>nshardwareplatform</name>\r\n<br><value><string>x86_64</string></value></member>\r\n<br>
</struct></value></param>\r\n<br></params>\r\n<br></methodCall>\r\n<br><br>XML-RPC RESPONSE:<br><br><?xml version='1.0' encoding='UTF-8'?>\n<br><methodResponse>\n<br>
<params>\n<br><param>\n<br><value><array><data>\n<br><value><string>fqdn=<a href="http://dp40.example.com">dp40.example.com</a>,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n<br>
<value><struct>\n<br><member>\n<br><name>dn</name>\n<br><value><string>fqdn=<a href="http://dp40.example.com">dp40.example.com</a>,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n<br>
</member>\n<br><member>\n<br><name>ipacertificatesubjectbase</name>\n<br><value><array><data>\n<br><value><string>O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></string></value>\n<br>
</data></array></value>\n<br></member>\n<br><member>\n<br><name>has_keytab</name>\n<br><value><boolean>0</boolean></value>\n<br></member>\n<br><member>\n<br>
<name>objectclass</name>\n<br><value><array><data>\n<br><value><string>ipaobject</string></value>\n<br><value><string>nshost</string></value>\n<br>
<value><string>ipahost</string></value>\n<br><value><string>pkiuser</string></value>\n<br><value><string>ipaservice</string></value>\n<br><value><string>krbprincipalaux</string></value>\n<br>
<value><string>krbprincipal</string></value>\n<br><value><string>top</string></value>\n<br></data></array></value>\n<br></member>\n<br><member>\n<br>
<name>fqdn</name>\n<br><value><array><data>\n<br><value><string><a href="http://dp40.example.com">dp40.example.com</a></string></value>\n<br></data></array></value>\n<br>
</member>\n<br><member>\n<br><name>has_password</name>\n<br><value><boolean>0</boolean></value>\n<br></member>\n<br><member>\n<br><name>ipauniqueid</name>\n<br>
<value><array><data>\n<br><value><string>b086ab94-1678-11e4-991b-bc305bf33a5c</string></value>\n<br></data></array></value>\n<br></member>\n<br><member>\n<br>
<name>krbprincipalname</name>\n<br><value><array><data>\n<br><value><string>host/<a href="mailto:dp40.example.com@EXAMPLE.COM">dp40.example.com@EXAMPLE.COM</a></string></value>\n<br>
</data></array></value>\n<br></member>\n<br><member>\n<br><name>managedby_host</name>\n<br><value><array><data>\n<br><value><string><a href="http://dp40.example.com">dp40.example.com</a></string></value>\n<br>
</data></array></value>\n<br></member>\n<br></struct></value>\n<br></data></array></value>\n<br></param>\n<br></params>\n<br></methodResponse>\n<br>
<br>
Keytab successfully retrieved and stored in: /etc/krb5.keytab<br>Certificate subject base is: O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br><br>Enrolled in IPA realm <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>root : DEBUG args=kdestroy<br>
root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG Backing up system configuration file '/etc/ipa/default.conf'<br>root : DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist<br>
Created /etc/ipa/default.conf<br>root : DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'<br>root : DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'<br>
Domain <a href="http://example.com">example.com</a> is already configured in existing SSSD config, creating a new one.<br>The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.<br>root : DEBUG Domain <a href="http://example.com">example.com</a> is already configured in existing SSSD config, creating a new one.<br>
Configured /etc/sssd/sssd.conf<br>root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt<br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG Backing up system configuration file '/etc/krb5.conf'<br>
root : DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'<br>root : DEBUG Writing Kerberos configuration to /etc/krb5.conf:<br>#File modified by ipa-client-install<br>
<br>[libdefaults]<br> default_realm = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br> dns_lookup_realm = false<br> dns_lookup_kdc = false<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[realms]<br>
<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> = {<br> kdc = <a href="http://ad25.example.com:88">ad25.example.com:88</a><br> admin_server = <a href="http://ad25.example.com:749">ad25.example.com:749</a><br> default_domain = <a href="http://example.com">example.com</a><br>
pkinit_anchors = FILE:/etc/ipa/ca.crt<br> }<br><br>[domain_realm]<br> .<a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br> <a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>
<br><br>Configured /etc/krb5.conf for IPA realm <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>Warning: Hostname (<a href="http://dp40.example.com">dp40.example.com</a>) not found in DNS<br>root : DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:<br>
<br>zone <a href="http://example.com">example.com</a>.<br>update delete <a href="http://dp40.example.com">dp40.example.com</a>. IN A<br>send<br>update add <a href="http://dp40.example.com">dp40.example.com</a>. 1200 IN A 10.11.0.40<br>
send<br><br>root : DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/<a href="http://dp40.example.com">dp40.example.com</a><br>root : DEBUG stdout=<br>root : DEBUG stderr=kinit: Password incorrect while getting initial credentials<br>
<br>Failed to obtain host TGT.<br>root : DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt<br>root : DEBUG stdout=<br>root : DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/etc/ipa/.dns_ccache' not found.<br>
<br>Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1)<br>root : DEBUG args=/usr/sbin/service dbus start <br>root : DEBUG stdout=<br>
root : DEBUG stderr=start: Job is already running: dbus<br><br>root : ERROR dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1<br>root : DEBUG args=/usr/sbin/service certmonger restart <br>
root : DEBUG stdout=certmonger stop/waiting<br>certmonger start/running, process 293499<br><br>root : DEBUG stderr=<br>root : DEBUG args=/usr/sbin/service certmonger stop <br>root : DEBUG stdout=certmonger stop/waiting<br>
<br>root : DEBUG stderr=<br>root : DEBUG args=/usr/sbin/service certmonger restart <br>root : DEBUG stdout=certmonger start/running, process 293513<br><br>root : DEBUG stderr=stop: Unknown instance: <br>
<br>root : DEBUG args=/sbin/chkconfig certmonger on<br>root : DEBUG stdout=<br>root : DEBUG stderr=/sbin/insserv: No such file or directory<br><br>Failed to configure automatic startup of the certmonger daemon<br>
Automatic certificate management will not be available<br>root : ERROR Failed to disable automatic startup of the certmonger daemon: Command '/sbin/chkconfig certmonger on' returned non-zero exit status 1<br>
root : DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - <a href="http://dp40.example.com">dp40.example.com</a> -N CN=<a href="http://dp40.example.com">dp40.example.com</a>,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> -K host/<a href="mailto:dp40.example.com@EXAMPLE.COM">dp40.example.com@EXAMPLE.COM</a><br>
root : DEBUG stdout=New signing request "20140728170038" added.<br><br>root : DEBUG stderr=<br>root : DEBUG args=/usr/sbin/service nscd status<br>root : DEBUG stdout=<br>
root : DEBUG stderr=nscd: unrecognized service<br>
<br>root : DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'<br>root : DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'<br>root : DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'<br>
Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd<br>Please do the corresponding changes manually and press Enter: <br>SSSD enabled<br>root : DEBUG args=getent passwd admin<br>
root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>
root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>
root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>
root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>
root : DEBUG stdout=<br>root : DEBUG stderr=<br>root : DEBUG args=getent passwd admin<br>root : DEBUG stdout=<br>root : DEBUG stderr=<br>Unable to find 'admin' user with 'getent passwd admin'!<br>
Recognized configuration: SSSD<br>Client configuration complete.<br><br><br>---<br><br>Obviously, the package is buggy; it just copied configs from Red Hat that are not suitable for Ubuntu.<br><br>As for Ubuntu 10.04, I googled a lot, but found far less info about it. Basically, documentation for 10.04 and 12.04 is really, really rare; I haven't found any good cases where they run smoothly.<br>
<br>I have read through the official documentation, and there is only some info about installing ipa-client manually, which is still for Red Hat based distributions, not Debian based, although no matter which distribution, the theory behind them is the same. One of the main purposes of FreeIPA, I think, is to make IdM easier to use and maintain, especially since it involves lots of complicated components that normal users don't want to deal with:<br>
<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html</a><br>
<br>Besides Ubuntu, we have hundreds of Red Hat clients which run quite well and don't have many problems during the whole process, but Ubuntu is a big trouble for us; we still have more than two hundred of them running in our production environment, and we still want to let them join our FreeIPA domain so we can manage our accounts more efficiently.<br>
<br>So, can anybody help me debug the above error on Ubuntu 12.04, and does anyone have any suggestions or good references for the Ubuntu distribution?<br>Thank you.<br><br></div>
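The line "Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd ... Please do the corresponding changes manually" in the log above is the step the Ubuntu package leaves to the administrator, and the later "Unable to find 'admin' user with 'getent passwd admin'!" is consistent with that step having been skipped: SSSD is configured in /etc/sssd/sssd.conf, but if /etc/nsswitch.conf does not list sss, getent never consults it. The script below is an added example, not part of the original post or of the freeipa-client package. It performs the Debian-side equivalent of that authconfig call (adds sss to the passwd, group and netgroup databases in nsswitch.conf and pam_mkhomedir to common-session), is idempotent, and only touches the real files when invoked with the "apply" argument; the file paths are parameters so the functions can be exercised on copies first. It assumes libnss-sss and libpam-sss are installed and that /etc/pam.d/common-session is managed by pam-auth-update, whose managed block ends with "# end of pam-auth-update config" so that a line appended after it survives later runs. The "apply" branch also repeats the two checks the installer did right after this point (getent for the enrolling user, and a keytab kinit for the host principal); it does not fix the "kinit: Password incorrect" host-keytab failure earlier in the log, which is a separate problem.

```shell
#!/bin/sh
# Added example (not from the original post or the freeipa-client package).
# Debian/Ubuntu counterpart of the authconfig step that ipa-client-install
# prints and skips on non-Red Hat platforms:
#   authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
# Assumptions: libnss-sss and libpam-sss are installed, and
# /etc/pam.d/common-session is managed by pam-auth-update, whose managed
# block ends with "# end of pam-auth-update config" (lines after it are kept).

# nss_has_sss FILE DB...  -> 0 if every DB line in FILE already lists sss
nss_has_sss() {
    file=$1; shift
    for db in "$@"; do
        grep -Eq "^$db:.*[[:space:]]sss([[:space:]]|$)" "$file" || return 1
    done
    return 0
}

# nss_enable_sss FILE DB...  -> append " sss" to each DB line that lacks it,
# or add a "DB: files sss" line when FILE has no entry for that database.
nss_enable_sss() {
    file=$1; shift
    for db in "$@"; do
        if nss_has_sss "$file" "$db"; then
            continue                                   # already enabled: idempotent
        fi
        if grep -Eq "^$db:" "$file"; then
            tmp=$(mktemp)
            # Only the line that starts with "DB:" is touched; other lines and
            # commented-out entries pass through unchanged.
            awk -v db="$db" '
                index($0, db ":") == 1 { sub(/[[:space:]]+$/, ""); print $0 " sss"; next }
                { print }
            ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE's inode/mode
            rm -f "$tmp"
        else
            printf '%s: files sss\n' "$db" >> "$file"
        fi
    done
}

# pam_enable_mkhomedir FILE  -> add pam_mkhomedir to FILE (common-session) once,
# after the pam-auth-update managed block, so it is not duplicated on rerun.
pam_enable_mkhomedir() {
    file=$1
    if ! grep -q 'pam_mkhomedir\.so' "$file"; then
        printf 'session required pam_mkhomedir.so skel=/etc/skel umask=0077\n' >> "$file"
    fi
}

# Apply to the real files and repeat the installer's post-enrollment checks
# only when explicitly asked:  sh enable-sss.sh apply
if [ "${1:-}" = "apply" ]; then
    nss_enable_sss /etc/nsswitch.conf passwd group netgroup
    pam_enable_mkhomedir /etc/pam.d/common-session
    service sssd restart
    # Same check ipa-client-install performs after the authconfig step
    # ("admin" is the enrolling principal used in the log above).
    if getent passwd admin >/dev/null; then
        echo "SSSD resolves 'admin'"
    else
        echo "'admin' still not resolvable: check /etc/sssd/sssd.conf and /var/log/sssd/"
    fi
    # Host keytab sanity check; the log above shows this kinit failing.
    klist -k -t /etc/krb5.keytab
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)" && kdestroy
fi
```

Run it once on copies of the two files (the functions take the path as their first argument) before running `sh enable-sss.sh apply` as root; after a successful apply, `getent passwd admin` should return the IPA user and `klist -k -t /etc/krb5.keytab` should list `host/dp40.example.com@EXAMPLE.COM`.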