<div dir="ltr">Hi I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but none of them worked :-( At the moment, only 12.04 ships the apt repo so that I can use apt to install the freeipa-client(2.1.4-0ubuntu1). Although I can installed the package successfully, I can't make it work during my ipa-client-install process, I just follow the instruction as the below docs says: <a href="https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu">https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu</a> <a href="http://ubuntuforums.org/showthread.php?t=2207956">http://ubuntuforums.org/showthread.php?t=2207956</a> But failed with --debug options on, below is the message it produced during installation: --- # ipa-client-install --domain=<a href="http://example.com">example.com</a> --mkhomedir --realm=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> --server=<a href="http://ad25.example.com">ad25.example.com</a> --no-ntp --hostname=<a href="http://dp40.example.com">dp40.example.com</a> --debug root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': False, 'domain': '<a href="http://example.com">example.com</a>', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': '<a href="http://dp40.example.com">dp40.example.com</a>', 'preserve_sssd': False, 'server': '<a href="http://ad25.example.com">ad25.example.com</a>', 'prompt_password': False, 'mkhomedir': True, 'dns_updates': False, 'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': '<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>', 'unattended': None, 'principal': None} root : DEBUG missing options might be asked for interactively later root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' root : DEBUG [ipadnssearchkrb] root : DEBUG [ipacheckldap] root : DEBUG args=/usr/bin/wget -O /tmp/tmp_gTNxY/ca.crt -T 15 -t 2 <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a> root : DEBUG stdout= root : DEBUG stderr=--2014-07-29 01:00:16-- <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a> Resolving <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)... 10.11.50.5 Connecting to <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)|10.11.50.5|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1295 (1.3K) [application/x-x509-ca-cert] Saving to: `/tmp/tmp_gTNxY/ca.crt' 0K . 100% 109M=0s 2014-07-29 01:00:16 (109 MB/s) - `/tmp/tmp_gTNxY/ca.crt' saved [1295/1295] root : DEBUG Init ldap with: ldap://<a href="http://ad25.example.com:389">ad25.example.com:389</a> root : DEBUG Search LDAP server for IPA base DN root : DEBUG Check if naming context 'dc=example,dc=com' is for IPA root : DEBUG Naming context 'dc=example,dc=com' is a valid IPA context root : DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com(sub) root : DEBUG Found: [('cn=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>,cn=kerberos,dc=example,dc=us', {'krbSubTrees': ['dc=example,dc=com'], 'cn': ['<a href="http://EXAMPLE.COM">EXAMPLE.COM</a>'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})] root : DEBUG will use domain: <a href="http://example.com">example.com</a> root : DEBUG will use server: <a href="http://ad25.example.com">ad25.example.com</a> DNS domain '<a href="http://example.com">example.com</a>' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful! root : DEBUG will use cli_realm: <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> root : DEBUG will use cli_basedn: dc=example,dc=com Hostname: <a href="http://dp40.example.com">dp40.example.com</a> Realm: <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> DNS Domain: <a href="http://example.com">example.com</a> IPA Server: <a href="http://ad25.example.com">ad25.example.com</a> BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes root : DEBUG Backing up system configuration file '/etc/hostname' root : DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG args=/bin/hostname <a href="http://dp40.example.com">dp40.example.com</a> root : DEBUG stdout= root : DEBUG stderr= User authorized to enroll computers: admin root : DEBUG will use principal: admin root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a> root : DEBUG stdout= root : DEBUG stderr=--2014-07-29 01:00:29-- <a href="http://ad25.example.com/ipa/config/ca.crt">http://ad25.example.com/ipa/config/ca.crt</a> Resolving <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)... 10.11.50.5 Connecting to <a href="http://ad25.example.com">ad25.example.com</a> (<a href="http://ad25.example.com">ad25.example.com</a>)|10.11.50.5|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1295 (1.3K) [application/x-x509-ca-cert] Saving to: `/etc/ipa/ca.crt' 0K . 100% 127M=0s 2014-07-29 01:00:29 (127 MB/s) - `/etc/ipa/ca.crt' saved [1295/1295] Synchronizing time with KDC... root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b <a href="http://ad25.example.com">ad25.example.com</a> root : DEBUG stdout= root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ... root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b <a href="http://ad25.example.com">ad25.example.com</a> root : DEBUG stdout= root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ... root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b <a href="http://ad25.example.com">ad25.example.com</a> root : DEBUG stdout= root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ... Unable to sync time with IPA NTP server, assuming the time is in sync. root : DEBUG Writing Kerberos configuration to /tmp/tmpaGEtIp: #File modified by ipa-client-install [libdefaults] default_realm = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes [realms] <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> = { kdc = <a href="http://ad25.example.com:88">ad25.example.com:88</a> admin_server = <a href="http://ad25.example.com:749">ad25.example.com:749</a> default_domain = <a href="http://example.com">example.com</a> pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .<a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> <a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: root : DEBUG args=kinit <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> root : DEBUG stdout=Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: root : DEBUG stderr= root : DEBUG args=/usr/sbin/ipa-join -s <a href="http://ad25.example.com">ad25.example.com</a> -b dc=example,dc=com -d -h <a href="http://dp40.example.com">dp40.example.com</a> root : DEBUG stdout= root : DEBUG stderr=XML-RPC CALL: <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n <methodName>join</methodName>\r\n <params>\r\n <param><value><array><data>\r\n <value><string><a href="http://dp40.example.com">dp40.example.com</a></string></value>\r\n </data></array></value></param>\r\n <param><value><struct>\r\n <member><name>nsosversion</name>\r\n <value><string>3.2.0-29-generic</string></value></member>\r\n <member><name>nshardwareplatform</name>\r\n <value><string>x86_64</string></value></member>\r\n </struct></value></param>\r\n </params>\r\n </methodCall>\r\n XML-RPC RESPONSE: <?xml version='1.0' encoding='UTF-8'?>\n <methodResponse>\n <params>\n <param>\n <value><array><data>\n <value><string>fqdn=<a href="http://dp40.example.com">dp40.example.com</a>,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n <value><struct>\n <member>\n <name>dn</name>\n <value><string>fqdn=<a href="http://dp40.example.com">dp40.example.com</a>,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n </member>\n <member>\n <name>ipacertificatesubjectbase</name>\n <value><array><data>\n <value><string>O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></string></value>\n </data></array></value>\n </member>\n <member>\n <name>has_keytab</name>\n <value><boolean>0</boolean></value>\n </member>\n <member>\n <name>objectclass</name>\n <value><array><data>\n <value><string>ipaobject</string></value>\n <value><string>nshost</string></value>\n <value><string>ipahost</string></value>\n <value><string>pkiuser</string></value>\n <value><string>ipaservice</string></value>\n <value><string>krbprincipalaux</string></value>\n <value><string>krbprincipal</string></value>\n <value><string>top</string></value>\n </data></array></value>\n </member>\n <member>\n <name>fqdn</name>\n <value><array><data>\n <value><string><a href="http://dp40.example.com">dp40.example.com</a></string></value>\n </data></array></value>\n </member>\n <member>\n <name>has_password</name>\n <value><boolean>0</boolean></value>\n </member>\n <member>\n <name>ipauniqueid</name>\n <value><array><data>\n <value><string>b086ab94-1678-11e4-991b-bc305bf33a5c</string></value>\n </data></array></value>\n </member>\n <member>\n <name>krbprincipalname</name>\n <value><array><data>\n <value><string>host/<a href="mailto:dp40.example.com@EXAMPLE.COM">dp40.example.com@EXAMPLE.COM</a></string></value>\n </data></array></value>\n </member>\n <member>\n <name>managedby_host</name>\n <value><array><data>\n <value><string><a href="http://dp40.example.com">dp40.example.com</a></string></value>\n </data></array></value>\n </member>\n </struct></value>\n </data></array></value>\n </param>\n </params>\n </methodResponse>\n Keytab successfully retrieved and stored in: /etc/krb5.keytab Certificate subject base is: O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> Enrolled in IPA realm <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> root : DEBUG args=kdestroy root : DEBUG stdout= root : DEBUG stderr= root : DEBUG Backing up system configuration file '/etc/ipa/default.conf' root : DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist Created /etc/ipa/default.conf root : DEBUG Backing up system configuration file '/etc/sssd/sssd.conf' root : DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Domain <a href="http://example.com">example.com</a> is already configured in existing SSSD config, creating a new one. The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. root : DEBUG Domain <a href="http://example.com">example.com</a> is already configured in existing SSSD config, creating a new one. Configured /etc/sssd/sssd.conf root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt root : DEBUG stdout= root : DEBUG stderr= root : DEBUG Backing up system configuration file '/etc/krb5.conf' root : DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Writing Kerberos configuration to /etc/krb5.conf: #File modified by ipa-client-install [libdefaults] default_realm = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes [realms] <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> = { kdc = <a href="http://ad25.example.com:88">ad25.example.com:88</a> admin_server = <a href="http://ad25.example.com:749">ad25.example.com:749</a> default_domain = <a href="http://example.com">example.com</a> pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .<a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> <a href="http://example.com">example.com</a> = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> Configured /etc/krb5.conf for IPA realm <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> Warning: Hostname (<a href="http://dp40.example.com">dp40.example.com</a>) not found in DNS root : DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt: zone <a href="http://example.com">example.com</a>. update delete <a href="http://dp40.example.com">dp40.example.com</a>. IN A send update add <a href="http://dp40.example.com">dp40.example.com</a>. 1200 IN A 10.11.0.40 send root : DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/<a href="http://dp40.example.com">dp40.example.com</a> root : DEBUG stdout= root : DEBUG stderr=kinit: Password incorrect while getting initial credentials Failed to obtain host TGT. root : DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt root : DEBUG stdout= root : DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/etc/ipa/.dns_ccache' not found. Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1) root : DEBUG args=/usr/sbin/service dbus start root : DEBUG stdout= root : DEBUG stderr=start: Job is already running: dbus root : ERROR dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1 root : DEBUG args=/usr/sbin/service certmonger restart root : DEBUG stdout=certmonger stop/waiting certmonger start/running, process 293499 root : DEBUG stderr= root : DEBUG args=/usr/sbin/service certmonger stop root : DEBUG stdout=certmonger stop/waiting root : DEBUG stderr= root : DEBUG args=/usr/sbin/service certmonger restart root : DEBUG stdout=certmonger start/running, process 293513 root : DEBUG stderr=stop: Unknown instance: root : DEBUG args=/sbin/chkconfig certmonger on root : DEBUG stdout= root : DEBUG stderr=/sbin/insserv: No such file or directory Failed to configure automatic startup of the certmonger daemon Automatic certificate management will not be available root : ERROR Failed to disable automatic startup of the certmonger daemon: Command '/sbin/chkconfig certmonger on' returned non-zero exit status 1 root : DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - <a href="http://dp40.example.com">dp40.example.com</a> -N CN=<a href="http://dp40.example.com">dp40.example.com</a>,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> -K host/<a href="mailto:dp40.example.com@EXAMPLE.COM">dp40.example.com@EXAMPLE.COM</a> root : DEBUG stdout=New signing request "20140728170038" added. root : DEBUG stderr= root : DEBUG args=/usr/sbin/service nscd status root : DEBUG stdout= root : DEBUG stderr=nscd: unrecognized service root : DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' root : DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' root : DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd Please do the corresponding changes manually and press Enter: SSSD enabled root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= Unable to find 'admin' user with 'getent passwd admin'! Recognized configuration: SSSD Client configuration complete. --- Obviously, the package is buggy, and it just copied configs from Redhat that is not suitable for Ubuntu. As for Ubuntu 10.04, I google a lot, but found far less info about it. Basically, the documentation of 10.04 and 12.04 is really really rare, I havent' find any good cases that run them smoothly. I have read through the official documentation, and there only exit some info about install ipa-client manually, which is still for redhat based distribution, not debian based. although no matter which distribution, the theory behind them is the same, One of the main purpose of freeipa I think is to make the idm more easy to use and maintain especially there involve lots of complicated components that normal user don't want to cover: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html</a> Besides Ubuntu, we have hundreds of redhat clients which run quite good and they don't have many problems during the whole process, but Ubuntu is a big trouble for us, we still have more than 200 hundreds of them running on our production environment, and we still wan to let them join in our freeipa domain so we can manage our accounts more efficiently. So, can anybody help me to debug the above error on Ubuntu 12.04, and any suggestion or good reference on Ubuntu distribution? Thank you. </div>