<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 02/02/15 16:07, Martin Basti wrote:<br>
    </div>
    <blockquote cite="mid:54CF929F.5050905@redhat.com" type="cite">
      <div class="moz-cite-prefix">On 02/02/15 14:13, Gerardo Cuppari
        wrote:<br>
      </div>
      <blockquote
cite="mid:CAAD-uD1NzRPGBG0X_O2MsczZJz3bMkqcP0d4mBUqt7CFjH=KPg@mail.gmail.com"
        type="cite">
        <div dir="ltr">
          <div class="gmail_default" style="">
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Hello! I am trying to enroll
                one host to my IPA server (4.1.2) and I am having one
                problem: the ipa-client-install script keeps giving me
                errors at the "forwarding ping to json server" step.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">My configuration is:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><span class=""
                  style="white-space:pre"> </span>-
                server.estudio.local<span class=""
                  style="white-space:pre"> </span>192.168.56.2<span
                  class="" style="white-space:pre"> </span>Fedora
                Server 21<span class="" style="white-space:pre"> </span>ipa

                4.1.2</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><span class=""
                  style="white-space:pre"> </span>- pc01.estudio.local<span
                  class="" style="white-space:pre"> </span>192.168.56.106<span
                  class="" style="white-space:pre"> </span>Fedora
                Works. 21</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Both have firewalld down
                (just to test) and can reach each other. I've been
                trying to get this working without success (solved other
                minor issues) and so I'm asking for your help.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">The only way I can make it
                work is by adding the --force switch to
                ipa-client-install script but, that way, it just
                disregards errors.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Thanks in advance!!!</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Here are my tests:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">SERVER</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">======</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@server ~]# ipa ping</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">-------------------------------------------</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">IPA server version 4.1.2. API
                version 2.109</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">-------------------------------------------</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">CLIENT</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">======</font></div>
            <div class="gmail_default" style=""><span class=""
                style="white-space:pre"><font color="#000099"
                  face="verdana, sans-serif"> </font></span></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@pc01 ~]# dig server</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">; &lt;&lt;&gt;&gt; DiG
                9.9.6-P1-RedHat-9.9.6-6.P1.fc21 &lt;&lt;&gt;&gt; server</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; global options: +cmd</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; Got answer:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; -&gt;&gt;HEADER&lt;&lt;-
                opcode: QUERY, status: SERVFAIL, id: 29286</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; flags: qr rd ra; QUERY: 1,
                ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; OPT PSEUDOSECTION:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">; EDNS: version: 0, flags:;
                udp: 4096</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; QUESTION SECTION:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;server.                    
                           IN      A</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; Query time: 10 msec</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; SERVER:
                192.168.56.2#53(192.168.56.2)</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; WHEN: lun feb 02 09:51:07
                ART 2015</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">;; MSG SIZE  rcvd: 35</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">***********************************************</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@pc01 ~]# nslookup
                server</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Server:         192.168.56.2</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Address:      
                 192.168.56.2#53</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Name:   server.estudio.local</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Address: 192.168.56.2</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">***********************************************</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Here I disable chronyd so I
                can run the script without NTP sync errors:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@pc01 ~]# systemctl
                disable chronyd</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Removed symlink
                /etc/systemd/system/multi-user.target.wants/chronyd.service.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@pc01 ~]# service
                chronyd stop</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Redirecting to /bin/systemctl
                stop  chronyd.service</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">***********************************************</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Without having
                "server.estudio.local" on /etc/hosts file:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@pc01 ~]#
                ipa-client-install --enable-dns-updates --mkhomedir
                --ssh-trust-dns</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Skip server.estudio.local:
                cannot verify if this is an IPA server</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Provide your IPA server name
                (ex: <a moz-do-not-send="true"
                  href="http://ipa.example.com">ipa.example.com</a>): <br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Skip server.estudio.local:
                cannot verify if this is an IPA server</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Failed to verify that
                server.estudio.local is an IPA Server.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">This may mean that the remote
                server is not up or is not reachable due to network or
                firewall settings.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Please make sure the
                following ports are opened in the firewall settings:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">     TCP: 80, 88, 389</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">     UDP: 88 (at least one of
                TCP/UDP ports 88 has to be open)</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Also note that following
                ports are necessary for ipa-client working properly
                after enrollment:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">     TCP: 464</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">     UDP: 464, 123 (if NTP
                enabled)</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Installation failed. Rolling
                back changes.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">IPA client is not configured
                on this system.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">***********************************************</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Here I added hostname and IP
                address to /etc/hosts file (don't know why it doesn't
                work without it):</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">[root@pc01 ~]#
                ipa-client-install --enable-dns-updates --mkhomedir
                --ssh-trust-dns</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Discovery was successful!</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Hostname: pc01.estudio.local</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Realm: ESTUDIO.LOCAL</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">DNS Domain: estudio.local</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">IPA Server:
                server.estudio.local</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">BaseDN: dc=estudio,dc=local</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Continue to configure the
                system with these values? [no]: yes</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Synchronizing time with
                KDC...</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">User authorized to enroll
                computers: admin</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Password for <a
                  moz-do-not-send="true"
                  class="moz-txt-link-abbreviated"
                  href="mailto:admin@ESTUDIO.LOCAL">admin@ESTUDIO.LOCAL</a>:</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Successfully retrieved CA
                cert</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">    Subject:    
                CN=Certificate Authority,O=ESTUDIO.LOCAL</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">    Issuer:    
                 CN=Certificate Authority,O=ESTUDIO.LOCAL</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">    Valid From:  Fri Jan 30
                12:02:01 2015 UTC</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">    Valid Until: Tue Jan 30
                12:02:01 2035 UTC</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Enrolled in IPA realm
                ESTUDIO.LOCAL</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Created /etc/ipa/default.conf</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">New SSSD config will be
                created</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Configured sudoers in
                /etc/nsswitch.conf</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Configured
                /etc/sssd/sssd.conf</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Configured /etc/krb5.conf for
                IPA realm ESTUDIO.LOCAL</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">trying <a
                  moz-do-not-send="true"
                  href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a></font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Forwarding 'ping' to json
                server '<a moz-do-not-send="true"
                  href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a>'</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Cannot connect to the server
                due to Kerberos error: Kerberos error: ('Unspecified GSS
                failure.  Minor code may provide more information',
                851968)/("Cannot contact any KDC for realm
                'ESTUDIO.LOCAL'", -1765328228). Trying with
                delegate=True</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">trying <a
                  moz-do-not-send="true"
                  href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a></font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Forwarding 'ping' to json
                server '<a moz-do-not-send="true"
                  href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a>'</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Second connect with
                delegate=True also failed: Kerberos error: ('Unspecified
                GSS failure.  Minor code may provide more information',
                851968)/("Cannot contact any KDC for realm
                'ESTUDIO.LOCAL'", -1765328228)</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Cannot connect to the IPA
                server RPC interface: Kerberos error: ('Unspecified GSS
                failure.  Minor code may provide more information',
                851968)/("Cannot contact any KDC for realm
                'ESTUDIO.LOCAL'", -1765328228)</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Installation failed. Rolling
                back changes.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Failed to list certificates
                in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d'
                '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Failed to remove
                /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el fichero
                o el directorio: '/etc/ipa/nssdb/cert8.db'</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Failed to remove
                /etc/ipa/nssdb/key3.db: [Errno 2] No existe el fichero o
                el directorio: '/etc/ipa/nssdb/key3.db'</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Failed to remove
                /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el fichero
                o el directorio: '/etc/ipa/nssdb/secmod.db'</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Failed to remove
                /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el
                fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Unenrolling client from IPA
                server</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Unenrolling host failed:
                Error getting default Kerberos realm: host/domain name
                not found.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Removing Kerberos service
                principals from /etc/krb5.keytab</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Disabling client Kerberos and
                LDAP configurations</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Redundant SSSD configuration
                file /etc/sssd/sssd.conf was moved to
                /etc/sssd/sssd.conf.deleted</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Restoring client
                configuration files</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">nscd daemon is not installed,
                skip configuration</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">nslcd daemon is not
                installed, skip configuration</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">Client uninstall complete.</font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif"><br>
              </font></div>
            <div class="gmail_default" style=""><font color="#000099"
                face="verdana, sans-serif">***********************************************</font></div>
            <div
              style="color:rgb(0,0,153);font-family:verdana,sans-serif"><br>
            </div>
          </div>
        </div>
        <br>
        <br>
      </blockquote>
      Hello<br>
      <br>
      dig returns SERVFAIL, which may be the issue.<br>
    </blockquote>
    <br>
    You used dig with the wrong name; could you please use dig <font color="#000099"
      face="verdana, sans-serif"><font color="#000000">server.estudio.local
        and send the result?</font><br>
      <br>
    </font>
    <blockquote cite="mid:54CF929F.5050905@redhat.com" type="cite"> <br>
      Can you please check /etc/named.conf on the server to see whether
      dnssec-validation is set to true?<br>
      If yes, please set dnssec-validation to no; because you use the
      domain name .local, it may cause trouble.<br>
      <br>
      If the trouble persists, please send the journalctl -u named-pkcs11 log.<br>
      <br>
      Martin^2<br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
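    <p>Added example, not part of the original messages and not FreeIPA code: a Python triage of the two checks raised in this thread, namely what name a dig query actually asked for and what dnssec-validation is set to in a named.conf. dig does not apply the resolv.conf search list unless +search is given, which is why the single-label query above fails while nslookup resolves it. The sample texts and all function names are constructed for illustration.</p>

```python
import re

# Constructed sample, trimmed from the dig output quoted in the thread.
DIG_SHORT = """\
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;server.                        IN      A

;; SERVER: 192.168.56.2#53(192.168.56.2)
"""

# Constructed sample of a healthy FQDN lookup (hypothetical values).
DIG_FQDN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;server.estudio.local.          IN      A

;; ANSWER SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2
"""

# Constructed named.conf fragment, not the poster's real file.
NAMED_CONF = """\
options {
    allow-query { any; };
    // dnssec-validation no;   (commented out, must be ignored)
    dnssec-validation yes;
};
"""

ADVICE = {
    "single-label-query": "dig sent the bare name; query the FQDN or use +search",
    "servfail": "resolver failed; check the named log and DNSSEC validation",
    "no-answer": "query succeeded but returned no records for this name",
}


def parse_dig(output):
    """Extract response status, answer count and queried name from dig text."""
    status = re.search(r"status:\s*([A-Z]+)", output)
    answers = re.search(r"ANSWER:\s*(\d+)", output)
    qname = re.search(r"^;; QUESTION SECTION:[ \t]*\r?\n;(\S+)", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "answers": int(answers.group(1)) if answers else None,
        "qname": qname.group(1) if qname else None,
    }


def diagnose_dig(output):
    """Return finding codes (keys of ADVICE) for one dig transcript."""
    info = parse_dig(output)
    findings = []
    label = (info["qname"] or "").rstrip(".")
    if label and "." not in label:
        findings.append("single-label-query")
    if info["status"] == "SERVFAIL":
        findings.append("servfail")
    elif info["status"] == "NOERROR" and info["answers"] == 0:
        findings.append("no-answer")
    return findings


def dnssec_validation(conf_text):
    """Return the effective dnssec-validation value, or None if unset.

    Comments (/* */, // and #) are stripped first so a commented-out
    setting is not mistaken for the active one.
    """
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    values = re.findall(r"\bdnssec-validation\s+(\w+)\s*;", text)
    return values[-1].lower() if values else None


if __name__ == "__main__":
    for name, text in (("short name", DIG_SHORT), ("FQDN", DIG_FQDN)):
        for code in diagnose_dig(text) or ["ok"]:
            print(f"{name}: {code}: {ADVICE.get(code, 'no findings')}")
    print("dnssec-validation =", dnssec_validation(NAMED_CONF))
```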
  </body>
</html>