<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/02/2015 08:13 AM, Gerardo Cuppari
wrote:<br>
</div>
<blockquote
cite="mid:CAAD-uD1NzRPGBG0X_O2MsczZJz3bMkqcP0d4mBUqt7CFjH=KPg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="">
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Hello! I am trying to enroll
one host to my IPA server (4.1.2) and I am having one
problem: the ipa-client-install script keeps giving me
errors at the "forwarding ping to json server" step.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">My configuration is:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><span class=""
style="white-space:pre"> </span>- server.estudio.local<span
class="" style="white-space:pre"> </span>192.168.56.2<span
class="" style="white-space:pre"> </span>Fedora Server
21<span class="" style="white-space:pre"> </span>ipa
4.1.2</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><span class=""
style="white-space:pre"> </span>- pc01.estudio.local<span
class="" style="white-space:pre"> </span>192.168.56.106<span
class="" style="white-space:pre"> </span>Fedora Works.
21</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Both have firewalld down (just
to test) and can reach each other. I've been trying to get
this working without success (solved other minor issues)
and so I'm asking for your help.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">The only way I can make it work
is by adding the --force switch to the ipa-client-install
script but, that way, it just disregards errors.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Thanks in advance!!!</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Here are my tests:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">SERVER</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">======</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@server ~]# ipa ping</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">-------------------------------------------</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">IPA server version 4.1.2. API
version 2.109</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">-------------------------------------------</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">CLIENT</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">======</font></div>
<div class="gmail_default" style=""><span class=""
style="white-space:pre"><font color="#000099"
face="verdana, sans-serif"> </font></span></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@pc01 ~]# dig server</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">; <<>> DiG
9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; global options: +cmd</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; Got answer:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; ->>HEADER<<-
opcode: QUERY, status: SERVFAIL, id: 29286</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; flags: qr rd ra; QUERY: 1,
ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; OPT PSEUDOSECTION:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">; EDNS: version: 0, flags:;
udp: 4096</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; QUESTION SECTION:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;server.
IN A</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; Query time: 10 msec</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; SERVER:
192.168.56.2#53(192.168.56.2)</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; WHEN: lun feb 02 09:51:07
ART 2015</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">;; MSG SIZE rcvd: 35</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">***********************************************</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@pc01 ~]# nslookup server</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Server: 192.168.56.2</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Address: 192.168.56.2#53</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Name: server.estudio.local</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Address: 192.168.56.2</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">***********************************************</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Here I disable chronyd so I can
run the script without NTP sync errors:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@pc01 ~]# systemctl
disable chronyd</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Removed symlink
/etc/systemd/system/multi-user.target.wants/chronyd.service.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@pc01 ~]# service chronyd
stop</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Redirecting to /bin/systemctl
stop chronyd.service</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">***********************************************</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Without having
"server.estudio.local" in the /etc/hosts file:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@pc01 ~]#
ipa-client-install --enable-dns-updates --mkhomedir
--ssh-trust-dns</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Skip server.estudio.local:
cannot verify if this is an IPA server</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Provide your IPA server name
(ex: <a moz-do-not-send="true"
href="http://ipa.example.com">ipa.example.com</a>):
server.estudio.local</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Skip server.estudio.local:
cannot verify if this is an IPA server</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Failed to verify that
server.estudio.local is an IPA Server.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">This may mean that the remote
server is not up or is not reachable due to network or
firewall settings.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Please make sure the following
ports are opened in the firewall settings:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> TCP: 80, 88, 389</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> UDP: 88 (at least one of
TCP/UDP ports 88 has to be open)</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Also note that following ports
are necessary for ipa-client working properly after
enrollment:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> TCP: 464</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> UDP: 464, 123 (if NTP
enabled)</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Installation failed. Rolling
back changes.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">IPA client is not configured on
this system.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">***********************************************</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Here I added the hostname and IP
address to the /etc/hosts file (I don't know why it doesn't work
without it):</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">[root@pc01 ~]#
ipa-client-install --enable-dns-updates --mkhomedir
--ssh-trust-dns</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Discovery was successful!</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Hostname: pc01.estudio.local</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Realm: ESTUDIO.LOCAL</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">DNS Domain: estudio.local</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">IPA Server:
server.estudio.local</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">BaseDN: dc=estudio,dc=local</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Continue to configure the
system with these values? [no]: yes</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Synchronizing time with KDC...</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">User authorized to enroll
computers: admin</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Password for
<a class="moz-txt-link-abbreviated" href="mailto:admin@ESTUDIO.LOCAL">admin@ESTUDIO.LOCAL</a>:</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Successfully retrieved CA cert</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> Subject: CN=Certificate
Authority,O=ESTUDIO.LOCAL</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> Issuer: CN=Certificate
Authority,O=ESTUDIO.LOCAL</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> Valid From: Fri Jan 30
12:02:01 2015 UTC</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"> Valid Until: Tue Jan 30
12:02:01 2035 UTC</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Enrolled in IPA realm
ESTUDIO.LOCAL</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Created /etc/ipa/default.conf</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">New SSSD config will be created</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Configured sudoers in
/etc/nsswitch.conf</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Configured /etc/sssd/sssd.conf</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Configured /etc/krb5.conf for
IPA realm ESTUDIO.LOCAL</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">trying <a
moz-do-not-send="true"
href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a></font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Forwarding 'ping' to json
server '<a moz-do-not-send="true"
href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a>'</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Cannot connect to the server
due to Kerberos error: Kerberos error: ('Unspecified GSS
failure. Minor code may provide more information',
851968)/("Cannot contact any KDC for realm
'ESTUDIO.LOCAL'", -1765328228). Trying with delegate=True</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">trying <a
moz-do-not-send="true"
href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a></font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Forwarding 'ping' to json
server '<a moz-do-not-send="true"
href="https://server.estudio.local/ipa/json">https://server.estudio.local/ipa/json</a>'</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Second connect with
delegate=True also failed: Kerberos error: ('Unspecified
GSS failure. Minor code may provide more information',
851968)/("Cannot contact any KDC for realm
'ESTUDIO.LOCAL'", -1765328228)</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Cannot connect to the IPA
server RPC interface: Kerberos error: ('Unspecified GSS
failure. Minor code may provide more information',
851968)/("Cannot contact any KDC for realm
'ESTUDIO.LOCAL'", -1765328228)</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Installation failed. Rolling
back changes.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Failed to list certificates in
/etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d'
'/etc/ipa/nssdb' '-L'' returned non-zero exit status 255</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Failed to remove
/etc/ipa/nssdb/cert8.db: [Errno 2] No existe el fichero o
el directorio: '/etc/ipa/nssdb/cert8.db'</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Failed to remove
/etc/ipa/nssdb/key3.db: [Errno 2] No existe el fichero o
el directorio: '/etc/ipa/nssdb/key3.db'</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Failed to remove
/etc/ipa/nssdb/secmod.db: [Errno 2] No existe el fichero o
el directorio: '/etc/ipa/nssdb/secmod.db'</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Failed to remove
/etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el fichero
o el directorio: '/etc/ipa/nssdb/pwdfile.txt'</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Unenrolling client from IPA
server</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Unenrolling host failed: Error
getting default Kerberos realm: host/domain name not
found.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Removing Kerberos service
principals from /etc/krb5.keytab</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Disabling client Kerberos and
LDAP configurations</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Redundant SSSD configuration
file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Restoring client configuration
files</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">nscd daemon is not installed,
skip configuration</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">nslcd daemon is not installed,
skip configuration</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">Client uninstall complete.</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font color="#000099"
face="verdana, sans-serif">***********************************************</font></div>
<div style="color:rgb(0,0,153);font-family:verdana,sans-serif"><br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
It seems like a DNS issue.<br>
It might be that DNS has entries that already define LDAP and
Kerberos services but they are not IPA.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
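<br>
One way to test the suggestion in the reply above, as an added example that is not part of the original thread: look up the LDAP and Kerberos SRV records for the domain and flag any target that is not the intended IPA server. The function names, the record list (the conventional <code>_ldap._tcp</code>, <code>_kerberos._tcp</code> and <code>_kerberos._udp</code> names) and the sample answers in the comments are assumptions made for this sketch.<br>

```shell
#!/bin/sh
# Added example (not from the thread): verify that the LDAP/Kerberos SRV
# records in a DNS domain point only at the intended IPA server.

# Conventional SRV owner names for LDAP and Kerberos service discovery.
IPA_SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp"

# classify_srv EXPECTED_HOST
# Reads `dig +short SRV` answer lines ("prio weight port target.") on stdin,
# e.g. the constructed line "0 100 88 server.estudio.local.".
# Returns 0 if every target is EXPECTED_HOST, 1 if any target differs,
# 2 if no SRV answer was seen (empty output or only dig error lines).
classify_srv() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    expected=${expected%.}
    seen=0 foreign=0
    while read -r prio weight port target; do
        case $prio in ';'*) continue ;; esac   # dig diagnostics (";; ...")
        [ -n "$target" ] || continue           # not a 4-field SRV answer
        target=$(printf '%s' "$target" | tr 'A-Z' 'a-z')
        target=${target%.}                     # drop the root dot
        seen=1
        if [ "$target" != "$expected" ]; then
            echo "  foreign target: $target (port $port)" >&2
            foreign=1
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$foreign"
}

# audit_domain DOMAIN EXPECTED_HOST [RESOLVER_IP]
# Queries each SRV name and prints one verdict line per record set.
audit_domain() {
    domain=$1 host=$2 resolver=${3:+@$3}
    status=0
    for name in $IPA_SRV_NAMES; do
        rc=0
        dig +short $resolver SRV "$name.$domain" | classify_srv "$host" || rc=$?
        case $rc in
            0) echo "OK      $name.$domain -> $host" ;;
            1) echo "FOREIGN $name.$domain lists non-IPA targets"; status=1 ;;
            2) echo "MISSING $name.$domain returned no SRV answer"; status=1 ;;
        esac
    done
    return "$status"
}

# Run only when called with arguments, for example:
#   sh check_ipa_srv.sh estudio.local server.estudio.local 192.168.56.2
if [ "$#" -ge 2 ]; then
    audit_domain "$@"
fi
```

A FOREIGN or MISSING line for the Kerberos records would be consistent with the "Cannot contact any KDC for realm" error in the client log, since the client locates KDCs through these records unless they are pinned in /etc/krb5.conf.<br>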
</body>
</html>