<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/19/2015 04:46 PM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote
cite="mid:CAFGv-=fMm0TouoaLO7kboVSh4Z_QHUFy6CGyZdOk7gKW+TSTLA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><font face="arial, helvetica, sans-serif">Hi, </font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">This should
really work like a charm, and I'm sure it is a stupid
mistake of mine if it doesn't, but I really can't find out
what goes wrong.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">Both IPA server
and client are on FC21, very up to date.</font></div>
<div><font face="arial, helvetica, sans-serif">Server
installation (standard, with dns) worked well. Required
ports open in the firewall. Everything seems to work.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">I did try to use
the IPA server as a DNS (with forwarders) and NTP server
from non-IPA clients, no problem.</font></div>
<div>I also tried to use it as LDAP server, from a non-fedora
machine (a synology). It worked well and I could see users.</div>
<div><br>
</div>
<div>When trying to enroll a client, the enrollment itself seems
to succeed, but:</div>
<div>- Unable to sync time with NTP server</div>
<div>- Unable to update DNS</div>
<div>- Unable to find users</div>
<div><br>
</div>
<div>I include below the short installation log (I changed the
real domain to <a moz-do-not-send="true"
href="http://hq.example.com">hq.example.com</a>), and, as an
attachment, the full log with debug on.</div>
<div><br>
</div>
<div>From the debug log, about the DNS update failure, I can see
this:</div>
<div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"> ; Communication with
192.168.0.72#53 failed: operation canceled</font></div>
<div><font face="monospace, monospace"> could not reach any
name server</font></div>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div>I'm not sure what communication problem this could be, as
the server (which is both the IPA and the DNS server) can
clearly be reached.</div>
<div><br>
</div>
<div>Any idea where to look?</div>
</div>
</blockquote>
<br>
Do you have the IPA DNS server in the resolv.conf of the client?<br>
<br>
<br>
<blockquote
cite="mid:CAFGv-=fMm0TouoaLO7kboVSh4Z_QHUFy6CGyZdOk7gKW+TSTLA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Thanks,</div>
<div>Roberto </div>
<div><br>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">[root@meson ~]#
ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
--hostname=<a moz-do-not-send="true"
href="http://meson.hq.example.com">meson.hq.example.com</a> </font></div>
<div><font face="monospace, monospace">Discovery was successful!</font></div>
<div><font face="monospace, monospace">Hostname: <a
moz-do-not-send="true" href="http://meson.hq.example.com">meson.hq.example.com</a></font></div>
<div><font face="monospace, monospace">Realm: <a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace, monospace">DNS Domain: <a
moz-do-not-send="true" href="http://hq.example.com">hq.example.com</a></font></div>
<div><font face="monospace, monospace">IPA Server: <a
moz-do-not-send="true" href="http://ipa.hq.example.com">ipa.hq.example.com</a></font></div>
<div><font face="monospace, monospace">BaseDN:
dc=hq,dc=example,dc=com</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">Continue to configure the
system with these values? [no]: yes</font></div>
<div><font face="monospace, monospace">Synchronizing time with
KDC...</font></div>
<div><font face="monospace, monospace"><b><font color="#ff0000">Unable
to sync time with IPA NTP server, assuming the time is
in sync. Please check that 123 UDP port is opened.</font></b></font></div>
<div><font face="monospace, monospace">User authorized to enroll
computers: admin</font></div>
<div><font face="monospace, monospace">Password for <a
moz-do-not-send="true" href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a>: </font></div>
<div><font face="monospace, monospace">Successfully retrieved CA
cert</font></div>
<div><font face="monospace, monospace"> Subject:
CN=Certificate Authority,O=<a moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace, monospace"> Issuer:
CN=Certificate Authority,O=<a moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace, monospace"> Valid From: Mon Mar
16 18:44:35 2015 UTC</font></div>
<div><font face="monospace, monospace"> Valid Until: Fri Mar
16 18:44:35 2035 UTC</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">Enrolled in IPA realm <a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace, monospace">Created
/etc/ipa/default.conf</font></div>
<div><font face="monospace, monospace">New SSSD config will be
created</font></div>
<div><font face="monospace, monospace">Configured sudoers in
/etc/nsswitch.conf</font></div>
<div><font face="monospace, monospace">Configured
/etc/sssd/sssd.conf</font></div>
<div><font face="monospace, monospace">Configured /etc/krb5.conf
for IPA realm <a moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace, monospace">trying <a
moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json">https://ipa.hq.example.com/ipa/json</a></font></div>
<div><font face="monospace, monospace">Forwarding 'ping' to json
server '<a moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font face="monospace, monospace">Forwarding
'ca_is_enabled' to json server '<a moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font face="monospace, monospace">Systemwide CA database
updated.</font></div>
<div><font face="monospace, monospace">Added CA certificates to
the default NSS database.</font></div>
<div><font face="monospace, monospace">Hostname (<a
moz-do-not-send="true" href="http://meson.hq.example.com">meson.hq.example.com</a>)
not found in DNS</font></div>
<div><font color="#ff0000" face="monospace, monospace"><b>Failed
to update DNS records.</b></font></div>
<div><font face="monospace, monospace">Adding SSH public key
from /etc/ssh/ssh_host_ed25519_key.pub</font></div>
<div><font face="monospace, monospace">Adding SSH public key
from /etc/ssh/ssh_host_ecdsa_key.pub</font></div>
<div><font face="monospace, monospace">Adding SSH public key
from /etc/ssh/ssh_host_rsa_key.pub</font></div>
<div><font face="monospace, monospace">Forwarding 'host_mod' to
json server '<a moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font color="#ff0000" face="monospace, monospace"><b>Could
not update DNS SSHFP records.</b></font></div>
<div><font face="monospace, monospace">SSSD enabled</font></div>
<div><font face="monospace, monospace">Configured
/etc/openldap/ldap.conf</font></div>
<div><font color="#ff0000" face="monospace, monospace"><b>Unable
to find 'admin' user with 'getent passwd <a
moz-do-not-send="true"
href="mailto:admin@hq.example.com">admin@hq.example.com</a>'!</b></font></div>
<div><font color="#ff0000" face="monospace, monospace"><b>Unable
to reliably detect configuration. Check NSS setup
manually.</b></font></div>
<div><font face="monospace, monospace">NTP enabled</font></div>
<div><font face="monospace, monospace">Configured
/etc/ssh/ssh_config</font></div>
<div><font face="monospace, monospace">Configured
/etc/ssh/sshd_config</font></div>
<div><font face="monospace, monospace">Configuring <a
moz-do-not-send="true" href="http://hq.example.com">hq.example.com</a>
as NIS domain.</font></div>
<div><font face="monospace, monospace">Client configuration
complete.</font></div>
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
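<p>An added diagnostic example, not code from this thread or from the FreeIPA project, that follows up on the resolv.conf question above. It checks, offline, that a client's resolver file lists the IPA DNS server as a nameserver and carries the IPA DNS domain in its search list; both are prerequisites for <code>ipa-client-install</code> to find the host in DNS, push its records, and for the later <code>getent passwd</code> lookup to work. The server address 192.168.0.72 and the domain hq.example.com are taken from the quoted log; the two resolv.conf samples are constructed, and the function and file names are this example's own.</p>

```shell
#!/bin/sh
# Example pre-enrollment resolver check (added here; not FreeIPA project code).
# Assumed inputs: a resolv.conf-style file, the IPA server IP (192.168.0.72 in
# the thread) and the IPA DNS domain (hq.example.com in the thread).

# Print the first "nameserver" entry; the stub resolver tries this one first,
# so it is the server that must be the IPA DNS server.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Exit 0 if the given IP is listed as a nameserver in the file, 1 otherwise.
resolv_has_nameserver() {
    awk -v want="$2" '
        $1 == "nameserver" && $2 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 if the search/domain directives include the IPA DNS domain, so a short
# hostname expands to the FQDN the enrollment uses; 1 otherwise.
resolv_has_domain() {
    awk -v want="$2" '
        ($1 == "search" || $1 == "domain") {
            for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Run both checks, print a verdict per check, and return the number of failures
# (0 means the resolver side looks right for enrollment).
preflight_resolv() {
    file=$1; ipa_ip=$2; ipa_domain=$3; fails=0
    if resolv_has_nameserver "$file" "$ipa_ip"; then
        echo "ok:   $ipa_ip is listed as a nameserver in $file"
    else
        echo "FAIL: $ipa_ip is not a nameserver in $file (first is: $(first_nameserver "$file"))"
        fails=$((fails + 1))
    fi
    if resolv_has_domain "$file" "$ipa_domain"; then
        echo "ok:   $ipa_domain is in the search/domain list"
    else
        echo "FAIL: $ipa_domain missing from search/domain in $file"
        fails=$((fails + 1))
    fi
    return $fails
}

# Demo on two constructed resolv.conf files: one pointing at the IPA server,
# one pointing at an unrelated resolver (the situation that yields
# "Hostname ... not found in DNS" and "Failed to update DNS records").
GOOD=$(mktemp); BAD=$(mktemp)
printf 'search hq.example.com\nnameserver 192.168.0.72\n' > "$GOOD"
printf 'nameserver 192.168.0.1\nnameserver 8.8.8.8\n' > "$BAD"
preflight_resolv "$GOOD" 192.168.0.72 hq.example.com
preflight_resolv "$BAD" 192.168.0.72 hq.example.com || \
    echo "-> this client would fail the DNS steps of ipa-client-install"
rm -f "$GOOD" "$BAD"
```

<p>On a real client, call <code>preflight_resolv /etc/resolv.conf &lt;ipa-server-ip&gt; &lt;ipa-domain&gt;</code> before enrolling. The live reachability checks the log also hints at (UDP 53 to the IPA DNS server and UDP 123 to its NTP service) are deliberately left out so the example runs offline; they are the next thing to verify once the resolver file is right.</p>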
</body>
</html>