<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 03/19/2015 05:04 PM, Roberto
      Cornacchia wrote:<br>
    </div>
    <blockquote
cite="mid:CAFGv-=dJwQHQ5JYeex57DxjRoEP185U5oQEvsnc+PDqU8O9ywQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Yes.</div>
        <div><br>
        </div>
        <div><font face="monospace, monospace">[root@meson ~]# cat
            /etc/resolv.conf </font></div>
        <div><font face="monospace, monospace">search <a
              moz-do-not-send="true" href="http://hq.example.com">hq.example.com</a></font></div>
        <div><font face="monospace, monospace">nameserver 192.168.0.72</font></div>
        <div><br>
        </div>
        <div>Sorry, from the short log I posted it's not visible, but
          that IP address is the address of the IPA server (<a
            moz-do-not-send="true" href="http://ipa.hq.example.com">ipa.hq.example.com</a>).<br>
        </div>
        <div><br>
        </div>
        <div>
          <div><font face="monospace, monospace">[root@meson ~]# dig <a
                moz-do-not-send="true" href="http://ipa.hq.spinque.com">ipa.hq.spinque.com</a></font></div>
          <div><font face="monospace, monospace"><br>
            </font></div>
          <div><font face="monospace, monospace">; <<>> DiG
              9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> <a
                moz-do-not-send="true" href="http://ipa.hq.example.com">ipa.hq.example.com</a></font></div>
          <div><font face="monospace, monospace">;; global options: +cmd</font></div>
          <div><font face="monospace, monospace">;; Got answer:</font></div>
          <div><font face="monospace, monospace">;;
              ->>HEADER<<- opcode: QUERY, status: NOERROR,
              id: 53238</font></div>
          <div><font face="monospace, monospace">;; flags: qr aa rd ra;
              QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1</font></div>
          <div><font face="monospace, monospace"><br>
            </font></div>
          <div><font face="monospace, monospace">;; OPT PSEUDOSECTION:</font></div>
          <div><font face="monospace, monospace">; EDNS: version: 0,
              flags:; udp: 4096</font></div>
          <div><font face="monospace, monospace">;; QUESTION SECTION:</font></div>
          <div><font face="monospace, monospace">;ipa.hq.</font><span
              style="font-family:monospace,monospace">example</span><font
              face="monospace, monospace">.com.<span class=""
                style="white-space:pre"> </span>IN<span class=""
                style="white-space:pre"> </span>A</font></div>
          <div><font face="monospace, monospace"><br>
            </font></div>
          <div><font face="monospace, monospace">;; ANSWER SECTION:</font></div>
          <div><font face="monospace, monospace">ipa.hq.</font><span
              style="font-family:monospace,monospace">example</span><font
              face="monospace, monospace">.com. 1200<span class=""
                style="white-space:pre"> </span>IN<span class=""
                style="white-space:pre"> </span>A<span class=""
                style="white-space:pre"> </span>192.168.0.72</font></div>
          <div><font face="monospace, monospace"><br>
            </font></div>
          <div><font face="monospace, monospace">;; AUTHORITY SECTION:</font></div>
          <div><font face="monospace, monospace">hq.</font><span
              style="font-family:monospace,monospace">example</span><font
              face="monospace, monospace">.com.<span class=""
                style="white-space:pre"> </span>86400<span class=""
                style="white-space:pre"> </span>IN<span class=""
                style="white-space:pre"> </span>NS<span class=""
                style="white-space:pre"> </span>ipa.hq.</font><span
              style="font-family:monospace,monospace">example</span><font
              face="monospace, monospace">.com.</font></div>
          <div><font face="monospace, monospace"><br>
            </font></div>
          <div><font face="monospace, monospace">;; Query time: 1 msec</font></div>
          <div><font face="monospace, monospace">;; SERVER:
              192.168.0.72#53(192.168.0.72)</font></div>
          <div><font face="monospace, monospace">;; WHEN: do mrt 19
              22:02:04 CET 2015</font></div>
          <div><font face="monospace, monospace">;; MSG SIZE  rcvd: 83</font></div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    OK, so you can in fact look up the server.<br>
    Have you opened all required ports for LDAP, Kerberos and the other
    protocols in the firewall, both UDP and TCP?<br>
    <br>
    <blockquote
cite="mid:CAFGv-=dJwQHQ5JYeex57DxjRoEP185U5oQEvsnc+PDqU8O9ywQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 19 March 2015 at 21:55, Dmitri Pal <span
            dir="ltr"><<a moz-do-not-send="true"
              href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"><span class="">
                <div>On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div><font face="arial, helvetica, sans-serif">Hi, </font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">This
                        should really work like a charm, and I'm sure it
                        is a stupid mistake of mine if it doesn't, but I
                        really can't find out what goes wrong.</font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">Both
                        IPA server and client are on FC21, very up to
                        date.</font></div>
                    <div><font face="arial, helvetica, sans-serif">Server
                        installation (standard, with DNS) worked well.
                        Required ports open in the firewall. Everything
                        seems to work.</font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">I did
                        try to use the IPA server as a DNS (with
                        forwarders) and NTP server from non-ipa clients,
                        no problem.</font></div>
                    <div>I also tried to use it as LDAP server, from a
                      non-fedora machine (a synology). It worked well
                      and I could see users.</div>
                    <div><br>
                    </div>
                    <div>When trying to enroll a client, the enrollment
                      itself seems to succeed, but:</div>
                    <div>- Unable to sync time with NTP server</div>
                    <div>- Unable to update DNS</div>
                    <div>- Unable to find users</div>
                    <div><br>
                    </div>
                    <div>I include below the short installation log (I
                      changed the real domain into <a
                        moz-do-not-send="true"
                        href="http://hq.example.com" target="_blank">hq.example.com</a>),
                      and in attachment, the full log with debug on.</div>
                    <div><br>
                    </div>
                    <div>From the debug log, about the DNS update
                      failure, I can see this:</div>
                    <div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">  ;
                          Communication with 192.168.0.72#53 failed:
                          operation canceled</font></div>
                      <div><font face="monospace, monospace">  could not
                          reach any name server</font></div>
                    </div>
                    <div><font face="monospace, monospace"><br>
                      </font></div>
                    <div>I'm not sure what communication problem this
                      could be, as the server (which is both the IPA and
                      the DNS server) clearly can be reached.</div>
                    <div><br>
                    </div>
                    <div>Any idea where to look?</div>
                  </div>
                </blockquote>
                <br>
              </span> Do you have the IPA DNS server in the resolv.conf
              of the client?
              <div>
                <div class="h5"><br>
                  <br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>Thanks,</div>
                      <div>Roberto </div>
                      <div><br>
                      </div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">[root@meson
                          ~]# ipa-client-install --mkhomedir
                          --ssh-trust-dns --force-ntpd --hostname=<a
                            moz-do-not-send="true"
                            href="http://meson.hq.example.com"
                            target="_blank">meson.hq.example.com</a> </font></div>
                      <div><font face="monospace, monospace">Discovery
                          was successful!</font></div>
                      <div><font face="monospace, monospace">Hostname: <a
                            moz-do-not-send="true"
                            href="http://meson.hq.example.com"
                            target="_blank">meson.hq.example.com</a></font></div>
                      <div><font face="monospace, monospace">Realm: <a
                            moz-do-not-send="true"
                            href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                      <div><font face="monospace, monospace">DNS Domain:
                          <a moz-do-not-send="true"
                            href="http://hq.example.com" target="_blank">hq.example.com</a></font></div>
                      <div><font face="monospace, monospace">IPA Server:
                          <a moz-do-not-send="true"
                            href="http://ipa.hq.example.com"
                            target="_blank">ipa.hq.example.com</a></font></div>
                      <div><font face="monospace, monospace">BaseDN:
                          dc=hq,dc=example,dc=com</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">Continue to
                          configure the system with these values? [no]:
                          yes</font></div>
                      <div><font face="monospace, monospace">Synchronizing
                          time with KDC...</font></div>
                      <div><font face="monospace, monospace"><b><font
                              color="#ff0000">Unable to sync time with
                              IPA NTP server, assuming the time is in
                              sync. Please check that 123 UDP port is
                              opened.</font></b></font></div>
                      <div><font face="monospace, monospace">User
                          authorized to enroll computers: admin</font></div>
                      <div><font face="monospace, monospace">Password
                          for <a moz-do-not-send="true"
                            href="mailto:admin@HQ.EXAMPLE.COM"
                            target="_blank">admin@HQ.EXAMPLE.COM</a>: </font></div>
                      <div><font face="monospace, monospace">Successfully
                          retrieved CA cert</font></div>
                      <div><font face="monospace, monospace">   
                          Subject:     CN=Certificate Authority,O=<a
                            moz-do-not-send="true"
                            href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                      <div><font face="monospace, monospace">    Issuer:
                               CN=Certificate Authority,O=<a
                            moz-do-not-send="true"
                            href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                      <div><font face="monospace, monospace">    Valid
                          From:  Mon Mar 16 18:44:35 2015 UTC</font></div>
                      <div><font face="monospace, monospace">    Valid
                          Until: Fri Mar 16 18:44:35 2035 UTC</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">Enrolled in
                          IPA realm <a moz-do-not-send="true"
                            href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                      <div><font face="monospace, monospace">Created
                          /etc/ipa/default.conf</font></div>
                      <div><font face="monospace, monospace">New SSSD
                          config will be created</font></div>
                      <div><font face="monospace, monospace">Configured
                          sudoers in /etc/nsswitch.conf</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/sssd/sssd.conf</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/krb5.conf for IPA realm <a
                            moz-do-not-send="true"
                            href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                      <div><font face="monospace, monospace">trying <a
                            moz-do-not-send="true"
                            href="https://ipa.hq.example.com/ipa/json"
                            target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
                      <div><font face="monospace, monospace">Forwarding
                          'ping' to json server '<a
                            moz-do-not-send="true"
                            href="https://ipa.hq.example.com/ipa/json"
                            target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                      <div><font face="monospace, monospace">Forwarding
                          'ca_is_enabled' to json server '<a
                            moz-do-not-send="true"
                            href="https://ipa.hq.example.com/ipa/json"
                            target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                      <div><font face="monospace, monospace">Systemwide
                          CA database updated.</font></div>
                      <div><font face="monospace, monospace">Added CA
                          certificates to the default NSS database.</font></div>
                      <div><font face="monospace, monospace">Hostname (<a
                            moz-do-not-send="true"
                            href="http://meson.hq.example.com"
                            target="_blank">meson.hq.example.com</a>)
                          not found in DNS</font></div>
                      <div><font color="#ff0000" face="monospace,
                          monospace"><b>Failed to update DNS records.</b></font></div>
                      <div><font face="monospace, monospace">Adding SSH
                          public key from
                          /etc/ssh/ssh_host_ed25519_key.pub</font></div>
                      <div><font face="monospace, monospace">Adding SSH
                          public key from
                          /etc/ssh/ssh_host_ecdsa_key.pub</font></div>
                      <div><font face="monospace, monospace">Adding SSH
                          public key from /etc/ssh/ssh_host_rsa_key.pub</font></div>
                      <div><font face="monospace, monospace">Forwarding
                          'host_mod' to json server '<a
                            moz-do-not-send="true"
                            href="https://ipa.hq.example.com/ipa/json"
                            target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                      <div><font color="#ff0000" face="monospace,
                          monospace"><b>Could not update DNS SSHFP
                            records.</b></font></div>
                      <div><font face="monospace, monospace">SSSD
                          enabled</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/openldap/ldap.conf</font></div>
                      <div><font color="#ff0000" face="monospace,
                          monospace"><b>Unable to find 'admin' user with
                            'getent passwd <a moz-do-not-send="true"
                              href="mailto:admin@hq.example.com"
                              target="_blank">admin@hq.example.com</a>'!</b></font></div>
                      <div><font color="#ff0000" face="monospace,
                          monospace"><b>Unable to reliably detect
                            configuration. Check NSS setup manually.</b></font></div>
                      <div><font face="monospace, monospace">NTP enabled</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/ssh/ssh_config</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/ssh/sshd_config</font></div>
                      <div><font face="monospace, monospace">Configuring
                          <a moz-do-not-send="true"
                            href="http://hq.example.com" target="_blank">hq.example.com</a>
                          as NIS domain.</font></div>
                      <div><font face="monospace, monospace">Client
                          configuration complete.</font></div>
                      <div><br>
                      </div>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
              <span class="HOEnZb"><font color="#888888">
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                </font></span></div>
            <br>
            --<br>
            Manage your subscription for the Freeipa-users mailing list:<br>
            <a moz-do-not-send="true"
              href="https://www.redhat.com/mailman/listinfo/freeipa-users"
              target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
            Go to <a moz-do-not-send="true" href="http://freeipa.org"
              target="_blank">http://freeipa.org</a> for more info on
            the project<br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
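    <br>
    The question above (are the LDAP, Kerberos and other ports open in both directions?) can be answered from the client before enrolment is retried. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA project. The port list is the set a FreeIPA client needs on its server according to the FreeIPA documentation (HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, NTP, and DNS when the server also serves DNS, as ipa.hq.example.com does here); the server name is a placeholder taken from the thread, and `tcp_open` uses bash's `/dev/tcp` so nothing beyond bash and coreutils `timeout` is required on a freshly installed client.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): probe the TCP
# ports a FreeIPA client needs on its server and report which are blocked.
# Usage: sh ipa-port-check.sh ipa.hq.example.com   (server name is a placeholder)

# One "proto port service" line per port a FreeIPA client needs on the server
# (list per FreeIPA documentation; DNS only applies when IPA runs DNS).
required_ports() {
  cat <<'EOF'
tcp 80 http
tcp 443 https
tcp 389 ldap
tcp 636 ldaps
tcp 88 kerberos
tcp 464 kpasswd
tcp 53 dns
udp 88 kerberos
udp 464 kpasswd
udp 123 ntp
udp 53 dns
EOF
}

# Returns 0 if a TCP connection to $1:$2 opens within 3 seconds, non-zero
# otherwise (refused, filtered, or timed out). Runs the probe in bash because
# /dev/tcp is a bash feature, not a POSIX one.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probes every required TCP port on the server given as $1, prints one line
# per port, and returns the number of ports that could not be reached.
check_tcp_ports() {
  server="$1"
  failed=0
  for spec in $(required_ports | awk '$1 == "tcp" { print $2 ":" $3 }'); do
    port="${spec%%:*}"
    service="${spec#*:}"
    if tcp_open "$server" "$port"; then
      printf 'ok      tcp/%-4s %s\n' "$port" "$service"
    else
      printf 'BLOCKED tcp/%-4s %s\n' "$port" "$service"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Only probe when a server name is given on the command line.
if [ "$#" -gt 0 ]; then
  if check_tcp_ports "$1"; then
    echo "all required TCP ports reachable on $1"
  else
    echo "some TCP ports are blocked on $1; check the firewall, then the UDP ports" >&2
    exit 1
  fi
fi
```

A bare connect cannot probe UDP, so the UDP rows in `required_ports` are a checklist rather than something the script tests: `dig @ipa.hq.example.com ipa.hq.example.com` exercises udp/53 (which is what the dig output in the thread already shows working), `dig +tcp @ipa.hq.example.com ipa.hq.example.com` exercises tcp/53 separately, since a firewall may treat the two differently, and `ntpdate -q ipa.hq.example.com` queries udp/123 without touching the clock, matching the "Please check that 123 UDP port is opened" line in the install log.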
  </body>
</html>