<div dir="ltr"><div>Yes.</div><div><br></div><div><font face="monospace, monospace">[root@meson ~]# cat /etc/resolv.conf </font></div><div><font face="monospace, monospace">search <a href="http://hq.example.com">hq.example.com</a></font></div><div><font face="monospace, monospace">nameserver 192.168.0.72</font></div><div><br></div><div>Sorry from the short log I posted it's not visible, but that ip address is the address of the ipa server (<a href="http://ipa.hq.example.com">ipa.hq.example.com</a>)<br></div><div><br></div><div><div><font face="monospace, monospace">[root@meson ~]# dig <a href="http://ipa.hq.spinque.com">ipa.hq.spinque.com</a></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> <a href="http://ipa.hq.example.com">ipa.hq.example.com</a></font></div><div><font face="monospace, monospace">;; global options: +cmd</font></div><div><font face="monospace, monospace">;; Got answer:</font></div><div><font face="monospace, monospace">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238</font></div><div><font face="monospace, monospace">;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">;; OPT PSEUDOSECTION:</font></div><div><font face="monospace, monospace">; EDNS: version: 0, flags:; udp: 4096</font></div><div><font face="monospace, monospace">;; QUESTION SECTION:</font></div><div><font face="monospace, monospace">;ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">;; ANSWER SECTION:</font></div><div><font face="monospace, monospace">ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com. 1200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>192.168.0.72</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">;; AUTHORITY SECTION:</font></div><div><font face="monospace, monospace">hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com.<span class="" style="white-space:pre"> </span>86400<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>NS<span class="" style="white-space:pre"> </span>ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com.</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">;; Query time: 1 msec</font></div><div><font face="monospace, monospace">;; SERVER: 192.168.0.72#53(192.168.0.72)</font></div><div><font face="monospace, monospace">;; WHEN: do mrt 19 22:02:04 CET 2015</font></div><div><font face="monospace, monospace">;; MSG SIZE rcvd: 83</font></div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 19 March 2015 at 21:55, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div text="#000000" bgcolor="#FFFFFF"><span class=""> <div>On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:<br> </div> <blockquote type="cite"> <div dir="ltr"> <div><font face="arial, helvetica, sans-serif">Hi, </font></div> <div><font face="arial, helvetica, sans-serif"><br> </font></div> <div><font face="arial, helvetica, sans-serif">This should really work like a charm, and I'm sure it is a stupid mistake of mine if it doesn't, but I really can't find out what goes wrong.</font></div> <div><font face="arial, helvetica, sans-serif"><br> </font></div> <div><font face="arial, helvetica, sans-serif">Both IPA server and client are on FC21, very up to date.</font></div> <div><font face="arial, helvetica, sans-serif">Server installation (standard, with dns) worked well. Required ports open in the firewall. Everything seems to work.</font></div> <div><font face="arial, helvetica, sans-serif"><br> </font></div> <div><font face="arial, helvetica, sans-serif">I did try to use the IPA server as a DNS (with forwarders) and NTP server from non-ipa clients, no problem.</font></div> <div>I also tried to use it as LDAP server, from a non-fedora machine (a synology). It worked well and I could see users.</div> <div><br> </div> <div>When trying to enroll a client, the enrollment itself seems to succeed, but:</div> <div>- Unable to sync time with NTP server</div> <div>- Unable to update DNS</div> <div>- Unable to find users</div> <div><br> </div> <div>I include below the short installation log (I changed the real domain into <a href="http://hq.example.com" target="_blank">hq.example.com</a>), and in attachment, the full log with debug on.</div> <div><br> </div> <div>From the debug log, about the DNS update failure, I can see this:</div> <div> <div><font face="monospace, monospace"><br> </font></div> <div><font face="monospace, monospace"> ; Communication with 192.168.0.72#53 failed: operation canceled</font></div> <div><font face="monospace, monospace"> could not reach any name server</font></div> </div> <div><font face="monospace, monospace"><br> </font></div> <div>I'm not sure what communication problem this could be, as the server (which is both the IPA and the DNS servers), clearly can be reached.</div> <div><br> </div> <div>Any idea where to look at?</div> </div> </blockquote> <br></span> Do you have the IPA DNS server in the resolv.conf of the client?<div><div class="h5"><br> <br> <br> <blockquote type="cite"> <div dir="ltr"> <div><br> </div> <div>Thanks,</div> <div>Roberto </div> <div><br> </div> <div><font face="monospace, monospace"><br> </font></div> <div><font face="monospace, monospace">[root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd --hostname=<a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a> </font></div> <div><font face="monospace, monospace">Discovery was successful!</font></div> <div><font face="monospace, monospace">Hostname: <a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a></font></div> <div><font face="monospace, monospace">Realm: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div> <div><font face="monospace, monospace">DNS Domain: <a href="http://hq.example.com" target="_blank">hq.example.com</a></font></div> <div><font face="monospace, monospace">IPA Server: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></font></div> <div><font face="monospace, monospace">BaseDN: dc=hq,dc=example,dc=com</font></div> <div><font face="monospace, monospace"><br> </font></div> <div><font face="monospace, monospace">Continue to configure the system with these values? [no]: yes</font></div> <div><font face="monospace, monospace">Synchronizing time with KDC...</font></div> <div><font face="monospace, monospace"><b><font color="#ff0000">Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.</font></b></font></div> <div><font face="monospace, monospace">User authorized to enroll computers: admin</font></div> <div><font face="monospace, monospace">Password for <a href="mailto:admin@HQ.EXAMPLE.COM" target="_blank">admin@HQ.EXAMPLE.COM</a>: </font></div> <div><font face="monospace, monospace">Successfully retrieved CA cert</font></div> <div><font face="monospace, monospace"> Subject: CN=Certificate Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div> <div><font face="monospace, monospace"> Issuer: CN=Certificate Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div> <div><font face="monospace, monospace"> Valid From: Mon Mar 16 18:44:35 2015 UTC</font></div> <div><font face="monospace, monospace"> Valid Until: Fri Mar 16 18:44:35 2035 UTC</font></div> <div><font face="monospace, monospace"><br> </font></div> <div><font face="monospace, monospace">Enrolled in IPA realm <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div> <div><font face="monospace, monospace">Created /etc/ipa/default.conf</font></div> <div><font face="monospace, monospace">New SSSD config will be created</font></div> <div><font face="monospace, monospace">Configured sudoers in /etc/nsswitch.conf</font></div> <div><font face="monospace, monospace">Configured /etc/sssd/sssd.conf</font></div> <div><font face="monospace, monospace">Configured /etc/krb5.conf for IPA realm <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div> <div><font face="monospace, monospace">trying <a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div> <div><font face="monospace, monospace">Forwarding 'ping' to json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div> <div><font face="monospace, monospace">Forwarding 'ca_is_enabled' to json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div> <div><font face="monospace, monospace">Systemwide CA database updated.</font></div> <div><font face="monospace, monospace">Added CA certificates to the default NSS database.</font></div> <div><font face="monospace, monospace">Hostname (<a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a>) not found in DNS</font></div> <div><font color="#ff0000" face="monospace, monospace"><b>Failed to update DNS records.</b></font></div> <div><font face="monospace, monospace">Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub</font></div> <div><font face="monospace, monospace">Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub</font></div> <div><font face="monospace, monospace">Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub</font></div> <div><font face="monospace, monospace">Forwarding 'host_mod' to json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div> <div><font color="#ff0000" face="monospace, monospace"><b>Could not update DNS SSHFP records.</b></font></div> <div><font face="monospace, monospace">SSSD enabled</font></div> <div><font face="monospace, monospace">Configured /etc/openldap/ldap.conf</font></div> <div><font color="#ff0000" face="monospace, monospace"><b>Unable to find 'admin' user with 'getent passwd <a href="mailto:admin@hq.example.com" target="_blank">admin@hq.example.com</a>'!</b></font></div> <div><font color="#ff0000" face="monospace, monospace"><b>Unable to reliably detect configuration. Check NSS setup manually.</b></font></div> <div><font face="monospace, monospace">NTP enabled</font></div> <div><font face="monospace, monospace">Configured /etc/ssh/ssh_config</font></div> <div><font face="monospace, monospace">Configured /etc/ssh/sshd_config</font></div> <div><font face="monospace, monospace">Configuring <a href="http://hq.example.com" target="_blank">hq.example.com</a> as NIS domain.</font></div> <div><font face="monospace, monospace">Client configuration complete.</font></div> <div><br> </div> </div> <br> <fieldset></fieldset> <br> </blockquote> <br> <br> </div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </font></span></div> <br>--<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>