<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/20/2015 02:48 PM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote
cite="mid:CAFGv-=eB2NnFhhMuPFQ333rfUuJ+d+OC9_Bg5da5d9_UAWF5-g@mail.gmail.com"
type="cite">
<div dir="ltr">No, all real machines.
<div><br>
</div>
<div>I'm really sorry it's taking so much of your time. </div>
<div>I had tried almost everything on a VM setting first, and
everything was fine. </div>
<div>Everything always works fine, until you actually need it.</div>
</div>
</blockquote>
<br>
<br>
We try to help as much as we can.<br>
Can you do LDAP lookups as a directory manager from the client host to
the server?<br>
Can you ssh from the client to the server?<br>
<br>
When you try to install the client, is there anything in the logs on the
server? Does it even get there?<br>
<br>
<br>
<br>
<blockquote
cite="mid:CAFGv-=eB2NnFhhMuPFQ333rfUuJ+d+OC9_Bg5da5d9_UAWF5-g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 20 March 2015 at 19:41, Dmitri Pal <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">But the ipa server itself is also
enrolled as a client, just after the server
installation, right? And that worked fine.</div>
</blockquote>
<br>
</span> Are these VMs?<br>
There has been a similar case when the network was not
set properly for the virtual test environment.
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 20 March 2015 at
18:55, Roberto Cornacchia <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:roberto.cornacchia@gmail.com"
target="_blank">roberto.cornacchia@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<p dir="ltr">No, sorry about the confusion,
I shouldn't have posted so quickly.</p>
<p>When I use the correct domain (<a
moz-do-not-send="true"
href="http://hq.example.com"
target="_blank">hq.example.com</a>),
then I really get all the same errors as
before, also in the new client.</p>
<p><br>
</p>
<p dir="ltr"><br>
</p>
<div class="gmail_quote">
<div>
<div>On 20 Mar 2015 18:39, "Dmitri Pal"
&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>&gt;
wrote:<br type="attribution">
</div>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div>
<div>
<div bgcolor="#FFFFFF"
text="#000000">
<div>On 03/20/2015 01:25 PM,
Roberto Cornacchia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Oops. Not true,
forget last email.
<div><br>
</div>
<div>This second client
installation went differently
just because it took the
wrong domain.</div>
<div>It used <b><a
moz-do-not-send="true"
href="http://example.com"
target="_blank">example.com</a></b> (what
was previously set) instead
of <b><a
moz-do-not-send="true"
href="http://hq.example.com"
target="_blank">hq.example.com</a></b></div>
<div><br>
</div>
<div>Uninstalled, tried again
with --hostname=<a
moz-do-not-send="true"
href="http://photon.hq.example.com"
target="_blank">photon.hq.example.com</a></div>
<div>And then it behaves
precisely like the previous
client.</div>
<div><br>
</div>
<div>So something seems wrong
in the server.</div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
20 March 2015 at 18:18,
Roberto Cornacchia <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>
<div><font
face="arial,
helvetica,
sans-serif">Update:</font></div>
<div><font
face="arial,
helvetica,
sans-serif">I
tried from
another
client. Also
FC21, same
network, same
settings from
the same
DHCP. </font></div>
<div><font
face="arial,
helvetica,
sans-serif">But
obviously it
must have
something
different
because it
partially
succeeded.</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">-
I do not get
errors about
LDAP users.</font></div>
<div><font
face="arial,
helvetica,
sans-serif">-
I do not get
errors about
DNS update</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">However:</font></div>
<div><font
face="arial,
helvetica,
sans-serif">-
I still get
the initial
error about
NTP</font></div>
<div><font
face="arial,
helvetica,
sans-serif">-
The host is
enrolled, but
not added to
the DNS zone</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Now,
I don't care
much about the
previous
client. It was
pretty much
empty and can
re-install
Fedora from
scratch. </font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">But
I'd like to
understand if
this is still
a problem.</font></div>
<div><font
face="arial,
helvetica,
sans-serif">It
should be
added to the
zone,
shouldn't it?</font></div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace">$
ipa-client-install
--mkhomedir
--ssh-trust-dns
--force-ntpd</font></div>
<div><font
face="monospace,
monospace">Discovery
was
successful!</font></div>
<div><font
face="monospace,
monospace">Hostname:
<a
moz-do-not-send="true"
href="http://photon.example.com" target="_blank">photon.example.com</a></font></div>
<div>
<div>
<div><font
face="monospace,
monospace">Realm:
<a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">DNS
Domain: <a
moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a></font></div>
<div><font
face="monospace,
monospace">IPA
Server: <a
moz-do-not-send="true"
href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></font></div>
<div><font
face="monospace,
monospace">BaseDN:
dc=hq,dc=example,dc=com</font></div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace">Continue
to configure
the system
with these
values? [no]:
yes</font></div>
<div><font
face="monospace,
monospace">Synchronizing
time with
KDC...</font></div>
<div><font
color="#ff0000"
face="monospace,
monospace"><b>Unable
to sync time
with IPA NTP
server,
assuming the
time is in
sync. Please
check that 123
UDP port is
opened.</b></font></div>
<div><font
face="monospace,
monospace">User
authorized to
enroll
computers:
admin</font></div>
<div><font
face="monospace,
monospace">Password
for <a
moz-do-not-send="true"
href="mailto:admin@HQ.EXAMPLE.COM" target="_blank">admin@HQ.EXAMPLE.COM</a>:</font></div>
<div><font
face="monospace,
monospace">Successfully
retrieved CA
cert</font></div>
<div><font
face="monospace,
monospace">
Subject:
CN=Certificate
Authority,O=<a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">
Issuer:
CN=Certificate
Authority,O=<a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">
Valid From:
Mon Mar 16
18:44:35 2015
UTC</font></div>
<div><font
face="monospace,
monospace">
Valid Until:
Fri Mar 16
18:44:35 2035
UTC</font></div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace">Enrolled
in IPA realm <a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">Created
/etc/ipa/default.conf</font></div>
<div><font
face="monospace,
monospace">New
SSSD config
will be
created</font></div>
<div><font
face="monospace,
monospace">Configured
sudoers in
/etc/nsswitch.conf</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/sssd/sssd.conf</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/krb5.conf
for IPA realm
<a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">trying
<a
moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
<div><font
face="monospace,
monospace">Forwarding
'ping' to json
server '<a
moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font
face="monospace,
monospace">Forwarding
'ca_is_enabled'
to json server
'<a
moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font
face="monospace,
monospace">Systemwide
CA database
updated.</font></div>
<div><font
face="monospace,
monospace">Added
CA
certificates
to the default
NSS database.</font></div>
</div>
</div>
<span>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_rsa_key.pub</font></div>
</span><span>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_ed25519_key.pub</font></div>
</span>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_dsa_key.pub</font></div>
<span>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_ecdsa_key.pub</font></div>
</span><span>
<div><font
face="monospace,
monospace">Forwarding
'host_mod' to
json server '<a
moz-do-not-send="true" href="https://ipa.hq.example.com/ipa/json"
target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font
color="#ff0000"
face="monospace,
monospace"><b>Could
not update DNS
SSHFP records.</b></font></div>
<div><font
face="monospace,
monospace">SSSD
enabled</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/openldap/ldap.conf</font></div>
</span><span>
<div><font
face="monospace,
monospace">NTP
enabled</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/ssh/ssh_config</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/ssh/sshd_config</font></div>
<div><font
face="monospace,
monospace">Configuring
<a
moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a> as NIS
domain.</font></div>
<div><font
face="monospace,
monospace">Client
configuration
complete.</font></div>
</span></div>
<div><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
It is different. It does not have
the same failure about admin as
you had in the first email.<br>
So maybe it is the permissions
issue and a separate NTP issue?<br>
Did you play with any permissions
on the server side?<br>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
<br>
</div>
</div>
<span>--<br>
Manage your subscription for the
Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a moz-do-not-send="true"
href="http://freeipa.org"
target="_blank">http://freeipa.org</a>
for more info on the project<br>
</span></blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>