<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/20/2015 10:56 AM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote
cite="mid:CAFGv-=eFriT4u9Ue1ZCB7SQ5Z8jngXmL+ho942Oe+G6oW+EF4Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><font face="arial, helvetica, sans-serif">The zone
settings:</font></div>
<div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div><font face="monospace, monospace">$ ipa dnszone-show
--all</font></div>
<div><font face="monospace, monospace">Zone name: <a
moz-do-not-send="true" href="http://hq.example.com">hq.example.com</a>.</font></div>
<div><font face="monospace, monospace"> dn: idnsname=<a
moz-do-not-send="true" href="http://hq.example.com">hq.example.com</a>.,cn=dns,dc=hq,dc=example,dc=com</font></div>
<div><font face="monospace, monospace"> Zone name: <a
moz-do-not-send="true" href="http://hq.example.com">hq.example.com</a>.</font></div>
<div><font face="monospace, monospace"> Active zone: TRUE</font></div>
<div><font face="monospace, monospace"> Authoritative
nameserver: <a moz-do-not-send="true"
href="http://ipa.hq.example.com">ipa.hq.example.com</a>.</font></div>
<div><font face="monospace, monospace"> Administrator e-mail
address: <a moz-do-not-send="true"
href="http://hostmaster.hq.example.com">hostmaster.hq.example.com</a>.</font></div>
<div><font face="monospace, monospace"> SOA serial:
1426857128</font></div>
<div><font face="monospace, monospace"> SOA refresh: 3600</font></div>
<div><font face="monospace, monospace"> SOA retry: 900</font></div>
<div><font face="monospace, monospace"> SOA expire: 1209600</font></div>
<div><font face="monospace, monospace"> SOA minimum: 3600</font></div>
<div><font face="monospace, monospace"> BIND update policy:
grant <a moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a>
krb5-self * A; grant HQ.</font><span
style="font-family:monospace,monospace">EXAMPLE</span><font
face="monospace, monospace">.COM krb5-self * AAAA; grant
HQ.</font><span style="font-family:monospace,monospace">EXAMPLE</span><font
face="monospace, monospace">.COM krb5-self * SSHFP;</font></div>
<div><font face="monospace, monospace"> Dynamic update: TRUE</font></div>
<div><font face="monospace, monospace"> Allow query: any;</font></div>
<div><font face="monospace, monospace"> Allow transfer: none;</font></div>
<div><font face="monospace, monospace"> nsrecord: <a
moz-do-not-send="true" href="http://ipa.hq.example.com">ipa.hq.example.com</a>.</font></div>
<div><font face="monospace, monospace"> objectclass:
idnszone, top, idnsrecord</font></div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">The DNS log doesn't mention anything
about updates. It does contain some errors about unreachable
hosts, but that's because I had a temporary interruption
towards the gateway from the ipa server.</div>
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote">One thing I did after installing the
IPA server was to turn off support for IPv6, using </div>
$ echo "net.ipv6.conf.all.disable_ipv6 = 1" >>
/etc/sysctl.conf<br>
$ sysctl -p
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote">Do you think it could have any
influence?</div>
</div>
</div>
</blockquote>
<br>
I think it can.<br>
I have a vague recollection of a bug related to that in some of the
packages we depend on, or something like that.<br>
Can you try enabling it and see if it makes a difference?<br>
<br>
<blockquote
cite="mid:CAFGv-=eFriT4u9Ue1ZCB7SQ5Z8jngXmL+ho942Oe+G6oW+EF4Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote">On 20 March 2015 at 12:31, Martin
Basti <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello,<br>
<br>
do you have DNS dynamic updates enabled for
hq.example.zone?<br>
You can check it in the zone settings.<br>
<br>
Are there any entries in the DNS log related to
nsupdate executed from a client?<br>
$ journalctl -b -u named-pkcs11
<div>
<div><br>
<br>
On 20/03/15 09:53, Roberto Cornacchia wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">
<div><font face="arial, helvetica, sans-serif">It
seems so:</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">$
firewall-cmd --list-all</font></div>
<div><font face="monospace, monospace">FedoraServer
(default, active)</font></div>
<div><font face="monospace, monospace">
interfaces: em2</font></div>
<div><font face="monospace, monospace">
sources:</font></div>
<div><font face="monospace, monospace">
services: cockpit dhcpv6-client ssh</font></div>
<div><font face="monospace, monospace"> ports:
8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp
636/tcp 88/udp 464/udp 8010/tcp 88/tcp
7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp
9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp</font></div>
<div><font face="monospace, monospace">
masquerade: no</font></div>
<div><font face="monospace, monospace">
forward-ports:</font></div>
<div><font face="monospace, monospace">
icmp-blocks:</font></div>
<div><font face="monospace, monospace"> rich
rules:</font></div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 20 March 2015 at
00:53, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 03/19/2015 05:04 PM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Yes.</div>
<div><br>
</div>
<div><font face="monospace,
monospace">[root@meson ~]# cat
/etc/resolv.conf </font></div>
<div><font face="monospace,
monospace">search <a
moz-do-not-send="true"
href="http://hq.example.com"
target="_blank">hq.example.com</a></font></div>
<div><font face="monospace,
monospace">nameserver
192.168.0.72</font></div>
<div><br>
</div>
<div>Sorry, it's not visible from the short log I
posted, but that IP address is the address of the
IPA server (<a
moz-do-not-send="true"
href="http://ipa.hq.example.com"
target="_blank">ipa.hq.example.com</a>)<br>
</div>
<div><br>
</div>
<div>
<div><font face="monospace,
monospace">[root@meson ~]# dig
<a moz-do-not-send="true"
href="http://ipa.hq.example.com">ipa.hq.example.com</a></font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">; <<>>
DiG
9.9.6-P1-RedHat-9.9.6-8.P1.fc21
<<>> <a
moz-do-not-send="true"
href="http://ipa.hq.example.com"
target="_blank">ipa.hq.example.com</a></font></div>
<div><font face="monospace,
monospace">;; global options:
+cmd</font></div>
<div><font face="monospace,
monospace">;; Got answer:</font></div>
<div><font face="monospace,
monospace">;;
->>HEADER<<-
opcode: QUERY, status:
NOERROR, id: 53238</font></div>
<div><font face="monospace,
monospace">;; flags: qr aa rd
ra; QUERY: 1, ANSWER: 1,
AUTHORITY: 1, ADDITIONAL: 1</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">;; OPT
PSEUDOSECTION:</font></div>
<div><font face="monospace,
monospace">; EDNS: version: 0,
flags:; udp: 4096</font></div>
<div><font face="monospace,
monospace">;; QUESTION
SECTION:</font></div>
<div><font face="monospace,
monospace">;ipa.hq.</font><span
style="font-family:monospace,monospace">example</span><font
face="monospace, monospace">.com.<span
style="white-space:pre-wrap">
</span>IN<span
style="white-space:pre-wrap">
</span>A</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">;; ANSWER SECTION:</font></div>
<div><font face="monospace,
monospace">ipa.hq.</font><span
style="font-family:monospace,monospace">example</span><font
face="monospace, monospace">.com.
1200<span
style="white-space:pre-wrap">
</span>IN<span
style="white-space:pre-wrap">
</span>A<span
style="white-space:pre-wrap">
</span>192.168.0.72</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">;; AUTHORITY
SECTION:</font></div>
<div><font face="monospace,
monospace">hq.</font><span
style="font-family:monospace,monospace">example</span><font
face="monospace, monospace">.com.<span
style="white-space:pre-wrap">
</span>86400<span
style="white-space:pre-wrap">
</span>IN<span
style="white-space:pre-wrap">
</span>NS<span
style="white-space:pre-wrap">
</span>ipa.hq.</font><span
style="font-family:monospace,monospace">example</span><font
face="monospace, monospace">.com.</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">;; Query time: 1
msec</font></div>
<div><font face="monospace,
monospace">;; SERVER:
192.168.0.72#53(192.168.0.72)</font></div>
<div><font face="monospace,
monospace">;; WHEN: do mrt 19
22:02:04 CET 2015</font></div>
<div><font face="monospace,
monospace">;; MSG SIZE rcvd:
83</font></div>
</div>
</div>
</blockquote>
<br>
<br>
</span> OK, so you can in fact look up the
server.<br>
Have you opened all required ports for
ldap and kerberos and other protocols in
the firewall both UDP and TCP?
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 19
March 2015 at 21:55, Dmitri Pal
<span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF"><span>
<div>On 03/19/2015 04:46
PM, Roberto Cornacchia
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><font
face="arial,
helvetica,
sans-serif">Hi, </font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">This
should really work
like a charm, and
I'm sure it is a
stupid mistake of
mine if it
doesn't, but I
really can't find
out what goes
wrong.</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Both
IPA server and
client are on
FC21, very up to
date.</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Server
installation
(standard, with
dns) worked well.
Required ports
open in the
firewall.
Everything seems
to work.</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">I did
try to use the IPA
server as a DNS
(with forwarders)
and NTP server
from non-ipa
clients, no
problem.</font></div>
<div>I also tried to
use it as LDAP
server, from a
non-fedora machine
(a synology). It
worked well and I
could see users.</div>
<div><br>
</div>
<div>When trying to
enroll a client, the
enrollment itself
seems to succeed,
but:</div>
<div>- Unable to sync
time with NTP server</div>
<div>- Unable to
update DNS</div>
<div>- Unable to find
users</div>
<div><br>
</div>
<div>I include below
the short
installation log (I
changed the real
domain into <a
moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a>), and in
attachment, the full
log with debug on.</div>
<div><br>
</div>
<div>From the debug
log, about the DNS
update failure, I
can see this:</div>
<div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace"> ;
Communication
with
192.168.0.72#53
failed:
operation
canceled</font></div>
<div><font
face="monospace,
monospace">
could not reach
any name server</font></div>
</div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div>I'm not sure what
communication
problem this could
be, as the server
(which is both the
IPA and the DNS
server) can clearly
be reached.</div>
<div><br>
</div>
<div>Any idea where to
look?</div>
</div>
</blockquote>
<br>
</span> Do you have the IPA
DNS server in the
resolv.conf of the client?
<div>
<div><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Thanks,</div>
<div>Roberto </div>
<div><br>
</div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace">[root@meson
~]#
ipa-client-install
--mkhomedir
--ssh-trust-dns
--force-ntpd
--hostname=<a
moz-do-not-send="true"
href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a> </font></div>
<div><font
face="monospace,
monospace">Discovery
was successful!</font></div>
<div><font
face="monospace,
monospace">Hostname:
<a
moz-do-not-send="true"
href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a></font></div>
<div><font
face="monospace,
monospace">Realm:
<a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">DNS
Domain: <a
moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a></font></div>
<div><font
face="monospace,
monospace">IPA
Server: <a
moz-do-not-send="true"
href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></font></div>
<div><font
face="monospace,
monospace">BaseDN:
dc=hq,dc=example,dc=com</font></div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace">Continue
to configure the
system with
these values?
[no]: yes</font></div>
<div><font
face="monospace,
monospace">Synchronizing
time with KDC...</font></div>
<div><font
face="monospace,
monospace"><b><font
color="#ff0000">Unable to sync time with IPA NTP server, assuming the
time is in
sync. Please
check that 123
UDP port is
opened.</font></b></font></div>
<div><font
face="monospace,
monospace">User
authorized to
enroll
computers: admin</font></div>
<div><font
face="monospace,
monospace">Password
for <a
moz-do-not-send="true"
href="mailto:admin@HQ.EXAMPLE.COM" target="_blank">admin@HQ.EXAMPLE.COM</a>: </font></div>
<div><font
face="monospace,
monospace">Successfully
retrieved CA
cert</font></div>
<div><font
face="monospace,
monospace">
Subject:
CN=Certificate
Authority,O=<a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">
Issuer:
CN=Certificate
Authority,O=<a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">
Valid From: Mon
Mar 16 18:44:35
2015 UTC</font></div>
<div><font
face="monospace,
monospace">
Valid Until: Fri
Mar 16 18:44:35
2035 UTC</font></div>
<div><font
face="monospace,
monospace"><br>
</font></div>
<div><font
face="monospace,
monospace">Enrolled
in IPA realm <a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">Created
/etc/ipa/default.conf</font></div>
<div><font
face="monospace,
monospace">New
SSSD config will
be created</font></div>
<div><font
face="monospace,
monospace">Configured
sudoers in
/etc/nsswitch.conf</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/sssd/sssd.conf</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/krb5.conf
for IPA realm <a
moz-do-not-send="true" href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font
face="monospace,
monospace">trying
<a
moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
<div><font
face="monospace,
monospace">Forwarding
'ping' to json
server '<a
moz-do-not-send="true"
href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font
face="monospace,
monospace">Forwarding
'ca_is_enabled'
to json server '<a
moz-do-not-send="true" href="https://ipa.hq.example.com/ipa/json"
target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font
face="monospace,
monospace">Systemwide
CA database
updated.</font></div>
<div><font
face="monospace,
monospace">Added
CA certificates
to the default
NSS database.</font></div>
<div><font
face="monospace,
monospace">Hostname
(<a
moz-do-not-send="true"
href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a>)
not found in DNS</font></div>
<div><font
color="#ff0000"
face="monospace,
monospace"><b>Failed
to update DNS
records.</b></font></div>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_ed25519_key.pub</font></div>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_ecdsa_key.pub</font></div>
<div><font
face="monospace,
monospace">Adding
SSH public key
from
/etc/ssh/ssh_host_rsa_key.pub</font></div>
<div><font
face="monospace,
monospace">Forwarding
'host_mod' to
json server '<a
moz-do-not-send="true" href="https://ipa.hq.example.com/ipa/json"
target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font
color="#ff0000"
face="monospace,
monospace"><b>Could
not update DNS
SSHFP records.</b></font></div>
<div><font
face="monospace,
monospace">SSSD
enabled</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/openldap/ldap.conf</font></div>
<div><font
color="#ff0000"
face="monospace,
monospace"><b>Unable
to find
'admin' user
with 'getent
passwd <a
moz-do-not-send="true"
href="mailto:admin@hq.example.com" target="_blank">admin@hq.example.com</a>'!</b></font></div>
<div><font
color="#ff0000"
face="monospace,
monospace"><b>Unable
to reliably
detect
configuration.
Check NSS
setup
manually.</b></font></div>
<div><font
face="monospace,
monospace">NTP
enabled</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/ssh/ssh_config</font></div>
<div><font
face="monospace,
monospace">Configured
/etc/ssh/sshd_config</font></div>
<div><font
face="monospace,
monospace">Configuring
<a
moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a> as NIS
domain.</font></div>
<div><font
face="monospace,
monospace">Client
configuration
complete.</font></div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span><font color="#888888">
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
--<br>
Manage your subscription for
the Freeipa-users mailing
list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a
moz-do-not-send="true"
href="http://freeipa.org"
target="_blank">http://freeipa.org</a>
for more info on the project<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span><font color="#888888">
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
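<p>Added example (the editor's, not code from this thread or from the FreeIPA project): two offline checks for the questions the thread raises, whether the server firewall opens every port an enrolling client needs (Dmitri's question) and whether the zone accepts krb5-self dynamic updates for A, AAAA and SSHFP records (Martin's question). Both functions parse pasted <code>firewall-cmd --list-all</code> and <code>ipa dnszone-show --all</code> output, so they can be run against a copy of the output from any machine. The required-port list and the firewalld service-to-port mapping are assumptions taken from the FreeIPA and firewalld documentation, not from the thread. Run on the firewall listing quoted above, the check reports 53/tcp as the one required port not opened; the thread itself does not settle whether that is the cause of the failure.</p>

```python
"""Offline checks for the two questions raised in the thread: does the
server firewall expose every port an IPA client needs, and does the DNS
zone accept GSS-TSIG dynamic updates from hosts in the realm. Both parsers
work on pasted command output, so they run without access to the server.
Editor's example; not FreeIPA code."""
import re

# Ports an enrolling IPA client talks to on the server. Assumed from the
# FreeIPA documentation; the thread itself only asks "are they all open?".
IPA_REQUIRED_PORTS = {
    "80/tcp", "443/tcp",      # HTTP/HTTPS: enrollment JSON-RPC, CA cert download
    "389/tcp", "636/tcp",     # LDAP / LDAPS
    "88/tcp", "88/udp",       # Kerberos
    "464/tcp", "464/udp",     # kpasswd
    "53/tcp", "53/udp",       # DNS; nsupdate and large answers need TCP too
    "123/udp",                # NTP
}

# firewalld services that open the same ports. Assumed from firewalld's
# shipped service definitions, so a zone that uses services instead of raw
# ports is not reported as missing them.
FIREWALLD_SERVICE_PORTS = {
    "dns": {"53/tcp", "53/udp"}, "ntp": {"123/udp"},
    "ldap": {"389/tcp"}, "ldaps": {"636/tcp"},
    "kerberos": {"88/tcp", "88/udp"}, "kpasswd": {"464/tcp", "464/udp"},
    "http": {"80/tcp"}, "https": {"443/tcp"},
}

def _field(listing, name):
    """Value of the '  name: ...' line in `firewall-cmd --list-all` output."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.*)$", listing, re.MULTILINE)
    return m.group(1) if m else ""

def open_ports_from_listing(listing):
    """Set of 'port/proto' strings opened by the zone's ports and known services."""
    ports = set(_field(listing, "ports").split())
    for svc in _field(listing, "services").split():
        ports |= FIREWALLD_SERVICE_PORTS.get(svc, set())
    return ports

def missing_ipa_ports(open_ports):
    """Required ports that the zone does not open, sorted by port number."""
    return sorted(IPA_REQUIRED_PORTS - open_ports,
                  key=lambda p: (int(p.split("/")[0]), p))

def parse_dnszone(listing):
    """Parse `ipa dnszone-show --all` output into a {lowercase field: value} dict."""
    zone = {}
    for line in listing.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            zone[key.strip().lower()] = value.strip()
    return zone

def check_dynamic_update(zone, realm, record_types=("A", "AAAA", "SSHFP")):
    """Findings that would stop a host in `realm` from updating its own records."""
    findings = []
    if zone.get("dynamic update", "").upper() != "TRUE":
        findings.append("Dynamic update is not TRUE")
    policy = zone.get("bind update policy", "")
    # krb5-self grants let host/<fqdn>@REALM update records named <fqdn> only
    grants = {(r.upper(), t.upper()) for r, t in
              re.findall(r"grant\s+(\S+)\s+krb5-self\s+\*\s+(\S+)\s*;", policy)}
    for rtype in record_types:
        if (realm.upper(), rtype) not in grants:
            findings.append(f"no 'grant {realm} krb5-self * {rtype}' in update policy")
    return findings

# Constructed sample input, transcribed from the outputs quoted in the thread.
SAMPLE_FIREWALL = """FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

SAMPLE_ZONE = """  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""

if __name__ == "__main__":
    print("firewall: missing", missing_ipa_ports(open_ports_from_listing(SAMPLE_FIREWALL)))
    print("zone:", check_dynamic_update(parse_dnszone(SAMPLE_ZONE), "HQ.EXAMPLE.COM") or "ok")
```

<p>To use it on a live system, replace the constructed samples with the real output (for example <code>firewall-cmd --list-all</code> and <code>ipa dnszone-show hq.example.com --all</code> redirected to files and read in). The zone check deliberately looks only at the krb5-self grants and the dynamic-update flag; it does not tell you whether the client can actually reach the name server, which is what the thread's nsupdate error and the firewall check are about.</p>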
</body>
</html>