<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 24 March 2015 at 14:49, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 03/24/2015 09:43 AM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi there,
<div><br>
</div>
<div>All the issues I reported in this long thread are SOLVED.</div>
</div>
</blockquote>
<br></span>
Thanks for closing the loop.<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>For completeness, I'm posting here the conclusions.
<div><br>
</div>
<div>ipa-client-install did enroll the client but failed in
several points:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">$ ipa-client-install
--mkhomedir --ssh-trust-dns --force-ntpd</font></div>
<div><span style="font-family:monospace,monospace">[...</span><span style="font-family:monospace,monospace">]</span></div>
<div><font face="monospace, monospace">Synchronizing time
with KDC...<br>
</font></div>
<div><font face="monospace, monospace">Unable to sync time
with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.</font></div>
<div><span style="font-family:monospace,monospace">[...</span><span style="font-family:monospace,monospace">]</span></div>
<div><span style="font-family:monospace,monospace">Failed to
update DNS records.</span></div>
<div><span style="font-family:monospace,monospace">[...</span><span style="font-family:monospace,monospace">]</span></div>
<div><span style="font-family:monospace,monospace">Could not
update DNS SSHFP records.</span><br>
</div>
<div><span style="font-family:monospace,monospace">[...</span><span style="font-family:monospace,monospace">]</span></div>
<div><span style="font-family:monospace,monospace">Unable to
find 'admin' user with 'getent passwd <a href="mailto:admin@hq.example.com" target="_blank">admin@hq.example.com</a>'!</span><br>
</div>
<div><font face="monospace, monospace">Unable to reliably
detect configuration. Check NSS setup manually.</font></div>
<div><span style="font-family:monospace,monospace">[...</span><span style="font-family:monospace,monospace">]</span></div>
<div><span style="font-family:monospace,monospace">Client
configuration complete.</span><br>
</div>
</div>
<div><br>
</div>
<div>There were two distinct problems:</div>
<div><br>
</div>
<div>1) NTP sync failed because despite using --force-ntpd,
chronyd wasn't stopped beforehand. Stopping it manually
solved the issue. I believe ipa-client-install stopping
chronyd was the intended behaviour, in which case this is
perhaps a bug. If it needs to be stopped manually, then it
should be documented clearly.</div>
<div>The failed NTP sync caused Kerberos to fail, which
explains "Unable to find 'admin' user with 'getent passwd <a href="mailto:admin@hq.example.com" target="_blank">admin@hq.example.com</a>'".</div>
</div>
</div>
</blockquote>
<br></span>
We should probably file a ticket about this. I am just not sure what
exactly it should be.<div><div class="h5"><br>
<br></div></div></div></blockquote><div><br></div><div>IMHO, the "assuming the time is in sync" bit is dangerous. The client and the server were already quite in sync (both automatically synced with a remote time server), but apparently not enough. Time sync being so central in the infrastructure, I would probably want to abort the installation if no sync can be performed successfully.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>2) DNS update failed because for some obscure reason I
forgot to open port 53/tcp on the server's firewall. Only
53/udp was open. This fooled me, because with 53/udp open,
the DNS was almost completely functional. However, updates
also require 53/tcp.</div>
<div><br>
</div>
<div><br>
</div>
<div>All in all, it was a full two days of digging and debugging.
Bright side is, I learned a lot.</div>
<div><br>
</div>
<div>A sincere thank you for the many useful answers I
received!</div>
<div>Best, </div>
<div>Roberto</div>
<div><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 March 2015 at 10:07,
Roberto Cornacchia <span dir="ltr"><<a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div><font face="arial, helvetica, sans-serif">Dmitri,
Rob, Jakub,</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">I
found at least one of the major problems:
chronyd.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">This
is what I get when I use ipa-client-install on a
plain FC21 machine, <i>without</i> using
--force-ntpd</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><font face="monospace, monospace">WARNING:
ntpd time&date synchronization service
will not be configured as</font></div>
<div><font face="monospace, monospace">conflicting
service (chronyd) is enabled</font></div>
<div><font face="monospace, monospace">Use
--force-ntpd option to disable it and force
configuration of ntpd</font></div>
</blockquote>
<div><br>
</div>
<div>Good, then I abort and run it again with <span style="font-family:arial,helvetica,sans-serif"> </span><span style="font-family:arial,helvetica,sans-serif">--force-ntpd:</span></div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>
<div><font face="monospace, monospace">Synchronizing
time with KDC...</font></div>
</div>
<div>
<div><font face="monospace, monospace">Unable to
sync time with IPA NTP server, assuming the
time is in sync. Please check that 123 UDP
port is opened.</font></div>
</div>
</blockquote>
<div><br>
</div>
<div>Perhaps I misinterpreted the meaning of
--force-ntpd. I had assumed it would take care of
stopping and disabling chronyd. But it doesn't.
That's why I get the error above.</div>
<div><br>
</div>
<div>If I first stop chronyd manually and run the
installation again, then it does synchronise with
NTP.</div>
<div>This was apparently the cause of "id admin" not
working (Kerberos failing without proper NTP
sync?)</div>
<div>Now the basic functionalities are all OK.</div>
<div>Also, chronyd is disabled and ntpd is enabled
after installation - good.</div>
<div><br>
</div>
<div>My nsswitch.conf now looks like this:</div>
<div><br>
</div>
<div><span>
<div><font face="monospace, monospace">passwd:
files sss</font></div>
<div><font face="monospace, monospace">shadow:
files sss</font></div>
<div><font face="monospace, monospace">group:
files sss</font></div>
</span><span>
<div><font face="monospace, monospace">hosts:
files mdns4_minimal [NOTFOUND=return] dns
myhostname<br>
</font></div>
<div><font face="monospace, monospace">bootparams:
nisplus [NOTFOUND=return] files<br>
</font></div>
<div><font face="monospace, monospace">ethers:
files<br>
</font></div>
<div><font face="monospace, monospace">netmasks:
files</font></div>
<div><font face="monospace, monospace">networks:
files</font></div>
<div><font face="monospace, monospace">protocols:
files</font></div>
<div><font face="monospace, monospace">rpc:
files</font></div>
</span><span>
<div><font face="monospace, monospace">services:
files sss</font></div>
<div><font face="monospace, monospace">netgroup:
files sss<br>
</font></div>
</span>
<div><font face="monospace, monospace">publickey:
nisplus<br>
</font></div>
<div><font face="monospace, monospace">automount:
files sss<br>
</font></div>
<span>
<div><font face="monospace, monospace">aliases:
files nisplus</font></div>
<div><font face="monospace, monospace">sudoers:
files sss</font></div>
</span></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I am left with 2 issues:</div>
<div><br>
</div>
<div>1) Is the above expected? Do I have to stop
chronyd manually? Or is it a bug?</div>
<div>2) DNS update still does not work</div>
<div><br>
</div>
<div><br>
</div>
<div>The latest installation log:</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">$ systemctl
stop chronyd</font></div>
<span>
<div><span style="font-family:monospace,monospace">$
ipa-client-install --mkhomedir
--ssh-trust-dns --force-ntpd </span><br>
</div>
<div><font face="monospace, monospace">Discovery
was successful!</font></div>
</span>
<div><font face="monospace, monospace">Hostname: <a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a></font></div>
<span>
<div><font face="monospace, monospace">Realm: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace, monospace">DNS
Domain: hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com</font></div>
<div><font face="monospace, monospace">IPA
Server: ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com</font></div>
</span><span>
<div><font face="monospace, monospace">BaseDN:
dc=hq,dc=</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">,dc=com</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">Continue
to configure the system with these values?
[no]: yes</font></div>
<div><font face="monospace, monospace">Synchronizing
time with KDC...</font></div>
</span>
<div><span style="font-family:monospace,monospace">User
authorized to enroll computers: User
authorized to enroll computers: admin</span><br>
</div>
<div><font face="monospace, monospace">Password
for <a href="mailto:admin@HQ.EXAMPLE.COM" target="_blank">admin@HQ.EXAMPLE.COM</a>: </font></div>
<span>
<div><font face="monospace, monospace">Successfully
retrieved CA cert</font></div>
<div><font face="monospace, monospace">
Subject: CN=Certificate Authority,O=HQ.</font><span style="font-family:monospace,monospace">EXAMPLE</span><font face="monospace, monospace">.COM</font></div>
</span>
<div><font face="monospace, monospace"> Issuer:
CN=Certificate Authority,O=HQ.</font><span style="font-family:monospace,monospace">EXAMPLE</span><font face="monospace, monospace">.COM</font></div>
<span>
<div><font face="monospace, monospace"> Valid
From: Mon Mar 16 18:44:35 2015 UTC</font></div>
<div><font face="monospace, monospace"> Valid
Until: Fri Mar 16 18:44:35 2035 UTC</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">Enrolled
in IPA realm HQ.</font><span style="font-family:monospace,monospace">EXAMPLE</span><font face="monospace, monospace">.COM</font></div>
</span><span>
<div><font face="monospace, monospace">Created
/etc/ipa/default.conf</font></div>
<div><font face="monospace, monospace">New SSSD
config will be created</font></div>
<div><font face="monospace, monospace">Configured
sudoers in /etc/nsswitch.conf</font></div>
<div><font face="monospace, monospace">Configured
/etc/sssd/sssd.conf</font></div>
<div><font face="monospace, monospace">Configured
/etc/krb5.conf for IPA realm HQ.</font><span style="font-family:monospace,monospace">EXAMPLE</span><font face="monospace, monospace">.COM</font></div>
</span><span>
<div><font face="monospace, monospace">trying <a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
<div><font face="monospace, monospace">Forwarding
'ping' to json server '<a>https://</a></font><span style="font-family:monospace,monospace"><a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></span><font face="monospace, monospace">/ipa/json'</font></div>
<div><font face="monospace, monospace">Forwarding
'ca_is_enabled' to json server '<a>https://</a></font><span style="font-family:monospace,monospace"><a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></span><font face="monospace, monospace">/ipa/json'</font></div>
<div><font face="monospace, monospace">Systemwide
CA database updated.</font></div>
<div><font face="monospace, monospace">Added CA
certificates to the default NSS database.</font></div>
</span><span>
<div><font face="monospace, monospace">Hostname
(<a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a>)
not found in DNS</font></div>
<div><font color="#ff0000" face="monospace,
monospace"><b>Failed to update DNS records.</b></font></div>
</span><span>
<div><font face="monospace, monospace">Adding
SSH public key from
/etc/ssh/ssh_host_ed25519_key.pub</font></div>
</span>
<div><font face="monospace, monospace">Adding SSH
public key from
/etc/ssh/ssh_host_ecdsa_key.pub</font></div>
<span>
<div><font face="monospace, monospace">Adding
SSH public key from
/etc/ssh/ssh_host_rsa_key.pub</font></div>
</span><span>
<div><font face="monospace, monospace">Forwarding
'host_mod' to json server '<a>https://</a></font><span style="font-family:monospace,monospace"><a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></span><font face="monospace, monospace">/ipa/json'</font></div>
</span><span>
<div><font color="#ff0000" face="monospace,
monospace"><b>Could not update DNS SSHFP
records.</b></font></div>
</span><span>
<div><font face="monospace, monospace">SSSD
enabled</font></div>
<div><font face="monospace, monospace">Configured
/etc/openldap/ldap.conf</font></div>
<div><font face="monospace, monospace">NTP
enabled</font></div>
<div><font face="monospace, monospace">Configured
/etc/ssh/ssh_config</font></div>
<div><font face="monospace, monospace">Configured
/etc/ssh/sshd_config</font></div>
</span>
<div><font face="monospace, monospace">Configuring
<a href="http://hq.example.com" target="_blank">hq.example.com</a>
as NIS domain.</font></div>
<div><font face="monospace, monospace">Client
configuration complete.</font></div>
</div>
<div><br>
</div>
<div><font face="monospace, monospace">$ id admin</font></div>
<div>
<div><font face="monospace, monospace">uid=1172000000(admin)
gid=1172000000(admins)
groups=1172000000(admins)</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 22 March 2015 at
21:04, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On
Sun, Mar 22, 2015 at 04:24:49PM +0100,
Roberto Cornacchia wrote:<br>
> Thanks Rob.<br>
><br>
> Knowing that /etc/nsswitch.conf is
created wrongly is a step forward,<br>
> although we don't know why that
happens yet.<br>
> I'm not very keen on fixing it
post-installation (except if this is just
to<br>
> learn more about the issue), even if
this seems to solve problems. I'm not<br>
> going to deploy freeIPA for real
before I can at least run successfully a<br>
> plain installation.<br>
<br>
</span>Hi,<br>
<br>
I find it a bit unexpected that the client
system didn't have<br>
nsswitch.conf configured. I've never seen
the client installation fail<br>
in this particular way.<br>
<br>
For debugging SSSD issues, we've created a
new troubleshooting page<br>
upstream that should walk you through the
config:<br>
<a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a><br>
maybe this article would also help:<br>
<a href="https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/" target="_blank">https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/</a><br>
<br>
But most importantly, I wouldn't expect to
see any issues as long as<br>
you use ipa-client-install. I guess
re-enrolling the client would be the<br>
fastest way forward?<br>
<div>
<div><br>
--<br>
Manage your subscription for the
Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div></div><span class=""><pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></div>
</blockquote></div><br></div></div>
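The "assuming the time is in sync" failure mode discussed in the thread is cheap to check for before enrolling a client. The following is an added example, not code from this thread or from FreeIPA itself: it sends a single client-mode SNTP request (RFC 4330 packet layout) to the IPA server's NTP service on UDP/123, computes the local clock offset from the four timestamps, and refuses to proceed when the offset exceeds the 300-second default that krb5 tolerates (`clockskew` in krb5.conf), the limit beyond which the KDC answers with KRB_AP_ERR_SKEW instead of a ticket. The server name `ipa.hq.example.com` is reused from the installation log above; the 3-second timeout, the 300-second threshold and the constructed reply produced by `build_sample_reply()` are assumptions.

```python
"""Pre-enrollment clock-skew check against the IPA server's NTP service.

Added example for this thread; not code from the thread or from FreeIPA.
One client-mode SNTP request (RFC 4330 packet layout) goes to UDP/123 on
the server, the local offset is computed from the four timestamps, and the
result is compared with the 300 s that krb5 tolerates by default
(`clockskew` in krb5.conf).  The server name comes from the log above; the
timeout and the constructed reply in build_sample_reply() are assumptions.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to the Unix epoch
KRB5_DEFAULT_CLOCKSKEW = 300       # krb5.conf `clockskew` default, in seconds
NTP_PACKET = "!BBBb11I"            # LI/VN/Mode, stratum, poll, precision, 11 words
NTP_MODE_CLIENT, NTP_MODE_SERVER = 3, 4


def ntp_to_unix(seconds, fraction):
    """Convert one 64-bit NTP timestamp (two 32-bit words) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2.0 ** 32


def parse_sntp_response(packet):
    """Return (stratum, t2, t3) from a 48-byte server reply; t2/t3 in Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(packet))
    fields = struct.unpack(NTP_PACKET, packet[:48])
    leap, mode, stratum = fields[0] >> 6, fields[0] & 0x07, fields[1]
    if mode != NTP_MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0:
        # LI=3 means "clock unsynchronized"; stratum 0 is a kiss-o'-death reply
        raise ValueError("server reports itself unsynchronized")
    words = fields[4:]                      # root delay, root disp, ref id, 4 timestamps
    t2 = ntp_to_unix(words[7], words[8])    # receive timestamp
    t3 = ntp_to_unix(words[9], words[10])   # transmit timestamp
    return stratum, t2, t3


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset; positive means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def kerberos_accepts(offset, clockskew=KRB5_DEFAULT_CLOCKSKEW):
    """True when the KDC would still accept our timestamps (else KRB_AP_ERR_SKEW)."""
    return abs(offset) <= clockskew


def query_sntp(server, timeout=3.0):
    """Send one SNTP request from an ephemeral port; return (offset, stratum)."""
    request = bytearray(48)
    request[0] = (0 << 6) | (4 << 3) | NTP_MODE_CLIENT   # LI=0, VN=4, mode 3
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(bytes(request), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    stratum, t2, t3 = parse_sntp_response(data)
    return clock_offset(t1, t2, t3, t4), stratum


def preflight(server):
    """Abort-style check: (ok, message); never 'assumes the time is in sync'."""
    try:
        offset, stratum = query_sntp(server)
    except (OSError, ValueError) as exc:
        return False, "no usable reply from %s:123 (%s)" % (server, exc)
    if not kerberos_accepts(offset):
        return False, "clock off by %.1f s from %s (stratum %d), limit %d s" % (
            offset, server, stratum, KRB5_DEFAULT_CLOCKSKEW)
    return True, "offset %.3f s from %s (stratum %d)" % (offset, server, stratum)


def build_sample_reply(t2_unix, t3_unix, stratum=2, leap=0):
    """Constructed mode-4 reply for offline self-checks (not a captured packet)."""
    def to_ntp(t):
        return int(t) + NTP_EPOCH_OFFSET, int((t - int(t)) * 2 ** 32)
    r2, r3 = to_ntp(t2_unix), to_ntp(t3_unix)
    return struct.pack(NTP_PACKET, (leap << 6) | (4 << 3) | NTP_MODE_SERVER,
                       stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, r2[0], r2[1], r3[0], r3[1])


if __name__ == "__main__":
    import sys
    ok, message = preflight(sys.argv[1] if len(sys.argv) > 1 else "ipa.hq.example.com")
    print(("OK: " if ok else "ABORT: ") + message)
    sys.exit(0 if ok else 1)
```

Run it as `python3 ntp_preflight.py ipa.hq.example.com` before `ipa-client-install`; a non-zero exit means either no reply on UDP/123 (firewall, or no NTP service answering) or a skew the KDC will reject. Because the request goes out from an ephemeral port, the check works whether or not chronyd is still holding port 123 locally; it tells you about skew, not about which daemon will own the port after installation.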
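The second problem in the thread, a DNS server reachable on 53/udp but not on 53/tcp, is also easy to detect directly rather than by inference from a failed enrollment. The following is an added example, not code from this thread or from FreeIPA: it builds one DNS query by hand in RFC 1035 wire format, sends it first over UDP and then over TCP with the two-byte length prefix DNS over TCP requires, and reports the outcome per transport. A server that answers only over UDP looks "almost completely functional", as described above, while the client's record updates, which ipa-client-install performs via nsupdate, fail. The server and zone names `ipa.hq.example.com` and `hq.example.com` are reused from the log above; the fixed transaction id and the constructed replies in the self-check are assumptions.

```python
"""Per-transport DNS reachability check for an IPA server (53/udp vs 53/tcp).

Added example for this thread; not code from the thread or from FreeIPA.
Server name and zone are reused from the log above; the replies used in
the self-check are constructed, not captured.
"""
import socket
import struct

QTYPE_SOA = 6   # the zone's SOA record exists whenever the zone does
QCLASS_IN = 1
TXID = 0x1234   # fixed id is fine for a diagnostic; real resolvers randomize it


def encode_name(name):
    """RFC 1035 wire name: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=QTYPE_SOA, txid=TXID):
    """Standard query with RD set: 12-byte header + one question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response_header(msg, txid=TXID):
    """Return (rcode, truncated, answer_count); reject non-responses and id mismatches."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:                              # QR bit
        raise ValueError("not a response")
    return flags & 0x000F, bool(flags & 0x0200), an     # RCODE, TC bit, ANCOUNT


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    """One query over UDP/53; returns the parsed header tuple."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response_header(data)


def query_tcp(server, name, timeout=3.0):
    """Same query over TCP/53, framed and unframed with the length prefix."""
    query = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, length)
    return parse_response_header(data)


def check_transports(server, zone):
    """Try both transports; a UDP-only result is the firewall gap from the thread."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            rcode, truncated, answers = fn(server, zone)
            results[transport] = "ok rcode=%d tc=%s answers=%d" % (rcode, truncated, answers)
        except (OSError, ValueError) as exc:
            results[transport] = "FAILED: %s" % exc
    return results


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.hq.example.com"
    zone = sys.argv[2] if len(sys.argv) > 2 else "hq.example.com"
    for transport, outcome in check_transports(server, zone).items():
        print("%s/53: %s" % (transport, outcome))
```

With only 53/udp open on the server's firewall the UDP line reports an answer and the TCP line a connection timeout or refusal, which is the asymmetry that cost the thread's author two days. A reply with the TC bit set over UDP is another reason TCP must be open: the client is expected to retry the same query over TCP.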