<div dir="ltr"><span style="font-size:12.8px">Thank you, Rob.  </span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">For reference, my full log can be found here: </span><a href="http://pastebin.com/6VLaQjYw" target="_blank" style="font-size:12.8px">http://pastebin.com/<wbr>6VLaQjYw</a><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">But I would postulate that the interesting bit is this: </span><br style="font-size:12.8px"><blockquote class="gmail_quote" style="font-size:12.8px;margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; UPDATE SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://trainmaster.ipa.rxrhouse.net/" target="_blank">trainmaster.ipa.rxrhouse.net</a>. 
0 ANY     A</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Outgoing update query:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; QUESTION SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;<a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.<wbr>rxrhouse.net</a>.        ANY TKEY</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ADDITIONAL SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.<wbr>rxrhouse.net</a>. 0 ANY TKEY gss-tsig. 
1476223815 1476223815 3 NOERROR 683 YIICpwYJKoZIhvcSAQICAQBuggKWMI<wbr>ICkqADAgEFoQMCAQ6iBwMFACAA AACjggGIYYIBhDCCAYCgAwIBBaESGx<wbr>BJUEEuUlhSSE9VU0UuTkVUoiow KKADAgEBoSEwHxsDRE5TGxhpcGEtcG<wbr>RjLmlwYS5yeHJob3VzZS5uZXSj ggE3MIIBM6ADAgESoQMCAQKiggElBI<wbr>IBIeFubKS/x0aKfc7u/f9Z5Ro8 pZZ4RkIlwOWAAuiSxJNmoaIhYgYNit<wbr>n2pkAII+eKtdialtAI/1418exm sM7zahCj0MWpBIYQZB4tsN9JZMaKF7<wbr>SK5TlewH9mZitjd+hbQ5iwjklV 8P6OOMsIRIytywnd8eD/<wbr>988GQz3C5CfBU1pQM5Bkox4vSRawZJ<wbr>RUy0xx C8H4nOOPsJZd9AozsaAZSR4EeA05Ib<wbr>W+gxxIeXjShPDwRF6fs4sNxZUt FEkdujVZOaM4M4olLadzScsXDi2pO/<wbr>8WqjJdDwMfLD95+CHSiFMSyJqy nwem6dzJTJvyLTq4fKO+<wbr>ajmUHw5tV30Pg7w9krEiFSTuFkCmKW<wbr>1a2GQo 5Lm3VQF34cnYTA+5K8yEwLiTqX+<wbr>kgfAwge2gAwIBEqKB5QSB4u9m77de VD1pQ+DUyBKaC2jOgD/<wbr>uUWAyfNNojNAtKAMGbHzDWSRASe1Xd<wbr>+RNgwIa QdT2PC6kHbJMz9jaJu/<wbr>0fxC9JmPp6Qe6p8CGaQ6IvPGm4838T<wbr>lGdGhuS YpUwVAEqvl85S23+yT3Qo/<wbr>O8Qffhi4i/<wbr>WDdiBHGGDrKF4CCZXJrr/F+L Pd8oabRE81h+<wbr>4Tu7KBTApBwWYFYQSct7Q9ZrFiUuQz<wbr>bpc2ZjXaVLi3ai uvH2NLWvLwxt8Z8PYRHgTrEYb/<wbr>QfEluP2qfbo6XuO4UHoF7rN8d28bnw bhUsEYaVs1r8Pxk= 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1</blockquote><blockquote class="gmail_quote" 
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; QUESTION SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;<a href="http://trainmaster.ipa.rxrhouse.net/" target="_blank">trainmaster.ipa.rxrhouse.net</a>.<wbr>  IN      SOA</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; AUTHORITY SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://ipa.rxrhouse.net/" target="_blank">ipa.rxrhouse.net</a>.       60      IN      SOA     <a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank">ipa-pdc.ipa.rxrhouse.net</a>. <a href="http://hostmaster.ipa.rxrhouse.net/" target="_blank">hostmaster.ipa.rxrhouse.net</a>. 1476221978 3600 900 1209600 3600</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ADDITIONAL SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank">ipa-pdc.ipa.rxrhouse.net</a>. 
353   IN      A       10.42.0.11</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Found zone name: <a href="http://ipa.rxrhouse.net/" target="_blank">ipa.rxrhouse.net</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The master is: <a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank">ipa-pdc.ipa.rxrhouse.net</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">start_gssrequest</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Found realm from ticket: <a href="http://ipa.rxrhouse.net/" target="_blank">IPA.RXRHOUSE.NET</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">send_gssrequest</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">recvmsg reply from GSS-TSIG query</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; QUESTION SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid 
rgb(204,204,204);padding-left:1ex">;<a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.<wbr>rxrhouse.net</a>.        ANY TKEY</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ANSWER SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.<wbr>rxrhouse.net</a>. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAg<wbr>EFoQMCAR6kERgPMjAxNjA2MjMw MDI3NThapQUCAwVDn6YDAgEpqREbD0<wbr>FELlJYUkhPVVNFLk5FVKoUMBKg AwIBAaELMAkbB2FkLXBkYyQ= 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  
Minor code may provide more information, Minor = Message stream modified.</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z ERROR Failed to update DNS records.</blockquote><div><br></div></blockquote><div style="font-size:12.8px"><br>This isn't the first time I've seen this "Unspecified GSS failure [...] Message stream modified" error, and I suspect it to be the root of my problem... But my Google-fu is not strong with this one...  I'm not sure how to proceed. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Tyrell Jentink wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
First off...  new to the list, thank you in advance for your assistance!<br>
<br>
My server is Fedora 24 Server, running in a VirtualBox virtual machine.<br>
I have FreeIPA Server 4.3.2-2.fc24, installed from the standard<br>
repositories, and dnf says it's up to date. FreeIPA has a trust set up<br>
with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to<br>
be working...<br>
<br>
The first client I connected was a Raspberry Pi running Pidora.  This<br>
client appears to have connected fine, and appears to be working (I<br>
guess I haven't tried logging in as an ActiveDirectory user;  But it's<br>
certainly NOT having any DNS issues, as other clients are; See below...)<br>
<br>
Then I tried connecting a second client, a system running Fedora 24 with<br>
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to<br>
plan...  Here's the output of ipa-client-install:<br>
<br>
    Discovery was successful!<br>
    Client hostname: <a href="http://trainmaster.ipa.rxrhouse.net" rel="noreferrer" target="_blank">trainmaster.ipa.rxrhouse.net</a><br></span>
    Realm: <a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><br>
    DNS Domain: <a href="http://ipa.rxrhouse.net" rel="noreferrer" target="_blank">ipa.rxrhouse.net</a><br>
    IPA Server: <a href="http://ipa-pdc.ipa.rxrhouse.net" rel="noreferrer" target="_blank">ipa-pdc.ipa.rxrhouse.net</a><span class=""><br>
    BaseDN: dc=ipa,dc=rxrhouse,dc=net<br>
    Continue to configure the system with these values? [no]: yes<br>
    Synchronizing time with KDC...<br>
    Attempting to sync time using ntpd.  Will timeout after 15 seconds<br>
    Attempting to sync time using ntpd.  Will timeout after 15 seconds<br>
    Unable to sync time with NTP server, assuming the time is in sync.<br>
    Please check that 123 UDP port is opened.<br>
    User authorized to enroll computers: admin<br></span>
    Password for <a href="mailto:admin@IPA.RXRHOUSE.NET" target="_blank">admin@IPA.RXRHOUSE.NET</a>:<span class=""><br>
    Successfully retrieved CA cert<br>
         Subject:     CN=Certificate Authority,O=<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><br></span>
         Issuer:      CN=Certificate Authority,O=<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><span class=""><br>
         Valid From:  Thu Sep 08 17:27:47 2016 UTC<br>
         Valid Until: Mon Sep 08 17:27:47 2036 UTC<br></span>
    Enrolled in IPA realm <a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><span class=""><br>
    Created /etc/ipa/default.conf<br>
    New SSSD config will be created<br>
    Configured sudoers in /etc/nsswitch.conf<br>
    Configured /etc/sssd/sssd.conf<br>
    Configured /etc/krb5.conf for IPA realm <a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><br></span>
<span class="">
    trying <a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.n<wbr>et/ipa/json</a><br>
    Forwarding 'ping' to json server<br>
    '<a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a>'<br>
    Forwarding 'ca_is_enabled' to json server<br>
    '<a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a>'<br>
    Systemwide CA database updated.<br>
    Failed to update DNS records.<br>
    Missing reverse record(s) for address(es): 10.42.0.100.<br>
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.<wbr>pub<br>
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pu<wbr>b<br>
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub<br>
    Forwarding 'host_mod' to json server<br>
    '<a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a>'<br>
    Could not update DNS SSHFP records.<br>
    SSSD enabled<br>
    Configured /etc/openldap/ldap.conf<br>
    NTP enabled<br>
    Configured /etc/ssh/ssh_config<br>
    Configured /etc/ssh/sshd_config<br></span>
    Configuring <a href="http://ipa.rxrhouse.net" rel="noreferrer" target="_blank">ipa.rxrhouse.net</a> as NIS domain.<span class=""><br>
    Client configuration complete.<br>
<br>
<br>
Of concern, the installer failed to update DNS records, resulting in a<br>
missing reverse record, and eventually failing to update the DNS SSHFP<br>
records.  Looking in the Web UI for FreeIPA server, I see that the<br>
client is registered, but it doesn't have any SSH keys, and as<br>
expected, doesn't have a reverse zone...  But the Raspberry Pi DOES.<br>
<br>
Just to be fully sure something was wrong...  I tried connecting with a<br>
clean install of Fedora 24 running in a virtual machine, and had the<br>
same issue.  I've googled around, and can't find anyone having any<br>
similar issues...  And I didn't accidentally stumble across anything<br>
interesting while exploring logs...  But I honestly don't know where to<br>
look.<br>
<br>
TO BE CLEAR, things appear to work just fine from freeipa-client version<br>
3.3.3-4.fc20  on pidora on a Raspberry Pi, but it's NOT working with the<br>
latest versions from Fedora 24 on x86_64 hardware...<br>
<br>
Where should I look first?  Thank you for any assistance...<br>
</span></blockquote>
<br>
Look in /var/log/ipaclient-install.log for debug logging of the install.<span class="HOEnZb"><font color="#888888"><br>
<br>
rob<br>
<br>
</font></span></blockquote></div><br></div>