<div dir="ltr">Hello all, <br><br>I'm still having problems with my IPA Client install...  My errors aren't bringing up any meaningful results on Google, so I really appreciate any hints anyone might have!  <div><br></div><div>To narrow the scope of the problem, I simply rebuilt both the server and the client from scratch... This time without Active Directory Realm trusts, so things are nice and clean. To wit, I have been using <a href="http://www.freeipa.org/page/Active_Directory_trust_setup">http://www.freeipa.org/page/Active_Directory_trust_setup</a> and <a href="https://blog.christophersmart.com/articles/freeipa-how-to-fedora/">https://blog.christophersmart.com/articles/freeipa-how-to-fedora/</a> as references, and I have run the following:<br><br>ON THE SERVER:</div><div><ul><li>dnf -y update && dnf install -y "*ipa-server" "*ipa-server-trust-ad" "*ipa-server-dns" bind bind-dyndb-ldap</li><li>echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >> /etc/hosts<br>(I also added the AD server to my hosts file, although that shouldn't be messing with anything...)</li><li>hostname ipa_hostname.ipa_domain<br></li><li>hostnamectl set-hostname ipa_hostname.ipa_domain<br></li><li>reboot (And took a snapshot of the VM)</li><li>for x in freeipa-ldap freeipa-ldaps dns ntp; do firewall-cmd --permanent --zone=FedoraServer --add-service=${x} ; done</li><li>systemctl reload firewalld.service</li><li>ipa-server-install --setup-dns --no-forwarders<br>(I had no errors there...  
But I can share my logs if anyone wants to see them)</li><li>And I rebooted again, took another snapshot, and verified the following:</li><ul><li>kinit admin<br>id admin<br>getent passwd admin<br>All return appropriate values on the server...</li><li>nslookup ipa_hostname.ipa_domain works on both the server and on the client...</li></ul></ul><div>So, ON TO THE CLIENT:</div></div><div><ul><li>echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >> /etc/hosts<br></li><li>echo "nameserver ipa_ip_address" >> /etc/resolv.conf</li><li>(Of course, I verified that the client can ping the server, and nslookup against the server)</li><li>ipa-client-install --enable-dns-updates --ssh-trust-dns --force-ntpd<br>And this is where I ran into problems... My output:</li></ul><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="font-size:12.8px">Discovery was successful!</span><br style="font-size:12.8px"><span style="font-size:12.8px">Client hostname: </span><a href="http://trainmaster.ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">trainmaster.ipa.rxrhouse.net</a><br style="font-size:12.8px"><span style="font-size:12.8px">Realm: </span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">IPA.RXRHOUSE.NET</a><br style="font-size:12.8px"><span style="font-size:12.8px">DNS Domain: </span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">ipa.rxrhouse.net</a><br style="font-size:12.8px"><span style="font-size:12.8px">IPA Server: </span><a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">ipa-pdc.ipa.rxrhouse.net</a><br style="font-size:12.8px"><span style="font-size:12.8px">BaseDN: dc=ipa,dc=rxrhouse,dc=net</span><br style="font-size:12.8px"><span style="font-size:12.8px">Continue to configure the system with these values? 
[no]: yes</span><br style="font-size:12.8px"><span style="font-size:12.8px">Synchronizing time with KDC...</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attempting to sync time using ntpd.  Will timeout after 15 seconds</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attempting to sync time using ntpd.  Will timeout after 15 seconds</span><br style="font-size:12.8px"><span style="font-size:12.8px">Unable to sync time with NTP server, assuming the time is in sync. Please check                                                                                                                                                              that 123 UDP port is opened.</span><br style="font-size:12.8px"><span style="font-size:12.8px">User authorized to enroll computers: admin</span><br style="font-size:12.8px"><span style="font-size:12.8px">Password for </span><a href="mailto:admin@IPA.RXRHOUSE.NET" target="_blank" style="font-size:12.8px">admin@IPA.RXRHOUSE.NET</a><span style="font-size:12.8px">:</span><br style="font-size:12.8px"><span style="font-size:12.8px">Successfully retrieved CA cert</span><br style="font-size:12.8px"><span style="font-size:12.8px">    Subject:     CN=Certificate Authority,O=</span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">IPA.RXRHOUSE.NET</a><br style="font-size:12.8px"><span style="font-size:12.8px">    Issuer:      CN=Certificate Authority,O=</span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">IPA.RXRHOUSE.NET</a><br style="font-size:12.8px"><span style="font-size:12.8px">    Valid From:  Thu Sep 08 17:27:47 2016 UTC</span><br style="font-size:12.8px"><span style="font-size:12.8px">    Valid Until: Mon Sep 08 17:27:47 2036 UTC</span><br style="font-size:12.8px"><span style="font-size:12.8px">Enrolled in IPA realm </span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">IPA.RXRHOUSE.NET</a><br 
style="font-size:12.8px"><span style="font-size:12.8px">Created /etc/ipa/default.conf</span><br style="font-size:12.8px"><span style="font-size:12.8px">New SSSD config will be created</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configured sudoers in /etc/nsswitch.conf</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configured /etc/sssd/sssd.conf</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configured /etc/krb5.conf for IPA realm </span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">IPA.RXRHOUSE.NET</a><br style="font-size:12.8px"><span style="font-size:12.8px">trying </span><a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" target="_blank" style="font-size:12.8px">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a><br style="font-size:12.8px"><span style="font-size:12.8px">Forwarding 'ping' to json server '</span><a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" target="_blank" style="font-size:12.8px">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a><span style="font-size:12.8px">'</span><br style="font-size:12.8px"><span style="font-size:12.8px">Forwarding 'ca_is_enabled' to json server '</span><a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" target="_blank" style="font-size:12.8px">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a><span style="font-size:12.8px">'</span><br style="font-size:12.8px"><span style="font-size:12.8px">Systemwide CA database updated.</span><br style="font-size:12.8px"><span style="font-size:12.8px">Failed to update DNS records.</span><br style="font-size:12.8px"><span style="font-size:12.8px">Missing reverse record(s) for address(es): 10.42.0.100.</span><br style="font-size:12.8px"><span style="font-size:12.8px">Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pub</span><br style="font-size:12.8px"><span style="font-size:12.8px">Adding SSH public key from 
/etc/ssh/ssh_host_ecdsa_key.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pub</span><br style="font-size:12.8px"><span style="font-size:12.8px">Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub</span><br style="font-size:12.8px"><span style="font-size:12.8px">Forwarding 'host_mod' to json server '</span><a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" target="_blank" style="font-size:12.8px">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a><span style="font-size:12.8px">'</span><br style="font-size:12.8px"><span style="font-size:12.8px">Could not update DNS SSHFP records.</span><br style="font-size:12.8px"><span style="font-size:12.8px">SSSD enabled</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configured /etc/openldap/ldap.conf</span><br style="font-size:12.8px"><span style="font-size:12.8px">NTP enabled</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configured /etc/ssh/ssh_config</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configured /etc/ssh/sshd_config</span><br style="font-size:12.8px"><span style="font-size:12.8px">Configuring </span><a href="http://ipa.rxrhouse.net/" target="_blank" style="font-size:12.8px">ipa.rxrhouse.net</a><span style="font-size:12.8px"> as NIS domain.</span><br style="font-size:12.8px"><span style="font-size:12.8px">Client configuration complete.</span></blockquote><div><br></div><ul><li>Of interest, I DID solve my NTP issues from before!  On the downside, that wasn't the source of my DNS issues...  
<br>In /var/log/ipaclient-install, I still have the following clipping of errors, which I'm merely assuming are the relevant piece:</li></ul><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>2016-10-26T23:30:40Z DEBUG Starting external process</div><div>2016-10-26T23:30:40Z DEBUG args=/sbin/ip -oneline address show dev enp1s6</div><div>2016-10-26T23:30:40Z DEBUG Process finished, return code=0</div><div>2016-10-26T23:30:40Z DEBUG stdout=2: enp1s6    inet <a href="http://10.42.0.100/8">10.42.0.100/8</a> brd 10.255.255.255 scope global dynamic enp1s6\       valid_lft 588384sec preferred_lft 588384sec</div><div>2: enp1s6    inet6 fe80::e779:3263:960d:ff87/64 scope link \       valid_lft forever preferred_lft forever</div><div><br></div><div>2016-10-26T23:30:40Z DEBUG stderr=</div><div>2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:</div><div>2016-10-26T23:30:40Z DEBUG debug</div><div><br></div><div>update delete <a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a>. IN A</div><div>show</div><div>send</div><div><br></div><div>update delete <a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a>. IN AAAA</div><div>show</div><div>send</div><div><br></div><div>update add <a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a>. 
1200 IN A 10.42.0.100</div><div>show</div><div>send</div><div><br></div><div>2016-10-26T23:30:40Z DEBUG Starting external process</div><div>2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt</div><div>2016-10-26T23:30:40Z DEBUG Process finished, return code=1</div><div>2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:</div><div>;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0</div><div>;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0</div><div>;; UPDATE SECTION:</div><div><a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a>. 0 ANY     A</div><div><br></div><div>Outgoing update query:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562</div><div>;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</div><div>;; QUESTION SECTION:</div><div>;<a href="http://3107127915.sig-ipa-pdc.ipa.rxrhouse.net">3107127915.sig-ipa-pdc.ipa.rxrhouse.net</a>. ANY TKEY</div><div><br></div><div>;; ADDITIONAL SECTION:</div><div><a href="http://3107127915.sig-ipa-pdc.ipa.rxrhouse.net">3107127915.sig-ipa-pdc.ipa.rxrhouse.net</a>. 0 ANY TKEY gss-tsig. 
1477524640 1477524640 3 NOERROR 683 YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow KKADAgEBoSEwHxsDRE5TGxhpc</div><div>GEtcGRjLmlwYS5yeHJob3VzZS5uZXSj ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIRyL2cGKhgVeg8UlZTp1+Eyg QTBUAKE0e6NMtlIkxk9oJWldmUiP6UW7gcoxn66qvHyzHAqrlUNdFAcC jKlsM2cRchfNTTom0QCeFn37eQICFdYo7NsrugG4DN/XT/rjNhohCSEl O2tKYqiVBpjnyDF4OwC1nLcDpzBJr3nbSl</div><div>sh21NQJhGj+B/GPMJqpkl/ 12HJpyjeaRjqzCD2csdvGOolH89yAhFjbmpAErBdVPD+ATAEYX+aRbEc 3k2idj7AcEqeQpNr5XCoCLAeyqOz/qgYrHYnrBabysbkjF0JRRoEO6BD cJjeMpqai36WtW1MAs+byXBtudap0UEnx8xpub/MN7cCzJYn5sEkTOyK pSp4s/fiRyaX9O+dxXK1xrBblg6kgfAwge2gAwIBEqK</div><div>B5QSB4rnd/vP+ s2nrQ/yBkWRVnvqyWrTqfc213iyvIR+pNvE2T9t3F1qRPcdF4OQ8soQ4 kQIVQOZUQZlY3NhYS08M/Rb3wUfi+Im/Z47v6//QMxb2igbPMx7/RELf YHbZorXSKwzx5tkV2+JwtelUW6T5yw3PugyRueg0tdQH5lp4nrEbWNhY VTDe9njUO/WCgp6ZEp+aJGVxR9qeZMVrJMYwHHF+je2fwZifztXD</div><div>6cU/ Eki79Nk6HzhilK3pMOLuIvF2Kfpucj6aDiabvlplptzio9cqml8Li3E0 gEN/ATloKcVgtNA= 0</div><div><br></div><div><br></div><div>2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38738</div><div>;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; QUESTION SECTION:</div><div>;<a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a>.  IN      SOA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div><a href="http://ipa.rxrhouse.net">ipa.rxrhouse.net</a>.       0       IN      SOA     <a href="http://ipa-pdc.ipa.rxrhouse.net">ipa-pdc.ipa.rxrhouse.net</a>. <a href="http://hostmaster.ipa.rxrhouse.net">hostmaster.ipa.rxrhouse.net</a>. 
1477524446 3600 900 1209600 3600</div><div><br></div><div>Found zone name: <a href="http://ipa.rxrhouse.net">ipa.rxrhouse.net</a></div><div>The master is: <a href="http://ipa-pdc.ipa.rxrhouse.net">ipa-pdc.ipa.rxrhouse.net</a></div><div>start_gssrequest</div><div>Found realm from ticket: <a href="http://IPA.RXRHOUSE.NET">IPA.RXRHOUSE.NET</a></div><div>send_gssrequest</div></div><div><div>recvmsg reply from GSS-TSIG query</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562</div><div>;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0</div><div>;; QUESTION SECTION:</div><div>;<a href="http://3107127915.sig-ipa-pdc.ipa.rxrhouse.net">3107127915.sig-ipa-pdc.ipa.rxrhouse.net</a>. ANY TKEY</div><div><br></div><div>;; ANSWER SECTION:</div><div><a href="http://3107127915.sig-ipa-pdc.ipa.rxrhouse.net">3107127915.sig-ipa-pdc.ipa.rxrhouse.net</a>. 0 ANY TKEY gss-tsig. 1466301805 1466388205 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg AwIBAaELMAkbB2FkLXBkYyQ=</div><div>0</div><div><br></div><div>dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Message stream modified.</div><div><br></div><div>2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1</div><div>2016-10-26T23:30:40Z ERROR Failed to update DNS records.</div><div>2016-10-26T23:30:40Z DEBUG DNS resolver: Query: <a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a> IN A</div><div>2016-10-26T23:30:40Z DEBUG DNS resolver: No record.</div><div>2016-10-26T23:30:40Z DEBUG DNS resolver: Query: <a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a> IN AAAA</div><div>2016-10-26T23:30:40Z DEBUG DNS resolver: No record.</div><div>2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa. 
IN PTR</div><div>2016-10-26T23:30:40Z DEBUG DNS resolver: No record.</div><div>2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host <a href="http://trainmaster.ipa.rxrhouse.net">trainmaster.ipa.rxrhouse.net</a>: 10.42.0.100.</div><div>2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es): 10.42.0.100.</div></div></blockquote><div>-- Full logs can be found here:  <a href="http://pastebin.com/90dG9Ffu">http://pastebin.com/90dG9Ffu</a></div><ul><li>For grins, I decided to test:<br>kinit admin<br>id admin<br>getent passwd admin<br>on the client, and all of those made valid responses... So authentication is working, I just can't update DNS records.  </li></ul><div><br>So that's what I've tried, and where I'm at...  My client machines running modern client software can NOT update DNS records, complaining about GSSAPI "Message Stream Modified" errors...  And I have no idea how to troubleshoot that... Any ideas?  </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 11, 2016 at 6:24 PM, Tyrell Jentink <span dir="ltr"><<a href="mailto:tyrell@jentink.net" target="_blank">tyrell@jentink.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5"><div dir="ltr"><span style="font-size:12.8px">Thank you, Rob.  
</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">For reference, my full log can be found here: </span><a href="http://pastebin.com/6VLaQjYw" style="font-size:12.8px" target="_blank">http://pastebin.com/6VLa<wbr>QjYw</a><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">But I would postulate that the interesting bit is this: </span><br style="font-size:12.8px"><blockquote class="gmail_quote" style="font-size:12.8px;margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; UPDATE SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://trainmaster.ipa.rxrhouse.net/" target="_blank">trainmaster.ipa.rxrhouse.net</a>. 
0 ANY     A</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Outgoing update query:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; QUESTION SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;<a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.rxr<wbr>house.net</a>.        ANY TKEY</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ADDITIONAL SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.rxrh<wbr>ouse.net</a>. 0 ANY TKEY gss-tsig. 
1476223815 1476223815 3 NOERROR 683 YIICpwYJKoZIhvcSAQICAQBuggKWMI<wbr>ICkqADAgEFoQMCAQ6iBwMFACAA AACjggGIYYIBhDCCAYCgAwIBBaESGx<wbr>BJUEEuUlhSSE9VU0UuTkVUoiow KKADAgEBoSEwHxsDRE5TGxhpcGEtcG<wbr>RjLmlwYS5yeHJob3VzZS5uZXSj ggE3MIIBM6ADAgESoQMCAQKiggElBI<wbr>IBIeFubKS/x0aKfc7u/f9Z5Ro8 pZZ4RkIlwOWAAuiSxJNmoaIhYgYNit<wbr>n2pkAII+eKtdialtAI/1418exm sM7zahCj0MWpBIYQZB4tsN9JZMaKF7<wbr>SK5TlewH9mZitjd+hbQ5iwjklV 8P6OOMsIRIytywnd8eD/988GQz3C5C<wbr>fBU1pQM5Bkox4vSRawZJRUy0xx C8H4nOOPsJZd9AozsaAZSR4EeA05Ib<wbr>W+gxxIeXjShPDwRF6fs4sNxZUt FEkdujVZOaM4M4olLadzScsXDi2pO/<wbr>8WqjJdDwMfLD95+CHSiFMSyJqy nwem6dzJTJvyLTq4fKO+ajmUHw5tV3<wbr>0Pg7w9krEiFSTuFkCmKW1a2GQo 5Lm3VQF34cnYTA+5K8yEwLiTqX+kgf<wbr>Awge2gAwIBEqKB5QSB4u9m77de VD1pQ+DUyBKaC2jOgD/uUWAyfNNojN<wbr>AtKAMGbHzDWSRASe1Xd+RNgwIa QdT2PC6kHbJMz9jaJu/0fxC9JmPp6Q<wbr>e6p8CGaQ6IvPGm4838TlGdGhuS YpUwVAEqvl85S23+yT3Qo/O8Qffhi4<wbr>i/WDdiBHGGDrKF4CCZXJrr/F+L Pd8oabRE81h+4Tu7KBTApBwWYFYQSc<wbr>t7Q9ZrFiUuQzbpc2ZjXaVLi3ai uvH2NLWvLwxt8Z8PYRHgTrEYb/QfEl<wbr>uP2qfbo6XuO4UHoF7rN8d28bnw bhUsEYaVs1r8Pxk= 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; QUESTION SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;<a href="http://trainmaster.ipa.rxrhouse.net/" target="_blank">trainmaster.ipa.rxrhouse.net</a>.<wbr>  IN      SOA</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; AUTHORITY SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://ipa.rxrhouse.net/" target="_blank">ipa.rxrhouse.net</a>.       60      IN      SOA     <a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank">ipa-pdc.ipa.rxrhouse.net</a>. <a href="http://hostmaster.ipa.rxrhouse.net/" target="_blank">ho<wbr>stmaster.ipa.rxrhouse.net</a>. 1476221978 3600 900 1209600 3600</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ADDITIONAL SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank">ipa-pdc.ipa.rxrhouse.net</a>. 
353   IN      A       10.42.0.11</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Found zone name: <a href="http://ipa.rxrhouse.net/" target="_blank">ipa.rxrhouse.net</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The master is: <a href="http://ipa-pdc.ipa.rxrhouse.net/" target="_blank">ipa-pdc.ipa.rxrhouse.net</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">start_gssrequest</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Found realm from ticket: <a href="http://ipa.rxrhouse.net/" target="_blank">IPA.RXRHOUSE.NET</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">send_gssrequest</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">recvmsg reply from GSS-TSIG query</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; QUESTION SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid 
rgb(204,204,204);padding-left:1ex">;<a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.rxr<wbr>house.net</a>.        ANY TKEY</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">;; ANSWER SECTION:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://350449427.sig-ipa-pdc.ipa.rxrhouse.net/" target="_blank">350449427.sig-ipa-pdc.ipa.rxrh<wbr>ouse.net</a>. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAg<wbr>EFoQMCAR6kERgPMjAxNjA2MjMw MDI3NThapQUCAwVDn6YDAgEpqREbD0<wbr>FELlJYUkhPVVNFLk5FVKoUMBKg AwIBAaELMAkbB2FkLXBkYyQ= 0</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  
Minor code may provide more information, Minor = Message stream modified.</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2016-10-11T22:10:15Z ERROR Failed to update DNS records.</blockquote><div><br></div></blockquote><div style="font-size:12.8px"><br>This isn't the first time I've seen this "Unspecified GSS failure [...] Message stream modified" error, and I suspect it to be the root of my problem... But my google-foo is not strong with this one...  I'm not sure how to proceed. </div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="gmail-h5">On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br></div></div><div><div class="gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Tyrell Jentink wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>
First off...  new to the list, thank you in advance for your assistance!<br>
<br>
My server is Fedora 24 Server, running in a VirtualBox virtual machine.<br>
I have FreeIPA Server 4.3.2-2.fc24, installed from the standard<br>
repositories, and dnf says it's up to date. FreeIPA has a trust set up<br>
with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to<br>
be working...<br>
<br>
The first client I connected was a Raspberry Pi running Pidora.  This<br>
client appears to have connected fine, and appears to be working (I<br>
guess I haven't tried logging in as an ActiveDirectory user; but it's<br>
certainly NOT having any DNS issues, as other clients are; See below...)<br>
<br>
Then I tried connecting a second client, a system running Fedora 24 with<br>
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to<br>
plan...  Here's the output of ipa-client-install:<br>
<br>
    Discovery was successful!<br>
    Client hostname: <a href="http://trainmaster.ipa.rxrhouse.net" rel="noreferrer" target="_blank">trainmaster.ipa.rxrhouse.net</a><br></span>
    <<a href="http://trainmaster.ipa.rxrhouse.net" rel="noreferrer" target="_blank">http://trainmaster.ipa.rxrhou<wbr>se.net</a>><br>
    Realm: <a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a> <<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">http://IPA.RXRHOUSE.NET</a>><br>
    DNS Domain: <a href="http://ipa.rxrhouse.net" rel="noreferrer" target="_blank">ipa.rxrhouse.net</a> <<a href="http://ipa.rxrhouse.net" rel="noreferrer" target="_blank">http://ipa.rxrhouse.net</a>><br>
    IPA Server: <a href="http://ipa-pdc.ipa.rxrhouse.net" rel="noreferrer" target="_blank">ipa-pdc.ipa.rxrhouse.net</a> <<a href="http://ipa-pdc.ipa.rxrhouse.net" rel="noreferrer" target="_blank">http://ipa-pdc.ipa.rxrhouse.n<wbr>et</a>><span><br>
    BaseDN: dc=ipa,dc=rxrhouse,dc=net<br>
    Continue to configure the system with these values? [no]: yes<br>
    Synchronizing time with KDC...<br>
    Attempting to sync time using ntpd.  Will timeout after 15 seconds<br>
    Attempting to sync time using ntpd.  Will timeout after 15 seconds<br>
    Unable to sync time with NTP server, assuming the time is in sync.<br>
    Please check<br>
<br>
                                      that 123 UDP port is opened.<br>
    User authorized to enroll computers: admin<br></span>
    Password for <a href="mailto:admin@IPA.RXRHOUSE.NET" target="_blank">admin@IPA.RXRHOUSE.NET</a> <mailto:<a href="mailto:admin@IPA.RXRHOUSE.NET" target="_blank">admin@IPA.RXRHOUSE.NET</a><wbr>>:<span><br>
    Successfully retrieved CA cert<br>
         Subject:     CN=Certificate Authority,O=<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><br></span>
    <<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">http://IPA.RXRHOUSE.NET</a>><br>
         Issuer:      CN=Certificate Authority,O=<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><br>
    <<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">http://IPA.RXRHOUSE.NET</a>><span><br>
         Valid From:  Thu Sep 08 17:27:47 2016 UTC<br>
         Valid Until: Mon Sep 08 17:27:47 2036 UTC<br></span>
    Enrolled in IPA realm <a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a> <<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">http://IPA.RXRHOUSE.NET</a>><span><br>
    Created /etc/ipa/default.conf<br>
    New SSSD config will be created<br>
    Configured sudoers in /etc/nsswitch.conf<br>
    Configured /etc/sssd/sssd.conf<br>
    Configured /etc/krb5.conf for IPA realm <a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">IPA.RXRHOUSE.NET</a><br></span>
    <<a href="http://IPA.RXRHOUSE.NET" rel="noreferrer" target="_blank">http://IPA.RXRHOUSE.NET</a>><span><br>
    trying <a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.n<wbr>et/ipa/json</a><br>
    Forwarding 'ping' to json server<br>
    '<a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a>'<br>
    Forwarding 'ca_is_enabled' to json server<br>
    '<a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a>'<br>
    Systemwide CA database updated.<br>
    Failed to update DNS records.<br>
    Missing reverse record(s) for address(es): 10.42.0.100.<br>
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.<wbr>pub<br>
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pu<wbr>b<br>
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub<br>
    Forwarding 'host_mod' to json server<br>
    '<a href="https://ipa-pdc.ipa.rxrhouse.net/ipa/json" rel="noreferrer" target="_blank">https://ipa-pdc.ipa.rxrhouse.<wbr>net/ipa/json</a>'<br>
    Could not update DNS SSHFP records.<br>
    SSSD enabled<br>
    Configured /etc/openldap/ldap.conf<br>
    NTP enabled<br>
    Configured /etc/ssh/ssh_config<br>
    Configured /etc/ssh/sshd_config<br></span>
    Configuring <a href="http://ipa.rxrhouse.net" rel="noreferrer" target="_blank">ipa.rxrhouse.net</a> <<a href="http://ipa.rxrhouse.net" rel="noreferrer" target="_blank">http://ipa.rxrhouse.net</a>> as NIS domain.<span><br>
    Client configuration complete.<br>
<br>
<br>
Of concern, the installer failed to update DNS records, resulting in a<br>
missing reverse record, and eventually failing to update the DNS SSHFP<br>
records.  Looking in the Web UI for FreeIPA server, I see that the<br>
client is registered, but it doesn't have any SSH keys, and as<br>
expected, doesn't have a reverse zone...  But the Raspberry Pi DOES.<br>
<br>
Just to be fully sure something was wrong...  I tried connecting with a<br>
clean install of Fedora 24 running in a virtual machine, and had the<br>
same issue.  I've googled around, and can't find anyone having any<br>
similar issues...  And I didn't accidentally stumble across anything<br>
interesting while exploring logs...  But I honestly don't know where to<br>
look.<br>
<br>
TO BE CLEAR, things appear to work just fine from freeipa-client version<br>
3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the<br>
latest versions from Fedora 24 on x86_64 hardware...<br>
<br>
Where should I look first?  Thank you for any assistance...<br>
</span></blockquote>
<br>
Look in /var/log/ipaclient-install.log for debug logging of the install.<span class="gmail-m_6892700087236129561HOEnZb"><font color="#888888"><br>
<br>
rob<br>
<br>
</font></span></blockquote></div></div></div><br></div>
</blockquote></div><br></div></div>
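As an added example (not from the original post, and not FreeIPA's or BIND's code): a decoder for the TKEY answer lines quoted in both logs above, which unwraps the server's base64 GSS token into its Kerberos fields so the "Message stream modified" failure can be read from what the DNS server actually returned. The two sample lines are the server answers copied from the 26 Oct and 11 Oct logs in this thread, each joined onto a single line.

```python
"""Decode the server's GSS-TSIG TKEY answer from an nsupdate -g debug log.

The "key" field of a TKEY record (RFC 3645) is a raw GSS-API token (RFC 2743
section 3.1) carrying a krb5 AP-REQ, AP-REP or KRB-ERROR.  Decoding the answer
exposes the responder's identity, clock and Kerberos error code behind the
generic "Unspecified GSS failure" line that nsupdate prints.
"""
import base64
from datetime import datetime, timezone
from typing import Dict, Iterator, Tuple

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
TOKEN_TYPES = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
KRB_ERROR_NAMES = {31: "KRB_AP_ERR_BAD_INTEGRITY", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}
KRB_ERROR_FIELDS = ["pvno", "msg-type", "ctime", "cusec", "stime", "susec", "error-code",
                    "crealm", "cname", "realm", "sname", "e-text", "e-data"]  # RFC 4120 5.9.1


def utc(epoch: str) -> str:
    """Render a TKEY inception/expiration (seconds since the epoch) as a krb5-style time."""
    return datetime.fromtimestamp(int(epoch), timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_tkey_record(line: str) -> Dict[str, object]:
    """Split one TKEY record line as nsupdate prints it: owner TTL class type RDATA."""
    f = line.split()
    if len(f) < 12 or f[3] != "TKEY":
        raise ValueError("not a TKEY record line")
    key = base64.b64decode("".join(f[10:-1]))  # key data may be printed in several chunks
    if len(key) != int(f[9]):
        raise ValueError("key size field does not match the key data")
    return {"owner": f[0], "algorithm": f[4], "inception": utc(f[5]),
            "expiration": utc(f[6]), "mode": int(f[7]), "error": f[8], "key": key}


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield the (tag, value) pairs directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def principal_name(tlv: bytes) -> str:
    """PrincipalName ::= SEQUENCE { [0] name-type, [1] SEQUENCE OF KerberosString }."""
    _, seq, _ = der_tlv(tlv)
    for tag, field in der_children(seq):
        if tag == 0xA1:
            _, strings, _ = der_tlv(field)
            return "/".join(s.decode("ascii") for _, s in der_children(strings))
    return ""


def decode_gss_token(token: bytes) -> Dict[str, object]:
    """Name the krb5 GSS token type; for a KRB-ERROR also decode its fields."""
    tag, body, _ = der_tlv(token)
    if tag != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken")
    oid_tag, oid, pos = der_tlv(body)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("not a Kerberos v5 mechanism token")
    result: Dict[str, object] = {"token-type": TOKEN_TYPES.get(body[pos:pos + 2], "unknown")}
    if result["token-type"] != "KRB-ERROR":
        return result
    app_tag, app_body, _ = der_tlv(body, pos + 2)  # KRB-ERROR ::= [APPLICATION 30] SEQUENCE
    if app_tag != 0x7E:
        raise ValueError("KRB-ERROR token without its [APPLICATION 30] wrapper")
    _, seq, _ = der_tlv(app_body)
    for ctx_tag, ctx_body in der_children(seq):  # explicit context tags [0]..[12]
        name = KRB_ERROR_FIELDS[ctx_tag & 0x1F]
        inner_tag, inner, _ = der_tlv(ctx_body)
        if inner_tag == 0x02:  # INTEGER
            result[name] = int.from_bytes(inner, "big", signed=True)
        elif inner_tag in (0x18, 0x1B):  # GeneralizedTime / GeneralString
            result[name] = inner.decode("ascii")
        elif inner_tag == 0x30:  # PrincipalName
            result[name] = principal_name(ctx_body)
        else:
            result[name] = inner.hex()
    result["error-name"] = KRB_ERROR_NAMES.get(result.get("error-code"), "unknown")
    return result


def triage_tkey_answer(line: str) -> Dict[str, object]:
    """Parse a server TKEY answer line and merge the decoded token fields into it."""
    rec = parse_tkey_record(line)
    rec.update(decode_gss_token(rec.pop("key")))
    return rec


# Server TKEY answers copied from the 26 Oct and 11 Oct logs in this thread (joined onto one line).
ANSWER_OCT26 = ("3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805 "
                "1466388205 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw "
                "MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg AwIBAaELMAkbB2FkLXBkYyQ= 0")
ANSWER_OCT11 = ("350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 "
                "1466728078 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw "
                "MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg AwIBAaELMAkbB2FkLXBkYyQ= 0")
```

For both logs the answer decodes to a KRB-ERROR with error-code 41 (KRB_AP_ERR_MODIFIED, which krb5 reports as "Message stream modified"), an stime and TKEY inception in June 2016, and a responder identity of ad-pdc$@AD.RXRHOUSE.NET rather than a principal in the IPA.RXRHOUSE.NET realm the client enrolled in. Comparing that identity and clock against the host the client actually resolved as the zone master (including any /etc/hosts entries for it) is the first check worth making.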