[Freeipa-users] need info on AD / IPA coexistence

Sylvain Angers sylvainangers at gmail.com
Tue Mar 13 18:59:14 UTC 2012


2012/3/8 Brian Cook <bcook at redhat.com>

> Also, I would not use 'delegation record' from AD, use conditional
> forwarding for *.unix.abcd.ca.  Your AD admins should know how to do it.
>
>  ---
> Brian Cook
> Solutions Architect, Red Hat, Inc.
> 407-212-7079
>
>
>
>
> On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
>
> On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
>
> Alright!
>
>
> I am now requesting to our DNS team
>
>
> please delegate dns zone "unix.abcd.ca" to ???
>
>
> the ip address of your ipa server, they will know what questions to
> ask :)
>
> Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or
> ipaserver.abcd.ca?
>
>
> does it matter?
>
>
> It does; the IPA server DNS domain is what matters for the first master.
> So it should be <name>.unix.abcd.ca
>
> So that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use
> the standard configuration).
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
Hello

Still have the same issue: "Unable to find 'admin' user with 'getent passwd
admin'!"

I redid both client and server, no SELinux, no firewall.

Our DNS team did set the SOA of unix.cnppd.lab to point to my IPA server.

I had to put a manual entry in /etc/hosts:
165.115.118.21  mtl-ipa01d.unix.cnppd.lab       mtl-ipa01d


Then I set up my IPA server with the following:
ipa-server-install -a xxxxxxx --hostname=mtl-ipa01d.unix.cnppd.lab -n
unix.cnppd.lab -p xxxxx -r UNIX.CNPPD.LAB --setup-dns
--forwarder=165.115.52.21 --forwarder=165.115.51.21
Server host name [mtl-ipa01d.unix.cnppd.lab]:

Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
The IPA Master Server will be configured with
Hostname:    mtl-ipa01d.unix.cnppd.lab
IP address:  165.115.118.21
Domain name: unix.cnppd.lab

Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
Using reverse zone 118.115.165.in-addr.arpa.


Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete


I set up my client with:
[root at mtl-vdi01d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab
--domain=UNIX.CNPPD.LAB --realm=UNIX.CNPPD.LAB --mkhomedir
Discovery was successful!
Hostname: mtl-vdi01d.cn.ca
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at UNIX.CNPPD.LAB:

Enrolled in IPA realm UNIX.CNPPD.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

You can see that IPA did enroll my client:

[root at mtl-ipa01d ~]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: mtl-ipa01d.unix.cnppd.lab
  Principal name: host/mtl-ipa01d.unix.cnppd.lab at UNIX.CNPPD.LAB
  Keytab: True
  Password: False
  Managed by: mtl-ipa01d.unix.cnppd.lab

  Host name: mtl-vdi01d.cn.ca
  Certificate:
MIIDhTCCAm2gAwIBAgIBDDANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5VTklYLkNOUFBELkxBQjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDMxMzE4Mjc0MVoXDTE0MDMxNDE4Mjc0MVowNDEXMBUGA1UEChMOVU5JWC5DTlBQRC5MQUIxGTAXBgNVBAMTEG10bC12ZGkwMWQuY24uY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKTPD8p7Ttxn87Y/2CCu54GDTd/CS77irN6OYj9IznqMusHAIWsVVu5m0aT77iULYzO9lKmKCL9RuSnZuqsoppFZk8UJu1KAGKv2FQi7zck28P2t6XRhHXcLRRTq5Mzfd/QjFmCv3oxTP2gd/0rLZUTHJkTzqyYIMlExfQqnEBJCzfzukyFUB5S+X2DthiGOM7vcKPXlmG+VstebtsZ1FkE9LquyWGhSBjqycZM350zRwQP6MLKU4ZX11mit6+/AvRrOJW3Gw9JWRxDOullJG2mCjyFCsUKOX/Xz4VrJeSylIGJQk5kLfP2haSPhkKhG9FXy1vhwpXFF1GAa9DYvhvAgMBAAGjgZwwgZkwHwYDVR0jBBgwFoAUZtbp/CAAXZ/LZAKgUqcXPxgkOzcwRwYIKwYBBQUHAQEEOzA5MDcGCCsGAQUFBzABhitodHRwOi8vbXRsLWlwYTAxZC51bml4LmNucHBkLmxhYjo4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEPpr1rn+inQlxc+u7WAkyuRDd1af/ilUlldkB0n4l9Ni2Lkt+Gt7w6VYqS+/ZtqTPB/mQuISGDuqeEXSgWSc+1NQq1THgBACzfE5CbKWOcfGd/SnTqIA+/ITydintYB7SNQ0Vz6BOC9Uv/VmEPqD38ThR88qhK0+wmvdf2HyKOFAsu5Ty5qKaOyDHuhhA4AXEbQz8vRH3XQa/WtSf/zgRKiNeabEc5gWXEd9dSpm2UhW7oLuPlnKolI3IL1RUoc8WrKKLK1HdyrcNY+woZ2Jw4OCkyiGuWaNZHOEAmAlwmvQrFBlMsIPJfI/mxmAXufEO66AHf/747V2n1TvZrnkrQ=
  Principal name: host/mtl-vdi01d.cn.ca at UNIX.CNPPD.LAB
  Keytab: True
  Password: False
  Managed by: mtl-vdi01d.cn.ca
  Subject: CN=mtl-vdi01d.cn.ca,O=UNIX.CNPPD.LAB
  Serial Number: 12
  Issuer: CN=Certificate Authority,O=UNIX.CNPPD.LAB
  Not Before: Tue Mar 13 18:27:41 2012 UTC
  Not After: Fri Mar 14 18:27:41 2014 UTC
  Fingerprint (MD5): 26:f6:9f:32:3d:a0:13:43:8e:16:1a:7f:d7:43:7e:51
  Fingerprint (SHA1):
4b:28:b2:a4:33:16:27:fc:16:cc:35:54:68:fc:b4:45:85:3f:dc:1a
----------------------------
Number of entries returned 2
----------------------------
[root at mtl-ipa01d ~]#



I keep getting "Unable to find 'admin' user with 'getent passwd admin'!"

Why is that?

Thanks

Sylvain



-- 
Sylvain Angers
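The naming rule quoted earlier in the thread (DNS domain lower-case, realm the same name upper-case, first master inside its own DNS domain) and Brian's advice to use a conditional forwarder for the IPA domain both reduce to a short list of names that must resolve. The script below is an added example and is not part of this thread or of FreeIPA; it encodes those checks so they can be run against the parameters before another reinstall. The function names (check_naming, reverse_zone, ptr_name, expected_records, dig_commands) are mine; the hostnames, domain, realm and the 165.115.118.21 address are the ones posted above; the SRV/TXT record names are the ones FreeIPA publishes in its own zone when installed with --setup-dns.

```python
"""Added example, not part of the thread: pre-flight checks for the naming
rule Simo gives (DNS domain = unix.abcd.ca, realm = UNIX.ABCD.CA, first
master inside that domain) and for the records an AD-side conditional
forwarder for the IPA domain must be able to resolve.

Assumptions: hostnames, domain, realm and addresses are the thread's; the
function names are mine; the SRV/TXT names are those FreeIPA publishes in
its own zone when installed with --setup-dns."""

import ipaddress

# Service records ipa-server-install --setup-dns creates under the IPA domain.
SRV_NAMES = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos-master._tcp", "_kerberos-master._udp",
    "_kpasswd._tcp", "_kpasswd._udp", "_ntp._udp",
)


def check_naming(hostname, domain, realm, role="client"):
    """Return findings (empty list = consistent) for an ipa-*-install call.

    role is "server" (first master) or "client"."""
    findings = []
    host = hostname.rstrip(".").lower()
    dom = domain.rstrip(".")
    if "." not in host:
        findings.append(f"{hostname!r} is not a fully qualified name")
    if dom != dom.lower():
        findings.append(f"DNS domain {domain!r}: convention is lower-case "
                        f"({dom.lower()!r}); the upper-case form is the realm")
    if realm != realm.upper():
        findings.append(f"Kerberos realm {realm!r} should be upper-case")
    if realm.upper() != dom.upper():
        findings.append(f"realm {realm!r} is not the DNS domain {dom!r} "
                        "upper-cased (non-standard; needs a domain_realm mapping)")
    if not host.endswith("." + dom.lower()):
        if role == "server":
            findings.append(f"first master {host!r} must live inside the IPA "
                            f"DNS domain {dom.lower()!r}")
        else:
            findings.append(f"client {host!r} is outside {dom.lower()!r}: its "
                            "own domain carries no IPA SRV/TXT records, so "
                            "--domain and --realm must be given explicitly")
    return findings


def reverse_zone(ip, prefixlen=24):
    """Octet-aligned reverse zone name as ipa-server-install proposes it,
    e.g. 165.115.118.21 -> '118.115.165.in-addr.arpa.'"""
    if prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned reverse zones handled here")
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    octets = str(net.network_address).split(".")[: prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_name(ip):
    """PTR owner name for one address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def expected_records(domain, server_fqdn, server_ip):
    """(name, type) pairs that must resolve through the AD conditional
    forwarder for the IPA domain: service records, the realm TXT hint used
    by client discovery, and the server's A and PTR records."""
    dom = domain.rstrip(".").lower()
    recs = [(f"{srv}.{dom}.", "SRV") for srv in SRV_NAMES]
    recs.append((f"_kerberos.{dom}.", "TXT"))
    recs.append((server_fqdn.rstrip(".").lower() + ".", "A"))
    recs.append((ptr_name(server_ip), "PTR"))
    return recs


def dig_commands(domain, server_fqdn, server_ip, resolver):
    """dig lines to run by hand from the client, once against the IPA server
    and once against the AD resolver; an empty +short answer is a failure."""
    return [f"dig +short @{resolver} {name} {rtype}"
            for name, rtype in expected_records(domain, server_fqdn, server_ip)]


if __name__ == "__main__":
    # Server and client exactly as invoked in the thread.
    cases = [
        ("server", "mtl-ipa01d.unix.cnppd.lab", "unix.cnppd.lab", "UNIX.CNPPD.LAB"),
        ("client", "mtl-vdi01d.cn.ca", "UNIX.CNPPD.LAB", "UNIX.CNPPD.LAB"),
    ]
    for role, host, dom, realm in cases:
        print(f"{role}: {check_naming(host, dom, realm, role) or ['consistent']}")
    print("reverse zone:", reverse_zone("165.115.118.21"))
    for cmd in dig_commands("unix.cnppd.lab", "mtl-ipa01d.unix.cnppd.lab",
                            "165.115.118.21", "165.115.118.21"):
        print(cmd)
```

Run on the thread's own values, the server invocation comes back clean and the client invocation gets two findings: the --domain value was given in upper case, and mtl-vdi01d.cn.ca sits outside unix.cnppd.lab, so it depends entirely on the explicit --domain/--realm and on cn.ca's resolvers forwarding the IPA zone. The dig lines are the forwarder test Brian alludes to: every name should answer both from the IPA server and from the AD resolver the client actually uses. None of this pins down the getent failure by itself; it only narrows where to look.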