[Freeipa-users] need info on AD / IPA coexistence
Dmitri Pal
dpal at redhat.com
Tue Mar 13 21:21:28 UTC 2012
On 03/13/2012 02:59 PM, Sylvain Angers wrote:
>
>
> 2012/3/8 Brian Cook <bcook at redhat.com>
>
> Also, I would not use 'delegation record' from AD, use conditional
> forwarding for *.unix.abcd.ca. Your AD
> admins should know how to do it.
>
> ---
> Brian Cook
> Solutions Architect, Red Hat, Inc.
> 407-212-7079
>
>
>
>
> On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
>
>> On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
>>> Alright!
>>>
>>> I am now requesting to our DNS team
>>>
> >>> please delegate DNS zone "unix.abcd.ca" to ???
>>
>> the ip address of your ipa server, they will know what questions to
>> ask :)
>>
> >>> Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or
> >>> ipaserver.abcd.ca?
>>
>>> does it matter?
>>
> >> It does, the IPA server DNS domain is what matters for the first
> >> master.
> >> So it should be <name>.unix.abcd.ca
>>
> >> So that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use
> >> the standard configuration).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>> _______________________________________________
>> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Hello
>
> Still have the same issue: "unable to find 'admin' user with 'getent passwd
> admin'!"
>
> I redid both client and server, no SELinux, no firewall.
>
> Our DNS team did set the SOA for unix.cnppd.lab to point to my IPA server.
>
> I had to put a manual entry in /etc/hosts
> 165.115.118.21 mtl-ipa01d.unix.cnppd.lab mtl-ipa01d
>
>
> then did set my ipa server with the following
> ipa-server-install -a xxxxxxx --hostname=mtl-ipa01d.unix.cnppd.lab -n
> unix.cnppd.lab -p xxxxx -r UNIX.CNPPD.LAB --setup-dns
> --forwarder=165.115.52.21 --forwarder=165.115.51.21
> Server host name [mtl-ipa01d.unix.cnppd.lab]:
>
> Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
> The IPA Master Server will be configured with
> Hostname: mtl-ipa01d.unix.cnppd.lab
> IP address: 165.115.118.21
> Domain name: unix.cnppd.lab
>
> Do you want to configure the reverse zone? [yes]:
> Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
> Using reverse zone 118.115.165.in-addr.arpa.
>
>
>
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
> [1/9]: adding DNS container
> [2/9]: setting up our zone
> [3/9]: setting up reverse zone
> [4/9]: setting up our own record
> [5/9]: setting up kerberos principal
> [6/9]: setting up named.conf
> [7/9]: restarting named
> [8/9]: configuring named to start on boot
> [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==============================================================================
> Setup complete
>
>
> I did set my client with
> [root at mtl-vdi01d ~]# ipa-client-install
> --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB
> --realm=UNIX.CNPPD.LAB --mkhomedir
> Discovery was successful!
> Hostname: mtl-vdi01d.cn.ca
> Realm: UNIX.CNPPD.LAB
> DNS Domain: UNIX.CNPPD.LAB
> IPA Server: mtl-ipa01d.unix.cnppd.lab
> BaseDN: dc=unix,dc=cnppd,dc=lab
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at UNIX.CNPPD.LAB:
>
> Enrolled in IPA realm UNIX.CNPPD.LAB
> Created /etc/ipa/default.conf
> Configured[root at mtl-vdi01d ~]# ipa-client-install
> --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB
> --realm=UNIX.CNPPD.LAB --mkhomedir
> Discovery was successful!
> Hostname: mtl-vdi01d.cn.ca
> Realm: UNIX.CNPPD.LAB
> DNS Domain: UNIX.CNPPD.LAB
> IPA Server: mtl-ipa01d.unix.cnppd.lab
> BaseDN: dc=unix,dc=cnppd,dc=lab
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at UNIX.CNPPD.LAB:
>
> Enrolled in IPA realm UNIX.CNPPD.LAB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete. /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
>
> You can see that IPA did enroll my client:
>
> [root at mtl-ipa01d ~]# ipa host-find
> ---------------
> 2 hosts matched
> ---------------
> Host name: mtl-ipa01d.unix.cnppd.lab
> Principal name: host/mtl-ipa01d.unix.cnppd.lab at UNIX.CNPPD.LAB
> Keytab: True
> Password: False
> Managed by: mtl-ipa01d.unix.cnppd.lab
>
> Host name: mtl-vdi01d.cn.ca
> Certificate:
> Principal name: host/mtl-vdi01d.cn.ca at UNIX.CNPPD.LAB
> Keytab: True
> Password: False
> Managed by: mtl-vdi01d.cn.ca
> Subject: CN=mtl-vdi01d.cn.ca,O=UNIX.CNPPD.LAB
> Serial Number: 12
> Issuer: CN=Certificate Authority,O=UNIX.CNPPD.LAB
> Not Before: Tue Mar 13 18:27:41 2012 UTC
> Not After: Fri Mar 14 18:27:41 2014 UTC
> Fingerprint (MD5): 26:f6:9f:32:3d:a0:13:43:8e:16:1a:7f:d7:43:7e:51
> Fingerprint (SHA1):
> 4b:28:b2:a4:33:16:27:fc:16:cc:35:54:68:fc:b4:45:85:3f:dc:1a
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root at mtl-ipa01d ~]#
>
>
>
> I keep getting "unable to find 'admin' user with 'getent passwd admin'!"
>
> Why is that?
>
> Thanks
>
> Sylvain
>
Did you run the client enrollment twice?
Can you provide an ipaclient installation log?
>
>
> --
> Sylvain Angers
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
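Added example, not part of the thread and not FreeIPA project code: a shell script that checks the naming rules discussed above (first master's hostname inside the IPA DNS domain, realm equal to the upper-cased domain, and --domain on the client being the DNS domain rather than the realm) against the values quoted in the posts, plus a read-only diagnostic routine for the "Unable to find 'admin' user with 'getent passwd admin'!" message. The function names and the "diagnose" argument are this example's own; the hostnames, domain, realm and addresses are the ones in the thread. It does not claim to know why Sylvain's lookup failed; it collects what the thread asks for (the ipaclient install log) and what the installer's getent check depends on (resolver, SRV records, SSSD, the host keytab).

```shell
#!/usr/bin/env bash
# Added example for this thread (not FreeIPA code, not from any poster).
# Names/values are those quoted in the thread; function names are this example's own.

# ipa_naming_check HOSTNAME DNS_DOMAIN REALM [CLIENT_DOMAIN_ARG]
# Findings go to stderr; the number of findings is echoed on stdout.
ipa_naming_check() {
    local host=$1 domain=$2 realm=$3 client_domain=${4:-}
    local lc_domain uc_domain findings=0
    lc_domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
    uc_domain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')

    # 1. The first master's DNS domain defines the IPA domain (Simo's point),
    #    so its hostname must be fully qualified and sit inside that domain.
    case "$host" in
        *.*) ;;
        *)   echo "hostname '$host' is not fully qualified" >&2
             findings=$((findings + 1)) ;;
    esac
    case "$host" in
        *."$lc_domain") ;;
        *) echo "hostname '$host' is not inside DNS domain '$lc_domain'" >&2
           findings=$((findings + 1)) ;;
    esac

    # 2. Standard configuration: realm = DNS domain in upper case.
    if [ "$realm" != "$uc_domain" ]; then
        echo "realm '$realm' is not the upper-case form of '$lc_domain'" >&2
        findings=$((findings + 1))
    fi

    # 3. ipa-client-install --domain takes the DNS domain; the realm goes in
    #    --realm. DNS is case-insensitive, so the realm usually still resolves
    #    there, but it blurs two different names and hides typos.
    if [ -n "$client_domain" ] && [ "$client_domain" != "$lc_domain" ]; then
        echo "client --domain '$client_domain' should be '$lc_domain'" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# ipa_client_diagnose DNS_DOMAIN [USER]
# Run as root on the enrolled client. Read-only: it only prints state.
ipa_client_diagnose() {
    local domain=$1 user=${2:-admin}
    echo "== client FQDN and its forward lookup"
    hostname -f
    getent hosts "$(hostname -f)" || echo "!! $(hostname -f) does not resolve"
    echo "== resolver (must reach the IPA DNS directly or via a forwarder)"
    grep -v '^#' /etc/resolv.conf
    echo "== IPA service records (empty output = discovery leaned on --server)"
    dig +short SRV "_ldap._tcp.$domain"
    dig +short SRV "_kerberos._udp.$domain"
    echo "== SSSD state and domain section"
    systemctl is-active sssd 2>/dev/null || service sssd status
    grep -A12 '^\[domain/' /etc/sssd/sssd.conf
    echo "== host keytab the client binds with"
    klist -k /etc/krb5.keytab
    echo "== the lookup the installer ran"
    getent passwd "$user" || echo "!! getent passwd $user: no entry"
    echo "== install log (what the thread asks for) and SSSD domain log"
    tail -n 40 /var/log/ipaclient-install.log
    tail -n 40 "/var/log/sssd/sssd_${domain}.log" 2>/dev/null
}

# Values from the thread: the client was given the realm name as --domain.
ipa_naming_check mtl-ipa01d.unix.cnppd.lab unix.cnppd.lab UNIX.CNPPD.LAB UNIX.CNPPD.LAB
if [ "${1:-}" = diagnose ]; then
    ipa_client_diagnose unix.cnppd.lab admin
fi
```

Run it with no arguments on any machine to see the naming findings; run it with the argument diagnose, as root on the enrolled client, to collect the diagnostics before posting to the list. On the AD side, Brian's advice maps to a conditional forwarder for the IPA zone pointing at the IPA server's address, which the AD admins create in DNS Manager or, on Windows Server 2012 and later, with the DnsServer PowerShell module's Add-DnsServerConditionalForwarderZone cmdlet.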