[Freeipa-users] need info on AD / IPA coexistence

Dmitri Pal dpal at redhat.com
Tue Mar 13 21:21:28 UTC 2012


On 03/13/2012 02:59 PM, Sylvain Angers wrote:
>
>
> 2012/3/8 Brian Cook <bcook at redhat.com>
>
>     Also, I would not use 'delegation record' from AD, use conditional
>     forwarding for *.unix.abcd.ca.  Your AD admins should know how to
>     do it.
>
>     ---
>     Brian Cook
>     Solutions Architect, Red Hat, Inc.
>     407-212-7079
>
>
>
>
>     On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
>
>>     On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
>>>     Alright!
>>>
>>>     I am now requesting to our DNS team
>>>
>>>     please delegate dns zone "unix.abcd.ca" to ???
>>
>>     the ip address of your ipa server, they will know what questions to
>>     ask :)
>>
>>>     Question: should the ipa server fqdn be ipaserver.unix.abcd.ca or
>>>     ipaserver.abcd.ca?
>>
>>>     does it matter?
>>
>>     It does, the IPA server DNS domain is what matters for the first
>>     master.
>>     So it should be <name>.unix.abcd.ca
>>
>>     So that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you
>>     use the standard configuration).
>>
>>     Simo.
>>
>>     -- 
>>     Simo Sorce * Red Hat, Inc * New York
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Hello
>
> Still have the same issue "unable to find 'admin' user with 'getent passwd
> admin'!"
>
> I redid both client and servers, no selinux, no firewall
>
> Our dns teams did set soa unix.cnppd.lab to point to my ipa server
>
> I had to put a manual entry in /etc/hosts
> 165.115.118.21  mtl-ipa01d.unix.cnppd.lab       mtl-ipa01d
>
>
> then did set my ipa server with the following
> ipa-server-install -a xxxxxxx --hostname=mtl-ipa01d.unix.cnppd.lab -n
> unix.cnppd.lab -p xxxxx -r UNIX.CNPPD.LAB --setup-dns
> --forwarder=165.115.52.21--fowarder=165.115.51.21
> Server host name [mtl-ipa01d.unix.cnppd.lab]:
>
> Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
> The IPA Master Server will be configured with
> Hostname:    mtl-ipa01d.unix.cnppd.lab
> IP address:  165.115.118.21
> Domain name: unix.cnppd.lab
>
> Do you want to configure the reverse zone? [yes]:
> Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
> Using reverse zone 118.115.165.in-addr.arpa.
>
>
>
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
>   [1/9]: adding DNS container
>   [2/9]: setting up our zone
>   [3/9]: setting up reverse zone
>   [4/9]: setting up our own record
>   [5/9]: setting up kerberos principal
>   [6/9]: setting up named.conf
>   [7/9]: restarting named
>   [8/9]: configuring named to start on boot
>   [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==============================================================================
> Setup complete
>
>
> I did set my client with
> [root at mtl-vdi01d ~]# ipa-client-install
> --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB
> --realm=UNIX.CNPPD.LAB --mkhomedir
> Discovery was successful!
> Hostname: mtl-vdi01d.cn.ca
> Realm: UNIX.CNPPD.LAB
> DNS Domain: UNIX.CNPPD.LAB
> IPA Server: mtl-ipa01d.unix.cnppd.lab
> BaseDN: dc=unix,dc=cnppd,dc=lab
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at UNIX.CNPPD.LAB: 
>
> Enrolled in IPA realm UNIX.CNPPD.LAB
> Created /etc/ipa/default.conf
> Configured[root at mtl-vdi01d ~]# ipa-client-install
> --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB
> --realm=UNIX.CNPPD.LAB --mkhomedir
> Discovery was successful!
> Hostname: mtl-vdi01d.cn.ca
> Realm: UNIX.CNPPD.LAB
> DNS Domain: UNIX.CNPPD.LAB
> IPA Server: mtl-ipa01d.unix.cnppd.lab
> BaseDN: dc=unix,dc=cnppd,dc=lab
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at UNIX.CNPPD.LAB: 
>
> Enrolled in IPA realm UNIX.CNPPD.LAB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete. /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
>
> you can see that ipa did enroll my client 
>
> [root at mtl-ipa01d ~]# ipa host-find
> ---------------
> 2 hosts matched
> ---------------
>   Host name: mtl-ipa01d.unix.cnppd.lab
>   Principal name: host/mtl-ipa01d.unix.cnppd.lab at UNIX.CNPPD.LAB
>   Keytab: True
>   Password: False
>   Managed by: mtl-ipa01d.unix.cnppd.lab
>
>   Host name: mtl-vdi01d.cn.ca
>   Certificate:
>   Principal name: host/mtl-vdi01d.cn.ca at UNIX.CNPPD.LAB
>   Keytab: True
>   Password: False
>   Managed by: mtl-vdi01d.cn.ca
>   Subject: CN=mtl-vdi01d.cn.ca,O=UNIX.CNPPD.LAB
>   Serial Number: 12
>   Issuer: CN=Certificate Authority,O=UNIX.CNPPD.LAB
>   Not Before: Tue Mar 13 18:27:41 2012 UTC
>   Not After: Fri Mar 14 18:27:41 2014 UTC
>   Fingerprint (MD5): 26:f6:9f:32:3d:a0:13:43:8e:16:1a:7f:d7:43:7e:51
>   Fingerprint (SHA1):
> 4b:28:b2:a4:33:16:27:fc:16:cc:35:54:68:fc:b4:45:85:3f:dc:1a
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root at mtl-ipa01d ~]# 
>
>
>
> I keep getting "unable to find 'admin' user with 'getent passwd admin'!"
>
> Why is that? 
>
> Thanks
>
> Sylvain
>

Did you run the client enrollment twice?
Can you provide an ipaclient installation log?

>
>
> -- 
> Sylvain Angers
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


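An added preflight check (not from the thread or the FreeIPA project) in POSIX sh that applies the naming rule Simo states above to the host, domain and realm values pasted in the thread: the host name must lie inside the IPA DNS domain, the domain is written in lower case, and the realm is that domain upper-cased. The function name and messages are mine, and applying the host rule to the client's own values is my assumption; it reports inconsistencies only and does not diagnose the getent failure.

```shell
# ipa_names_check HOSTNAME DOMAIN REALM
# Returns 0 when HOSTNAME lies inside DOMAIN, DOMAIN is lower case and
# REALM is DOMAIN upper-cased (the standard configuration); otherwise
# prints one WARN line per violated rule and returns 1. No network calls.
ipa_names_check() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
    domain=$2
    realm=$3
    rc=0
    lower_domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    upper_domain=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')

    # Rule 1: DNS domain = unix.abcd.ca, i.e. lower case
    if [ "$domain" != "$lower_domain" ]; then
        echo "WARN: domain '$domain' should be lower case: '$lower_domain'"
        rc=1
    fi
    # Rule 2: realm = UNIX.ABCD.CA, i.e. the domain upper-cased
    if [ "$realm" != "$upper_domain" ]; then
        echo "WARN: realm '$realm' is not the upper-cased domain '$upper_domain'"
        rc=1
    fi
    # Rule 3: the FQDN must be <name>.<domain>, a name inside the IPA zone
    # (stated for the first master; applied here to every host checked)
    case "$host" in
        *."$lower_domain") ;;
        *)  echo "WARN: host '$host' is not inside DNS domain '$lower_domain'"
            rc=1 ;;
    esac
    return "$rc"
}

# Values quoted in the thread: the server install is consistent; the client
# invocation (--domain=UNIX.CNPPD.LAB, hostname mtl-vdi01d.cn.ca) is not.
ipa_names_check mtl-ipa01d.unix.cnppd.lab unix.cnppd.lab UNIX.CNPPD.LAB \
    && echo "server names are consistent"
ipa_names_check mtl-vdi01d.cn.ca UNIX.CNPPD.LAB UNIX.CNPPD.LAB \
    || echo "client invocation: see warnings above"
```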




