[Freeipa-users] need info on AD / IPA coexistence

Rob Crittenden rcritten at redhat.com
Wed Mar 14 02:46:03 UTC 2012


Sylvain Angers wrote:
>
>
> 2012/3/8 Brian Cook <bcook at redhat.com <mailto:bcook at redhat.com>>
>
>     Also, I would not use 'delegation record' from AD, use conditional
>     forwarding for *.unix.abcd.ca <http://unix.abcd.ca>.  Your AD admins
>     should know how to do it.
>
>     ---
>     Brian Cook
>     Solutions Architect, Red Hat, Inc.
>     407-212-7079 <tel:407-212-7079>
>
>
>
>
>     On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
>
>>     On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
>>>     Alright!
>>>
>>>     I am now requesting to our DNS team
>>>
>>>     please delegate dns zone "unix.abcd.ca <http://unix.abcd.ca>" to ???
>>
>>     the ip address of your ipa server, they will know what questions to
>>     ask :)
>>
>>>     Question: is the ipa server fqdn, be ipaserver.unix.abcd.ca
>>>     <http://ipaserver.unix.abcd.ca> or
>>>     ipaserver.abcd.ca <http://ipaserver.abcd.ca>?
>>
>>>     does it matter?
>>
>>     It does, the IPA server DNS domain is what matters for the first
>>     master.
>>     So it should be <name>.unix.abcd.ca <http://unix.abcd.ca>
>>
>>     So that DNS domain = unix.abcd.ca <http://unix.abcd.ca> and realm
>>     = UNIX.ABCD.CA <http://UNIX.ABCD.CA> (if you use
>>     the standard configuration).
>>
>>     Simo.
>>
>>     --
>>     Simo Sorce * Red Hat, Inc * New York
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Hello
>
> Still have the same issue "unable to find 'admin' user with 'getent passwd
> admin'!"
>
> I redid both client and servers, no selinux,no firewall
>
> Our dns teams did set soa unix.cnppd.lab to point to my ipa server
>
> I had to put a manual entry in /etc/hosts
> 165.115.118.21  mtl-ipa01d.unix.cnppd.lab       mtl-ipa01d
>
>
> then did set my ipa server with the following
> ipa-server-install -a xxxxxxx --hostname=mtl-ipa01d.unix.cnppd.lab -n
> unix.cnppd.lab -p xxxxx -r UNIX.CNPPD.LAB --setup-dns
> --forwarder=165.115.52.21 --forwarder=165.115.51.21
> Server host name [mtl-ipa01d.unix.cnppd.lab]:
>
> Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
> The IPA Master Server will be configured with
> Hostname:    mtl-ipa01d.unix.cnppd.lab
> IP address:  165.115.118.21
> Domain name: unix.cnppd.lab
>
> Do you want to configure the reverse zone? [yes]:
> Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
> Using reverse zone 118.115.165.in-addr.arpa.
>
>
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
>    [1/9]: adding DNS container
>    [2/9]: setting up our zone
>    [3/9]: setting up reverse zone
>    [4/9]: setting up our own record
>    [5/9]: setting up kerberos principal
>    [6/9]: setting up named.conf
>    [7/9]: restarting named
>    [8/9]: configuring named to start on boot
>    [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==============================================================================
> Setup complete
>
>
> I did set my client with
> [root at mtl-vdi01d ~]# ipa-client-install
> --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB
> --realm=UNIX.CNPPD.LAB --mkhomedir
> Discovery was successful!
> Hostname: mtl-vdi01d.cn.ca <http://mtl-vdi01d.cn.ca>
> Realm: UNIX.CNPPD.LAB
> DNS Domain: UNIX.CNPPD.LAB
> IPA Server: mtl-ipa01d.unix.cnppd.lab
> BaseDN: dc=unix,dc=cnppd,dc=lab
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at UNIX.CNPPD.LAB:
>
> Enrolled in IPA realm UNIX.CNPPD.LAB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
>
> you can see that ipa did enroll my client
>
> [root at mtl-ipa01d ~]# ipa host-find
> ---------------
> 2 hosts matched
> ---------------
>    Host name: mtl-ipa01d.unix.cnppd.lab
>    Principal name: host/mtl-ipa01d.unix.cnppd.lab at UNIX.CNPPD.LAB
>    Keytab: True
>    Password: False
>    Managed by: mtl-ipa01d.unix.cnppd.lab
>
>    Host name: mtl-vdi01d.cn.ca <http://mtl-vdi01d.cn.ca>
>    Certificate:
>    Principal name: host/mtl-vdi01d.cn.ca at UNIX.CNPPD.LAB
>    Keytab: True
>    Password: False
>    Managed by: mtl-vdi01d.cn.ca <http://mtl-vdi01d.cn.ca>
>    Subject: CN=mtl-vdi01d.cn.ca <http://mtl-vdi01d.cn.ca>,O=UNIX.CNPPD.LAB
>    Serial Number: 12
>    Issuer: CN=Certificate Authority,O=UNIX.CNPPD.LAB
>    Not Before: Tue Mar 13 18:27:41 2012 UTC
>    Not After: Fri Mar 14 18:27:41 2014 UTC
>    Fingerprint (MD5): 26:f6:9f:32:3d:a0:13:43:8e:16:1a:7f:d7:43:7e:51
>    Fingerprint (SHA1):
> 4b:28:b2:a4:33:16:27:fc:16:cc:35:54:68:fc:b4:45:85:3f:dc:1a
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root at mtl-ipa01d ~]#
>
>
>
> I keep getting "unable to find 'admin' user with 'getent passwd admin'!"

Can you check the sssd logs for any details? This is what does the user 
name resolution.

You can read about sssd troubleshooting at 
https://fedorahosted.org/sssd/wiki/FAQ#Troubleshooting

rob
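As an added example (not code from the thread or from the FreeIPA project), the two offline checks a client admin would run before reading the SSSD logs Rob points to: does the enrolled client's sssd.conf follow Simo's rule (DNS domain lower-case, realm the same name upper-cased), and how many fatal/critical/serious lines does the domain log contain. The sssd.conf keys and the 0x0010/0x0020/0x0040 debug-level masks are real SSSD conventions; the sample config and log lines are constructed for illustration and are not the poster's actual files.

```shell
#!/bin/sh
# Added example, not part of the thread. All sample files below are
# constructed; run the functions against /etc/sssd/sssd.conf and
# /var/log/sssd/sssd_<domain>.log on a real client.

# Print one key from the [domain/...] section of an sssd.conf file.
# usage: sssd_key <sssd.conf> <key>
sssd_key() {
    awk -v key="$2" -F'[ \t]*=[ \t]*' '
        /^\[domain\// { in_dom = 1; next }
        /^\[/         { in_dom = 0 }
        in_dom && $1 == key { print $2; exit }
    ' "$1"
}

# Simo's rule: ipa_domain is lower-case and krb5_realm is that same
# name upper-cased. Returns 0 when they agree, 1 otherwise.
check_domain_realm() {
    dom=$(sssd_key "$1" ipa_domain)
    realm=$(sssd_key "$1" krb5_realm)
    [ -n "$dom" ] && [ -n "$realm" ] || return 1
    [ "$dom" = "$(printf '%s' "$dom" | tr 'A-Z' 'a-z')" ] || return 1
    [ "$realm" = "$(printf '%s' "$dom" | tr 'a-z' 'A-Z')" ] || return 1
}

# Count log lines at SSSD level fatal (0x0010), critical (0x0020) or
# serious (0x0040); these are the first lines worth reading.
sssd_serious_lines() {
    grep -c -E '\((0x0010|0x0020|0x0040)\):' "$1" || true
}

# Constructed sample files mirroring the values quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/sssd.conf" <<'EOF'
[domain/unix.cnppd.lab]
id_provider = ipa
ipa_domain = UNIX.CNPPD.LAB
krb5_realm = UNIX.CNPPD.LAB
ipa_server = mtl-ipa01d.unix.cnppd.lab
EOF
cat > "$tmp/sssd_unix.cnppd.lab.log" <<'EOF'
(Tue Mar 13 18:30:02 2012) [sssd[be[unix.cnppd.lab]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Mar 13 18:30:02 2012) [sssd[be[unix.cnppd.lab]]] [resolv_getsrv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers
(Tue Mar 13 18:30:02 2012) [sssd[be[unix.cnppd.lab]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'mtl-ipa01d.unix.cnppd.lab'
EOF
check_domain_realm "$tmp/sssd.conf" && echo "domain/realm ok" || echo "domain/realm mismatch"
echo "serious log lines: $(sssd_serious_lines "$tmp/sssd_unix.cnppd.lab.log")"
```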