[Freeipa-users] DNS discovery failed to determine your DNS domain
Endre Karlson
endre.karlson at gmail.com
Sat May 18 16:57:19 UTC 2013
So I am trying to enroll Ubuntu into FreeIPA.
But I am getting a number of issues:
1. DNS autodiscovery isn't working.
2. certutils fails at the end?
In my setup I currently have 1 IPA server running DNS and all of it.
What can be wrong?
Endre.
sudo ipa-client-install -d --enable-dns-updates
root : DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None,
'preserve_sssd': False, 'server': None, 'prompt_password': False,
'mkhomedir': False, 'dns_updates': True, 'permit': False, 'debug': True,
'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended':
None, 'principal': None}
root : DEBUG missing options might be asked for interactively
later
root : DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(coretrek.net)]
root : DEBUG [ipadnssearchldap(net)]
root : DEBUG [ipadnssearchldap(coretrek.net)]
root : DEBUG [ipadnssearchldap(net)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): coretrek.net
root : DEBUG will use domain: coretrek.net
root : DEBUG [ipadnssearchldap]
root : DEBUG IPA Server not found
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): st-vidm001.coretrek.net
root : DEBUG will use server: st-vidm001.coretrek.net
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmp1RBeGA/ca.crt -T 15 -t
2 http://st-vidm001.coretrek.net/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2013-05-18 18:40:05--
http://st-vidm001.coretrek.net/ipa/config/ca.crt
Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)... 172.16.200.5
Connecting to st-vidm001.coretrek.net
(st-vidm001.coretrek.net)|172.16.200.5|:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp1RBeGA/ca.crt'
0K . 100% 69.1M=0s
2013-05-18 18:40:05 (69.1 MB/s) - `/tmp/tmp1RBeGA/ca.crt' saved [1321/1321]
root : DEBUG Init ldap with: ldap://st-vidm001.coretrek.net:389
root : DEBUG Search LDAP server for IPA base DN
root : DEBUG Check if naming context 'dc=coretrek,dc=net' is for
IPA
root : DEBUG Naming context 'dc=coretrek,dc=net' is a valid IPA
context
root : DEBUG Search for (objectClass=krbRealmContainer) in
dc=coretrek,dc=net(sub)
root : DEBUG Found:
[('cn=CORETREK.NET,cn=kerberos,dc=coretrek,dc=net',
{'krbSubTrees': ['dc=coretrek,dc=net'], 'cn': ['CORETREK.NET'],
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'],
'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
The failure to use DNS to find your IPA server indicates that your
resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always
access the discovered server for all operation and will not fail over to
other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
root : DEBUG will use cli_realm: CORETREK.NET
root : DEBUG will use cli_basedn: dc=coretrek,dc=net
Hostname: st-posctrl001.coretrek.net
Realm: CORETREK.NET
DNS Domain: coretrek.net
IPA Server: st-vidm001.coretrek.net
BaseDN: dc=coretrek,dc=net
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
root : DEBUG will use principal: admin
root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://st-vidm001.coretrek.net/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2013-05-18 18:40:28--
http://st-vidm001.coretrek.net/ipa/config/ca.crt
Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)... 172.16.200.5
Connecting to st-vidm001.coretrek.net
(st-vidm001.coretrek.net)|172.16.200.5|:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'
0K . 100% 66.7M=0s
2013-05-18 18:40:28 (66.7 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
Synchronizing time with KDC...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b
st-vidm001.coretrek.net
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
samples] [-o version#] [-t timeo] server ...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b
st-vidm001.coretrek.net
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
samples] [-o version#] [-t timeo] server ...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b
st-vidm001.coretrek.net
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
samples] [-o version#] [-t timeo] server ...
Unable to sync time with IPA NTP server, assuming the time is in sync.
root : DEBUG Writing Kerberos configuration to /tmp/tmpdGLoJb:
#File modified by ipa-client-install
[libdefaults]
default_realm = CORETREK.NET
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
CORETREK.NET = {
kdc = st-vidm001.coretrek.net:88
admin_server = st-vidm001.coretrek.net:749
default_domain = coretrek.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.coretrek.net = CORETREK.NET
coretrek.net = CORETREK.NET
Password for admin at CORETREK.NET:
root : DEBUG args=kinit admin at CORETREK.NET
root : DEBUG stdout=Password for admin at CORETREK.NET:
root : DEBUG stderr=
root : DEBUG args=/usr/sbin/ipa-join -s
st-vidm001.coretrek.net-b dc=coretrek,dc=net -d
root : DEBUG stdout=
root : DEBUG stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>st-posctrl001.coretrek.net</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>3.2.0-43-generic</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=st-posctrl001.coretrek.net
,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=st-posctrl001.coretrek.net
,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=CORETREK.NET</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbextradata</name>\n
<value><array><data>\n
<value><base64>\n
AAKuqZdRaG9zdC9zdC1wb3NjdHJsMDAxLmNvcmV0cmVrLm5ldEBDT1JFVFJFSy5ORVQA\n
</base64></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>cn</name>\n
<value><array><data>\n
<value><string>st-posctrl001.coretrek.net</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>st-posctrl001.coretrek.net</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managing_host</name>\n
<value><array><data>\n
<value><string>st-posctrl001.coretrek.net</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krblastsuccessfulauth</name>\n
<value><array><data>\n
<value><string>20130518162120Z</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>88f1ad52-bfd2-11e2-81f5-525400d79980</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/st-posctrl001.coretrek.net at CORETREK.NET
</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>st-posctrl001.coretrek.net</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>serverhostname</name>\n
<value><array><data>\n
<value><string>st-posctrl001</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>enrolledby_user</name>\n
<value><array><data>\n
<value><string>admin</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=CORETREK.NET
Enrolled in IPA realm CORETREK.NET
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
root : DEBUG -> Not backing up - '/etc/ipa/default.conf'
doesn't exist
Created /etc/ipa/default.conf
root : DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
root : DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
Domain coretrek.net is already configured in existing SSSD config, creating
a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during
uninstall.
root : DEBUG Domain coretrek.net is already configured in
existing SSSD config, creating a new one.
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA
CA -t CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: The
certificate/key database is in an old, unsupported format.
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1292, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 1279, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1124, in install
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA",
"-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273,
in run
raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero
exit status 255
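
An added example, not part of the original post or of FreeIPA: a small Python triage of the `ipa-client-install -d` output above that pulls out four things visible in the log (failed DNS discovery, the CA certificate fetched over plain HTTP, the skipped time sync, and the certutil failure). The function `triage` and its finding names are hypothetical, and the sample input is an excerpt of the log with wrapped lines re-joined.

```python
import re

# Excerpt of the debug output above, with wrapped lines re-joined (sample input).
SAMPLE_LOG = """\
root : DEBUG [ipadnssearchldap(coretrek.net)]
root : DEBUG [ipadnssearchldap(net)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://st-vidm001.coretrek.net/ipa/config/ca.crt
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b st-vidm001.coretrek.net
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
Unable to sync time with IPA NTP server, assuming the time is in sync.
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stderr=certutil: function failed: The certificate/key database is in an old, unsupported format.
"""

def triage(log):
    """Return {finding_name: detail} for problems visible in the installer output."""
    findings = {}
    searched = re.findall(r"\[ipadnssearchldap\(([^)]+)\)\]", log)
    if "DNS discovery failed" in log:
        # Domains the installer walked through before giving up, de-duplicated in order.
        findings["dns_discovery_failed"] = list(dict.fromkeys(searched))
    # CA certificate (the trust anchor) downloaded over unauthenticated HTTP.
    urls = re.findall(r"args=\S*wget .*?(http://\S+\.crt)", log)
    if urls:
        findings["ca_cert_over_http"] = sorted(set(urls))
    m = re.search(r"ntpdate: unknown option (\S+)", log)
    if m and "Unable to sync time" in log:
        # Kerberos depends on clock agreement, so an unsynced install deserves a check.
        findings["time_sync_skipped"] = m.group(1)
    db = re.search(r"args=\S*certutil .*?-d (\S+)", log)
    err = re.search(r"certutil: function failed: (.+)", log)
    if db and err:
        findings["certutil_failed"] = (db.group(1), err.group(1).strip())
    return findings

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_LOG).items():
        print(f"{name}: {detail}")
```
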