[Freeipa-users] stupid question

Mike Calautti Mike.Calautti at genesyslab.com
Tue Oct 15 20:34:53 UTC 2013


Ok..
So I did add the Kerberos stuff to the DNS server..

Then I got further..
But got this..

2013-10-15T20:31:31Z DEBUG Init LDAP connection with: ldap://rdsdev01:389
2013-10-15T20:31:31Z DEBUG LDAP Error: server down

So then I added the fqdn and shortname to the clients host file..

And get this..

ipa-client-install --server=rdsdev01 --domain=dev.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Mike Calautti
Sent: Tuesday, October 15, 2013 4:25 PM
To: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stupid question

You're awesome!!!!

Interesting..
Well, for one, it's claiming it can't contact the LDAP server...
But it's calling a machine in our domain that I didn't know existed and, furthermore, never mentioned in the IPA setup..
So I see it was searching the network...

Also.. when doing research on installing, I saw that someone said to paste the entries from the example DNS file to your existing DNS db file.
I didn't do that because I am just testing..
Would that affect it?

DNS is correct for both IPA master/replica

Here is the log.

cat /var/log/ipaclient-install.log
2013-10-15T20:18:11Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-10-15T20:18:11Z DEBUG missing options might be asked for interactively later
2013-10-15T20:18:11Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-10-15T20:18:11Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-10-15T20:18:11Z DEBUG [IPA Discovery]
2013-10-15T20:18:11Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=freeiptest01.dev.com
2013-10-15T20:18:11Z DEBUG Start searching for LDAP SRV record in "dev.com" (domain of the hostname) and its sub-domains
2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
2013-10-15T20:18:11Z DEBUG No DNS record found
2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc02.dev.com.}
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc.dev.com.}
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:drdc01.dev.com.}
2013-10-15T20:18:11Z DEBUG [Kerberos realm search]
2013-10-15T20:18:11Z DEBUG Search DNS for TXT record of _kerberos.dev.com.
2013-10-15T20:18:11Z DEBUG No DNS record found
2013-10-15T20:18:11Z DEBUG [LDAP server check]
2013-10-15T20:18:11Z DEBUG Verifying that hqdc02.dev.com (realm None) is an IPA server
2013-10-15T20:18:11Z DEBUG Init LDAP connection with: ldap://hqdc02.dev.com:389
2013-10-15T20:18:11Z DEBUG Search LDAP server for IPA base DN

If I specify --server=rdsdev01 --domain=dev.com

I get 

Failed to verify that rdsdev01 is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

However, there is no FW. iptables is not running, and I can telnet to each of those ports.



-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, October 15, 2013 4:11 PM
To: Mike Calautti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stupid question

Mike Calautti wrote:
> I installed ipa-client..
>
> I get this now.
>
> ipa-client-install
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-client-install", line 2323, in <module>
>      sys.exit(main())
>    File "/usr/sbin/ipa-client-install", line 2309, in main
>      rval = install(options, env, fstore, statestore)
>    File "/usr/sbin/ipa-client-install", line 1684, in install
>      ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
>    File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 242, in search
>      ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
>    File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 339, in ipacheckldap
>      basedn = get_ipa_basedn(lh)
>    File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
>      contexts = entries[0][1]['namingcontexts']
>
> cat /etc/redhat-release
> CentOS release 6.4 (Final)

Hmm. I'd take a look at /var/log/ipaclient-install.log to see what host it is trying to enroll against. I have the feeling it is finding another host.

We fixed a bug post-6.4 related to case insensitivity and namingcontexts. I have the feeling the LDAP server you're connecting to isn't returning it all as lower case as we expect.

rob
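The discovery that Mike's log walks through, and the namingcontexts lookup Rob refers to, as an added example that is not part of this thread and not FreeIPA's own code: it simulates ipa-client-install's server selection over constructed SRV answers and rootDSE entries. The host names, the attribute casing each server returns and the "IPA V2.0" marker in the base entry are constructed or assumed for illustration, not copied from ipadiscovery.py or ipautil.py. It shows why SRV discovery in dev.com lands on hqdc02 first, why a strict lower-case key lookup blows up with a KeyError when a server answers with `namingContexts`, and how the `--server` path skips DNS discovery entirely.

```python
# Added example (not FreeIPA's code): simulate ipa-client-install's discovery
# against constructed DNS and LDAP data so it runs offline.
from typing import Dict, List, Optional, Tuple

# Constructed SRV answer for _ldap._tcp.dev.com. as (priority, weight, port,
# target), mirroring the three records in the log. rdsdev01 is deliberately
# absent: the DNS zone had no SRV record pointing at the IPA server.
SRV_LDAP_TCP_DEV_COM: List[Tuple[int, int, int, str]] = [
    (0, 100, 389, "hqdc02.dev.com."),
    (0, 100, 389, "hqdc.dev.com."),
    (0, 100, 389, "drdc01.dev.com."),
]

# Constructed rootDSE responses keyed by server, shaped like python-ldap's
# (dn, attrs) tuples. The non-IPA servers return the attribute with its
# canonical mixed-case name; the IPA server (assumed) returns it lower-cased.
ROOTDSE: Dict[str, Tuple[str, Dict[str, List[bytes]]]] = {
    "hqdc02.dev.com.": ("", {"namingContexts": [b"DC=dev,DC=com"]}),
    "hqdc.dev.com.": ("", {"namingContexts": [b"DC=dev,DC=com"]}),
    "drdc01.dev.com.": ("", {"namingContexts": [b"DC=dev,DC=com"]}),
    "rdsdev01.dev.com.": ("", {"namingcontexts": [b"dc=dev,dc=com"]}),
}

# Constructed base entries per (server, naming context). Only the IPA server
# carries the info=IPA V2.0 marker; everything else is treated as empty.
BASE_ENTRY: Dict[Tuple[str, str], Dict[str, List[bytes]]] = {
    ("rdsdev01.dev.com.", "dc=dev,dc=com"): {"info": [b"IPA V2.0"]},
}


def naming_contexts_strict(entry: Tuple[str, Dict[str, List[bytes]]]) -> List[str]:
    """Pre-fix behaviour: a literal lower-case key lookup. Raises KeyError
    when the server answers with 'namingContexts', as in the traceback."""
    return [v.decode() for v in entry[1]["namingcontexts"]]


def naming_contexts_ci(entry: Tuple[str, Dict[str, List[bytes]]]) -> List[str]:
    """Case-insensitive lookup: LDAP attribute names are case-insensitive, so
    the client must not depend on whichever casing a given server chooses."""
    attrs = {k.lower(): v for k, v in entry[1].items()}
    return [v.decode() for v in attrs.get("namingcontexts", [])]


def is_ipa_server(server: str) -> bool:
    """Read the rootDSE, then look for the IPA marker under each context."""
    entry = ROOTDSE.get(server)
    if entry is None:
        return False  # stands in for "LDAP Error: server down"
    for ctx in naming_contexts_ci(entry):
        base = BASE_ENTRY.get((server, ctx), {})
        if b"IPA V2.0" in base.get("info", []):
            return True
    return False


def discover(srv_records: List[Tuple[int, int, int, str]],
             fixed_server: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Return (ipa_server, rejected_candidates). With fixed_server set there is
    no SRV lookup at all, which is the 'no DNS discovery' path the installer
    warns about when --server is given. SRV weight randomisation is skipped;
    candidates are ordered by priority only."""
    if fixed_server:
        candidates = [fixed_server]
    else:
        candidates = [t for _, _, _, t in sorted(srv_records, key=lambda r: r[0])]
    rejected: List[str] = []
    for cand in candidates:
        if is_ipa_server(cand):
            return cand, rejected
        rejected.append(cand)
    return None, rejected


if __name__ == "__main__":
    print("SRV discovery:", discover(SRV_LDAP_TCP_DEV_COM))
    print("--server path:", discover([], fixed_server="rdsdev01.dev.com."))
    try:
        naming_contexts_strict(ROOTDSE["hqdc02.dev.com."])
    except KeyError as err:
        print("strict lookup on hqdc02 fails with KeyError:", err)
```

The first call reproduces the log: every SRV target is probed and rejected because none of them carries the IPA marker, and with the strict lookup the very first one would have raised instead of being rejected. The second call shows what `--server=rdsdev01` buys: one candidate, no SRV step, and therefore no failover list either, which is exactly the trade-off the installer's warning describes.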



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users