[Freeipa-users] stupid question

Rob Crittenden rcritten at redhat.com
Tue Oct 15 20:55:26 UTC 2013


Mike Calautti wrote:
> Ok..
> So I did add the kerberos stuff to the DNS server..
>
> Then I got further..
> But got this..
>
> 2013-10-15T20:31:31Z DEBUG Init LDAP connection with: ldap://rdsdev01:389
> 2013-10-15T20:31:31Z DEBUG LDAP Error: server down

You need to use FQDNs for things to work properly.

> So then I added the fqdn and shortname to the clients host file..
>
> And get this.,
>
> ipa-client-install --server=rdsdev01 --domain=dev.com
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]:

By passing in --server you are overriding discovery so we're warning 
that you will have manual changes to make in the future if your network 
configuration changes.

rob

>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Mike Calautti
> Sent: Tuesday, October 15, 2013 4:25 PM
> To: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stupid question
>
> You're awesome!!!!
>
> Interesting..
> Well for one it's claiming it can't contact the LDAP server...
> But it's calling a machine in our domain that I didn't know existed and furthermore never mentioned in the ipa setup..
> So I see it was searching the network...
>
> Also..when doing research on installing, I saw that someone said to paste the entries from the example DNS file to your existing DNS db file.
> I didn't do that because I am just testing..
> Would that affect it ?
>
> Dns is correct for both IPA master/replica
>
> Here is the log.
>
> cat /var/log/ipaclient-install.log
> 2013-10-15T20:18:11Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
> 2013-10-15T20:18:11Z DEBUG missing options might be asked for interactively later
> 2013-10-15T20:18:11Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2013-10-15T20:18:11Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2013-10-15T20:18:11Z DEBUG [IPA Discovery]
> 2013-10-15T20:18:11Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=freeiptest01.dev.com
> 2013-10-15T20:18:11Z DEBUG Start searching for LDAP SRV record in "dev.com" (domain of the hostname) and its sub-domains
> 2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
> 2013-10-15T20:18:11Z DEBUG No DNS record found
> 2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
> 2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc02.dev.com.}
> 2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc.dev.com.}
> 2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:drdc01.dev.com.}
> 2013-10-15T20:18:11Z DEBUG [Kerberos realm search]
> 2013-10-15T20:18:11Z DEBUG Search DNS for TXT record of _kerberos.dev.com.
> 2013-10-15T20:18:11Z DEBUG No DNS record found
> 2013-10-15T20:18:11Z DEBUG [LDAP server check]
> 2013-10-15T20:18:11Z DEBUG Verifying that hqdc02.dev.com (realm None) is an IPA server
> 2013-10-15T20:18:11Z DEBUG Init LDAP connection with: ldap://hqdc02.dev.com:389
> 2013-10-15T20:18:11Z DEBUG Search LDAP server for IPA base DN
>
> If I specify --server=rdsdev01 --domain=dev.com
>
> I get
>
> Failed to verify that rdsdev01 is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
>       TCP: 80, 88, 389
>       UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly after enrollment:
>       TCP: 464
>       UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> However there is no FW. Iptables is not running.. and I can telnet to each of those ports.
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, October 15, 2013 4:11 PM
> To: Mike Calautti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stupid question
>
> Mike Calautti wrote:
>> I installed ipa-client..
>>
>> I get this now.
>>
>> ipa-client-install
>> Traceback (most recent call last):
>>     File "/usr/sbin/ipa-client-install", line 2323, in <module>
>>       sys.exit(main())
>>     File "/usr/sbin/ipa-client-install", line 2309, in main
>>       rval = install(options, env, fstore, statestore)
>>     File "/usr/sbin/ipa-client-install", line 1684, in install
>>       ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
>>     File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 242, in search
>>       ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
>>     File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 339, in ipacheckldap
>>       basedn = get_ipa_basedn(lh)
>>     File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
>>       contexts = entries[0][1]['namingcontexts']
>>
>> cat /etc/redhat-release
>> CentOS release 6.4 (Final)
>
> Hmm. I'd take a look at /var/log/ipaclient-install.log to see what host it is trying to enroll against. I have the feeling it is finding another host.
>
> We fixed a bug post-6.4 related to case insensitivity and namingcontexts. I have the feeling the LDAP server you're connecting to isn't returning it all as lower case as we expect.
>
> rob
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
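The log excerpt above is the useful evidence in this thread: discovery walked the `_ldap._tcp.dev.com` SRV records, found no `_kerberos` TXT record for the realm, and then tried to verify the first SRV target rather than the intended IPA server, and the later attempt failed because `--server` was given as a short name. The script below is an added example written for this archive page, not FreeIPA code; it parses the DEBUG lines in the shape quoted here (ISO timestamp, level, message, with the `DNSResult::` SRV format) and reports the same three conditions. `SAMPLE_LOG` is constructed from the quoted lines and deliberately keeps several records fused on one physical line, as the archive shows them; `rdsdev01` and `hqdc02.dev.com` are the names from the thread.

```python
"""Triage helper for ipa-client-install discovery output.

Added example for this thread, not FreeIPA's own code. It assumes only the
DEBUG line shapes quoted in the thread. SAMPLE_LOG is constructed from those
quoted lines and is not a real capture.
"""
import re

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
SRV_RE = re.compile(
    r"name:(?P<name>[^,]+),type:33,class:\d+,rdata=\{priority:\d+,"
    r"port:(?P<port>\d+),weight:\d+,server:(?P<server>[^}]+)\}"
)
HOST_RE = re.compile(r"hostname=(?P<host>\S+)")
VERIFY_RE = re.compile(r"Verifying that (?P<server>\S+) \(realm")
LDAP_ERR_RE = re.compile(r"LDAP Error: (?P<err>.+)")

# Constructed sample: several records share one physical line, as in the archive.
SAMPLE_LOG = """\
2013-10-15T20:18:11Z DEBUG [IPA Discovery] 2013-10-15T20:18:11Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=freeiptest01.dev.com 2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc02.dev.com.}
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc.dev.com.}
2013-10-15T20:18:11Z DEBUG [Kerberos realm search] 2013-10-15T20:18:11Z DEBUG Search DNS for TXT record of _kerberos.dev.com.
2013-10-15T20:18:11Z DEBUG No DNS record found 2013-10-15T20:18:11Z DEBUG [LDAP server check] 2013-10-15T20:18:11Z DEBUG Verifying that hqdc02.dev.com (realm None) is an IPA server 2013-10-15T20:18:11Z DEBUG Init LDAP connection with: ldap://hqdc02.dev.com:389
2013-10-15T20:18:11Z DEBUG LDAP Error: server down
"""


def split_records(blob):
    """Return (timestamp, level, message) tuples.

    Records are split wherever a new timestamp begins, not on newlines, so
    lines that were run together (as in the mail archive) still come apart.
    """
    records = []
    for chunk in re.split(rf"(?={TS} )", blob):
        parts = chunk.strip().split(" ", 2)
        if len(parts) == 3:
            records.append(tuple(parts))
    return records


def is_fqdn(name):
    """True for names with at least two non-empty labels (e.g. host.dev.com)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def summarize(blob):
    """Collect what discovery saw: client hostname, SRV targets, realm TXT, LDAP checks."""
    s = {"hostname": None, "srv_targets": [], "realm_txt_found": False,
         "ldap_candidates": [], "ldap_errors": []}
    current = None  # server most recently being verified
    for _ts, _level, msg in split_records(blob):
        m = HOST_RE.search(msg)
        if m:
            s["hostname"] = m["host"]
        m = SRV_RE.search(msg)
        if m:
            s["srv_targets"].append((m["server"].rstrip("."), int(m["port"])))
        if "DNS record found" in msg and "_kerberos." in msg:
            s["realm_txt_found"] = True
        m = VERIFY_RE.search(msg)
        if m:
            current = m["server"]
            s["ldap_candidates"].append(current)
        m = LDAP_ERR_RE.search(msg)
        if m:
            s["ldap_errors"].append((current, m["err"].strip()))
    return s


def diagnose(summary, server_arg=None):
    """Turn a summary into findings; server_arg is the value passed to --server, if any."""
    findings = []
    targets = [t for t, _ in summary["srv_targets"]]
    if server_arg is not None:
        if not is_fqdn(server_arg):
            findings.append(f"--server={server_arg} is not an FQDN; pass the fully qualified name")
        wanted = server_arg.rstrip(".").lower()
        if not any(t.lower() == wanted or t.lower().startswith(wanted + ".") for t in targets):
            findings.append(f"no _ldap._tcp SRV record points at {server_arg}; "
                            f"discovery returned {targets or 'nothing'}")
    if not summary["realm_txt_found"]:
        findings.append("no _kerberos TXT record found; the realm cannot be discovered from DNS")
    for server, err in summary["ldap_errors"]:
        findings.append(f"LDAP check against {server} failed: {err}")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG), server_arg="rdsdev01"):
        print("-", line)
```

Run it against a real `/var/log/ipaclient-install.log` by reading the file into `summarize()` and passing the same `--server` value you gave the installer; the findings reproduce, from the log alone, the two points made in the replies (FQDNs are required, and the SRV records decide which host discovery will verify).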