[Freeipa-users] freeipa-client installation(debug) on Ubuntu 10.04 & 12.04
jaseywang
jaseywang at gmail.com
Mon Jul 28 17:29:08 UTC 2014
Hi
I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but neither of
them worked :-(
At the moment, only 12.04 ships the apt repo so that I can use apt to
install the freeipa-client (2.1.4-0ubuntu1). Although I can install the
package successfully, I can't make it work during my ipa-client-install
process. I just followed the instructions as the docs below say:
https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu
http://ubuntuforums.org/showthread.php?t=2207956
But it failed with the --debug option on; below is the message it produced
during installation:
---
# ipa-client-install --domain=example.com --mkhomedir --realm=EXAMPLE.COM
--server=ad25.example.com --no-ntp --hostname=dp40.example.com --debug
root : DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': False, 'domain': 'example.com', 'uninstall': False,
'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': '
dp40.example.com', 'preserve_sssd': False, 'server': 'ad25.example.com',
'prompt_password': False, 'mkhomedir': True, 'dns_updates': False,
'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None,
'realm_name': 'EXAMPLE.COM', 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively
later
root : DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmp_gTNxY/ca.crt -T 15 -t
2 http://ad25.example.com/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2014-07-29 01:00:16--
http://ad25.example.com/ipa/config/ca.crt
Resolving ad25.example.com (ad25.example.com)... 10.11.50.5
Connecting to ad25.example.com (ad25.example.com)|10.11.50.5|:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 1295 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp_gTNxY/ca.crt'
0K . 100% 109M=0s
2014-07-29 01:00:16 (109 MB/s) - `/tmp/tmp_gTNxY/ca.crt' saved [1295/1295]
root : DEBUG Init ldap with: ldap://ad25.example.com:389
root : DEBUG Search LDAP server for IPA base DN
root : DEBUG Check if naming context 'dc=example,dc=com' is for
IPA
root : DEBUG Naming context 'dc=example,dc=com' is a valid IPA
context
root : DEBUG Search for (objectClass=krbRealmContainer) in
dc=example,dc=com(sub)
root : DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=us',
{'krbSubTrees': ['dc=example,dc=com'], 'cn': ['EXAMPLE.COM'],
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
root : DEBUG will use domain: example.com
root : DEBUG will use server: ad25.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
root : DEBUG will use cli_realm: EXAMPLE.COM
root : DEBUG will use cli_basedn: dc=example,dc=com
Hostname: dp40.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ad25.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
root : DEBUG Backing up system configuration file '/etc/hostname'
root : DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG args=/bin/hostname dp40.example.com
root : DEBUG stdout=
root : DEBUG stderr=
User authorized to enroll computers: admin
root : DEBUG will use principal: admin
root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://ad25.example.com/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2014-07-29 01:00:29--
http://ad25.example.com/ipa/config/ca.crt
Resolving ad25.example.com (ad25.example.com)... 10.11.50.5
Connecting to ad25.example.com (ad25.example.com)|10.11.50.5|:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 1295 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'
0K . 100% 127M=0s
2014-07-29 01:00:29 (127 MB/s) - `/etc/ipa/ca.crt' saved [1295/1295]
Synchronizing time with KDC...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
samples] [-o version#] [-t timeo] server ...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
samples] [-o version#] [-t timeo] server ...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
samples] [-o version#] [-t timeo] server ...
Unable to sync time with IPA NTP server, assuming the time is in sync.
root : DEBUG Writing Kerberos configuration to /tmp/tmpaGEtIp:
#File modified by ipa-client-install
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = ad25.example.com:88
admin_server = ad25.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Password for admin at EXAMPLE.COM:
root : DEBUG args=kinit admin at EXAMPLE.COM
root : DEBUG stdout=Password for admin at EXAMPLE.COM:
root : DEBUG stderr=
root : DEBUG args=/usr/sbin/ipa-join -s ad25.example.com -b
dc=example,dc=com -d -h dp40.example.com
root : DEBUG stdout=
root : DEBUG stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>dp40.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>3.2.0-29-generic</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=dp40.example.com
,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=dp40.example.com
,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=EXAMPLE.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>top</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>dp40.example.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>b086ab94-1678-11e4-991b-bc305bf33a5c</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/dp40.example.com at EXAMPLE.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>dp40.example.com</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=EXAMPLE.COM
Enrolled in IPA realm EXAMPLE.COM
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
root : DEBUG -> Not backing up - '/etc/ipa/default.conf'
doesn't exist
Created /etc/ipa/default.conf
root : DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
root : DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
Domain example.com is already configured in existing SSSD config, creating
a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during
uninstall.
root : DEBUG Domain example.com is already configured in existing
SSSD config, creating a new one.
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA
CA -t CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG Backing up system configuration file '/etc/krb5.conf'
root : DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Writing Kerberos configuration to /etc/krb5.conf:
#File modified by ipa-client-install
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = ad25.example.com:88
admin_server = ad25.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Warning: Hostname (dp40.example.com) not found in DNS
root : DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
zone example.com.
update delete dp40.example.com. IN A
send
update add dp40.example.com. 1200 IN A 10.11.0.40
send
root : DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
dp40.example.com
root : DEBUG stdout=
root : DEBUG stderr=kinit: Password incorrect while getting
initial credentials
Failed to obtain host TGT.
root : DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
root : DEBUG stdout=
root : DEBUG stderr=tkey query failed: GSSAPI error: Major =
Unspecified GSS failure. Minor code may provide more information, Minor =
Credentials cache file '/etc/ipa/.dns_ccache' not found.
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1)
root : DEBUG args=/usr/sbin/service dbus start
root : DEBUG stdout=
root : DEBUG stderr=start: Job is already running: dbus
root : ERROR dbus failed to start: Command '/usr/sbin/service
dbus start ' returned non-zero exit status 1
root : DEBUG args=/usr/sbin/service certmonger restart
root : DEBUG stdout=certmonger stop/waiting
certmonger start/running, process 293499
root : DEBUG stderr=
root : DEBUG args=/usr/sbin/service certmonger stop
root : DEBUG stdout=certmonger stop/waiting
root : DEBUG stderr=
root : DEBUG args=/usr/sbin/service certmonger restart
root : DEBUG stdout=certmonger start/running, process 293513
root : DEBUG stderr=stop: Unknown instance:
root : DEBUG args=/sbin/chkconfig certmonger on
root : DEBUG stdout=
root : DEBUG stderr=/sbin/insserv: No such file or directory
Failed to configure automatic startup of the certmonger daemon
Automatic certificate management will not be available
root : ERROR Failed to disable automatic startup of the
certmonger daemon: Command '/sbin/chkconfig certmonger on' returned
non-zero exit status 1
root : DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA
Machine Certificate - dp40.example.com -N CN=dp40.example.com,O=EXAMPLE.COM
-K host/dp40.example.com at EXAMPLE.COM
root : DEBUG stdout=New signing request "20140728170038" added.
root : DEBUG stderr=
root : DEBUG args=/usr/sbin/service nscd status
root : DEBUG stdout=
root : DEBUG stderr=nscd: unrecognized service
root : DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth
--enablemkhomedir --update --enablesssd
Please do the corresponding changes manually and press Enter:
SSSD enabled
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
Client configuration complete.
---
Obviously, the package is buggy, and it just copied configs from Red Hat
that are not suitable for Ubuntu.
As for Ubuntu 10.04, I googled a lot, but found far less info about it.
Basically, the documentation for 10.04 and 12.04 is really, really rare; I
haven't found any good cases that run them smoothly.
I have read through the official documentation, and there only exists some
info about installing ipa-client manually, which is still for Red Hat based
distributions, not Debian based, although no matter which distribution, the
theory behind them is the same. One of the main purposes of FreeIPA, I think,
is to make IdM easier to use and maintain, especially since it involves
lots of complicated components that normal users don't want to cover:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
Besides Ubuntu, we have hundreds of Red Hat clients which run quite well and
they don't have many problems during the whole process, but Ubuntu is a big
trouble for us. We still have more than 200 hundreds of them running in
our production environment, and we still want to let them join our
FreeIPA domain so we can manage our accounts more efficiently.
So, can anybody help me debug the above error on Ubuntu 12.04, and offer any
suggestions or good references for the Ubuntu distribution?
Thank you.
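
Added example (not part of the original post and not FreeIPA code): a small Python triage script for `ipa-client-install --debug` output in the layout shown in the log above. It groups each `args=`/`stdout=`/`stderr=` triple, rejoins mail-wrapped lines, and lists the commands that wrote to stderr together with the ERROR lines; the sample input is constructed and the function names are this example's own.

```python
import re

# Constructed sample in the log's "root : DEBUG key=value" layout, with wrapped lines.
SAMPLE = """\
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
root : DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
dp40.example.com
root : DEBUG stdout=
root : DEBUG stderr=kinit: Password incorrect while getting
initial credentials
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=
Created /etc/ipa/default.conf
root : ERROR dbus failed to start: Command '/usr/sbin/service
dbus start ' returned non-zero exit status 1
"""

LINE = re.compile(r"^root\s*:\s*(DEBUG|ERROR)\s+(.*)$")
FIELD = re.compile(r"^(args|stdout|stderr)=(.*)$")

def parse(log):
    """Return (commands, errors) from ipa-client-install --debug output."""
    commands, errors, target = [], [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            # No logger prefix: wrapped text. Extend only a field that holds text.
            if target and target[0][target[1]]:
                target[0][target[1]] += " " + raw.strip()
            continue
        level, msg = m.groups()
        f, target = FIELD.match(msg), None
        if level == "ERROR":
            errors.append({"text": msg})
            target = (errors[-1], "text")
        elif f and f.group(1) == "args":
            commands.append({"args": f.group(2), "stdout": "", "stderr": ""})
            target = (commands[-1], "args")
        elif f and commands:
            commands[-1][f.group(1)] = f.group(2)
            target = (commands[-1], f.group(1))
    return commands, errors

def suspects(commands):
    """Unique commands that wrote to stderr, in first-seen order."""
    return list({c["args"]: c["stderr"] for c in commands if c["stderr"]}.items())
```

The result is a list of candidates to review, not a verdict: tools such as wget write their normal progress to stderr, and installer messages printed directly after a non-empty stderr are folded into that field.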