[Freeipa-users] freeipa-client installation(debug) on Ubuntu 10.04 & 12.04

Martin Kosek mkosek at redhat.com
Tue Jul 29 07:10:54 UTC 2014


On 07/28/2014 07:29 PM, jaseywang wrote:
> Hi
> I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but neither of them
> worked :-(
> At the moment, only 12.04 ships the apt repo, so I can use apt to
> install the freeipa-client (2.1.4-0ubuntu1). Although I can install the
> package successfully, I can't make it work during my ipa-client-install
> process; I just follow the instructions as the docs below say:
> https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu
> http://ubuntuforums.org/showthread.php?t=2207956
> 
> But it failed with the --debug option on; below is the message it produced during
> installation:
> 
> ---
> 
> # ipa-client-install  --domain=example.com  --mkhomedir  --realm=EXAMPLE.COM
> --server=ad25.example.com --no-ntp --hostname=dp40.example.com --debug
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'example.com', 'uninstall': False,
> 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': '
> dp40.example.com', 'preserve_sssd': False, 'server': 'ad25.example.com',
> 'prompt_password': False, 'mkhomedir': True, 'dns_updates': False,
> 'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None,
> 'realm_name': 'EXAMPLE.COM', 'unattended': None, 'principal': None}
> root        : DEBUG    missing options might be asked for interactively
> later
> 
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmp_gTNxY/ca.crt -T 15 -t
> 2 http://ad25.example.com/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2014-07-29 01:00:16--
> http://ad25.example.com/ipa/config/ca.crt
> Resolving ad25.example.com (ad25.example.com)... 10.11.50.5
> Connecting to ad25.example.com (ad25.example.com)|10.11.50.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1295 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/tmp/tmp_gTNxY/ca.crt'
> 
>      0K .                                                     100%  109M=0s
> 
> 2014-07-29 01:00:16 (109 MB/s) - `/tmp/tmp_gTNxY/ca.crt' saved [1295/1295]
> 
> 
> root        : DEBUG    Init ldap with: ldap://ad25.example.com:389
> root        : DEBUG    Search LDAP server for IPA base DN
> root        : DEBUG    Check if naming context 'dc=example,dc=com' is for
> IPA
> root        : DEBUG    Naming context 'dc=example,dc=com' is a valid IPA
> context
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in
> dc=example,dc=com(sub)
> root        : DEBUG    Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=us',
> {'krbSubTrees': ['dc=example,dc=com'], 'cn': ['EXAMPLE.COM'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
> 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> 'krbMaxRenewableAge': ['604800']})]
> root        : DEBUG    will use domain: example.com
> 
> root        : DEBUG    will use server: ad25.example.com
> 
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> 
> Discovery was successful!
> root        : DEBUG    will use cli_realm: EXAMPLE.COM
> 
> root        : DEBUG    will use cli_basedn: dc=example,dc=com
> 
> Hostname: dp40.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ad25.example.com
> BaseDN: dc=example,dc=com
> 
> 
> Continue to configure the system with these values? [no]: yes
> root        : DEBUG    Backing up system configuration file '/etc/hostname'
> root        : DEBUG    Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    args=/bin/hostname dp40.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> User authorized to enroll computers: admin
> root        : DEBUG    will use principal: admin
> 
> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://ad25.example.com/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2014-07-29 01:00:29--
> http://ad25.example.com/ipa/config/ca.crt
> Resolving ad25.example.com (ad25.example.com)... 10.11.50.5
> Connecting to ad25.example.com (ad25.example.com)|10.11.50.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1295 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
> 
>      0K .                                                     100%  127M=0s
> 
> 2014-07-29 01:00:29 (127 MB/s) - `/etc/ipa/ca.crt' saved [1295/1295]
> 
> 
> Synchronizing time with KDC...
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
> 
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
> 
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
> 
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> root        : DEBUG    Writing Kerberos configuration to /tmp/tmpaGEtIp:
> #File modified by ipa-client-install
> 
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     kdc = ad25.example.com:88
>     admin_server = ad25.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
> 
> 
> Password for admin at EXAMPLE.COM:
> root        : DEBUG    args=kinit admin at EXAMPLE.COM
> root        : DEBUG    stdout=Password for admin at EXAMPLE.COM:
> 
> root        : DEBUG    stderr=
> 
> root        : DEBUG    args=/usr/sbin/ipa-join -s ad25.example.com -b
> dc=example,dc=com -d -h dp40.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=XML-RPC CALL:
> 
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>dp40.example.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>3.2.0-29-generic</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
> 
> XML-RPC RESPONSE:
> 
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> <value><string>fqdn=dp40.example.com
> ,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n
> <value><struct>\n
> <member>\n
> <name>dn</name>\n
> <value><string>fqdn=dp40.example.com
> ,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=EXAMPLE.COM</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>top</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>dp40.example.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>b086ab94-1678-11e4-991b-bc305bf33a5c</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/dp40.example.com at EXAMPLE.COM</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>dp40.example.com</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
> 
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=EXAMPLE.COM
> 
> Enrolled in IPA realm EXAMPLE.COM
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    Backing up system configuration file
> '/etc/ipa/default.conf'
> root        : DEBUG      -> Not backing up - '/etc/ipa/default.conf'
> doesn't exist
> Created /etc/ipa/default.conf
> root        : DEBUG    Backing up system configuration file
> '/etc/sssd/sssd.conf'
> root        : DEBUG    Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Domain example.com is already configured in existing SSSD config, creating
> a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during
> uninstall.
> root        : DEBUG    Domain example.com is already configured in existing
> SSSD config, creating a new one.
> Configured /etc/sssd/sssd.conf
> root        : DEBUG    args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA
> CA -t CT,C,C -a -i /etc/ipa/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    Backing up system configuration file '/etc/krb5.conf'
> root        : DEBUG    Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Writing Kerberos configuration to /etc/krb5.conf:
> #File modified by ipa-client-install
> 
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     kdc = ad25.example.com:88
>     admin_server = ad25.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
> 
> 
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> Warning: Hostname (dp40.example.com) not found in DNS
> root        : DEBUG    Writing nsupdate commands to
> /etc/ipa/.dns_update.txt:
> 
> zone example.com.
> update delete dp40.example.com. IN A
> send
> update add dp40.example.com. 1200 IN A 10.11.0.40
> send
> 
> root        : DEBUG    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
> dp40.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=kinit: Password incorrect while getting
> initial credentials
> 
> Failed to obtain host TGT.
> root        : DEBUG    args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=tkey query failed: GSSAPI error: Major =
> Unspecified GSS failure.  Minor code may provide more information, Minor =
> Credentials cache file '/etc/ipa/.dns_ccache' not found.
> 
> Failed to update DNS A record. (Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1)
> root        : DEBUG    args=/usr/sbin/service dbus start
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=start: Job is already running: dbus
> 
> root        : ERROR    dbus failed to start: Command '/usr/sbin/service
> dbus start ' returned non-zero exit status 1
> root        : DEBUG    args=/usr/sbin/service certmonger restart
> root        : DEBUG    stdout=certmonger stop/waiting
> certmonger start/running, process 293499
> 
> root        : DEBUG    stderr=
> root        : DEBUG    args=/usr/sbin/service certmonger stop
> root        : DEBUG    stdout=certmonger stop/waiting
> 
> root        : DEBUG    stderr=
> root        : DEBUG    args=/usr/sbin/service certmonger restart
> root        : DEBUG    stdout=certmonger start/running, process 293513
> 
> root        : DEBUG    stderr=stop: Unknown instance:
> 
> root        : DEBUG    args=/sbin/chkconfig certmonger on
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/sbin/insserv: No such file or directory
> 
> Failed to configure automatic startup of the certmonger daemon
> Automatic certificate management will not be available
> root        : ERROR    Failed to disable automatic startup of the
> certmonger daemon: Command '/sbin/chkconfig certmonger on' returned
> non-zero exit status 1
> root        : DEBUG    args=ipa-getcert request -d /etc/pki/nssdb -n IPA
> Machine Certificate - dp40.example.com -N CN=dp40.example.com,O=EXAMPLE.COM
> -K host/dp40.example.com at EXAMPLE.COM
> root        : DEBUG    stdout=New signing request "20140728170038" added.
> 
> root        : DEBUG    stderr=
> root        : DEBUG    args=/usr/sbin/service nscd status
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=nscd: unrecognized service
> 
> root        : DEBUG    Saving StateFile to
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    Saving StateFile to
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    Saving StateFile to
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth
> --enablemkhomedir --update --enablesssd
> Please do the corresponding changes manually and press Enter:
> SSSD enabled
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    args=getent passwd admin
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> Client configuration complete.
> 
> 
> ---
> 
> Obviously, the package is buggy, and it just copied configs from Red Hat
> that are not suitable for Ubuntu.
> 
> As for Ubuntu 10.04, I googled a lot, but found far less info about it.
> Basically, the documentation for 10.04 and 12.04 is really, really rare; I
> haven't found any good cases where they run smoothly.
> 
> I have read through the official documentation, and there only exists some
> info about installing ipa-client manually, which is still for Red Hat-based
> distributions, not Debian-based. Although no matter which distribution, the
> theory behind them is the same. One of the main purposes of FreeIPA, I think,
> is to make IdM easier to use and maintain, especially when it involves
> lots of complicated components that normal users don't want to cover:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
> 
> Besides Ubuntu, we have hundreds of Red Hat clients which run quite well and
> don't have many problems during the whole process, but Ubuntu is big
> trouble for us; we still have more than 200 hundreds of them running in
> our production environment, and we still want to let them join our
> FreeIPA domain so we can manage our accounts more efficiently.
> 
> So, can anybody help me debug the above error on Ubuntu 12.04, and give any
> suggestion or good reference for the Ubuntu distribution?
> Thank you.

CCing Timo who is working on the Ubuntu port, I am sure he will be able to
provide some help.

HTH,
Martin
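A small triage script for the `ipa-client-install --debug` log format quoted above, added here as an example and not part of this thread or of FreeIPA. It pairs each `args=` line with the `stdout=`/`stderr=` lines that follow it and flags the steps whose output matches a symptom visible in the quoted log; the sample log is a constructed excerpt of that output, and the symptom table and its explanations are assumptions drawn from it.

```python
"""Pair commands with their output in ipa-client-install --debug logs and flag failures."""
import re

# Constructed excerpt in the shape of the debug log quoted in the thread.
SAMPLE_LOG = """\
root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
root        : DEBUG    stdout=
root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] server ...
Unable to sync time with IPA NTP server, assuming the time is in sync.
root        : DEBUG    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/dp40.example.com
root        : DEBUG    stdout=
root        : DEBUG    stderr=kinit: Password incorrect while getting initial credentials
Failed to obtain host TGT.
root        : DEBUG    args=/sbin/chkconfig certmonger on
root        : DEBUG    stdout=
root        : DEBUG    stderr=/sbin/insserv: No such file or directory
root        : DEBUG    args=getent passwd admin
root        : DEBUG    stdout=
root        : DEBUG    stderr=
"""

# One debug line: "root        : DEBUG    args=..." / "stdout=..." / "stderr=...".
PREFIX = re.compile(r"^root\s*:\s*DEBUG\s+(args|stdout|stderr)=(.*)$")

# Symptoms seen in the quoted log (assumed explanations, stated as symptoms only).
SYMPTOMS = [
    (r"ntpdate: unknown option -U", "ntpdate on this system rejects -U; time was not synced with the KDC"),
    (r"kinit: Password incorrect", "host principal could not obtain a TGT from /etc/krb5.keytab"),
    (r"insserv: No such file", "chkconfig/insserv missing; certmonger autostart was not configured"),
]


def parse_steps(log):
    """Group the log into dicts of args/stdout/stderr; non-prefixed lines are
    treated as continuation of the field most recently opened."""
    steps, cur, field = [], None, None
    for line in log.splitlines():
        m = PREFIX.match(line)
        if m:
            field, text = m.groups()
            if field == "args":
                cur = {"args": text, "stdout": "", "stderr": ""}
                steps.append(cur)
            elif cur is not None:
                cur[field] = text
        elif cur is not None and field in ("stdout", "stderr"):
            cur[field] += "\n" + line
    return steps


def triage(log):
    """Return (command, reason) for each step whose output signals a failure."""
    findings = []
    for s in parse_steps(log):
        reason = next((why for pat, why in SYMPTOMS if re.search(pat, s["stderr"])), None)
        if reason is None and s["args"].startswith("getent passwd") and not s["stdout"].strip():
            reason = "getent returned no entry; NSS/SSSD is not resolving the IPA user"
        if reason:
            findings.append((s["args"], reason))
    return findings


if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_LOG):
        print(f"{cmd}\n    -> {why}")
```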