[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

Gerardo Cuppari gcuppari at gmail.com
Mon Feb 2 13:13:02 UTC 2015


Hello! I am trying to enroll one host to my IPA server (4.1.2) and I am
having one problem: the ipa-client-install script keeps giving me errors at
the "forwarding ping to json server" step.

My configuration is:
- server.estudio.local 192.168.56.2 Fedora Server 21 ipa 4.1.2
- pc01.estudio.local 192.168.56.106 Fedora Works. 21

Both have firewalld down (just to test) and can reach each other. I've been
trying to get this working without success (solved other minor issues) and
so I'm asking for your help.
The only way I can make it work is by adding the --force switch to
ipa-client-install script but, that way, it just disregards errors.

Thanks in advance!!!

Here are my tests:

SERVER
======
[root at server ~]# ipa ping
-------------------------------------------
IPA server version 4.1.2. API version 2.109
-------------------------------------------

CLIENT
======
[root at pc01 ~]# dig server

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.                                IN      A

;; Query time: 10 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 09:51:07 ART 2015
;; MSG SIZE  rcvd: 35

***********************************************

[root at pc01 ~]# nslookup server
Server:         192.168.56.2
Address:        192.168.56.2#53

Name:   server.estudio.local
Address: 192.168.56.2

***********************************************

Here I disable chronyd so I can run the script without NTP sync errors:

[root at pc01 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root at pc01 ~]# service chronyd stop
Redirecting to /bin/systemctl stop  chronyd.service

***********************************************

Without having "server.estudio.local" in the /etc/hosts file:

[root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
--ssh-trust-dns
Skip server.estudio.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): server.estudio.local
Skip server.estudio.local: cannot verify if this is an IPA server
Failed to verify that server.estudio.local is an IPA Server.
This may mean that the remote server is not up or is not reachable due to
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


***********************************************

Here I added the hostname and IP address to the /etc/hosts file (I don't know
why it doesn't work without it):

[root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
--ssh-trust-dns
Discovery was successful!
Hostname: pc01.estudio.local
Realm: ESTUDIO.LOCAL
DNS Domain: estudio.local
IPA Server: server.estudio.local
BaseDN: dc=estudio,dc=local

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: admin
Password for admin at ESTUDIO.LOCAL:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ESTUDIO.LOCAL
    Issuer:      CN=Certificate Authority,O=ESTUDIO.LOCAL
    Valid From:  Fri Jan 30 12:02:01 2015 UTC
    Valid Until: Tue Jan 30 12:02:01 2035 UTC

Enrolled in IPA realm ESTUDIO.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
Cannot connect to the server due to Kerberos error: Kerberos error:
('Unspecified GSS failure.  Minor code may provide more information',
851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228).
Trying with delegate=True
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
Second connect with delegate=True also failed: Kerberos error:
('Unspecified GSS failure.  Minor code may provide more information',
851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
Cannot connect to the IPA server RPC interface: Kerberos error:
('Unspecified GSS failure.  Minor code may provide more information',
851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el fichero o
el directorio: '/etc/ipa/nssdb/cert8.db'
Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el fichero o
el directorio: '/etc/ipa/nssdb/key3.db'
Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el fichero o
el directorio: '/etc/ipa/nssdb/secmod.db'
Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el fichero
o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: host/domain
name not found.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

***********************************************
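The installer output above names the two things a client needs before enrollment can succeed: a way to locate the KDC and LDAP server (the "Cannot contact any KDC for realm" error) and reachable TCP ports 80, 88, 389 and 464. The script below is an added preflight checker, not FreeIPA project code and not part of the original post. It assumes `dig` is installed on the client and that the domain publishes the standard FreeIPA SRV names `_kerberos._udp`, `_kerberos._tcp` and `_ldap._tcp`; the lookup and connect steps are injectable so the logic runs offline against constructed data, and `demo_offline()` uses such constructed data (no real lookups).

```python
"""Preflight checks to run on a client before ipa-client-install.

Added example, not FreeIPA code. Assumes `dig` is installed and that the IPA
domain publishes the standard _kerberos/_ldap SRV records.
"""
import re
import socket
import subprocess
from typing import Callable, Dict, List, Tuple

# Ports the installer output lists as required during enrollment ...
ENROLL_TCP_PORTS = (80, 88, 389)
# ... and as required after enrollment (kpasswd).
POST_ENROLL_TCP_PORTS = (464,)

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target


def parse_dig_status(dig_output: str) -> str:
    """Return the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from full dig output.

    Note: dig queries the literal name unless +search is given, whereas
    nslookup applies the resolver search list; that is why 'dig server' and
    'nslookup server' can disagree on a short hostname.
    """
    match = re.search(r"->>HEADER<<-.*?status: (\w+)", dig_output)
    return match.group(1) if match else "UNKNOWN"


def parse_dig_short_srv(dig_short_output: str) -> List[SrvRecord]:
    """Parse `dig +short SRV` lines of the form 'priority weight port target.'."""
    records: List[SrvRecord] = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # skip blank lines, comments and dig warnings
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records)


def dig_short_srv(name: str) -> str:
    """Run `dig +short SRV <name>` and return its stdout (assumes dig is installed)."""
    proc = subprocess.run(["dig", "+short", "SRV", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def check_srv_records(domain: str,
                      lookup: Callable[[str], str] = dig_short_srv) -> Dict[str, List[SrvRecord]]:
    """Look up the SRV records FreeIPA publishes for a domain.

    An empty result for both _kerberos names is the usual reason a client
    reports "Cannot contact any KDC for realm".
    """
    names = [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}", f"_ldap._tcp.{domain}"]
    return {name: parse_dig_short_srv(lookup(name)) for name in names}


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports, connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Map each port to whether a TCP connection to it succeeded."""
    return {port: connect(host, port) for port in ports}


def preflight(server: str, domain: str, lookup=dig_short_srv, connect=tcp_connect) -> List[str]:
    """Return human-readable problems; an empty list means all checks passed."""
    problems: List[str] = []
    srv = check_srv_records(domain, lookup)
    if not srv[f"_kerberos._udp.{domain}"] and not srv[f"_kerberos._tcp.{domain}"]:
        problems.append(f"no _kerberos SRV record for {domain}: clients cannot locate a KDC")
    if not srv[f"_ldap._tcp.{domain}"]:
        problems.append(f"no _ldap._tcp SRV record for {domain}: server discovery will fail")
    for port, ok in check_ports(server, ENROLL_TCP_PORTS + POST_ENROLL_TCP_PORTS, connect).items():
        if not ok:
            problems.append(f"TCP port {port} on {server} is not reachable")
    return problems


# Constructed sample data (not captured from a real server): LDAP SRV present,
# no Kerberos SRV records, and TCP 88 blocked.
SAMPLE_SRV = {"_ldap._tcp.estudio.local": "0 100 389 server.estudio.local.\n"}


def demo_offline() -> List[str]:
    """Run preflight against the constructed sample data above."""
    return preflight("server.estudio.local", "estudio.local",
                     lookup=lambda name: SAMPLE_SRV.get(name, ""),
                     connect=lambda host, port: port != 88)


if __name__ == "__main__":
    # Real run against the names from the post; swap in your own server/domain.
    for problem in preflight("server.estudio.local", "estudio.local"):
        print("PROBLEM:", problem)
```

Run it on the client before `ipa-client-install`; any reported problem (missing SRV records, a blocked port) is a reason the installer will fail at the JSON ping step, and fixing it beats adding `--force`, which only hides the error.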