[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

Martin Basti mbasti at redhat.com
Mon Feb 2 15:07:11 UTC 2015


On 02/02/15 14:13, Gerardo Cuppari wrote:
> Hello! I am trying to enroll one host to my IPA server (4.1.2) and I 
> am having one problem: the ipa-client-install script keeps giving me 
> errors at the "forwarding ping to json server" step.
>
> My configuration is:
> - server.estudio.local / 192.168.56.2 / Fedora Server 21 / ipa 4.1.2
> - pc01.estudio.local / 192.168.56.106 / Fedora Works. 21
>
> Both have firewalld down (just to test) and can reach each other. I've 
> been trying to get this working without success (solved other minor 
> issues) and so I'm asking for your help.
> The only way I can make it work is by adding the --force switch to 
> ipa-client-install script but, that way, it just disregards errors.
>
> Thanks in advance!!!
>
> Here are my tests:
>
> SERVER
> ======
> [root at server ~]# ipa ping
> -------------------------------------------
> IPA server version 4.1.2. API version 2.109
> -------------------------------------------
>
> CLIENT
> ======
> [root at pc01 ~]# dig server
>
> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;server.          IN      A
>
> ;; Query time: 10 msec
> ;; SERVER: 192.168.56.2#53(192.168.56.2)
> ;; WHEN: lun feb 02 09:51:07 ART 2015
> ;; MSG SIZE  rcvd: 35
>
> ***********************************************
>
> [root at pc01 ~]# nslookup server
> Server:         192.168.56.2
> Address:        192.168.56.2#53
>
> Name:   server.estudio.local
> Address: 192.168.56.2
>
> ***********************************************
>
> Here I disable chronyd so I can run the script without NTP sync errors:
>
> [root at pc01 ~]# systemctl disable chronyd
> Removed symlink 
> /etc/systemd/system/multi-user.target.wants/chronyd.service.
> [root at pc01 ~]# service chronyd stop
> Redirecting to /bin/systemctl stop  chronyd.service
>
> ***********************************************
>
> Without having "server.estudio.local" on /etc/hosts file:
>
> [root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir 
> --ssh-trust-dns
> Skip server.estudio.local: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com 
> <http://ipa.example.com>): server.estudio.local
> Skip server.estudio.local: cannot verify if this is an IPA server
> Failed to verify that server.estudio.local is an IPA Server.
> This may mean that the remote server is not up or is not reachable due 
> to network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working 
> properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> ***********************************************
>
> Here I added hostname and IP address to /etc/hosts file (don't know 
> why it doesn't work without it):
>
> [root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir 
> --ssh-trust-dns
> Discovery was successful!
> Hostname: pc01.estudio.local
> Realm: ESTUDIO.LOCAL
> DNS Domain: estudio.local
> IPA Server: server.estudio.local
> BaseDN: dc=estudio,dc=local
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> User authorized to enroll computers: admin
> Password for admin at ESTUDIO.LOCAL:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=ESTUDIO.LOCAL
>     Issuer:      CN=Certificate Authority,O=ESTUDIO.LOCAL
>     Valid From:  Fri Jan 30 12:02:01 2015 UTC
>     Valid Until: Tue Jan 30 12:02:01 2035 UTC
>
> Enrolled in IPA realm ESTUDIO.LOCAL
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
> trying https://server.estudio.local/ipa/json
> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
> Cannot connect to the server due to Kerberos error: Kerberos error: 
> ('Unspecified GSS failure.  Minor code may provide more information', 
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", 
> -1765328228). Trying with delegate=True
> trying https://server.estudio.local/ipa/json
> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
> Second connect with delegate=True also failed: Kerberos error: 
> ('Unspecified GSS failure.  Minor code may provide more information', 
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
> Cannot connect to the IPA server RPC interface: Kerberos error: 
> ('Unspecified GSS failure.  Minor code may provide more information', 
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255
> Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el 
> fichero o el directorio: '/etc/ipa/nssdb/cert8.db'
> Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el 
> fichero o el directorio: '/etc/ipa/nssdb/key3.db'
> Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el 
> fichero o el directorio: '/etc/ipa/nssdb/secmod.db'
> Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el 
> fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm: 
> host/domain name not found.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
> ***********************************************
>
>
>
Hello

dig returns SERVFAIL; it may be the issue.

Can you please check /etc/named.conf on the server, whether there is 
dnssec-validation true?
If yes, please set dnssec-validation to no, because you use the domain 
name .local; it may cause trouble.

If the trouble persists, please send the journalctl -u named-pkcs11 log.

Martin^2

-- 
Martin Basti
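An added diagnostic script (not part of this thread or of FreeIPA) that checks the hypothesis above: if the resolver answers SERVFAIL to a normal query but NOERROR to the same query sent with dig's +cd (checking disabled) flag, the failure comes from the resolver's own DNSSEC validation, which is what a validating BIND does for a private zone such as .local. The sample dig headers and the named.conf fragment are constructed for the test; `run_dig` is a hypothetical helper for use on a real client.

```python
import re
import subprocess
from typing import Optional

# Constructed sample: the SERVFAIL header from the original post.
SERVFAIL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample: the same query with +cd when only validation is at fault.
CD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29287
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

def dig_status(output: str) -> str:
    """Return the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig's header line."""
    m = re.search(r"status: ([A-Z]+)", output)
    return m.group(1) if m else "UNKNOWN"

def diagnose(normal: str, checking_disabled: str) -> str:
    """Compare a normal query with the same query sent with +cd.

    SERVFAIL that becomes NOERROR once validation is bypassed means the
    resolver is failing DNSSEC validation (a private .local zone has no
    chain of trust); SERVFAIL in both cases is a zone or recursion problem
    and the named log is the next place to look."""
    a, b = dig_status(normal), dig_status(checking_disabled)
    if a == "SERVFAIL" and b == "NOERROR":
        return "dnssec-validation"
    if a == "SERVFAIL":
        return "servfail-other"
    return "ok" if a == "NOERROR" else a.lower()

def named_dnssec_validation(conf: str) -> Optional[str]:
    """Extract the dnssec-validation value from named.conf text (None if unset).
    Commented-out lines (starting with // or #) are not matched."""
    m = re.search(r"^\s*dnssec-validation\s+(\S+?)\s*;", conf, re.M)
    return m.group(1) if m else None

def run_dig(name: str, server: str, checking_disabled: bool = False) -> str:
    """Hypothetical helper: run dig against one resolver, optionally with +cd."""
    args = ["dig", "@" + server, name] + (["+cd"] if checking_disabled else [])
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    # On a real client: diagnose(run_dig(n, s), run_dig(n, s, True))
    print(diagnose(SERVFAIL_OUTPUT, CD_OUTPUT))  # dnssec-validation
```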
