[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

Gerardo Cuppari gcuppari at gmail.com
Mon Feb 2 15:34:43 UTC 2015


Hi Martin, thanks for your replies!

Please, don't tell me I am getting all these errors because of the ".local"
domain! If so, I will surely kill someone haha

I checked /etc/named.conf and changed dnssec-validation to "no", and here is
what you requested:

[root at pc01 ~]# dig server.estudio.local

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local.          IN      A

;; ANSWER SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2

;; AUTHORITY SECTION:
estudio.local.          86400   IN      NS      server.estudio.local.

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:29:17 ART 2015
;; MSG SIZE  rcvd: 79

******************************************

[root at pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr
2.56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN     PTR     server.estudio.local.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 86400  IN      NS      server.estudio.local.

;; ADDITIONAL SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:34:27 ART 2015
;; MSG SIZE  rcvd: 118


2015-02-02 12:17 GMT-03:00 Martin Basti <mbasti at redhat.com>:

>  On 02/02/15 16:07, Martin Basti wrote:
>
> On 02/02/15 14:13, Gerardo Cuppari wrote:
>
>  Hello! I am trying to enroll one host to my IPA server (4.1.2) and I am
> having one problem: the ipa-client-install script keeps giving me errors at
> the "forwarding ping to json server" step.
>
>  My configuration is:
>  - server.estudio.local 192.168.56.2 Fedora Server 21 ipa 4.1.2
>  - pc01.estudio.local 192.168.56.106 Fedora Works. 21
>
>  Both have firewalld down (just to test) and can reach each other. I've
> been trying to get this working without success (solved other minor issues)
> and so I'm asking for your help.
> The only way I can make it work is by adding the --force switch to
> ipa-client-install script but, that way, it just disregards errors.
>
>  Thanks in advance!!!
>
>  Here are my tests:
>
>  SERVER
> ======
> [root at server ~]# ipa ping
> -------------------------------------------
> IPA server version 4.1.2. API version 2.109
> -------------------------------------------
>
>  CLIENT
> ======
>  [root at pc01 ~]# dig server
>
>  ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>  ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;server.                                IN      A
>
>  ;; Query time: 10 msec
> ;; SERVER: 192.168.56.2#53(192.168.56.2)
> ;; WHEN: lun feb 02 09:51:07 ART 2015
> ;; MSG SIZE  rcvd: 35
>
>  ***********************************************
>
>  [root at pc01 ~]# nslookup server
> Server:         192.168.56.2
> Address:        192.168.56.2#53
>
>  Name:   server.estudio.local
> Address: 192.168.56.2
>
>  ***********************************************
>
>  Here I disable chronyd so I can run the script without NTP sync errors:
>
>  [root at pc01 ~]# systemctl disable chronyd
> Removed symlink
> /etc/systemd/system/multi-user.target.wants/chronyd.service.
> [root at pc01 ~]# service chronyd stop
> Redirecting to /bin/systemctl stop  chronyd.service
>
>  ***********************************************
>
>  Without having "server.estudio.local" on /etc/hosts file:
>
>  [root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
> --ssh-trust-dns
> Skip server.estudio.local: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com):
>  Skip server.estudio.local: cannot verify if this is an IPA server
> Failed to verify that server.estudio.local is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
>  ***********************************************
>
>  Here I added hostname and IP address to /etc/hosts file (don't know why
> it doesn't work without it):
>
>  [root at pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
> --ssh-trust-dns
> Discovery was successful!
> Hostname: pc01.estudio.local
> Realm: ESTUDIO.LOCAL
> DNS Domain: estudio.local
> IPA Server: server.estudio.local
> BaseDN: dc=estudio,dc=local
>
>  Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> User authorized to enroll computers: admin
> Password for admin at ESTUDIO.LOCAL:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=ESTUDIO.LOCAL
>     Issuer:      CN=Certificate Authority,O=ESTUDIO.LOCAL
>     Valid From:  Fri Jan 30 12:02:01 2015 UTC
>     Valid Until: Tue Jan 30 12:02:01 2035 UTC
>
>  Enrolled in IPA realm ESTUDIO.LOCAL
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
> trying https://server.estudio.local/ipa/json
> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
> Cannot connect to the server due to Kerberos error: Kerberos error:
> ('Unspecified GSS failure.  Minor code may provide more information',
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228).
> Trying with delegate=True
> trying https://server.estudio.local/ipa/json
> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
> Second connect with delegate=True also failed: Kerberos error:
> ('Unspecified GSS failure.  Minor code may provide more information',
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
> Cannot connect to the IPA server RPC interface: Kerberos error:
> ('Unspecified GSS failure.  Minor code may provide more information',
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
> Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el fichero o
> el directorio: '/etc/ipa/nssdb/cert8.db'
> Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el fichero o
> el directorio: '/etc/ipa/nssdb/key3.db'
> Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el fichero
> o el directorio: '/etc/ipa/nssdb/secmod.db'
> Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el
> fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm: host/domain
> name not found.
>
>  Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
>  ***********************************************
>
>
>
>  Hello
>
> dig returns SERVFAIL, it may be an issue.
>
>
> You used dig with the wrong name; could you please use dig server.estudio.local and
> send the result?
>
>
> Can you please check /etc/named.conf on the server to see if there is
> dnssec-validation true?
> If yes, please set dnssec-validation to no, because you use the domain
> name .local; it may cause troubles.
>
> If troubles persist, please send journalctl -u named-pkcs11 log.
>
> Martin^2
>
> --
> Martin Basti
>
>
>
>
>
> --
> Martin Basti
>
>
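As an added illustration (not code from this thread or from FreeIPA), a small Python check that applies the two diagnostics Martin asked for to captured dig output and a named.conf snippet: it flags a short-name query, a non-NOERROR status, a non-authoritative answer, and dnssec-validation left on. The dig and named.conf samples are constructed from the outputs quoted above.

```python
import re

# Constructed samples, modelled on the dig output and named.conf from the thread.
DIG_SHORT_NAME = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;server.                                IN      A
"""
DIG_FQDN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;server.estudio.local.          IN      A
;; ANSWER SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2
"""
NAMED_CONF_BAD = "options {\n    dnssec-validation yes;\n};\n"
NAMED_CONF_OK = "options {\n    dnssec-validation no;\n};\n"

def parse_dig(text):
    """Pull status, header flags, queried name and A answers out of dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([\w ]*);", text).group(1).split()
    qname = re.search(r"^;(\S+)\s+IN\s+\w+", text, re.M).group(1)
    answers = re.findall(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)", text, re.M)
    return {"status": status, "flags": flags, "qname": qname, "answers": answers}

def dnssec_validation(named_conf):
    """Return the dnssec-validation value from named.conf, or None if unset."""
    m = re.search(r"dnssec-validation\s+(\S+?)\s*;", named_conf)
    return m.group(1) if m else None

def diagnose(dig_text, named_conf):
    """List the problems a pre-enrollment DNS check should flag."""
    d = parse_dig(dig_text)
    problems = []
    # "server." carries one dot: dig does not use the resolv.conf search list by
    # default, so a short-name query is not the same test as nslookup's lookup.
    if d["qname"].count(".") < 2:
        problems.append("short name queried; repeat the query with the FQDN")
    if d["status"] != "NOERROR":
        problems.append("status %s from the IPA DNS server" % d["status"])
        if dnssec_validation(named_conf) in ("yes", "true", "on", "auto"):
            problems.append("dnssec-validation is on; set it to no for a .local zone")
    elif "aa" not in d["flags"]:
        problems.append("answer is not authoritative (no aa flag)")
    return problems
```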