[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)
Martin Basti
mbasti at redhat.com
Wed Feb 4 08:52:09 UTC 2015
Hello,
Well, it depends on what exactly you did and what helped. I see Alexander
gave you some hints about mDNS.
If it was a DNSSEC error, you should see validation error messages in
journalctl -u named-pkcs11 from before you disabled DNSSEC validation.
Martin^2
On 02/02/15 16:34, Gerardo Cuppari wrote:
> Hi Martin, thanks for your replies!
>
> Please, don't tell me I am getting all these errors because of the
> ".local" domain! If so, I will surely kill someone haha
>
> I checked /etc/named.conf and changed dnssec-validation to "no", and
> here is what you requested:
>
> [root at pc01 ~]# dig server.estudio.local
>
> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;server.estudio.local. IN A
>
> ;; ANSWER SECTION:
> server.estudio.local. 1200 IN A 192.168.56.2
>
> ;; AUTHORITY SECTION:
> estudio.local. 86400 IN NS server.estudio.local.
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.56.2#53(192.168.56.2)
> ;; WHEN: lun feb 02 12:29:17 ART 2015
> ;; MSG SIZE rcvd: 79
>
> ******************************************
>
> [root at pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa
>
> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr
> 2.56.168.192.in-addr.arpa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;2.56.168.192.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 2.56.168.192.in-addr.arpa. 86400 IN PTR server.estudio.local.
>
> ;; AUTHORITY SECTION:
> 56.168.192.in-addr.arpa. 86400 IN NS server.estudio.local.
>
> ;; ADDITIONAL SECTION:
> server.estudio.local. 1200 IN A 192.168.56.2
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.56.2#53(192.168.56.2)
> ;; WHEN: lun feb 02 12:34:27 ART 2015
> ;; MSG SIZE rcvd: 118
>
>
> 2015-02-02 12:17 GMT-03:00 Martin Basti <mbasti at redhat.com>:
>
> On 02/02/15 16:07, Martin Basti wrote:
>> On 02/02/15 14:13, Gerardo Cuppari wrote:
>>> Hello! I am trying to enroll one host to my IPA server (4.1.2)
>>> and I am having one problem: the ipa-client-install script keeps
>>> giving me errors at the "forwarding ping to json server" step.
>>>
>>> My configuration is:
>>> - server.estudio.local   192.168.56.2     Fedora Server 21        ipa 4.1.2
>>> - pc01.estudio.local     192.168.56.106   Fedora Workstation 21
>>>
>>> Both have firewalld down (just to test) and can reach each
>>> other. I've been trying to get this working without success
>>> (solved other minor issues) and so I'm asking for your help.
>>> The only way I can make it work is by adding the --force switch
>>> to ipa-client-install script but, that way, it just disregards
>>> errors.
>>>
>>> Thanks in advance!!!
>>>
>>> Here are my tests:
>>>
>>> SERVER
>>> ======
>>> [root at server ~]# ipa ping
>>> -------------------------------------------
>>> IPA server version 4.1.2. API version 2.109
>>> -------------------------------------------
>>>
>>> CLIENT
>>> ======
>>> [root at pc01 ~]# dig server
>>>
>>> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;server. IN A
>>>
>>> ;; Query time: 10 msec
>>> ;; SERVER: 192.168.56.2#53(192.168.56.2)
>>> ;; WHEN: lun feb 02 09:51:07 ART 2015
>>> ;; MSG SIZE rcvd: 35
>>>
>>> ***********************************************
>>>
>>> [root at pc01 ~]# nslookup server
>>> Server: 192.168.56.2
>>> Address: 192.168.56.2#53
>>>
>>> Name: server.estudio.local
>>> Address: 192.168.56.2
>>>
>>> ***********************************************
>>>
>>> Here I disable chronyd so I can run the script without NTP sync
>>> errors:
>>>
>>> [root at pc01 ~]# systemctl disable chronyd
>>> Removed symlink
>>> /etc/systemd/system/multi-user.target.wants/chronyd.service.
>>> [root at pc01 ~]# service chronyd stop
>>> Redirecting to /bin/systemctl stop chronyd.service
>>>
>>> ***********************************************
>>>
>>> Without having "server.estudio.local" on /etc/hosts file:
>>>
>>> [root at pc01 ~]# ipa-client-install --enable-dns-updates
>>> --mkhomedir --ssh-trust-dns
>>> Skip server.estudio.local: cannot verify if this is an IPA server
>>> Provide your IPA server name (ex: ipa.example.com):
>>> Skip server.estudio.local: cannot verify if this is an IPA server
>>> Failed to verify that server.estudio.local is an IPA Server.
>>> This may mean that the remote server is not up or is not
>>> reachable due to network or firewall settings.
>>> Please make sure the following ports are opened in the firewall
>>> settings:
>>> TCP: 80, 88, 389
>>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>> Also note that following ports are necessary for ipa-client
>>> working properly after enrollment:
>>> TCP: 464
>>> UDP: 464, 123 (if NTP enabled)
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>>
>>> ***********************************************
>>>
>>> Here I added the hostname and IP address to the /etc/hosts file (I don't
>>> know why it doesn't work without it):
>>>
>>> [root at pc01 ~]# ipa-client-install --enable-dns-updates
>>> --mkhomedir --ssh-trust-dns
>>> Discovery was successful!
>>> Hostname: pc01.estudio.local
>>> Realm: ESTUDIO.LOCAL
>>> DNS Domain: estudio.local
>>> IPA Server: server.estudio.local
>>> BaseDN: dc=estudio,dc=local
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> Synchronizing time with KDC...
>>> User authorized to enroll computers: admin
>>> Password for admin at ESTUDIO.LOCAL:
>>> Successfully retrieved CA cert
>>> Subject: CN=Certificate Authority,O=ESTUDIO.LOCAL
>>> Issuer: CN=Certificate Authority,O=ESTUDIO.LOCAL
>>> Valid From: Fri Jan 30 12:02:01 2015 UTC
>>> Valid Until: Tue Jan 30 12:02:01 2035 UTC
>>>
>>> Enrolled in IPA realm ESTUDIO.LOCAL
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
>>> trying https://server.estudio.local/ipa/json
>>> Forwarding 'ping' to json server
>>> 'https://server.estudio.local/ipa/json'
>>> Cannot connect to the server due to Kerberos error: Kerberos
>>> error: ('Unspecified GSS failure. Minor code may provide more
>>> information', 851968)/("Cannot contact any KDC for realm
>>> 'ESTUDIO.LOCAL'", -1765328228). Trying with delegate=True
>>> trying https://server.estudio.local/ipa/json
>>> Forwarding 'ping' to json server
>>> 'https://server.estudio.local/ipa/json'
>>> Second connect with delegate=True also failed: Kerberos error:
>>> ('Unspecified GSS failure. Minor code may provide more
>>> information', 851968)/("Cannot contact any KDC for realm
>>> 'ESTUDIO.LOCAL'", -1765328228)
>>> Cannot connect to the IPA server RPC interface: Kerberos error:
>>> ('Unspecified GSS failure. Minor code may provide more
>>> information', 851968)/("Cannot contact any KDC for realm
>>> 'ESTUDIO.LOCAL'", -1765328228)
>>> Installation failed. Rolling back changes.
>>> Failed to list certificates in /etc/ipa/nssdb: Command
>>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned
>>> non-zero exit status 255
>>> Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No such file
>>> or directory: '/etc/ipa/nssdb/cert8.db'
>>> Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No such file
>>> or directory: '/etc/ipa/nssdb/key3.db'
>>> Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No such file
>>> or directory: '/etc/ipa/nssdb/secmod.db'
>>> Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No such file
>>> or directory: '/etc/ipa/nssdb/pwdfile.txt'
>>> Unenrolling client from IPA server
>>> Unenrolling host failed: Error getting default Kerberos realm:
>>> host/domain name not found.
>>>
>>> Removing Kerberos service principals from /etc/krb5.keytab
>>> Disabling client Kerberos and LDAP configurations
>>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
>>> to /etc/sssd/sssd.conf.deleted
>>> Restoring client configuration files
>>> nscd daemon is not installed, skip configuration
>>> nslcd daemon is not installed, skip configuration
>>> Client uninstall complete.
>>>
>>> ***********************************************
>>>
>>>
>>>
>> Hello
>>
>> dig returns SERVFAIL; that may be the issue.
>
> You used dig with the wrong name. Please use dig server.estudio.local
> and send the result.
>
>>
>> Can you please check /etc/named.conf on the server to see whether it has
>> dnssec-validation true?
>> If yes, please set dnssec-validation to no, because you use the
>> domain name .local; it may cause trouble.
>>
>> If troubles persist, please send journalctl -u named-pkcs11 log.
>>
>> Martin^2
>>
>> --
>> Martin Basti
> --
> Martin Basti
--
Martin Basti
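The thread turns on three things that the dig captures above make visible: a SERVFAIL from the resolver (which is what a DNSSEC validation failure looks like to the client), a query for the short name "server" instead of the FQDN, and whether the A record and the PTR record agree with each other. The following is an added example, not code from the thread or from FreeIPA: it parses dig's human-readable output and reports those conditions. The sample answers are constructed from the values the poster reported (server.estudio.local, 192.168.56.2); the function and variable names are this example's own.

```python
"""Offline sanity checks on dig output for FreeIPA client discovery.

Added example, not the thread's or FreeIPA's code. Parses the text that
`dig` prints and flags: a non-NOERROR status, an unqualified query name,
and a forward/reverse (A/PTR) pair that does not agree. Sample data below
is constructed from the captures in the thread.
"""
import re
from dataclasses import dataclass


@dataclass
class DigAnswer:
    qname: str      # question name, with the trailing dot as dig prints it
    qtype: str      # A, PTR, ...
    status: str     # NOERROR, SERVFAIL, NXDOMAIN, ...
    records: list   # (section, name, ttl, class, type, rdata)


_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def parse_dig(text: str) -> DigAnswer:
    """Parse dig's human-readable output into a DigAnswer."""
    status, qname, qtype, section, records = "UNKNOWN", "", "", None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;"):
            if line.startswith(";; ->>HEADER<<-"):
                m = _STATUS_RE.search(line)
                if m:
                    status = m.group(1)
            elif line.endswith("SECTION:"):
                section = line.split()[1]   # QUESTION, ANSWER, AUTHORITY, ADDITIONAL, OPT
            else:
                section = None              # flags / Query time / SERVER / WHEN / MSG SIZE
        elif line.startswith(";"):
            if section == "QUESTION":       # e.g. ";server.estudio.local. IN A"
                parts = line[1:].split()
                if len(parts) >= 3:
                    qname, qtype = parts[0], parts[-1]
        elif section in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
            parts = line.split()            # name ttl class type rdata...
            if len(parts) >= 5:
                records.append((section, parts[0], int(parts[1]), parts[2],
                                parts[3], " ".join(parts[4:])))
    return DigAnswer(qname, qtype, status, records)


def reverse_name(ip: str) -> str:
    """192.168.56.2 -> 2.56.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_discovery(forward: DigAnswer, reverse: DigAnswer, server_ip: str) -> list:
    """Return a list of findings; an empty list means the A/PTR pair is consistent."""
    findings = []
    for ans in (forward, reverse):
        if ans.status != "NOERROR":
            findings.append(f"{ans.qtype} {ans.qname}: status {ans.status} "
                            "(check the resolver's logs; a DNSSEC validation "
                            "failure is returned to the client as SERVFAIL)")
    bare = forward.qname.rstrip(".")
    if "." not in bare:
        findings.append(f"{bare!r} is not fully qualified; query the FQDN instead")
    if reverse.qname != reverse_name(server_ip):
        findings.append(f"PTR query {reverse.qname} does not correspond to {server_ip}")
    a_rdata = {r[5] for r in forward.records if r[0] == "ANSWER" and r[4] == "A"}
    ptr_rdata = {r[5] for r in reverse.records if r[0] == "ANSWER" and r[4] == "PTR"}
    if forward.status == "NOERROR" and server_ip not in a_rdata:
        findings.append(f"A record(s) {sorted(a_rdata)} do not include {server_ip}")
    if reverse.status == "NOERROR" and forward.qname not in ptr_rdata:
        findings.append(f"PTR {sorted(ptr_rdata)} does not point back to {forward.qname}")
    return findings


# Constructed sample input, trimmed from the captures in the thread.
FORWARD_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local. IN A
;; ANSWER SECTION:
server.estudio.local. 1200 IN A 192.168.56.2
;; AUTHORITY SECTION:
estudio.local. 86400 IN NS server.estudio.local.
;; Query time: 0 msec
"""
REVERSE_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN PTR server.estudio.local.
;; ADDITIONAL SECTION:
server.estudio.local. 1200 IN A 192.168.56.2
;; Query time: 0 msec
"""
FORWARD_SHORT = """
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; QUESTION SECTION:
;server. IN A
;; Query time: 10 msec
"""

if __name__ == "__main__":
    print(check_discovery(parse_dig(FORWARD_OK), parse_dig(REVERSE_OK), "192.168.56.2"))
    for finding in check_discovery(parse_dig(FORWARD_SHORT), parse_dig(REVERSE_OK), "192.168.56.2"):
        print("-", finding)
```

Run it as-is to see the two cases side by side: the FQDN pair from the later message comes back clean, while the first capture (`dig server`) is reported both for its SERVFAIL and for the unqualified name, which is the point Martin makes when he asks for `dig server.estudio.local` instead. To check a live host, pipe real `dig` output into `parse_dig` in place of the constructed strings.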