[Freeipa-users] ipa-client-install failure

Roberto Cornacchia roberto.cornacchia at gmail.com
Fri Mar 20 08:53:55 UTC 2015


It seems so:

$ firewall-cmd --list-all
FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:


On 20 March 2015 at 00:53, Dmitri Pal <dpal at redhat.com> wrote:

>  On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>
>  Yes.
>
>  [root at meson ~]# cat /etc/resolv.conf
> search hq.example.com
> nameserver 192.168.0.72
>
>  Sorry, from the short log I posted it's not visible, but that IP address
> is the address of the IPA server (ipa.hq.example.com)
>
>  [root at meson ~]# dig ipa.hq.spinque.com
>
>  ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
>  ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa.hq.example.com. IN A
>
>  ;; ANSWER SECTION:
> ipa.hq.example.com. 1200 IN A 192.168.0.72
>
>  ;; AUTHORITY SECTION:
> hq.example.com. 86400 IN NS ipa.hq.example.com.
>
>  ;; Query time: 1 msec
> ;; SERVER: 192.168.0.72#53(192.168.0.72)
> ;; WHEN: do mrt 19 22:02:04 CET 2015
> ;; MSG SIZE  rcvd: 83
>
>
>
> OK so you can in fact look up the server.
> Have you opened all required ports for ldap and kerberos and other
> protocols in the firewall both UDP and TCP?
>
>
>
>
> On 19 March 2015 at 21:55, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>
>>  Hi,
>>
>>  This should really work like a charm, and I'm sure it is a stupid
>> mistake of mine if it doesn't, but I really can't find out what goes wrong.
>>
>>  Both IPA server and client are on FC21, very up to date.
>> Server installation (standard, with dns) worked well. Required ports open
>> in the firewall. Everything seems to work.
>>
>>  I did try to use the IPA server as a DNS (with forwarders) and NTP
>> server from non-ipa clients, no problem.
>> I also tried to use it as LDAP server, from a non-fedora machine (a
>> synology). It worked well and I could see users.
>>
>>  When trying to enroll a client, the enrollment itself seems to succeed,
>> but:
>> - Unable to sync time with NTP server
>> - Unable to update DNS
>> - Unable to find users
>>
>>  I include below the short installation log (I changed the real domain
>> into hq.example.com), and in attachment, the full log with debug on.
>>
>>  From the debug log, about the DNS update failure, I can see this:
>>
>>    ; Communication with 192.168.0.72#53 failed: operation canceled
>>   could not reach any name server
>>
>>  I'm not sure what communication problem this could be, as the server
>> (which is both the IPA and the DNS server) clearly can be reached.
>>
>>  Any idea where to look?
>>
>>
>>  Do you have the IPA DNS server in the resolv.conf of the client?
>>
>>
>>
>>
>>  Thanks,
>> Roberto
>>
>>
>>  [root at meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
>> --force-ntpd --hostname=meson.hq.example.com
>> Discovery was successful!
>> Hostname: meson.hq.example.com
>> Realm: HQ.EXAMPLE.COM
>> DNS Domain: hq.example.com
>> IPA Server: ipa.hq.example.com
>> BaseDN: dc=hq,dc=example,dc=com
>>
>>  Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> *Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.*
>> User authorized to enroll computers: admin
>> Password for admin at HQ.EXAMPLE.COM:
>> Successfully retrieved CA cert
>>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>
>>  Enrolled in IPA realm HQ.EXAMPLE.COM
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>> trying https://ipa.hq.example.com/ipa/json
>> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>> Forwarding 'ca_is_enabled' to json server '
>> https://ipa.hq.example.com/ipa/json'
>> Systemwide CA database updated.
>> Added CA certificates to the default NSS database.
>> Hostname (meson.hq.example.com) not found in DNS
>> *Failed to update DNS records.*
>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json
>> '
>> *Could not update DNS SSHFP records.*
>> SSSD enabled
>> Configured /etc/openldap/ldap.conf
>> *Unable to find 'admin' user with 'getent passwd admin at hq.example.com
>> <admin at hq.example.com>'!*
>> *Unable to reliably detect configuration. Check NSS setup manually.*
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Configuring hq.example.com as NIS domain.
>> Client configuration complete.
>>
>>
>>
>>
>>
>>   --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
>
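A check of the kind Dmitri's question calls for, added here as an example that is not part of the thread: it parses `firewall-cmd --list-all` output and compares the ports the zone exposes with the ports FreeIPA's documentation lists as required for clients (HTTP/HTTPS 80 and 443, LDAP/LDAPS 389 and 636, Kerberos 88 and 464 on both TCP and UDP, DNS 53 on both TCP and UDP, NTP 123/UDP). The embedded sample is the listing at the top of this message, including the line wrap the mail client introduced, which the parser handles by treating unindented lines as continuations. The `SERVICE_PORTS` table is an assumption of this example, a partial map of firewalld's bundled service definitions, so a zone that opens ports through service names is credited for them. Against the quoted listing it reports `53/tcp` as the one documented port that is not in the list; whether that accounts for the DNS update failure is not something the thread settles.

```python
import re

# Ports FreeIPA's documentation lists as required on the server for client
# enrollment and normal operation.
IPA_REQUIRED_PORTS = {
    "80/tcp", "443/tcp",   # HTTP/HTTPS: JSON-RPC API, CA certificate retrieval
    "389/tcp", "636/tcp",  # LDAP/LDAPS
    "88/tcp", "88/udp",    # Kerberos KDC
    "464/tcp", "464/udp",  # Kerberos kpasswd
    "53/tcp", "53/udp",    # DNS; TCP carries dynamic updates and large answers
    "123/udp",             # NTP
}

# Partial map of firewalld's bundled service names to the ports they open
# (assumption of this example; extend it for other services you rely on).
SERVICE_PORTS = {
    "dns": {"53/tcp", "53/udp"},
    "ntp": {"123/udp"},
    "ldap": {"389/tcp"},
    "ldaps": {"636/tcp"},
    "kerberos": {"88/tcp", "88/udp"},
    "kpasswd": {"464/tcp", "464/udp"},
    "http": {"80/tcp"},
    "https": {"443/tcp"},
}

# Constructed sample: the `firewall-cmd --list-all` listing from the thread,
# with the `ports:` line wrapped the way the mail client wrapped it.
SAMPLE_LIST_ALL = """\
FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

FIELD_RE = re.compile(r"^  ([^:]+):\s*(.*)$")


def parse_list_all(text):
    """Return (zone_name, {field: value}) for one zone's --list-all output.

    A line indented by two spaces and containing a colon starts a field; any
    other non-empty line is appended to the field before it, which copes with
    long `ports:` lists that were wrapped across lines.
    """
    lines = text.splitlines()
    zone = lines[0].split()[0] if lines and lines[0].strip() else ""
    fields = {}
    current = None
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif line.strip() and current is not None:
            fields[current] = (fields[current] + " " + line.strip()).strip()
    return zone, fields


def exposed_ports(fields, service_ports=SERVICE_PORTS):
    """Ports the zone accepts: explicit `ports:` entries plus known services."""
    ports = set(fields.get("ports", "").split())
    for service in fields.get("services", "").split():
        ports |= service_ports.get(service, set())
    return ports


def port_sort_key(port):
    number, proto = port.split("/")
    return int(number), proto


def missing_ipa_ports(text):
    """Documented IPA ports that the zone described by `text` does not expose."""
    _zone, fields = parse_list_all(text)
    return sorted(IPA_REQUIRED_PORTS - exposed_ports(fields), key=port_sort_key)


if __name__ == "__main__":
    zone, _ = parse_list_all(SAMPLE_LIST_ALL)
    missing = missing_ipa_ports(SAMPLE_LIST_ALL)
    if missing:
        print(f"zone {zone}: documented IPA ports not exposed: {' '.join(missing)}")
    else:
        print(f"zone {zone}: all documented IPA ports are exposed")
```

To run it against a live server, replace `SAMPLE_LIST_ALL` with the captured output of `firewall-cmd --list-all` for the zone bound to the interface the clients reach; a service name the table does not know is simply not credited, so a clean result is only as complete as `SERVICE_PORTS`.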