[Freeipa-users] ipa-client-install failure

Martin Basti mbasti at redhat.com
Fri Mar 20 11:31:37 UTC 2015


Hello,

Do you have DNS dynamic updates enabled for hq.example.zone?
You can check it in the zone settings.

Are there any entries in the DNS log related to nsupdate executed from a
client?
$ journalctl -b -u named-pkcs11

On 20/03/15 09:53, Roberto Cornacchia wrote:
> It seems so:
>
> $ firewall-cmd --list-all
> FedoraServer (default, active)
>   interfaces: em2
>   sources:
>   services: cockpit dhcpv6-client ssh
>   ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
>
> On 20 March 2015 at 00:53, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>>     Yes.
>>
>>     [root at meson ~]# cat /etc/resolv.conf
>>     search hq.example.com
>>     nameserver 192.168.0.72
>>
>>     Sorry, from the short log I posted it's not visible, but that IP
>>     address is the address of the IPA server (ipa.hq.example.com).
>>
>>     [root at meson ~]# dig ipa.hq.spinque.com
>>
>>     ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
>>     ;; global options: +cmd
>>     ;; Got answer:
>>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
>>     ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>
>>     ;; OPT PSEUDOSECTION:
>>     ; EDNS: version: 0, flags:; udp: 4096
>>     ;; QUESTION SECTION:
>>     ;ipa.hq.example.com.            IN      A
>>
>>     ;; ANSWER SECTION:
>>     ipa.hq.example.com.     1200    IN      A       192.168.0.72
>>
>>     ;; AUTHORITY SECTION:
>>     hq.example.com.         86400   IN      NS      ipa.hq.example.com.
>>
>>     ;; Query time: 1 msec
>>     ;; SERVER: 192.168.0.72#53(192.168.0.72)
>>     ;; WHEN: do mrt 19 22:02:04 CET 2015
>>     ;; MSG SIZE  rcvd: 83
>
>
>     OK, so you can in fact look up the server.
>     Have you opened all required ports for LDAP, Kerberos and the other
>     protocols in the firewall, both UDP and TCP?
>
>
>>
>>
>>     On 19 March 2015 at 21:55, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>         On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>>         Hi,
>>>
>>>         This should really work like a charm, and I'm sure it is a
>>>         stupid mistake of mine if it doesn't, but I really can't
>>>         find out what goes wrong.
>>>
>>>         Both IPA server and client are on FC21, very up to date.
>>>         Server installation (standard, with dns) worked well.
>>>         Required ports open in the firewall. Everything seems to work.
>>>
>>>         I did try to use the IPA server as a DNS (with forwarders)
>>>         and NTP server from non-ipa clients, no problem.
>>>         I also tried to use it as LDAP server, from a non-Fedora
>>>         machine (a Synology). It worked well and I could see users.
>>>
>>>         When trying to enroll a client, the enrollment itself seems
>>>         to succeed, but:
>>>         - Unable to sync time with NTP server
>>>         - Unable to update DNS
>>>         - Unable to find users
>>>
>>>         I include below the short installation log (I changed the
>>>         real domain to hq.example.com) and, as an attachment, the full
>>>         log with debug on.
>>>
>>>         From the debug log, about the DNS update failure, I can see
>>>         this:
>>>
>>>           ; Communication with 192.168.0.72#53 failed: operation
>>>         canceled
>>>           could not reach any name server
>>>
>>>         I'm not sure what communication problem this could be, as
>>>         the server (which is both the IPA and the DNS server)
>>>         clearly can be reached.
>>>
>>>         Any idea where to look?
>>
>>         Do you have the IPA DNS server in the resolv.conf of the client?
>>
>>
>>
>>>
>>>         Thanks,
>>>         Roberto
>>>
>>>
>>>         [root at meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd --hostname=meson.hq.example.com
>>>         Discovery was successful!
>>>         Hostname: meson.hq.example.com
>>>         Realm: HQ.EXAMPLE.COM
>>>         DNS Domain: hq.example.com
>>>         IPA Server: ipa.hq.example.com
>>>         BaseDN: dc=hq,dc=example,dc=com
>>>
>>>         Continue to configure the system with these values? [no]: yes
>>>         Synchronizing time with KDC...
>>>         *Unable to sync time with IPA NTP server, assuming the time
>>>         is in sync. Please check that 123 UDP port is opened.*
>>>         User authorized to enroll computers: admin
>>>         Password for admin at HQ.EXAMPLE.COM:
>>>         Successfully retrieved CA cert
>>>             Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>             Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>             Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>>             Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>
>>>         Enrolled in IPA realm HQ.EXAMPLE.COM
>>>         Created /etc/ipa/default.conf
>>>         New SSSD config will be created
>>>         Configured sudoers in /etc/nsswitch.conf
>>>         Configured /etc/sssd/sssd.conf
>>>         Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>>         trying https://ipa.hq.example.com/ipa/json
>>>         Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>>>         Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
>>>         Systemwide CA database updated.
>>>         Added CA certificates to the default NSS database.
>>>         Hostname (meson.hq.example.com) not found in DNS
>>>         *Failed to update DNS records.*
>>>         Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>>         Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>>         Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>>         Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
>>>         *Could not update DNS SSHFP records.*
>>>         SSSD enabled
>>>         Configured /etc/openldap/ldap.conf
>>>         *Unable to find 'admin' user with 'getent passwd admin at hq.example.com'!*
>>>         *Unable to reliably detect configuration. Check NSS setup manually.*
>>>         NTP enabled
>>>         Configured /etc/ssh/ssh_config
>>>         Configured /etc/ssh/sshd_config
>>>         Configuring hq.example.com as NIS domain.
>>>         Client configuration complete.
>>
>>         -- 
>>         Thank you,
>>         Dmitri Pal
>>
>>         Sr. Engineering Manager IdM portfolio
>>         Red Hat, Inc.
>>
>>
>>         --
>>         Manage your subscription for the Freeipa-users mailing list:
>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>         Go to http://freeipa.org for more info on the project
>>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>


-- 
Martin Basti
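Dmitri asked whether all required ports are open for both TCP and UDP, and Roberto answered with a firewall-cmd listing. The check below is an added example, not code from the thread or from the FreeIPA project: it compares such a listing against the ports a FreeIPA server with DNS and NTP has to accept from clients according to the FreeIPA server documentation (80, 443, 389, 636 TCP; 88 and 464 TCP and UDP; 53 TCP and UDP; 123 UDP). The REQUIRED_PORTS list is an assumption for that default layout, and the sample listing is the one quoted in the thread with its wrapped "ports:" line rejoined.

```shell
#!/bin/sh
# Added example: report FreeIPA ports missing from a firewall-cmd --list-all
# listing. REQUIRED_PORTS is an assumption (default server with DNS and NTP,
# per the FreeIPA server documentation); trim it for servers without DNS/NTP.
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# Constructed sample input: the listing quoted in the thread, with the
# "ports:" line the mail client had wrapped put back on one line.
SAMPLE_LISTING='FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# open_ports LISTING: print the port/proto tokens of the "ports:" line, one per line.
open_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# missing_ports LISTING: print every required port/proto not opened, one per line.
missing_ports() {
    opened=$(open_ports "$1")
    for p in $REQUIRED_PORTS; do
        # -x: whole-line match, so 53/udp does not satisfy 53/tcp
        if ! printf '%s\n' "$opened" | grep -qx "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# check_listing LISTING: human-readable verdict; exit status 0 only if nothing is missing.
check_listing() {
    missing=$(missing_ports "$1")
    if [ -n "$missing" ]; then
        printf 'required ports not opened: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    printf 'all required ports are opened\n'
    return 0
}

# Stand-alone run against the constructed sample; on a real server use
#   check_listing "$(firewall-cmd --list-all)"
# The "|| :" keeps a failing verdict from aborting a shell running with set -e.
check_listing "$SAMPLE_LISTING" || :
```

Only the "ports:" line is inspected; ports opened through a firewalld service (the "services:" line, e.g. "ssh") are not expanded, so a server using the freeipa-ldap or dns service definitions instead of raw ports would need those services resolved first.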
