[Freeipa-users] ipa-client-install failure
Dmitri Pal
dpal at redhat.com
Fri Mar 20 16:06:49 UTC 2015
On 03/20/2015 10:56 AM, Roberto Cornacchia wrote:
> The zone settings:
>
> $ ipa dnszone-show --all
> Zone name: hq.example.com.
> dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
> Zone name: hq.example.com.
> Active zone: TRUE
> Authoritative nameserver: ipa.hq.example.com.
> Administrator e-mail address: hostmaster.hq.example.com.
> SOA serial: 1426857128
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: ipa.hq.example.com.
> objectclass: idnszone, top, idnsrecord
>
> The DNS log doesn't mention anything about updates. It does contain
> some errors about unreachable hosts, but that's because I had a
> temporary interruption towards the gateway from the ipa server.
>
> One thing I did after installing the IPA server is to turn off support
> for ipv6, using
> $ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
> $ sysctl -p
>
> Do you think it could have any influence?
I think it can.
I have a vague recollection of a bug related to that in some of the
packages we depend on, or something like that.
Can you try enabling it and see if it makes a difference?
>
>
> On 20 March 2015 at 12:31, Martin Basti <mbasti at redhat.com> wrote:
>
> Hello,
>
> Have you enabled DNS dynamic updates for hq.example.zone?
> You can check it in zone settings.
>
> Are there any log entries in dns log related to nsupdate executed
> from a client?
> $ journalctl -b -u named-pkcs11
>
>
> On 20/03/15 09:53, Roberto Cornacchia wrote:
>> It seems so:
>>
>> $ firewall-cmd --list-all
>> FedoraServer (default, active)
>> interfaces: em2
>> sources:
>> services: cockpit dhcpv6-client ssh
>> ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp
>> 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp
>> 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
>> masquerade: no
>> forward-ports:
>> icmp-blocks:
>> rich rules:
>>
>>
>> On 20 March 2015 at 00:53, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>>> Yes.
>>>
>>> [root at meson ~]# cat /etc/resolv.conf
>>> search hq.example.com
>>> nameserver 192.168.0.72
>>>
>>> Sorry, from the short log I posted it's not visible, but that
>>> ip address is the address of the ipa server
>>> (ipa.hq.example.com)
>>>
>>> [root at meson ~]# dig ipa.hq.example.com
>>>
>>> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;ipa.hq.example.com.            IN      A
>>>
>>> ;; ANSWER SECTION:
>>> ipa.hq.example.com.     1200    IN      A       192.168.0.72
>>>
>>> ;; AUTHORITY SECTION:
>>> hq.example.com.         86400   IN      NS      ipa.hq.example.com.
>>>
>>> ;; Query time: 1 msec
>>> ;; SERVER: 192.168.0.72#53(192.168.0.72)
>>> ;; WHEN: do mrt 19 22:02:04 CET 2015
>>> ;; MSG SIZE rcvd: 83
>>
>>
>> OK so you can in fact look up the server.
>> Have you opened all required ports for ldap and kerberos and
>> other protocols in the firewall both UDP and TCP?
>>
>>
>>>
>>>
>>> On 19 March 2015 at 21:55, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>> On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>>> Hi,
>>>>
>>>> This should really work like a charm, and I'm sure it
>>>> is a stupid mistake of mine if it doesn't, but I really
>>>> can't find out what goes wrong.
>>>>
>>>> Both IPA server and client are on FC21, very up to date.
>>>> Server installation (standard, with dns) worked well.
>>>> Required ports open in the firewall. Everything seems
>>>> to work.
>>>>
>>>> I did try to use the IPA server as a DNS (with
>>>> forwarders) and NTP server from non-ipa clients, no
>>>> problem.
>>>> I also tried to use it as LDAP server, from a
>>>> non-fedora machine (a synology). It worked well and I
>>>> could see users.
>>>>
>>>> When trying to enroll a client, the enrollment itself
>>>> seems to succeed, but:
>>>> - Unable to sync time with NTP server
>>>> - Unable to update DNS
>>>> - Unable to find users
>>>>
>>>> I include below the short installation log (I changed
>>>> the real domain into hq.example.com), and in attachment, the full
>>>> log with debug on.
>>>>
>>>> From the debug log, about the DNS update failure, I can
>>>> see this:
>>>>
>>>> ; Communication with 192.168.0.72#53 failed:
>>>> operation canceled
>>>> could not reach any name server
>>>>
>>>> I'm not sure what communication problem this could be,
>>>> as the server (which is both the IPA and the DNS
>>>> server) clearly can be reached.
>>>>
>>>> Any idea where to look?
>>>
>>> Do you have the IPA DNS server in the resolv.conf of the
>>> client?
>>>
>>>
>>>
>>>>
>>>> Thanks,
>>>> Roberto
>>>>
>>>>
>>>> [root at meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd --hostname=meson.hq.example.com
>>>> Discovery was successful!
>>>> Hostname: meson.hq.example.com
>>>> Realm: HQ.EXAMPLE.COM
>>>> DNS Domain: hq.example.com
>>>> IPA Server: ipa.hq.example.com
>>>> BaseDN: dc=hq,dc=example,dc=com
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> Synchronizing time with KDC...
>>>> *Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.*
>>>> User authorized to enroll computers: admin
>>>> Password for admin at HQ.EXAMPLE.COM:
>>>> Successfully retrieved CA cert
>>>> Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>> Issuer: CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>> Valid From: Mon Mar 16 18:44:35 2015 UTC
>>>> Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>>
>>>> Enrolled in IPA realm HQ.EXAMPLE.COM
>>>> Created /etc/ipa/default.conf
>>>> New SSSD config will be created
>>>> Configured sudoers in /etc/nsswitch.conf
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>>> trying https://ipa.hq.example.com/ipa/json
>>>> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> Systemwide CA database updated.
>>>> Added CA certificates to the default NSS database.
>>>> Hostname (meson.hq.example.com) not found in DNS
>>>> *Failed to update DNS records.*
>>>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>>> Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> *Could not update DNS SSHFP records.*
>>>> SSSD enabled
>>>> Configured /etc/openldap/ldap.conf
>>>> *Unable to find 'admin' user with 'getent passwd admin at hq.example.com'!*
>>>> *Unable to reliably detect configuration. Check NSS setup manually.*
>>>> NTP enabled
>>>> Configured /etc/ssh/ssh_config
>>>> Configured /etc/ssh/sshd_config
>>>> Configuring hq.example.com as NIS domain.
>>>> Client configuration complete.
>>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
> --
> Martin Basti
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
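The checks this thread walks through by hand (resolv.conf pointing at the IPA DNS, the required server ports open in firewalld, the IPv6 sysctl change) as an added offline diagnostic; this is example code, not code from the thread or from FreeIPA. The list of required ports is an assumption taken from the FreeIPA documentation rather than from the thread; fed the firewall-cmd listing quoted above, it notes that 53/udp is open but 53/tcp is not.

```python
import re
# Ports a FreeIPA client must reach (assumption from FreeIPA docs, not the
# thread): HTTP/S, LDAP/S, Kerberos+kpasswd (TCP/UDP), DNS (TCP/UDP), NTP.
REQUIRED_PORTS = {
    ("80", "tcp"), ("443", "tcp"), ("389", "tcp"), ("636", "tcp"),
    ("88", "tcp"), ("88", "udp"), ("464", "tcp"), ("464", "udp"),
    ("53", "tcp"), ("53", "udp"), ("123", "udp"),
}

def parse_firewall_ports(listing):
    """(port, proto) pairs from `firewall-cmd --list-all`; 'ports:' may wrap."""
    ports, in_ports = set(), False
    for line in listing.splitlines():
        field = line.strip()
        if field.startswith("ports:"):
            in_ports, field = True, field[len("ports:"):]
        elif in_ports and re.match(r"^[\w-]+:", field):
            in_ports = False  # reached the next field, e.g. 'masquerade:'
        if in_ports:
            ports.update(tuple(t.split("/", 1)) for t in field.split() if "/" in t)
    return ports

def nameservers(resolv_conf):
    """Nameserver addresses from resolv.conf content, in order."""
    return [w[1] for w in (l.split() for l in resolv_conf.splitlines())
            if len(w) > 1 and w[0] == "nameserver"]

def ipv6_disabled(sysctl_conf):
    """True when sysctl.conf disables IPv6 the way the thread describes."""
    return re.search(r"^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\s*$",
                     sysctl_conf, re.M) is not None

def diagnose(ipa_dns_ip, firewall_listing, resolv_conf, sysctl_conf):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if ipa_dns_ip not in nameservers(resolv_conf):
        findings.append("resolv.conf does not point at IPA DNS " + ipa_dns_ip)
    for port, proto in sorted(REQUIRED_PORTS - parse_firewall_ports(firewall_listing)):
        findings.append("firewall does not open %s/%s" % (port, proto))
    if ipv6_disabled(sysctl_conf):
        findings.append("IPv6 disabled in sysctl.conf; re-enable to rule it out")
    return findings

# Constructed sample input, copied from the listings quoted in the thread.
FIREWALL = """FedoraServer (default, active)
ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp
88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp
7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
masquerade: no
"""
RESOLV = "search hq.example.com\nnameserver 192.168.0.72\n"
SYSCTL = "net.ipv6.conf.all.disable_ipv6 = 1\n"
```

Calling `diagnose("192.168.0.72", FIREWALL, RESOLV, SYSCTL)` on the sample input returns two findings: the missing 53/tcp rule and the disabled IPv6.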