[Freeipa-users] ipa-client-install failure
Dmitri Pal
dpal at redhat.com
Fri Mar 20 17:37:17 UTC 2015
On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
> Oops. Not true, forget last email.
>
> This secon client installation went different just because it took the
> wrong domain.
> It used *example.com <http://example.com>* (what was previously set)
> instead of *hq.example.com <http://hq.example.com>*
>
> Uninstalled, tried again with --hostname=photon.hq.example.com
> <http://photon.hq.example.com>
> And then it behaves precisely like the previous client.
>
> So something seems wrong in the server.
>
> On 20 March 2015 at 18:18, Roberto Cornacchia
> <roberto.cornacchia at gmail.com <mailto:roberto.cornacchia at gmail.com>>
> wrote:
>
> Update:
> I tried from another client. Also FC21, same network, same
> settings from the same DHCP.
> But obviously it must have something different because it
> partially succeeded.
>
> - I do not get errors about LDAP users.
> - I do not get errors about DNS update
>
> However:
> - I still get the initial error about NTP
> - The host is enrolled, but not added to the DNS zone
>
> Now, I don't care much about the previous client. It was pretty
> much empty and can re-install Fedora from scratch.
>
> But I'd like to understand if this is still a problem.
> It should be added to the zone, shouldn't it?
>
> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
> Discovery was successful!
> Hostname: photon.example.com <http://photon.example.com>
> Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
> DNS Domain: hq.example.com <http://hq.example.com>
> IPA Server: ipa.hq.example.com <http://ipa.hq.example.com>
> BaseDN: dc=hq,dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> *Unable to sync time with IPA NTP server, assuming the time is in
> sync. Please check that 123 UDP port is opened.*
> User authorized to enroll computers: admin
> Password for admin at HQ.EXAMPLE.COM <mailto:admin at HQ.EXAMPLE.COM>:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
> <http://HQ.EXAMPLE.COM>
> Issuer: CN=Certificate Authority,O=HQ.EXAMPLE.COM
> <http://HQ.EXAMPLE.COM>
> Valid From: Mon Mar 16 18:44:35 2015 UTC
> Valid Until: Fri Mar 16 18:44:35 2035 UTC
>
> Enrolled in IPA realm HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
> <http://HQ.EXAMPLE.COM>
> trying https://ipa.hq.example.com/ipa/json
> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
> Forwarding 'ca_is_enabled' to json server
> 'https://ipa.hq.example.com/ipa/json'
> Systemwide CA database updated.
> Added CA certificates to the default NSS database.
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Forwarding 'host_mod' to json server
> 'https://ipa.hq.example.com/ipa/json'
> *Could not update DNS SSHFP records.*
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring hq.example.com <http://hq.example.com> as NIS domain.
> Client configuration complete.
>
>
>
>
It is different. It does not have the same failure about admin as you
had in the first email.
So may be it is the permissions issue and a separate NTP issue?
Did you play with any permissions on the server side?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150320/eb9be4e1/attachment.htm>
More information about the Freeipa-users
mailing list