[Freeipa-users] ipa-client-install failure

Fri Mar 20 18:41:58 UTC 2015

On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
> But the ipa server itself is also enrolled as a client, just after the 
> server installation, right?. And that worked fine.

Are these VMs?
There have been a similar case when the network was not set properly for 
the virtual test environment.

>
> On 20 March 2015 at 18:55, Roberto Cornacchia 
> <roberto.cornacchia at gmail.com <mailto:roberto.cornacchia at gmail.com>> 
> wrote:
>
>     No, sorry about the confusion, i shouldn't have posted so quickly.
>
>     When I use the correct domain (hq.example.com
>     <http://hq.example.com>), then I really get all the same errors as
>     before, also in the new client.
>
>
>
>     On 20 Mar 2015 18:39, "Dmitri Pal" <dpal at redhat.com
>     <mailto:dpal at redhat.com>> wrote:
>
>         On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
>>         Oops. Not true, forget last email.
>>
>>         This secon client installation went different just because it
>>         took the wrong domain.
>>         It used *example.com <http://example.com>* (what was
>>         previously set) instead of *hq.example.com
>>         <http://hq.example.com>*
>>
>>         Uninstalled, tried again with
>>         --hostname=photon.hq.example.com <http://photon.hq.example.com>
>>         And then it behaves precisely like the previous client.
>>
>>         So something seems wrong in the server.
>>
>>         On 20 March 2015 at 18:18, Roberto Cornacchia
>>         <roberto.cornacchia at gmail.com
>>         <mailto:roberto.cornacchia at gmail.com>> wrote:
>>
>>             Update:
>>             I tried from another client. Also FC21, same network,
>>             same settings from the same DHCP.
>>             But obviously it must have something different because it
>>             partially succeeded.
>>
>>             - I do not get errors about LDAP users.
>>             - I do not get errors about DNS update
>>
>>             However:
>>             - I still get the initial error about NTP
>>             - The host is enrolled, but not added to the DNS zone
>>
>>             Now, I don't care much about the previous client. It was
>>             pretty much empty and can re-install Fedora from scratch.
>>
>>             But I'd like to understand if this is still a problem.
>>             It should be added to the zone, shouldn't it?
>>
>>             $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
>>             Discovery was successful!
>>             Hostname: photon.example.com <http://photon.example.com>
>>             Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>             DNS Domain: hq.example.com <http://hq.example.com>
>>             IPA Server: ipa.hq.example.com <http://ipa.hq.example.com>
>>             BaseDN: dc=hq,dc=example,dc=com
>>
>>             Continue to configure the system with these values? [no]: yes
>>             Synchronizing time with KDC...
>>             *Unable to sync time with IPA NTP server, assuming the
>>             time is in sync. Please check that 123 UDP port is opened.*
>>             User authorized to enroll computers: admin
>>             Password for admin at HQ.EXAMPLE.COM
>>             <mailto:admin at HQ.EXAMPLE.COM>:
>>             Successfully retrieved CA cert
>>                 Subject:     CN=Certificate
>>             Authority,O=HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>                 Issuer:    CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>             <http://HQ.EXAMPLE.COM>
>>                 Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>                 Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>
>>             Enrolled in IPA realm HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>             Created /etc/ipa/default.conf
>>             New SSSD config will be created
>>             Configured sudoers in /etc/nsswitch.conf
>>             Configured /etc/sssd/sssd.conf
>>             Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>             <http://HQ.EXAMPLE.COM>
>>             trying https://ipa.hq.example.com/ipa/json
>>             Forwarding 'ping' to json server
>>             'https://ipa.hq.example.com/ipa/json'
>>             Forwarding 'ca_is_enabled' to json server
>>             'https://ipa.hq.example.com/ipa/json'
>>             Systemwide CA database updated.
>>             Added CA certificates to the default NSS database.
>>             Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>             Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>             Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>>             Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>             Forwarding 'host_mod' to json server
>>             'https://ipa.hq.example.com/ipa/json'
>>             *Could not update DNS SSHFP records.*
>>             SSSD enabled
>>             Configured /etc/openldap/ldap.conf
>>             NTP enabled
>>             Configured /etc/ssh/ssh_config
>>             Configured /etc/ssh/sshd_config
>>             Configuring hq.example.com <http://hq.example.com> as NIS
>>             domain.
>>             Client configuration complete.
>>
>>
>>
>>
>
>         It is different. It does not have the same failure about admin
>         as you had in the first email.
>         So may be it is the permissions issue and a separate NTP issue?
>         Did you play with any permissions on the server side?
>
>
>         -- 
>         Thank you,
>         Dmitri Pal
>
>         Sr. Engineering Manager IdM portfolio
>         Red Hat, Inc.
>
>
>         --
>         Manage your subscription for the Freeipa-users mailing list:
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>         Go to http://freeipa.org for more info on the project
>
>
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150320/6ce27f30/attachment.htm>