[Freeipa-users] ipa-client-install failure
Dmitri Pal
dpal at redhat.com
Fri Mar 20 22:03:19 UTC 2015
On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:
> SSSD logs are empty so far.
This is wrong.
> Isn't sssd.conf written by ipa-client-install?
Yes
> If I raise the debug level after client installation,
(and restart)
> what activities do you suggest to attempt from the client?
the ones that fail. getent call that returns nothing.
Also try 'id'.
http://www.freeipa.org/page/Troubleshooting#Client_Installation
https://fedorahosted.org/sssd/wiki/Troubleshooting
>
>
> On 20 March 2015 at 22:37, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
> On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:
>> It certainly gets there, because the client gets in fact enrolled
>> as a domain host. I can see it from the UI in Identity / Hosts.
>> But not in the DNS zone.
>>
>> *Before ipa-client-install, all these do work: *
>>
>> $ ssh ipa.hq.example.com <http://ipa.hq.example.com>
>> $ ntpdate ipa.hq.example.com <http://ipa.hq.example.com>
>> $ ldapsearch -x -h ipa.hq.example.com <http://ipa.hq.example.com>
>> -b dc=hq,dc=example,dc=com uid=admin
>>
>>
>> *After running ipa-client-install, all these do work:*
>>
>> $ kinit admin
>> Password for admin at HQ.EXAMPLE.COM <mailto:admin at HQ.EXAMPLE.COM>:
>> $ ipa dnszone-show --all
>> [...]
>> $ ntpq -p
>> remote refid st t when poll reach delay
>> offset jitter
>> ==============================================================================
>> *ipa.hq.example. 131.155.140.130 3 u 19 64 1 0.415
>> -0.006 0.000
>> LOCAL(0) .LOCL. 5 l - 64 0 0.000
>> 0.000 0.000
>>
>> *But this does NOT work:*
>> $ getent passwd admin at hq.example.com <mailto:admin at hq.example.com>
>
> What do SSSD logs show on the client?
> Please rise the SSSD debug_level and provide SSSD logs.
>
>>
>> *On the server, in /var/log/krb5kdc.log, I see many of these:*
>>
>> Mar 20 21:53:17 ipa.hq.example.com <http://ipa.hq.example.com>
>> krb5kdc[9229](info): AS_REQ (6 etypes {18 17 16 23 25 26})
>> 192.168.0.207 <http://192.168.0.207>: NEEDED_PREAUTH:
>> admin at HQ.EXAMPLE.COM <mailto:admin at HQ.EXAMPLE.COM> for
>> krbtgt/HQ.EXAMPLE.COM at HQ.EXAMPLE.COM <mailto:COM at HQ.EXAMPLE.COM>,
>> Additional pre-authentication required
>> Mar 20 21:53:17 ipa.hq.example.com <http://ipa.hq.example.com>
>> krb5kdc[9229](info): AS_REQ (6 etypes {18 17 16 23 25 26})
>> 192.168.0.207 <http://192.168.0.207>: ISSUE: authtime 1426884797,
>> etypes {rep=18 tkt=18 ses=18}, admin at HQ.EXAMPLE.COM
>> <mailto:admin at HQ.EXAMPLE.COM> for
>> krbtgt/HQ.EXAMPLE.COM at HQ.EXAMPLE.COM
>> <mailto:HQ.EXAMPLE.COM at HQ.EXAMPLE.COM>
>
> This is not an error. It is a normal user authentication.
> OK so it is DNS that is not working. Is DNS server running on the
> server?
> What do Bind logs show?
>
>
>>
>> 192.168.0.207 is the IP of the client I'm trying to install.
>> However, higher up in the log, I also see such errors for the ipa
>> server itself.
>>
>> On 20 March 2015 at 20:24, Dmitri Pal <dpal at redhat.com
>> <mailto:dpal at redhat.com>> wrote:
>>
>> On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:
>>> No, all real machines.
>>>
>>> I'm really sorry it's taking so much of your time.
>>> I had tried almost everything on a VM setting first, and
>>> everything was fine.
>>> Everything always works fine, until you actually need it.
>>
>>
>> We try to help as much as we can.
>> Can you do LDAP lookups as a directory manager from client
>> host to server?
>> Can you ssh from client to server?
>>
>> When you try to install client is there anything in the logs
>> on the server? Does it even get there?
>>
>>
>>
>>
>>>
>>>
>>> On 20 March 2015 at 19:41, Dmitri Pal <dpal at redhat.com
>>> <mailto:dpal at redhat.com>> wrote:
>>>
>>> On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
>>>> But the ipa server itself is also enrolled as a client,
>>>> just after the server installation, right?. And that
>>>> worked fine.
>>>
>>> Are these VMs?
>>> There have been a similar case when the network was not
>>> set properly for the virtual test environment.
>>>
>>>
>>>>
>>>> On 20 March 2015 at 18:55, Roberto Cornacchia
>>>> <roberto.cornacchia at gmail.com
>>>> <mailto:roberto.cornacchia at gmail.com>> wrote:
>>>>
>>>> No, sorry about the confusion, i shouldn't have
>>>> posted so quickly.
>>>>
>>>> When I use the correct domain (hq.example.com
>>>> <http://hq.example.com>), then I really get all the
>>>> same errors as before, also in the new client.
>>>>
>>>>
>>>>
>>>> On 20 Mar 2015 18:39, "Dmitri Pal" <dpal at redhat.com
>>>> <mailto:dpal at redhat.com>> wrote:
>>>>
>>>> On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
>>>>> Oops. Not true, forget last email.
>>>>>
>>>>> This secon client installation went different
>>>>> just because it took the wrong domain.
>>>>> It used *example.com
>>>>> <http://example.com>* (what was previously
>>>>> set) instead of *hq.example.com
>>>>> <http://hq.example.com>*
>>>>>
>>>>> Uninstalled, tried again with
>>>>> --hostname=photon.hq.example.com
>>>>> <http://photon.hq.example.com>
>>>>> And then it behaves precisely like the
>>>>> previous client.
>>>>>
>>>>> So something seems wrong in the server.
>>>>>
>>>>> On 20 March 2015 at 18:18, Roberto Cornacchia
>>>>> <roberto.cornacchia at gmail.com
>>>>> <mailto:roberto.cornacchia at gmail.com>> wrote:
>>>>>
>>>>> Update:
>>>>> I tried from another client. Also FC21,
>>>>> same network, same settings from the same
>>>>> DHCP.
>>>>> But obviously it must have something
>>>>> different because it partially succeeded.
>>>>>
>>>>> - I do not get errors about LDAP users.
>>>>> - I do not get errors about DNS update
>>>>>
>>>>> However:
>>>>> - I still get the initial error about NTP
>>>>> - The host is enrolled, but not added to
>>>>> the DNS zone
>>>>>
>>>>> Now, I don't care much about the previous
>>>>> client. It was pretty much empty and can
>>>>> re-install Fedora from scratch.
>>>>>
>>>>> But I'd like to understand if this is
>>>>> still a problem.
>>>>> It should be added to the zone, shouldn't it?
>>>>>
>>>>> $ ipa-client-install --mkhomedir
>>>>> --ssh-trust-dns --force-ntpd
>>>>> Discovery was successful!
>>>>> Hostname: photon.example.com
>>>>> <http://photon.example.com>
>>>>> Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>>>> DNS Domain: hq.example.com
>>>>> <http://hq.example.com>
>>>>> IPA Server: ipa.hq.example.com
>>>>> <http://ipa.hq.example.com>
>>>>> BaseDN: dc=hq,dc=example,dc=com
>>>>>
>>>>> Continue to configure the system with
>>>>> these values? [no]: yes
>>>>> Synchronizing time with KDC...
>>>>> *Unable to sync time with IPA NTP server,
>>>>> assuming the time is in sync. Please check
>>>>> that 123 UDP port is opened.*
>>>>> User authorized to enroll computers: admin
>>>>> Password for admin at HQ.EXAMPLE.COM
>>>>> <mailto:admin at HQ.EXAMPLE.COM>:
>>>>> Successfully retrieved CA cert
>>>>> Subject: CN=Certificate
>>>>> Authority,O=HQ.EXAMPLE.COM
>>>>> <http://HQ.EXAMPLE.COM>
>>>>> Issuer: CN=Certificate
>>>>> Authority,O=HQ.EXAMPLE.COM
>>>>> <http://HQ.EXAMPLE.COM>
>>>>> Valid From: Mon Mar 16 18:44:35 2015 UTC
>>>>> Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>>>
>>>>> Enrolled in IPA realm HQ.EXAMPLE.COM
>>>>> <http://HQ.EXAMPLE.COM>
>>>>> Created /etc/ipa/default.conf
>>>>> New SSSD config will be created
>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>> Configured /etc/sssd/sssd.conf
>>>>> Configured /etc/krb5.conf for IPA realm
>>>>> HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>>>> trying https://ipa.hq.example.com/ipa/json
>>>>> Forwarding 'ping' to json server
>>>>> 'https://ipa.hq.example.com/ipa/json'
>>>>> Forwarding 'ca_is_enabled' to json server
>>>>> 'https://ipa.hq.example.com/ipa/json'
>>>>> Systemwide CA database updated.
>>>>> Added CA certificates to the default NSS
>>>>> database.
>>>>> Adding SSH public key from
>>>>> /etc/ssh/ssh_host_rsa_key.pub
>>>>> Adding SSH public key from
>>>>> /etc/ssh/ssh_host_ed25519_key.pub
>>>>> Adding SSH public key from
>>>>> /etc/ssh/ssh_host_dsa_key.pub
>>>>> Adding SSH public key from
>>>>> /etc/ssh/ssh_host_ecdsa_key.pub
>>>>> Forwarding 'host_mod' to json server
>>>>> 'https://ipa.hq.example.com/ipa/json'
>>>>> *Could not update DNS SSHFP records.*
>>>>> SSSD enabled
>>>>> Configured /etc/openldap/ldap.conf
>>>>> NTP enabled
>>>>> Configured /etc/ssh/ssh_config
>>>>> Configured /etc/ssh/sshd_config
>>>>> Configuring hq.example.com
>>>>> <http://hq.example.com> as NIS domain.
>>>>> Client configuration complete.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> It is different. It does not have the same
>>>> failure about admin as you had in the first email.
>>>> So may be it is the permissions issue and a
>>>> separate NTP issue?
>>>> Did you play with any permissions on the server
>>>> side?
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users
>>>> mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the
>>>> project
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150320/facb3294/attachment.htm>
More information about the Freeipa-users
mailing list