[Freeipa-users] ipa-client-install failure

Roberto Cornacchia roberto.cornacchia at gmail.com
Mon Mar 23 09:21:45 UTC 2015


About the DNS update, this is what the debug log has to say:

Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*Reply from SOA query:*
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY

response to SOA query was unsuccessful



Notice that this is *different* from what I got before the chronyd change.
Before, there was not even a reply:

Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*could not reach any name server*




On 23 March 2015 at 10:07, Roberto Cornacchia <roberto.cornacchia at gmail.com>
wrote:

> Dmitri, Rob, Jakub,
>
> I found at least one of the major problems: chronyd.
>
> This is what I get when I use ipa-client-install on a plain FC21 machine,
> *without* using --force-ntpd
>
> WARNING: ntpd time&date synchronization service will not be configured as
> conflicting service (chronyd) is enabled
> Use --force-ntpd option to disable it and force configuration of ntpd
>
>
> Good, then I abort and run it again with --force-ntpd:
>
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
>
>
> Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it
> would take care of stopping and disabling chronyd. But it doesn't. That's
> why I get the error above.
>
> If I first stop chronyd manually and run the installation again, then it
> does synchronise with NTP.
> This was apparently the cause of "id admin" not working (kerberos failing
> without proper NTP sync?)
> Now the basic functionalities are all OK.
> Also, chronyd is disabled and ntpd is enabled after installation - good.
>
> My nsswitch.conf now looks like this:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount:  files sss
> aliases:    files nisplus
> sudoers: files sss
>
>
>
> I am left with 2 issues:
>
> 1) Is the above expected? Do I have to stop chronyd manually? Or is it a
> bug?
> 2) DNS update still does not work
>
>
> The latest installation log:
>
>
> $ systemctl stop chronyd
> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
> Discovery was successful!
> Hostname: meson.hq.example.com
> Realm: HQ.EXAMPLE.COM
> DNS Domain: hq.example.com
> IPA Server: ipa.hq.example.com
> BaseDN: dc=hq,dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> User authorized to enroll computers: User authorized to enroll computers:
> admin
> Password for admin at HQ.EXAMPLE.COM:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>
> Enrolled in IPA realm HQ.EXAMPLE.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
> trying https://ipa.hq.example.com/ipa/json
> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
> Systemwide CA database updated.
> Added CA certificates to the default NSS database.
> Hostname (meson.hq.example.com) not found in DNS
> *Failed to update DNS records.*
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
> *Could not update DNS SSHFP records.*
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring hq.example.com as NIS domain.
> Client configuration complete.
>
> $ id admin
> uid=1172000000(admin) gid=1172000000(admins) groups=1172000000(admins)
>
>
>
>
> On 22 March 2015 at 21:04, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
>> > Thanks Rob.
>> >
>> > Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
>> > although we don't know why that happens yet.
>> > I'm not very keen on fixing it post-installation (except if this is
>> > just to learn more about the issue), even if this seems to solve
>> > problems. I'm not going to deploy freeIPA for real before I can at
>> > least run successfully a plain installation.
>>
>> Hi,
>>
>> I find it a bit unexpected that the client system didn't have
>> nsswitch.conf configured. I've never seen the client installation fail
>> in this particular way.
>>
>> For debugging SSSD issues, we've created a new troubleshooting page
>> upstream that should walk you through the config:
>>     https://fedorahosted.org/sssd/wiki/Troubleshooting
>> maybe this article would also help:
>>     https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
>>
>> But most importantly, I wouldn't expect to see any issues as long as
>> you use ipa-client-install. I guess re-enrolling the client would be the
>> fastest way forward?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
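As an added example (not code from this thread or from the FreeIPA project), the script below classifies the two kinds of evidence quoted in the mail: the `nsupdate -g` debug transcripts from the DNS update step, and the time-synchronisation messages printed by `ipa-client-install`. The two failing transcripts are the ones pasted above; the success transcript, the `ADVICE` wording and the function names are constructed assumptions for illustration.

```python
import re

# Debug-output patterns from "nsupdate -g -d", as quoted in the thread.
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id:\s*(\d+)")
COMM_FAIL_RE = re.compile(r"; Communication with (\S+)#(\d+) failed: (.+)$")
QUESTION_RE = re.compile(r"^;(\S+)\s+(\S+)\s+(\S+)$")

# Next thing to check per failure mode (general guidance, not a diagnosis of the
# poster's server; assumption of this example).
ADVICE = {
    "no_reply": "No answer from the zone master at all: confirm the client reaches it "
                "on port 53 (UDP and TCP) and that /etc/resolv.conf points at it.",
    "tkey_servfail": "The master answered SERVFAIL to the TKEY query, so the GSS-TSIG key "
                     "negotiation failed before any update was sent. TKEY is Kerberos-based: "
                     "check the client's host ticket and clock agreement with the KDC first.",
    "ok": "GSS-TSIG negotiation completed; the update itself can proceed.",
}


def _clean(line):
    # The list archive renders the sender's bold markup as surrounding '*'.
    return line.strip().strip("*").strip()


def classify_nsupdate(transcript):
    """Summarise an nsupdate -g debug transcript as a dict (stage, server, rcode, qtype)."""
    server = rcode = qtype = None
    unreachable = in_question = False
    for raw in transcript.splitlines():
        line = _clean(raw)
        m = COMM_FAIL_RE.search(line)
        if m:
            server = m.group(1)          # address the client tried to talk to
        m = HEADER_RE.search(line)
        if m:
            rcode = m.group(2)           # DNS response code from the reply header
        if line.startswith(";; QUESTION SECTION:"):
            in_question = True
            continue
        if in_question:                  # the line right after the section header
            in_question = False
            m = QUESTION_RE.match(line)
            if m:
                qtype = m.group(3)       # e.g. TKEY for the GSS-TSIG negotiation
        if line == "could not reach any name server":
            unreachable = True
    if rcode is None and unreachable:
        stage = "no_reply"
    elif rcode == "SERVFAIL" and qtype == "TKEY":
        stage = "tkey_servfail"
    elif rcode == "NOERROR":
        stage = "ok"
    elif rcode is not None:
        stage = "rcode_" + rcode.lower()
    else:
        stage = "unknown"
    return {"stage": stage, "server": server, "rcode": rcode, "qtype": qtype,
            "advice": ADVICE.get(stage, "Inspect the full transcript.")}


def time_sync_state(install_output):
    """Classify the time-sync messages that ipa-client-install printed."""
    if "conflicting service (chronyd) is enabled" in install_output:
        return "chronyd_conflict"   # installer refused to configure ntpd
    if "Unable to sync time with IPA NTP server" in install_output:
        return "sync_failed"        # ntpd forced, but no NTP sync happened
    if "Synchronizing time with KDC" in install_output:
        return "sync_ok"            # sync step ran with no error reported
    return "unknown"


# Sample transcripts: the first two are pasted from the mail above; the third is
# constructed to show the success shape and is an assumption of this example.
SERVFAIL_LOG = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*Reply from SOA query:*
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY

response to SOA query was unsuccessful
"""
NOREPLY_LOG = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*could not reach any name server*
"""
OK_LOG = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
send_gssrequest
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   4924
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY
"""

if __name__ == "__main__":
    for name, log in (("servfail", SERVFAIL_LOG), ("noreply", NOREPLY_LOG), ("ok", OK_LOG)):
        print(name, classify_nsupdate(log)["stage"])
```

The distinction the script draws is the one the poster noticed: before the chronyd change there was no reply at all (a reachability problem), afterwards the server did answer but failed the TKEY negotiation, which is a Kerberos-layer problem rather than a DNS one. Checking time sync before the DNS step is the cheaper order, because GSS-TSIG cannot work while the client's tickets are unusable.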