[Freeipa-users] ipa-client-install failure

Martin Kosek mkosek at redhat.com
Wed Mar 25 12:26:25 UTC 2015


On 03/24/2015 02:49 PM, Dmitri Pal wrote:
> On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:
>> Hi there,
>>
>> All the issues I reported in this long thread are SOLVED.
> 
> Thanks for closing the loop.

Indeed!

> 
>> For completeness, I'm posting here the conclusions.
>>
>> ipa-client-install did enroll the client but failed in several points:
>>
>> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
>> [...]
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
>> check that 123 UDP port is opened.
>> [...]
>> Failed to update DNS records.
>> [...]
>> Could not update DNS SSHFP records.
>> [...]
>> Unable to find 'admin' user with 'getent passwd admin@hq.example.com'!
>> Unable to reliably detect configuration. Check NSS setup manually.
>> [...]
>> Client configuration complete.
>>
>> There were two distinct problems:
>>
>> 1) NTP sync failed because despite using --force-ntp, chronyd wasn't stopped
>> beforehand. Stopping it manually solved the issue. I believe
>> ipa-client-install stopping chronyd was the intended behaviour, in which case
>> this is perhaps a bug. If it needs to be stopped manually, then it should be
>> documented clearly.
>> The failed NTP sync caused Kerberos to fail, which explains "Unable to find
>> 'admin' user with 'getent passwd admin@hq.example.com'".
> 
> We should probably file a ticket about this. I am just not sure what exactly it
> should be.

This is a bug, yes. I filed https://fedorahosted.org/freeipa/ticket/4963, it
can be fixed together with other related chronyd changes that David is working on.

>> 2) DNS update failed because for some obscure reason I forgot to open port
>> 53/tcp on the server's firewall. Only 53/udp was open. This fooled me,
>> because with 53/udp open, the DNS was almost completely functional. However,
>> updates also require 53/tcp.

I added this as a troubleshooting tip to
http://www.freeipa.org/page/Troubleshooting#Failed_to_update_DNS_records
If you have other ideas how to extend the guide to help your followers, please
feel free to edit it directly or propose improvements.

>> All in all, it was a full 2-day digging and debugging. Bright side is, I
>> learned a lot.

Good! freeipa-users mission was successful :-)
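The two root causes in this thread (UDP/123 unreachable for NTP, and DNS that answers over UDP/53 but not TCP/53) are exactly the conditions a pre-flight check can surface before ipa-client-install is run. The following is an added example, not code from the thread or from FreeIPA: it sends a minimal DNS query to the server over both UDP and TCP, and a minimal NTP client request over UDP, and reports which transports answer. The server address and the zone name are command-line arguments; `hq.example.com` is used only as a sample name.

```python
#!/usr/bin/env python3
"""Pre-flight check for the ports ipa-client-install needs: DNS over UDP and
TCP (53), and NTP over UDP (123).  Added example; assumes nothing beyond the
Python standard library.  Usage: preflight.py <ipa-server> [zone-name]"""
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id so replies can be matched


def build_dns_query(name, qtype=1, txid=TXID):
    """Build a single-question DNS query (RD=1, class IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_rcode(resp, txid=TXID):
    """Return the RCODE of a DNS reply, checking it matches our txid."""
    if len(resp) < 12:
        raise ValueError("DNS reply shorter than a header")
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid:
        raise ValueError("DNS reply txid mismatch")
    return flags & 0x0F


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS TCP stream closed early")
        buf += chunk
    return buf


def dns_query_udp(server, name, timeout=3.0):
    q = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_dns_rcode(resp)


def dns_query_tcp(server, name, timeout=3.0):
    # DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)
    q = build_dns_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        resp = _recv_exact(s, n)
    return parse_dns_rcode(resp)


def build_ntp_request():
    """48-byte NTP packet: LI=0, version 4, mode 3 (client)."""
    return bytes([0x23]) + bytes(47)


def ntp_reply_ok(resp):
    """A server reply is 48 bytes with mode 4 in the low three bits."""
    return len(resp) == 48 and (resp[0] & 0x07) == 4


def ntp_probe_udp(server, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ntp_request(), (server, 123))
        resp, _ = s.recvfrom(48)
    return ntp_reply_ok(resp)


def run_checks(server, name):
    """Run all three probes; a failure is recorded as the exception text."""
    results = {}
    for label, fn in (("dns/udp", lambda: dns_query_udp(server, name)),
                      ("dns/tcp", lambda: dns_query_tcp(server, name)),
                      ("ntp/udp", lambda: ntp_probe_udp(server))):
        try:
            results[label] = "ok (result=%r)" % (fn(),)
        except (OSError, ValueError) as exc:
            results[label] = "FAILED: %s" % exc
    return results


if __name__ == "__main__":
    srv = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    zone = sys.argv[2] if len(sys.argv) > 2 else "hq.example.com"
    for k, v in run_checks(srv, zone).items():
        print("%-8s %s" % (k, v))
```

A result where `dns/udp` succeeds and `dns/tcp` fails is the "almost completely functional" DNS described above: lookups work but the nsupdate-driven record and SSHFP updates will not. An `ntp/udp` timeout points at the first problem (UDP/123 blocked, or chronyd still bound to the port on the client).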
