[Freeipa-users] Configuration of client side components failed! on IPA Server

Martin Kosek mkosek at redhat.com
Wed Mar 25 13:37:22 UTC 2015


This should be in the official RHEL-7.1/CentOS-7.1 repos.

Or you can try our upstream CentOS-7 based Copr repo:

https://copr.fedoraproject.org/coprs/mkosek/freeipa/

On 03/25/2015 02:30 PM, Yogesh Sharma wrote:
> Hi Martin,
> 
> Finally, the issue has been resolved. :)
> 
> Is there an RPM available to install the latest IPA version on CentOS, or at least
> version 4.0.2?
> 
> 
> 
> 
> *Best Regards,__________________________________________*
> 
> *Yogesh Sharma*
> *Email: yks0000 at gmail.com <yks0000 at gmail.com> | Web: www.initd.in
> <http://www.initd.in>*
> 
> RHCE, VCE-CIA, RackSpace Cloud U
> [image: My LinkedIn Profile] <http://in.linkedin.com/in/yks0000>
> 
> 
> On Wed, Mar 25, 2015 at 6:43 PM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> Ah, may be. This is an issue we fixed in FreeIPA 4.0.2. Upstream ticket:
>>
>> https://fedorahosted.org/freeipa/ticket/4444
>>
>> Please let us know if the DNS update fixed the error.
>>
>> Martin
>>
>> On 03/25/2015 02:11 PM, Yogesh Sharma wrote:
>>> I think I got the issue. Realm Name Entry in DNS is added in lower case
>>> rather than UPPER.
>>>
>>> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
>>> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
>>> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
>>>
>>> Will try changing the Realm and see if it is resolved.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Mar 25, 2015 at 6:13 PM, Yogesh Sharma <yks0000 at gmail.com>
>> wrote:
>>>
>>>> Hi Martin,
>>>>
>>>> Please find the client logs:
>>>>
>>>>
>>>>
>>>> 2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with
>>>> options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords':
>>>> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
>>>> 'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server':
>> None,
>>>> 'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False,
>>>> 'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac':
>>>> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
>>>> 'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True,
>>>> 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None,
>> 'nisdomain':
>>>> None, 'prompt_password': False, 'permit': False, 'debug': False,
>>>> 'preserve_sssd': False, 'uninstall': False}
>>>> 2015-03-25T12:29:49Z DEBUG missing options might be asked for
>>>> interactively later
>>>> 2015-03-25T12:29:49Z DEBUG Loading Index file from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>>> 2015-03-25T12:29:49Z DEBUG Loading StateFile from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>>> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
>>>> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
>>>> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
>>>> ldap-inf-stg-sg1-01.sd.int
>>>> 2015-03-25T12:29:49Z DEBUG Server and domain forced
>>>> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
>>>> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
>>>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
>>>> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
>>>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ldap-inf-stg-sg1-01.sd.int.}
>>>> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
>>>> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
>>>> (realm sd.int) is an IPA server
>>>> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
>>>> ldap-inf-stg-sg1-01.sd.int:389
>>>> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
>>>> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for
>>>> IPA
>>>> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
>>>> context
>>>> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
>>>> dc=sd,dc=int (sub)
>>>> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
>>>> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
>>>> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
>>>> 2015-03-25T12:29:49Z DEBUG Validated servers:
>>>> 2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
>>>> 2015-03-25T12:29:49Z DEBUG IPA Server not found
>>>> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
>>>> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
>>>> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
>>>> ldap-inf-stg-sg1-01.sd.int
>>>> 2015-03-25T12:29:49Z DEBUG Server and domain forced
>>>> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
>>>> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
>>>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
>>>> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
>>>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ldap-inf-stg-sg1-01.sd.int.}
>>>> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
>>>> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
>>>> (realm sd.int) is an IPA server
>>>> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
>>>> ldap-inf-stg-sg1-01.sd.int:389
>>>> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
>>>> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for
>>>> IPA
>>>> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
>>>> context
>>>> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
>>>> dc=sd,dc=int (sub)
>>>> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
>>>> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
>>>> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
>>>> 2015-03-25T12:29:49Z DEBUG Validated servers:
>>>> 2015-03-25T12:29:49Z ERROR Failed to verify that
>>>> ldap-inf-stg-sg1-01.sd.int is an IPA Server.
>>>> 2015-03-25T12:29:49Z ERROR This may mean that the remote server is not
>> up
>>>> or is not reachable due to network or firewall settings.
>>>> 2015-03-25T12:29:49Z INFO Please make sure the following ports are
>> opened
>>>> in the firewall settings:
>>>>      TCP: 80, 88, 389
>>>>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>>> Also note that following ports are necessary for ipa-client working
>>>> properly after enrollment:
>>>>      TCP: 464
>>>>      UDP: 464, 123 (if NTP enabled)
>>>> 2015-03-25T12:29:49Z DEBUG (ldap-inf-stg-sg1-01.sd.int: Provided as
>>>> option)
>>>> 2015-03-25T12:29:49Z ERROR Installation failed. Rolling back changes.
>>>> 2015-03-25T12:29:49Z DEBUG Loading Index file from
>>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>>> 2015-03-25T12:29:49Z DEBUG args=ipa-client-automount --uninstall --debug
>>>> 2015-03-25T12:29:49Z DEBUG stdout=
>>>> 2015-03-25T12:29:49Z DEBUG stderr=IPA client is not configured on this
>>>> system.
>>>>
>>>>
>>>> 2015-03-25T12:29:49Z ERROR Unconfigured automount client failed: Command
>>>> 'ipa-client-automount --uninstall --debug' returned non-zero exit
>> status 1
>>>> 2015-03-25T12:29:49Z DEBUG Loading Index file from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>>> 2015-03-25T12:29:49Z DEBUG Loading StateFile from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>>> 2015-03-25T12:29:49Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb
>> -n
>>>> IPA CA
>>>> 2015-03-25T12:29:49Z DEBUG stdout=
>>>> 2015-03-25T12:29:49Z DEBUG stderr=certutil: Could not find cert: IPA CA
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>
>>>> 2015-03-25T12:29:49Z DEBUG args=/sbin/service messagebus start
>>>> 2015-03-25T12:29:49Z DEBUG stdout=Starting system message bus:
>>>>
>>>> 2015-03-25T12:29:49Z DEBUG stderr=
>>>> 2015-03-25T12:29:49Z DEBUG args=/sbin/service messagebus status
>>>> 2015-03-25T12:29:49Z DEBUG stdout=messagebus (pid  1151) is running...
>>>>
>>>> 2015-03-25T12:29:49Z DEBUG stderr=
>>>> 2015-03-25T12:29:49Z DEBUG args=/sbin/service certmonger start
>>>> 2015-03-25T12:29:49Z DEBUG stdout=
>>>> 2015-03-25T12:29:49Z DEBUG stderr=
>>>> 2015-03-25T12:29:49Z DEBUG args=/sbin/service certmonger status
>>>> 2015-03-25T12:29:49Z DEBUG stdout=certmonger (pid  13244) is running...
>>>>
>>>> 2015-03-25T12:29:49Z DEBUG stderr=
>>>> 2015-03-25T12:29:57Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb
>> -n
>>>> IPA Machine Certificate - ldap-inf-stg-sg1-01.sd.int
>>>> 2015-03-25T12:29:57Z DEBUG stdout=
>>>> 2015-03-25T12:29:57Z DEBUG stderr=certutil: Could not find cert: IPA
>>>> Machine Certificate - ldap-inf-stg-sg1-01.sd.int
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>
>>>> 2015-03-25T12:29:57Z DEBUG args=/sbin/service certmonger stop
>>>> 2015-03-25T12:29:57Z DEBUG stdout=Stopping certmonger:     [  OK  ]
>>>>
>>>> 2015-03-25T12:29:57Z DEBUG stderr=
>>>> 2015-03-25T12:29:59Z DEBUG args=/sbin/chkconfig certmonger off
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=
>>>> 2015-03-25T12:29:59Z INFO Removing Kerberos service principals from
>>>> /etc/krb5.keytab
>>>> 2015-03-25T12:29:59Z DEBUG args=/usr/sbin/ipa-rmkeytab -k
>> /etc/krb5.keytab
>>>> -r SD.INT
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=Removing principal host/
>>>> ldap-inf-stg-sg1-01.sd.int at SD.INT
>>>>
>>>> 2015-03-25T12:29:59Z INFO Disabling client Kerberos and LDAP
>> configurations
>>>> 2015-03-25T12:29:59Z DEBUG args=/usr/sbin/authconfig --disablekrb5
>>>> --disablesssd --update --disablemkhomedir --disableldap
>> --disablesssdauth
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=
>>>> 2015-03-25T12:29:59Z DEBUG Error while moving /etc/sssd/sssd.conf to
>>>> /etc/sssd/sssd.conf.deleted
>>>> 2015-03-25T12:29:59Z INFO Redundant SSSD configuration file
>>>> /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>>>> 2015-03-25T12:29:59Z DEBUG args=/sbin/service sssd stop
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=
>>>> 2015-03-25T12:29:59Z DEBUG args=/sbin/chkconfig sssd off
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=
>>>> 2015-03-25T12:29:59Z DEBUG args=/sbin/service nscd status
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=nscd: unrecognized service
>>>>
>>>> 2015-03-25T12:29:59Z INFO nscd daemon is not installed, skip
>> configuration
>>>> 2015-03-25T12:29:59Z DEBUG args=/sbin/service nslcd status
>>>> 2015-03-25T12:29:59Z DEBUG stdout=
>>>> 2015-03-25T12:29:59Z DEBUG stderr=nslcd: unrecognized service
>>>>
>>>> 2015-03-25T12:29:59Z INFO nslcd daemon is not installed, skip
>> configuration
>>>> 2015-03-25T12:29:59Z INFO Client uninstall complete.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Mar 25, 2015 at 6:10 PM, Martin Kosek <mkosek at redhat.com>
>> wrote:
>>>>
>>>>> On 03/25/2015 07:46 AM, Yogesh Sharma wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are getting below error while we are installing IPA Server
>>>>>> (ipa-server-install --no-ntp).
>>>>>>
>>>>>>
>>>>>> *Configuration of client side components failed!*
>>>>>> *ipa-client-install returned: Command '/usr/sbin/ipa-client-install
>>>>>> --on-master --unattended --domain sd.int --server
>>>>>> ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname
>>>>>> ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1*
>>>>>>
>>>>>> Logs indicate below errors:
>>>>>>
>>>>>> *2015-03-25T06:39:59Z DEBUG args=/usr/bin/ldappasswd -h
>>>>>> ldap-inf-stg-sg1-01.sd.int -ZZ -x -D
>>>>>> cn=Directory Manager -y /var/lib/ipa/tmpiI0qCS -T /var/lib/ipa/tmp0iYpzn
>>>>>> uid=admin,cn=users,cn=accounts,dc=sd,dc=int*
>>>>>> *2015-03-25T06:39:59Z DEBUG stdout=*
>>>>>> *2015-03-25T06:39:59Z DEBUG stderr=*
>>>>>> *2015-03-25T06:39:59Z DEBUG ldappasswd done*
>>>>>> *2015-03-25T06:40:10Z DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>>>> --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int
>>>>>> --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int*
>>>>>> *2015-03-25T06:40:10Z DEBUG stdout=*
>>>>>> *2015-03-25T06:40:10Z DEBUG stderr=Failed to verify that
>>>>>> ldap-inf-stg-sg1-01.sd.int is an IPA Server.*
>>>>>> *This may mean that the remote server is not up or is not reachable due to
>>>>>> network or firewall settings.*
>>>>>> *Please make sure the following ports are opened in the firewall settings:*
>>>>>> *     TCP: 80, 88, 389*
>>>>>> *     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)*
>>>>>> *Also note that following ports are necessary for ipa-client working
>>>>>> properly after enrollment:*
>>>>>> *     TCP: 464*
>>>>>> *     UDP: 464, 123 (if NTP enabled)*
>>>>>> *Installation failed. Rolling back changes.*
>>>>>> *Unconfigured automount client failed: Command 'ipa-client-automount
>>>>>> --uninstall --debug' returned non-zero exit status 1*
>>>>>> *Removing Kerberos service principals from /etc/krb5.keytab*
>>>>>> *Disabling client Kerberos and LDAP configurations*
>>>>>> *Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>>>>>> /etc/sssd/sssd.conf.deleted*
>>>>>> *nscd daemon is not installed, skip configuration*
>>>>>> *nslcd daemon is not installed, skip configuration*
>>>>>> *Client uninstall complete.*
>>>>>>
>>>>>> *2015-03-25T06:40:10Z INFO   File
>>>>>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
>>>>>> 614, in run_script*
>>>>>> *    return_value = main_function()*
>>>>>>
>>>>>> *  File "/usr/sbin/ipa-server-install", line 1103, in main*
>>>>>> *    sys.exit("Configuration of client side components
>>>>>> failed!\nipa-client-install returned: " + str(e))*
>>>>>>
>>>>>> *2015-03-25T06:40:10Z INFO The ipa-server-install command failed,
>>>>>> exception: SystemExit: Configuration of client side components failed!*
>>>>>> *ipa-client-install returned: Command '/usr/sbin/ipa-client-install
>>>>>> --on-master --unattended --domain sd.int --server
>>>>>> ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname
>>>>>> ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1*
>>>>>>
>>>>>>
>>>>>>
>>>>>> This server is on AWS and I can confirm that all of the above ports are opened.
>>>>>> Also, as it is installing on the same server where the IPA Server is being
>>>>>> installed, ports should not be an issue.
>>>>>>
>>>>>> Am I missing anything here?
>>>>>
>>>>> Please also share ipaclient-install.log, it should show what is the exact
>>>>> problem in the client component installation.
>>>>>
>>>>>
>>>>
>>>
>>
>>
> 
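
Added example (not part of the original thread and not FreeIPA's own code): a Python check for the failure diagnosed above, where the `_kerberos` TXT record carries `sd.int` while the LDAP realm container is `cn=SD.INT` and discovery ends in `REALM_NOT_FOUND`. The function name and verdict labels are illustrative assumptions; the sample lines come from the log quoted in the thread, with mail wrapping removed.

```python
import re

# Constructed sample: log lines from the ipaclient-install.log quoted in this
# thread, with the mail client's line wrapping removed.
SAMPLE_LOG = """\
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int (realm sd.int) is an IPA server
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
"""

# Patterns for the four facts the discovery log records (format as quoted above).
PATTERNS = {
    "dns_txt_realm": re.compile(r"name:_kerberos\.[^,]*,type:16,.*?rdata=\{data:([^}]+)\}"),
    "checked_realm": re.compile(r"Verifying that \S+ \(realm ([^)]+)\) is an IPA server"),
    "ldap_realm": re.compile(r"Found: cn=([^,]+),cn=kerberos,"),
    "result": re.compile(r"Discovery result: (\w+);"),
}


def diagnose_realm_discovery(log_text):
    """Extract the realm seen in DNS and LDAP and classify a discovery failure."""
    info = dict.fromkeys(PATTERNS)
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and info[key] is None:  # keep values from the first discovery pass
                info[key] = m.group(1).strip()
    checked, ldap = info["checked_realm"], info["ldap_realm"]
    if info["result"] != "REALM_NOT_FOUND":
        info["verdict"] = "no_realm_failure"
    elif checked is None or ldap is None:
        info["verdict"] = "incomplete_log"
    elif checked == ldap:
        info["verdict"] = "realm_matches"  # the failure has some other cause
    elif checked.lower() == ldap.lower():
        info["verdict"] = "case_mismatch"  # the situation reported in this thread
    else:
        info["verdict"] = "different_realm"
    return info


if __name__ == "__main__":
    for key, value in diagnose_realm_discovery(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
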



