[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

Rob Crittenden rcritten at redhat.com
Thu Dec 8 15:28:44 UTC 2016


James Harrison wrote:
> 
> Hi,
> I would prefer not to compile anything. It means we have to maintain the
> package, rather than the distro maintainers.
> 
> Trusty has a completely different set of errors to Precise. 
> 
> Xenial works with no problems.
> 
> I run a script that allows the system to join the IPA domain (the same
> script regardless of Ubuntu distro):
> 
> ( $P_W is read in from stdin)
> 
> ipa-client-install \
>      --server="$IPA_SERVER" \
>      --domain=dns.domain.com \
>      --principal=admin \
>      --password="$P_W" \
>      --preserve-sssd \
>      --mkhomedir \
>      --no-ntp \
>      -U
> 
> 
> Enter (Admins) Password:  
> Confirm Password:
> Hostname: jamestrusty.dns.domain.com
> Realm: IPA.REALM.COM
> DNS Domain: dns.domain.com
> IPA Server: pul-lv-ipa-01.dns.domain.com
> BaseDN: dc=int,dc=worldfirst,dc=com
> 
> Synchronizing time with KDC...
> Dec  8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5 at 1.2349-o Wed
> Oct  5 12:35:26 UTC 2016 (1)
> Dec  8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
> ...
> ...
> ...
> ...
> ...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
>     Subject:     CN=SOMECERT
>     Issuer:      CN=SOMECERT
>     Valid From:  Wed Mar 12 00:00:00 2014 UTC
>     Valid Until: Sun Mar 11 23:59:59 3029 UTC
> 
> Enrolled in IPA realm IPA.REALM.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Failed to add CA to the default NSS database.
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm:
> Configuration file does not specify default realm.
> 
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Client uninstall complete.

The stdout is usually not very helpful; /var/log/ipaclient-install.log
contains the real details.

Still, were I to guess, the required NSS database (and directory)
doesn't exist. This would be located in either /etc/ipa/nssdb or
/etc/pki/nssdb.

rob

> 
> 
> ------------------------------------------------------------------------
> *From:* Lukas Slebodnik <lslebodn at redhat.com>
> *To:* James Harrison <jamesaharrisonuk at yahoo.co.uk>
> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Thursday, 8 December 2016, 11:22
> *Subject:* Re: [Freeipa-users] Problem with Free IPA Client Ubuntu
> Precise (12.04) authenticating with AD account
> 
> On (07/12/16 18:19), James Harrison wrote:
>>Hi all,
>>
>>I am trying to authenticate an ubuntu Precise (12.06) fully patched
> system. It's enrolled into a FreeIPA server. The following trace is the
> output of syslog auth sssd/*.log and full debug (-ddd) from the sshd
> service.
>>
> Are you able to reproduce with ubuntu 14.04
> and sssd from trusty-updates(1.11.8-0ubuntu0.3)
> You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
> or at least 1.12.5-1~trusty1 from ppa
> https://launchpad.net/~sssd
> 
> 
> LS
> 
> 
> 
> 
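The check suggested in the reply above, as an added shell example that is not part of the original thread or of ipa-client-install: it reports whether either NSS database directory named in the reply exists and actually holds a database, and pulls error lines from the installer log. The function names, the optional root prefix, and the assumption that the log marks errors with the word ERROR are illustrative.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from FreeIPA or from the thread.

# Classify a candidate NSS database directory.
# Prints one of: missing | empty | dbm | sql
nssdb_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
    elif [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql          # SQLite-format NSS database
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm          # legacy Berkeley DB format
    else
        echo empty        # directory exists but holds no NSS database
    fi
}

# Print the last N error lines from the installer log.
# Assumption: the log level appears as the standalone word ERROR.
install_errors() {
    log=$1; n=${2:-20}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    grep -w 'ERROR' "$log" | tail -n "$n"
}

# Report on both locations named in the reply.
# Returns 0 if at least one of them holds a database, 1 otherwise.
check_client_nssdb() {
    root=${1:-}           # optional prefix so the check can run on a test tree
    found=1
    for d in /etc/ipa/nssdb /etc/pki/nssdb; do
        s=$(nssdb_status "$root$d")
        echo "$d: $s"
        case $s in sql|dbm) found=0 ;; esac
    done
    return $found
}
```

On the affected client, run `check_client_nssdb` and then `install_errors /var/log/ipaclient-install.log` as root after sourcing the file.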



