[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Rob Crittenden
rcritten at redhat.com
Thu Dec 8 15:28:44 UTC 2016
James Harrison wrote:
>
> Hi,
> I would prefer not to compile anything. It means we have to maintain the
> package, rather than the distro maintainers.
>
> Trusty has a completely different set of errors to Precise.
>
> Xenial works with no problems.
>
> I run a script that allows the system to join the IPA domain (the same
> script regardless of Ubuntu distro):
>
> ( $P_W is read in from stdin)
>
> ipa-client-install \
> --server="$IPA_SERVER" \
> --domain=dns.domain.com \
> --principal=admin \
> --password="$P_W" \
> --preserve-sssd \
> --mkhomedir \
> --no-ntp \
> -U
>
>
> Enter (Admins) Password:
> Confirm Password:
> Hostname: jamestrusty.dns.domain.com
> Realm: IPA.REALM.COM
> DNS Domain: dns.domain.com
> IPA Server: pul-lv-ipa-01.dns.domain.com
> BaseDN: dc=int,dc=worldfirst,dc=com
>
> Synchronizing time with KDC...
> Dec 8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5 at 1.2349-o Wed
> Oct 5 12:35:26 UTC 2016 (1)
> Dec 8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
> ...
> ...
> ...
> ...
> ...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
> Subject: CN=SOMECERT
> Issuer: CN=SOMECERT
> Valid From: Wed Mar 12 00:00:00 2014 UTC
> Valid Until: Sun Mar 11 23:59:59 3029 UTC
>
> Enrolled in IPA realm IPA.REALM.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Failed to add CA to the default NSS database.
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm:
> Configuration file does not specify default realm.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Client uninstall complete.

The stdout is usually not very helpful, /var/log/ipaclient-install.log
contains the real details.

Still, were I to guess, the required NSS database (and directory)
doesn't exist. This would be located in either /etc/ipa/nssdb or
/etc/pki/nssdb.

rob

>
>
> ------------------------------------------------------------------------
> *From:* Lukas Slebodnik <lslebodn at redhat.com>
> *To:* James Harrison <jamesaharrisonuk at yahoo.co.uk>
> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Thursday, 8 December 2016, 11:22
> *Subject:* Re: [Freeipa-users] Problem with Free IPA Client Ubuntu
> Precise (12.04) authenticating with AD account
>
> On (07/12/16 18:19), James Harrison wrote:
>>Hi all,
>>
>>I am trying to authenticate an ubuntu Precise (12.06) fully patched
>>system. It's enrolled into a FreeIPA server. The following trace is the
>>output of syslog auth sssd/*.log and full debug (-ddd) from the sshd
>>service.
>>
> Are you able to reproduce with ubuntu 14.04
> and sssd from trusty-updates(1.11.8-0ubuntu0.3)
> You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
> or at least 1.12.5-1~trusty1 from ppa
> https://launchpad.net/~sssd
>
>
> LS
>
>
>
>
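
A way to check the guess in the reply above, that the NSS database directory is missing, before re-running the installer. This is an added example, not code from the thread or from the FreeIPA project: the function names and the ROOT prefix parameter are hypothetical, and the file sets tested are the standard NSS ones (cert9.db/key4.db/pkcs11.txt for the SQL format, cert8.db/key3.db/secmod.db for the legacy DBM format).

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# nss_db_state DIR prints one of:
#   missing     DIR does not exist
#   sql         cert9.db, key4.db and pkcs11.txt are all present
#   dbm         cert8.db, key3.db and secmod.db are all present (legacy)
#   incomplete  DIR exists but neither file set is complete
nss_db_state() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ]; then
        echo dbm
    else
        echo incomplete
    fi
}

# check_ipa_nssdb [ROOT] reports on both locations named in the reply.
# ROOT is an assumed optional prefix so the check can run against a mounted
# image or a test tree; empty means the live filesystem.
# Returns 0 if at least one location holds a complete database, 1 otherwise.
check_ipa_nssdb() {
    root=${1:-}
    found=1
    for d in /etc/ipa/nssdb /etc/pki/nssdb; do
        state=$(nss_db_state "$root$d")
        echo "$d: $state"
        case $state in
            sql|dbm) found=0 ;;
        esac
    done
    return $found
}

# Usage: check_ipa_nssdb || echo "no usable NSS database found"
```

A result of `missing` or `incomplete` for both paths is consistent with the "Failed to add CA to the default NSS database" line in the installer output; /var/log/ipaclient-install.log remains the place to confirm the cause.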