[Freeipa-users] IPA Client Install problems
Rob Crittenden
rcritten at redhat.com
Tue Oct 11 22:52:27 UTC 2016
Tyrell Jentink wrote:
> First off... new to the list, thank you in advance for your assistance!
>
> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
> repositories, and dnf says it's up to date. FreeIPA has a trust set up
> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
> be working...
>
> The first client I connected was a Raspberry Pi running Pidora. This
> client appears to have connected fine, and appears to be working (I
> guess I haven't tried logging in as an ActiveDirectory user; But it's
> certainly NOT having any DNS issues, as other clients are; See below...)
>
> Then I tried connecting a second client, a system running Fedora 24 with
> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
> plan... Here's the output of ipa-client-install:
>
> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd. Will timeout after 15 seconds
> Attempting to sync time using ntpd. Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for admin at IPA.RXRHOUSE.NET:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Valid From: Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server
> 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server
> 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server
> 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.
>
>
> Of concern, the installer failed to update DNS records, resulting in a
> missing reverse record, and eventually failing to update the DNS SSHFP
> records. Looking in the Web UI for FreeIPA server, I see that the
> client is registered, but it doesn't have any SSH keys, and as
> expected, doesn't have a reverse zone... But the Raspberry Pi DOES.
>
> Just to be fully sure something was wrong... I tried connecting with a
> clean install of Fedora 24 running in a virtual machine, and had the
> same issue. I've googled around, and can't find anyone having any
> similar issues... And I didn't accidentally stumble across anything
> interesting while exploring logs... But I honestly don't know where to
> look.
>
> TO BE CLEAR, things appear to work just fine from freeipa-client version
> 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
> latest versions from Fedora 24 on x86_64 hardware...
>
> Where should I look first? Thank you for any assistance...
Look in /var/log/ipaclient-install.log for debug logging of the install.
rob
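
The installer output quoted above ends with "Client configuration complete." even though the time sync, DNS update and SSHFP steps failed. As an added example (not part of the original thread and not FreeIPA code), this Python sketch scans such console output for the failure messages shown in the post and derives the PTR owner name to check for each missing reverse record; the function name `triage` and the message list are assumptions taken only from the quoted output.

```python
import ipaddress
import re

# Failure messages exactly as they appear in the quoted installer output.
# Assumption: this covers only what the post shows, not every message
# ipa-client-install can emit.
FAILURE_PATTERNS = {
    "time_sync": re.compile(r"Unable to sync time with NTP server"),
    "dns_update": re.compile(r"Failed to update DNS records"),
    "sshfp": re.compile(r"Could not update DNS SSHFP records"),
}
MISSING_PTR = re.compile(r"Missing reverse record\(s\) for address\(es\): (.+?)\.?$")


def triage(output: str) -> dict:
    """Return failed steps and the PTR names to verify, from installer output."""
    failed, ptr_names = [], []
    completed = False
    for raw in output.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted ("> ") lines
        for step, pattern in FAILURE_PATTERNS.items():
            if pattern.search(line) and step not in failed:
                failed.append(step)
        match = MISSING_PTR.search(line)
        if match:
            for addr in re.split(r"[,\s]+", match.group(1)):
                # reverse_pointer yields the in-addr.arpa / ip6.arpa owner name
                ptr_names.append(ipaddress.ip_address(addr).reverse_pointer)
        if line == "Client configuration complete.":
            completed = True
    return {"completed": completed, "failed": failed, "ptr_names": ptr_names}


# Sample input: lines copied from the post's quoted output (trimmed).
SAMPLE = """\
> Unable to sync time with NTP server, assuming the time is in sync.
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Could not update DNS SSHFP records.
> Client configuration complete.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `failed` list alongside `completed: True` is the situation described in the post; the debug detail for each failed step is in /var/log/ipaclient-install.log, as the reply says.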