[Freeipa-users] IPA Client Install problems

Rob Crittenden rcritten at redhat.com
Tue Oct 11 22:52:27 UTC 2016


Tyrell Jentink wrote:
> First off...  new to the list, thank you in advance for your assistance!
>
> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
> repositories, and dnf says it's up to date. FreeIPA has a trust set up
> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
> be working...
>
> The first client I connected was a Raspberry Pi running Pidora.  This
> client appears to have connected fine, and appears to be working (I
> guess I haven't tried logging in as an ActiveDirectory user;  But it's
> certainly NOT having any DNS issues, as other clients are; See below...)
>
> Then I tried connecting a second client, a system running Fedora 24 with
> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
> plan...  Here's the output of ipa-client-install:
>
>     Discovery was successful!
>     Client hostname: trainmaster.ipa.rxrhouse.net
>     Realm: IPA.RXRHOUSE.NET
>     DNS Domain: ipa.rxrhouse.net
>     IPA Server: ipa-pdc.ipa.rxrhouse.net
>     BaseDN: dc=ipa,dc=rxrhouse,dc=net
>     Continue to configure the system with these values? [no]: yes
>     Synchronizing time with KDC...
>     Attempting to sync time using ntpd.  Will timeout after 15 seconds
>     Attempting to sync time using ntpd.  Will timeout after 15 seconds
>     Unable to sync time with NTP server, assuming the time is in sync.
>     Please check that 123 UDP port is opened.
>     User authorized to enroll computers: admin
>     Password for admin@IPA.RXRHOUSE.NET:
>     Successfully retrieved CA cert
>          Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>          Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>          Valid From:  Thu Sep 08 17:27:47 2016 UTC
>          Valid Until: Mon Sep 08 17:27:47 2036 UTC
>     Enrolled in IPA realm IPA.RXRHOUSE.NET
>     Created /etc/ipa/default.conf
>     New SSSD config will be created
>     Configured sudoers in /etc/nsswitch.conf
>     Configured /etc/sssd/sssd.conf
>     Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>     trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>     Forwarding 'ping' to json server
>     'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>     Forwarding 'ca_is_enabled' to json server
>     'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>     Systemwide CA database updated.
>     Failed to update DNS records.
>     Missing reverse record(s) for address(es): 10.42.0.100.
>     Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>     Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>     Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>     Forwarding 'host_mod' to json server
>     'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>     Could not update DNS SSHFP records.
>     SSSD enabled
>     Configured /etc/openldap/ldap.conf
>     NTP enabled
>     Configured /etc/ssh/ssh_config
>     Configured /etc/ssh/sshd_config
>     Configuring ipa.rxrhouse.net as NIS domain.
>     Client configuration complete.
>
>
> Of concern, the installer failed to update DNS records, resulting in a
> missing reverse record, and eventually failing to update the DNS SSHFP
> records.  Looking in the Web UI for FreeIPA server, I see that the
> client is registered, but it doesn't have any SSH keys, and as
> expected, doesn't have a reverse zone...  But the Raspberry Pi DOES.
>
> Just to be fully sure something was wrong...  I tried connecting with a
> clean install of Fedora 24 running in a virtual machine, and had the
> same issue.  I've googled around, and can't find anyone having any
> similar issues...  And I didn't accidentally stumble across anything
> interesting while exploring logs...  But I honestly don't know where to
> look.
>
> TO BE CLEAR, things appear to work just fine from freeipa-client version
> 3.3.3-4.fc20  on pidora on a Raspberry Pi, but it's NOT working with the
> latest versions from Fedora 24 on x86_64 hardware...
>
> Where should I look first?  Thank you for any assistance...

Look in /var/log/ipaclient-install.log for debug logging of the install.

rob
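
A triage helper for the installer output quoted above, as an added example that is not part of the original thread or of FreeIPA itself: it picks out the DNS-related failure lines and derives the PTR owner name each missing reverse record should have, so the reverse zone can be checked on the server. The function name, the sample text and the comma-separated form of a multi-address list are assumptions.

```python
import ipaddress
import re

# Constructed sample: the three problem lines from the installer output quoted
# in this thread, plus two unrelated lines.
SAMPLE_OUTPUT = """\
Systemwide CA database updated.
Failed to update DNS records.
Missing reverse record(s) for address(es): 10.42.0.100.
Could not update DNS SSHFP records.
SSSD enabled
"""

# Messages copied verbatim from the quoted output; this is not a complete
# catalogue of ipa-client-install warnings.
DNS_PROBLEMS = (
    "Failed to update DNS records.",
    "Could not update DNS SSHFP records.",
)
MISSING_PTR = re.compile(r"Missing reverse record\(s\) for address\(es\): (.+?)\.?$")


def triage(output):
    """Return (dns_problem_lines, {address: expected PTR owner name})."""
    problems, ptr_names = [], {}
    for raw in output.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted pastes
        if line in DNS_PROBLEMS:
            problems.append(line)
        m = MISSING_PTR.match(line)
        if m:
            problems.append(line)
            # Assumption: several addresses would be comma-separated.
            for item in m.group(1).split(","):
                addr = ipaddress.ip_address(item.strip())
                ptr_names[str(addr)] = addr.reverse_pointer
    return problems, ptr_names


if __name__ == "__main__":
    found, ptrs = triage(SAMPLE_OUTPUT)
    for line in found:
        print("DNS problem:", line)
    for addr, name in ptrs.items():
        print(f"expected PTR record for {addr}: {name}")
```
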



