[Freeipa-users] IPA Client Install problems
Tyrell Jentink
tyrell at jentink.net
Wed Oct 12 01:24:41 UTC 2016
Thank you, Rob.
For reference, my full log can be found here: http://pastebin.com/6VLaQjYw
But I would postulate that the interesting bit is this:
> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815
> 1476223815 3 NOERROR 683 YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA
> AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow
> KKADAgEBoSEwHxsDRE5TGxhpcGEtcGRjLmlwYS5yeHJob3VzZS5uZXSj
> ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIeFubKS/x0aKfc7u/f9Z5Ro8
> pZZ4RkIlwOWAAuiSxJNmoaIhYgYNitn2pkAII+eKtdialtAI/1418exm
> sM7zahCj0MWpBIYQZB4tsN9JZMaKF7SK5TlewH9mZitjd+hbQ5iwjklV
> 8P6OOMsIRIytywnd8eD/988GQz3C5CfBU1pQM5Bkox4vSRawZJRUy0xx
> C8H4nOOPsJZd9AozsaAZSR4EeA05IbW+gxxIeXjShPDwRF6fs4sNxZUt
> FEkdujVZOaM4M4olLadzScsXDi2pO/8WqjJdDwMfLD95+CHSiFMSyJqy
> nwem6dzJTJvyLTq4fKO+ajmUHw5tV30Pg7w9krEiFSTuFkCmKW1a2GQo
> 5Lm3VQF34cnYTA+5K8yEwLiTqX+kgfAwge2gAwIBEqKB5QSB4u9m77de
> VD1pQ+DUyBKaC2jOgD/uUWAyfNNojNAtKAMGbHzDWSRASe1Xd+RNgwIa
> QdT2PC6kHbJMz9jaJu/0fxC9JmPp6Qe6p8CGaQ6IvPGm4838TlGdGhuS
> YpUwVAEqvl85S23+yT3Qo/O8Qffhi4i/WDdiBHGGDrKF4CCZXJrr/F+L Pd8oabRE81h+
> 4Tu7KBTApBwWYFYQSct7Q9ZrFiUuQzbpc2ZjXaVLi3ai uvH2NLWvLwxt8Z8PYRHgTrEYb/QfEluP2qfbo6XuO4UHoF7rN8d28bnw
> bhUsEYaVs1r8Pxk= 0
>
> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18681
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net. IN SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net. 60 IN SOA ipa-pdc.ipa.rxrhouse.net.
> hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>
> ;; ADDITIONAL SECTION:
> ipa-pdc.ipa.rxrhouse.net. 353 IN A 10.42.0.11
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ANSWER SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678
> 1466728078 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
> MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> AwIBAaELMAkbB2FkLXBkYyQ= 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> failure. Minor code may provide more information, Minor = Message stream
> modified.
>
> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.

This isn't the first time I've seen this "Unspecified GSS failure [...]
Message stream modified" error, and I suspect it to be the root of my
problem... But my google-foo is not strong with this one... I'm not sure
how to proceed.
On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Tyrell Jentink wrote:
>
>> First off... new to the list, thank you in advance for your assistance!
>>
>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>> repositories, and dnf says it's up to date. FreeIPA has a trust set up
>> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>> be working...
>>
>> The first client I connected was a Raspberry Pi running Pidora. This
>> client appears to have connected fine, and appears to be working (I
>> guess I haven't tried logging in as an ActiveDirectory user; But it's
>> certainly NOT having any DNS issues, as other clients are; See below...)
>>
>> Then I tried connecting a second client, a system running Fedora 24 with
>> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
>> plan... Here's the output of ipa-client-install:
>>
>> Discovery was successful!
>> Client hostname: trainmaster.ipa.rxrhouse.net
>> Realm: IPA.RXRHOUSE.NET
>> DNS Domain: ipa.rxrhouse.net
>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>> BaseDN: dc=ipa,dc=rxrhouse,dc=net
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>> Unable to sync time with NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for admin at IPA.RXRHOUSE.NET:
>> Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>> Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>> Valid From: Thu Sep 08 17:27:47 2016 UTC
>> Valid Until: Mon Sep 08 17:27:47 2036 UTC
>> Enrolled in IPA realm IPA.RXRHOUSE.NET
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>> Forwarding 'ping' to json server
>> 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Forwarding 'ca_is_enabled' to json server
>> 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Systemwide CA database updated.
>> Failed to update DNS records.
>> Missing reverse record(s) for address(es): 10.42.0.100.
>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Forwarding 'host_mod' to json server
>> 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Could not update DNS SSHFP records.
>> SSSD enabled
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Configuring ipa.rxrhouse.net as NIS domain.
>> Client configuration complete.
>>
>>
>> Of concern, the installer failed to update DNS records, resulting in a
>> missing reverse record, and eventually failing to update the DNS SSHFP
>> records. Looking in the Web UI for FreeIPA server, I see that the
>> client is registered, but it doesn't have any SSH keys, and as
>> expected, doesn't have a reverse zone... But the Raspberry Pi DOES.
>>
>> Just to be fully sure something was wrong... I tried connecting with a
>> clean install of Fedora 24 running in a virtual machine, and had the
>> same issue. I've googled around, and can't find anyone having any
>> similar issues... And I didn't accidentally stumble across anything
>> interesting while exploring logs... But I honestly don't know where to
>> look.
>>
>> TO BE CLEAR, things appear to work just fine from freeipa-client version
>> 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
>> latest versions from Fedora 24 on x86_64 hardware...
>>
>> Where should I look first? Thank you for any assistance...
>>
>
> Look in /var/log/ipaclient-install.log for debug logging of the install.
>
> rob
>
>
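An added triage script, not part of this thread and not FreeIPA's own code, that pulls the fields a defender needs out of an ipa-client-install log carrying nsupdate -g debug output like the one quoted above (zone, master, realm, GSSAPI major/minor status, nsupdate exit code, missing reverse records) and turns them into findings. The embedded sample log is a constructed, abbreviated copy of the lines quoted in this message with the mail-wrapped lines rejoined; the hint text attached to each GSSAPI minor status is the example's own general Kerberos guidance and is an assumption, not something stated in the thread.

```python
"""Triage an ipa-client-install / nsupdate -g debug log for GSS-TSIG failures.

Added example; not code from this thread or from the FreeIPA project.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: abbreviated copy of the installer messages and nsupdate
# debug output quoted in the thread, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
;; UPDATE SECTION:
trainmaster.ipa.rxrhouse.net. 0 ANY A
2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
Found zone name: ipa.rxrhouse.net
The master is: ipa-pdc.ipa.rxrhouse.net
start_gssrequest
Found realm from ticket: IPA.RXRHOUSE.NET
send_gssrequest
recvmsg reply from GSS-TSIG query
dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Message stream modified.
2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-10-11T22:10:15Z ERROR Failed to update DNS records.
Missing reverse record(s) for address(es): 10.42.0.100.
"""

# Hints for GSSAPI minor statuses seen when a TKEY negotiation fails. This is
# the example's own general Kerberos guidance (an assumption), not thread text.
GSS_MINOR_HINTS = {
    "Message stream modified": (
        "KRB_AP_ERR_MODIFIED: the DNS master could not verify the client's "
        "AP-REQ with the key it holds; check that the DNS/<master> principal "
        "the client asked for matches the master's keytab and hostname."
    ),
    "Clock skew too great": (
        "KRB_AP_ERR_SKEW: client and server clocks differ too much; fix time "
        "synchronisation first."
    ),
}


@dataclass
class Triage:
    zone: Optional[str] = None
    master: Optional[str] = None
    realm: Optional[str] = None
    gss_major: Optional[str] = None
    gss_minor: Optional[str] = None
    nsupdate_cmd: Optional[str] = None
    nsupdate_rc: Optional[int] = None
    missing_reverse: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _grp(pattern: str, text: str, flags: int = re.M, n: int = 1) -> Optional[str]:
    """Return capture group n of the first match, whitespace-normalised."""
    m = re.search(pattern, text, flags)
    return re.sub(r"\s+", " ", m.group(n)).strip() if m else None


def triage(text: str) -> Triage:
    """Extract the GSS-TSIG update facts from the log and derive findings."""
    t = Triage()
    t.zone = _grp(r"^Found zone name:\s*(\S+)", text)
    t.master = _grp(r"^The master is:\s*(\S+)", text)
    t.realm = _grp(r"^Found realm from ticket:\s*(\S+)", text)
    gss = (r"GSSAPI error: Major = (.*?)\.\s*Minor code may provide more "
           r"information, Minor = (.*?)\.?\s*$")
    t.gss_major = _grp(gss, text, re.S | re.M, 1)
    t.gss_minor = _grp(gss, text, re.S | re.M, 2)
    ns = r"nsupdate failed: Command '(.*?)' returned non-zero exit status (\d+)"
    t.nsupdate_cmd = _grp(ns, text, re.S, 1)
    rc = _grp(ns, text, re.S, 2)
    t.nsupdate_rc = int(rc) if rc is not None else None
    rev = _grp(r"Missing reverse record\(s\) for address\(es\):\s*(.*?)\.\s*$", text)
    t.missing_reverse = [a.strip() for a in rev.split(",")] if rev else []

    if "Unable to sync time with NTP server" in text:
        t.findings.append("Installer could not sync time with NTP; Kerberos "
                          "(and so GSS-TSIG) needs agreeing clocks, so confirm "
                          "client and master time before chasing the GSS error.")
    if t.gss_minor:
        hint = GSS_MINOR_HINTS.get(t.gss_minor, "Unrecognised GSSAPI minor status.")
        t.findings.append(f"GSS-TSIG (TKEY) negotiation with "
                          f"{t.master or 'the DNS master'} failed: {t.gss_minor}. {hint}")
    if t.nsupdate_rc not in (None, 0):
        t.findings.append(f"nsupdate exited {t.nsupdate_rc}; the client's A/PTR/SSHFP "
                          "records were not written, so DNS-based host verification "
                          "for this client is incomplete until the update succeeds.")
    if t.missing_reverse:
        t.findings.append("No PTR record for: " + ", ".join(t.missing_reverse))
    return t


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = triage(src)
    print(f"zone={r.zone} master={r.master} realm={r.realm} gss_minor={r.gss_minor!r}")
    for f in r.findings:
        print(" -", f)
    sys.exit(1 if r.findings else 0)
```

Run it as `python3 triage.py /var/log/ipaclient-install.log` (the file Rob points at); with no argument it triages the embedded sample. The real log keeps each message on one line, which is what the patterns expect; the line wrapping in the quoted mail text is an artefact of the mail client, and the parser collapses any whitespace it does meet inside a captured field.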