<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/20/2015 01:25 PM, Roberto
      Cornacchia wrote:<br>
    </div>
    <blockquote
cite="mid:CAFGv-=c7=3ZO_0easTPkietOqBAx_PywZ8ZeBV2AAFcYEXq5Tg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Oops. Not true, forget last email.
        <div><br>
        </div>
        <div>This second client installation went differently just because
          it took the wrong domain.</div>
        <div>It used <b><a moz-do-not-send="true"
              href="http://example.com">example.com</a></b> (what was
          previously set) instead of <b><a moz-do-not-send="true"
              href="http://hq.example.com">hq.example.com</a></b></div>
        <div><br>
        </div>
        <div>Uninstalled, tried again with --hostname=<a
            moz-do-not-send="true" href="http://photon.hq.example.com">photon.hq.example.com</a></div>
        <div>And then it behaves precisely like the previous client.</div>
        <div><br>
        </div>
        <div>So something seems wrong in the server.</div>
        <div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On 20 March 2015 at 18:18, Roberto
              Cornacchia <span dir="ltr">&lt;<a moz-do-not-send="true"
                  href="mailto:roberto.cornacchia@gmail.com"
                  target="_blank">roberto.cornacchia@gmail.com</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div dir="ltr">
                  <div>
                    <div><font face="arial, helvetica, sans-serif">Update:</font></div>
                    <div><font face="arial, helvetica, sans-serif">I
                        tried from another client. Also FC21, same
                        network, same settings from the same DHCP. </font></div>
                    <div><font face="arial, helvetica, sans-serif">But
                        obviously it must have something different
                        because it partially succeeded.</font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">- I
                        do not get errors about LDAP users.</font></div>
                    <div><font face="arial, helvetica, sans-serif">- I
                        do not get errors about DNS update</font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">However:</font></div>
                    <div><font face="arial, helvetica, sans-serif">- I
                        still get the initial error about NTP</font></div>
                    <div><font face="arial, helvetica, sans-serif">- The
                        host is enrolled, but not added to the DNS zone</font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">Now,
                        I don't care much about the previous client. It
                        was pretty much empty and I can re-install Fedora
                        from scratch. </font></div>
                    <div><font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">But
                        I'd like to understand if this is still a
                        problem.</font></div>
                    <div><font face="arial, helvetica, sans-serif">It
                        should be added to the zone, shouldn't it?</font></div>
                    <div><font face="monospace, monospace"><br>
                      </font></div>
                    <div><font face="monospace, monospace">$
                        ipa-client-install --mkhomedir --ssh-trust-dns
                        --force-ntpd</font></div>
                    <div><font face="monospace, monospace">Discovery was
                        successful!</font></div>
                    <div><font face="monospace, monospace">Hostname: <a
                          moz-do-not-send="true"
                          href="http://photon.example.com"
                          target="_blank">photon.example.com</a></font></div>
                    <div>
                      <div class="h5">
                        <div><font face="monospace, monospace">Realm: <a
                              moz-do-not-send="true"
                              href="http://HQ.EXAMPLE.COM"
                              target="_blank">HQ.EXAMPLE.COM</a></font></div>
                        <div><font face="monospace, monospace">DNS
                            Domain: <a moz-do-not-send="true"
                              href="http://hq.example.com"
                              target="_blank">hq.example.com</a></font></div>
                        <div><font face="monospace, monospace">IPA
                            Server: <a moz-do-not-send="true"
                              href="http://ipa.hq.example.com"
                              target="_blank">ipa.hq.example.com</a></font></div>
                        <div><font face="monospace, monospace">BaseDN:
                            dc=hq,dc=example,dc=com</font></div>
                        <div><font face="monospace, monospace"><br>
                          </font></div>
                        <div><font face="monospace, monospace">Continue
                            to configure the system with these values?
                            [no]: yes</font></div>
                        <div><font face="monospace, monospace">Synchronizing
                            time with KDC...</font></div>
                        <div><font color="#ff0000" face="monospace,
                            monospace"><b>Unable to sync time with IPA
                              NTP server, assuming the time is in sync.
                              Please check that 123 UDP port is opened.</b></font></div>
                        <div><font face="monospace, monospace">User
                            authorized to enroll computers: admin</font></div>
                        <div><font face="monospace, monospace">Password
                            for <a moz-do-not-send="true"
                              href="mailto:admin@HQ.EXAMPLE.COM"
                              target="_blank">admin@HQ.EXAMPLE.COM</a>:</font></div>
                        <div><font face="monospace, monospace">Successfully
                            retrieved CA cert</font></div>
                        <div><font face="monospace, monospace">   
                            Subject:     CN=Certificate Authority,O=<a
                              moz-do-not-send="true"
                              href="http://HQ.EXAMPLE.COM"
                              target="_blank">HQ.EXAMPLE.COM</a></font></div>
                        <div><font face="monospace, monospace">   
                            Issuer:      CN=Certificate Authority,O=<a
                              moz-do-not-send="true"
                              href="http://HQ.EXAMPLE.COM"
                              target="_blank">HQ.EXAMPLE.COM</a></font></div>
                        <div><font face="monospace, monospace">    Valid
                            From:  Mon Mar 16 18:44:35 2015 UTC</font></div>
                        <div><font face="monospace, monospace">    Valid
                            Until: Fri Mar 16 18:44:35 2035 UTC</font></div>
                        <div><font face="monospace, monospace"><br>
                          </font></div>
                        <div><font face="monospace, monospace">Enrolled
                            in IPA realm <a moz-do-not-send="true"
                              href="http://HQ.EXAMPLE.COM"
                              target="_blank">HQ.EXAMPLE.COM</a></font></div>
                        <div><font face="monospace, monospace">Created
                            /etc/ipa/default.conf</font></div>
                        <div><font face="monospace, monospace">New SSSD
                            config will be created</font></div>
                        <div><font face="monospace, monospace">Configured
                            sudoers in /etc/nsswitch.conf</font></div>
                        <div><font face="monospace, monospace">Configured
                            /etc/sssd/sssd.conf</font></div>
                        <div><font face="monospace, monospace">Configured
                            /etc/krb5.conf for IPA realm <a
                              moz-do-not-send="true"
                              href="http://HQ.EXAMPLE.COM"
                              target="_blank">HQ.EXAMPLE.COM</a></font></div>
                        <div><font face="monospace, monospace">trying <a
                              moz-do-not-send="true"
                              href="https://ipa.hq.example.com/ipa/json"
                              target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
                        <div><font face="monospace, monospace">Forwarding
                            'ping' to json server '<a
                              moz-do-not-send="true"
                              href="https://ipa.hq.example.com/ipa/json"
                              target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                        <div><font face="monospace, monospace">Forwarding
                            'ca_is_enabled' to json server '<a
                              moz-do-not-send="true"
                              href="https://ipa.hq.example.com/ipa/json"
                              target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                        <div><font face="monospace, monospace">Systemwide
                            CA database updated.</font></div>
                        <div><font face="monospace, monospace">Added CA
                            certificates to the default NSS database.</font></div>
                      </div>
                    </div>
                    <span class="">
                      <div><font face="monospace, monospace">Adding SSH
                          public key from /etc/ssh/ssh_host_rsa_key.pub</font></div>
                    </span><span class="">
                      <div><font face="monospace, monospace">Adding SSH
                          public key from
                          /etc/ssh/ssh_host_ed25519_key.pub</font></div>
                    </span>
                    <div><font face="monospace, monospace">Adding SSH
                        public key from /etc/ssh/ssh_host_dsa_key.pub</font></div>
                    <span class="">
                      <div><font face="monospace, monospace">Adding SSH
                          public key from
                          /etc/ssh/ssh_host_ecdsa_key.pub</font></div>
                    </span><span class="">
                      <div><font face="monospace, monospace">Forwarding
                          'host_mod' to json server '<a
                            moz-do-not-send="true"
                            href="https://ipa.hq.example.com/ipa/json"
                            target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                      <div><font color="#ff0000" face="monospace,
                          monospace"><b>Could not update DNS SSHFP
                            records.</b></font></div>
                      <div><font face="monospace, monospace">SSSD
                          enabled</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/openldap/ldap.conf</font></div>
                    </span><span class="">
                      <div><font face="monospace, monospace">NTP enabled</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/ssh/ssh_config</font></div>
                      <div><font face="monospace, monospace">Configured
                          /etc/ssh/sshd_config</font></div>
                      <div><font face="monospace, monospace">Configuring
                          <a moz-do-not-send="true"
                            href="http://hq.example.com" target="_blank">hq.example.com</a>
                          as NIS domain.</font></div>
                      <div><font face="monospace, monospace">Client
                          configuration complete.</font></div>
                    </span></div>
                  <div><br>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    It is different. It does not have the same failure about admin as
    you had in the first email.<br>
    So maybe it is the permissions issue and a separate NTP issue?<br>
    Did you play with any permissions on the server side?<br>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
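    <br>
    Added example, not part of the original thread and not FreeIPA code: the log above ran with --ssh-trust-dns yet ended in "Could not update DNS SSHFP records", so the zone may not hold the fingerprints the SSH client is told to trust. This sketch derives the SSHFP tuples a host key should publish and compares them with rdata strings from a DNS lookup; the function names and the sample key are assumptions constructed for illustration.<br>
    <pre>
```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def make_constructed_key():
    """Constructed ed25519 public-key line (32 dummy key bytes, not a real host key)."""
    name = b"ssh-ed25519"
    blob = (len(name).to_bytes(4, "big") + name
            + (32).to_bytes(4, "big") + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


def expected_sshfp(pubkey_line):
    """Return {(alg, fp_type, hex_digest)} for one ssh_host_*_key.pub line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return {(KEY_ALGS[key_type], t, h(blob).hexdigest())
            for t, h in FP_TYPES.items()}


def parse_sshfp_rdata(rdata):
    """Parse 'ALG TYPE HEX' rdata text; the hex may be split by spaces."""
    alg, fp_type, *hex_parts = rdata.split()
    return int(alg), int(fp_type), "".join(hex_parts).lower()


def audit(pubkey_lines, dns_rdata):
    """Return (missing, unexpected) SSHFP tuples for a host."""
    want = set().union(*(expected_sshfp(line) for line in pubkey_lines))
    have = {parse_sshfp_rdata(r) for r in dns_rdata}
    return want - have, have - want


if __name__ == "__main__":
    # Empty answer models the case in the log: records never reached the zone.
    missing, unexpected = audit([make_constructed_key()], [])
    for alg, fp_type, digest in sorted(missing):
        print("missing: SSHFP", alg, fp_type, digest)
```
    </pre>
    A non-empty "unexpected" set means the zone publishes a fingerprint that matches none of the host's current keys, which deserves the same attention as a missing record.<br>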
  </body>
</html>