<div dir="ltr"><div><font face="arial, helvetica, sans-serif">Hi Rob,</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Yes, sssd is running and this is sssd.conf:</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[domain/<a href="http://hq.example.com">hq.example.com</a>]</font></div><div><font face="monospace, monospace">debug_level=9</font></div><div><font face="monospace, monospace">cache_credentials = True</font></div><div><font face="monospace, monospace">krb5_store_password_if_offline = True</font></div><div><font face="monospace, monospace">ipa_domain = <a href="http://hq.example.com">hq.example.com</a></font></div><div><font face="monospace, monospace">id_provider = ipa</font></div><div><font face="monospace, monospace">auth_provider = ipa</font></div><div><font face="monospace, monospace">access_provider = ipa</font></div><div><font face="monospace, monospace">ipa_hostname = meson.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com</font></div><div><font face="monospace, monospace">chpass_provider = ipa</font></div><div><font face="monospace, monospace">ipa_server = _srv_, ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com</font></div><div><font face="monospace, monospace">ldap_tls_cacert = /etc/ipa/ca.crt</font></div><div><font face="monospace, monospace">[sssd]</font></div><div><font face="monospace, monospace">services = nss, sudo, pam, ssh</font></div><div><font face="monospace, monospace">config_file_version = 2</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">domains = hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com</font></div><div><font face="monospace, monospace">[nss]</font></div><div><font face="monospace, monospace">homedir_substring = /home</font></div><div><font face="monospace, monospace">debug_level=9</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[pam]</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[sudo]</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[autofs]</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[ssh]</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[pac]</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[ifp]</font></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 21 March 2015 at 17:05, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Roberto Cornacchia wrote:<br>
> Indeed, id admin does not work and there is no sign of it in the log.<br>
><br>
> From the client (with admin-tools installed):<br>
><br>
> $ kinit admin<br>
</span>> Password for <a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a> <mailto:<a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a>>:<br>
<span class="">> $ ipa user-show admin<br>
> User login: admin<br>
> Last name: Administrator<br>
> Home directory: /home/admin<br>
> Login shell: /bin/bash<br>
> UID: 1172000000<br>
> GID: 1172000000<br>
> Account disabled: False<br>
> Password: True<br>
> Member of groups: trust admins, admins<br>
> Kerberos keys available: True<br>
> $ id admin<br>
> id: admin: no such user<br>
</span>> $ getent passwd <a href="mailto:admin@hq.spinque.com">admin@hq.spinque.com</a> <mailto:<a href="mailto:admin@hq.spinque.com">admin@hq.spinque.com</a>><br>
<span class="">> $ grep admin /var/log/sssd/*<br>
> $<br>
<br>
</span>This is because sssd is not configured in nsswitch.conf to serve<br>
anything other than sudo.<br>
<br>
I see in the client install log you posted in the first message of the<br>
thread that there was no pre-existing sssd.conf so it created a new one,<br>
but that shouldn't be an issue.<br>
<br>
What does sssd.conf look like and is sssd running?<br>
<br>
rob<br>
<span class=""><br>
><br>
><br>
> On 21 March 2015 at 01:01, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
</span><span class="">> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
><br>
> On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:<br>
>> Two log files in attachment (the other files in /var/log/sssd are<br>
>> all empty).<br>
>><br>
>> I'll also go through the troubleshooting page again, thanks<br>
>><br>
><br>
> Do the logs include an id call for admin?<br>
> I do not see any instance of the word "admin" in the log.<br>
><br>
><br>
>><br>
>> On 20 March 2015 at 23:03, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
</span><span class="">>> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
>><br>
>> On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:<br>
>>> SSSD logs are empty so far.<br>
>><br>
>> This is wrong.<br>
>><br>
>>> Isn't sssd.conf written by ipa-client-install?<br>
>><br>
>> Yes<br>
>><br>
>>> If I raise the debug level after client installation,<br>
>><br>
>> (and restart)<br>
>><br>
>>> what activities do you suggest to attempt from the client?<br>
>> the ones that fail. getent call that returns nothing.<br>
>> Also try 'id'.<br>
>><br>
>> <a href="http://www.freeipa.org/page/Troubleshooting#Client_Installation" target="_blank">http://www.freeipa.org/page/Troubleshooting#Client_Installation</a><br>
>> <a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a><br>
>><br>
>>><br>
>>><br>
>>> On 20 March 2015 at 22:37, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
</span><span class="">>>> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
>>><br>
>>> On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:<br>
>>>> It certainly gets there, because the client gets in fact<br>
>>>> enrolled as a domain host. I can see it from the UI in<br>
>>>> Identity / Hosts. But not in the DNS zone.<br>
>>>><br>
</span>>>>> *Before ipa-client-install, all these do work: *<br>
>>>><br>
>>>> $ ssh <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a> <<a href="http://ipa.hq.example.com" target="_blank">http://ipa.hq.example.com</a>><br>
>>>> $ ntpdate <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a> <<a href="http://ipa.hq.example.com" target="_blank">http://ipa.hq.example.com</a>><br>
<span class="">>>>> $ ldapsearch -x -h <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
</span>>>>> <<a href="http://ipa.hq.example.com" target="_blank">http://ipa.hq.example.com</a>> -b dc=hq,dc=example,dc=com<br>
>>>> uid=admin<br>
>>>><br>
>>>><br>
>>>> *After running ipa-client-install, all these do work:*<br>
<span class="">>>>><br>
>>>> $ kinit admin<br>
>>>> Password for <a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a><br>
</span>>>>> <mailto:<a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a>>:<br>
<span class="">>>>> $ ipa dnszone-show --all<br>
>>>> [...]<br>
>>>> $ ntpq -p<br>
>>>> remote refid st t when poll reach<br>
>>>> delay offset jitter<br>
>>>> ==============================================================================<br>
>>>> *ipa.hq.example. 131.155.140.130 3 u 19 64 1<br>
>>>> 0.415 -0.006 0.000<br>
>>>> LOCAL(0) .LOCL. 5 l - 64 0<br>
>>>> 0.000 0.000 0.000<br>
>>>><br>
</span>>>>> *But this does NOT work:*<br>
>>>> $ getent passwd <a href="mailto:admin@hq.example.com">admin@hq.example.com</a><br>
>>>> <mailto:<a href="mailto:admin@hq.example.com">admin@hq.example.com</a>><br>
<span class="">>>><br>
>>> What do SSSD logs show on the client?<br>
>>> Please rise the SSSD debug_level and provide SSSD logs.<br>
>>><br>
>>>><br>
</span>>>>> *On the server, in /var/log/krb5kdc.log, I see many of<br>
>>>> these:*<br>
<span class="">>>>><br>
>>>> Mar 20 21:53:17 <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
</span>>>>> <<a href="http://ipa.hq.example.com" target="_blank">http://ipa.hq.example.com</a>> krb5kdc[9229](info): AS_REQ<br>
<span class="">>>>> (6 etypes {18 17 16 23 25 26}) 192.168.0.207<br>
</span>>>>> <<a href="http://192.168.0.207" target="_blank">http://192.168.0.207</a>>: NEEDED_PREAUTH:<br>
>>>> <a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a> <mailto:<a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a>> for<br>
>>>> krbtgt/<a href="mailto:HQ.EXAMPLE.COM@HQ.EXAMPLE.COM">HQ.EXAMPLE.COM@HQ.EXAMPLE.COM</a><br>
>>>> <mailto:<a href="mailto:COM@HQ.EXAMPLE.COM">COM@HQ.EXAMPLE.COM</a>>, Additional<br>
<span class="">>>>> pre-authentication required<br>
>>>> Mar 20 21:53:17 <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
</span>>>>> <<a href="http://ipa.hq.example.com" target="_blank">http://ipa.hq.example.com</a>> krb5kdc[9229](info): AS_REQ<br>
<span class="">>>>> (6 etypes {18 17 16 23 25 26}) 192.168.0.207<br>
</span>>>>> <<a href="http://192.168.0.207" target="_blank">http://192.168.0.207</a>>: ISSUE: authtime 1426884797,<br>
<span class="">>>>> etypes {rep=18 tkt=18 ses=18}, <a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a><br>
</span>>>>> <mailto:<a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a>> for<br>
>>>> krbtgt/<a href="mailto:HQ.EXAMPLE.COM@HQ.EXAMPLE.COM">HQ.EXAMPLE.COM@HQ.EXAMPLE.COM</a><br>
>>>> <mailto:<a href="mailto:HQ.EXAMPLE.COM@HQ.EXAMPLE.COM">HQ.EXAMPLE.COM@HQ.EXAMPLE.COM</a>><br>
<span class="">>>><br>
>>> This is not an error. It is a normal user authentication.<br>
>>> OK so it is DNS that is not working. Is DNS server<br>
>>> running on the server?<br>
>>> What do Bind logs show?<br>
>>><br>
>>><br>
>>>><br>
>>>> 192.168.0.207 is the IP of the client I'm trying to<br>
>>>> install. However, higher up in the log, I also see such<br>
>>>> errors for the ipa server itself.<br>
>>>><br>
>>>> On 20 March 2015 at 20:24, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
</span><span class="">>>>> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
>>>><br>
>>>> On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:<br>
>>>>> No, all real machines.<br>
>>>>><br>
>>>>> I'm really sorry it's taking so much of your time.<br>
>>>>> I had tried almost everything on a VM setting<br>
>>>>> first, and everything was fine.<br>
>>>>> Everything always works fine, until you actually<br>
>>>>> need it.<br>
>>>><br>
>>>><br>
>>>> We try to help as much as we can.<br>
>>>> Can you do LDAP lookups as a directory manager from<br>
>>>> client host to server?<br>
>>>> Can you ssh from client to server?<br>
>>>><br>
>>>> When you try to install client is there anything in<br>
>>>> the logs on the server? Does it even get there?<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>>><br>
>>>>><br>
>>>>> On 20 March 2015 at 19:41, Dmitri Pal<br>
</span><span class="">>>>>> <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
>>>>><br>
>>>>> On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:<br>
>>>>>> But the ipa server itself is also enrolled as<br>
>>>>>> a client, just after the server installation,<br>
>>>>>> right?. And that worked fine.<br>
>>>>><br>
>>>>> Are these VMs?<br>
>>>>> There have been a similar case when the network<br>
>>>>> was not set properly for the virtual test<br>
>>>>> environment.<br>
>>>>><br>
>>>>><br>
>>>>>><br>
>>>>>> On 20 March 2015 at 18:55, Roberto Cornacchia<br>
>>>>>> <<a href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a><br>
</span><span class="">>>>>>> <mailto:<a href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a>>> wrote:<br>
>>>>>><br>
>>>>>> No, sorry about the confusion, i shouldn't<br>
>>>>>> have posted so quickly.<br>
>>>>>><br>
>>>>>> When I use the correct domain<br>
</span>>>>>>> (<a href="http://hq.example.com" target="_blank">hq.example.com</a> <<a href="http://hq.example.com" target="_blank">http://hq.example.com</a>>),<br>
<span class="">>>>>>> then I really get all the same errors as<br>
>>>>>> before, also in the new client.<br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>> On 20 Mar 2015 18:39, "Dmitri Pal"<br>
</span>>>>>>> <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>><br>
<span class="">>>>>>> wrote:<br>
>>>>>><br>
>>>>>> On 03/20/2015 01:25 PM, Roberto<br>
>>>>>> Cornacchia wrote:<br>
>>>>>>> Oops. Not true, forget last email.<br>
>>>>>>><br>
>>>>>>> This secon client installation went<br>
>>>>>>> different just because it took the<br>
>>>>>>> wrong domain.<br>
</span>>>>>>>> It used *<a href="http://example.com" target="_blank">example.com</a><br>
>>>>>>> <<a href="http://example.com" target="_blank">http://example.com</a>>* (what was<br>
>>>>>>> previously set) instead of<br>
>>>>>>> *<a href="http://hq.example.com" target="_blank">hq.example.com</a> <<a href="http://hq.example.com" target="_blank">http://hq.example.com</a>>*<br>
<span class="">>>>>>>><br>
>>>>>>> Uninstalled, tried again with<br>
>>>>>>> --hostname=<a href="http://photon.hq.example.com" target="_blank">photon.hq.example.com</a><br>
</span>>>>>>>> <<a href="http://photon.hq.example.com" target="_blank">http://photon.hq.example.com</a>><br>
<span class="">>>>>>>> And then it behaves precisely like<br>
>>>>>>> the previous client.<br>
>>>>>>><br>
>>>>>>> So something seems wrong in the server.<br>
>>>>>>><br>
>>>>>>> On 20 March 2015 at 18:18, Roberto<br>
>>>>>>> Cornacchia<br>
>>>>>>> <<a href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a><br>
</span><div><div class="h5">>>>>>>> <mailto:<a href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a>>> wrote:<br>
>>>>>>><br>
>>>>>>> Update:<br>
>>>>>>> I tried from another client. Also<br>
>>>>>>> FC21, same network, same settings<br>
>>>>>>> from the same DHCP.<br>
>>>>>>> But obviously it must have<br>
>>>>>>> something different because it<br>
>>>>>>> partially succeeded.<br>
>>>>>>><br>
>>>>>>> - I do not get errors about LDAP<br>
>>>>>>> users.<br>
>>>>>>> - I do not get errors about DNS<br>
>>>>>>> update<br>
>>>>>>><br>
>>>>>>> However:<br>
>>>>>>> - I still get the initial error<br>
>>>>>>> about NTP<br>
>>>>>>> - The host is enrolled, but not<br>
>>>>>>> added to the DNS zone<br>
>>>>>>><br>
>>>>>>> Now, I don't care much about the<br>
>>>>>>> previous client. It was pretty<br>
>>>>>>> much empty and can re-install<br>
>>>>>>> Fedora from scratch.<br>
>>>>>>><br>
>>>>>>> But I'd like to understand if<br>
>>>>>>> this is still a problem.<br>
>>>>>>> It should be added to the zone,<br>
>>>>>>> shouldn't it?<br>
>>>>>>><br>
>>>>>>> $ ipa-client-install --mkhomedir<br>
>>>>>>> --ssh-trust-dns --force-ntpd<br>
>>>>>>> Discovery was successful!<br>
>>>>>>> Hostname: <a href="http://photon.example.com" target="_blank">photon.example.com</a><br>
</div></div>>>>>>>> <<a href="http://photon.example.com" target="_blank">http://photon.example.com</a>><br>
>>>>>>> Realm: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
>>>>>>> <<a href="http://HQ.EXAMPLE.COM" target="_blank">http://HQ.EXAMPLE.COM</a>><br>
>>>>>>> DNS Domain: <a href="http://hq.example.com" target="_blank">hq.example.com</a><br>
>>>>>>> <<a href="http://hq.example.com" target="_blank">http://hq.example.com</a>><br>
>>>>>>> IPA Server: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
>>>>>>> <<a href="http://ipa.hq.example.com" target="_blank">http://ipa.hq.example.com</a>><br>
<span class="">>>>>>>> BaseDN: dc=hq,dc=example,dc=com<br>
>>>>>>><br>
>>>>>>> Continue to configure the system<br>
>>>>>>> with these values? [no]: yes<br>
>>>>>>> Synchronizing time with KDC...<br>
</span>>>>>>>> *Unable to sync time with IPA NTP<br>
<span class="">>>>>>>> server, assuming the time is in<br>
>>>>>>> sync. Please check that 123 UDP<br>
</span>>>>>>>> port is opened.*<br>
<span class="">>>>>>>> User authorized to enroll<br>
>>>>>>> computers: admin<br>
>>>>>>> Password for <a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a><br>
</span>>>>>>>> <mailto:<a href="mailto:admin@HQ.EXAMPLE.COM">admin@HQ.EXAMPLE.COM</a>>:<br>
<span class="">>>>>>>> Successfully retrieved CA cert<br>
>>>>>>> Subject: CN=Certificate<br>
>>>>>>> Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
</span>>>>>>>> <<a href="http://HQ.EXAMPLE.COM" target="_blank">http://HQ.EXAMPLE.COM</a>><br>
>>>>>>> Issuer: CN=Certificate<br>
>>>>>>> Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
>>>>>>> <<a href="http://HQ.EXAMPLE.COM" target="_blank">http://HQ.EXAMPLE.COM</a>><br>
<span class="">>>>>>>> Valid From: Mon Mar 16<br>
>>>>>>> 18:44:35 2015 UTC<br>
>>>>>>> Valid Until: Fri Mar 16<br>
>>>>>>> 18:44:35 2035 UTC<br>
>>>>>>><br>
>>>>>>> Enrolled in IPA realm<br>
>>>>>>> <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
</span>>>>>>>> <<a href="http://HQ.EXAMPLE.COM" target="_blank">http://HQ.EXAMPLE.COM</a>><br>
<span class="">>>>>>>> Created /etc/ipa/default.conf<br>
>>>>>>> New SSSD config will be created<br>
>>>>>>> Configured sudoers in<br>
>>>>>>> /etc/nsswitch.conf<br>
>>>>>>> Configured /etc/sssd/sssd.conf<br>
>>>>>>> Configured /etc/krb5.conf for IPA<br>
>>>>>>> realm <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
</span>>>>>>>> <<a href="http://HQ.EXAMPLE.COM" target="_blank">http://HQ.EXAMPLE.COM</a>><br>
<span class="">>>>>>>> trying<br>
>>>>>>> <a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a><br>
>>>>>>> Forwarding 'ping' to json server<br>
>>>>>>> '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'<br>
>>>>>>> Forwarding 'ca_is_enabled' to<br>
>>>>>>> json server<br>
>>>>>>> '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'<br>
>>>>>>> Systemwide CA database updated.<br>
>>>>>>> Added CA certificates to the<br>
>>>>>>> default NSS database.<br>
>>>>>>> Adding SSH public key from<br>
>>>>>>> /etc/ssh/ssh_host_rsa_key.pub<br>
>>>>>>> Adding SSH public key from<br>
>>>>>>> /etc/ssh/ssh_host_ed25519_key.pub<br>
>>>>>>> Adding SSH public key from<br>
>>>>>>> /etc/ssh/ssh_host_dsa_key.pub<br>
>>>>>>> Adding SSH public key from<br>
>>>>>>> /etc/ssh/ssh_host_ecdsa_key.pub<br>
>>>>>>> Forwarding 'host_mod' to json<br>
>>>>>>> server<br>
>>>>>>> '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'<br>
</span>>>>>>>> *Could not update DNS SSHFP records.*<br>
<span class="">>>>>>>> SSSD enabled<br>
>>>>>>> Configured /etc/openldap/ldap.conf<br>
>>>>>>> NTP enabled<br>
>>>>>>> Configured /etc/ssh/ssh_config<br>
>>>>>>> Configured /etc/ssh/sshd_config<br>
>>>>>>> Configuring <a href="http://hq.example.com" target="_blank">hq.example.com</a><br>
</span>>>>>>>> <<a href="http://hq.example.com" target="_blank">http://hq.example.com</a>> as NIS<br>
<div class="HOEnZb"><div class="h5">>>>>>>> domain.<br>
>>>>>>> Client configuration complete.<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>><br>
>>>>>> It is different. It does not have the<br>
>>>>>> same failure about admin as you had in<br>
>>>>>> the first email.<br>
>>>>>> So may be it is the permissions issue<br>
>>>>>> and a separate NTP issue?<br>
>>>>>> Did you play with any permissions on<br>
>>>>>> the server side?<br>
>>>>>><br>
>>>>>><br>
>>>>>> --<br>
>>>>>> Thank you,<br>
>>>>>> Dmitri Pal<br>
>>>>>><br>
>>>>>> Sr. Engineering Manager IdM portfolio<br>
>>>>>> Red Hat, Inc.<br>
>>>>>><br>
>>>>>><br>
>>>>>> --<br>
>>>>>> Manage your subscription for the<br>
>>>>>> Freeipa-users mailing list:<br>
>>>>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>>>>>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info<br>
>>>>>> on the project<br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>><br>
>>>>><br>
>>>>> --<br>
>>>>> Thank you,<br>
>>>>> Dmitri Pal<br>
>>>>><br>
>>>>> Sr. Engineering Manager IdM portfolio<br>
>>>>> Red Hat, Inc.<br>
>>>>><br>
>>>>><br>
>>>>> --<br>
>>>>> Manage your subscription for the Freeipa-users<br>
>>>>> mailing list:<br>
>>>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>>>>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the<br>
>>>>> project<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> Thank you,<br>
>>>> Dmitri Pal<br>
>>>><br>
>>>> Sr. Engineering Manager IdM portfolio<br>
>>>> Red Hat, Inc.<br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> Manage your subscription for the Freeipa-users<br>
>>>> mailing list:<br>
>>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>>>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>><br>
>>><br>
>>> --<br>
>>> Thank you,<br>
>>> Dmitri Pal<br>
>>><br>
>>> Sr. Engineering Manager IdM portfolio<br>
>>> Red Hat, Inc.<br>
>>><br>
>>><br>
>>> --<br>
>>> Manage your subscription for the Freeipa-users mailing list:<br>
>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
>>><br>
>>><br>
>>><br>
>>><br>
>><br>
>><br>
>> --<br>
>> Thank you,<br>
>> Dmitri Pal<br>
>><br>
>> Sr. Engineering Manager IdM portfolio<br>
>> Red Hat, Inc.<br>
>><br>
>><br>
>> --<br>
>> Manage your subscription for the Freeipa-users mailing list:<br>
>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
>><br>
>><br>
>><br>
>><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager IdM portfolio<br>
> Red Hat, Inc.<br>
><br>
><br>
> --<br>
> Manage your subscription for the Freeipa-users mailing list:<br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>