On 02/25/2011 12:47 AM, Simo Sorce wrote:
> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young<ayo...@redhat.com>  wrote:
>
>> I updated the resolv.conf of the client machine to point to the
>> server and ran:
>>
>>
>> [root@vm-060 ~]# ipa-client-install --domain  idm.lab.bos.redhat.com
>> -p admin -w freeipa4all
>> Discovery was successful!
>> Realm: IDM.LAB.BOS.REDHAT.COM
>> DNS Domain: idm.lab.bos.redhat.com
>> IPA Server: vm-051.idm.lab.bos.redhat.com
>> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
>> certmonger request for host certificate failed
>> Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
>> Failed to obtain host TGT.
>> Failed to update DNS A record. (Command 'x' returned non-zero exit
>> status 1) SSSD enabled
>> Kerberos 5 enabled
>> NTP enabled
>> Client configuration complete.
>>
>>
>> Is this a sign of a cert server issue?  This is the first time
>> running with dogtag.
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
>
>> Here's the last couple of lines from the ipa-server-log.  They look
>> fine to me.
>>
>> [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
>> ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
>> [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
>> ad...@idm.lab.bos.redhat.com: batch(({u'params':
>> [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
>> SUCCESS
>> [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
>> ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
>> [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
>> ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com',
>> nshardwareplatform=u'x86_64',
>> nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
> Can you send the ipaclient-install.log file?

Attached

>> This machine had client installed before, but I've since uninstalled
>> and reinstalled both the server and client, and rebooted the client
>> as well.
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed?


Yes: bind-utils-9.7.2-8.P3.el6.x86_64

>> There is no file /etc/ipa/.dns_update.txt
> And there shouldn't, it is a temp file we delete as soon as we are done.
>
> Simo.


2011-02-24 20:45:58,992 DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'conf_ntp': True, 'domain': 'idm.lab.bos.redhat.com', 'uninstall': 
False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 
'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': 
False, 'debug': False, 'on_master': False, 'ntp_server': None, 'mkhomedir': 
False, 'unattended': None, 'principal': 'admin'}
2011-02-24 20:45:58,992 DEBUG missing options might be asked for interactively 
later

2011-02-24 20:45:58,992 DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:45:58,995 DEBUG [ipadnssearchldap(idm.lab.bos.redhat.com)]
2011-02-24 20:45:58,998 DEBUG [ipadnssearchkrb]
2011-02-24 20:45:59,001 DEBUG [ipacheckldap]
2011-02-24 20:45:59,054 DEBUG args=/usr/bin/wget -O /tmp/tmpYLmC3X/ca.crt 
http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
2011-02-24 20:45:59,055 DEBUG stdout=
2011-02-24 20:45:59,055 DEBUG stderr=--2011-02-24 20:45:59--  
http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
Resolving vm-051.idm.lab.bos.redhat.com... 10.16.78.51
Connecting to vm-051.idm.lab.bos.redhat.com|10.16.78.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpYLmC3X/ca.crt'

     0K .                                                     100%  194M=0s

2011-02-24 20:45:59 (194 MB/s) - `/tmp/tmpYLmC3X/ca.crt' saved [1361/1361]


2011-02-24 20:45:59,055 DEBUG Init ldap with: 
ldap://vm-051.idm.lab.bos.redhat.com:389
2011-02-24 20:45:59,146 DEBUG Search rootdse
2011-02-24 20:45:59,149 DEBUG Search for (info=*) in 
dc=idm,dc=lab,dc=bos,dc=redhat,dc=com(base)
2011-02-24 20:45:59,150 DEBUG Found: [('dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': 
['idm.lab.bos.redhat.com'], 'dc': ['idm'], 'nisDomain': 
['idm.lab.bos.redhat.com']})]
2011-02-24 20:45:59,151 DEBUG Search for (objectClass=krbRealmContainer) in 
dc=idm,dc=lab,dc=bos,dc=redhat,dc=com(sub)
2011-02-24 20:45:59,153 DEBUG Found: 
[('cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
 {'krbSubTrees': ['dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'], 'cn': 
['IDM.LAB.BOS.REDHAT.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 
'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 
'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 
'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 
'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 
'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 
'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 
'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
2011-02-24 20:45:59,153 DEBUG will use domain: idm.lab.bos.redhat.com

2011-02-24 20:45:59,153 DEBUG will use server: vm-051.idm.lab.bos.redhat.com

2011-02-24 20:45:59,154 DEBUG will use cli_realm: IDM.LAB.BOS.REDHAT.COM

2011-02-24 20:45:59,154 DEBUG will use cli_basedn: 
dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

2011-02-24 20:46:03,281 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt 
http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
2011-02-24 20:46:03,282 DEBUG stdout=
2011-02-24 20:46:03,282 DEBUG stderr=--2011-02-24 20:46:03--  
http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
Resolving vm-051.idm.lab.bos.redhat.com... 10.16.78.51
Connecting to vm-051.idm.lab.bos.redhat.com|10.16.78.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

     0K .                                                     100%  130M=0s

2011-02-24 20:46:03 (130 MB/s) - `/etc/ipa/ca.crt' saved [1361/1361]


2011-02-24 20:46:03,720 DEBUG args=kinit ad...@idm.lab.bos.redhat.com
2011-02-24 20:46:03,721 DEBUG stdout=Password for ad...@idm.lab.bos.redhat.com: 

2011-02-24 20:46:03,721 DEBUG stderr=
2011-02-24 20:46:06,087 DEBUG args=/usr/sbin/ipa-join -s 
vm-051.idm.lab.bos.redhat.com
2011-02-24 20:46:06,088 DEBUG stdout=
2011-02-24 20:46:06,088 DEBUG stderr=Keytab successfully retrieved and stored 
in: /etc/krb5.keytab
Certificate subject base is: O=IDM.LAB.BOS.REDHAT.COM

2011-02-24 20:46:06,108 DEBUG args=kdestroy
2011-02-24 20:46:06,108 DEBUG stdout=
2011-02-24 20:46:06,108 DEBUG stderr=
2011-02-24 20:46:06,109 DEBUG Backing up system configuration file 
'/etc/ipa/default.conf'
2011-02-24 20:46:06,109 DEBUG   -> Not backing up - '/etc/ipa/default.conf' 
doesn't exist
2011-02-24 20:46:06,110 DEBUG Backing up system configuration file 
'/etc/sssd/sssd.conf'
2011-02-24 20:46:06,126 DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:46:06,255 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n 
IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-02-24 20:46:06,256 DEBUG stdout=
2011-02-24 20:46:06,256 DEBUG stderr=
2011-02-24 20:46:06,257 DEBUG Backing up system configuration file 
'/etc/krb5.conf'
2011-02-24 20:46:06,258 DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:46:06,334 DEBUG args=/sbin/service certmonger status
2011-02-24 20:46:06,335 DEBUG stdout=certmonger is stopped

2011-02-24 20:46:06,335 DEBUG stderr=
2011-02-24 20:46:06,560 DEBUG args=/sbin/service certmonger restart
2011-02-24 20:46:06,561 DEBUG stdout=Stopping certmonger: 
[FAILED]
Starting certmonger: [  OK  ]

2011-02-24 20:46:06,561 DEBUG stderr=
2011-02-24 20:46:06,710 DEBUG args=/sbin/chkconfig certmonger --list
2011-02-24 20:46:06,711 DEBUG stdout=certmonger         0:off   1:off   2:off   
3:off   4:off   5:off   6:off

2011-02-24 20:46:06,711 DEBUG stderr=
2011-02-24 20:46:06,811 DEBUG args=/sbin/chkconfig certmonger on
2011-02-24 20:46:06,812 DEBUG stdout=
2011-02-24 20:46:06,812 DEBUG stderr=
2011-02-24 20:46:06,850 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA 
Machine Certificate - vm-060.idm.lab.bos.redhat.com -N 
CN=vm-060.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM -K 
host/vm-060.idm.lab.bos.redhat....@idm.lab.bos.redhat.com
2011-02-24 20:46:06,851 DEBUG stdout=Error 
org.fedorahosted.certmonger.duplicate: Certificate at same location is already 
used by request "20110219000336".

2011-02-24 20:46:06,851 DEBUG stderr=
2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-02-24 20:46:06,879 DEBUG stdout=
2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be canonicalized 
when creating default server principal name

2011-02-24 20:46:07,014 DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2011-02-24 20:46:07,015 DEBUG stdout=
2011-02-24 20:46:07,015 DEBUG stderr=Check your Kerberos ticket, it may have 
expired.

2011-02-24 20:46:07,046 DEBUG args=/sbin/service nscd status
2011-02-24 20:46:07,047 DEBUG stdout=
2011-02-24 20:46:07,047 DEBUG stderr=nscd: unrecognized service

2011-02-24 20:46:07,060 DEBUG args=/sbin/chkconfig nscd --list
2011-02-24 20:46:07,061 DEBUG stdout=
2011-02-24 20:46:07,061 DEBUG stderr=error reading information on service nscd: 
No such file or directory

2011-02-24 20:46:09,599 DEBUG args=/usr/sbin/authconfig --enablesssd 
--enablesssdauth --update
2011-02-24 20:46:09,600 DEBUG stdout=Starting sssd: [  OK  ]
[  OK  ]

2011-02-24 20:46:09,601 DEBUG stderr=
2011-02-24 20:46:09,649 DEBUG args=getent passwd admin
2011-02-24 20:46:09,650 DEBUG stdout=
2011-02-24 20:46:09,650 DEBUG stderr=
2011-02-24 20:46:10,664 DEBUG args=getent passwd admin
2011-02-24 20:46:10,665 DEBUG 
stdout=admin:*:1190800000:1190800000:Administrator:/home/admin:/bin/bash

2011-02-24 20:46:10,665 DEBUG stderr=
2011-02-24 20:46:12,264 DEBUG args=/usr/sbin/authconfig --enablekrb5 --update 
--nostart
2011-02-24 20:46:12,265 DEBUG stdout=
2011-02-24 20:46:12,265 DEBUG stderr=
2011-02-24 20:46:12,266 DEBUG Backing up system configuration file 
'/etc/ntp.conf'
2011-02-24 20:46:12,267 DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:46:12,268 DEBUG Backing up system configuration file 
'/etc/sysconfig/ntpd'
2011-02-24 20:46:12,268 DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:46:12,315 DEBUG args=/sbin/chkconfig ntpd on
2011-02-24 20:46:12,315 DEBUG stdout=
2011-02-24 20:46:12,315 DEBUG stderr=
2011-02-24 20:46:12,513 DEBUG args=/sbin/service ntpd restart
2011-02-24 20:46:12,513 DEBUG stdout=Shutting down ntpd: [  OK  
]
Starting ntpd: [  OK  ]

2011-02-24 20:46:12,514 DEBUG stderr=
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
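
Added example, not part of the original message and not FreeIPA code: a small triage script for the args=/stdout=/stderr= record layout of the ipaclient-install.log attached above. It lists, in order, the commands whose output looks like a failure; the sample input is constructed from the log (wrapped lines re-joined, the ipa-getcert arguments shortened) and the failure keywords are an assumption.

```python
import re
# Constructed sample in the ipaclient-install.log layout (wrapped lines re-joined).
SAMPLE_LOG = """\
2011-02-24 20:46:06,087 DEBUG args=/usr/sbin/ipa-join -s vm-051.idm.lab.bos.redhat.com
2011-02-24 20:46:06,088 DEBUG stdout=
2011-02-24 20:46:06,088 DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IDM.LAB.BOS.REDHAT.COM
2011-02-24 20:46:06,850 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
2011-02-24 20:46:06,851 DEBUG stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110219000336".
2011-02-24 20:46:06,851 DEBUG stderr=
2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-02-24 20:46:06,879 DEBUG stdout=
2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
2011-02-24 20:46:07,014 DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2011-02-24 20:46:07,015 DEBUG stdout=
2011-02-24 20:46:07,015 DEBUG stderr=Check your Kerberos ticket, it may have expired.
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) DEBUG (.*)$")
FIELD = re.compile(r"^(args|stdout|stderr)=(.*)$")
# Heuristic failure markers (assumption): the log records no exit status, and
# successful tools such as ipa-join and wget also write to stderr.
FAILURE = re.compile(r"\berror\b|\bfailed\b|cannot|expired|unrecognized|no such file", re.I)

def parse_commands(text):
    """Group args/stdout/stderr records into one dict per executed command."""
    commands, current, last = [], None, None
    for line in text.splitlines():
        m = RECORD.match(line)
        field = FIELD.match(m.group(2)) if m else None
        if m is None and current and last and line.strip():
            current[last] += "\n" + line  # continuation of multi-line tool output
        elif field and field.group(1) == "args":
            current = {"time": m.group(1), "args": field.group(2), "stdout": "", "stderr": ""}
            commands.append(current)
        elif field and current:
            current[field.group(1)] = field.group(2)
        if m:
            last = field.group(1) if field else None  # plain DEBUG lines end a record
    return commands

def failed_steps(text):
    """Return (time, program, first output line) for commands that look failed."""
    hits = []
    for cmd in parse_commands(text):
        output = (cmd["stdout"] + "\n" + cmd["stderr"]).strip()
        if FAILURE.search(output):
            hits.append((cmd["time"], cmd["args"].split()[0], output.splitlines()[0]))
    return hits
```

On the sample, the hits come out in log order: the certmonger duplicate-request error, then the failed `kinit -k`, then the `nsupdate -g` run that reports a Kerberos ticket problem.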
