A question


What another way I can enroll my server client on my IPA server ?


I have a server IPA with S.O. Fedora 24 and


My client server have a S.O. CentOS release 5.10  with


This is the "ipa-client-install -d"


[root@l1 ~]# ipa-client-install -d

root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None,
'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir':
False, 'dns_updates': False, 'preserve_sssd': False, 'debug': True,
'on_master': False, 'ca_cert_file': None, 'realm_name': None, 'unattended':
None, 'ntp_server': None, 'principal': None}

root        : DEBUG    missing options might be asked for interactively


root        : DEBUG    Loading Index file from

root        : DEBUG    Loading StateFile from

root        : DEBUG    [IPA Discovery]

root        : DEBUG    Starting IPA discovery with domain=None,
servers=None, hostname=l1.example.com

root        : DEBUG    [ipadnssearchldap(example.com)]

root        : DEBUG    [ipadnssearchkrb]

root        : DEBUG    [ipacheckldap]

root        : DEBUG    Verifying that ipa.example.com (realm EXAMPLE.COM) is
an IPA server

root        : DEBUG    Init ldap with: ldap://ipa.example.com:389

root        : DEBUG    Search LDAP server for IPA base DN

root        : DEBUG    Check if naming context 'cn=changelog' is for IPA

root        : DEBUG    Info attribute with IPA server version not found

root        : DEBUG    Check if naming context 'dc=example,dc=com' is for

root        : DEBUG    Naming context 'dc=example,dc=com' is a valid IPA

root        : DEBUG    Search for (objectClass=krbRealmContainer) in

root        : DEBUG    Found:
[('cn=example.COM,cn=kerberos,dc=example,dc=com', {'objectClass': ['top',
'krbrealmcontainer', 'krbticketpolicyaux'], 'cn': ['example.COM']})]

root        : DEBUG    Discovery result: Success; server=ipa.example.com,
domain=example.com, kdc=ipa.example.com, basedn=dc=example,dc=com

root        : DEBUG    Validated servers: ipa.example.com

root        : DEBUG    will use domain: example.com


root        : DEBUG    [ipadnssearchldap(example.com)]

root        : DEBUG    DNS validated, enabling discovery

root        : DEBUG    will use discovered server: ipa.example.com

Discovery was successful!

root        : DEBUG    will use cli_realm: EXAMPLE.COM


root        : DEBUG    will use cli_basedn: dc=example,dc=com


Hostname: l1.example.com

Realm: example.COM

DNS Domain: example.com

IPA Server: ipa.example.com

BaseDN: dc=example,dc=com



Continue to configure the system with these values? [no]: yes

User authorized to enroll computers: admin

root        : DEBUG    will use principal: admin


Synchronizing time with KDC...

root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b ipa.example.com

root        : DEBUG    stdout=

root        : DEBUG    stderr=

root        : DEBUG    Writing Kerberos configuration to /tmp/tmpSeQjKB:

#File modified by ipa-client-install



  default_realm = EXAMPLE.COM

  dns_lookup_realm = false

  dns_lookup_kdc = false

  rdns = false

  ticket_lifetime = 24h

  forwardable = yes



  example.COM = {

    kdc = ipa.example.com:88

    master_kdc = ipa.example.com:88

    admin_server = ipa.example.com:749

    default_domain = example.com

    pkinit_anchors = FILE:/etc/ipa/ca.crt




  .example.com = EXAMPLE.COM

  example.com = EXAMPLE.COM



Password for ad...@example.com: 

root        : DEBUG    args=kinit ad...@example.com

root        : DEBUG    stdout=Password for ad...@example.com: 


root        : DEBUG    stderr=


root        : DEBUG    trying to retrieve CA cert via LDAP from

root        : DEBUG    Existing CA cert and Retrieved CA cert are identical




In the line "root        : DEBUG    Existing CA cert and Retrieved CA cert
are identical"   It's don't progress.


Do Is there any other way I could do it ?



Thanks for your response 


Jose Alvarez





FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to