Hello everyone.

I like the potential possibilities that IPA provides so I have been playing
with it trying to figure it out. I am using Scientific Linux 6.1 as my OS
and I have been using the Red Hat documentation [1] as the majority source
of my learning thus far. I have been recently reading through the
documentation on freeipa.org since it seems to be flushed out a little


I have run into an issue and I am having difficultly solving it. The client
will not see the server. I have posted to the SL forums but I have not heard
anything back. I am hoping it is more of an IPA issue instead of a SL6.1 and
as such someone here might be able to help.

For testing purposes I have two hosts. Both hosts are a fresh install of
SL6.1 Minimal Desktop fully updated on a VM connected by a virtual network.
There is nothing else on this network at all and no connection to the
outside world. My yum updates off of a external USB drive that contains a
up-to-date yum mirror of 6.1, Security, and Fastbugs (I do a lot of testing
and this helps alleviate me beating up someone elses mirror).

Host ipa.blarg.local is my ipa server. Host dev.blarg.local is my "desktop
developer" system.

The minimal desktop install included dnsmasq. So I configured it for use as
my DHCP/DNS server on ipa.blarg.local.

/etc/dnsmasq.conf is as follows:

I added the dhcp-host just to ensure that the dev box gets a proper hostname
entry in the DNS. I opened up ports 53 TCP and 53,67-69 UDP in the firewall
of ipa.blarg.local.

Then I installed the IPA server with `yum install ipa-server`. 115 packages
are installed.

Then I ran the install script `ipa-server-install`
It correctly identifies the Server Host Name as ipa.blarg.local.
It correctly identifies the domain name as blarg.local.
It correctly identifies the realm name as BLARG.LOCAL.
I set the Directory Manager password
I set the IPA Admin password.
The script runs till completion.

I opened up ports 80,88,389,443,464,636 TCP and 88,464,123 UDP as suggested
by the Red Hat documentation. Table 2.2 of the FreeIPA documentation has a
few other ports listed as well, so I opened them too. These are
9180,9443-9446,9701,7389 TCP.

Next I run `kinit admin` on the command prompt. Then I opened up firefox to
http://ipa.blarg.local and "I understand the risks" to "add exception" that
I permanently stored.

An error pops up saying that "Kerberos ticket no longer valid" and I click
the "follow these directions" link. This takes me to a page to import the CA
certificate and I agree to trust the site. Next is the link to configure
Firefox for Single Sign On. Everything is pretty much exactly as the
documentation says it should be. Now going to ipa.blarg.local logs me in.

I tested it out by adding a new user via command line: `echo "password" |
ipa user-add user1 --first=Some --last=User --password`. This completes

Now I tried to add the dev box as a client.

On dev.blarg.local, it has an IP from the DNS server and I can ping both
'ipa' and 'ipa.blarg.local'. Both hosts can ping 'dev.blarg.local' and
'dev'. I can do a `dig -x` and get a successful result for the
host ipa.blarg.local. I get a successful lookup for the host dev as well.
The DNS forward and reverse look-ups appear to be working correctly, as far
as I can tell.

`yum install ipa-client` showed it was already installed. Therefore I ran
`ipa-client-install` as root.

"DNS discovery failed to determine your DNS domain."
"Please provide the domain name of your IPA server:"

Hrm. Why didn't it pick it up? The host sees it and so does the DNS. I
entered blarg.local

"DNS discovery failed to determine your DNS domain."
"Please provide your IPA server name:"

Hrm. Very odd. I enter in ipa.blarg.local

I get a big error message saying it failed. It says my resolve.conf file is
not properly configured. It asks if I want to proceed without DNS and I say
no. I get back a bash command prompt.

`cat /etc/resolv.conf`
domain blarg.local
search blarg.local
nameserver #This is the IP of ipa.blarg.local aka the DNS/DHCP

Everything looks right. DNS acts properly as far as I can tell. Don't know
why it didn't work.

I have done a bunch of reading and verified things like my time being
correct (It is. Both hosts are less then a second of each other). I thought
maybe a port is missing on the firewall since the FreeIPA documentation has
more ports then the Red Hat documentation. I double checked the firewall
ports with nmap and they appear open. So I turned off the firewall (not
great IRL but OK for testing in a isolated virtual machine). I thought it
was a problem with a service not running, but everything looks like it is
running properly.

The latest attempt I failed out early on. The Fedora RPMS for FreeIPA 2.1.3
complained about too many packages being different from the SL base (and I
would rather not have that many packages different) so I tried to pull the
source to compile 2.1.3 but I was having issues pulling in all the devel
packages. If I just need to suck it up and compile from source, I will. If I
were to move this into my work environment I would just rather stick with
the official RPMS then build my own repo, but I can do it if that is what is

Not sure what the problem is with the client though. Any ideas?

Freeipa-users mailing list

Reply via email to