Hello everyone. I like the potential possibilities that IPA provides so I have been playing with it trying to figure it out. I am using Scientific Linux 6.1 as my OS and I have been using the Red Hat documentation  as the majority source of my learning thus far. I have been recently reading through the documentation on freeipa.org since it seems to be flushed out a little more.
 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Enterprise_Identity_Management_Guide/index.html  https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html I have run into an issue and I am having difficultly solving it. The client will not see the server. I have posted to the SL forums but I have not heard anything back. I am hoping it is more of an IPA issue instead of a SL6.1 and as such someone here might be able to help. For testing purposes I have two hosts. Both hosts are a fresh install of SL6.1 Minimal Desktop fully updated on a VM connected by a virtual network. There is nothing else on this network at all and no connection to the outside world. My yum updates off of a external USB drive that contains a up-to-date yum mirror of 6.1, Security, and Fastbugs (I do a lot of testing and this helps alleviate me beating up someone elses mirror). Host ipa.blarg.local is my ipa server. Host dev.blarg.local is my "desktop developer" system. The minimal desktop install included dnsmasq. So I configured it for use as my DHCP/DNS server on ipa.blarg.local. /etc/dnsmasq.conf is as follows: domain=needed domain=blarg.local dhcp-range=10.1.1.50,10.1.1.55,255.255.0.0,12h dhcp-host=08:00:27:e1:7c:15,dev log-dhcp I added the dhcp-host just to ensure that the dev box gets a proper hostname entry in the DNS. I opened up ports 53 TCP and 53,67-69 UDP in the firewall of ipa.blarg.local. Then I installed the IPA server with `yum install ipa-server`. 115 packages are installed. Then I ran the install script `ipa-server-install` It correctly identifies the Server Host Name as ipa.blarg.local. It correctly identifies the domain name as blarg.local. It correctly identifies the realm name as BLARG.LOCAL. I set the Directory Manager password I set the IPA Admin password. The script runs till completion. I opened up ports 80,88,389,443,464,636 TCP and 88,464,123 UDP as suggested by the Red Hat documentation. Table 2.2 of the FreeIPA documentation has a few other ports listed as well, so I opened them too. These are 9180,9443-9446,9701,7389 TCP. Next I run `kinit admin` on the command prompt. Then I opened up firefox to http://ipa.blarg.local and "I understand the risks" to "add exception" that I permanently stored. An error pops up saying that "Kerberos ticket no longer valid" and I click the "follow these directions" link. This takes me to a page to import the CA certificate and I agree to trust the site. Next is the link to configure Firefox for Single Sign On. Everything is pretty much exactly as the documentation says it should be. Now going to ipa.blarg.local logs me in. Great! I tested it out by adding a new user via command line: `echo "password" | ipa user-add user1 --first=Some --last=User --password`. This completes successfully. Now I tried to add the dev box as a client. On dev.blarg.local, it has an IP from the DNS server and I can ping both 'ipa' and 'ipa.blarg.local'. Both hosts can ping 'dev.blarg.local' and 'dev'. I can do a `dig -x 10.1.1.12` and get a successful result for the host ipa.blarg.local. I get a successful lookup for the host dev as well. The DNS forward and reverse look-ups appear to be working correctly, as far as I can tell. `yum install ipa-client` showed it was already installed. Therefore I ran `ipa-client-install` as root. "DNS discovery failed to determine your DNS domain." "Please provide the domain name of your IPA server:" Hrm. Why didn't it pick it up? The host sees it and so does the DNS. I entered blarg.local "DNS discovery failed to determine your DNS domain." "Please provide your IPA server name:" Hrm. Very odd. I enter in ipa.blarg.local I get a big error message saying it failed. It says my resolve.conf file is not properly configured. It asks if I want to proceed without DNS and I say no. I get back a bash command prompt. `cat /etc/resolv.conf` domain blarg.local search blarg.local nameserver 10.1.1.12 #This is the IP of ipa.blarg.local aka the DNS/DHCP server Everything looks right. DNS acts properly as far as I can tell. Don't know why it didn't work. I have done a bunch of reading and verified things like my time being correct (It is. Both hosts are less then a second of each other). I thought maybe a port is missing on the firewall since the FreeIPA documentation has more ports then the Red Hat documentation. I double checked the firewall ports with nmap and they appear open. So I turned off the firewall (not great IRL but OK for testing in a isolated virtual machine). I thought it was a problem with a service not running, but everything looks like it is running properly. The latest attempt I failed out early on. The Fedora RPMS for FreeIPA 2.1.3 complained about too many packages being different from the SL base (and I would rather not have that many packages different) so I tried to pull the source to compile 2.1.3 but I was having issues pulling in all the devel packages. If I just need to suck it up and compile from source, I will. If I were to move this into my work environment I would just rather stick with the official RPMS then build my own repo, but I can do it if that is what is needed. Not sure what the problem is with the client though. Any ideas? Thanks! ~Stack~
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users