Do a --help on the script. I specify every parameter. When I trust the
script to discover anything on Ubuntu it fails. Even the host name.

On Saturday, May 18, 2013, Endre Karlson wrote:

> So I am trying to enroll Ubuntu into FreeIPA.
>
> But I am getting a number of issues:
> 1. DNS autodiscovery isn't working.
> 2. certutils fails at the end?
>
> In my setup I currently have 1 IPA server running DNS and all of it.
>
> What can be wrong?
>
> Endre.
>
> sudo ipa-client-install -d --enable-dns-updates
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None,
> 'preserve_sssd': False, 'server': None, 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'permit': False, 'debug': True,
> 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended':
> None, 'principal': None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchldap(coretrek.net)]
> root        : DEBUG    [ipadnssearchldap(net)]
> root        : DEBUG    [ipadnssearchldap(coretrek.net)]
> root        : DEBUG    [ipadnssearchldap(net)]
> root        : DEBUG    Domain not found
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): coretrek.net
> root        : DEBUG    will use domain: coretrek.net
>
> root        : DEBUG    [ipadnssearchldap]
> root        : DEBUG    IPA Server not found
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com):
> st-vidm001.coretrek.net
> root        : DEBUG    will use server: st-vidm001.coretrek.net
>
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmp1RBeGA/ca.crt -T 15
> -t 2 http://st-vidm001.coretrek.net/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2013-05-18 18:40:05--
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)...
> 172.16.200.5
> Connecting to st-vidm001.coretrek.net 
> (st-vidm001.coretrek.net)|172.16.200.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/tmp/tmp1RBeGA/ca.crt'
>
>      0K .                                                     100% 69.1M=0s
>
> 2013-05-18 18:40:05 (69.1 MB/s) - `/tmp/tmp1RBeGA/ca.crt' saved [1321/1321]
>
>
> root        : DEBUG    Init ldap with: ldap://st-vidm001.coretrek.net:389
> root        : DEBUG    Search LDAP server for IPA base DN
> root        : DEBUG    Check if naming context 'dc=coretrek,dc=net' is for
> IPA
> root        : DEBUG    Naming context 'dc=coretrek,dc=net' is a valid IPA
> context
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in
> dc=coretrek,dc=net(sub)
> root        : DEBUG    Found: 
> [('cn=CORETREK.NET,cn=kerberos,dc=coretrek,dc=net',
> {'krbSubTrees': ['dc=coretrek,dc=net'], 'cn': ['CORETREK.NET'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
> 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'],
> 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
>
> The failure to use DNS to find your IPA server indicates that your
> resolv.conf file is not properly configured.
>
> Autodiscovery of servers for failover cannot work with this configuration.
>
> If you proceed with the installation, services will be configured to always
> access the discovered server for all operation and will not fail over to
> other servers in case of failure.
>
> Proceed with fixed values and no DNS discovery? [no]: yes
> root        : DEBUG    will use cli_realm: CORETREK.NET
>
> root        : DEBUG    will use cli_basedn: dc=coretrek,dc=net
>
> Hostname: st-posctrl001.coretrek.net
> Realm: CORETREK.NET
> DNS Domain: coretrek.net
> IPA Server: st-vidm001.coretrek.net
> BaseDN: dc=coretrek,dc=net
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> root        : DEBUG    will use principal: admin
>
> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2013-05-18 18:40:28--
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)...
> 172.16.200.5
> Connecting to st-vidm001.coretrek.net 
> (st-vidm001.coretrek.net)|172.16.200.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
>      0K .                                                     100% 66.7M=0s
>
> 2013-05-18 18:40:28 (66.7 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
>
>
> Synchronizing time with KDC...
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> root        : DEBUG    Writing Kerberos configuration to /tmp/tmpdGLoJb:
> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = CORETREK.NET
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   CORETREK.NET = {
>     kdc = st-vidm001.coretrek.net:88
>     admin_server = st-vidm001.coretrek.net:749
>     default_domain = coretrek.net
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .coretrek.net = CORETREK.NET
>   coretrek.net = CORETREK.NET
>
>
> Password for ad...@coretrek.net:
>
> root        : DEBUG    args=kinit ad...@coretrek.net
> root        : DEBUG    stdout=Password for ad...@coretrek.net:
>
> root        : DEBUG    stderr=
>
> root        : DEBUG    args=/usr/sbin/ipa-join -s st-vidm001.coretrek.net-b 
> dc=coretrek,dc=net -d
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>st-posctrl001.coretrek.net</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>3.2.0-43-generic</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> XML-RPC RESPONSE:
>
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> <value><string>fqdn=st-posctrl001.coretrek.net
> ,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
> <value><struct>\n
> <member>\n
> <name>dn</name>\n
> <value><string>fqdn=st-posctrl001.coretrek.net
> ,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=CORETREK.NET</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbextradata</name>\n
> <value><array><data>\n
> <value><base64>\n
> AAKuqZdRaG9zdC9zdC1wb3NjdHJsMDAxLmNvcmV0cmVrLm5ldEBDT1JFVFJFSy5ORVQA\n
> </base64></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>cn</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>ieee802device</string></value>\n
> <value><string>ipasshhost</string></value>\n
> <value><string>top</string></value>\n
> <value><string>ipaSshGroupOfPubKeys</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managing_host</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krblastsuccessfulauth</name>\n
> <value><array><data>\n
> <value><string>20130518162120Z</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>88f1ad52-bfd2-11e2-81f5-525400d79980</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/st-posctrl001.coretrek....@coretrek.net
> </string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>serverhostname</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>enrolledby_user</name>\n
> <value><array><data>\n
> <value><string>admin</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=CORETREK.NET
> Enrolled in IPA realm CORETREK.NET
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    Backing up system configuration file
> '/etc/ipa/default.conf'
> root        : DEBUG      -> Not backing up - '/etc/ipa/default.conf'
> doesn't exist
> Created /etc/ipa/default.conf
> root        : DEBUG    Backing up system configuration file
> '/etc/sssd/sssd.conf'
> root        : DEBUG    Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Domain coretrek.net is already configured in existing SSSD c
>


-- 
You want it fast, cheap, or right.  Pick two!!
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
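
Added example, not part of the original messages: a small shell helper that lists the DNS records behind the `[ipadnssearchldap]` and `[ipadnssearchkrb]` discovery steps in the log, and builds an `ipa-client-install` command that sets the options the log shows as `None` instead of relying on discovery. The host, domain, realm and principal values are copied from the quoted log; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Values are taken from the quoted debug log; adjust per site.
DOMAIN="coretrek.net"
REALM="CORETREK.NET"
SERVER="st-vidm001.coretrek.net"
CLIENT="st-posctrl001.coretrek.net"
PRINCIPAL="admin"

# DNS records that client discovery looks up for a given domain.
discovery_records() {
    printf 'SRV _ldap._tcp.%s\n' "$1"
    printf 'SRV _kerberos._udp.%s\n' "$1"
    printf 'TXT _kerberos.%s\n' "$1"
}

# Query each record with dig. An empty answer for the SRV records matches
# the "Domain not found" / "IPA Server not found" lines in the log.
check_discovery_dns() {
    discovery_records "$1" | while read -r type name; do
        answer=$(dig +short "$type" "$name" 2>/dev/null)
        printf '%-4s %-32s %s\n' "$type" "$name" "${answer:-<no answer>}"
    done
}

# Accept only fully qualified names: at least one dot, no empty labels.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the install command with every discovered value given explicitly.
build_install_cmd() {
    is_fqdn "$CLIENT" || { echo "not fully qualified: $CLIENT" >&2; return 1; }
    printf 'ipa-client-install -d --enable-dns-updates --hostname=%s --domain=%s --server=%s --realm=%s --principal=%s\n' \
        "$CLIENT" "$DOMAIN" "$SERVER" "$REALM" "$PRINCIPAL"
}

# Run the DNS check only when asked: ./script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_discovery_dns "$DOMAIN"
    build_install_cmd
fi
```

Run with `--check` on the client before enrolling; it needs `dig` and the resolver configuration the client will actually use.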
