On 19 May 2013 02:57, Endre Karlson <endre.karl...@gmail.com> wrote:

> So I am trying to enroll Ubuntu into FreeIPA.
>
> But I am getting a number of issues:
> 1. DNS autodiscovery isn't working.
> 2. certutils fails at the end?
>
> In my setup I currently have 1 IPA server running DNS and all of it.
>
> What can be wrong?
>

I have to ask.
Is the host you are enrolling using the DNS server from FreeIPA?
If it is, it should find the SRV records and set it up.
See further comments inline.


>
> Endre.
>
> sudo ipa-client-install -d --enable-dns-updates
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None,
> 'preserve_sssd': False, 'server': None, 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'permit': False, 'debug': True,
> 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended':
> None, 'principal': None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchldap(coretrek.net)]
> root        : DEBUG    [ipadnssearchldap(net)]
> root        : DEBUG    [ipadnssearchldap(coretrek.net)]
> root        : DEBUG    [ipadnssearchldap(net)]
> root        : DEBUG    Domain not found
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): coretrek.net
> root        : DEBUG    will use domain: coretrek.net
>
> root        : DEBUG    [ipadnssearchldap]
> root        : DEBUG    IPA Server not found
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com):
> st-vidm001.coretrek.net
> root        : DEBUG    will use server: st-vidm001.coretrek.net
>
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmp1RBeGA/ca.crt -T 15
> -t 2 http://st-vidm001.coretrek.net/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2013-05-18 18:40:05--
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)...
> 172.16.200.5
> Connecting to st-vidm001.coretrek.net 
> (st-vidm001.coretrek.net)|172.16.200.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/tmp/tmp1RBeGA/ca.crt'
>
>      0K .                                                     100% 69.1M=0s
>
> 2013-05-18 18:40:05 (69.1 MB/s) - `/tmp/tmp1RBeGA/ca.crt' saved [1321/1321]
>
>
> root        : DEBUG    Init ldap with: ldap://st-vidm001.coretrek.net:389
> root        : DEBUG    Search LDAP server for IPA base DN
> root        : DEBUG    Check if naming context 'dc=coretrek,dc=net' is for
> IPA
> root        : DEBUG    Naming context 'dc=coretrek,dc=net' is a valid IPA
> context
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in
> dc=coretrek,dc=net(sub)
> root        : DEBUG    Found: 
> [('cn=CORETREK.NET,cn=kerberos,dc=coretrek,dc=net',
> {'krbSubTrees': ['dc=coretrek,dc=net'], 'cn': ['CORETREK.NET'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
> 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'],
> 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
>
> The failure to use DNS to find your IPA server indicates that your
> resolv.conf file is not properly configured.
>

This message would suggest it isn't using the DNS server on your FreeIPA
server.



>
> Autodiscovery of servers for failover cannot work with this configuration.
>
> If you proceed with the installation, services will be configured to always
> access the discovered server for all operation and will not fail over to
> other servers in case of failure.
>
> Proceed with fixed values and no DNS discovery? [no]: yes
> root        : DEBUG    will use cli_realm: CORETREK.NET
>
> root        : DEBUG    will use cli_basedn: dc=coretrek,dc=net
>
> Hostname: st-posctrl001.coretrek.net
> Realm: CORETREK.NET
> DNS Domain: coretrek.net
> IPA Server: st-vidm001.coretrek.net
> BaseDN: dc=coretrek,dc=net
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> root        : DEBUG    will use principal: admin
>
> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2013-05-18 18:40:28--
> http://st-vidm001.coretrek.net/ipa/config/ca.crt
> Resolving st-vidm001.coretrek.net (st-vidm001.coretrek.net)...
> 172.16.200.5
> Connecting to st-vidm001.coretrek.net 
> (st-vidm001.coretrek.net)|172.16.200.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
>      0K .                                                     100% 66.7M=0s
>
> 2013-05-18 18:40:28 (66.7 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
>
>
> Synchronizing time with KDC...
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
> st-vidm001.coretrek.net
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> root        : DEBUG    Writing Kerberos configuration to /tmp/tmpdGLoJb:
> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = CORETREK.NET
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   CORETREK.NET = {
>     kdc = st-vidm001.coretrek.net:88
>     admin_server = st-vidm001.coretrek.net:749
>     default_domain = coretrek.net
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .coretrek.net = CORETREK.NET
>   coretrek.net = CORETREK.NET
>
>
> Password for ad...@coretrek.net:
>
> root        : DEBUG    args=kinit ad...@coretrek.net
> root        : DEBUG    stdout=Password for ad...@coretrek.net:
>
> root        : DEBUG    stderr=
>
> root        : DEBUG    args=/usr/sbin/ipa-join -s st-vidm001.coretrek.net-b 
> dc=coretrek,dc=net -d
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>st-posctrl001.coretrek.net</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>3.2.0-43-generic</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> XML-RPC RESPONSE:
>
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> <value><string>fqdn=st-posctrl001.coretrek.net
> ,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
> <value><struct>\n
> <member>\n
> <name>dn</name>\n
> <value><string>fqdn=st-posctrl001.coretrek.net
> ,cn=computers,cn=accounts,dc=coretrek,dc=net</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=CORETREK.NET</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbextradata</name>\n
> <value><array><data>\n
> <value><base64>\n
> AAKuqZdRaG9zdC9zdC1wb3NjdHJsMDAxLmNvcmV0cmVrLm5ldEBDT1JFVFJFSy5ORVQA\n
> </base64></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>cn</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>ieee802device</string></value>\n
> <value><string>ipasshhost</string></value>\n
> <value><string>top</string></value>\n
> <value><string>ipaSshGroupOfPubKeys</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managing_host</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krblastsuccessfulauth</name>\n
> <value><array><data>\n
> <value><string>20130518162120Z</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>88f1ad52-bfd2-11e2-81f5-525400d79980</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/st-posctrl001.coretrek....@coretrek.net
> </string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001.coretrek.net</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>serverhostname</name>\n
> <value><array><data>\n
> <value><string>st-posctrl001</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>enrolledby_user</name>\n
> <value><array><data>\n
> <value><string>admin</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=CORETREK.NET
> Enrolled in IPA realm CORETREK.NET
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    Backing up system configuration file
> '/etc/ipa/default.conf'
> root        : DEBUG      -> Not backing up - '/etc/ipa/default.conf'
> doesn't exist
> Created /etc/ipa/default.conf
> root        : DEBUG    Backing up system configuration file
> '/etc/sssd/sssd.conf'
> root        : DEBUG    Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Domain coretrek.net is already configured in existing SSSD config,
> creating a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during
> uninstall.
> root        : DEBUG    Domain coretrek.net is already configured in
> existing SSSD config, creating a new one.
> Configured /etc/sssd/sssd.conf
> root        : DEBUG    args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA
> CA -t CT,C,C -a -i /etc/ipa/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=certutil: function failed: The
> certificate/key database is in an old, unsupported format.
>
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1292, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1279, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1124, in install
>     run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA
> CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273,
> in run
>     raise CalledProcessError(p.returncode, args)
> subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d
> /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero
> exit status 255
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
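The reply's point, that the enrolling host has to resolve against the FreeIPA DNS server so that the SRV records are found, can be checked before running ipa-client-install again. The script below is an added example, not code from this thread or from the FreeIPA project. It mimics the discovery walk visible in the quoted log (ipadnssearchldap(coretrek.net), then (net)) and looks for the SRV names FreeIPA publishes, `_ldap._tcp.<domain>` and `_kerberos._udp.<domain>`. The resolv.conf text, the resolver address 172.16.200.1 and the SRV table are constructed for the demonstration; 172.16.200.5 is the IPA server address from the log. SRV answers come from an injected lookup function so the script runs offline.

```python
"""Check whether a host's resolver is set up for FreeIPA DNS autodiscovery.

Added example, not part of the thread or of FreeIPA. The SRV names are the
ones FreeIPA publishes; everything else here is constructed sample data.
"""
from typing import Callable, Dict, List, Optional

# Constructed resolv.conf: the host still points at the site's old resolver
# (172.16.200.1, constructed), not at the IPA server (172.16.200.5 in the log).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search coretrek.net
nameserver 172.16.200.1
"""

# Constructed SRV table standing in for the IPA server's own DNS zone.
# Key: SRV owner name; value: list of (priority, weight, port, target).
SAMPLE_IPA_ZONE = {
    "_ldap._tcp.coretrek.net": [(0, 100, 389, "st-vidm001.coretrek.net")],
    "_kerberos._udp.coretrek.net": [(0, 100, 88, "st-vidm001.coretrek.net")],
}

SrvLookup = Callable[[str], List[tuple]]


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return the nameserver and search/domain entries from resolv.conf text."""
    out: Dict[str, List[str]] = {"nameserver": [], "search": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver":
            out["nameserver"].append(rest.strip())
        elif key in ("search", "domain"):
            out["search"].extend(rest.split())
    return out


def candidate_domains(hostname: str) -> List[str]:
    """Walk the host's parent domains, as the quoted log shows:
    st-posctrl001.coretrek.net -> coretrek.net -> net."""
    labels = hostname.rstrip(".").split(".")[1:]
    return [".".join(labels[i:]) for i in range(len(labels))]


def discover_ipa_server(hostname: str, lookup: SrvLookup) -> Optional[dict]:
    """Return the first candidate domain that has both SRV records, or None."""
    for domain in candidate_domains(hostname):
        ldap = lookup(f"_ldap._tcp.{domain}")
        krb = lookup(f"_kerberos._udp.{domain}")
        if ldap and krb:
            # Lowest priority wins; among equal priorities prefer higher weight.
            best = min(ldap, key=lambda r: (r[0], -r[1]))
            return {"domain": domain, "server": best[3], "ldap_port": best[2]}
    return None


def zone_lookup(zone: dict) -> SrvLookup:
    """Build a lookup function that answers only from the constructed zone."""
    return lambda name: list(zone.get(name.rstrip("."), []))


def no_answer_lookup(name: str) -> List[tuple]:
    """Stand-in for a resolver that knows nothing about the IPA zone."""
    return []


def diagnose(resolv_conf: str, hostname: str, ipa_server_ip: str,
             lookup: SrvLookup) -> dict:
    """Summarise whether autodiscovery can work from this host."""
    conf = parse_resolv_conf(resolv_conf)
    return {
        "nameservers": conf["nameserver"],
        "uses_ipa_dns": ipa_server_ip in conf["nameserver"],
        "discovered": discover_ipa_server(hostname, lookup),
        "srv_names_checked": [f"_ldap._tcp.{d}" for d in candidate_domains(hostname)],
    }


if __name__ == "__main__":
    host = "st-posctrl001.coretrek.net"
    # The situation in the thread: resolver not pointing at IPA, nothing found.
    print(diagnose(SAMPLE_RESOLV_CONF, host, "172.16.200.5", no_answer_lookup))
    # Same host after resolv.conf is switched to the IPA server's DNS.
    fixed = SAMPLE_RESOLV_CONF.replace("172.16.200.1", "172.16.200.5")
    print(diagnose(fixed, host, "172.16.200.5", zone_lookup(SAMPLE_IPA_ZONE)))
```

To run this against a live resolver, replace the injected lookup with one backed by dnspython (`dns.resolver.resolve(name, "SRV")`, mapping each answer's priority, weight, port and target into the same tuples); the discovery logic itself does not change.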
