Hi Petr,

Thanks for the reply.

I wrote:

<snip>
> > I have been trying to set up SRV records for the FreeIPA server by
> > providing the autogenerated zone file to our DNS manager, who has
> > incorporated the configuration. When we deployed these changes, I used
> > dig to confirm that SRV queries were giving appropriate responses, which
> > they appear to be.
> >
> > I then tried setting up a client using ipa-client-install and got an error:
> >
> > Failed to verify that freeipa01.<munged.domain> is an IPA Server.
> > This may mean that the remote server is not up or is not reachable due to
> > network or firewall settings.
<snip>
> > The zone config we currently have in place is as follows (we changed
> > hostnames in the sample file to fqdns for this attempt, but the same
> > symptoms came from bare hostnames)...
> >
> > ; ldap servers
> > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> > ;
> > ; kerberos realm
> > _kerberos.my.domain. IN TXT my.domain.
> > ;
> > ; kerberos servers
> > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > ;
> > ; ntp server
> > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.

Petr wrote:
> Interesting. Please provide us with information listed on
> http://www.freeipa.org/page/Troubleshooting#Client_Installation

OK, log file attached.

> Additionally not-obfuscated output from dig could help too.

Transcript of some dig commands attached (script output edited to clear up control characters).

> Also, please keep in mind that:
> 1) Log obfuscation will make debugging harder for us.
> 2) Obfuscating DNS names does not bring any real security.
>
> Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is
> in there ...

Point taken, I won't do that again. :)

And thanks again.

Rob

2015-01-20T15:02:18Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2015-01-20T15:02:18Z DEBUG missing options might be asked for interactively later
2015-01-20T15:02:18Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-01-20T15:02:18Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-01-20T15:02:18Z DEBUG [IPA Discovery]
2015-01-20T15:02:18Z DEBUG Starting IPA discovery with domain=None, server=None, hostname=rhtest02.gridpp.rl.ac.uk
2015-01-20T15:02:18Z DEBUG Start searching for LDAP SRV record in "gridpp.rl.ac.uk" (domain of the hostname) and its sub-domains
2015-01-20T15:02:18Z DEBUG Search DNS for SRV record of _ldap._tcp.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.gridpp.rl.ac.uk.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:freeipa01.gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG [Kerberos realm search]
2015-01-20T15:02:18Z DEBUG Search DNS for TXT record of _kerberos.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found: DNSResult::name:_kerberos.gridpp.rl.ac.uk.,type:16,class:1,rdata={data:gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG Search DNS for SRV record of _kerberos._udp.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.gridpp.rl.ac.uk.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:freeipa01.gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG [LDAP server check]
2015-01-20T15:02:18Z DEBUG Verifying that freeipa01.gridpp.rl.ac.uk (realm gridpp.rl.ac.uk.) is an IPA server
2015-01-20T15:02:18Z DEBUG Init LDAP connection with: ldap://freeipa01.gridpp.rl.ac.uk:389
2015-01-20T15:02:18Z DEBUG Search LDAP server for IPA base DN
2015-01-20T15:02:18Z DEBUG Check if naming context 'dc=gridpp,dc=rl,dc=ac,dc=uk' is for IPA
2015-01-20T15:02:18Z DEBUG Naming context 'dc=gridpp,dc=rl,dc=ac,dc=uk' is a valid IPA context
2015-01-20T15:02:18Z DEBUG Search for (objectClass=krbRealmContainer) in dc=gridpp,dc=rl,dc=ac,dc=uk (sub)
2015-01-20T15:02:18Z DEBUG Found: cn=GRIDPP.RL.AC.UK,cn=kerberos,dc=gridpp,dc=rl,dc=ac,dc=uk
2015-01-20T15:02:18Z DEBUG Discovery result: REALM_NOT_FOUND; server=freeipa01.gridpp.rl.ac.uk, domain=gridpp.rl.ac.uk, kdc=freeipa01.gridpp.rl.ac.uk, basedn=dc=gridpp,dc=rl,dc=ac,dc=uk
2015-01-20T15:02:18Z DEBUG will use discovered domain: gridpp.rl.ac.uk
2015-01-20T15:02:18Z DEBUG Start searching for LDAP SRV record in "gridpp.rl.ac.uk" (Validating DNS Discovery) and its sub-domains
2015-01-20T15:02:18Z DEBUG Search DNS for SRV record of _ldap._tcp.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.gridpp.rl.ac.uk.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:freeipa01.gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG DNS validated, enabling discovery
2015-01-20T15:02:18Z DEBUG will use discovered server: freeipa01.gridpp.rl.ac.uk
2015-01-20T15:02:18Z ERROR Failed to verify that freeipa01.gridpp.rl.ac.uk is an IPA Server.
2015-01-20T15:02:18Z ERROR This may mean that the remote server is not up or is not reachable due to network or firewall settings.
2015-01-20T15:02:18Z INFO Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
2015-01-20T15:02:18Z DEBUG (freeipa01.gridpp.rl.ac.uk: Discovered LDAP SRV records from gridpp.rl.ac.uk (domain of the hostname))
2015-01-20T15:02:18Z ERROR Installation failed. Rolling back changes.
2015-01-20T15:02:18Z ERROR IPA client is not configured on this system.

Attachment: dig_queries
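
An added example, not part of the original message or of FreeIPA's code: in the log above the `_kerberos` TXT record returns `gridpp.rl.ac.uk.`, the LDAP search finds the realm container `cn=GRIDPP.RL.AC.UK`, and discovery then reports `REALM_NOT_FOUND`. The sketch below extracts those three values from an ipa-client-install debug log and flags a TXT value that differs from the LDAP realm only by case or a trailing dot. That the client compares the two strings exactly is an assumption, and the function names are hypothetical.

```python
import re

# Three lines copied from the log in the message above.
LOG = """\
2015-01-20T15:02:18Z DEBUG DNS record found: DNSResult::name:_kerberos.gridpp.rl.ac.uk.,type:16,class:1,rdata={data:gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG Found: cn=GRIDPP.RL.AC.UK,cn=kerberos,dc=gridpp,dc=rl,dc=ac,dc=uk
2015-01-20T15:02:18Z DEBUG Discovery result: REALM_NOT_FOUND; server=freeipa01.gridpp.rl.ac.uk, domain=gridpp.rl.ac.uk, kdc=freeipa01.gridpp.rl.ac.uk, basedn=dc=gridpp,dc=rl,dc=ac,dc=uk
"""

# TXT answers (DNS type 16) for the _kerberos label carry the realm name.
TXT_RE = re.compile(
    r"DNSResult::name:_kerberos\.[^,]*,type:16,class:1,rdata=\{data:([^}]*)\}")
# Realm container entries found under cn=kerberos in the directory.
LDAP_RE = re.compile(r"DEBUG Found: cn=([^,]+),cn=kerberos,")
RESULT_RE = re.compile(r"Discovery result: (\w+);")


def realm_findings(log_text):
    """Return (TXT realm values, LDAP realm names, discovery results)."""
    return (TXT_RE.findall(log_text),
            LDAP_RE.findall(log_text),
            RESULT_RE.findall(log_text))


def diagnose(log_text):
    """List TXT realm values that do not exactly match any LDAP realm."""
    dns_realms, ldap_realms, results = realm_findings(log_text)
    findings = []
    for dns in dns_realms:
        if dns in ldap_realms:
            continue  # exact match, nothing to report
        # Same name once the trailing dot and letter case are ignored?
        near = [r for r in ldap_realms
                if r.upper() == dns.rstrip(".").upper()]
        findings.append({
            "txt_value": dns,
            "ldap_realm": near[0] if near else None,
            "case_or_dot_only": bool(near),
            "discovery_result": results[-1] if results else None,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOG):
        print(finding)
```

Kerberos realm names are case-sensitive, so a TXT value flagged this way is worth checking against the realm the server was installed with.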