Hi Petr,

Thanks for the reply.

I wrote:
<snip>
> > I have been trying to set up SRV records for the FreeIPA server by
> > providing the autogenerated zone file to our DNS manager, who has
> > incorporated the configuration. When we deployed these changes, I used
> > dig to confirm that SRV queries were giving appropriate responses, which
> > they appear to be.
> >
> > I then tried setting up a client using ipa-client-install and got an error:
> >
> > Failed to verify that freeipa01.<munged.domain> is an IPA Server.
> > This may mean that the remote server is not up or is not reachable due to
> > network or firewall settings.
<snip>
> > The zone config we currently have in place is as follows (we changed
> > hostnames in the sample file to fqdns for this attempt, but the same
> > symptoms came from bare hostnames)...
> >
> > ; ldap servers
> > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> > ;
> > ; kerberos realm
> > _kerberos.my.domain. IN TXT my.domain.
> > ;
> > ; kerberos servers
> > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > ;
> > ; ntp server
> > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.

Petr wrote:
> Interesting. Please provide us with information listed on
> http://www.freeipa.org/page/Troubleshooting#Client_Installation

OK, log file attached.

> Additionally not-obfuscated output from dig could help too.

Transcript of some dig commands attached (script output edited to clear up control characters).

> Also, please keep in mind that:
> 1) Log obfuscation will make debugging harder for us.
> 2) Obfuscating DNS names does not bring any real security.
>
> Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is
> in there ...

Point taken, I won't do that again. :)

And thanks again.

Rob
2015-01-20T15:02:18Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None,
'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None,
'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None,
'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False,
'debug': False, 'preserve_sssd': False, 'uninstall': False}
2015-01-20T15:02:18Z DEBUG missing options might be asked for interactively
later
2015-01-20T15:02:18Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-01-20T15:02:18Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-01-20T15:02:18Z DEBUG [IPA Discovery]
2015-01-20T15:02:18Z DEBUG Starting IPA discovery with domain=None,
server=None, hostname=rhtest02.gridpp.rl.ac.uk
2015-01-20T15:02:18Z DEBUG Start searching for LDAP SRV record in
"gridpp.rl.ac.uk" (domain of the hostname) and its sub-domains
2015-01-20T15:02:18Z DEBUG Search DNS for SRV record of
_ldap._tcp.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.gridpp.rl.ac.uk.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:freeipa01.gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG [Kerberos realm search]
2015-01-20T15:02:18Z DEBUG Search DNS for TXT record of
_kerberos.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found:
DNSResult::name:_kerberos.gridpp.rl.ac.uk.,type:16,class:1,rdata={data:gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG Search DNS for SRV record of
_kerberos._udp.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found:
DNSResult::name:_kerberos._udp.gridpp.rl.ac.uk.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:freeipa01.gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG [LDAP server check]
2015-01-20T15:02:18Z DEBUG Verifying that freeipa01.gridpp.rl.ac.uk (realm
gridpp.rl.ac.uk.) is an IPA server
2015-01-20T15:02:18Z DEBUG Init LDAP connection with:
ldap://freeipa01.gridpp.rl.ac.uk:389
2015-01-20T15:02:18Z DEBUG Search LDAP server for IPA base DN
2015-01-20T15:02:18Z DEBUG Check if naming context
'dc=gridpp,dc=rl,dc=ac,dc=uk' is for IPA
2015-01-20T15:02:18Z DEBUG Naming context 'dc=gridpp,dc=rl,dc=ac,dc=uk' is a
valid IPA context
2015-01-20T15:02:18Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=gridpp,dc=rl,dc=ac,dc=uk (sub)
2015-01-20T15:02:18Z DEBUG Found:
cn=GRIDPP.RL.AC.UK,cn=kerberos,dc=gridpp,dc=rl,dc=ac,dc=uk
2015-01-20T15:02:18Z DEBUG Discovery result: REALM_NOT_FOUND;
server=freeipa01.gridpp.rl.ac.uk, domain=gridpp.rl.ac.uk,
kdc=freeipa01.gridpp.rl.ac.uk, basedn=dc=gridpp,dc=rl,dc=ac,dc=uk
2015-01-20T15:02:18Z DEBUG will use discovered domain: gridpp.rl.ac.uk
2015-01-20T15:02:18Z DEBUG Start searching for LDAP SRV record in
"gridpp.rl.ac.uk" (Validating DNS Discovery) and its sub-domains
2015-01-20T15:02:18Z DEBUG Search DNS for SRV record of
_ldap._tcp.gridpp.rl.ac.uk.
2015-01-20T15:02:18Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.gridpp.rl.ac.uk.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:freeipa01.gridpp.rl.ac.uk.}
2015-01-20T15:02:18Z DEBUG DNS validated, enabling discovery
2015-01-20T15:02:18Z DEBUG will use discovered server: freeipa01.gridpp.rl.ac.uk
2015-01-20T15:02:18Z ERROR Failed to verify that freeipa01.gridpp.rl.ac.uk is
an IPA Server.
2015-01-20T15:02:18Z ERROR This may mean that the remote server is not up or is
not reachable due to network or firewall settings.
2015-01-20T15:02:18Z INFO Please make sure the following ports are opened in
the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly
after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
2015-01-20T15:02:18Z DEBUG (freeipa01.gridpp.rl.ac.uk: Discovered LDAP SRV
records from gridpp.rl.ac.uk (domain of the hostname))
2015-01-20T15:02:18Z ERROR Installation failed. Rolling back changes.
2015-01-20T15:02:18Z ERROR IPA client is not configured on this system.
Attachment: dig_queries
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
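The attached log contains the detail worth checking before looking at firewalls: the realm discovered from the `_kerberos` TXT record is `gridpp.rl.ac.uk.` (lowercase, trailing dot), while the only krbRealmContainer the server holds is `cn=GRIDPP.RL.AC.UK`, and the discovery result is `REALM_NOT_FOUND`. Kerberos realm names are case-sensitive, so a client comparing the two strings literally will not match them. The script below is an added example, not part of the thread and not FreeIPA's own code: it parses the zone fragment from the thread (with the real domain substituted, as the log shows it resolving; the fragment and the realm string are constructed from the page, not fetched) and applies the checks the log implies, namely every expected SRV name is present on the expected port, SRV targets are fully qualified, and the TXT realm equals the realm the server advertises. The expected-SRV list and port numbers are taken from the thread's zone config and the ports listed in the log; the assumption that the corrected TXT value should be the uppercase realm with no trailing dot is mine.

```python
"""Lint a FreeIPA DNS zone fragment against the realm the server advertises.

Added example for the freeipa-users thread above; not FreeIPA project code.
Inputs are constructed strings, so nothing here touches DNS or LDAP.
"""
import re

DOMAIN = "gridpp.rl.ac.uk"
# cn of the krbRealmContainer the ipa-client-install log shows being found.
LDAP_REALM = "GRIDPP.RL.AC.UK"

# Constructed: the thread's zone config with the real domain substituted.
ZONE = """\
; ldap servers
_ldap._tcp.gridpp.rl.ac.uk. IN SRV 0 100 389 freeipa01.gridpp.rl.ac.uk.
; kerberos realm
_kerberos.gridpp.rl.ac.uk. IN TXT gridpp.rl.ac.uk.
; kerberos servers
_kerberos._tcp.gridpp.rl.ac.uk. IN SRV 0 100 88 freeipa01.gridpp.rl.ac.uk.
_kerberos._udp.gridpp.rl.ac.uk. IN SRV 0 100 88 freeipa01.gridpp.rl.ac.uk.
_kerberos-master._tcp.gridpp.rl.ac.uk. IN SRV 0 100 88 freeipa01.gridpp.rl.ac.uk.
_kerberos-master._udp.gridpp.rl.ac.uk. IN SRV 0 100 88 freeipa01.gridpp.rl.ac.uk.
_kpasswd._tcp.gridpp.rl.ac.uk. IN SRV 0 100 464 freeipa01.gridpp.rl.ac.uk.
_kpasswd._udp.gridpp.rl.ac.uk. IN SRV 0 100 464 freeipa01.gridpp.rl.ac.uk.
; ntp server
_ntp._udp.gridpp.rl.ac.uk. IN SRV 0 100 123 freeipa01.gridpp.rl.ac.uk.
"""

# Constructed corrected fragment (assumption: realm uppercase, no trailing dot).
FIXED_ZONE = ZONE.replace("IN TXT gridpp.rl.ac.uk.", 'IN TXT "GRIDPP.RL.AC.UK"')

# SRV names and ports from the thread's zone config / the log's port list.
EXPECTED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
TXT_RE = re.compile(r'^(\S+)\s+IN\s+TXT\s+"?([^"]+)"?$')


def parse_zone(text):
    """Return ({owner: [(prio, weight, port, target)]}, {owner: txt_value})."""
    srv, txt = {}, {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            name, prio, weight, port, target = m.groups()
            srv.setdefault(name.lower(), []).append(
                (int(prio), int(weight), int(port), target))
            continue
        m = TXT_RE.match(line)
        if m:
            txt[m.group(1).lower()] = m.group(2)
    return srv, txt


def check_zone(zone_text, domain, ldap_realm):
    """Return a list of problems; an empty list means the fragment passes."""
    srv, txt = parse_zone(zone_text)
    problems = []
    for prefix, port in EXPECTED_SRV.items():
        name = f"{prefix}.{domain}."
        recs = srv.get(name)
        if not recs:
            problems.append(f"missing SRV {name}")
            continue
        for _prio, _weight, rport, target in recs:
            if rport != port:
                problems.append(f"{name}: port {rport}, expected {port}")
            if not target.endswith("."):
                problems.append(f"{name}: target {target} is not fully qualified")
    realm = txt.get(f"_kerberos.{domain}.")
    if realm is None:
        problems.append(f"missing TXT _kerberos.{domain}.")
    elif realm != ldap_realm:
        # Literal comparison on purpose: Kerberos realm names are case-sensitive.
        problems.append(f"TXT realm {realm!r} != server realm {ldap_realm!r}")
    return problems


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE), ("corrected", FIXED_ZONE)):
        print(label, check_zone(zone, DOMAIN, LDAP_REALM) or "OK")
```

Run it with the zone fragment your DNS manager deployed and the realm from `cn=<REALM>,cn=kerberos,<basedn>` on the server; the only comparison that matters is the literal one on the TXT value, which is why the script deliberately does not case-fold it.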
