On 02/02/15 14:13, Gerardo Cuppari wrote:
Hello! I am trying to enroll one host to my IPA server (4.1.2) and I am having one problem: the ipa-client-install script keeps giving me errors at the "forwarding ping to json server" step.


My configuration is:
- server.estudio.local, 192.168.56.2, Fedora Server 21, ipa 4.1.2
- pc01.estudio.local, 192.168.56.106, Fedora Works. 21

Both have firewalld down (just to test) and can reach each other. I've been trying to get this working without success (solved other minor issues) and so I'm asking for your help. The only way I can make it work is by adding the --force switch to ipa-client-install script but, that way, it just disregards errors.

Thanks in advance!!!

Here are my tests:

SERVER
======
[root@server ~]# ipa ping
-------------------------------------------
IPA server version 4.1.2. API version 2.109
-------------------------------------------

CLIENT
======
[root@pc01 ~]# dig server

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.          IN      A

;; Query time: 10 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 09:51:07 ART 2015
;; MSG SIZE  rcvd: 35

***********************************************

[root@pc01 ~]# nslookup server
Server:         192.168.56.2
Address:        192.168.56.2#53

Name:   server.estudio.local
Address: 192.168.56.2

***********************************************

Here I disable chronyd so I can run the script without NTP sync errors:

[root@pc01 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@pc01 ~]# service chronyd stop
Redirecting to /bin/systemctl stop  chronyd.service

***********************************************

Without having "server.estudio.local" on /etc/hosts file:

[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Skip server.estudio.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): server.estudio.local
Skip server.estudio.local: cannot verify if this is an IPA server
Failed to verify that server.estudio.local is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


***********************************************

Here I added hostname and IP address to /etc/hosts file (don't know why it doesn't work without it):

[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Discovery was successful!
Hostname: pc01.estudio.local
Realm: ESTUDIO.LOCAL
DNS Domain: estudio.local
IPA Server: server.estudio.local
BaseDN: dc=estudio,dc=local

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: admin
Password for admin@ESTUDIO.LOCAL:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ESTUDIO.LOCAL
    Issuer:      CN=Certificate Authority,O=ESTUDIO.LOCAL
    Valid From:  Fri Jan 30 12:02:01 2015 UTC
    Valid Until: Tue Jan 30 12:02:01 2035 UTC

Enrolled in IPA realm ESTUDIO.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
Cannot connect to the server due to Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228). Trying with delegate=True
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
Second connect with delegate=True also failed: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228) Cannot connect to the IPA server RPC interface: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el fichero o el directorio: '/etc/ipa/nssdb/cert8.db'
Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el fichero o el directorio: '/etc/ipa/nssdb/key3.db'
Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el fichero o el directorio: '/etc/ipa/nssdb/secmod.db'
Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: host/domain name not found.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

***********************************************



Hello

dig returns SERVFAIL; it may be the issue.

Can you please check /etc/named.conf on the server, whether there is dnssec-validation true? If yes, please set dnssec-validation to no, because you use the domain name .local; it may cause troubles.

If the troubles persist, please send the journalctl -u named-pkcs11 log.

Martin^2

--
Martin Basti
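A small diagnostic for the check Martin suggests, added here as an example and not part of either message: it compares a normal dig query against the same query sent with +cd (checking disabled) to tell a DNSSEC validation failure apart from other resolver failures, and reads the dnssec-validation setting out of a named.conf fed on stdin. It assumes dig and sed are available on the client; the hostnames and addresses in the comments are the ones from the thread.

```shell
#!/bin/sh
# Added diagnostic (example only, not from the thread). A SERVFAIL that turns
# into NOERROR once validation is bypassed with +cd means the resolver could
# resolve the name but refused to validate the answer.

# dig_status: print the status field (NOERROR, SERVFAIL, ...) of dig output on stdin
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# classify_lookup NORMAL_STATUS CD_STATUS
classify_lookup() {
    case "$1/$2" in
        SERVFAIL/NOERROR) echo "dnssec-validation-failure" ;;
        SERVFAIL/*)       echo "resolver-failure" ;;
        NOERROR/*)        echo "ok" ;;
        NXDOMAIN/*)       echo "nxdomain" ;;
        *)                echo "unknown" ;;
    esac
}

# named_conf_validation: print the value of the first dnssec-validation
# statement in a named.conf read from stdin (prints nothing if absent)
named_conf_validation() {
    sed -n 's/^[[:space:]]*dnssec-validation[[:space:]][[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' | head -n 1
}

# diagnose NAME SERVER: live check, needs dig and network access.
# Assumed invocation on the client: diagnose server.estudio.local 192.168.56.2
diagnose() {
    normal=$(dig @"$2" "$1" A | dig_status)
    cd_only=$(dig @"$2" "$1" A +cd | dig_status)
    classify_lookup "$normal" "$cd_only"
}
```

Run `named_conf_validation < /etc/named.conf` on the server to see the current setting, and `diagnose` on the client to classify the SERVFAIL.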

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
