Hello,

Well, it depends on what exactly you did and what helped. I see Alexander gave you some hints about mDNS.


If it was a DNSSEC error, you should see validation error messages in journalctl -u named-pkcs11 before you disabled DNSSEC validation.

Martin^2

On 02/02/15 16:34, Gerardo Cuppari wrote:
Hi Martin, thanks for your replies!

Please, don't tell me I am getting all these errors because of the ".local" domain! If so, I will surely kill someone haha

I checked /etc/named.conf and changed to "no" dnssec-validation and here is what you requested:

[root@pc01 ~]# dig server.estudio.local

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local.  IN      A

;; ANSWER SECTION:
server.estudio.local.   1200  IN      A       192.168.56.2

;; AUTHORITY SECTION:
estudio.local.          86400 IN      NS      server.estudio.local.

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:29:17 ART 2015
;; MSG SIZE  rcvd: 79

******************************************

[root@pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr 2.56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN     PTR     server.estudio.local.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 86400  IN      NS      server.estudio.local.

;; ADDITIONAL SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:34:27 ART 2015
;; MSG SIZE  rcvd: 118


2015-02-02 12:17 GMT-03:00 Martin Basti <mba...@redhat.com>:

    On 02/02/15 16:07, Martin Basti wrote:
    On 02/02/15 14:13, Gerardo Cuppari wrote:
    Hello! I am trying to enroll one host to my IPA server (4.1.2)
    and I am having one problem: the ipa-client-install script keeps
    giving me errors at the "forwarding ping to json server" step.

    My configuration is:
    - server.estudio.local  192.168.56.2    Fedora Server 21       ipa 4.1.2
    - pc01.estudio.local    192.168.56.106  Fedora Workstation 21

    Both have firewalld down (just to test) and can reach each
    other. I've been trying to get this working without success
    (solved other minor issues) and so I'm asking for your help.
    The only way I can make it work is by adding the --force switch
    to ipa-client-install script but, that way, it just disregards
    errors.

    Thanks in advance!!!

    Here are my tests:

    SERVER
    ======
    [root@server ~]# ipa ping
    -------------------------------------------
    IPA server version 4.1.2. API version 2.109
    -------------------------------------------

    CLIENT
    ======
    [root@pc01 ~]# dig server

    ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;server.                                IN      A

    ;; Query time: 10 msec
    ;; SERVER: 192.168.56.2#53(192.168.56.2)
    ;; WHEN: lun feb 02 09:51:07 ART 2015
    ;; MSG SIZE  rcvd: 35

    ***********************************************

    [root@pc01 ~]# nslookup server
    Server:         192.168.56.2
    Address:        192.168.56.2#53

    Name:   server.estudio.local
    Address: 192.168.56.2

    ***********************************************

    Here I disable chronyd so I can run the script without NTP sync
    errors:

    [root@pc01 ~]# systemctl disable chronyd
    Removed symlink
    /etc/systemd/system/multi-user.target.wants/chronyd.service.
    [root@pc01 ~]# service chronyd stop
    Redirecting to /bin/systemctl stop  chronyd.service

    ***********************************************

    Without having "server.estudio.local" on /etc/hosts file:

    [root@pc01 ~]# ipa-client-install --enable-dns-updates
    --mkhomedir --ssh-trust-dns
    Skip server.estudio.local: cannot verify if this is an IPA server
    Provide your IPA server name (ex: ipa.example.com):
    Skip server.estudio.local: cannot verify if this is an IPA server
    Failed to verify that server.estudio.local is an IPA Server.
    This may mean that the remote server is not up or is not
    reachable due to network or firewall settings.
    Please make sure the following ports are opened in the firewall
    settings:
       TCP: 80, 88, 389
       UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
    Also note that following ports are necessary for ipa-client
    working properly after enrollment:
       TCP: 464
       UDP: 464, 123 (if NTP enabled)
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.


    ***********************************************

    Here I added hostname and IP address to /etc/hosts file (don't
    know why it doesn't work without it):

    [root@pc01 ~]# ipa-client-install --enable-dns-updates
    --mkhomedir --ssh-trust-dns
    Discovery was successful!
    Hostname: pc01.estudio.local
    Realm: ESTUDIO.LOCAL
    DNS Domain: estudio.local
    IPA Server: server.estudio.local
    BaseDN: dc=estudio,dc=local

    Continue to configure the system with these values? [no]: yes
    Synchronizing time with KDC...
    User authorized to enroll computers: admin
    Password for admin@ESTUDIO.LOCAL:
    Successfully retrieved CA cert
      Subject:     CN=Certificate Authority,O=ESTUDIO.LOCAL
      Issuer:      CN=Certificate Authority,O=ESTUDIO.LOCAL
      Valid From:  Fri Jan 30 12:02:01 2015 UTC
      Valid Until: Tue Jan 30 12:02:01 2035 UTC

    Enrolled in IPA realm ESTUDIO.LOCAL
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
    trying https://server.estudio.local/ipa/json
    Forwarding 'ping' to json server
    'https://server.estudio.local/ipa/json'
    Cannot connect to the server due to Kerberos error: Kerberos
    error: ('Unspecified GSS failure.  Minor code may provide more
    information', 851968)/("Cannot contact any KDC for realm
    'ESTUDIO.LOCAL'", -1765328228). Trying with delegate=True
    trying https://server.estudio.local/ipa/json
    Forwarding 'ping' to json server
    'https://server.estudio.local/ipa/json'
    Second connect with delegate=True also failed: Kerberos error:
    ('Unspecified GSS failure.  Minor code may provide more
    information', 851968)/("Cannot contact any KDC for realm
    'ESTUDIO.LOCAL'", -1765328228)
    Cannot connect to the IPA server RPC interface: Kerberos error:
    ('Unspecified GSS failure.  Minor code may provide more
    information', 851968)/("Cannot contact any KDC for realm
    'ESTUDIO.LOCAL'", -1765328228)
    Installation failed. Rolling back changes.
    Failed to list certificates in /etc/ipa/nssdb: Command
    ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned
    non-zero exit status 255
    Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el
    fichero o el directorio: '/etc/ipa/nssdb/cert8.db'
    Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el
    fichero o el directorio: '/etc/ipa/nssdb/key3.db'
    Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe
    el fichero o el directorio: '/etc/ipa/nssdb/secmod.db'
    Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe
    el fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
    Unenrolling client from IPA server
    Unenrolling host failed: Error getting default Kerberos realm:
    host/domain name not found.

    Removing Kerberos service principals from /etc/krb5.keytab
    Disabling client Kerberos and LDAP configurations
    Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
    to /etc/sssd/sssd.conf.deleted
    Restoring client configuration files
    nscd daemon is not installed, skip configuration
    nslcd daemon is not installed, skip configuration
    Client uninstall complete.

    ***********************************************



    Hello

    dig returns SERVFAIL; it may be the issue.

    You used dig with the wrong name. Please use dig server.estudio.local
    and send the result.


    Can you please check /etc/named.conf on the server, to see if there is
    dnssec-validation yes?
    If yes, please set dnssec-validation to no, because you use the
    domain name .local; it may cause troubles.

    If troubles persist, please send journalctl -u named-pkcs11 log.

    Martin^2

-- Martin Basti




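A pre-enrollment check for the DNS points raised in this thread (the FQDN forward lookup must not SERVFAIL, the A and PTR records must agree, and dnssec-validation in named.conf should be looked at for a .local domain). This is an added example, not code from the thread or from FreeIPA; the dig and named.conf samples are constructed from the output quoted above, and the record values are taken from it.

```python
import re

# Constructed samples, trimmed to the lines the checks need, in the style of
# the dig output and named.conf snippet discussed in the thread.
DIG_FWD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; ANSWER SECTION:
server.estudio.local.   1200  IN      A       192.168.56.2
"""
DIG_REV = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN     PTR     server.estudio.local.
"""
DIG_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286\n"
NAMED_CONF = "options {\n\tdnssec-validation yes;\n};\n"

def parse_dig(text):
    """Return (status, [(owner, rrtype, rdata), ...]) from dig's text output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False          # any other header or a blank line ends the section
        elif in_answer:
            f = line.split()           # owner ttl class type rdata
            records.append((f[0], f[3], " ".join(f[4:])))
    return status, records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_server_dns(fqdn, ip, fwd_out, rev_out):
    """List the DNS problems ipa-client-install would trip over, or [] if none."""
    findings = []
    status, fwd = parse_dig(fwd_out)
    if status != "NOERROR":
        findings.append(f"forward lookup of {fqdn} returned {status}")
    if ip not in [r for n, t, r in fwd if t == "A" and n == fqdn + "."]:
        findings.append(f"no A record {fqdn} -> {ip}")
    status, rev = parse_dig(rev_out)
    if fqdn + "." not in [r for n, t, r in rev if t == "PTR" and n == reverse_name(ip)]:
        findings.append(f"PTR for {ip} does not point back to {fqdn}")
    return findings

def dnssec_validation_on(named_conf):
    """True when named.conf turns validation on ('yes' or 'auto')."""
    m = re.search(r"^\s*dnssec-validation\s+(\w+)\s*;", named_conf, re.M)
    return bool(m) and m.group(1).lower() in ("yes", "auto")
```

Run check_server_dns() on the output of `dig <fqdn>` and `dig -t ptr <reversed-ip>.in-addr.arpa` against the IPA server before enrolling a client; an empty list means the forward and reverse records agree.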
