On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
This should really work like a charm, and I'm sure it is a stupid
mistake of mine if it doesn't, but I really can't find out what goes
Both IPA server and client are on FC21, very up to date.
Server installation (standard, with dns) worked well. Required ports
open in the firewall. Everything seems to work.
I did try to use the IPA server as a DNS (with forwarders) and NTP
server from non-ipa clients, no problem.
I also tried to use it as LDAP server, from a non-fedora machine (a
synology). It worked well and I could see users.
When trying to enroll a client, the enrollment itself seems to
- Unable to sync time with NTP server
- Unable to update DNS
- Unable to find users
I include below the short installation log (I changed the real domain
into hq.example.com), and in attachment, the
full log with debug on.
From the debug log, about the DNS update failure, I can see this:
; Communication with 192.168.0.72#53 failed: operation canceled
could not reach any name server
I'm not sure what communication problem this could be, as the server
(which is both the IPA and the DNS servers), clearly can be reached.
Any idea where to look at?
Do you have the IPA DNS server in the resolv.conf of the client?
[root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
Discovery was successful!
Hostname: meson.hq.example.com
Realm: HQ.EXAMPLE.COM
DNS Domain: hq.example.com
IPA Server: ipa.hq.example.com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
*Unable to sync time with IPA NTP server, assuming the time is in
sync. Please check that 123 UDP port is opened.*
User authorized to enroll computers: admin
Password for ad...@hq.example.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
Issuer: CN=Certificate Authority,O=HQ.EXAMPLE.COM
Valid From: Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC
Enrolled in IPA realm HQ.EXAMPLE.COM
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (meson.hq.example.com) not found in DNS
*Failed to update DNS records.*
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
*Could not update DNS SSHFP records.*
*Unable to find 'admin' user with 'getent passwd ad...@hq.example.com
*Unable to reliably detect configuration. Check NSS setup manually.*
Configuring hq.example.com as NIS domain.
Client configuration complete.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
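The check the reply asks for, written out as an added example that is not from the thread or from FreeIPA itself: it parses the client's resolv.conf, reports whether the IPA DNS server is listed and whether it is first, and optionally repeats the lookups that failed in the log. The address 192.168.0.72 and the domain hq.example.com are taken from the log above; the live part assumes `dig` and `ntpdate` are installed on the client.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): is the IPA DNS server in
# the client's resolv.conf, and first? 192.168.0.72 / hq.example.com come
# from the log above; dig and ntpdate are assumed installed for live_check.

# Print nameserver addresses from a resolv.conf read on stdin, in order.
# Comments (# or ;) are stripped; search/domain/options lines are ignored.
resolv_nameservers() {
    sed -e 's/[#;].*$//' | awk '$1 == "nameserver" { print $2 }'
}

# Rank the IPA DNS address ($1) in the resolv.conf on stdin. Prints one word:
#   first  - it is the first resolver, which is what enrollment needs
#   later  - listed after another resolver; glibc only moves to the next
#            nameserver on timeout or server error, so NXDOMAIN is final
#   absent - not listed: the client's own A/SSHFP records and the
#            _ldap/_kerberos SRV records cannot be resolved from this host
ipa_dns_rank() {
    first=""; found=no
    for ns in $(resolv_nameservers); do
        if [ -z "$first" ]; then first="$ns"; fi
        if [ "$ns" = "$1" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then echo absent
    elif [ "$first" = "$1" ]; then echo first
    else echo later
    fi
}

# Constructed sample resolv.conf (not a real file): a DHCP-supplied router
# resolver sits before the IPA server, the "later" case above.
sample_resolv_conf() {
    cat <<'EOF'
# Generated by NetworkManager
search hq.example.com
nameserver 192.168.0.1   ; home router, knows nothing about the IPA zone
nameserver 192.168.0.72  ; IPA server
EOF
}

# Live checks on this host, mirroring the steps that failed in the log:
# resolver order, the client's own A record, SRV discovery, NTP on UDP/123.
live_check() {            # $1 = IPA DNS address, $2 = IPA DNS domain
    echo "rank of $1 in /etc/resolv.conf: $(ipa_dns_rank "$1" < /etc/resolv.conf)"
    echo "A $(hostname -f): $(dig +short A "$(hostname -f)" "@$1")"
    echo "SRV _ldap._tcp.$2: $(dig +short SRV "_ldap._tcp.$2" "@$1")"
    echo "NTP: $(ntpdate -q "$1" 2>&1 | tail -n 1)"
}

if [ "$#" -eq 2 ]; then live_check "$1" "$2"; fi  # sh ipa-dns-check.sh 192.168.0.72 hq.example.com
```

With no arguments the script only defines the functions, so the parser can be exercised on any captured resolv.conf via `ipa_dns_rank 192.168.0.72 < file`.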