On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
Yes.

[root@meson ~]# cat /etc/resolv.conf
search hq.example.com
nameserver 192.168.0.72

Sorry, from the short log I posted it's not visible, but that IP address is the address of the IPA server (ipa.hq.example.com).

[root@meson ~]# dig ipa.hq.example.com

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa.hq.example.com.            IN      A

;; ANSWER SECTION:
ipa.hq.example.com.     1200    IN      A       192.168.0.72

;; AUTHORITY SECTION:
hq.example.com.         86400   IN      NS      ipa.hq.example.com.

;; Query time: 1 msec
;; SERVER: 192.168.0.72#53(192.168.0.72)
;; WHEN: Thu Mar 19 22:02:04 CET 2015
;; MSG SIZE  rcvd: 83


OK, so you can in fact look up the server.
Have you opened all the required ports for LDAP, Kerberos and the other protocols in the firewall, both UDP and TCP?



On 19 March 2015 at 21:55, Dmitri Pal <d...@redhat.com> wrote:

    On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
    Hi,

    This should really work like a charm, and I'm sure it is a stupid
    mistake of mine if it doesn't, but I really can't find out what
    goes wrong.

    Both IPA server and client are on FC21, very up to date.
    Server installation (standard, with dns) worked well. Required
    ports open in the firewall. Everything seems to work.

    I did try to use the IPA server as a DNS (with forwarders) and
    NTP server from non-ipa clients, no problem.
    I also tried to use it as LDAP server, from a non-fedora machine
    (a synology). It worked well and I could see users.

    When trying to enroll a client, the enrollment itself seems to
    succeed, but:
    - Unable to sync time with NTP server
    - Unable to update DNS
    - Unable to find users

    I include below the short installation log (I changed the real
    domain into hq.example.com), and, as an attachment, the full log
    with debug on.

    From the debug log, about the DNS update failure, I can see this:

      ; Communication with 192.168.0.72#53 failed: operation canceled
      could not reach any name server

    I'm not sure what communication problem this could be, as the
    server (which is both the IPA and the DNS servers), clearly can
    be reached.

    Any idea where to look at?

    Do you have the IPA DNS server in the resolv.conf of the client?




    Thanks,
    Roberto


    [root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
    --force-ntpd --hostname=meson.hq.example.com
    Discovery was successful!
    Hostname: meson.hq.example.com
    Realm: HQ.EXAMPLE.COM
    DNS Domain: hq.example.com
    IPA Server: ipa.hq.example.com
    BaseDN: dc=hq,dc=example,dc=com

    Continue to configure the system with these values? [no]: yes
    Synchronizing time with KDC...
    *Unable to sync time with IPA NTP server, assuming the time is in
    sync. Please check that 123 UDP port is opened.*
    User authorized to enroll computers: admin
    Password for ad...@hq.example.com:
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
        Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
        Valid From:  Mon Mar 16 18:44:35 2015 UTC
        Valid Until: Fri Mar 16 18:44:35 2035 UTC

    Enrolled in IPA realm HQ.EXAMPLE.COM
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
    trying https://ipa.hq.example.com/ipa/json
    Forwarding 'ping' to json server
    'https://ipa.hq.example.com/ipa/json'
    Forwarding 'ca_is_enabled' to json server
    'https://ipa.hq.example.com/ipa/json'
    Systemwide CA database updated.
    Added CA certificates to the default NSS database.
    Hostname (meson.hq.example.com) not found in DNS
    *Failed to update DNS records.*
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Forwarding 'host_mod' to json server
    'https://ipa.hq.example.com/ipa/json'
    *Could not update DNS SSHFP records.*
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    *Unable to find 'admin' user with 'getent passwd ad...@hq.example.com'!*
    *Unable to reliably detect configuration. Check NSS setup manually.*
    NTP enabled
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Configuring hq.example.com as NIS domain.
    Client configuration complete.

    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

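The firewall question raised in the reply above can be answered from the client itself, without waiting for the next enrollment attempt. The script below is an added example for this thread, not FreeIPA code and not something either participant posted. It attempts a TCP handshake to every TCP port FreeIPA documents as required between client and server (HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, DNS) and, for UDP, sends a genuine DNS A query and a genuine NTP client packet and checks the replies, because a UDP send with nothing listening "succeeds" silently. The server address 192.168.0.72 and name ipa.hq.example.com are the ones from the thread and are only defaults; Kerberos and kpasswd over UDP are listed but reported as not probed, since eliciting a reply needs a well-formed request for a real realm.

```python
"""Probe the ports a FreeIPA client must reach on its server (added example)."""
import socket
import struct
import secrets
import sys

# Client-to-server ports FreeIPA documents as required; Kerberos, kpasswd and
# DNS are needed over both TCP and UDP, NTP over UDP only.
IPA_TCP_PORTS = {80: "HTTP", 443: "HTTPS", 389: "LDAP", 636: "LDAPS",
                 88: "Kerberos", 464: "kpasswd", 53: "DNS"}
IPA_UDP_PORTS = {88: "Kerberos", 464: "kpasswd", 53: "DNS", 123: "NTP"}


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_dns_query(name, txid):
    """Minimal RFC 1035 A/IN query for name with a caller-chosen 16-bit ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").encode().split(b".")
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_reply_ok(reply, txid):
    """True if reply is a response (QR=1) to txid with RCODE NOERROR (0)."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0


def probe_dns_udp(host, name, port=53, timeout=3.0):
    """Send a real A query over UDP; a bare UDP send proves nothing by itself."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name, txid), (host, port))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    return dns_reply_ok(reply, txid)


# 48-byte NTP client packet: LI=0, VN=3, Mode=3 (client), everything else zero.
NTP_CLIENT_REQUEST = bytes([0x1B]) + bytes(47)


def ntp_reply_ok(reply):
    """True if reply is a full NTP packet whose mode field says 'server' (4)."""
    return len(reply) >= 48 and (reply[0] & 0x07) == 4


def probe_ntp_udp(host, port=123, timeout=3.0):
    """Ask for time the way an NTP client would and check the reply's mode."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(NTP_CLIENT_REQUEST, (host, port))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    return ntp_reply_ok(reply)


def check_ipa_server(host, dns_name):
    """Return {(proto, port): True/False/None}; None means not actively probed."""
    results = {("tcp", p): probe_tcp(host, p) for p in IPA_TCP_PORTS}
    results[("udp", 53)] = probe_dns_udp(host, dns_name)
    results[("udp", 123)] = probe_ntp_udp(host)
    # Kerberos/kpasswd over UDP need a well-formed AS-REQ for a real realm to
    # elicit a reply, so they are reported as unchecked rather than guessed.
    results[("udp", 88)] = results[("udp", 464)] = None
    return results


if __name__ == "__main__":
    # Defaults are the address and name from the thread; override on the command line.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.72"
    fqdn = sys.argv[2] if len(sys.argv) > 2 else "ipa.hq.example.com"
    for (proto, port), ok in sorted(check_ipa_server(server, fqdn).items()):
        svc = (IPA_TCP_PORTS if proto == "tcp" else IPA_UDP_PORTS)[port]
        state = {True: "open", False: "BLOCKED / no reply", None: "not probed"}[ok]
        print(f"{proto}/{port:<4} {svc:<9} {state}")
```

Run it on the client as `python3 probe.py 192.168.0.72 ipa.hq.example.com`. A result of udp/53 open with tcp/53 or udp/123 blocked matches the pattern in the log above, where `dig` succeeds but the NTP sync fails; the probe covers TCP 53 as well because DNS falls back to TCP for responses that do not fit in a UDP datagram, so a UDP-only DNS rule can pass `dig` and still break other DNS clients.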