ipv6 re-enabled. No luck yet :(

On 20 March 2015 at 17:06, Dmitri Pal <d...@redhat.com> wrote:

> On 03/20/2015 10:56 AM, Roberto Cornacchia wrote:
>
> The zone settings:
>
> $ ipa dnszone-show --all
> Zone name: hq.example.com.
>   dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
>   Zone name: hq.example.com.
>   Active zone: TRUE
>   Authoritative nameserver: ipa.hq.example.com.
>   Administrator e-mail address: hostmaster.hq.example.com.
>   SOA serial: 1426857128
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   nsrecord: ipa.hq.example.com.
>   objectclass: idnszone, top, idnsrecord
>
> The DNS log doesn't mention anything about updates. It does contain some errors about unreachable hosts, but that's because I had a temporary interruption towards the gateway from the ipa server.
>
> One thing I did after installing the IPA server is to turn off support for ipv6, using
>
> $ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
> $ sysctl -p
>
> Do you think it could have any influence?
>
>
> I think it can.
> I have a vague recollection of a bug related to that in some of the packages we depend on, or something like that.
> Can you try enabling it and see if it makes a difference?
>
>
> On 20 March 2015 at 12:31, Martin Basti <mba...@redhat.com> wrote:
>
>> Hello,
>>
>> do you have DNS dynamic updates enabled for hq.example.zone?
>> You can check it in zone settings.
>>
>> Are there any log entries in dns log related to nsupdate executed from a client?
>>
>> $ journalctl -b -u named-pkcs11
>>
>>
>> On 20/03/15 09:53, Roberto Cornacchia wrote:
>>
>> It seems so:
>>
>> $ firewall-cmd --list-all
>> FedoraServer (default, active)
>>   interfaces: em2
>>   sources:
>>   services: cockpit dhcpv6-client ssh
>>   ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
>>   masquerade: no
>>   forward-ports:
>>   icmp-blocks:
>>   rich rules:
>>
>>
>> On 20 March 2015 at 00:53, Dmitri Pal <d...@redhat.com> wrote:
>>
>>> On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>>>
>>> Yes.
>>>
>>> [root@meson ~]# cat /etc/resolv.conf
>>> search hq.example.com
>>> nameserver 192.168.0.72
>>>
>>> Sorry, from the short log I posted it's not visible, but that ip address is the address of the ipa server (ipa.hq.example.com).
>>>
>>> [root@meson ~]# dig ipa.hq.example.com
>>>
>>> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;ipa.hq.example.com.            IN      A
>>>
>>> ;; ANSWER SECTION:
>>> ipa.hq.example.com.     1200    IN      A       192.168.0.72
>>>
>>> ;; AUTHORITY SECTION:
>>> hq.example.com.         86400   IN      NS      ipa.hq.example.com.
>>>
>>> ;; Query time: 1 msec
>>> ;; SERVER: 192.168.0.72#53(192.168.0.72)
>>> ;; WHEN: do mrt 19 22:02:04 CET 2015
>>> ;; MSG SIZE  rcvd: 83
>>>
>>>
>>> OK so you can in fact look up the server.
>>> Have you opened all required ports for ldap and kerberos and other protocols in the firewall, both UDP and TCP?
>>>
>>>
>>> On 19 March 2015 at 21:55, Dmitri Pal <d...@redhat.com> wrote:
>>>
>>>> On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>>>
>>>> Hi,
>>>>
>>>> This should really work like a charm, and I'm sure it is a stupid mistake of mine if it doesn't, but I really can't find out what goes wrong.
>>>>
>>>> Both IPA server and client are on FC21, very up to date.
>>>> Server installation (standard, with dns) worked well. Required ports open in the firewall. Everything seems to work.
>>>>
>>>> I did try to use the IPA server as a DNS (with forwarders) and NTP server from non-ipa clients, no problem.
>>>> I also tried to use it as LDAP server, from a non-fedora machine (a synology). It worked well and I could see users.
>>>>
>>>> When trying to enroll a client, the enrollment itself seems to succeed, but:
>>>> - Unable to sync time with NTP server
>>>> - Unable to update DNS
>>>> - Unable to find users
>>>>
>>>> I include below the short installation log (I changed the real domain into hq.example.com), and in attachment, the full log with debug on.
>>>>
>>>> From the debug log, about the DNS update failure, I can see this:
>>>>
>>>> ; Communication with 192.168.0.72#53 failed: operation canceled
>>>> could not reach any name server
>>>>
>>>> I'm not sure what communication problem this could be, as the server (which is both the IPA and the DNS server) can clearly be reached.
>>>>
>>>> Any idea where to look?
>>>>
>>>>
>>>> Do you have the IPA DNS server in the resolv.conf of the client?
>>>>
>>>>
>>>> Thanks,
>>>> Roberto
>>>>
>>>>
>>>> [root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd --hostname=meson.hq.example.com
>>>> Discovery was successful!
>>>>   Hostname:       meson.hq.example.com
>>>>   Realm:          HQ.EXAMPLE.COM
>>>>   DNS Domain:     hq.example.com
>>>>   IPA Server:     ipa.hq.example.com
>>>>   BaseDN:         dc=hq,dc=example,dc=com
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> Synchronizing time with KDC...
>>>> *Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Please check that 123 UDP port is opened.*
>>>> User authorized to enroll computers: admin
>>>> Password for ad...@hq.example.com:
>>>> Successfully retrieved CA cert
>>>>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>>>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>>
>>>> Enrolled in IPA realm HQ.EXAMPLE.COM
>>>> Created /etc/ipa/default.conf
>>>> New SSSD config will be created
>>>> Configured sudoers in /etc/nsswitch.conf
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>>> trying https://ipa.hq.example.com/ipa/json
>>>> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> Systemwide CA database updated.
>>>> Added CA certificates to the default NSS database.
>>>> Hostname (meson.hq.example.com) not found in DNS
>>>> *Failed to update DNS records.*
>>>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>>> Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> *Could not update DNS SSHFP records.*
>>>> SSSD enabled
>>>> Configured /etc/openldap/ldap.conf
>>>> *Unable to find 'admin' user with 'getent passwd ad...@hq.example.com <ad...@hq.example.com>'!*
>>>> *Unable to reliably detect configuration. Check NSS setup manually.*
>>>> NTP enabled
>>>> Configured /etc/ssh/ssh_config
>>>> Configured /etc/ssh/sshd_config
>>>> Configuring hq.example.com as NIS domain.
>>>> Client configuration complete.
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr.
>>>> Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>
>>
>> --
>> Martin Basti
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
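As an added example (not from the thread or the FreeIPA project), the following POSIX sh script mechanises the two checks asked for above: whether the port list from firewall-cmd --list-all covers the ports the FreeIPA documentation requires for a server with integrated DNS and NTP (TCP and UDP), and whether ipa dnszone-show reports the zone as dynamic-update enabled. It assumes the ports are exposed as explicit port entries rather than firewalld service names; the sample input is constructed from the output quoted in the thread, not captured live.

```shell
#!/bin/sh
# Constructed sample: a trimmed copy of the firewall-cmd --list-all output
# quoted in the thread (not captured from a live host).
SAMPLE_FIREWALL='FedoraServer (default, active)
  interfaces: em2
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
  masquerade: no'

# Ports the FreeIPA documentation lists for a server with integrated DNS
# and NTP. Assumption: they are opened as explicit port entries, so a
# firewalld service definition covering them would not be recognised here.
IPA_REQUIRED='80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp'

# parse_ports: read firewall-cmd --list-all output on stdin and print the
# space-separated list from its "ports:" line.
parse_ports() {
    sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' | head -n 1
}

# missing_ports "<open ports>": print the required ports that are absent.
# Matching is done on whole "port/proto" tokens, so 53/udp does not
# satisfy 53/tcp.
missing_ports() {
    open=" $1 "
    out=''
    for p in $IPA_REQUIRED; do
        case "$open" in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# zone_dynamic_update: read `ipa dnszone-show --all` output on stdin and
# succeed only when the zone reports "Dynamic update: TRUE".
zone_dynamic_update() {
    grep -qi '^[[:space:]]*Dynamic update:[[:space:]]*TRUE[[:space:]]*$'
}

# Run the firewall check against the constructed sample.
ports=$(printf '%s\n' "$SAMPLE_FIREWALL" | parse_ports)
missing=$(missing_ports "$ports")
if [ -n "$missing" ]; then
    echo "required IPA ports not in the open list: $missing"
else
    echo "all required IPA ports are open"
fi
```

On the constructed sample the script reports 53/tcp as the only documented port missing from the quoted list; whether that is related to the nsupdate failure is not something the thread establishes.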