ipv6 re-enabled. No luck yet :(

On 20 March 2015 at 17:06, Dmitri Pal <d...@redhat.com> wrote:

>  On 03/20/2015 10:56 AM, Roberto Cornacchia wrote:
>
>  The zone settings:
>
>  $ ipa dnszone-show --all
> Zone name: hq.example.com.
>   dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
>   Zone name: hq.example.com.
>   Active zone: TRUE
>   Authoritative nameserver: ipa.hq.example.com.
>   Administrator e-mail address: hostmaster.hq.example.com.
>   SOA serial: 1426857128
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
> krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   nsrecord: ipa.hq.example.com.
>   objectclass: idnszone, top, idnsrecord
>
>   The DNS log doesn't mention anything about updates. It does contain
> some errors about unreachable hosts, but that's because I had a temporary
> interruption towards the gateway from the ipa server.
>
>  One thing I did after installing the IPA server is to turn off support
> for ipv6, using
> $ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
> $ sysctl -p
>
>  Do you think it could have any influence?
>
>
> I think it can.
> I have a vague recollection of a bug related to that in some of the
> packages we depend on, or something like that.
> Can you try enabling it and see if it makes a difference?
>
>
>
>
>  On 20 March 2015 at 12:31, Martin Basti <mba...@redhat.com> wrote:
>
>>  Hello,
>>
>> have you enabled DNS dynamic updates for hq.example.zone?
>> You can check it in the zone settings.
>>
>> Are there any log entries in the DNS log related to nsupdate executed from a
>> client?
>> $ journalctl -b -u named-pkcs11
>>
>>
>> On 20/03/15 09:53, Roberto Cornacchia wrote:
>>
>>  It seems so:
>>
>>  $ firewall-cmd --list-all
>> FedoraServer (default, active)
>>   interfaces: em2
>>   sources:
>>   services: cockpit dhcpv6-client ssh
>>   ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp
>> 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp
>> 9445/tcp 8011/tcp 53/udp 8082/tcp
>>   masquerade: no
>>   forward-ports:
>>   icmp-blocks:
>>   rich rules:
>>
>>
>> On 20 March 2015 at 00:53, Dmitri Pal <d...@redhat.com> wrote:
>>
>>>  On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>>>
>>>  Yes.
>>>
>>>  [root@meson ~]# cat /etc/resolv.conf
>>> search hq.example.com
>>> nameserver 192.168.0.72
>>>
>>>  Sorry, from the short log I posted it's not visible, but that IP
>>> address is the address of the IPA server (ipa.hq.example.com).
>>>
>>>  [root@meson ~]# dig ipa.hq.example.com
>>>
>>>  ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>>  ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;ipa.hq.example.com. IN A
>>>
>>>  ;; ANSWER SECTION:
>>> ipa.hq.example.com. 1200 IN A 192.168.0.72
>>>
>>>  ;; AUTHORITY SECTION:
>>> hq.example.com. 86400 IN NS ipa.hq.example.com.
>>>
>>>  ;; Query time: 1 msec
>>> ;; SERVER: 192.168.0.72#53(192.168.0.72)
>>> ;; WHEN: do mrt 19 22:02:04 CET 2015
>>> ;; MSG SIZE  rcvd: 83
>>>
>>>
>>>
>>>  OK, so you can in fact look up the server.
>>> Have you opened all required ports for LDAP, Kerberos and the other
>>> protocols in the firewall, both UDP and TCP?
>>>
>>>
>>>
>>>
>>> On 19 March 2015 at 21:55, Dmitri Pal <d...@redhat.com> wrote:
>>>
>>>>  On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>>>
>>>>  Hi,
>>>>
>>>>  This should really work like a charm, and I'm sure it is a stupid
>>>> mistake of mine if it doesn't, but I really can't find out what goes wrong.
>>>>
>>>>  Both IPA server and client are on FC21, very up to date.
>>>> Server installation (standard, with dns) worked well. Required ports
>>>> open in the firewall. Everything seems to work.
>>>>
>>>>  I did try to use the IPA server as a DNS (with forwarders) and NTP
>>>> server from non-ipa clients, no problem.
>>>> I also tried to use it as LDAP server, from a non-fedora machine (a
>>>> synology). It worked well and I could see users.
>>>>
>>>>  When trying to enroll a client, the enrollment itself seems to
>>>> succeed, but:
>>>> - Unable to sync time with NTP server
>>>> - Unable to update DNS
>>>> - Unable to find users
>>>>
>>>>  I include below the short installation log (I changed the real domain
>>>> into hq.example.com), and in attachment, the full log with debug on.
>>>>
>>>>  From the debug log, about the DNS update failure, I can see this:
>>>>
>>>>    ; Communication with 192.168.0.72#53 failed: operation canceled
>>>>   could not reach any name server
>>>>
>>>>  I'm not sure what communication problem this could be, as the server
>>>> (which is both the IPA and the DNS server) can clearly be reached.
>>>>
>>>>  Any idea where to look?
>>>>
>>>>
>>>>  Do you have the IPA DNS server in the resolv.conf of the client?
>>>>
>>>>
>>>>
>>>>
>>>>  Thanks,
>>>> Roberto
>>>>
>>>>
>>>>  [root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
>>>> --force-ntpd --hostname=meson.hq.example.com
>>>> Discovery was successful!
>>>> Hostname: meson.hq.example.com
>>>> Realm: HQ.EXAMPLE.COM
>>>> DNS Domain: hq.example.com
>>>> IPA Server: ipa.hq.example.com
>>>> BaseDN: dc=hq,dc=example,dc=com
>>>>
>>>>  Continue to configure the system with these values? [no]: yes
>>>> Synchronizing time with KDC...
>>>> *Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Please check that 123 UDP port is opened.*
>>>> User authorized to enroll computers: admin
>>>> Password for ad...@hq.example.com:
>>>> Successfully retrieved CA cert
>>>>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>>>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>>
>>>>  Enrolled in IPA realm HQ.EXAMPLE.COM
>>>> Created /etc/ipa/default.conf
>>>> New SSSD config will be created
>>>> Configured sudoers in /etc/nsswitch.conf
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>>> trying https://ipa.hq.example.com/ipa/json
>>>> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>>>> Forwarding 'ca_is_enabled' to json server '
>>>> https://ipa.hq.example.com/ipa/json'
>>>> Systemwide CA database updated.
>>>> Added CA certificates to the default NSS database.
>>>> Hostname (meson.hq.example.com) not found in DNS
>>>> *Failed to update DNS records.*
>>>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>>> Forwarding 'host_mod' to json server '
>>>> https://ipa.hq.example.com/ipa/json'
>>>> *Could not update DNS SSHFP records.*
>>>> SSSD enabled
>>>> Configured /etc/openldap/ldap.conf
>>>> *Unable to find 'admin' user with 'getent passwd ad...@hq.example.com
>>>> <ad...@hq.example.com>'!*
>>>> *Unable to reliably detect configuration. Check NSS setup manually.*
>>>> NTP enabled
>>>> Configured /etc/ssh/ssh_config
>>>> Configured /etc/ssh/sshd_config
>>>> Configuring hq.example.com as NIS domain.
>>>> Client configuration complete.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>   --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>   --
>> Martin Basti
>>
>>
>
>
>
>
>
>
>
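An added check, not part of the thread above: it takes the `firewall-cmd --list-all` dump Roberto posted (embedded here as constructed input) and compares its `ports:` line against the ports FreeIPA's installation documentation lists for client traffic (HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, DNS over TCP and UDP, NTP). The required-port list is my assumption of the documented set; the function names are mine.

```shell
#!/bin/sh
# Constructed input: the firewall-cmd dump as posted in the thread,
# with the wrapped "ports:" line joined back into one line.
FW_DUMP='FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Ports FreeIPA documents for clients reaching the server (assumed list):
# HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, DNS (TCP and UDP), NTP.
IPA_REQUIRED="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# ports_from_dump DUMP -> the space-separated value of the "ports:" line
ports_from_dump() {
    printf '%s\n' "$1" | sed -n 's/^ *ports: *//p'
}

# missing_ports OPEN REQUIRED -> prints each REQUIRED entry absent from OPEN
missing_ports() {
    open=" $1 "
    for p in $2; do
        case "$open" in
            *" $p "*) ;;              # present in the open set
            *) printf '%s\n' "$p" ;;  # not opened in this zone
        esac
    done
}

# check_firewall_dump DUMP -> returns 1 and lists the gaps if any
# documented IPA port is not open in the active zone, 0 otherwise.
check_firewall_dump() {
    missing=$(missing_ports "$(ports_from_dump "$1")" "$IPA_REQUIRED")
    if [ -n "$missing" ]; then
        printf 'not open in active zone: %s\n' "$missing"
        return 1
    fi
    echo "all documented IPA client ports are open"
    return 0
}
```

Run against the posted dump it reports 53/tcp as not open: DNS over TCP is on the documented list and is absent from the zone's port list, while 53/udp is present.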