On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
But the ipa server itself is also enrolled as a client, just after the server installation, right?. And that worked fine.


Are these VMs?
There have been a similar case when the network was not set properly for the virtual test environment.


On 20 March 2015 at 18:55, Roberto Cornacchia <roberto.cornacc...@gmail.com <mailto:roberto.cornacc...@gmail.com>> wrote:

    No, sorry about the confusion, i shouldn't have posted so quickly.

    When I use the correct domain (hq.example.com
    <http://hq.example.com>), then I really get all the same errors as
    before, also in the new client.



    On 20 Mar 2015 18:39, "Dmitri Pal" <d...@redhat.com
    <mailto:d...@redhat.com>> wrote:

        On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
        Oops. Not true, forget last email.

        This secon client installation went different just because it
        took the wrong domain.
        It used *example.com <http://example.com>* (what was
        previously set) instead of *hq.example.com
        <http://hq.example.com>*

        Uninstalled, tried again with
        --hostname=photon.hq.example.com <http://photon.hq.example.com>
        And then it behaves precisely like the previous client.

        So something seems wrong in the server.

        On 20 March 2015 at 18:18, Roberto Cornacchia
        <roberto.cornacc...@gmail.com
        <mailto:roberto.cornacc...@gmail.com>> wrote:

            Update:
            I tried from another client. Also FC21, same network,
            same settings from the same DHCP.
            But obviously it must have something different because it
            partially succeeded.

            - I do not get errors about LDAP users.
            - I do not get errors about DNS update

            However:
            - I still get the initial error about NTP
            - The host is enrolled, but not added to the DNS zone

            Now, I don't care much about the previous client. It was
            pretty much empty and can re-install Fedora from scratch.

            But I'd like to understand if this is still a problem.
            It should be added to the zone, shouldn't it?

            $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
            Discovery was successful!
            Hostname: photon.example.com <http://photon.example.com>
            Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
            DNS Domain: hq.example.com <http://hq.example.com>
            IPA Server: ipa.hq.example.com <http://ipa.hq.example.com>
            BaseDN: dc=hq,dc=example,dc=com

            Continue to configure the system with these values? [no]: yes
            Synchronizing time with KDC...
            *Unable to sync time with IPA NTP server, assuming the
            time is in sync. Please check that 123 UDP port is opened.*
            User authorized to enroll computers: admin
            Password for ad...@hq.example.com
            <mailto:ad...@hq.example.com>:
            Successfully retrieved CA cert
                Subject:     CN=Certificate
            Authority,O=HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
                Issuer:    CN=Certificate Authority,O=HQ.EXAMPLE.COM
            <http://HQ.EXAMPLE.COM>
                Valid From:  Mon Mar 16 18:44:35 2015 UTC
                Valid Until: Fri Mar 16 18:44:35 2035 UTC

            Enrolled in IPA realm HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
            Created /etc/ipa/default.conf
            New SSSD config will be created
            Configured sudoers in /etc/nsswitch.conf
            Configured /etc/sssd/sssd.conf
            Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
            <http://HQ.EXAMPLE.COM>
            trying https://ipa.hq.example.com/ipa/json
            Forwarding 'ping' to json server
            'https://ipa.hq.example.com/ipa/json'
            Forwarding 'ca_is_enabled' to json server
            'https://ipa.hq.example.com/ipa/json'
            Systemwide CA database updated.
            Added CA certificates to the default NSS database.
            Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
            Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
            Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
            Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
            Forwarding 'host_mod' to json server
            'https://ipa.hq.example.com/ipa/json'
            *Could not update DNS SSHFP records.*
            SSSD enabled
            Configured /etc/openldap/ldap.conf
            NTP enabled
            Configured /etc/ssh/ssh_config
            Configured /etc/ssh/sshd_config
            Configuring hq.example.com <http://hq.example.com> as NIS
            domain.
            Client configuration complete.





        It is different. It does not have the same failure about admin
        as you had in the first email.
        So may be it is the permissions issue and a separate NTP issue?
        Did you play with any permissions on the server side?


-- Thank you,
        Dmitri Pal

        Sr. Engineering Manager IdM portfolio
        Red Hat, Inc.


        --
        Manage your subscription for the Freeipa-users mailing list:
        https://www.redhat.com/mailman/listinfo/freeipa-users
        Go to http://freeipa.org for more info on the project






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to