On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:
No, all real machines.
I'm really sorry it's taking so much of your time.
I had tried almost everything on a VM setting first, and everything
was fine.
Everything always works fine, until you actually need it.
We try to help as much as we can.
Can you do LDAP lookups as a directory manager from client host to server?
Can you ssh from client to server?
When you try to install client is there anything in the logs on the
server? Does it even get there?
On 20 March 2015 at 19:41, Dmitri Pal <[email protected]
<mailto:[email protected]>> wrote:
On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
But the ipa server itself is also enrolled as a client, just
after the server installation, right?. And that worked fine.
Are these VMs?
There have been a similar case when the network was not set
properly for the virtual test environment.
On 20 March 2015 at 18:55, Roberto Cornacchia
<[email protected]
<mailto:[email protected]>> wrote:
No, sorry about the confusion, i shouldn't have posted so
quickly.
When I use the correct domain (hq.example.com
<http://hq.example.com>), then I really get all the same
errors as before, also in the new client.
On 20 Mar 2015 18:39, "Dmitri Pal" <[email protected]
<mailto:[email protected]>> wrote:
On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
Oops. Not true, forget last email.
This secon client installation went different just
because it took the wrong domain.
It used *example.com <http://example.com>* (what was
previously set) instead of *hq.example.com
<http://hq.example.com>*
Uninstalled, tried again with
--hostname=photon.hq.example.com
<http://photon.hq.example.com>
And then it behaves precisely like the previous client.
So something seems wrong in the server.
On 20 March 2015 at 18:18, Roberto Cornacchia
<[email protected]
<mailto:[email protected]>> wrote:
Update:
I tried from another client. Also FC21, same
network, same settings from the same DHCP.
But obviously it must have something different
because it partially succeeded.
- I do not get errors about LDAP users.
- I do not get errors about DNS update
However:
- I still get the initial error about NTP
- The host is enrolled, but not added to the DNS zone
Now, I don't care much about the previous client. It
was pretty much empty and can re-install Fedora from
scratch.
But I'd like to understand if this is still a problem.
It should be added to the zone, shouldn't it?
$ ipa-client-install --mkhomedir --ssh-trust-dns
--force-ntpd
Discovery was successful!
Hostname: photon.example.com <http://photon.example.com>
Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
DNS Domain: hq.example.com <http://hq.example.com>
IPA Server: ipa.hq.example.com
<http://ipa.hq.example.com>
BaseDN: dc=hq,dc=example,dc=com
Continue to configure the system with these values?
[no]: yes
Synchronizing time with KDC...
*Unable to sync time with IPA NTP server, assuming
the time is in sync. Please check that 123 UDP port
is opened.*
User authorized to enroll computers: admin
Password for [email protected]
<mailto:[email protected]>:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
Issuer: CN=Certificate Authority,O=HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
Valid From: Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC
Enrolled in IPA realm HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm
HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
trying https://ipa.hq.example.com/ipa/json
Forwarding 'ping' to json server
'https://ipa.hq.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server
'https://ipa.hq.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from
/etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from
/etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server
'https://ipa.hq.example.com/ipa/json'
*Could not update DNS SSHFP records.*
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring hq.example.com <http://hq.example.com>
as NIS domain.
Client configuration complete.
It is different. It does not have the same failure about
admin as you had in the first email.
So may be it is the permissions issue and a separate NTP
issue?
Did you play with any permissions on the server side?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
