On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:
Two log files in attachment (the other files in /var/log/sssd are all empty).


I'll also go through the troubleshooting page again, thanks


Do the logs include an id call for admin?
I do not see any instance of the word "admin" in the log.


On 20 March 2015 at 23:03, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>> wrote:

    On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:
    SSSD logs are empty so far.

    This is wrong.

    Isn't sssd.conf written by ipa-client-install?

    Yes

    If I raise the debug level after client installation,

    (and restart)

    what activities do you suggest to attempt from the client?
    the ones that fail. getent call that returns nothing.
    Also try 'id'.

    http://www.freeipa.org/page/Troubleshooting#Client_Installation
    https://fedorahosted.org/sssd/wiki/Troubleshooting



    On 20 March 2015 at 22:37, Dmitri Pal <d...@redhat.com
    <mailto:d...@redhat.com>> wrote:

        On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:
        It certainly gets there, because the client gets in fact
        enrolled as a domain host. I can see it from the UI in
        Identity / Hosts. But not in the DNS zone.

        *Before ipa-client-install, all these do work: *

        $ ssh ipa.hq.example.com <http://ipa.hq.example.com>
        $ ntpdate ipa.hq.example.com <http://ipa.hq.example.com>
        $ ldapsearch -x -h ipa.hq.example.com
        <http://ipa.hq.example.com> -b dc=hq,dc=example,dc=com uid=admin


        *After running ipa-client-install, all these do work:*

        $ kinit admin
        Password for ad...@hq.example.com <mailto:ad...@hq.example.com>:
        $ ipa dnszone-show --all
        [...]
        $ ntpq -p
             remote       refid      st t when poll reach   delay
        offset  jitter
        
==============================================================================
*ipa.hq.example. 131.155.140.130 3 u 19 64 1 0.415 -0.006 0.000
         LOCAL(0)  .LOCL.           5 l    -   64    0    0.000
         0.000   0.000

        *But this does NOT work:*
        $ getent passwd ad...@hq.example.com
        <mailto:ad...@hq.example.com>

        What do SSSD logs show on the client?
        Please rise the SSSD debug_level and provide SSSD logs.


        *On the server, in /var/log/krb5kdc.log, I see many of these:*

        Mar 20 21:53:17 ipa.hq.example.com
        <http://ipa.hq.example.com> krb5kdc[9229](info): AS_REQ (6
        etypes {18 17 16 23 25 26}) 192.168.0.207
        <http://192.168.0.207>: NEEDED_PREAUTH: ad...@hq.example.com
        <mailto:ad...@hq.example.com> for
        krbtgt/hq.example....@hq.example.com
        <mailto:c...@hq.example.com>, Additional pre-authentication
        required
        Mar 20 21:53:17 ipa.hq.example.com
        <http://ipa.hq.example.com> krb5kdc[9229](info): AS_REQ (6
        etypes {18 17 16 23 25 26}) 192.168.0.207
        <http://192.168.0.207>: ISSUE: authtime 1426884797, etypes
        {rep=18 tkt=18 ses=18}, ad...@hq.example.com
        <mailto:ad...@hq.example.com> for
        krbtgt/hq.example....@hq.example.com
        <mailto:hq.example....@hq.example.com>

        This is not an error. It is a normal user authentication.
        OK so it is DNS that is not working. Is DNS server running on
        the server?
        What do Bind logs show?



        192.168.0.207 is the IP of the client I'm trying to install.
        However, higher up in the log, I also see such errors for
        the ipa server itself.

        On 20 March 2015 at 20:24, Dmitri Pal <d...@redhat.com
        <mailto:d...@redhat.com>> wrote:

            On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:
            No, all real machines.

            I'm really sorry it's taking so much of your time.
            I had tried almost everything on a VM setting first,
            and everything was fine.
            Everything always works fine, until you actually need it.


            We try to help as much as we can.
            Can you do LDAP lookups as a directory manager from
            client host to server?
            Can you ssh from client to server?

            When you try to install client is there anything in the
            logs on the server? Does it even get there?






            On 20 March 2015 at 19:41, Dmitri Pal <d...@redhat.com
            <mailto:d...@redhat.com>> wrote:

                On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
                But the ipa server itself is also enrolled as a
                client, just after the server installation,
                right?. And that worked fine.

                Are these VMs?
                There have been a similar case when the network was
                not set properly for the virtual test environment.



                On 20 March 2015 at 18:55, Roberto Cornacchia
                <roberto.cornacc...@gmail.com
                <mailto:roberto.cornacc...@gmail.com>> wrote:

                    No, sorry about the confusion, i shouldn't
                    have posted so quickly.

                    When I use the correct domain (hq.example.com
                    <http://hq.example.com>), then I really get
                    all the same errors as before, also in the new
                    client.



                    On 20 Mar 2015 18:39, "Dmitri Pal"
                    <d...@redhat.com <mailto:d...@redhat.com>> wrote:

                        On 03/20/2015 01:25 PM, Roberto Cornacchia
                        wrote:
                        Oops. Not true, forget last email.

                        This secon client installation went
                        different just because it took the wrong
                        domain.
                        It used *example.com
                        <http://example.com>* (what was
                        previously set) instead of
                        *hq.example.com <http://hq.example.com>*

                        Uninstalled, tried again with
                        --hostname=photon.hq.example.com
                        <http://photon.hq.example.com>
                        And then it behaves precisely like the
                        previous client.

                        So something seems wrong in the server.

                        On 20 March 2015 at 18:18, Roberto
                        Cornacchia <roberto.cornacc...@gmail.com
                        <mailto:roberto.cornacc...@gmail.com>> wrote:

                            Update:
                            I tried from another client. Also
                            FC21, same network, same settings
                            from the same DHCP.
                            But obviously it must have something
                            different because it partially succeeded.

                            - I do not get errors about LDAP users.
                            - I do not get errors about DNS update

                            However:
                            - I still get the initial error about NTP
                            - The host is enrolled, but not added
                            to the DNS zone

                            Now, I don't care much about the
                            previous client. It was pretty much
                            empty and can re-install Fedora from
                            scratch.

                            But I'd like to understand if this is
                            still a problem.
                            It should be added to the zone,
                            shouldn't it?

                            $ ipa-client-install --mkhomedir
                            --ssh-trust-dns --force-ntpd
                            Discovery was successful!
                            Hostname: photon.example.com
                            <http://photon.example.com>
                            Realm: HQ.EXAMPLE.COM
                            <http://HQ.EXAMPLE.COM>
                            DNS Domain: hq.example.com
                            <http://hq.example.com>
                            IPA Server: ipa.hq.example.com
                            <http://ipa.hq.example.com>
                            BaseDN: dc=hq,dc=example,dc=com

                            Continue to configure the system with
                            these values? [no]: yes
                            Synchronizing time with KDC...
                            *Unable to sync time with IPA NTP
                            server, assuming the time is in sync.
                            Please check that 123 UDP port is
                            opened.*
                            User authorized to enroll computers:
                            admin
                            Password for ad...@hq.example.com
                            <mailto:ad...@hq.example.com>:
                            Successfully retrieved CA cert
                            Subject: CN=Certificate
                            Authority,O=HQ.EXAMPLE.COM
                            <http://HQ.EXAMPLE.COM>
                            Issuer:  CN=Certificate
                            Authority,O=HQ.EXAMPLE.COM
                            <http://HQ.EXAMPLE.COM>
                            Valid From:  Mon Mar 16 18:44:35 2015 UTC
                            Valid Until: Fri Mar 16 18:44:35 2035 UTC

                            Enrolled in IPA realm HQ.EXAMPLE.COM
                            <http://HQ.EXAMPLE.COM>
                            Created /etc/ipa/default.conf
                            New SSSD config will be created
                            Configured sudoers in /etc/nsswitch.conf
                            Configured /etc/sssd/sssd.conf
                            Configured /etc/krb5.conf for IPA
                            realm HQ.EXAMPLE.COM
                            <http://HQ.EXAMPLE.COM>
                            trying
                            https://ipa.hq.example.com/ipa/json
                            Forwarding 'ping' to json server
                            'https://ipa.hq.example.com/ipa/json'
                            Forwarding 'ca_is_enabled' to json
                            server
                            'https://ipa.hq.example.com/ipa/json'
                            Systemwide CA database updated.
                            Added CA certificates to the default
                            NSS database.
                            Adding SSH public key from
                            /etc/ssh/ssh_host_rsa_key.pub
                            Adding SSH public key from
                            /etc/ssh/ssh_host_ed25519_key.pub
                            Adding SSH public key from
                            /etc/ssh/ssh_host_dsa_key.pub
                            Adding SSH public key from
                            /etc/ssh/ssh_host_ecdsa_key.pub
                            Forwarding 'host_mod' to json server
                            'https://ipa.hq.example.com/ipa/json'
                            *Could not update DNS SSHFP records.*
                            SSSD enabled
                            Configured /etc/openldap/ldap.conf
                            NTP enabled
                            Configured /etc/ssh/ssh_config
                            Configured /etc/ssh/sshd_config
                            Configuring hq.example.com
                            <http://hq.example.com> as NIS domain.
                            Client configuration complete.





                        It is different. It does not have the same
                        failure about admin as you had in the
                        first email.
                        So may be it is the permissions issue and
                        a separate NTP issue?
                        Did you play with any permissions on the
                        server side?


-- Thank you,
                        Dmitri Pal

                        Sr. Engineering Manager IdM portfolio
                        Red Hat, Inc.


                        --
                        Manage your subscription for the
                        Freeipa-users mailing list:
                        https://www.redhat.com/mailman/listinfo/freeipa-users
                        Go to http://freeipa.org for more info on
                        the project






-- Thank you,
                Dmitri Pal

                Sr. Engineering Manager IdM portfolio
                Red Hat, Inc.


                --
                Manage your subscription for the Freeipa-users
                mailing list:
                https://www.redhat.com/mailman/listinfo/freeipa-users
                Go to http://freeipa.org for more info on the project






-- Thank you,
            Dmitri Pal

            Sr. Engineering Manager IdM portfolio
            Red Hat, Inc.


            --
            Manage your subscription for the Freeipa-users mailing list:
            https://www.redhat.com/mailman/listinfo/freeipa-users
            Go to http://freeipa.org for more info on the project






-- Thank you,
        Dmitri Pal

        Sr. Engineering Manager IdM portfolio
        Red Hat, Inc.


        --
        Manage your subscription for the Freeipa-users mailing list:
        https://www.redhat.com/mailman/listinfo/freeipa-users
        Go to http://freeipa.org for more info on the project






-- Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to