Dmitri, Rob, Jakub,

I found at least one of the major problems: chronyd.

This is what I get when I use ipa-client-install on a plain FC21 machine,
*without* using --force-ntpd

WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Good, then I abort and run it again with --force-ntpd:

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.

Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it
would take care of stopping and disabling chronyd. But it doesn't. That's
why I get the error above.

If I first stop chronyd manually and run the installation again, then it
does synchronise with NTP.
This was apparently the cause of "id admin" not working (Kerberos failing
without proper NTP sync?).
Now the basic functionalities are all OK.
Also, chronyd is disabled and ntpd is enabled after installation - good.

My nsswitch.conf now looks like this:

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers: files sss

I am left with 2 issues:

1) Is the above expected? Do I have to stop chronyd manually? Or is it a
2) DNS update still does not work

The latest installation log:

$ systemctl stop chronyd
$ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
Discovery was successful!
DNS Domain:
IPA Server:
BaseDN: dc=hq,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: User authorized to enroll computers:
Password for
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
    Valid From:  Mon Mar 16 18:44:35 2015 UTC
    Valid Until: Fri Mar 16 18:44:35 2035 UTC

Enrolled in IPA realm HQ.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
Forwarding 'ping' to json server ''
Forwarding 'ca_is_enabled' to json server '
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname ( not found in DNS
*Failed to update DNS records.*
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Forwarding 'host_mod' to json server ''
*Could not update DNS SSHFP records.*
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring as NIS domain.
Client configuration complete.

$ id admin
uid=1172000000(admin) gid=1172000000(admins) groups=1172000000(admins)

On 22 March 2015 at 21:04, Jakub Hrozek <> wrote:

> On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
> > Thanks Rob.
> >
> > Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
> > although we don't know why that happens yet.
> > I'm not very keen on fixing it post-installation (except if this is just to
> > learn more about the issue), even if this seems to solve problems. I'm not
> > going to deploy freeIPA for real before I can at least run successfully a
> > plain installation.
> Hi,
> I find it a bit unexpected that the client system didn't have
> nsswitch.conf configured. I've never seen the client installation fail
> in this particular way.
> For debugging SSSD issues, we've created a new troubleshooting page
> upstream that should walk you through the config:
> maybe this article would also help:
> But most importantly, I wouldn't expect to see any issues as long as
> you use ipa-client-install. I guess re-enrolling the client would be the
> fastest way forward?
> --
> Manage your subscription for the Freeipa-users mailing list:
> Go to for more info on the project
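The two checks this thread ends up doing by hand (is chronyd still running before enrolling, and did nsswitch.conf actually get its sss entries) as a pre-flight script. This is an added example, not code from the thread or from FreeIPA; it assumes a systemd host with systemctl available, and takes the databases that should list sss from the poster's nsswitch.conf above.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before/after ipa-client-install.
# Assumption: systemd host (systemctl present); sample nsswitch data below is constructed.

# --force-ntpd does not stop chronyd, so the NTP sync step fails while it runs.
# Returns 1 if chronyd is still active or enabled.
check_chronyd() {
    command -v systemctl >/dev/null 2>&1 || { echo "no systemctl; skipping chronyd check"; return 0; }
    if systemctl is-active --quiet chronyd 2>/dev/null || systemctl is-enabled --quiet chronyd 2>/dev/null; then
        echo "chronyd is active or enabled: stop and disable it first (systemctl disable --now chronyd)"
        return 1
    fi
    echo "chronyd is inactive and disabled"
}

# Print the nsswitch.conf databases that should list 'sss' but do not.
# Usage: nsswitch_missing_sss /etc/nsswitch.conf ; returns 1 if any are missing.
nsswitch_missing_sss() {
    file="$1"
    missing=""
    for db in passwd shadow group services netgroup automount sudoers; do
        # Match "<db>:" at line start, then require 'sss' as a whole word on that line.
        if ! grep -E "^[[:space:]]*$db:" "$file" | grep -qE '([[:space:]]|:)sss([[:space:]]|$)'; then
            missing="$missing $db"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: the poster's config with 'sss' dropped from two lines.
sample=$(mktemp)
cat >"$sample" <<'EOF'
passwd:     files sss
shadow:     files
group:      files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
services:   files sss
netgroup:   files
automount:  files sss
sudoers:    files sss
EOF

check_chronyd || true
missing=$(nsswitch_missing_sss "$sample") || echo "databases missing sss: $missing"   # shadow netgroup
rm -f "$sample"
```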