About the DNS update, this is what the debug log has to say:

Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*Reply from SOA query:*
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY
response to SOA query was unsuccessful

Notice that this is *different* from what I got before the chronyd change. Before, there was not even a reply:

Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*could not reach any name server*

On 23 March 2015 at 10:07, Roberto Cornacchia <[email protected]> wrote:
> Dmitri, Rob, Jakub,
>
> I found at least one of the major problems: chronyd.
>
> This is what I get when I use ipa-client-install on a plain FC21 machine, *without* using --force-ntpd
>
> WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
> Use --force-ntpd option to disable it and force configuration of ntpd
>
> Good, then I abort and run it again with --force-ntpd:
>
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
>
> Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it would take care of stopping and disabling chronyd. But it doesn't. That's why I get the error above.
>
> If I first stop chronyd manually and run the installation again, then it does synchronise with NTP.
> This was apparently the cause of "id admin" not working (kerberos failing without proper NTP sync?)
> Now the basic functionalities are all OK.
> Also, chronyd is disabled and ntpd is enabled after installation - good.
>
> My nsswitch.conf now looks like this:
>
> passwd: files sss
> shadow: files sss
> group: files sss
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files sss
> aliases: files nisplus
> sudoers: files sss
>
> I am left with 2 issues:
>
> 1) Is the above expected? Do I have to stop chronyd manually? Or is it a bug?
> 2) DNS update still does not work
>
> The latest installation log:
>
> $ systemctl stop chronyd
> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
> Discovery was successful!
> Hostname: meson.hq.example.com
> Realm: HQ.EXAMPLE.COM
> DNS Domain: hq.example.com
> IPA Server: ipa.hq.example.com
> BaseDN: dc=hq,dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> User authorized to enroll computers: User authorized to enroll computers: admin
> Password for [email protected]:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>
> Enrolled in IPA realm HQ.EXAMPLE.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
> trying https://ipa.hq.example.com/ipa/json
> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
> Systemwide CA database updated.
> Added CA certificates to the default NSS database.
> Hostname (meson.hq.example.com) not found in DNS
> *Failed to update DNS records.*
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
> *Could not update DNS SSHFP records.*
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring hq.example.com as NIS domain.
> Client configuration complete.
>
> $ id admin
> uid=1172000000(admin) gid=1172000000(admins) groups=1172000000(admins)
>
> On 22 March 2015 at 21:04, Jakub Hrozek <[email protected]> wrote:
>
>> On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
>> > Thanks Rob.
>> >
>> > Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet.
>> > I'm not very keen on fixing it post-installation (except if this is just to learn more about the issue), even if this seems to solve problems. I'm not going to deploy freeIPA for real before I can at least run successfully a plain installation.
>>
>> Hi,
>>
>> I find it a bit unexpected that the client system didn't have nsswitch.conf configured. I've never seen the client installation fail in this particular way.
>>
>> For debugging SSSD issues, we've created a new troubleshooting page upstream that should walk you through the config:
>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>> maybe this article would also help:
>> https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
>>
>> But most importantly, I wouldn't expect to see any issues as long as you use ipa-client-install. I guess re-enrolling the client would be the fastest way forward?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>

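The two nsupdate debug transcripts in this thread fail at different stages: the first never gets a reply from the master, the second gets a SERVFAIL on the GSS-TSIG TKEY negotiation. The following classifier, added here as an example rather than code from the thread or from FreeIPA, reads a transcript and names the stage it failed at; the sample transcripts are constructed abridgements of the ones quoted above.

```python
import re

# Constructed samples, abridged from the nsupdate -g -d transcripts quoted in
# the thread (this script did not capture them).
AFTER_CHRONYD_FIX = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
;1835417091.sig-ipa.hq.example.com. ANY TKEY
response to SOA query was unsuccessful
"""
BEFORE_CHRONYD_FIX = """\
Found zone name: hq.example.com
; Communication with 192.168.0.72#53 failed: operation canceled
could not reach any name server
"""
FIELD_RES = {
    "zone": re.compile(r"^Found zone name: (\S+)"),
    "master": re.compile(r"^The master is: (\S+)"),
    "realm": re.compile(r"^Found realm from ticket: (\S+)"),
}
STATUS_RE = re.compile(r"status: ([A-Z]+)")

def classify_nsupdate_debug(text):
    """Map one nsupdate -g -d transcript to the stage where it failed."""
    result = {"zone": None, "master": None, "realm": None, "status": None, "stage": "ok", "hint": ""}
    saw_tkey = False
    for line in text.splitlines():
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if m:
                result[key] = m.group(1)
        m = STATUS_RE.search(line)
        if m:
            result["status"] = m.group(1)  # rcode of the last reply seen
        if " TKEY" in line:  # question section of the GSS-TSIG key exchange
            saw_tkey = True
    status = result["status"]
    if "could not reach any name server" in text:
        result["stage"], result["hint"] = "transport", "no reply at all: check reachability of the master on port 53 before looking at Kerberos"
    elif saw_tkey and status not in (None, "NOERROR"):
        result["stage"] = "tkey"
        result["hint"] = "GSS-TSIG TKEY negotiation answered with " + status + ": check clock sync with the KDC, the host keytab and the server's named log"
    elif status not in (None, "NOERROR"):
        result["stage"], result["hint"] = "update", "update refused with " + status + ": check the zone's update policy"
    return result
```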