On 03/24/2015 02:49 PM, Dmitri Pal wrote:
> On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:
>> Hi there,
>>
>> All the issues I reported in this long thread are SOLVED.
>
> Thanks for closing the loop.

Indeed!

>> For completeness, I'm posting here the conclusions.
>>
>> ipa-client-install did enroll the client but failed in several points:
>>
>> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
>> [...]
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
>> check that 123 UDP port is opened.
>> [...]
>> Failed to update DNS records.
>> [...]
>> Could not update DNS SSHFP records.
>> [...]
>> Unable to find 'admin' user with 'getent passwd ad...@hq.example.com'!
>> Unable to reliably detect configuration. Check NSS setup manually.
>> [...]
>> Client configuration complete.
>>
>> There were two distinct problems:
>>
>> 1) NTP sync failed because despite using --force-ntpd, chronyd wasn't stopped
>> beforehand. Stopping it manually solved the issue. I believe
>> ipa-client-install stopping chronyd was the intended behaviour, in which case
>> this is perhaps a bug. If it needs to be stopped manually, then it should be
>> documented clearly.
>> The failed NTP sync caused Kerberos to fail, which explains "Unable to find
>> 'admin' user with 'getent passwd ad...@hq.example.com'".
>
> We should probably file a ticket about this. I am just not sure what exactly it
> should be.

This is a bug, yes. I filed https://fedorahosted.org/freeipa/ticket/4963; it can
be fixed together with other related chronyd changes that David is working on.

>> 2) DNS update failed because for some obscure reason I forgot to open port
>> 53/tcp on the server's firewall. Only 53/udp was open. This fooled me,
>> because with 53/udp open, the DNS was almost completely functional. However,
>> updates also require 53/tcp.

I added this as a troubleshooting tip to
http://www.freeipa.org/page/Troubleshooting#Failed_to_update_DNS_records

If you have other ideas on how to extend the guide to help your followers, please
feel free to edit it directly or propose improvements.

>> All in all, it was a full 2-day digging and debugging. Bright side is, I
>> learned a lot.

Good! freeipa-users mission was successful :-)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
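The two root causes worked out in the thread (chronyd left running despite --force-ntpd, and 53/udp open but 53/tcp closed on the IPA server, which leaves ordinary lookups working while dynamic updates fail) can be turned into a preflight check. The script below is an added example written for this page, not FreeIPA project code: it sends a real DNS query over UDP and then over TCP (hand-built RFC 1035 wire format, so it needs neither dig nor nsupdate), asks systemd whether chronyd is active, and maps the ipa-client-install warnings quoted above to the cause identified for each. The server name ipa.hq.example.com, the zone hq.example.com, the admin@HQ.EXAMPLE.COM principal and SAMPLE_LOG are constructed for illustration.

```python
#!/usr/bin/env python3
"""ipa_client_preflight.py (added example, not FreeIPA project code).

Checks for the two root causes found in the thread: a running chronyd that
--force-ntpd did not stop, and an IPA server with 53/udp open but 53/tcp
closed.  diagnose() maps the ipa-client-install warnings quoted in the thread
to those causes.  Server names, the realm and SAMPLE_LOG are constructed.
"""
import random
import re
import socket
import struct
import subprocess
import sys

# ipa-client-install warning (as quoted in the thread) -> (code, advice)
DIAGNOSES = [
    (re.compile(r"Unable to sync time with IPA NTP server"), "ntp",
     "stop chronyd before running with --force-ntpd; check 123/udp to the server"),
    (re.compile(r"(Failed to update DNS|Could not update DNS SSHFP) records"), "dns",
     "open 53/tcp as well as 53/udp on the IPA server; updates use TCP"),
    (re.compile(r"Unable to find 'admin' user with 'getent passwd"), "krb",
     "Kerberos failing, typically clock skew after a failed NTP sync; fix NTP first"),
]

def diagnose(log_lines):
    """Return [(code, advice)] for each known warning, first occurrence only."""
    found, seen = [], set()
    for line in log_lines:
        for pattern, code, advice in DIAGNOSES:
            if code not in seen and pattern.search(line):
                seen.add(code)
                found.append((code, advice))
    return found

def build_dns_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_dns_rcode(resp, txid):
    """RCODE of a response whose ID matches txid and has QR set, else None."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid or not flags & 0x8000:
        return None
    return flags & 0x000F

def dns_query(server, name, tcp, qtype=1, timeout=3.0):
    """One query to server:53 over UDP or TCP; RCODE, or None if nothing came back.

    TCP uses the 2-byte length prefix of RFC 1035 4.2.2.  With 53/tcp filtered
    this call times out or is refused while the UDP probe still succeeds.
    """
    txid = random.getrandbits(16)
    query = build_dns_query(name, qtype, txid)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", s.recv(2))
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
    except (OSError, struct.error):
        return None
    return parse_dns_rcode(data, txid)

def chronyd_is_active():
    """True if systemd reports chronyd running, the state that broke --force-ntpd."""
    return subprocess.run(["systemctl", "is-active", "--quiet", "chronyd"]).returncode == 0

# Constructed from the log excerpt quoted in the thread.
SAMPLE_LOG = [
    "Synchronizing time with KDC...",
    "Unable to sync time with IPA NTP server, assuming the time is in sync. "
    "Please check that 123 UDP port is opened.",
    "Failed to update DNS records.",
    "Could not update DNS SSHFP records.",
    "Unable to find 'admin' user with 'getent passwd admin@HQ.EXAMPLE.COM'!",
    "Client configuration complete.",
]

if __name__ == "__main__":
    # usage: ipa_client_preflight.py ipa.hq.example.com [hq.example.com] [install.log]
    server, zone = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "hq.example.com")
    for proto, tcp in (("udp", False), ("tcp", True)):
        rc = dns_query(server, zone, tcp, qtype=6)  # SOA of the zone apex
        print(f"SOA {zone} over {proto}: " + ("no answer" if rc is None else f"rcode {rc}"))
    print("chronyd active:", chronyd_is_active())
    lines = open(sys.argv[3]).read().splitlines() if len(sys.argv) > 3 else SAMPLE_LOG
    for code, advice in diagnose(lines):
        print(f"[{code}] {advice}")
```

Run it on the client before enrolling (`python3 ipa_client_preflight.py ipa.hq.example.com hq.example.com`). An SOA answer over UDP together with "no answer" over TCP is exactly the state described in point 2, and `chronyd active: True` on a host you are about to enroll with --force-ntpd is the state described in point 1. The script deliberately does not probe 123/udp: NTP is connectionless, so a silent probe cannot distinguish a filtered port from a slow server, and `chronyc`/`ntpdate -q` against the IPA server after chronyd is stopped is the reliable check.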