On 03/24/2015 02:49 PM, Dmitri Pal wrote:
> On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:
>> Hi there,
>> All the issues I reported in this long thread are SOLVED.
> Thanks for closing the loop.


>> For completeness, I'm posting here the conclusions.
>> ipa-client-install did enroll the client but failed in several points:
>> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
>> [...]
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
>> check that 123 UDP port is opened.
>> [...]
>> Failed to update DNS records.
>> [...]
>> Could not update DNS SSHFP records.
>> [...]
>> Unable to find 'admin' user with 'getent passwd ad...@hq.example.com
>> <mailto:ad...@hq.example.com>'!
>> Unable to reliably detect configuration. Check NSS setup manually.
>> [...]
>> Client configuration complete.
>> There were two distinct problems:
>> 1) NTP sync failed because despite using --force-ntp, chronyd wasn't stopped
>> beforehand. Stopping it manually solved the issue. I believe
>> ipa-client-install stopping chronyd was the intended behaviour, in which case
>> this is perhaps a bug. If it needs to be stopped manually, then it should be
>> documented clearly.
>> The failed NTP sync caused Kerberos to fail, which explains "Unable to find
>> 'admin' user with 'getent passwd ad...@hq.example.com
>> <mailto:ad...@hq.example.com>'".
> We should probably file a ticket about this. I am just not sure what exactly 
> it
> should be.

This is a bug, yes. I filed https://fedorahosted.org/freeipa/ticket/4963, it
can be fixed together with other related chronyd changes that David is working 

>> 2) DNS update failed because for some obscure reason I forgot to open port
>> 53/tcp on the server's firewall. Only 53/udp was open. This fooled me,
>> because with 53/udp open, the DNS was almost completely functional. However,
>> updates also require 53/tcp.

I added this as a troubleshooting tip to
If you have other ideas how to extend the guide to help your followers, please
feel free to edit it directly or propose improvements.

>> All in all, it was a full 2day digging and debugging. Bright side is, I
>> learned a lot.

Good! freeipa-users mission was successful :-)

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to