Andrey Ptashnik wrote:
> Any ideas on that?

/var/log/ipaclient-install.log probably has more details on the DNS
update failure.

rob

> 
> Regards,
> 
> Andrey Ptashnik | Network Architect
> CCC Information Services Inc.
> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com
> 
> 
> 
> 
> 
> 
> 
> On 9/16/15, 11:30 AM, "freeipa-users-boun...@redhat.com on behalf of Andrey 
> Ptashnik" <freeipa-users-boun...@redhat.com on behalf of aptash...@cccis.com> 
> wrote:
> 
>> Alexander,
>>
>> Thank you for your feedback!
>>
>> In my environment I noticed that client machines that are on Red Hat 6 have 
>> version 3.0.0 of IPA client installed.
>>
>> [root@ptr-test-6 ~]# yum list installed | grep ipa
>> ipa-client.x86_64                  3.0.0-47.el6
>> ipa-python.x86_64                  3.0.0-47.el6
>>
>>
>> [root@ptr-test-6 ~]# yum list installed | grep sssd
>> python-sssdconfig.noarch           1.12.4-47.el6
>> sssd.x86_64                        1.12.4-47.el6
>> sssd-ad.x86_64                     1.12.4-47.el6
>> sssd-client.x86_64                 1.12.4-47.el6
>> sssd-common.x86_64                 1.12.4-47.el6
>> sssd-common-pac.x86_64             1.12.4-47.el6
>> sssd-ipa.x86_64                    1.12.4-47.el6
>> sssd-krb5.x86_64                   1.12.4-47.el6
>> sssd-krb5-common.x86_64            1.12.4-47.el6
>> sssd-ldap.x86_64                   1.12.4-47.el6
>> sssd-proxy.x86_64                  1.12.4-47.el6
>> [root@ptr-test-6 ~]# 
>>
>>
>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - 
>> when I add machines to the domain using command below:
>>
>> # ipa-client-install --enable-dns-updates --ssh-trust-dns —mkhomedir
>>
>> DNS record populate in Forward lookup zone, but no PTR records appear in 
>> Reverse lookup zones. That behavior is not the same with IPA client 4.1 and 
>> IPA server 4.1 version combination.
>>
>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see 
>> output below:
>>
>> Synchronizing time with KDC...
>> Enrolled in IPA realm XXXXXXXXX.COM
>> Attempting to get host TGT...
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
>> trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
>> Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>> Failed to update DNS records.
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>> Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>> SSSD enabled
>> Configuring XXXXXXXXX.COM as NIS domain
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Client configuration complete.
>>
>>
>> Regards,
>>
>> Andrey Ptashnik
>>
>>
>>
>>
>>
>>
>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>>
>>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>> Dear IPA Team,
>>>>
>>>> We have a situation in our datacenter where we deployed Red Hat 7.1
>>>> with IPA server 4.1 and on the other hand we still have older machines
>>>> with Red Hat 5 and 6. I noticed that repositories associated with
>>>> version 6 have older version of the client software – v.3.0. Therefore
>>>> some functionality is missing from client package 3 vs 4, like
>>>> automatic update of both forward and reverse DNS records.
>>>>
>>>> Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>>> much breaking dependencies in OS?
>>> You don't need to install IPA python packages on older machines. These
>>> packages are mostly for administration purposes.
>>>
>>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>>> version of SSSD is on par with RHEL 7 version in the recent updates.
>>> Additionally, MIT Kerberos backports were done in the recent updates to
>>> allow OTP functionality in RHEL6 as well. So most of features are there
>>> already, client-wise.
>>>
>>> RHEL5 version does not have such updates and you can implement most of
>>> the support with existing SSSD and output of 'ipa-advise' tool on IPA
>>> masters. nsupdate integration would probably need to be done
>>> differently.
>>>
>>> Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not
>>> much sense.
>>>
>>> -- 
>>> / Alexander Bokovoy
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to