Andrey Ptashnik wrote:
> Any ideas on that?

/var/log/ipaclient-install.log probably has more details on the DNS update failure.

rob

>
> Regards,
>
> Andrey Ptashnik | Network Architect
> CCC Information Services Inc.
> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | [email protected]
>
> On 9/16/15, 11:30 AM, "[email protected] on behalf of Andrey
> Ptashnik" <[email protected] on behalf of [email protected]>
> wrote:
>
>> Alexander,
>>
>> Thank you for your feedback!
>>
>> In my environment I noticed that client machines that are on Red Hat 6 have
>> version 3.0.0 of IPA client installed.
>>
>> [root@ptr-test-6 ~]# yum list installed | grep ipa
>> ipa-client.x86_64 3.0.0-47.el6
>> ipa-python.x86_64 3.0.0-47.el6
>>
>> [root@ptr-test-6 ~]# yum list installed | grep sssd
>> python-sssdconfig.noarch 1.12.4-47.el6
>> sssd.x86_64 1.12.4-47.el6
>> sssd-ad.x86_64 1.12.4-47.el6
>> sssd-client.x86_64 1.12.4-47.el6
>> sssd-common.x86_64 1.12.4-47.el6
>> sssd-common-pac.x86_64 1.12.4-47.el6
>> sssd-ipa.x86_64 1.12.4-47.el6
>> sssd-krb5.x86_64 1.12.4-47.el6
>> sssd-krb5-common.x86_64 1.12.4-47.el6
>> sssd-ldap.x86_64 1.12.4-47.el6
>> sssd-proxy.x86_64 1.12.4-47.el6
>> [root@ptr-test-6 ~]#
>>
>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 -
>> when I add machines to the domain using the command below:
>>
>> # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>>
>> DNS records populate in the Forward lookup zone, but no PTR records appear in
>> Reverse lookup zones. That behavior is not the same with the IPA client 4.1 and
>> IPA server 4.1 version combination.
>>
>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see
>> the output below:
>>
>> Synchronizing time with KDC...
>> Enrolled in IPA realm XXXXXXXXX.COM
>> Attempting to get host TGT...
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
>> trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
>> Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>> Failed to update DNS records.
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>> Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>> SSSD enabled
>> Configuring XXXXXXXXX.COM as NIS domain
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Client configuration complete.
>>
>> Regards,
>>
>> Andrey Ptashnik
>>
>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" <[email protected]> wrote:
>>
>>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>> Dear IPA Team,
>>>>
>>>> We have a situation in our datacenter where we deployed Red Hat 7.1
>>>> with IPA server 4.1 and on the other hand we still have older machines
>>>> with Red Hat 5 and 6. I noticed that repositories associated with
>>>> version 6 have an older version of the client software – v.3.0. Therefore
>>>> some functionality is missing from client package 3 vs 4, like
>>>> automatic update of both forward and reverse DNS records.
>>>>
>>>> Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>>> much breaking dependencies in OS?
>>> You don't need to install IPA python packages on older machines. These
>>> packages are mostly for administration purposes.
>>>
>>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>>> version of SSSD is on par with RHEL 7 version in the recent updates.
>>> Additionally, MIT Kerberos backports were done in the recent updates to
>>> allow OTP functionality in RHEL6 as well. So most of the features are there
>>> already, client-wise.
>>>
>>> RHEL5 version does not have such updates and you can implement most of
>>> the support with existing SSSD and output of 'ipa-advise' tool on IPA
>>> masters. nsupdate integration would probably need to be done
>>> differently.
>>>
>>> Backporting IPA v4.x client code to RHEL 5 or 6 in general does not make
>>> much sense.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
