Tyrell Jentink wrote:
First off...  new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine.
I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
repositories, and dnf says it's up to date. FreeIPA has a trust set up
with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
be working...

The first client I connected was a Raspberry Pi running Pidora.  This
client appears to have connected fine, and appears to be working (I
guess I haven't tried logging in as an ActiveDirectory user;  But it's
certainly NOT having any DNS issues, as other clients are; See below...)

Then I tried connecting a second client, a system running Fedora 24 with
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
plan...  Here's the output of ipa-client-install:

    Discovery was successful!
    Client hostname: trainmaster.ipa.rxrhouse.net
    DNS Domain: ipa.rxrhouse.net
    IPA Server: ipa-pdc.ipa.rxrhouse.net
    BaseDN: dc=ipa,dc=rxrhouse,dc=net
    Continue to configure the system with these values? [no]: yes
    Synchronizing time with KDC...
    Attempting to sync time using ntpd.  Will timeout after 15 seconds
    Attempting to sync time using ntpd.  Will timeout after 15 seconds
    Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
    User authorized to enroll computers: admin
    Password for ad...@ipa.rxrhouse.net:
    Successfully retrieved CA cert
         Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
         Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
         Valid From:  Thu Sep 08 17:27:47 2016 UTC
         Valid Until: Mon Sep 08 17:27:47 2036 UTC
    Enrolled in IPA realm IPA.RXRHOUSE.NET
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
    trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
    Forwarding 'ping' to json server
    Forwarding 'ca_is_enabled' to json server
    Systemwide CA database updated.
    Failed to update DNS records.
    Missing reverse record(s) for address(es):
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Forwarding 'host_mod' to json server
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    NTP enabled
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Configuring ipa.rxrhouse.net as NIS domain.
    Client configuration complete.

Of concern, the installer failed to update DNS records, resulting in a
missing reverse record, and eventually failing to update the DNS SSHFP
records.  Looking in the Web UI for FreeIPA server, I see that the
client is registered, but it doesn't have any SSH keys, and as
expected, doesn't have a reverse zone...  But the Raspberry Pi DOES.

Just to be fully sure something was wrong...  I tried connecting with a
clean install of Fedora 24 running in a virtual machine, and had the
same issue.  I've googled around, and can't find anyone having any
similar issues...  And I didn't accidentally stumble across anything
interesting while exploring logs...  But I honestly don't know where to

TO BE CLEAR, things appear to work just fine from freeipa-client version
3.3.3-4.fc20  on pidora on a Raspberry Pi, but it's NOT working with the
latest versions from Fedora 24 on x86_64 hardware...

Where should I look first?  Thank you for any assistance...

Look in /var/log/ipaclient-install.log for debug logging of the install.

