Hi,
An update.
I just got Trusty enrolled into FreeIPA by removing everything in: 
/etc/pki/nssdb and running:
/usr/bin/certutil -N --empty-password -d /etc/pki/nssdb
... before the client-install is run.
I get user IDs with Freeipa and AD domains:
root@jamestrusty:/etc/pki/nssdb# id 

root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@AD.DOMAIN.LOCAL

However, auth issues are still the same as Precise. It doesn't accept the ssh public key 
stored with the IPA user or the Trust ID view user.

Xenial has no problems.
Regards,
James Harrison

      From: James Harrison <jamesaharriso...@yahoo.co.uk>
 To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
 Sent: Thursday, 8 December 2016, 15:02
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account

Hi,
I would prefer not to compile anything. It means we have to maintain the 
package, rather than the distro maintainers.

Trusty has a completely different set of errors to Precise.  

Xenial works with no problems.

I run a script that allows the system to join the IPA domain (the same script 
regardless of Ubuntu distro):
( $P_W is read in from stdin)

ipa-client-install \
     --server="$IPA_SERVER" \
     --domain=dns.domain.com \
     --principal=admin \
     --password="$P_W" \
     --preserve-sssd \
     --mkhomedir \
     --no-ntp \

Enter (Admins) Password:   
Confirm Password: 
Hostname: jamestrusty.dns.domain.com
DNS Domain: dns.domain.com
IPA Server: pul-lv-ipa-01.dns.domain.com
BaseDN: dc=int,dc=worldfirst,dc=com

Synchronizing time with KDC...
Dec  8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct  5 
12:35:26 UTC 2016 (1)
Dec  8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
Unable to sync time with IPA NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=SOMECERT
    Issuer:      CN=SOMECERT
    Valid From:  Wed Mar 12 00:00:00 2014 UTC
    Valid Until: Sun Mar 11 23:59:59 3029 UTC

Enrolled in IPA realm IPA.REALM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration 
file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
SSSD service could not be stopped
Client uninstall complete.

      From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Thursday, 8 December 2016, 11:22
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account
On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system. 
>Its enrolled into a FreeIPA server. The following trace is the output of 
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
Are you able to reproduce with Ubuntu 14.04
and sssd from trusty-updates (1.11.8-0ubuntu0.3)?
You might also consider testing sssd-1.13.4 (in Ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa.


