James Harrison wrote:
> I would prefer not to compile anything. It means we have to maintain the
> package, rather than the distro maintainers.
> Trusty has a completely different set of errors to Precise.
> Xenial works with no problems.
> I run a script that allows the system to join the IPA domain (the same
> script regardless of Ubuntu distro):
> ( $P_W is read in from stdin)
> ipa-client-install \
> --server="$IPA_SERVER" \
> --domain=dns.domain.com \
> --principal=admin \
> --password="$P_W" \
> --preserve-sssd \
> --mkhomedir \
> --no-ntp \
> Enter (Admins) Password:
> Confirm Password:
> Hostname: jamestrusty.dns.domain.com
> Realm: IPA.REALM.COM
> DNS Domain: dns.domain.com
> IPA Server: pul-lv-ipa-01.dns.domain.com
> BaseDN: dc=int,dc=worldfirst,dc=com
> Synchronizing time with KDC...
> Dec 8 14:50:58 jamestrusty ntpdate: ntpdate firstname.lastname@example.org Wed
> Oct 5 12:35:26 UTC 2016 (1)
> Dec 8 14:50:58 jamestrusty ntpdate: the NTP socket is in use, exiting
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
> Subject: CN=SOMECERT
> Issuer: CN=SOMECERT
> Valid From: Wed Mar 12 00:00:00 2014 UTC
> Valid Until: Sun Mar 11 23:59:59 3029 UTC
> Enrolled in IPA realm IPA.REALM.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Failed to add CA to the default NSS database.
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm:
> Configuration file does not specify default realm.
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> SSSD service could not be stopped
> Client uninstall complete.
The stdout is usually not very helpful; /var/log/ipaclient-install.log
contains the real details.
Still, were I to guess, the required NSS database (and directory)
doesn't exist. This would be located in either /etc/ipa/nssdb or
> *From:* Lukas Slebodnik <lsleb...@redhat.com>
> *To:* James Harrison <jamesaharriso...@yahoo.co.uk>
> *Cc:* "email@example.com" <firstname.lastname@example.org>
> *Sent:* Thursday, 8 December 2016, 11:22
> *Subject:* Re: [Freeipa-users] Problem with Free IPA Client Ubuntu
> Precise (12.04) authenticating with AD account
> On (07/12/16 18:19), James Harrison wrote:
>>I am trying to authenticate an Ubuntu Precise (12.06) fully patched
> system. It's enrolled into a FreeIPA server. The following trace is the
> output of syslog auth sssd/*.log and full debug (-ddd) from the sshd
> Are you able to reproduce with Ubuntu 14.04
> and sssd from trusty-updates(1.11.8-0ubuntu0.3)?
> You might also consider to test sssd-1.13.4 (in Ubuntu 16.04)
> or at least 1.12.5-1~trusty1 from ppa
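
A quick check of the two points raised in the reply above (whether the NSS database exists, and what the installer log actually recorded), as an added example that is not part of the original thread. The NSS file names are the standard ones for the legacy dbm and SQLite formats; the `timestamp LEVEL message` log layout and the `NSSDB_DIR` / `IPA_LOG` variable names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.

# Classify an NSS database directory by the files it holds.
#   missing    - directory does not exist
#   sql        - cert9.db, key4.db, pkcs11.txt (SQLite format)
#   dbm        - cert8.db, key3.db, secmod.db (legacy format)
#   incomplete - directory exists but holds no full set of files
nssdb_state() {
    d=$1
    if [ ! -d "$d" ]; then
        echo missing
    elif [ -f "$d/cert9.db" ] && [ -f "$d/key4.db" ] && [ -f "$d/pkcs11.txt" ]; then
        echo sql
    elif [ -f "$d/cert8.db" ] && [ -f "$d/key3.db" ] && [ -f "$d/secmod.db" ]; then
        echo dbm
    else
        echo incomplete
    fi
}

# Print only the ERROR-level lines of an installer log.
# Assumption: each line is "<timestamp> <LEVEL> <message>".
install_log_errors() {
    awk '$2 == "ERROR"' "$1"
}

# Defaults: the database path named in the reply and the log it points to.
# NSSDB_DIR and IPA_LOG are hypothetical override variables for this example.
dir=${NSSDB_DIR:-/etc/ipa/nssdb}
log=${IPA_LOG:-/var/log/ipaclient-install.log}

echo "$dir: $(nssdb_state "$dir")"
if [ -r "$log" ]; then
    install_log_errors "$log"
else
    echo "$log: not readable (run as root)"
fi
```

A result of `missing` or `incomplete` on the enrolling host is consistent with the "Failed to add CA to the default NSS database" line in the installer output.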