James Harrison wrote:
>
> Hi,
> I would prefer not to compile anything. It means we have to maintain the
> package, rather than the distro maintainers.
>
> Trusty has a completely different set of errors to Precise.
>
> Xenial works with no problems.
>
> I run a script that allows the system to join the IPA domain (the same
> script regardless of Ubuntu distro):
>
> ( $P_W is read in from stdin)
>
> ipa-client-install \
> --server="$IPA_SERVER" \
> --domain=dns.domain.com \
> --principal=admin \
> --password="$P_W" \
> --preserve-sssd \
> --mkhomedir \
> --no-ntp \
> -U
>
>
> Enter (Admins) Password:
> Confirm Password:
> Hostname: jamestrusty.dns.domain.com
> Realm: IPA.REALM.COM
> DNS Domain: dns.domain.com
> IPA Server: pul-lv-ipa-01.dns.domain.com
> BaseDN: dc=int,dc=worldfirst,dc=com
>
> Synchronizing time with KDC...
> Dec 8 14:50:58 jamestrusty ntpdate[2448]: ntpdate [email protected] Wed
> Oct 5 12:35:26 UTC 2016 (1)
> Dec 8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
> ...
> ...
> ...
> ...
> ...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
> Subject: CN=SOMECERT
> Issuer: CN=SOMECERT
> Valid From: Wed Mar 12 00:00:00 2014 UTC
> Valid Until: Sun Mar 11 23:59:59 3029 UTC
>
> Enrolled in IPA realm IPA.REALM.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Failed to add CA to the default NSS database.
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm:
> Configuration file does not specify default realm.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Client uninstall complete.

The stdout is usually not very helpful, /var/log/ipaclient-install.log
contains the real details.

Still, were I to guess, the required NSS database (and directory)
doesn't exist. This would be located in either /etc/ipa/nssdb or
/etc/pki/nssdb.

rob

>
>
> ------------------------------------------------------------------------
> *From:* Lukas Slebodnik <[email protected]>
> *To:* James Harrison <[email protected]>
> *Cc:* "[email protected]" <[email protected]>
> *Sent:* Thursday, 8 December 2016, 11:22
> *Subject:* Re: [Freeipa-users] Problem with Free IPA Client Ubuntu
> Precise (12.04) authenticating with AD account
>
> On (07/12/16 18:19), James Harrison wrote:
>>Hi all,
>>
>>I am trying to authenticate an ubuntu Precise (12.06) fully patched
>>system. It's enrolled into a FreeIPA server. The following trace is the
>>output of syslog auth sssd/*.log and full debug (-ddd) from the sshd
>>service.
>>
> Are you able to reproduce with ubuntu 14.04
> and sssd from trusty-updates(1.11.8-0ubuntu0.3)?
> You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
> or at least 1.12.5-1~trusty1 from ppa
> https://launchpad.net/~sssd
>
>
> LS
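
The reply above guesses that the NSS database directory is missing at /etc/ipa/nssdb or /etc/pki/nssdb. As an added example (not code from the thread or from the FreeIPA project), this shell check reports the state of both paths; it assumes the standard NSS file sets (legacy DBM and SQLite), and the `ROOT` prefix argument is a hypothetical convenience for testing against a scratch tree.

```shell
#!/bin/sh
# Added example: classify the two candidate NSS database directories.
# Assumed file sets (standard NSS layouts):
#   legacy DBM: cert8.db key3.db secmod.db
#   SQLite:     cert9.db key4.db pkcs11.txt

# nssdb_state DIR -> prints one of: missing | empty | dbm | sql | partial
nssdb_state() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    dbm=0
    sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then dbm=$((dbm + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$dir/$f" ]; then sql=$((sql + 1)); fi
    done
    if [ "$sql" -eq 3 ]; then
        echo sql
    elif [ "$dbm" -eq 3 ]; then
        echo dbm
    elif [ $((dbm + sql)) -eq 0 ]; then
        echo empty          # directory exists but holds no database files
    else
        echo partial        # some files present, neither set complete
    fi
}

# check_client_nssdb [ROOT] -> one "path state" line per candidate directory.
# ROOT (hypothetical) is prepended to each path; empty means the live system.
check_client_nssdb() {
    root=${1:-}
    for d in /etc/ipa/nssdb /etc/pki/nssdb; do
        printf '%s %s\n' "$d" "$(nssdb_state "$root$d")"
    done
}

# Report on the running system (read-only).
check_client_nssdb
```

A result of `missing`, `empty` or `partial` for both paths is consistent with the "Failed to add CA to the default NSS database" line in the quoted output; /var/log/ipaclient-install.log remains the place to confirm which path the installer actually tried.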
