Re: [Freeipa-users] Ubuntu Client HELL
Todd Maugh wrote:
> thanks Rob!
>
> the main issue I am having is that the install is not completing and setting this Ubuntu host up as a client.
>
> I cleared out the old cert as you suggested, the ssh keys were copied over from a previous attempt. I'm not using IPA as DNS and I understand the ntp part.
>
> so now my install finishes up like this:
>
> Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
> NSSConnection init se-idm-01.boingo.com
> Connecting: 66.103.90.130:0
> handshake complete, peer = 66.103.90.130:443
> received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly'
> storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly' for principal host/se-idm-ubuntu-client-01.boingo@boingo.com
> Starting external process
> args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
> Starting external process
> args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
> Starting external process
> args=keyctl padd user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
> Process finished, return code=0
> stdout=700576616
> stderr=
> Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no modifications to be performed
> Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> zone boingo.com.
> update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
> send
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 D456E5C237736406CB5F4B4C24C836217B6D977E
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 270551D349212B7112D4A9079FF490C8D6733041
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
> send
> Starting external process
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> Process finished, return code=1
> stdout=
> stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.
> nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> Could not update DNS SSHFP records.
> Starting external process
> args=/usr/sbin/service nscd status
> Process finished, return code=1
> stdout=
> stderr=nscd: unrecognized service
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

It's hard to say based on this. The next thing it would do in Fedora is run authconfig. I'm unfamiliar with the Ubuntu port, particularly the upstream version it is based on.

It isn't possible to know why it is failing without more information. There is no clear indication in the log of why it died. strace might be handy here.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
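To list every external command that exited non-zero in a debug log like the one quoted above, the following added example (not part of the original thread and not FreeIPA code) pairs each "Starting external process" record with its return code and attaches the explanation already given in this thread where there is one. It assumes the one-field-per-line layout of the installer's debug output; the sample log is constructed from the quoted excerpt with a placeholder principal, and `failed_commands` and `EXPLAINED` are hypothetical names.

```python
import re
# Constructed sample in the line layout of `ipa-client-install -d` output,
# modelled on the log quoted in the thread; the principal is a placeholder.
SAMPLE_LOG = """\
Starting external process
args=keyctl padd user ipa_session_cookie:host/client.example.test@EXAMPLE.TEST @s
Process finished, return code=0
stdout=700576616
stderr=
Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service
"""

# Failures already explained in the thread (Rob's earlier reply). Anything
# else that exits non-zero is reported with note=None for a human to chase.
EXPLAINED = {
    "ntpdate": "can happen if ntpd is already configured on the client",
    "nsupdate": "presumably because IPA is not used for DNS",
}
RC_RE = re.compile(r"Process finished, return code=(-?\d+)$")

def failed_commands(log_text):
    """Return one dict per external command that exited non-zero."""
    failures, rec = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        rc = RC_RE.match(line)
        if line == "Starting external process":
            rec = {"args": "", "rc": None, "stderr": "", "note": None}
        elif rec is None:
            continue  # installer message outside a process record
        elif line.startswith("args="):
            rec["args"] = line[len("args="):]
        elif rc:
            rec["rc"] = int(rc.group(1))
        elif line.startswith("stderr="):
            rec["stderr"] = line[len("stderr="):]
            if rec["rc"] and rec["args"]:
                tool = rec["args"].split()[0].rsplit("/", 1)[-1]
                rec["note"] = EXPLAINED.get(tool)
                failures.append(rec)
            rec = None  # record closed; only the first stderr line is kept

    return failures

if __name__ == "__main__":
    for f in failed_commands(SAMPLE_LOG):
        print(f["rc"], f["args"], "|", f["stderr"], "|", f["note"] or "UNEXPLAINED")
```

Commands reported without a note are the ones the thread has not accounted for and are the first candidates for a closer look, for example with strace as suggested above.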
Re: [Freeipa-users] Ubuntu Client HELL
On 02/21/2014 03:07 PM, Todd Maugh wrote:
> thanks Rob!
>
> the main issue I am having is that the install is not completing and setting this Ubuntu host up as a client.
>
> I cleared out the old cert as you suggested, the ssh keys were copied over from a previous attempt. I'm not using IPA as DNS and I understand the ntp part.
>
> so now my install finishes up like this:
>
> Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
> NSSConnection init se-idm-01.boingo.com
> Connecting: 66.103.90.130:0
> handshake complete, peer = 66.103.90.130:443
> received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly'
> storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly' for principal host/se-idm-ubuntu-client-01.boingo@boingo.com
> Starting external process
> args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
> Starting external process
> args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
> Process finished, return code=1
> stdout=
> stderr=keyctl_search: Required key not available
> Starting external process
> args=keyctl padd user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
> Process finished, return code=0
> stdout=700576616
> stderr=
> Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no modifications to be performed
> Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> zone boingo.com.
> update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
> send
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 D456E5C237736406CB5F4B4C24C836217B6D977E
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 270551D349212B7112D4A9079FF490C8D6733041
> update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
> send
> Starting external process
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> Process finished, return code=1
> stdout=
> stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.
> nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> Could not update DNS SSHFP records.
> Starting external process
> args=/usr/sbin/service nscd status
> Process finished, return code=1
> stdout=
> stderr=nscd: unrecognized service
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
>
> thanks in advance for any help
>
> -Todd
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
> Sent: Friday, February 21, 2014 11:57 AM
> To: freeipa-users
> Subject: Re: [Freeipa-users] Ubuntu Client HELL
>
> Todd Maugh wrote:
> > I'm in limbo here trying to solve this issue
>
> It would help if you said what issue you were having... And what version of the client you are running.
>
> Trolling through the log I see a couple of things:
>
> ntpdate failed, but that can happen if you already have ntpd configured on your client. We have a ticket open on that.
>
> The DNS update failed, presumably because you aren't using IPA for DNS. Not a big deal.
>
> The certmonger failure is due to a bad uninstall in the past. It is still tracking an old cert. You can clear it with:
>
> # ipa-getcert list
> # ipa-getcert stop-tracking -i
>
> The SSH keys are failing to load because they already exist in the host entry. I guess it was pre-created, or left over from a previous attempt? It doesn't appear to be a fatal error.
>
> rob
>
> > here is my output with the debug
> >
> > root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
> > ipa-client-install -d --no-dns-sshfp
> > --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
> > --domain=boingo.com --server=se-idm-01.boingo.com
> > /usr/sbin/ipa-client-install was invoked with options: {'domain':
> > 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
> > False, 'realm_name': None, 'force_ntpd': False, 'create_ssh
Re: [Freeipa-users] Ubuntu Client HELL
thanks Rob!

the main issue I am having is that the install is not completing and setting this Ubuntu host up as a client.

I cleared out the old cert as you suggested, the ssh keys were copied over from a previous attempt. I'm not using IPA as DNS and I understand the ntp part.

so now my install finishes up like this:

Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
NSSConnection init se-idm-01.boingo.com
Connecting: 66.103.90.130:0
handshake complete, peer = 66.103.90.130:443
received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly'
storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly' for principal host/se-idm-ubuntu-client-01.boingo@boingo.com
Starting external process
args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available
Starting external process
args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available
Starting external process
args=keyctl padd user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616
stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no modifications to be performed
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone boingo.com.
update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
send
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 D456E5C237736406CB5F4B4C24C836217B6D977E
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 270551D349212B7112D4A9079FF490C8D6733041
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
send
Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

thanks in advance for any help

-Todd

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, February 21, 2014 11:57 AM
To: freeipa-users
Subject: Re: [Freeipa-users] Ubuntu Client HELL

Todd Maugh wrote:
> I'm in limbo here trying to solve this issue

It would help if you said what issue you were having... And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS. Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i

The SSH keys are failing to load because they already exist in the host entry. I guess it was pre-created, or left over from a previous attempt? It doesn't appear to be a fatal error.

rob

>
> here is my output with the debug
>
> root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
> ipa-client-install -d --no-dns-sshfp
> --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
> --domain=boingo.com --server=se-idm-01.boingo.com
> /usr/sbin/ipa-client-install was invoked with options: {'domain':
> 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
> False, 'realm_name': None, 'force_ntpd': False, '
Re: [Freeipa-users] Ubuntu Client HELL
Todd Maugh wrote:
> I'm in limbo here trying to solve this issue

It would help if you said what issue you were having... And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS. Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i

The SSH keys are failing to load because they already exist in the host entry. I guess it was pre-created, or left over from a previous attempt? It doesn't appear to be a fatal error.

rob

> here is my output with the debug
>
> root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore# ipa-client-install -d --no-dns-sshfp --hostname=se-idm-ubuntu-client-01.boingo.com --force-join --domain=boingo.com --server=se-idm-01.boingo.com
> /usr/sbin/ipa-client-install was invoked with options: {'domain': 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 'se-idm-ubuntu-client-01.boingo.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'mkhomedir': False, 'conf_ssh': True, 'force_join': True, 'server': ['se-idm-01.boingo.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
> Use --force-ntpd option to disable it and force configuration of ntpd
> [IPA Discovery]
> Starting IPA discovery with domain=boingo.com, servers=['se-idm-01.boingo.com'], hostname=se-idm-ubuntu-client-01.boingo.com
> Server and domain forced
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.boingo.com
> DNS record not found: NXDOMAIN
> [LDAP server check]
> Verifying that se-idm-01.boingo.com (realm None) is an IPA server
> Init LDAP connection to: se-idm-01.boingo.com
> Search LDAP server for IPA base DN
> Check if naming context 'dc=boingo,dc=com' is for IPA
> Naming context 'dc=boingo,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=boingo,dc=com (sub)
> Found: cn=BOINGO.COM,cn=kerberos,dc=boingo,dc=com
> Discovery result: Success; server=se-idm-01.boingo.com, domain=boingo.com, kdc=None, basedn=dc=boingo,dc=com
> Validated servers: se-idm-01.boingo.com
> will use discovered domain: boingo.com
> Using servers from command line, disabling DNS discovery
> will use provided server: se-idm-01.boingo.com
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> will use discovered realm: BOINGO.COM
> will use discovered basedn: dc=boingo,dc=com
> Hostname: se-idm-ubuntu-client-01.boingo.com
> Hostname source: Provided as option
> Realm: BOINGO.COM
> Realm source: Discovered from LDAP DNS records in se-idm-01.boingo.com
> DNS Domain: boingo.com
> DNS Domain source: Forced
> IPA Server: se-idm-01.boingo.com
> IPA Server source: Provided as option
> BaseDN: dc=boingo,dc=com
> BaseDN source: From IPA server ldap://se-idm-01.boingo.com:389
> Continue to configure the system with these values? [no]: yes
> Starting external process
> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r BOINGO.COM
> Process finished, return code=0
> stdout=
> stderr=Removing principal host/se-idm-ubuntu-client-01.boingo@boingo.com
> Removed old keys for realm BOINGO.COM from /etc/krb5.keytab
> Starting external process
> args=/bin/hostname se-idm-ubuntu-client-01.boingo.com
> Process finished, return code=0
> stdout=
> stderr=
> Backing up system configuration file '/etc/hostname'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> User authorized to enroll computers: admin
> will use principal provided as option: admin
> Synchronizing time with KDC...
> Search DNS for SRV record of _ntp._udp.boingo.com
> DNS record not found: NXDOMAIN
> Starting external process
> args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> Process finished, return code=1
> stdout=
> stderr=
> Starting external process
> args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
> Process finished, return code=1
> stdout=
> stderr=
> Starting external process
> args=/usr/