Re: [Freeipa-users] IPA users can't log in to SDDM

2017-03-14 Thread Tyrell Jentink
Oh, you are quite right... It's even identified in the project scope of the
original proposal to switch from KDM: "Fix the bugs affecting log in: PAM
stack integration and LDAP user lists"  --
https://fedoraproject.org/wiki/Changes/SDDMinsteadOfKDM

I'm just going to switch back to KDM...   Should solve my problem.

Thank you!

On Tue, Mar 14, 2017 at 12:46 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ti, 14 maalis 2017, Tyrell Jentink wrote:
>
>> I have users in an AD Domain, my FreeIPA server is set up with an
>> interforest trust, and users can log in using SSH or virtual terminals on
>> any system joined to the IPA domain, and I have Samba authenticating
>> against these users on another server... Things are good...
>>
>> Until I try logging in to the Fedora 25 KDE Respin from the desktop
>> manager (SDDM), in which case it goes to a black screen, with an X as a
>> cursor, but nothing else... This is my first attempt at logging a remote
>> user in through the GUI, and KDE/SDDM is the default configuration on
>> Fedora KDE Respin, thus the combination in question... I haven't tried
>> anything else.
>>
>> Some diagnostics I have tried:
>>
>> If I log in to a virtual terminal and run startx, then I get KDE,
>> regardless of the user.
>> If I log in to SDDM/KDE using a local user, then I get KDE.
>> If I log in to SDDM/KDE using an IPA user, I get the black screen...
>>   But, the audit and security logs show that the user successfully
>> authenticated. Dmesg shows the user getting authenticated successfully and
>> user contexts changing successfully.
>>
>>
>> So, I'm left assuming this is a problem with SDDM somewhere, but only with
>> remote users... And my logs aren't giving me any hints.
>>
>> Any ideas? Any logs in particular that I should be looking at?
>>
> "Black screen" with SDDM is a fairly known issue -- you can look at
> https://bugzilla.redhat.com/show_bug.cgi?id=1350107, for example. Or
> https://github.com/sddm/sddm/issues/756, or many other distros. It looks
> like SDDM is crashing internally on many conditions. The bug in Red Hat
> bugzilla has at least three different cases where SDDM crashes.
>
> I'd suggest you file a bug and attach system logs to it. You can use the
> SSSD troubleshooting guide to create SSSD debug logs (domain, pam, nss,
> and selinux sections at least) but also attach logs for sddm and audit.
>
> --
> / Alexander Bokovoy
>



-- 
Tyrell Jentink
tyrell.jentink.net
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] IPA users can't log in to SDDM

2017-03-14 Thread Tyrell Jentink
I have users in an AD Domain, my FreeIPA server is set up with an
interforest trust, and users can log in using SSH or virtual terminals on
any system joined to the IPA domain, and I have Samba authenticating
against these users on another server... Things are good...

Until I try logging in to the Fedora 25 KDE Respin from the desktop manager
(SDDM), in which case it goes to a black screen, with an X as a cursor, but
nothing else... This is my first attempt at logging a remote user in
through the GUI, and KDE/SDDM is the default configuration on Fedora KDE
Respin, thus the combination in question... I haven't tried anything else.

Some diagnostics I have tried:

If I log in to a virtual terminal and run startx, then I get KDE,
regardless of the user.
If I log in to SDDM/KDE using a local user, then I get KDE.
If I log in to SDDM/KDE using an IPA user, I get the black screen...
   But, the audit and security logs show that the user successfully
authenticated. Dmesg shows the user getting authenticated successfully and
user contexts changing successfully.


So, I'm left assuming this is a problem with SDDM somewhere, but only with
remote users... And my logs aren't giving me any hints.

Any ideas? Any logs in particular that I should be looking at?

Re: [Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.

2016-10-27 Thread Tyrell Jentink
Thank you Petr!  I found the problem, but quite by accident...  There may
be a Best Practice at hand that I wasn't aware of...

I still have the Windows AD server sitting on the side, serving as DHCP
server and waiting patiently for my Cross Realm Trust;  That server will
forward DNS requests to the IPA server, and return a non-authoritative
answer.  Occasionally, that server will seemingly lose track of the IPA
server, and stop returning results...  And that happened while I was trying
to follow through with your request for info...  So as a quick work around,
I simply dropped the AD server from my resolv.conf...

And then performed your requests, without errors.  I ran the DNS Update
from the ipa-server-install script, and that worked without errors.  I
added the AD server back into resolv.conf, and everything failed again. I
put the AD server as the SECOND name server in resolv.conf, and the errors
went away. So I've clearly identified the problem.

I uninstalled the client, and reinstalled the client, and everything went
cleanly.

To prevent this problem in the future...  I will be changing the DHCP
options to list the IPA DNS first for the Linux clients, and the AD DNS
first for Windows clients; I still want the AD DNS server in the list, as a
fallback. Is this plan the best practice here?

On Wed, Oct 26, 2016 at 11:36 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 27.10.2016 04:43, Tyrell Jentink wrote:
> >> > 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to
> >> > /etc/ipa/.dns_update.txt:
> >> > 2016-10-26T23:30:40Z DEBUG debug
> >> >
> >> > update delete trainmaster.ipa.rxrhouse.net. IN A
> >> > show
> >> > send
> >> >
> >> > update delete trainmaster.ipa.rxrhouse.net. IN 
> >> > show
> >> > send
> >> >
> >> > update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
> >> > show
> >> > send
> >> >
> >> > 2016-10-26T23:30:40Z DEBUG Starting external process
> >> > 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> >> > 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
> >> > 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
> >> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> >> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> > ;; UPDATE SECTION:
> >> > trainmaster.ipa.rxrhouse.net. 0 ANY A
> >> >
> >> > Outgoing update query:
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
> >> > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >> > ;; QUESTION SECTION:
> >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
> >> >
> >> > ;; ADDITIONAL SECTION:
> >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640
> [...]
> >> >
> >> > 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38738
> >> > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >> > ;; QUESTION SECTION:
> >> > ;trainmaster.ipa.rxrhouse.net.  IN  SOA
> >> >
> >> > ;; AUTHORITY SECTION:
> >> > ipa.rxrhouse.net.   0   IN  SOA ipa-pdc.ipa.rxrhouse.net.
> >> > hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
> >> >
> >> > Found zone name: ipa.rxrhouse.net
> >> > The master is: ipa-pdc.ipa.rxrhouse.net
> >> > start_gssrequest
> >> > Found realm from ticket: IPA.RXRHOUSE.NET
> >> > send_gssrequest
> >> > recvmsg reply from GSS-TSIG query
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
> >> > ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >> > ;; QUESTION SECTION:
> >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
> >> >
> >> > ;; ANSWER SECTION:
> >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805
> >> > 1466388205 3 NOERROR 101
> >> > YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
> >> > MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> >> > AwIBAaELMAkbB2FkLXBkYyQ=
> >> > 0
> >> >
> >> > dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> >> > failure.  Minor code may provide more information, Minor = M
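
The resolv.conf ordering Tyrell identified above, turned into a check a practitioner can run against a client's resolver configuration and the `nsupdate -g` stderr quoted in this thread. This is an added example, not FreeIPA code and not from the thread; 10.42.0.11 is ipa-pdc's address from the 2016-10-11 log, while 10.42.0.10 for the AD server is an assumption.

```python
import re

# Constructed resolv.conf in the failing order from the thread: AD DNS first,
# IPA second. 10.42.0.11 is ipa-pdc (from the 2016-10-11 log's ADDITIONAL
# section); 10.42.0.10 is an assumed address for the AD server.
SAMPLE_RESOLV_CONF = """\
search ipa.rxrhouse.net
nameserver 10.42.0.10
nameserver 10.42.0.11
"""

# Constructed nsupdate -g stderr, trimmed from the 2016-10-11 log in this thread.
SAMPLE_NSUPDATE_STDERR = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681
;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
ipa.rxrhouse.net.   60  IN  SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600

Found zone name: ipa.rxrhouse.net
The master is: ipa-pdc.ipa.rxrhouse.net
Found realm from ticket: IPA.RXRHOUSE.NET
recvmsg reply from GSS-TSIG query
dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Message stream modified.
"""

def parse_nameservers(resolv_conf):
    """Return nameserver addresses in the order the resolver will try them."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def check_resolver_order(nameservers, ipa_dns):
    """Flag the order the thread found to break nsupdate -g: a non-IPA
    resolver (the AD server) consulted before the IPA DNS server."""
    if not nameservers:
        return "no nameserver entries"
    first = nameservers[0]
    if first in ipa_dns:
        return "ok"
    if any(ns in ipa_dns for ns in nameservers[1:]):
        return f"warning: IPA DNS is not first; {first} is queried before it"
    return f"warning: no IPA DNS server listed (first is {first})"

def parse_soa_reply(stderr):
    """What nsupdate -g learned before GSS-TSIG failed: SOA aa flag, zone,
    master, and the GSSAPI minor status (if any)."""
    info = {"authoritative": None, "zone": None, "master": None, "gss_error": None}
    m = re.search(r"^;; flags:([^;]*);", stderr, re.M)
    if m:
        info["authoritative"] = "aa" in m.group(1).split()
    for key, pattern in (("zone", r"^Found zone name: (\S+)"),
                         ("master", r"^The master is: (\S+)")):
        m = re.search(pattern, stderr, re.M)
        if m:
            info[key] = m.group(1)
    m = re.search(r"^dns_tkey_negotiategss: failure .*Minor = (.+)$", stderr, re.M)
    if m:
        info["gss_error"] = m.group(1).strip().rstrip(".")
    return info
```

Run `check_resolver_order(parse_nameservers(open("/etc/resolv.conf").read()), {"<ipa-dns-address>"})` on an affected client, and feed the `stderr=` section of ipa-client-install's log to `parse_soa_reply` to see whether the SOA answer came back without the `aa` flag, i.e. from a forwarder rather than the IPA server itself.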

[Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.

2016-10-26 Thread Tyrell Jentink
namic enp1s6\   valid_lft 588384sec
> preferred_lft 588384sec
> 2: enp1s6inet6 fe80::e779:3263:960d:ff87/64 scope link \
> valid_lft forever preferred_lft forever
>
> 2016-10-26T23:30:40Z DEBUG stderr=
> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to
> /etc/ipa/.dns_update.txt:
> 2016-10-26T23:30:40Z DEBUG debug
>
> update delete trainmaster.ipa.rxrhouse.net. IN A
> show
> send
>
> update delete trainmaster.ipa.rxrhouse.net. IN 
> show
> send
>
> update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
> show
> send
>
> 2016-10-26T23:30:40Z DEBUG Starting external process
> 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt
> 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
> 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640
> 1477524640 3 NOERROR 683
>
>
> 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38738
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net.  IN  SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net.   0   IN  SOA ipa-pdc.ipa.rxrhouse.net.
> hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ANSWER SECTION:
> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805
> 1466388205 3 NOERROR 101
> YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
> MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> AwIBAaELMAkbB2FkLXBkYyQ=
> 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Message stream
> modified.
>
> 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
> trainmaster.ipa.rxrhouse.net IN A
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
> trainmaster.ipa.rxrhouse.net IN 
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa.
> IN PTR
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z WARNING Missing A/ record(s) for host
> trainmaster.ipa.rxrhouse.net: 10.42.0.100.
> 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es):
> 10.42.0.100.
>
-- Full logs can be found here:  http://pastebin.com/90dG9Ffu

   - For grins, I decided to test:
   kinit admin
   id admin
   getent passwd admin
   on the client, and all of those made valid responses

Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
Thank you, Rob.

For reference, my full log can be found here: http://pastebin.com/6VLaQjYw

But I would postulate that the interesting bit is this:

> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815
> 1476223815 3 NOERROR 683
>
> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net.  IN  SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net.   60  IN  SOA ipa-pdc.ipa.rxrhouse.net.
> hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>
> ;; ADDITIONAL SECTION:
> ipa-pdc.ipa.rxrhouse.net. 353   IN  A   10.42.0.11
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.ANY TKEY
>
> ;; ANSWER SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678
> 1466728078 3 NOERROR 101
> YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
> MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> AwIBAaELMAkbB2FkLXBkYyQ= 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Message stream
> modified.
>
> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.
>
This isn't the first time I've seen this "Unspecified GSS failure [...]
Message stream modified" error, and I suspect it to be the root of my
problem... But my google-foo is not strong with this one...  I'm not sure
how to proceed.

On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Tyrell Jentink wrote:
>
>> First off...  new to the list, thank you in advance for your assistance!
>>
>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>> repositories, and dnf says it's up to date. FreeIPA has a trust set up
>> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>> be working...
>>
>> The first client I connected was a Raspberry Pi running Pidora.  This
>> client appears to have connected fine, and appears to be working (I
>> guess I haven't tried logging in as an ActiveDirectory user;  But it's
>> certainly NOT having any DNS issues, as 

[Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
First off...  new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine.  I
have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories,
and dnf says it's up to date. FreeIPA has a trust set up with a Windows
Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora.  This
client appears to have connected fine, and appears to be working (I guess I
haven't tried logging in as an ActiveDirectory user;  But it's certainly
NOT having any DNS issues, as other clients are; See below...)

Then I tried connecting a second client, a system running Fedora 24 with
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
plan...  Here's the output of ipa-client-install:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@ipa.rxrhouse.net:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Issuer:  CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Valid From:  Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.


Of concern, the installer failed to update DNS records, resulting in a
missing reverse record, and eventually failing to update the DNS SSHFP
records.  Looking in the Web UI for FreeIPA server, I see that the client
is registered, but it doesn't have any SSH keys, and as expected, doesn't
have a reverse zone...  But the Raspberry Pi DOES.

Just to be fully sure something was wrong...  I tried connecting with a
clean install of Fedora 24 running in a virtual machine, and had the same
issue.  I've googled around, and can't find anyone having any similar
issues...  And I didn't accidentally stumble across anything interesting
while exploring logs...  But I honestly don't know where to look.

TO BE CLEAR, things appear to work just fine from freeipa-client version
3.3.3-4.fc20  on pidora on a Raspberry Pi, but it's NOT working with the
latest versions from Fedora 24 on x86_64 hardware...

Where should I look first?  Thank you for any assistance...

--
Tyrell Jentink