Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-25 Thread Simo Sorce
On Fri, 25 Feb 2011 15:19:25 -0500
Simo Sorce  wrote:

> On Fri, 25 Feb 2011 14:49:27 -0500
> Adam Young  wrote:
> 
> > 2011-02-24 20:46:06,851 DEBUG stderr=
> > 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> > -t /etc/krb5.keytab 2011-02-24 20:46:06,879 DEBUG stdout=
> > 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> > canonicalized when creating default server principal name
> 
> ah no sorry this is the error, kinit failing ...
> now on why this happens ...
> 
> Simo.
> 
> 

Ok this happens because /etc/hosts doesn't have an entry for the
hostname and DNS doesn't resolve it yet (chicken/egg)

Please open a ticket, the fix is to pass the principal name as argument
of the kinit command so that it doesn't have to go through name
resolution to understand what name to use.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-25 Thread Simo Sorce
On Fri, 25 Feb 2011 14:49:27 -0500
Adam Young  wrote:

> 2011-02-24 20:46:06,851 DEBUG stderr=
> 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> -t /etc/krb5.keytab 2011-02-24 20:46:06,879 DEBUG stdout=
> 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> canonicalized when creating default server principal name

ah no sorry this is the error, kinit failing ...
now on why this happens ...

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-25 Thread Adam Young

On 02/25/2011 12:47 AM, Simo Sorce wrote:
> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young  wrote:
> 
> > I updated the resolve.conf of the client machine to point to the
> > server and ran:
> > 
> > 
> > [root@vm-060 ~]# ipa-client-install --domain  idm.lab.bos.redhat.com
> > -p admin -w freeipa4all
> > Discovery was successful!
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-051.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> > 
> > 
> > Continue to configure the system with these values? [no]: yes
> > 
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> > certmonger request for host certificate failed
> > Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> > Failed to obtain host TGT.
> > Failed to update DNS A record. (Command 'x' returned non-zero exit
> > status 1) SSSD enabled
> > Kerberos 5 enabled
> > NTP enabled
> > Client configuration complete.
> > 
> > 
> > Is this a sign of a cert server issue?  This is the first time
> > running with dogtag.
> 
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
> 
> > Here's the last couple of lines from the ipa-server-log/  They look
> > fine to me.
> > 
> > [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: batch(({u'params':
> > [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
> > SUCCESS
> > [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com',
> > nshardwareplatform=u'x86_64',
> > nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
> 
> Can you send the ipaclient-install.log file ?

Attached

> > This machine had client installed before, but I've since uninstalled
> > and reinstalled both the server and client, and rebooted the client
> > as well.
> 
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed ?

Yes: bind-utils-9.7.2-8.P3.el6.x86_64

> > There is no file /etc/ipa/.dns_update.txt
> 
> And there shouldn't, it is a temp file we delete as soon as we are done.
> 
> Simo.



2011-02-24 20:45:58,992 DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'conf_ntp': True, 'domain': 'idm.lab.bos.redhat.com', 'uninstall': 
False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 
'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': 
False, 'debug': False, 'on_master': False, 'ntp_server': None, 'mkhomedir': 
False, 'unattended': None, 'principal': 'admin'}
2011-02-24 20:45:58,992 DEBUG missing options might be asked for interactively 
later

2011-02-24 20:45:58,992 DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:45:58,995 DEBUG [ipadnssearchldap(idm.lab.bos.redhat.com)]
2011-02-24 20:45:58,998 DEBUG [ipadnssearchkrb]
2011-02-24 20:45:59,001 DEBUG [ipacheckldap]
2011-02-24 20:45:59,054 DEBUG args=/usr/bin/wget -O /tmp/tmpYLmC3X/ca.crt 
http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
2011-02-24 20:45:59,055 DEBUG stdout=
2011-02-24 20:45:59,055 DEBUG stderr=--2011-02-24 20:45:59--  
http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
Resolving vm-051.idm.lab.bos.redhat.com... 10.16.78.51
Connecting to vm-051.idm.lab.bos.redhat.com|10.16.78.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpYLmC3X/ca.crt'

 0K . 100%  194M=0s

2011-02-24 20:45:59 (194 MB/s) - `/tmp/tmpYLmC3X/ca.crt' saved [1361/1361]


2011-02-24 20:45:59,055 DEBUG Init ldap with: 
ldap://vm-051.idm.lab.bos.redhat.com:389
2011-02-24 20:45:59,146 DEBUG Search rootdse
2011-02-24 20:45:59,149 DEBUG Search for (info=*) in 
dc=idm,dc=lab,dc=bos,dc=redhat,dc=com(base)
2011-02-24 20:45:59,150 DEBUG Found: [('dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': 
['idm.lab.bos.redhat.com'], 'dc': ['idm'], 'nisDomain': 
['idm.lab.bos.redhat.com']})]
2011-02-24 20:45:59,151 DEBUG Search for (objectClass=krbRealmContainer) in 
dc=idm,dc=lab,dc=bos,dc=redhat,dc=com(sub)
2011-02-24 20:45:59,153 DEBUG Found: 
[('cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
 {'krbSubTrees': ['dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'], 'cn': 
['IDM.LAB.BOS.REDHAT.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 
'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 
'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 
'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 
'des3-hmac-sha1:normal', 'des3-hmac-s

Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-25 Thread Simo Sorce
On Fri, 25 Feb 2011 10:18:11 +0100
Sumit Bose  wrote:

> Maybe you need to specify the server explicitly in the message you
> send to nsupdate. The man page says it should work without, but then
> nsupdate must be able to read the SOA record for the zone.

Given that you can install the DNS server only on some IPA servers and
not others, I omitted the server on purpose. When resolving the SOA
record for the zone the client should get the right server
automatically.
Failure to resolve the SOA record means you have other (DNS) issues as
well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

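The two points Simo makes in this thread, passing an explicit principal to kinit so it never has to canonicalize the local hostname (the "Hostname cannot be canonicalized" failure above), and leaving the server out of the nsupdate request so it is located from the zone's SOA record, as an added shell example. This is not FreeIPA's code and not anything posted in the thread: the function names, the `--demo` switch, the `KEYTAB` override and the 192.0.2.60 address are this example's own assumptions, and nothing here contacts a KDC or a DNS server; it only composes the kinit command line and the nsupdate request, which is enough to see why the explicit principal sidesteps the /etc/hosts vs. DNS chicken-and-egg problem.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code. Function names, KEYTAB and the
# --demo switch are assumptions made for this illustration.

# Does the local resolver (/etc/hosts or DNS) know this name? Exit 0 if so.
# During enrollment this is exactly the check that fails: the A record does
# not exist yet because the client has not been able to create it.
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Derive the host principal a FreeIPA client is enrolled as: host/<fqdn>@<REALM>.
# When no realm is given, use the DNS domain of the fqdn upper-cased, which is
# what the discovery output in the thread shows (idm.lab.bos.redhat.com ->
# IDM.LAB.BOS.REDHAT.COM).
host_principal() {
    fqdn=$1
    realm=$(printf '%s' "${2:-${fqdn#*.}}" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s' "$fqdn" "$realm"
}

# Build the kinit command line with the principal spelled out. With a principal
# on the command line kinit does not have to canonicalize the hostname, so a
# missing /etc/hosts entry or DNS record no longer breaks the keytab login.
# The keytab path is the one from the thread's log; KEYTAB overrides it.
kinit_cmd() {
    printf '/usr/bin/kinit -k -t %s %s' \
        "${KEYTAB:-/etc/krb5.keytab}" "$(host_principal "$1" "$2")"
}

# Compose the nsupdate batch for the client's A record. Without a "server"
# line nsupdate locates the primary through the zone's SOA record, which is
# the behaviour Simo relies on; a fourth argument adds an explicit server for
# the case Sumit raises (SOA lookup itself failing).
nsupdate_script() {
    fqdn=$1; zone=$2; addr=$3; server=$4
    [ -n "$server" ] && printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s. IN A\n' "$fqdn"
    printf 'update add %s. 1200 IN A %s\n' "$fqdn" "$addr"
    printf 'send\n'
}

# Dry run with the thread's hostnames (the address is constructed); nothing
# is sent anywhere, the commands are only printed so they can be inspected.
if [ "${1:-}" = "--demo" ]; then
    fqdn=vm-060.idm.lab.bos.redhat.com
    if name_resolves "$fqdn"; then
        echo "$fqdn resolves; kinit without a principal would work too"
    else
        echo "$fqdn does not resolve yet; an explicit principal is required"
    fi
    kinit_cmd "$fqdn" IDM.LAB.BOS.REDHAT.COM; echo
    nsupdate_script "$fqdn" idm.lab.bos.redhat.com 192.0.2.60
fi
```

Run with `sh example.sh --demo` on a client to see both the resolver check and the exact commands; the `kinit_cmd` output, with its `-k -t /etc/krb5.keytab`, matches the invocation in Adam's log except for the trailing principal, which is the whole of the fix Simo describes.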


Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-25 Thread Sumit Bose
On Fri, Feb 25, 2011 at 12:47:03AM -0500, Simo Sorce wrote:
> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young  wrote:
> 
> > I updated the resolve.conf of the client machine to point to the
> > server and ran:
> > 
> > 
> > [root@vm-060 ~]# ipa-client-install --domain  idm.lab.bos.redhat.com
> > -p admin -w freeipa4all
> > Discovery was successful!
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-051.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> > 
> > 
> > Continue to configure the system with these values? [no]: yes
> > 
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> > certmonger request for host certificate failed
> > Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> > Failed to obtain host TGT.
> > Failed to update DNS A record. (Command 'x' returned non-zero exit
> > status 1) SSSD enabled
> > Kerberos 5 enabled
> > NTP enabled
> > Client configuration complete.
> > 
> > 
> > Is this a sign of a cert server issue?  This is the first time
> > running with dogtag.
> 
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
> 
> > Here's the last couple of lines from the ipa-server-log/  They look
> > fine to me.
> > 
> > [Thu Feb 24 20:41:06 2011] [error] ipa: INFO: 
> > ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:41:14 2011] [error] ipa: INFO: 
> > ad...@idm.lab.bos.redhat.com: batch(({u'params': 
> > [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)): 
> > SUCCESS
> > [Thu Feb 24 20:41:15 2011] [error] ipa: INFO: 
> > ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:46:04 2011] [error] ipa: INFO: 
> > ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com', 
> > nshardwareplatform=u'x86_64',
> > nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
> 
> Can you send the ipaclient-install.log file ?
> 
> > This machine had client installed before, but I've since uninstalled
> > and reinstalled both the server and client, and rebooted the client
> > as well.
> 
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed ?
> 
> > There is no file /etc/ipa/.dns_update.txt
> 
> And there shouldn't, it is a temp file we delete as soon as we are done.

Maybe you need to specify the server explicitly in the message you send
to nsupdate. The man page says it should work without, but then nsupdate
must be able to read the SOA record for the zone.

bye,
Sumit

> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 


Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-24 Thread Simo Sorce
On Thu, 24 Feb 2011 20:55:32 -0500
Adam Young  wrote:

> I updated the resolve.conf of the client machine to point to the
> server and ran:
> 
> 
> [root@vm-060 ~]# ipa-client-install --domain  idm.lab.bos.redhat.com
> -p admin -w freeipa4all
> Discovery was successful!
> Realm: IDM.LAB.BOS.REDHAT.COM
> DNS Domain: idm.lab.bos.redhat.com
> IPA Server: vm-051.idm.lab.bos.redhat.com
> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> 
> 
> Continue to configure the system with these values? [no]: yes
> 
> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> certmonger request for host certificate failed
> Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> Failed to obtain host TGT.
> Failed to update DNS A record. (Command 'x' returned non-zero exit
> status 1) SSSD enabled
> Kerberos 5 enabled
> NTP enabled
> Client configuration complete.
> 
> 
> Is this a sign of a cert server issue?  This is the first time
> running with dogtag.

We use TSIG-GSSAPI for DNS Updates, no certs involved.

> Here's the last couple of lines from the ipa-server-log/  They look
> fine to me.
> 
> [Thu Feb 24 20:41:06 2011] [error] ipa: INFO: 
> ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> [Thu Feb 24 20:41:14 2011] [error] ipa: INFO: 
> ad...@idm.lab.bos.redhat.com: batch(({u'params': 
> [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)): 
> SUCCESS
> [Thu Feb 24 20:41:15 2011] [error] ipa: INFO: 
> ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> [Thu Feb 24 20:46:04 2011] [error] ipa: INFO: 
> ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com', 
> nshardwareplatform=u'x86_64',
> nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS

Can you send the ipaclient-install.log file ?

> This machine had client installed before, but I've since uninstalled
> and reinstalled both the server and client, and rebooted the client
> as well.

Should make no difference at all, it seems nsupdate is failing.
Do you have bind-utils installed ?

> There is no file /etc/ipa/.dns_update.txt

And there shouldn't, it is a temp file we delete as soon as we are done.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
