Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
On Fri, 25 Feb 2011 15:19:25 -0500 Simo Sorce wrote:

> On Fri, 25 Feb 2011 14:49:27 -0500
> Adam Young wrote:
>
> > 2011-02-24 20:46:06,851 DEBUG stderr=
> > 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> > -t /etc/krb5.keytab 2011-02-24 20:46:06,879 DEBUG stdout=
> > 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> > canonicalized when creating default server principal name
>
> ah no sorry this is the error, kinit failing ...
> now on why this happens ...
>
> Simo.

Ok this happens because /etc/hosts doesn't have an entry for the hostname
and DNS doesn't still resolve it (chicken/egg)

Please open a ticket, the fix is to pass the principal name as argument
of the kinit command so that it doesn't have to go through name
resolution to understand what name to use.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
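
Added example (not part of the original thread, and not FreeIPA's own code): a small log check that pairs each `args=` entry in an ipaclient-install.log with its `stderr=` entry, flags keytab `kinit` runs that failed on hostname canonicalization because no principal was given, and builds the argv with the principal passed explicitly, as the message above proposes. The function names are hypothetical, the log sample is constructed from the lines quoted in the thread, and the `host/<fqdn>@<REALM>` principal form is an assumption.

```python
import re

# Constructed sample, in the ipaclient-install.log format quoted in the thread.
SAMPLE_LOG = """\
2011-02-24 20:46:06,851 DEBUG stderr=
2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-02-24 20:46:06,879 DEBUG stdout=
2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
"""

ENTRY = re.compile(r"^\S+ \S+ DEBUG (args|stdout|stderr)=(.*)$")
# kinit options that consume the following token as their value.
VALUE_OPTS = {"-t", "-c", "-l", "-s", "-r", "-S", "-T", "-X"}


def has_explicit_principal(argv):
    """True if the kinit argv carries a positional principal argument."""
    skip = False
    for tok in argv[1:]:
        if skip:
            skip = False
        elif tok in VALUE_OPTS:
            skip = True
        elif not tok.startswith("-"):
            return True
    return False


def find_kinit_failures(log_text, hostname, realm):
    """Return (failed_argv, suggested_argv) pairs for keytab kinit runs that
    failed because the principal had to be derived through name resolution."""
    # Assumption: the host principal has the usual host/<fqdn>@<REALM> form.
    principal = f"host/{hostname}@{realm}"
    findings, current = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "args":
            current = value.split()
        elif kind == "stderr" and current and current[0].endswith("/kinit"):
            if "cannot be canonicalized" in value and not has_explicit_principal(current):
                findings.append((current, current + [principal]))
            current = None
    return findings
```
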
Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
On Fri, 25 Feb 2011 14:49:27 -0500 Adam Young wrote:

> 2011-02-24 20:46:06,851 DEBUG stderr=
> 2011-02-24 20:46:06,878 DEBUG args=/usr/bin/kinit -k
> -t /etc/krb5.keytab 2011-02-24 20:46:06,879 DEBUG stdout=
> 2011-02-24 20:46:06,879 DEBUG stderr=kinit: Hostname cannot be
> canonicalized when creating default server principal name

ah no sorry this is the error, kinit failing ...
now on why this happens ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
On 02/25/2011 12:47 AM, Simo Sorce wrote:

> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young wrote:
>
> > I updated the resolv.conf of the client machine to point to the
> > server and ran:
> >
> > [root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com -p admin -w freeipa4all
> > Discovery was successful!
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-051.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> >
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> > certmonger request for host certificate failed
> > Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> > Failed to obtain host TGT.
> > Failed to update DNS A record. (Command 'x' returned non-zero exit status 1)
> > SSSD enabled
> > Kerberos 5 enabled
> > NTP enabled
> > Client configuration complete.
> >
> > Is this a sign of a cert server issue? This is the first time
> > running with dogtag.
>
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
>
> > Here's the last couple of lines from the ipa-server-log/ They look
> > fine to me.
> >
> > [Thu Feb 24 20:41:06 2011] [error] ipa: INFO: ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:41:14 2011] [error] ipa: INFO: ad...@idm.lab.bos.redhat.com: batch(({u'params': [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)): SUCCESS
> > [Thu Feb 24 20:41:15 2011] [error] ipa: INFO: ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:46:04 2011] [error] ipa: INFO: ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com', nshardwareplatform=u'x86_64', nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
>
> Can you send the ipaclient-install.log file ?

Attached

> > This machine had client installed before, but I've since uninstalled
> > and reinstalled both the server and client, and rebooted the client
> > as well.
>
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed ?

Yes: bind-utils-9.7.2-8.P3.el6.x86_64

> > There is no file /etc/ipa/.dns_update.txt
>
> And there shouldn't, it is a temp file we delete as soon as we are done.
>
> Simo.

2011-02-24 20:45:58,992 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'idm.lab.bos.redhat.com', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': 'admin'}
2011-02-24 20:45:58,992 DEBUG missing options might be asked for interactively later
2011-02-24 20:45:58,992 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-02-24 20:45:58,995 DEBUG [ipadnssearchldap(idm.lab.bos.redhat.com)]
2011-02-24 20:45:58,998 DEBUG [ipadnssearchkrb]
2011-02-24 20:45:59,001 DEBUG [ipacheckldap]
2011-02-24 20:45:59,054 DEBUG args=/usr/bin/wget -O /tmp/tmpYLmC3X/ca.crt http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
2011-02-24 20:45:59,055 DEBUG stdout=
2011-02-24 20:45:59,055 DEBUG stderr=--2011-02-24 20:45:59-- http://vm-051.idm.lab.bos.redhat.com/ipa/config/ca.crt
Resolving vm-051.idm.lab.bos.redhat.com... 10.16.78.51
Connecting to vm-051.idm.lab.bos.redhat.com|10.16.78.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpYLmC3X/ca.crt'
0K . 100% 194M=0s
2011-02-24 20:45:59 (194 MB/s) - `/tmp/tmpYLmC3X/ca.crt' saved [1361/1361]
2011-02-24 20:45:59,055 DEBUG Init ldap with: ldap://vm-051.idm.lab.bos.redhat.com:389
2011-02-24 20:45:59,146 DEBUG Search rootdse
2011-02-24 20:45:59,149 DEBUG Search for (info=*) in dc=idm,dc=lab,dc=bos,dc=redhat,dc=com(base)
2011-02-24 20:45:59,150 DEBUG Found: [('dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['idm.lab.bos.redhat.com'], 'dc': ['idm'], 'nisDomain': ['idm.lab.bos.redhat.com']})]
2011-02-24 20:45:59,151 DEBUG Search for (objectClass=krbRealmContainer) in dc=idm,dc=lab,dc=bos,dc=redhat,dc=com(sub)
2011-02-24 20:45:59,153 DEBUG Found: [('cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', {'krbSubTrees': ['dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'], 'cn': ['IDM.LAB.BOS.REDHAT.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-s
Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
On Fri, 25 Feb 2011 10:18:11 +0100 Sumit Bose wrote:

> Maybe you need to specify the server explicitly in the message you
> send to nsupdate. The man page says it should work without, but then
> nsupdate must be able to read the SOA record for the zone.

Given that you can install the DNS server only on some IPA servers and
not others, I omitted the server on purpose. When resolving the SOA
record for the zone the client should get the right server
automatically.

Failure to resolve the SOA record means you have other (DNS) issues as
well.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
On Fri, Feb 25, 2011 at 12:47:03AM -0500, Simo Sorce wrote:

> On Thu, 24 Feb 2011 20:55:32 -0500
> Adam Young wrote:
>
> > I updated the resolv.conf of the client machine to point to the
> > server and ran:
> >
> > [root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com
> > -p admin -w freeipa4all
> > Discovery was successful!
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-051.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> >
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> > certmonger request for host certificate failed
> > Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> > Failed to obtain host TGT.
> > Failed to update DNS A record. (Command 'x' returned non-zero exit
> > status 1) SSSD enabled
> > Kerberos 5 enabled
> > NTP enabled
> > Client configuration complete.
> >
> > Is this a sign of a cert server issue? This is the first time
> > running with dogtag.
>
> We use TSIG-GSSAPI for DNS Updates, no certs involved.
>
> > Here's the last couple of lines from the ipa-server-log/ They look
> > fine to me.
> >
> > [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: batch(({u'params':
> > [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
> > SUCCESS
> > [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> > [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
> > ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com',
> > nshardwareplatform=u'x86_64',
> > nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS
>
> Can you send the ipaclient-install.log file ?
>
> > This machine had client installed before, but I've since uninstalled
> > and reinstalled both the server and client, and rebooted the client
> > as well.
>
> Should make no difference at all, it seems nsupdate is failing.
> Do you have bind-utils installed ?
>
> > There is no file /etc/ipa/.dns_update.txt
>
> And there shouldn't, it is a temp file we delete as soon as we are done.

Maybe you need to specify the server explicitly in the message you send
to nsupdate. The man page says it should work without, but then nsupdate
must be able to read the SOA record for the zone.

bye,
Sumit

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry
On Thu, 24 Feb 2011 20:55:32 -0500 Adam Young wrote:

> I updated the resolv.conf of the client machine to point to the
> server and ran:
>
> [root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com
> -p admin -w freeipa4all
> Discovery was successful!
> Realm: IDM.LAB.BOS.REDHAT.COM
> DNS Domain: idm.lab.bos.redhat.com
> IPA Server: vm-051.idm.lab.bos.redhat.com
> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> Continue to configure the system with these values? [no]: yes
>
> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
> certmonger request for host certificate failed
> Warning: Hostname (vm-060.idm.lab.bos.redhat.com) not found in DNS
> Failed to obtain host TGT.
> Failed to update DNS A record. (Command 'x' returned non-zero exit
> status 1) SSSD enabled
> Kerberos 5 enabled
> NTP enabled
> Client configuration complete.
>
> Is this a sign of a cert server issue? This is the first time
> running with dogtag.

We use TSIG-GSSAPI for DNS Updates, no certs involved.

> Here's the last couple of lines from the ipa-server-log/ They look
> fine to me.
>
> [Thu Feb 24 20:41:06 2011] [error] ipa: INFO:
> ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> [Thu Feb 24 20:41:14 2011] [error] ipa: INFO:
> ad...@idm.lab.bos.redhat.com: batch(({u'params':
> [[u'vm-060.idm.lab.bos.redhat.com'], {}], u'method': u'host_del'},)):
> SUCCESS
> [Thu Feb 24 20:41:15 2011] [error] ipa: INFO:
> ad...@idm.lab.bos.redhat.com: host_find(u'', all=True): SUCCESS
> [Thu Feb 24 20:46:04 2011] [error] ipa: INFO:
> ad...@idm.lab.bos.redhat.com: join(u'vm-060.idm.lab.bos.redhat.com',
> nshardwareplatform=u'x86_64',
> nsosversion=u'2.6.32-114.0.1.el6.x86_64'): SUCCESS

Can you send the ipaclient-install.log file ?

> This machine had client installed before, but I've since uninstalled
> and reinstalled both the server and client, and rebooted the client
> as well.

Should make no difference at all, it seems nsupdate is failing.
Do you have bind-utils installed ?

> There is no file /etc/ipa/.dns_update.txt

And there shouldn't, it is a temp file we delete as soon as we are done.

Simo.

--
Simo Sorce * Red Hat, Inc * New York