Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
Thank you, Rob.

For reference, my full log can be found here: http://pastebin.com/6VLaQjYw

But I would postulate that the interesting bit is this:

> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815 1476223815 3 NOERROR 683
> YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA
> AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow
> KKADAgEBoSEwHxsDRE5TGxhpcGEtcGRjLmlwYS5yeHJob3VzZS5uZXSj
> ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIeFubKS/x0aKfc7u/f9Z5Ro8
> pZZ4RkIlwOWAAuiSxJNmoaIhYgYNitn2pkAII+eKtdialtAI/1418exm
> sM7zahCj0MWpBIYQZB4tsN9JZMaKF7SK5TlewH9mZitjd+hbQ5iwjklV
> 8P6OOMsIRIytywnd8eD/988GQz3C5CfBU1pQM5Bkox4vSRawZJRUy0xx
> C8H4nOOPsJZd9AozsaAZSR4EeA05IbW+gxxIeXjShPDwRF6fs4sNxZUt
> FEkdujVZOaM4M4olLadzScsXDi2pO/8WqjJdDwMfLD95+CHSiFMSyJqy
> nwem6dzJTJvyLTq4fKO+ajmUHw5tV30Pg7w9krEiFSTuFkCmKW1a2GQo
> 5Lm3VQF34cnYTA+5K8yEwLiTqX+kgfAwge2gAwIBEqKB5QSB4u9m77de
> VD1pQ+DUyBKaC2jOgD/uUWAyfNNojNAtKAMGbHzDWSRASe1Xd+RNgwIa
> QdT2PC6kHbJMz9jaJu/0fxC9JmPp6Qe6p8CGaQ6IvPGm4838TlGdGhuS
> YpUwVAEqvl85S23+yT3Qo/O8Qffhi4i/WDdiBHGGDrKF4CCZXJrr/F+L
> Pd8oabRE81h+4Tu7KBTApBwWYFYQSct7Q9ZrFiUuQzbpc2ZjXaVLi3ai
> uvH2NLWvLwxt8Z8PYRHgTrEYb/QfEluP2qfbo6XuO4UHoF7rN8d28bnw
> bhUsEYaVs1r8Pxk= 0
>
> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net.  IN  SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net.   60  IN  SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>
> ;; ADDITIONAL SECTION:
> ipa-pdc.ipa.rxrhouse.net. 353   IN  A   10.42.0.11
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.ANY TKEY
>
> ;; ANSWER SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101
> YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
> MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> AwIBAaELMAkbB2FkLXBkYyQ= 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Message stream
> modified.
>
> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.
This isn't the first time I've seen this "Unspecified GSS failure [...]
Message stream modified" error, and I suspect it to be the root of my
problem... But my google-foo is not strong with this one...  I'm not sure
how to proceed.

On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden  wrote:

> Tyrell Jentink wrote:
>
>> First off...  new to the list, thank you in advance for your assistance!
>>
>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>> repositories, and dnf says it's up to date. FreeIPA has a trust set up
>> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>> be working...
>>
>> The first client I connected was a Raspberry Pi running Pidora.  This
>> client appears to have connected fine, and appears to be working (I
>> guess I haven't tried logging in as an ActiveDirectory user;  But it's
>> certainly NOT having any DNS issues, as other clients are; See below...)
>>
>> Then I tried connecting a second client, a system running Fedora 24 with
>> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
>> plan...  Here's the output of ipa-client-install:
>>
>> Discovery was successful!
>> Client hostname: trainmaster.ipa.rxrhouse.net
>> Realm: IPA.RXRHOUSE.NET
>> DNS Domain: ipa.rxrhouse.net
>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>> BaseDN: 
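The "Message stream modified" text at the end of that log is MIT krb5's wording for Kerberos error 41, KRB_AP_ERR_MODIFIED, and the two TKEY records in the same log carry the raw GSS-API tokens that produced it. What follows is an added example, not FreeIPA's code and not part of the thread: a standard-library Python decoder that walks the DER of the client's AP-REQ and of the server's KRB-ERROR and reports the fields a defender actually wants, namely which service ticket the client presented and which error code, realm and server name came back. The two base64 strings are copied verbatim from the quoted nsupdate output above (line wrapping included; the decoder strips it); the function and constant names are this example's own.

```python
# Added example (not FreeIPA's code, not from the original post): decode the
# base64 GSS-API tokens that 'nsupdate -g' prints inside TKEY records, with a
# minimal DER walker sufficient for Kerberos AP-REQ and KRB-ERROR (RFC 4120/4121).
import base64
from datetime import datetime, timezone

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2, DER encoded
TOKEN_TYPES = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
KRB_ERROR_CODES = {   # subset of RFC 4120 s. 7.5.9; MIT prints 41 as "Message stream modified"
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}

def der_read(buf, pos=0):
    """One DER element with a single-byte tag at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: the next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """(tag, value) pairs inside a constructed value (SEQUENCE or [n])."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def der_field(value, n):
    """Content of context-specific tag [n] inside a constructed value."""
    for tag, v in der_children(value):
        if tag == 0xA0 | n:
            return v
    raise KeyError(f"[{n}] not present")

def unwrap(value):
    """The single element a [n] tag wraps, without its own tag and length."""
    return der_read(value)[1]

def principal_name(wrapped):
    """PrincipalName ::= SEQUENCE { name-type [0], name-string [1] SEQUENCE OF GeneralString }."""
    parts = der_children(unwrap(der_field(unwrap(wrapped), 1)))
    return "/".join(v.decode("ascii") for _, v in parts)

def decode_gss_token(token_b64):
    """Summarise one TKEY token (base64; line-wrapping whitespace is ignored)."""
    raw = base64.b64decode("".join(token_b64.split()))
    tag, body, _ = der_read(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid, pos = der_read(body)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("not a Kerberos V5 mechanism token")
    kind = TOKEN_TYPES.get(body[pos:pos + 2], "unknown")
    seq = unwrap(der_read(body, pos + 2)[1])          # [APPLICATION n] -> SEQUENCE body
    if kind == "AP-REQ":                              # the service ticket the client presented
        ticket = unwrap(unwrap(der_field(seq, 3)))    # [3] -> [APPLICATION 1] Ticket -> SEQUENCE
        return {"type": kind, "realm": unwrap(der_field(ticket, 1)).decode("ascii"),
                "sname": principal_name(der_field(ticket, 2))}
    if kind == "KRB-ERROR":                           # what was rejected, and by whom
        code = int.from_bytes(unwrap(der_field(seq, 6)), "big", signed=True)
        stime = datetime.strptime(unwrap(der_field(seq, 4)).decode("ascii"),
                                  "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        return {"type": kind, "error_code": code, "error_name": KRB_ERROR_CODES.get(code, "unknown"),
                "stime": stime, "realm": unwrap(der_field(seq, 9)).decode("ascii"),
                "sname": principal_name(der_field(seq, 10))}
    return {"type": kind}

# Both tokens are copied verbatim from the nsupdate debug output quoted above.
CLIENT_TKEY_TOKEN = """
YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA
AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow
KKADAgEBoSEwHxsDRE5TGxhpcGEtcGRjLmlwYS5yeHJob3VzZS5uZXSj
ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIeFubKS/x0aKfc7u/f9Z5Ro8
pZZ4RkIlwOWAAuiSxJNmoaIhYgYNitn2pkAII+eKtdialtAI/1418exm
sM7zahCj0MWpBIYQZB4tsN9JZMaKF7SK5TlewH9mZitjd+hbQ5iwjklV
8P6OOMsIRIytywnd8eD/988GQz3C5CfBU1pQM5Bkox4vSRawZJRUy0xx
C8H4nOOPsJZd9AozsaAZSR4EeA05IbW+gxxIeXjShPDwRF6fs4sNxZUt
FEkdujVZOaM4M4olLadzScsXDi2pO/8WqjJdDwMfLD95+CHSiFMSyJqy
nwem6dzJTJvyLTq4fKO+ajmUHw5tV30Pg7w9krEiFSTuFkCmKW1a2GQo
5Lm3VQF34cnYTA+5K8yEwLiTqX+kgfAwge2gAwIBEqKB5QSB4u9m77de
VD1pQ+DUyBKaC2jOgD/uUWAyfNNojNAtKAMGbHzDWSRASe1Xd+RNgwIa
QdT2PC6kHbJMz9jaJu/0fxC9JmPp6Qe6p8CGaQ6IvPGm4838TlGdGhuS
YpUwVAEqvl85S23+yT3Qo/O8Qffhi4i/WDdiBHGGDrKF4CCZXJrr/F+L Pd8oabRE81h+
4Tu7KBTApBwWYFYQSct7Q9ZrFiUuQzbpc2ZjXaVLi3ai
uvH2NLWvLwxt8Z8PYRHgTrEYb/QfEluP2qfbo6XuO4UHoF7rN8d28bnw
bhUsEYaVs1r8Pxk=
"""
SERVER_TKEY_TOKEN = """
YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
AwIBAaELMAkbB2FkLXBkYyQ=
"""

def summarise_log_tokens():
    """Decode the client's TKEY query token and the server's TKEY answer token."""
    return decode_gss_token(CLIENT_TKEY_TOKEN), decode_gss_token(SERVER_TKEY_TOKEN)

if __name__ == "__main__":
    for entry in summarise_log_tokens():
        print(entry)
```

Run as a script it prints one dictionary per token: the client's AP-REQ holds a ticket for DNS/ipa-pdc.ipa.rxrhouse.net in realm IPA.RXRHOUSE.NET, and the server's answer is a KRB-ERROR with code 41 (KRB_AP_ERR_MODIFIED) whose realm and sname fields read AD.RXRHOUSE.NET and ad-pdc$, with a server time of 2016-06-23 00:27:58 UTC. The decoder reports those fields and draws no conclusion; what it gives a practitioner is the comparison between the principal the client asked for and the realm and name the rejecting side put in its error, which the one-line GSSAPI message does not show and which is where a check of keytabs and clock skew would start.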

[Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
First off...  new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine.  I
have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories,
and dnf says it's up to date. FreeIPA has a trust set up with a Windows
Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora.  This
client appears to have connected fine, and appears to be working (I guess I
haven't tried logging in as an ActiveDirectory user;  But it's certainly
NOT having any DNS issues, as other clients are; See below...)

Then I tried connecting a second client, a system running Fedora 24 with
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
plan...  Here's the output of ipa-client-install:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please check
> that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@ipa.rxrhouse.net:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Issuer:  CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Valid From:  Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.


Of concern, the installer failed to update DNS records, resulting in a
missing reverse record, and eventually failing to update the DNS SSHFP
records.  Looking in the Web UI for FreeIPA server, I see that the client
is registered, but it doesn't have any SSH keys, and as expected, doesn't
have a reverse zone...  But the Raspberry Pi DOES.

Just to be fully sure something was wrong...  I tried connecting with a
clean install of Fedora 24 running in a virtual machine, and had the same
issue.  I've googled around, and can't find anyone having any similar
issues...  And I didn't accidentally stumble across anything interesting
while exploring logs...  But I honestly don't know where to look.

TO BE CLEAR, things appear to work just fine from freeipa-client version
3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
latest versions from Fedora 24 on x86_64 hardware...

Where should I look first?  Thank you for any assistance...

--
Tyrell Jentink
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project