Re: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-15 Thread Lukas Slebodnik
On (13/05/17 06:52), Harald Dunkel wrote:
>Hi folks,
>
>RHEL 7.3, sssd 1.14.0:
>
>If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
>(without telling why) and users cannot login. *Extremely* painful.
>
>Do you think ipa-client-install could add
>
>   selinux_provider = none
>
This is just a temporary workaround and not a solution.
And it is already fixed in upstream
https://pagure.io/SSSD/sssd/issue/3297

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-12 Thread Harald Dunkel
Hi folks,

RHEL 7.3, sssd 1.14.0:

If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
(without telling why) and users cannot login. *Extremely* painful.

Do you think ipa-client-install could add

selinux_provider = none

to the generated sssd.conf file, if selinux is disabled?

Another option might be to check at runtime.


Thanx in advance
Harri



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-09 Thread Harald Dunkel
On 03/05/17 11:47, Timo Aaltonen wrote:
> 
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
> 
> services = nss, sudo, pam, ssh
> 
> 

Do you get the same for 4.4.3-3 (the version in Debian experimental,
AFAICT) on sid? I don't :-(.

Command line:
ipa-client-install --hostname `hostname` --no-ssh --no-sshd --no-nisdomain


Regards
Harri



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-05 Thread Timo Aaltonen
On 03.03.2017 16:53, Rob Crittenden wrote:
> Harald Dunkel wrote:
>> On 03/03/17 10:14, Jakub Hrozek wrote:
>>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:

 This is systemd-only?

 Wouldn't it be better to create a working sssd.conf, no matter
 what?
>>>
>>> It is up to whoever is creating the sssd.conf. As I said, the change is
>>> backwards-compatible. If you want the services to be started by sssd,
>>> then list them in the services line. If you want to have them started on
>>> demand and have a simpler configuration, you rely on the systemd services
>>> manager.
>>>
>>
>> Understood. I will try 1.15.1 as soon as possible.
>>
>> Reading ipa-client-install it appears to me that the other
>> services haven't been omitted on purpose. I have the
>> impression that nss and pam have simply been forgotten.
>>
>> sssd's ssh service is defined only if ipa-client-install
>> is allowed to touch the ssh or sshd configuration, but I
>> have *no* idea why there is such a correlation.
>>
>> Would somebody mind to look into this?
> 
> This is managed by authconfig on Fedora/RHEL systems. Not sure what
> Debian does in this regard. Timo?

pam-auth-update configures pam, there's nothing else to be configured..
I just ran ipa-client-install on Ubuntu zesty with freeipa-client
4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:

services = nss, sudo, pam, ssh


-- 
t



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Rob Crittenden
Harald Dunkel wrote:
> On 03/03/17 10:14, Jakub Hrozek wrote:
>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>>
>>> This is systemd-only?
>>>
>>> Wouldn't it be better to create a working sssd.conf, no matter
>>> what?
>>
>> It is up to whoever is creating the sssd.conf. As I said, the change is
>> backwards-compatible. If you want the services to be started by sssd,
>> then list them in the services line. If you want to have them started on
>> demand and have a simpler configuration, you rely on the systemd services
>> manager.
>>
> 
> Understood. I will try 1.15.1 as soon as possible.
> 
> Reading ipa-client-install it appears to me that the other
> services haven't been omitted on purpose. I have the
> impression that nss and pam have simply been forgotten.
> 
> sssd's ssh service is defined only if ipa-client-install
> is allowed to touch the ssh or sshd configuration, but I
> have *no* idea why there is such a correlation.
> 
> Would somebody mind to look into this?

This is managed by authconfig on Fedora/RHEL systems. Not sure what
Debian does in this regard. Timo?

rob



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
On 03/03/17 10:14, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>
>> This is systemd-only?
>>
>> Wouldn't it be better to create a working sssd.conf, no matter
>> what?
> 
> It is up to whoever is creating the sssd.conf. As I said, the change is
> backwards-compatible. If you want the services to be started by sssd,
> then list them in the services line. If you want to have them started on
> demand and have a simpler configuration, you rely on the systemd services
> manager.
> 

Understood. I will try 1.15.1 as soon as possible.

Reading ipa-client-install it appears to me that the other
services haven't been omitted on purpose. I have the
impression that nss and pam have simply been forgotten.

sssd's ssh service is defined only if ipa-client-install
is allowed to touch the ssh or sshd configuration, but I
have *no* idea why there is such a correlation.

Would somebody mind to look into this?


Thanx very much
Harri



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
> Hi Jakub,
> 
> On 03/03/17 09:32, Jakub Hrozek wrote:
> > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> >> Hi folks,
> >>
> >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> >> Debian Stretch
> >   ~~
> > This is important I guess.
> > 
> > Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
> > no longer required to have them explicitly listed in the services line
> > of the sssd section. But:
> > - there were some nasty bugs in the first version of the socket
> >   activation. We will be releasing 1.15.1 today to address those
> >   issues
> > - the sockets must be enabled (systemctl status sssd-nss.socket). I
> >   understand Debian is doing this but I'm neither Debian user nor
> >   developer. I would suggest to ask on some Debian-specific forum or
> >   file a bug report if the resulting configuration doesn't work.
> > 
> 
> This is systemd-only?
> 
> Wouldn't it be better to create a working sssd.conf, no matter
> what?

It is up to whoever is creating the sssd.conf. As I said, the change is
backwards-compatible. If you want the services to be started by sssd,
then list them in the services line. If you want to have them started on
demand and have a simpler configuration, you rely on the systemd services
manager.



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
Hi Jakub,

On 03/03/17 09:32, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
>> Hi folks,
>>
>> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
>> Debian Stretch
>   ~~
> This is important I guess.
> 
> Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
> no longer required to have them explicitly listed in the services line
> of the sssd section. But:
> - there were some nasty bugs in the first version of the socket
>   activation. We will be releasing 1.15.1 today to address those
>   issues
> - the sockets must be enabled (systemctl status sssd-nss.socket). I
>   understand Debian is doing this but I'm neither Debian user nor
>   developer. I would suggest to ask on some Debian-specific forum or
>   file a bug report if the resulting configuration doesn't work.
> 

This is systemd-only?

Wouldn't it be better to create a working sssd.conf, no matter
what?


Regards
Harri



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
> 
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
  ~~
This is important I guess.

Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them explicitly listed in the services line
of the sssd section. But:
- there were some nasty bugs in the first version of the socket
  activation. We will be releasing 1.15.1 today to address those
  issues
- the sockets must be enabled (systemctl status sssd-nss.socket). I
  understand Debian is doing this but I'm neither Debian user nor
  developer. I would suggest to ask on some Debian-specific forum or
  file a bug report if the resulting configuration doesn't work.

> ipa-client-install creates a bad sssd.conf file, e.g.
> 
>   [domain/example.com]
> 
>   cache_credentials = True
>   krb5_store_password_if_offline = True
>   ipa_domain = example.com
>   id_provider = ipa
>   auth_provider = ipa
>   access_provider = ipa
>   ldap_tls_cacert = /etc/ipa/ca.crt
>   ipa_hostname = stretch1.vs.example.com
>   chpass_provider = ipa
>   ipa_server = _srv_, ipa1.example.com
>   dns_discovery_domain = example.com
>   [sssd]
>   domains = example.com
>   services = sudo

btw I find it strange that sudo is listed. I would expect either all or
no services to be listed. The feature is backwards-compatible, so if you
list the services explicitly, the sssd process would still start them
explicitly, just as it did with previous versions.

>   [sudo]
> 
> 
> Esp. the services for nss, pam and ssh are not setup. Is this
> as expected?
> 
> 
> Every helpful comment is highly appreciated.
> Harri
> 

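The following Python script is an added example, not code from the thread, from SSSD or from FreeIPA. It checks a generated sssd.conf for the two problems raised in this thread and in the SELINUX=disabled thread above: responders that are absent from the [sssd] services line and would therefore depend on their systemd socket units (Jakub's point about SSSD 1.15 socket activation), and an IPA domain section that lacks selinux_provider = none on a host whose /etc/selinux/config says SELINUX=disabled (the workaround Harald proposed; Lukas notes the upstream fix makes it unnecessary). The sample sssd.conf is the one Harald posted; the SELinux config text is constructed. Only sssd-nss.socket is named in the thread, so the other socket unit names are assumed to follow the same sssd-<responder>.socket pattern. The function names and the EXPECTED list are the example's own.

```python
"""Added example: sanity-check an sssd.conf produced by ipa-client-install.

Check 1 (socket activation thread): with SSSD >= 1.15 a responder that is
not on the [sssd] services line is started on demand through its systemd
socket unit, so a missing entry is only a problem when that socket is not
enabled.
Check 2 (SELINUX=disabled thread): on a host with SELinux disabled the
proposed workaround is selinux_provider = none in every IPA domain section.
"""
import configparser
import re

# Responders an IPA client normally needs (the four Harald expected).
EXPECTED = ("nss", "pam", "ssh", "sudo")

# systemd socket units. sssd-nss.socket is the name quoted in the thread;
# the remaining names are ASSUMED to follow the same pattern.
SOCKET_UNITS = {svc: "sssd-%s.socket" % svc for svc in EXPECTED}

# The sssd.conf Harald posted (copied from the thread).
SAMPLE_SSSD_CONF = """\
[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = stretch1.vs.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
dns_discovery_domain = example.com
[sssd]
domains = example.com
services = sudo
[sudo]
"""

# CONSTRUCTED /etc/selinux/config content, not from the thread.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; '%' must not be treated as interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def listed_services(cp):
    """Responders explicitly listed on the [sssd] services line."""
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def services_report(cp, enabled_sockets):
    """Map each expected responder to how it will be started:
    'listed'  - on the services line, sssd starts it itself (old behaviour)
    'socket'  - absent from the line but its socket unit is enabled
    'MISSING' - absent and no socket unit: nothing will answer on that pipe
    """
    listed = set(listed_services(cp))
    report = {}
    for svc in EXPECTED:
        if svc in listed:
            report[svc] = "listed"
        elif SOCKET_UNITS[svc] in enabled_sockets:
            report[svc] = "socket"
        else:
            report[svc] = "MISSING"
    return report


def selinux_disabled(selinux_config_text):
    """True if an uncommented SELINUX=disabled line is present."""
    for line in selinux_config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"SELINUX\s*=\s*(\w+)$", line)
        if m:
            return m.group(1).lower() == "disabled"
    return False


def selinux_provider_issues(cp, selinux_config_text):
    """Domain sections still on the default SELinux provider while SELinux
    is disabled on the host; the thread's workaround is selinux_provider = none."""
    if not selinux_disabled(selinux_config_text):
        return []
    return [
        section for section in cp.sections()
        if section.startswith("domain/")
        and cp.get(section, "selinux_provider", fallback="").strip().lower() != "none"
    ]


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    # On a real host fill this set from the enabled sssd-*.socket units.
    for svc, how in services_report(conf, enabled_sockets=set()).items():
        print("%-5s %s" % (svc, how))
    for section in selinux_provider_issues(conf, SAMPLE_SELINUX_CONFIG):
        print("%s: add selinux_provider = none (SELinux is disabled)" % section)
```

On a real client the enabled_sockets set would be filled from the output of systemctl list-unit-files 'sssd-*.socket'; the example keeps that out so it runs offline. With Harald's file and no sockets enabled, nss, pam and ssh come back as MISSING, which is exactly the silent login failure both threads describe.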


[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-02 Thread Harald Dunkel
Hi folks,

running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian
Stretch ipa-client-install creates a bad sssd.conf file, e.g.

[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = stretch1.vs.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
dns_discovery_domain = example.com
[sssd]
domains = example.com
services = sudo
[sudo]


Esp. the services for nss, pam and ssh are not setup. Is this
as expected?


Every helpful comment is highly appreciated.
Harri



Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
Thank you, Rob.

For reference, my full log can be found here: http://pastebin.com/6VLaQjYw

But I would postulate that the interesting bit is this:

> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815
> 1476223815 3 NOERROR 683
> YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA
> AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow
> KKADAgEBoSEwHxsDRE5TGxhpcGEtcGRjLmlwYS5yeHJob3VzZS5uZXSj
> ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIeFubKS/x0aKfc7u/f9Z5Ro8
> pZZ4RkIlwOWAAuiSxJNmoaIhYgYNitn2pkAII+eKtdialtAI/1418exm
> sM7zahCj0MWpBIYQZB4tsN9JZMaKF7SK5TlewH9mZitjd+hbQ5iwjklV
> 8P6OOMsIRIytywnd8eD/988GQz3C5CfBU1pQM5Bkox4vSRawZJRUy0xx
> C8H4nOOPsJZd9AozsaAZSR4EeA05IbW+gxxIeXjShPDwRF6fs4sNxZUt
> FEkdujVZOaM4M4olLadzScsXDi2pO/8WqjJdDwMfLD95+CHSiFMSyJqy
> nwem6dzJTJvyLTq4fKO+ajmUHw5tV30Pg7w9krEiFSTuFkCmKW1a2GQo
> 5Lm3VQF34cnYTA+5K8yEwLiTqX+kgfAwge2gAwIBEqKB5QSB4u9m77de
> VD1pQ+DUyBKaC2jOgD/uUWAyfNNojNAtKAMGbHzDWSRASe1Xd+RNgwIa
> QdT2PC6kHbJMz9jaJu/0fxC9JmPp6Qe6p8CGaQ6IvPGm4838TlGdGhuS
> YpUwVAEqvl85S23+yT3Qo/O8Qffhi4i/WDdiBHGGDrKF4CCZXJrr/F+L Pd8oabRE81h+
> 4Tu7KBTApBwWYFYQSct7Q9ZrFiUuQzbpc2ZjXaVLi3ai
> uvH2NLWvLwxt8Z8PYRHgTrEYb/QfEluP2qfbo6XuO4UHoF7rN8d28bnw
> bhUsEYaVs1r8Pxk= 0
>
> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net.  IN  SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net.   60  IN  SOA ipa-pdc.ipa.rxrhouse.net.
> hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>
> ;; ADDITIONAL SECTION:
> ipa-pdc.ipa.rxrhouse.net. 353   IN  A   10.42.0.11
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.ANY TKEY
>
> ;; ANSWER SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678
> 1466728078 3 NOERROR 101
> YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
> MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> AwIBAaELMAkbB2FkLXBkYyQ= 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Message stream
> modified.
>
> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.

>
This isn't the first time I've seen this "Unspecified GSS failure [...]
Message stream modified" error, and I suspect it to be the root of my
problem... But my google-foo is not strong with this one...  I'm not sure
how to proceed.

On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden  wrote:

> Tyrell Jentink wrote:
>
>> First off...  new to the list, thank you in advance for your assistance!
>>
>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>> repositories, and dnf says it's up to date. FreeIPA has a trust set up
>> with an Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>> be working...
>>
>> The first client I connected was a Raspberry Pi running Pidora.  This
>> client appears to have connected fine, and appears to be working (I
>> guess I haven't tried logging in as an ActiveDirectory user;  But it's
>> certainly NOT having any DNS issues, as other clients are; See below...)
>>
>> Then I tried connecting a second client, a system running Fedora 24 with
>> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
>> plan...  Here's the output of ipa-client-install:
>>
>> Discovery was successful!
>> Client hostname: trainmaster.ipa.rxrhouse.net
>> Realm: IPA.RXRHOUSE.NET
>> DNS Domain: ipa.rxrhouse.net
>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>> BaseDN: 

[Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
First off...  new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine.  I
have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories,
and dnf says it's up to date. FreeIPA has a trust set up with an Windows
Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora.  This
client appears to have connected fine, and appears to be working (I guess I
haven't tried logging in as an ActiveDirectory user;  But it's certainly
NOT having any DNS issues, as other clients are; See below...)

Then I tried connecting a second client, a system running Fedora 24 with
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
plan...  Here's the output of ipa-client-install:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@ipa.rxrhouse.net:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Issuer:  CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Valid From:  Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.


Of concern, the installer failed to update DNS records, resulting in a
missing reverse record, and eventually failing to update the DNS SSHFP
records.  Looking in the Web UI for FreeIPA server, I see that the client
is registered, but it doesn't have any SSH keys , and as expected, doesn't
have a reverse zone...  But the Raspberry Pi DOES.

Just to be fully sure something was wrong...  I tried connecting with a
clean install of Fedora 24 running in a virtual machine, and had the same
issue.  I've googled around, and can't find anyone having any similar
issues...  And I didn't accidentally stumble across anything interesting
while exploring logs...  But I honestly don't know where to look.

TO BE CLEAR, things appear to work just fine from freeipa-client version
3.3.3-4.fc20  on pidora on a Raspberry Pi, but it's NOT working with the
latest versions from Fedora 24 on x86_64 hardware...

Where should I look first?  Thank you for any assistance...

--
Tyrell Jentink

Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Rakesh Rajasekharan
thanks for the inputs..

the issue was with my network,

I was able to resolve it adding in the NETWORKING_IPV6=no  in
/etc/sysconfig/network


possibly it was using IPv6 resolution and that was failing


On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek  wrote:

> On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running ipa server 4.2 and set it up without using "--setup-dns=no".
> >
> > On few clients the installation fails with the below error message.
> >
> >
> > I verified that the ipa master dns is resolvable. Not sure what could be
> > wrong here..
> >
> >
> > Joining realm failed: libcurl failed to execute the HTTP POST
> transaction,
> > explaining:  Could not resolve host: ipa-master-in.xyz.com; Unknown
> error
> >
> > Use ipa-getkeytab to obtain a host principal for this server.
> > Please make sure the following ports are opened in the firewall settings:
> >  TCP: 80, 88, 389
> >  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > Also note that following ports are necessary for ipa-client working
> > properly after enrollment:
> >  TCP: 464
> >  UDP: 464, 123 (if NTP enabled)
> > Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
> > Installation failed. Force set so not rolling back changes.
> >
> >
> > I tried removing /etc/ipa/ca.crt and delete any older certificates
> > "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"
> >
> > However, no luck yet..
> >
> > any suggestions on how can I debug this..
>
> I would start with command:
> $ dig ipa-master-in.xyz.com
>
> It should print IPv4 address of the server ipa-master-in.xyz.com. If it
> does
> not print it there is a problem with DNS. In that case usual DNS debugging
> guides apply.
>
> I hope it helps.
>
> --
> Petr^2 Spacek
>
>

Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Petr Spacek
On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am running ipa server 4.2 and set it up without using "--setup-dns=no".
> 
> On few clients the installation fails with the below error message.
> 
> 
> I verified that the ipa master dns is resolvable. Not sure what could be
> wrong here..
> 
> 
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining:  Could not resolve host: ipa-master-in.xyz.com; Unknown error
> 
> Use ipa-getkeytab to obtain a host principal for this server.
> Please make sure the following ports are opened in the firewall settings:
>  TCP: 80, 88, 389
>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>  TCP: 464
>  UDP: 464, 123 (if NTP enabled)
> Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
> Installation failed. Force set so not rolling back changes.
> 
> 
> I tried removing /etc/ipa/ca.crt and delete any older certificates
> "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"
> 
> However, no luck yet..
> 
> any suggestions on how can I debug this..

I would start with command:
$ dig ipa-master-in.xyz.com

It should print IPv4 address of the server ipa-master-in.xyz.com. If it does
not print it there is a problem with DNS. In that case usual DNS debugging
guides apply.

I hope it helps.

-- 
Petr^2 Spacek



[Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-27 Thread Rakesh Rajasekharan
Hi,

I am running ipa server 4.2 and set it up without using "--setup-dns=no".

On few clients the installation fails with the below error message.


I verified that the ipa master dns is resolvable. Not sure what could be
wrong here..


Joining realm failed: libcurl failed to execute the HTTP POST transaction,
explaining:  Could not resolve host: ipa-master-in.xyz.com; Unknown error

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
Installation failed. Force set so not rolling back changes.


I tried removing /etc/ipa/ca.crt and delete any older certificates
"certutil -D -n 'IPA CA' -d /etc/pki/nssdb"

However, no luck yet..

any suggestions on how can I debug this..

Thanks
Rakesh

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Rob Crittenden

Neal Harrington | i-Neda Ltd wrote:
> Hi Rob,
>
> Thank you very much for your message. Unfortunately/fortunately after
> rebooting or restarting the ssh server this morning it is all working as
> I would expect. I'm not sure what I was missing yesterday but suspect a
> combination of sssd caching may have been confusing me as I'm sure
> I'd already tried this several times.

Very strange indeed. The sssd cache is persistent so rebooting shouldn't
have affected it at all.

rob

> Thanks again,
> Neal.
>
> *From:* Rob Crittenden <rcrit...@redhat.com>
> *Sent:* 05 July 2016 18:01
> *To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and
> user ssh key query
>
> Neal Harrington | i-Neda Ltd wrote:
>> Hi,
>>
>> I have successfully installed FreeIPA server version 4.2.0 on CentOS
>> 7.2, including replication between servers. I have a few
>> dozen Ubuntu 14.04 servers joined into IPA for authentication with
>> various user groups controlling access, sudo permissions etc and overall
>> I'm very happy.
>>
>> I have however managed to trip myself up by installing the
>> Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys
>> are not trusted and ssh login falls back to password based on the Ubuntu
>> clients.
>>
>> If I uninstall a client, reboot and then reinstall without the
>> --ssh-trust-dns option then the users ssh key I imported into the web
>> interface is used and login is automatic over ssh.
>>
>> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
>> can't see anything to control this. Most of my online searches cover
>> other aspects of ssh host keys in DNS. If I've missed anything obvious
>> then please point me in the right direction.
>>
>> I have a reasonable number of servers to make this change on and ideally
>> I'd like to push out the change to a config file and maybe restart a
>> service. Is this behaviour easy to configure or would it be easier to go
>> through the uninstall/reboot/reinstall loop? Luckily these are all
>> testing servers so not a show stopper but I'd prefer to learn what is
>> actually controlling this.
>
> As far as I can tell this option sets this in sshd.conf:
>
> VerifyHostKeyDNS = yes
> HostKeyAlgorithms = ssh-rsa,ssh-dss
>
> I assume your DNS doesn't contain the SSHFP entries?
>
> rob



Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Neal Harrington | i-Neda Ltd
Hi Rob,


Thank you very much for your message. Unfortunately/fortunately after rebooting 
or restarting the ssh server this morning it is all working as I would expect. 
I'm not sure what I was missing yesterday but suspect a combination of sssd 
caching may have been confusing me as I'm sure I'd already tried this several 
times.

Thanks again,
Neal.

From: Rob Crittenden <rcrit...@redhat.com>
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh 
key query

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
>
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the users ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob



Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-05 Thread Rob Crittenden

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the users ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob




[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-05 Thread Neal Harrington | i-Neda Ltd
Hi,


I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, 
including replication between servers. I have a few dozen Ubuntu 14.04 servers 
joined into IPA for authentication with various user groups controlling access, 
sudo permissions etc and overall I'm very happy.


I have however managed to trip myself up by installing the Ubuntu clients with 
the --ssh-trust-dns option and now my users ssh keys are not trusted and ssh 
login falls back to password based on the Ubuntu clients.


If I uninstall a client, reboot and then reinstall without the --ssh-trust-dns 
option then the users ssh key I imported into the web interface is used and 
login is automatic over ssh.


I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and can't 
see anything to control this. Most of my online searches cover other aspects of 
ssh host keys in DNS. If I've missed anything obvious then please point me in 
the right direction.


I have a reasonable number of servers to make this change on and ideally I'd 
like to push out the change to a config file and maybe restart a service. Is 
this behaviour easy to configure or would it be easier to go through the 
uninstall/reboot/reinstall loop? Luckily these are all testing servers so not a 
show stopper but I'd prefer to learn what is actually controlling this.


Thanks,

Neal.

Re: [Freeipa-users] ipa-client-install

2016-06-10 Thread Martin Basti



On 09.06.2016 22:36, David Zabner wrote:

Occasionally in our system we will see a failure in the ipa-client-install script
and the cleanup will leave the host around in IPA.
This means that all future client installs fail because the host already exists.
Is there any way to make sure that failures cause the host to be cleaned up?
Is there a command I can run that will delete the host that does not require
the client to be installed?

Thanks for the assistance,
David



Hello,

you can use ipa host-del  to remove a client that failed to do its
cleanup properly.


or you can use ipa-client-install --force-join

Martin



[Freeipa-users] ipa-client-install

2016-06-09 Thread David Zabner
Occasionally in our system we will see a failure in the ipa-client-install script
and the cleanup will leave the host around in IPA.
This means that all future client installs fail because the host already
exists.
Is there any way to make sure that failures cause the host to be cleaned up?
Is there a command I can run that will delete the host that does not require
the client to be installed?

Thanks for the assistance,
David


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
You guys are awesome



# ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
…
Continue to configure the system with these values? [no]: yes
…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
….
Systemwide CA database updated.
Added CA certificates to the default NSS database.
…
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
….
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.candeal.ca as NIS domain.
Client configuration complete.

Gady

-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: April 20, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>
>-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
>
>-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin
>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
>
># Generated by NetworkManager
>
>search ipa.candeal.ca
>
>nameserver 172.20.10.40
>
>nameserver 172.20.10.41
This should be content of /etc/resolv.conf and not domain_realm_ipa_candeal_ca

>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>
>[domain_realm]
>
>.AD.candeal.ca = AD.CANDEAL.CA
>
>AD.candeal.ca = AD.CANDEAL.CA
>
>[capaths]
>
This should be content of domain_realm_ipa_candeal_ca and not localauth_plugin

Remove both files. It is safe. They will be created by sssd after start.

LS

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Lukas Slebodnik
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>
>-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
>
>-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin
>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
>
># Generated by NetworkManager
>
>search ipa.candeal.ca
>
>nameserver 172.20.10.40
>
>nameserver 172.20.10.41
This should be content of /etc/resolv.conf and not domain_realm_ipa_candeal_ca

>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>
>[domain_realm]
>
>.AD.candeal.ca = AD.CANDEAL.CA
>
>AD.candeal.ca = AD.CANDEAL.CA
>
>[capaths]
>
This should be content of domain_realm_ipa_candeal_ca and not localauth_plugin

Remove both files. It is safe. They will be created by sssd
after start.

LS

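Lukas's diagnosis (resolv.conf text sitting in domain_realm_ipa_candeal_ca, a [domain_realm] section sitting in localauth_plugin) together with Rob's note that the temporary krb5.conf includes /var/lib/sss/pubconf/krb5.include.d/ explains the kinit "Improper format of Kerberos configuration file" error: libkrb5 parses every fragment an includedir loads, and one line outside the profile grammar fails the whole configuration. The linter below is an added example, not code from FreeIPA, SSSD or the posters. It embeds Gady's two fragments as constructed samples and reports the lines a krb5 profile parser would reject; its rules (sections, `key = value`, `key = {` ... `}` blocks, include/includedir/module directives, `#`/`;` comments, and the includedir file-name filter) are my reading of the krb5.conf format. The script name `lint_krb5_include.py` used in the usage note is hypothetical.

```python
"""Lint the krb5.conf fragments libkrb5 pulls in through includedir.

Added example for this thread, not code from FreeIPA, SSSD or the posters.
It reproduces, as constructed sample data, the two fragments Gady posted
from /var/lib/sss/pubconf/krb5.include.d/ and flags what libkrb5's profile
parser would reject with "Improper format of Kerberos configuration file".
"""
import os
import re

SECTION_RE = re.compile(r"^\[[A-Za-z0-9_]+\]\*?$")          # [realms], [libdefaults]*
DIRECTIVE_RE = re.compile(r"^(include|includedir|module)\s+\S")
RESOLV_RE = re.compile(r"^(nameserver|search|domain|options)\s")  # resolv.conf, not krb5
# includedir only loads file names made of alphanumerics, '-' and '_'; the
# rest (editor backups, *.rpmsave, dotfiles) is skipped without any warning.
INCLUDEDIR_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def includedir_would_read(filename):
    return bool(INCLUDEDIR_NAME_RE.match(filename))


def lint_krb5_fragment(text, name="<fragment>"):
    """Return [(name, lineno, problem)] for lines outside the profile grammar:
    sections, `key = value`, `key = {` ... `}` blocks, include directives,
    comments and blank lines are accepted; anything else is reported."""
    problems = []
    in_section = False
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if RESOLV_RE.match(line) and "=" not in line:
            problems.append((name, lineno, f"resolv.conf content: {line!r}"))
            continue
        if SECTION_RE.match(line):
            in_section, depth = True, 0
            continue
        if DIRECTIVE_RE.match(line):
            continue
        if line == "}":
            if depth == 0:
                problems.append((name, lineno, "unmatched '}'"))
            else:
                depth -= 1
            continue
        if "=" in line and not line.startswith("="):
            if not in_section:
                problems.append((name, lineno, f"relation outside any section: {line!r}"))
            if line.split("=", 1)[1].strip() == "{":
                depth += 1
            continue
        problems.append((name, lineno, f"unparseable line: {line!r}"))
    if depth:
        problems.append((name, 0, f"{depth} unclosed '{{' block(s)"))
    return problems


def lint_include_dir(path):
    """Lint every file in `path` that includedir would actually load."""
    findings = []
    for fname in sorted(os.listdir(path)):
        if not includedir_would_read(fname):
            continue
        with open(os.path.join(path, fname), encoding="utf-8", errors="replace") as fh:
            findings.extend(lint_krb5_fragment(fh.read(), fname))
    return findings


# Constructed samples, copied from the contents Gady posted in this thread.
SAMPLE_DOMAIN_REALM_FILE = """\
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41
"""
SAMPLE_LOCALAUTH_FILE = """\
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = lint_include_dir(sys.argv[1])
    else:
        findings = (lint_krb5_fragment(SAMPLE_DOMAIN_REALM_FILE, "domain_realm_ipa_candeal_ca")
                    + lint_krb5_fragment(SAMPLE_LOCALAUTH_FILE, "localauth_plugin"))
    for fname, lineno, problem in findings:
        print(f"{fname}:{lineno}: {problem}")
```

Run as `python3 lint_krb5_include.py /var/lib/sss/pubconf/krb5.include.d` on the failing client to see which fragment breaks kinit. Note what it does not catch: Gady's localauth_plugin is syntactically valid, it merely holds the wrong section, so a clean lint does not prove the fragments are right; Lukas's fix of deleting both files and letting sssd regenerate them covers that case as well.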


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
[root@cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr  9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr  9 07:24 localauth_plugin

[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41

[root@cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]

[root@cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31
16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's Centos 7.

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the
client installer creates looks ok. It does include files from
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in
there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the kr5.conf. Still has with original content.
>>
>> [root@prddb1]# ipa-client-install
>>
>> Discovery was successful!
>>
>> ...
>>
>> Continue to configure the system with these values? [no]: yes
>>
>>
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>>
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>>
>> Disabling client Kerberos and LDAP configurations
>>
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>>
>>
>>
>> Client uninstall complete.
>>
>> [root@prddb1]# cat /etc/krb5.conf
>>
>> [logging]
>>
>> default = FILE:/var/log/krb5libs.log
>>
>> kdc = FILE:/var/log/krb5kdc.log
>>
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>
>> dns_lookup_realm = false
>>
>> ticket_lifetime = 24h
>>
>> renew_lifetime = 7d
>>
>> forwardable = true
>>
>> rdns = false
>>
>> # default_realm = EXAMPLE.COM
>>
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>>
>> # EXAMPLE.COM = {
>>
>> #  kdc = kerberos.example.com
>>
>> #  admin_server = kerberos.example.com
>>
>> # }
>>
>> [domain_realm]
>>
>> # .example.com = EXAMPLE.COM
>>
>> # example.com = EXAMPLE.COM
>>
>> [root@prddb1]#
>
> Ok, I agree with the others then, we need to see the full
> ipaclient-install.log. This file looks fine which means the temporary
> one that is configured must be bad in some way. The log will tell how.
>
> rob
>
>>
>> Gady
>>
>> -Original Message-
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: April 20, 2016 3:14 PM
>> To: Gady Notrica; Martin Basti; 
>> freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
>> Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>> Gady Notrica wrote:
>>
>>  > Thank you guys for your help.
>>
>>  >
>>
>>  > Still can't enroll the client. Any suggestion on the errors below?
>>
>>  >
>>
>>  > /Kerberos authentication failed: kinit: Improper format of
>> Kerberos
>>
>>  > configuration file while initializing Kerberos 5 library/
>>
>> What does /etc/krb5.conf look like?
>>
>>  > Installation failed. Rolling back changes.
>>
>>  >
>>
>>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>>
>>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>>
>>  > exit status 255/
>>
>> This is unrelated to the enrollment problem.
>>
>> rob
>>
>>  >
>>
>>  > Disabling client Kerberos and LDAP configurations
>>
>>  >
>>
>>  > Gady Notrica
>>
>>  >
>>
>>  > -Original Message-
>>
>>
>>

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
Ok, Gady sent the complete file out-of-band and the temporary krb5.conf 
the client installer creates looks ok. It does include files from 
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files 
in there and if so, what the contents are?


BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
Gady Notrica wrote:
Please find below the kr5.conf. Still has with original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Ok, I agree with the others then, we need to see the full
ipaclient-install.log. This file looks fine which means the temporary
one that is configured must be bad in some way. The log will tell how.

rob

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
 > Thank you guys for your help.
 >
 > Still can't enroll the client. Any suggestion on the errors below?
 >
 > /Kerberos authentication failed: kinit: Improper format of Kerberos
 > configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

 > Installation failed. Rolling back changes.
 >
 > /Failed to list certificates in /etc/ipa/nssdb: Command
 > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
 > exit status 255/

This is unrelated to the enrollment problem.

rob

 >
 > Disabling client Kerberos and LDAP configurations
 >
 > Gady Notrica
 >
 > -Original Message-
 > From: freeipa-users-boun...@redhat.com
<mailto:freeipa-users-boun...@redhat.com>
 > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
 > Sent: April 20, 2016 2:12 PM
 > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
 > Subject: Re: [Freeipa-users] ipa-client-install errors
 >
 > Any specific command in particular to remove that keytab?
 >
 > Since these don't work
 >
 > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
 > Kerberos context initialization failed
 >
 > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
 > /etc/krb5.keytab Kerberos context initialization failed
 >
 > [root@cprddb1 /]#
 >
 > Gady
 >
 > -Original Message-
 >
 > From: Rob Crittenden [mailto:rcrit...@redhat.com]
 >
 > Sent: April 20, 2016 1:59 PM
 >
 > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
 > <mailto:freeipa-users@redhat.com>
 >
 > Subject: Re: [Freeipa-users] ipa-client-install errors
 >
 > Martin Basti wrote:
 >
 >  >
 >
 >  >
 >
 >  > On 20.04.2016 18:00, Gady Notrica wrote:
 >
 >  >>
 >
 >  >> Hello World,
 >
 >  >>
 >
 >  >> I am having these errors trying to install ipa-client-install.
 > Every
 >
 >  >> other machine is fine and they IPA servers are functioning
 > perfectly
 >
 >  >>
 >
 >  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
 >
 >  >>
 >
 >  >> Kerberos authentication failed: kinit: Improper format of Kerberos
 >
 >  >> configuration file while initializing Kerberos 5 library
 >
 >  >>
 >
 >  >> Then I have "/Installation failed. Rolling back changes."/
 >
 >  >>
 >
 >  >> I have tried everything I know with no luck. Any idea on how to
 > FIX
 >
 >  >> this? Below is the full log.

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Original file attached - no changes to the file

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Please find below the kr5.conf. Still has with original content.
>
> [root@prddb1]# ipa-client-install
>
> Discovery was successful!
>
> ...
>
> Continue to configure the system with these values? [no]: yes
>
> 
>
> Kerberos authentication failed: kinit: Improper format of Kerberos 
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command 
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero 
> exit status 255
>
> Disabling client Kerberos and LDAP configurations
>
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
> /etc/sssd/sssd.conf.deleted
>
> 
>
> Client uninstall complete.
>
> [root@prddb1]# cat /etc/krb5.conf
>
> [logging]
>
> default = FILE:/var/log/krb5libs.log
>
> kdc = FILE:/var/log/krb5kdc.log
>
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>
> dns_lookup_realm = false
>
> ticket_lifetime = 24h
>
> renew_lifetime = 7d
>
> forwardable = true
>
> rdns = false
>
> # default_realm = EXAMPLE.COM
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>
> # EXAMPLE.COM = {
>
> #  kdc = kerberos.example.com
>
> #  admin_server = kerberos.example.com
>
> # }
>
> [domain_realm]
>
> # .example.com = EXAMPLE.COM
>
> # example.com = EXAMPLE.COM
>
> [root@prddb1]#

Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary one that 
is configured must be bad in some way. The log will tell how.

rob

>
> Gady
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: April 20, 2016 3:14 PM
> To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Gady Notrica wrote:
>
>  > Thank you guys for your help.
>
>  >
>
>  > Still can't enroll the client. Any suggestion on the errors below?
>
>  >
>
>  > /Kerberos authentication failed: kinit: Improper format of Kerberos
>
>  > configuration file while initializing Kerberos 5 library/
>
> What does /etc/krb5.conf look like?
>
>  > Installation failed. Rolling back changes.
>
>  >
>
>  > /Failed to list certificates in /etc/ipa/nssdb: Command
>
>  > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>
>  > exit status 255/
>
> This is unrelated to the enrollment problem.
>
> rob
>
>  >
>
>  > Disabling client Kerberos and LDAP configurations
>
>  >
>
>  > Gady Notrica
>
>  >
>
>  > -Original Message-
>
>  > From: freeipa-users-boun...@redhat.com 
> <mailto:freeipa-users-boun...@redhat.com>
>
>  > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
>
>  > Sent: April 20, 2016 2:12 PM
>
>  > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com 
> <mailto:freeipa-users@redhat.com>
>
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>
>  >
>
>  > Any specific command in particular to remove that keytab?
>
>  >
>
>  > Since these don't work
>
>  >
>
>  > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>
>  > Kerberos context initialization failed
>
>  >
>
>  > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
>
>  > /etc/krb5.keytab Kerberos context initialization failed
>
>  >
>
>  > [root@cprddb1 /]#
>
>  >
>
>  > Gady
>
>  >
>
>  > -Original Message-
>
>  >
>
>  > From: Rob Crittenden [mailto:rcrit...@redhat.com]
>
>  >
>
>  > Sent: April 20, 2016 1:59 PM
>
>  >
>
>  > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com 
> <mailto:freeipa-users@redhat.com>
>
>  > <mailto:freeipa-users@redhat.com>
>
>  >
>
>  > Subject: Re: [Freeipa-users] ipa-client-install errors
>
>  >
>
>  > Martin Basti wrote:
>
>  >
>
>  >  >
>
>  >
>
>  >  >
>
>  >
>
>  >  > On 20.04.2016 18:00, Gad

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Gady Notrica wrote:
Please find below the kr5.conf. Still has with original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Ok, I agree with the others then, we need to see the full 
ipaclient-install.log. This file looks fine which means the temporary 
one that is configured must be bad in some way. The log will tell how.

rob

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
 > Thank you guys for your help.
 >
 > Still can't enroll the client. Any suggestion on the errors below?
 >
 > /Kerberos authentication failed: kinit: Improper format of Kerberos
 > configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

 > Installation failed. Rolling back changes.
 >
 > /Failed to list certificates in /etc/ipa/nssdb: Command
 > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
 > exit status 255/

This is unrelated to the enrollment problem.

rob

 >
 > Disabling client Kerberos and LDAP configurations
 >
 > Gady Notrica
 >
 > -Original Message-
 > From: freeipa-users-boun...@redhat.com
<mailto:freeipa-users-boun...@redhat.com>
 > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
 > Sent: April 20, 2016 2:12 PM
 > To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
 > Subject: Re: [Freeipa-users] ipa-client-install errors
 >
 > Any specific command in particular to remove that keytab?
 >
 > Since these don't work
 >
 > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
 > Kerberos context initialization failed
 >
 > [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
 > /etc/krb5.keytab Kerberos context initialization failed
 >
 > [root@cprddb1 /]#
 >
 > Gady
 >
 > -Original Message-
 >
 > From: Rob Crittenden [mailto:rcrit...@redhat.com]
 >
 > Sent: April 20, 2016 1:59 PM
 >
 > To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
 > <mailto:freeipa-users@redhat.com>
 >
 > Subject: Re: [Freeipa-users] ipa-client-install errors
 >
 > Martin Basti wrote:
 >
 >  >
 >
 >  >
 >
 >  > On 20.04.2016 18:00, Gady Notrica wrote:
 >
 >  >>
 >
 >  >> Hello World,
 >
 >  >>
 >
 >  >> I am having these errors trying to install ipa-client-install.
 > Every
 >
 >  >> other machine is fine and they IPA servers are functioning
 > perfectly
 >
 >  >>
 >
 >  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
 >
 >  >>
 >
 >  >> Kerberos authentication failed: kinit: Improper format of Kerberos
 >
 >  >> configuration file while initializing Kerberos 5 library
 >
 >  >>
 >
 >  >> Then I have "/Installation failed. Rolling back changes."/
 >
 >  >>
 >
 >  >> I have tried everything I know with no luck. Any idea on how to
 > FIX
 >
 >  >> this? Below is the full log.
 >
 >  >>
 >
 >  >> ---
 >
 >  >>
 >
 >  >> /Continue to configure the system with these values? [no]: yes/
 >
 >  >>
 >
 >  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
 >
 >  >>
 >
 >

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find below the kr5.conf. Still has with original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Client uninstall complete.

[root@prddb1]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> /Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library/

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> /Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255/

This is unrelated to the enrollment problem.

rob

>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -Original Message-
> From: 
> freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; 
> freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
>
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab Kerberos context initialization failed
>
> [root@cprddb1 /]#
>
> Gady
>
> -Original Message-
>
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>
> Sent: April 20, 2016 1:59 PM
>
> To: Martin Basti; Gady Notrica; 
> freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
> <mailto:freeipa-users@redhat.com>
>
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Martin Basti wrote:
>
>  >
>
>  >
>
>  > On 20.04.2016 18:00, Gady Notrica wrote:
>
>  >>
>
>  >> Hello World,
>
>  >>
>
>  >> I am having these errors trying to install ipa-client-install.
> Every
>
>  >> other machine is fine and they IPA servers are functioning
> perfectly
>
>  >>
>
>  >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
>  >>
>
>  >> Kerberos authentication failed: kinit: Improper format of Kerberos
>
>  >> configuration file while initializing Kerberos 5 library
>
>  >>
>
>  >> Then I have "/Installation failed. Rolling back changes."/
>
>  >>
>
>  >> I have tried everything I know with no luck. Any idea on how to
> FIX
>
>  >> this? Below is the full log.
>
>  >>
>
>  >> ---
>
>  >>
>
>  >> /Continue to configure the system with these values? [no]: yes/
>
>  >>
>
>  >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>
>  >>
>
>  >> /Skipping synchronizing time with NTP server./
>
>  >>
>
>  >> /User authorized to enroll computers: admin/
>
>  >>
>
>  >> /Password for ad...@ipa.domain.com:/<mailto:ad...@ipa.domain.com:/>
> <mailto:ad...@ipa.domai

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Gady Notrica wrote:

Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

/Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library/


What does /etc/krb5.conf look like?


Installation failed. Rolling back changes.

/Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255/


This is unrelated to the enrollment problem.

rob



Disabling client Kerberos and LDAP configurations

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
/etc/krb5.keytab Kerberos context initialization failed

[root@cprddb1 /]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
 >
 >
 > On 20.04.2016 18:00, Gady Notrica wrote:
 >>
 >> Hello World,
 >>
 >> I am having these errors trying to install ipa-client-install. Every
 >> other machine is fine and they IPA servers are functioning perfectly
 >>
 >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
 >>
 >> Kerberos authentication failed: kinit: Improper format of Kerberos
 >> configuration file while initializing Kerberos 5 library
 >>
 >> Then I have "/Installation failed. Rolling back changes."/
 >>
 >> I have tried everything I know with no luck. Any idea on how to FIX
 >> this? Below is the full log.
 >>
 >> ---
 >>
 >> /Continue to configure the system with these values? [no]: yes/
 >>
 >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
 >>
 >> /Skipping synchronizing time with NTP server./
 >>
 >> /User authorized to enroll computers: admin/
 >>
 >> /Password for ad...@ipa.domain.com:/ <mailto:ad...@ipa.domain.com:/>
 >>
 >> /Please make sure the following ports are opened in the firewall
 >> settings:/
 >>
 >> /TCP: 80, 88, 389/
 >>
 >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
 >>
 >> /Also note that following ports are necessary for ipa-client working
 >> properly after enrollment:/
 >>
 >> /TCP: 464/
 >>
 >> /UDP: 464, 123 (if NTP enabled)/
 >>
 >> /Kerberos authentication failed: kinit: Improper format of Kerberos
 >> configuration file while initializing Kerberos 5 library/
 >>
 >> //
 >>
 >> /Installation failed. Rolling back changes./
 >>
 >> /Failed to list certificates in /etc/ipa/nssdb: Command
 >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
 >> exit status 255/
 >>
 >> /Disabling client Kerberos and LDAP configurations/
 >>
 >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
 >> /etc/sssd/sssd.conf.deleted/
 >>
 >> /Restoring client configuration files/
 >>
 >> /nscd daemon is not installed, skip configuration/
 >>
 >> /nslcd daemon is not installed, skip configuration/
 >>
 >> /Client uninstall complete./
 >>
 >> /---/
 >>
 >> Gady
 >>
 >>
 >>
 > Hello,
 >
 > IMO you have an old invalid keytab on that machine. Can you manually
 > remove it and try to reinstall client? (Of course only if you are sure
 > that keytab there is not needed)
 >
 > The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob

--

Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users

Go to http://freeipa.org for more info on the project



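Rob's question about /etc/krb5.conf is the one to follow up: kinit's "Improper format of Kerberos configuration file" and ipa-rmkeytab's "Kerberos context initialization failed" both point at libkrb5 failing to parse that file. The checker below is an added example, not FreeIPA's or MIT Kerberos's own code; it flags the structural faults the profile parser rejects, and its sample configurations are constructed, with the realm and KDC hostname modelled on those quoted in this thread.

```python
"""Structural check for an MIT krb5.conf-style profile.

Added example for this thread (not FreeIPA's or MIT Kerberos's code).
The rules below mirror the profile syntax libkrb5 parses: [section]
headers, "key = value" relations, "key = {" ... "}" subsections, and
include/includedir lines. Anything else is reported with its line number.
"""
import re
import sys

SECTION_RE = re.compile(r"^\[([^\]]+)\]\*?$")
RELATION_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")
INCLUDE_RE = re.compile(r"^include(dir)?\s+\S")


def check_krb5_conf(text):
    """Return a list of 'line N: ...' diagnostics; empty means the text is
    structurally sound."""
    problems = []
    depth = 0            # how many "key = {" blocks are currently open
    in_section = False   # has a [section] header been seen yet?
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue     # blank line or comment
        if INCLUDE_RE.match(line):
            continue     # include/includedir pulls in another file; not checked here
        header = SECTION_RE.match(line)
        if header:
            if depth:
                problems.append(
                    f"line {lineno}: section [{header.group(1)}] starts while "
                    f"{depth} '{{' block(s) are still open"
                )
                depth = 0
            in_section = True
            continue
        if not in_section:
            problems.append(f"line {lineno}: {line!r} appears before any [section] header")
            continue
        if line in ("}", "}*"):
            if depth == 0:
                problems.append(f"line {lineno}: '}}' without a matching 'key = {{'")
            else:
                depth -= 1
            continue
        relation = RELATION_RE.match(line)
        if not relation:
            problems.append(f"line {lineno}: {line!r} is not a 'key = value' relation")
            continue
        if relation.group(2) == "{":
            depth += 1   # a subsection such as  REALM = {  was opened
    if depth:
        problems.append(f"end of file: {depth} '{{' block(s) never closed")
    return problems


# Constructed sample modelled on the file ipa-client-install writes;
# realm and KDC name follow the hostnames quoted in this thread.
GOOD_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.DOMAIN.COM
  dns_lookup_realm = false
  rdns = false

[realms]
  IPA.DOMAIN.COM = {
    kdc = idmipa1.ipa.domain.com:88
    admin_server = idmipa1.ipa.domain.com:749
  }

[domain_realm]
  .ipa.domain.com = IPA.DOMAIN.COM
  ipa.domain.com = IPA.DOMAIN.COM
"""

# Constructed broken copy: a relation before the first header, a key with
# no '=', a realm block left open, and a stray closing brace.
BAD_CONF = """\
default_realm = IPA.DOMAIN.COM

[realms]
  IPA.DOMAIN.COM = {
    kdc = idmipa1.ipa.domain.com:88
    admin_server

[domain_realm]
  .ipa.domain.com = IPA.DOMAIN.COM
  }
"""


def main(path="/etc/krb5.conf"):
    """Check one file and return a shell-style exit status."""
    with open(path, encoding="utf-8") as fh:
        problems = check_krb5_conf(fh.read())
    for problem in problems:
        print(f"{path}: {problem}")
    status = "OK" if not problems else f"{len(problems)} problem(s)"
    print(f"{path}: {status}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it as `python3 check_krb5_conf.py /etc/krb5.conf` on the failing client; a non-zero exit means the file needs fixing before ipa-client-install or ipa-rmkeytab will get past krb5 context initialization.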


Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255

Disabling client Kerberos and LDAP configurations

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Any specific command in particular to remove that keytab?

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed

[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed

[root@cprddb1 /]#

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "Installation failed. Rolling back changes."
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> ---
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Skipping synchronizing time with NTP server.
>>
>> User authorized to enroll computers: admin
>>
>> Password for ad...@ipa.domain.com:
>>
>> Please make sure the following ports are opened in the firewall
>> settings:
>>
>> TCP: 80, 88, 389
>>
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>
>> Also note that following ports are necessary for ipa-client working
>> properly after enrollment:
>>
>> TCP: 464
>>
>> UDP: 464, 123 (if NTP enabled)
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>>
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>>
>> Disabling client Kerberos and LDAP configurations
>>
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>>
>> Restoring client configuration files
>>
>> nscd daemon is not installed, skip configuration
>>
>> nslcd daemon is not installed, skip configuration
>>
>> Client uninstall complete.
>>
>> ---
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually
> remove it and try to reinstall client? (Of course only if you are sure
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady,

On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica  wrote:

> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k
> /etc/krb5.keytab
> Kerberos context initialization failed


I think that you just need to rm /etc/krb5.keytab and remove the host
object in the web interface if it exists.

-- 
groet,
natxo

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Any specific command in particular to remove that keytab? 

Since these don't work

[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
Kerberos context initialization failed
[root@prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
Kerberos context initialization failed
[root@cprddb1 /]#

Gady


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Martin Basti wrote:
>
>
> On 20.04.2016 18:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am having these errors trying to install ipa-client-install. Every
>> other machine is fine and the IPA servers are functioning perfectly
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Then I have "Installation failed. Rolling back changes."
>>
>> I have tried everything I know with no luck. Any idea on how to FIX
>> this? Below is the full log.
>>
>> ---
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>>
>> Skipping synchronizing time with NTP server.
>>
>> User authorized to enroll computers: admin
>>
>> Password for ad...@ipa.domain.com:
>>
>> Please make sure the following ports are opened in the firewall
>> settings:
>>
>> TCP: 80, 88, 389
>>
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>
>> Also note that following ports are necessary for ipa-client working
>> properly after enrollment:
>>
>> TCP: 464
>>
>> UDP: 464, 123 (if NTP enabled)
>>
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>>
>> Installation failed. Rolling back changes.
>>
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>>
>> Disabling client Kerberos and LDAP configurations
>>
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>>
>> Restoring client configuration files
>>
>> nscd daemon is not installed, skip configuration
>>
>> nslcd daemon is not installed, skip configuration
>>
>> Client uninstall complete.
>>
>> ---
>>
>> Gady
>>
>>
>>
> Hello,
>
> IMO you have an old invalid keytab on that machine. Can you manually 
> remove it and try to reinstall client? (Of course only if you are sure 
> that keytab there is not needed)
>
> The keytab should be located here /etc/krb5.keytab

That or /etc/krb5.conf is messed up in some way.

rob




Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden

Martin Basti wrote:



On 20.04.2016 18:00, Gady Notrica wrote:


Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Skipping synchronizing time with NTP server.

User authorized to enroll computers: admin

Password for ad...@ipa.domain.com:

Please make sure the following ports are opened in the firewall
settings:

TCP: 80, 88, 389

UDP: 88 (at least one of TCP/UDP ports 88 has to be open)

Also note that following ports are necessary for ipa-client working
properly after enrollment:

TCP: 464

UDP: 464, 123 (if NTP enabled)

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Restoring client configuration files

nscd daemon is not installed, skip configuration

nslcd daemon is not installed, skip configuration

Client uninstall complete.

---

Gady




Hello,

IMO you have an old invalid keytab on that machine. Can you manually
remove it and try to reinstall client? (Of course only if you are sure
that keytab there is not needed)

The keytab should be located here /etc/krb5.keytab


That or /etc/krb5.conf is messed up in some way.

rob



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you Martin, I have tried many different ways. I can't seem to be able to 
remove anything in the file.

Gady

From: Martin Basti [mailto:mba...@redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors


On 20.04.2016 18:00, Gady Notrica wrote:
Hello World,

I am having these errors trying to install ipa-client-install. Every other
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady


Hello,

IMO you have an old invalid keytab on that machine. Can you manually remove it 
and try to reinstall client? (Of course only if you are sure that keytab there 
is not needed)

The keytab should be located here /etc/krb5.keytab

Martin

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 07:12 PM, Gady Notrica wrote:

Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Skipping synchronizing time with NTP server.

User authorized to enroll computers: admin

Password for ad...@ipa.domain.com:

Please make sure the following ports are opened in the firewall
settings:

TCP: 80, 88, 389

UDP: 88 (at least one of TCP/UDP ports 88 has to be open)

Also note that following ports are necessary for ipa-client working
properly after enrollment:

TCP: 464

UDP: 464, 123 (if NTP enabled)

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Restoring client configuration files

nscd daemon is not installed, skip configuration

nslcd daemon is not installed, skip configuration

Client uninstall complete.

---

Gady




We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky


It looks like the log is truncated. Are you sure that this is the full 
version?


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every
> other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Then I have "Installation failed. Rolling back changes."
>
> I have tried everything I know with no luck. Any idea on how to FIX
> this? Below is the full log.
>
> ---
>
> Continue to configure the system with these values? [no]: yes
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Skipping synchronizing time with NTP server.
>
> User authorized to enroll computers: admin
>
> Password for ad...@ipa.domain.com:
>
> Please make sure the following ports are opened in the firewall
> settings:
>
> TCP: 80, 88, 389
>
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>
> TCP: 464
>
> UDP: 464, 123 (if NTP enabled)
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255
>
> Disabling client Kerberos and LDAP configurations
>
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
>
> Restoring client configuration files
>
> nscd daemon is not installed, skip configuration
>
> nslcd daemon is not installed, skip configuration
>
> Client uninstall complete.
>
> ---
>
> Gady
>
>
>
We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

# cat /var/log/ipaclient-install.log
2016-04-20T16:04:34Z DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 
'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': 
None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': 
False, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 
'cd-s-prd-db1.ipa.domain.com', 'request_cert': False, 'trust_sshfp': False, 
'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': 
None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': 
True, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': 
None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': 
False, 'preserve_sssd': True, 'mkhomedir': True, 'uninstall': False}
2016-04-20T16:04:34Z DEBUG missing options might be asked for interactively 
later
2016-04-20T16:04:34Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-04-20T16:04:34Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-04-20T16:04:34Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-04-20T16:04:34Z DEBUG [IPA Discovery]
2016-04-20T16:04:34Z DEBUG Starting IPA discovery with domain=None, 
servers=None, hostname=cd-s-prd-db1.ipa.domain.com
2016-04-20T16:04:34Z DEBUG Start searching for LDAP SRV record in 
"ipa.domain.com" (domain of the hostname) and its sub-domains
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_ldap._tcp.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa1.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG DNS record found: 0 100 389 idmipa2.ipa.domain.com.
2016-04-20T16:04:34Z DEBUG [Kerberos realm search]
2016-04-20T16:04:34Z DEBUG Search DNS for TXT record of _kerberos.ipa.domain.com
2016-04-20T16:04:34Z DEBUG DNS record found: "IPA.domain.com"
2016-04-20T16:04:34Z DEBUG Search DNS for SRV record of 
_kerberos._udp.ipa.domain.com
2016-04-20T16:04:34Z DEB

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Skipping synchronizing time with NTP server.

User authorized to enroll computers: admin

Password for ad...@ipa.domain.com:

Please make sure the following ports are opened in the firewall settings:

TCP: 80, 88, 389

UDP: 88 (at least one of TCP/UDP ports 88 has to be open)

Also note that following ports are necessary for ipa-client working
properly after enrollment:

TCP: 464

UDP: 464, 123 (if NTP enabled)

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Restoring client configuration files

nscd daemon is not installed, skip configuration

nslcd daemon is not installed, skip configuration

Client uninstall complete.

---

Gady



We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Basti



On 20.04.2016 18:00, Gady Notrica wrote:


Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Skipping synchronizing time with NTP server.

User authorized to enroll computers: admin

Password for ad...@ipa.domain.com:

Please make sure the following ports are opened in the firewall
settings:

TCP: 80, 88, 389

UDP: 88 (at least one of TCP/UDP ports 88 has to be open)

Also note that following ports are necessary for ipa-client working
properly after enrollment:

TCP: 464

UDP: 464, 123 (if NTP enabled)

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.

Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
exit status 255

Disabling client Kerberos and LDAP configurations

Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted

Restoring client configuration files

nscd daemon is not installed, skip configuration

nslcd daemon is not installed, skip configuration

Client uninstall complete.

---

Gady




Hello,

IMO you have an old invalid keytab on that machine. Can you manually 
remove it and try to reinstall client? (Of course only if you are sure 
that keytab there is not needed)


The keytab should be located here /etc/krb5.keytab

Martin

[Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Hello World,

I am having these errors trying to install ipa-client-install. Every other
machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below 
is the full log.
---
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos 
configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' 
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---
Gady

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-21 Thread Martin Kosek
On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
> 
> Thank you for your answer.

Adding freeipa-users list back, so that others can follow the thread.

> Excuse me for my ignorance, but may you tell me how the bug and resolution
> work for FreeIPA ?

This is probably not something that would require its own upstream release; it
is too old a version, no longer developed upstream. It may rather be fixed
downstream, in RHEL (I cannot promise anything though).

I wonder, do RHEL-7.x clients work in your environment? RHEL-7.1+ should have
https://fedorahosted.org/freeipa/ticket/
applied, which may fix the issue.

> Will there be a new release concerning IPA 3.0.0, or a patch to apply ?

There may be a RHEL-6.x fix. If you have a RHEL subscription, I would recommend
pointing your Support Representative to Bug 1300561 below, to get higher
priority for the bug.

> Best regards.
> 
> Bahan
> 
> 
> On Thu, Jan 21, 2016 at 8:21 AM, Martin Kosek  wrote:
> 
>> On 01/20/2016 05:55 PM, bahan w wrote:
>>> Ah sorry, for security reasons I didn't want to put the original name
>> and I
>>> made a mistake.
>>>
>>> Here we are, for the confusing lines :
>>> ###
>>> Assuming realm is the same as domain: 
>>> Generated basedn from realm: dc=
>>> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
>>> kdc=None, basedn=dc=
>>> Validated servers: 
>>> will use discovered domain: 
>>> Using servers from command line, disabling DNS discovery
>>> will use provided server: 
>>> will use discovered realm: 
>>> The provided realm name [] does not match discovered one
>>> []
>>> (: Assumed same as domain)
>>> Installation failed. Rolling back changes
>>> IPA client is not configured on this system.
>>> ###
>>>
>>> Is it more clear ? Sorry again for the confusion.
>>>
>>> I use a realm which is different than the domain.
>>
>> Ah, I see. I think you just found a bug. The problem is that given the
>> server is not reachable, the realm is calculated based on the domain and
>> then rejected as it is different from the option. In this case,
>> ipa-client-install should just accept the realm passed to the script. It
>> is a very specific condition, but we should be able to fix that easily.
>>
>> I filed a bug:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1300561
>>
>> We will need to think if there is a workaround for you until the fix is
>> delivered.
>>
> 



Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 05:55 PM, bahan w wrote:
> Ah sorry, for security reasons I didn't want to put the original name and I
> made a mistake.
> 
> Here we are, for the confusing lines :
> ###
> Assuming realm is the same as domain: 
> Generated basedn from realm: dc=
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
> kdc=None, basedn=dc=
> Validated servers: 
> will use discovered domain: 
> Using servers from command line, disabling DNS discovery
> will use provided server: 
> will use discovered realm: 
> The provided realm name [] does not match discovered one
> []
> (: Assumed same as domain)
> Installation failed. Rolling back changes
> IPA client is not configured on this system.
> ###
> 
> Is it more clear? Sorry again for the confusion.
> 
> I use a realm which is different from the domain.

Ah, I see. I think you just found a bug. The problem is that given the server
is not reachable, the realm is calculated based on the domain and then rejected
as it is different from the option. In this case, ipa-client-install should
just accept the realm passed to the script. It is a very specific condition, but
we should be able to fix that easily.

I filed a bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1300561

We will need to think if there is a workaround for you until the fix is 
delivered.

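Martin's explanation above, as an added illustration that is not ipa-client-install's own code: a small Python model of the discovery step visible in the posted log. When the anonymous LDAP check fails, the realm is only assumed from the domain, and the buggy check rejects a --realm that differs from that assumption; the second variant shows the behaviour Martin says the installer should have, while still rejecting a --realm that disagrees with a realm genuinely read from the server. The names (discover, DiscoveryResult, realm_source, check_realm_buggy, check_realm_fixed) and the sample domain and realm values are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Discovery status strings as they appear in the posted log.
NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"
SUCCESS = "SUCCESS"


@dataclass
class DiscoveryResult:
    status: str
    realm: str
    # "ldap" when the realm was read from the server, "assumed" when it was
    # merely derived from the domain because the LDAP check failed.
    realm_source: str
    basedn: str


def basedn_from_realm(realm: str) -> str:
    """dc=... base DN derived from a realm ('Generated basedn from realm')."""
    return ",".join("dc=" + label for label in realm.lower().split("."))


def discover(domain: str, ldap_reachable: bool,
             server_realm: Optional[str] = None) -> DiscoveryResult:
    """Model of [IPA Discovery] with the server forced on the command line.

    ldap_reachable=False models the 'LDAP Error: Anonymous access not allowed'
    branch (nsslapd-allow-anonymous-access: off): the realm cannot be read from
    the server, so discovery falls back to 'Assuming realm is the same as domain'.
    """
    if ldap_reachable and server_realm:
        return DiscoveryResult(SUCCESS, server_realm, "ldap",
                               basedn_from_realm(server_realm))
    assumed = domain.upper()
    return DiscoveryResult(NO_ACCESS_TO_LDAP, assumed, "assumed",
                           basedn_from_realm(assumed))


def _mismatch(provided: str, discovered: str) -> str:
    return (f"The provided realm name [{provided}] does not match "
            f"discovered one [{discovered}]")


def check_realm_buggy(provided_realm: Optional[str],
                      result: DiscoveryResult) -> Tuple[bool, str]:
    """Behaviour seen in the posted log: any difference from the 'discovered'
    realm is fatal, even though that realm was only assumed from the domain.
    Returns (accepted, realm_or_error_message)."""
    if provided_realm is None:
        return True, result.realm
    if provided_realm != result.realm:
        return False, _mismatch(provided_realm, result.realm)
    return True, provided_realm


def check_realm_fixed(provided_realm: Optional[str],
                      result: DiscoveryResult) -> Tuple[bool, str]:
    """The behaviour Martin describes: when the realm could not actually be
    read from the server, accept the value passed with --realm. A realm that
    was really read over LDAP is still compared, so a genuine mismatch between
    --realm and the server is still rejected."""
    if provided_realm is None:
        return True, result.realm
    if result.realm_source == "assumed":
        return True, provided_realm
    if provided_realm != result.realm:
        return False, _mismatch(provided_realm, result.realm)
    return True, provided_realm


if __name__ == "__main__":
    # Constructed values standing in for the redacted ones in the log: domain
    # example.test, a realm that differs from the domain, and a server that
    # refuses anonymous binds.
    result = discover("example.test", ldap_reachable=False)
    print(result.status, result.realm, result.realm_source, result.basedn)
    print("buggy:", check_realm_buggy("CORP.EXAMPLE.TEST", result))
    print("fixed:", check_realm_fixed("CORP.EXAMPLE.TEST", result))
```

Run it directly to see the constructed case: the buggy check reproduces the "does not match discovered one" error from the log, the fixed check returns the realm given on the command line, and with a reachable server both variants still reject a --realm that differs from what LDAP reports.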


Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Re Martin.

Here we are for the ipaclient-install.log:

###
2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': '', 'force': False, 'realm_name':
'', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': 'admin', 'hostname': '', 'no_ac':
False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
False, 'force_join': False, 'ca_cert_file': None, 'server': [''], 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
later
2016-01-20T14:55:48Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-01-20T14:55:48Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=,
servers=[''], hostname=
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
_kerberos..
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that  (realm None) is
an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: 
2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
dc=
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
server=None, domain=, kdc=None, basedn=
2016-01-20T14:55:48Z DEBUG Validated servers: 
2016-01-20T14:55:48Z DEBUG will use discovered domain: 
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
discovery
2016-01-20T14:55:48Z DEBUG will use provided server: 
2016-01-20T14:55:48Z DEBUG will use discovered realm: 
2016-01-20T14:55:48Z ERROR The provided realm name [] does not
match discovered one []
2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
###

Best regards.

Bahan

On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek  wrote:

> Adding freeipa-users back, so that others can benefit from the answer.
>
> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
> that we can get the full context of the bug? You may also want to open a
> RHEL-6 Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
> maintained in RHEL-6.x.
>
> Thanks,
> Martin
>
> On 01/20/2016 01:39 PM, bahan w wrote:
> > Hello Martin !
> >
> > Thanks for your answer, Martin !
> >
> > I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
> > I still have the same error message.
> >
> > # rpm -qa | grep ipa-client
> > ipa-client-3.0.0-47.el6.x86_64
> >
> > And in ipa-client-install.log:
> > ###
> > 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> > 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None) is
> > an IPA server
> > 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap:// > server>:389
> > 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> > ###
> >
> > Best regards.
> >
> > Bahan
> >
> >
> > On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek  wrote:
> >
> >> On 01/20/2016 12:08 PM, bahan w wrote:
> >>> Hello !
> >>>
> >>> I send you this mail because of the following topic.
> >>>
> >>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> >>> access for security reasons.
> >>>
> >>> But now, I have a problem when I try to enroll a new host.
> >>>
> >>> Here is the command I try:
> >>> ###
> >>> ipa-client-install --domain= --realm= --server= >>> ipaserver> --principal=admin --password=
> >>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
> >>> --unattended
> >>> ###
> >>>
> >>> And here is the error message :
> >>> ###
> >>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
> >>> an IPA server
> >>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// >>> server>:389
> >>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> >>> ###
> >>>
> >>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous
> >>> access disabled?
> >>>
> >>> Best regards.
> >>>
> >>> Bahan
> >>
> >> Hello,
> >>
> >> This looks like
> >> https://bugzilla.redhat.com/show_bug.cgi?id=922843
> >>
> >> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
> >> later).
> >>
> >> HTH,
> >> Martin
> >>
> >>
> >
>
>

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 04:03 PM, bahan w wrote:
> Re Martin.
> 
> Here we are for the ipaclient-install.log:
> 
> ###
> 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': '', 'force': False, 'realm_name':
> '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
> True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
> False, 'principal': 'admin', 'hostname': '', 'no_ac':
> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
> False, 'force_join': False, 'ca_cert_file': None, 'server': [' SERVER>'], 'prompt_password': False, 'permit': False, 'debug': True,
> 'preserve_sssd': False, 'uninstall': False}
> 2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
> later
> 2016-01-20T14:55:48Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2016-01-20T14:55:48Z DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2016-01-20T14:55:48Z DEBUG [IPA Discovery]
> 2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=,
> servers=[''], hostname=
> 2016-01-20T14:55:48Z DEBUG Server and domain forced
> 2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
> 2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
> _kerberos..
> 2016-01-20T14:55:48Z DEBUG No DNS record found
> 2016-01-20T14:55:48Z DEBUG [LDAP server check]
> 2016-01-20T14:55:48Z DEBUG Verifying that  (realm None) is
> an IPA server
> 2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap:// SERVER>:389
> 2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
> 2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: 
> 2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
> dc=
> 2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
> server=None, domain=, kdc=None, basedn=
> 2016-01-20T14:55:48Z DEBUG Validated servers: 
> 2016-01-20T14:55:48Z DEBUG will use discovered domain: 
> 2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
> discovery
> 2016-01-20T14:55:48Z DEBUG will use provided server: 
> 2016-01-20T14:55:48Z DEBUG will use discovered realm: 
> 2016-01-20T14:55:48Z ERROR The provided realm name [] does not
> match discovered one []

Well, I think the line above is the key to the problem. The realm you provided
and the one discovered do not match.

> 2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
> 2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
> 2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
> ###
> 
> Best regards.
> 
> Bahan
> 
> On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek  wrote:
> 
>> Adding freeipa-users back, so that others can benefit from the answer.
>>
>> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
>> that we can get the full context of the bug? You may also want to open a
>> RHEL-6 Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
>> maintained in RHEL-6.x.
>>
>> Thanks,
>> Martin
>>
>> On 01/20/2016 01:39 PM, bahan w wrote:
>>> Hello Martin !
>>>
>>> Thanks for your answer, Martin !
>>>
>>> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
>>> I still have the same error message.
>>>
>>> # rpm -qa | grep ipa-client
>>> ipa-client-3.0.0-47.el6.x86_64
>>>
>>> And in ipa-client-install.log:
>>> ###
>>> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
>>> 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None) is
>>> an IPA server
>>> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap://>> server>:389
>>> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek  wrote:
>>>
>>>> On 01/20/2016 12:08 PM, bahan w wrote:
>>>>> Hello !
>>>>>
>>>>> I send you this mail because of the following topic.
>>>>>
>>>>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
>>>>> access for security reasons.
>>>>>
>>>>> But now, I have a problem when I try to enroll a new host.
>>>>>
>>>>> Here is the command I try:
>>>>> ###
>>>>> ipa-client-install --domain= --realm= --server= ipaserver> --principal=admin --password=
>>>>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
>>>>> --unattended
>>>>> ###
>>>>>
>>>>> And here is the error message:
>>>>> ###
>>>>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
>>>>> an IPA server
>>>>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// server>:389
>>>>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
>>>>> ###
>>>>>
>>>>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous
>>>>> access disabled?
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I
made a mistake.

Here we are, for the confusing lines:
###
Assuming realm is the same as domain: 
Generated basedn from realm: dc=
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
kdc=None, basedn=dc=
Validated servers: 
will use discovered domain: 
Using servers from command line, disabling DNS discovery
will use provided server: 
will use discovered realm: 
The provided realm name [] does not match discovered one
[]
(: Assumed same as domain)
Installation failed. Rolling back changes
IPA client is not configured on this system.
###

Is it more clear? Sorry again for the confusion.

I use a realm which is different from the domain.

Best regards.

Bahan

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello !

I send you this mail because of the following topic.

I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
access for security reasons.

But now, I have a problem when I try to enroll a new host.

Here is the command I try:
###
ipa-client-install --domain= --realm= --server= --principal=admin --password=
--mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
--unattended
###

And here is the error message:
###
2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
an IPA server
2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
###

Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
disabled?

Best regards.

Bahan

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 12:08 PM, bahan w wrote:
> Hello !
> 
> I send you this mail because of the following topic.
> 
> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> access for security reasons.
> 
> But now, I have a problem when I try to enroll a new host.
> 
> Here is the command I try:
> ###
> ipa-client-install --domain= --realm= --server= ipaserver> --principal=admin --password=
> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
> --unattended
> ###
> 
> And here is the error message :
> ###
> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
> an IPA server
> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> ###
> 
> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
> disabled?
> 
> Best regards.
> 
> Bahan

Hello,

This looks like
https://bugzilla.redhat.com/show_bug.cgi?id=922843

It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and later).

HTH,
Martin



Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
Adding freeipa-users back, so that others can benefit from the answer.

Can you please attach a full ipaclient-install.log DEBUG log somewhere so that
we can get the full context of the bug? You may also want to open a RHEL-6
Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maintained
in RHEL-6.x.

Thanks,
Martin

On 01/20/2016 01:39 PM, bahan w wrote:
> Hello Martin !
> 
> Thanks for your answer, Martin !
> 
> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately I
> still have the same error message.
> 
> # rpm -qa | grep ipa-client
> ipa-client-3.0.0-47.el6.x86_64
> 
> And in ipa-client-install.log :
> ###
> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None) is
> an IPA server
> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> ###
> 
> Best regards.
> 
> Bahan
> 
> 
> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek  wrote:
> 
>> On 01/20/2016 12:08 PM, bahan w wrote:
>>> Hello !
>>>
>>> I send you this mail because of the following topic.
>>>
>>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
>>> access for security reasons.
>>>
>>> But now, I have a problem when I try to enroll a new host.
>>>
>>> Here is the command I try:
>>> ###
>>> ipa-client-install --domain= --realm= --server=>> ipaserver> --principal=admin --password=
>>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
>>> --unattended
>>> ###
>>>
>>> And here is the error message :
>>> ###
>>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
>>> an IPA server
>>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://>> server>:389
>>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
>>> disabled?
>>>
>>> Best regards.
>>>
>>> Bahan
>>
>> Hello,
>>
>> This looks like
>> https://bugzilla.redhat.com/show_bug.cgi?id=922843
>>
>> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
>> later).
>>
>> HTH,
>> Martin
>>
>>
> 



Re: [Freeipa-users] ipa-client-install error

2015-09-28 Thread ladanyi


Hi Bahan,


Hey.

Try to remove the cert file in /etc/ipa of this client.

And then retry.



this was perfect :-) Thank you.



Best regards.

Bahan


Andy



Hi,

I want to install ipa client: ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


selinux on the ipa client and ipa server is permissive, iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.


About the client:

rpm -qi ipa-client
Name: ipa-client
Version : 4.1.0
Release : 18.el7.centos.4


About the freeipa server:

rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21


regards,
Andy





[Freeipa-users] ipa-client-install error

2015-09-25 Thread Andreas Ladanyi
Hi,

I want to install ipa client: ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


selinux on the ipa client and ipa server is permissive, iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.


About the client:

rpm -qi ipa-client
Name: ipa-client
Version : 4.1.0
Release : 18.el7.centos.4


About the freeipa server:

rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21


regards,
Andy




Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-15 Thread Jan Pazdziora
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote:
> On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo 
> > wrote:
> > 
> > > on a CentOS 7.1 host when enrolling it with (among other) the switch
> > > --request-cert it does not create a host certificate for it. The host is
> > > properly joined but no certificate is present.
> > >
> > > In the ipaclient-install.log file I see this:
> > >
> > > 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
> > 
> > it's not working when joining a centos 6.7 realm either, same error.
> 
> Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=1262718
> 
> now.
> 
> Thank you for bringing this to our attention.

It turns out it's wrong labeling of the /etc/ipa/nssdb directory that
the certificate should get stored in:

https://bugzilla.redhat.com/show_bug.cgi?id=1262718#c7

Giving it cert_t should help this particular issue but we need to
investigate if it has the potential to break something else.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
I think it was not having dynamic updates enabled for the reverse zone.  
I enabled those and PTR sync on both the forward and reverse and now it 
seems to be working for a new client that I joined.


What I'm not clear on at this point is why that is not a default 
setting.  I know at some point I deleted a /24 reverse zone and made a 
/16 instead because we have too many /24s to manage efficiently.


Also, due to the issues that can arise from not having valid PTR 
entries, you would think that this would be defaulted to on.


On 9/14/2015 12:03 AM, Martin Basti wrote:

Hi,
can you check the journalctl -u named(-pkcs11) on server, they might 
be errors why PTR record has not been added.


Do you have enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:


Hi,

I've seen the same issue recently on various clients using ipa 3.3 
and ipa 4.* during the first join on a clean OS. Can't confirm it was 
working before. Is it normal behavior?


Allow PTR sync is enabled.

Cheers,

On 12 Sept. 2015 7:44 AM, "Nathan Peters" wrote:



On 9/11/2015 10:32 AM, Simo Sorce wrote:

On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:

I have been trying to figure this out for a while now but
when I join
machine to FreeIPA, the installer properly creates
forward DNS
entries, and DNS SSHFP entries, but does not create reverse
entries.
Without the PTR records, kerberos logins are always
failing on these
machines.

I am interested in understanding what fails exactly; stuff
should not depend on reverse resolution. Can you give me an
example of a failure?

For the PTR creation anyway, have you enabled the option to
allow setting PTR records?
There is a global DNS option (as well as a per-zone setting)
called "Allow PTR Sync" you may want to enable.


When we attempt to login using kerberos on a machine that has no
reverse DNS entry defined, we are instead prompted with a
password prompt.  The password authentication still works but the
ticket does not.

From what I read, the Allow PTR Sync option is only used in
conjunction with DNS IP address changes and does not apply to the
initial join of the domain.

Is the joining process supposed to create reverse DNS entries for
the clients or just forward entries and SSHFP entries?

-- 
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project








Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti

Hi,
can you check the journalctl -u named(-pkcs11) on server, they might be 
errors why PTR record has not been added.


Do you have enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:


Hi,

I've seen the same issue recently on various clients using ipa 3.3 and 
ipa 4.* during the first join on a clean OS. Can't confirm it was 
working before. Is it normal behavior?


Allow PTR sync is enabled.

Cheers,

On 12 Sept. 2015 7:44 AM, "Nathan Peters" wrote:



On 9/11/2015 10:32 AM, Simo Sorce wrote:

On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com
 wrote:

I have been trying to figure this out for a while now but
when I join
machine to FreeIPA, the installer properly creates forward DNS
entries, and DNS SSHFP entries, but does not create reverse
entries.
Without the PTR records, kerberos logins are always
failing on these
machines.

I am interested in understanding what fails exactly; stuff
should not depend on reverse resolution. Can you give me an
example of a failure?

For the PTR creation anyway, have you enabled the option to
allow setting PTR records?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.


When we attempt to login using kerberos on a machine that has no
reverse DNS entry defined, we are instead prompted with a password
prompt.  The password authentication still works but the ticket
does not.

From what I read, the Allow PTR Sync option is only used in
conjunction with DNS IP address changes and does not apply to the
initial join of the domain.

Is the joining process supposed to create reverse DNS entries for
the clients or just forward entries and SSHFP entries?

-- 
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project






Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Jan Pazdziora
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo 
> wrote:
> 
> > on a CentOS 7.1 host when enrolling it with (among other) the switch
> > --request-cert it does not create a host certificate for it. The host is
> > properly joined but no certificate is present.
> >
> > In the ipaclient-install.log file I see this:
> >
> > 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
> 
> it's not working when joining a centos 6.7 realm either, same error.

Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed

https://bugzilla.redhat.com/show_bug.cgi?id=1262718

now.

Thank you for bringing this to our attention.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Martin Kosek
On 09/12/2015 03:14 PM, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo 
> wrote:
> 
>> hi,
>>
>> on a CentOS 7.1 host when enrolling it with (among other) the switch
>> --request-cert it does not create a host certificate for it. The host is
>> properly joined but no certificate is present.
>>
>> In the ipaclient-install.log file I see this:
>>
>> 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
>>
> 
> it's not working when joining a centos 6.7 realm either, same error.

We would need more debug messages from the client log or the server apache log
to see what's wrong. You can also try to "ipa-getcert request" a new
certificate and see what is the response from the server, why the request
failed. CCing Jan for reference.



Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-13 Thread Youenn PIOLET
Hi,

I've seen the same issue recently on various clients using ipa 3.3 and ipa
4.* during the first join on a clean OS. Can't confirm it was working
before. Is it normal behavior?

Allow PTR sync is enabled.

Cheers,
On 12 Sept. 2015 7:44 AM, "Nathan Peters" wrote:

>
> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>
>> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>>
>>> I have been trying to figure this out for a while now but when I join
>>> machine to FreeIPA, the installer properly creates forward DNS
>>> entries, and DNS SSHFP entries, but does not create reverse entries.
>>> Without the PTR records, kerberos logins are always failing on these
>>> machines.
>>>
>> I am interested in understanding what fails exactly; stuff should not
>> depend on reverse resolution. Can you give me an example of a failure?
>>
>> For the PTR creation anyway, have you enabled the option to allow setting
>> PTR records?
>> There is a global DNS option (as well as a per-zone setting) called
>> "Allow PTR Sync" you may want to enable.
>>
>>
> When we attempt to login using kerberos on a machine that has no reverse
> DNS entry defined, we are instead prompted with a password prompt.  The
> password authentication still works but the ticket does not.
>
> From what I read, the Allow PTR Sync option is only used in conjunction
> with DNS IP address changes and does not apply to the initial join of the
> domain.
>
> Is the joining process supposed to create reverse DNS entries for the
> clients or just forward entries and SSHFP entries?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

[Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
hi,

on a CentOS 7.1 host when enrolling it with (among other) the switch
--request-cert it does not create a host certificate for it. The host is
properly joined but no certificate is present.

In the ipaclient-install.log file I see this:

2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed

but no other clue as to what went wrong.

How can I troubleshoot this?

Thanks!

-- 
--
Groeten,
natxo

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo 
wrote:

> hi,
>
> on a CentOS 7.1 host when enrolling it with (among other) the switch
> --request-cert it does not create a host certificate for it. The host is
> properly joined but no certificate is present.
>
> In the ipaclient-install.log file I see this:
>
> 2015-09-12T09:34:02Z ERROR certmonger request for host certificate failed
>

It's not working when joining a CentOS 6.7 realm either; same error.

-- 
regards,
natxo

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Simo Sorce
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
> I have been trying to figure this out for a while now but when I join a
> machine to FreeIPA, the installer properly creates forward DNS
> entries, and DNS SSHFP entries, but does not create reverse entries.
> Without the PTR records, kerberos logins are always failing on these
> machines.

I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?

For the PTR creation anyway, have you enabled the option to allow setting
PTR records?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread nathan
I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries,
and DNS SSHFP entries, but does not create reverse entries. Without the
PTR records, kerberos logins are always failing on these machines.

The reverse zones exist, all DNS is managed by FreeIPA, and I am able to
manually add the entries just fine.

Environment :
Servers : CentOS7, FreeIPA 4.1.4
Clients : CentOS 6.5, FreeIPA client 3.0.0-42

I have tried this both with the Internal FreeIPA 'admin' user as the join
user and as another user called 'joinscript' which has the host enrollment
and DNS administrator privileges.

Here is the ipa-client install log:

2015-09-11T16:24:05Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'server':
None, 'no_nisdomain': False, 'principal': 'joinscript', 'hostname':
'ipaclient.ipadomain.net', 'no_ac': False, 'unattended': True, 'sssd':
True, 'trust_sshfp': False, 'realm_name': None, 'dns_updates': True,
'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file':
None, 'nisdomain': None, 'prompt_password': False, 'permit': False,
'debug': False, 'preserve_sssd': False, 'uninstall': False}
2015-09-11T16:24:05Z DEBUG missing options might be asked for
interactively later
2015-09-11T16:24:05Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-09-11T16:24:05Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-09-11T16:24:05Z DEBUG [IPA Discovery]
2015-09-11T16:24:05Z DEBUG Starting IPA discovery with domain=None,
servers=None, hostname=ipaclient.ipadomain.net
2015-09-11T16:24:05Z DEBUG Start searching for LDAP SRV record in
"ipadomain.net" (domain of the hostname) and its sub-domains
2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of
_ldap._tcp.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc1.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc2.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG [Kerberos realm search]
2015-09-11T16:24:05Z DEBUG Search DNS for TXT record of
_kerberos.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_kerberos.ipadomain.net.,type:16,class:1,rdata={data:ipadomain.net}
2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of
_kerberos._udp.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_kerberos._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:dc2.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_kerberos._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:dc1.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG [LDAP server check]
2015-09-11T16:24:05Z DEBUG Verifying that dc1.ipadomain.net (realm
ipadomain.net) is an IPA server
2015-09-11T16:24:05Z DEBUG Init LDAP connection with:
ldap://dc1.ipadomain.net:389
2015-09-11T16:24:05Z DEBUG Search LDAP server for IPA base DN
2015-09-11T16:24:05Z DEBUG Check if naming context 'dc=ipadomain,dc=net'
is for IPA
2015-09-11T16:24:05Z DEBUG Naming context 'dc=ipadomain,dc=net' is a valid
IPA context
2015-09-11T16:24:05Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=ipadomain,dc=net (sub)
2015-09-11T16:24:05Z DEBUG Found:
cn=ipadomain.net,cn=kerberos,dc=ipadomain,dc=net
2015-09-11T16:24:05Z DEBUG Discovery result: Success;
server=dc1.ipadomain.net, domain=ipadomain.net,
kdc=dc2.ipadomain.net,dc1.ipadomain.net, basedn=dc=ipadomain,dc=net
2015-09-11T16:24:05Z DEBUG Validated servers: dc1.ipadomain.net
2015-09-11T16:24:05Z DEBUG will use discovered domain: ipadomain.net
2015-09-11T16:24:05Z DEBUG Start searching for LDAP SRV record in
"ipadomain.net" (Validating DNS Discovery) and its sub-domains
2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of
_ldap._tcp.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc2.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc1.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS validated, enabling discovery
2015-09-11T16:24:05Z DEBUG will use discovered server: dc1.ipadomain.net
2015-09-11T16:24:05Z INFO Discovery was successful!
2015-09-11T16:24:05Z DEBUG will use discovered realm: ipadomain.net
2015-09-11T16:24:05Z DEBUG will use discovered basedn: dc=ipadomain,dc=net
2015-09-11T16:24:05Z INFO Hostname: ipaclient.ipadomain.net
2015-09-11T16:24:05Z DEBUG 

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Nathan Peters


On 9/11/2015 10:32 AM, Simo Sorce wrote:

> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>
>> I have been trying to figure this out for a while now but when I join a
>> machine to FreeIPA, the installer properly creates forward DNS
>> entries, and DNS SSHFP entries, but does not create reverse entries.
>> Without the PTR records, kerberos logins are always failing on these
>> machines.
>
> I am interested in understanding what fails exactly; stuff should not
> depend on reverse resolution. Can you give me an example of a failure?
>
> For the PTR creation anyway, have you enabled the option to allow setting
> PTR records?
> There is a global DNS option (as well as a per-zone setting) called
> "Allow PTR Sync" you may want to enable.



When we attempt to login using kerberos on a machine that has no reverse 
DNS entry defined, we are instead prompted with a password prompt.  The 
password authentication still works but the ticket does not.


From what I read, the Allow PTR Sync option is only used in conjunction 
with DNS IP address changes and does not apply to the initial join of 
the domain.


Is the joining process supposed to create reverse DNS entries for the 
clients or just forward entries and SSHFP entries?


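An added example, not code from the thread, in Python: it checks the forward/reverse agreement that the login path above is tripping over, with the resolvers injected so it runs here against a constructed fixture (hostnames and addresses are made up, apart from ipaclient.ipadomain.net taken from the log) and, on a real client, against live DNS via socket; for each address without a PTR it also builds the ipa dnsrecord-add command, assuming a /24 reverse zone.

```python
"""Forward/reverse DNS consistency check for an enrolled FreeIPA client.

Added example, not code from the thread: Kerberos logins above fail on
hosts without a PTR, so this verifies that a client's A record and the
PTR of each address agree, and prints the manual fix for a missing PTR.
"""
import ipaddress
import socket


def check_forward_reverse(fqdn, resolve_addr, resolve_ptr):
    """Return (ok, details) for one client name.

    resolve_addr(name) -> list of IPv4 strings ([] if no A record)
    resolve_ptr(ip)    -> list of names ([] if no PTR record)
    The resolvers are injected so the same check runs against the fixture
    below or against live DNS (live_resolve_addr / live_resolve_ptr).
    """
    name = fqdn.rstrip(".").lower()
    details = {"fqdn": name, "addrs": {}, "missing_ptr": [], "wrong_ptr": []}
    addrs = resolve_addr(name)
    if not addrs:
        details["error"] = "no A record"
        return False, details
    for ip in addrs:
        names = [n.rstrip(".").lower() for n in resolve_ptr(ip)]
        details["addrs"][ip] = names
        if not names:
            details["missing_ptr"].append(ip)
        elif name not in names:
            details["wrong_ptr"].append(ip)
    ok = not details["missing_ptr"] and not details["wrong_ptr"]
    return ok, details


def ptr_fix_command(ip, fqdn, prefixlen=24):
    """Build the 'ipa dnsrecord-add' call that adds a missing PTR by hand.

    Assumes the reverse zone sits on an octet boundary; the /24 default is an
    assumption of this example, not something the thread states.  For
    10.0.0.50 in a /24 the zone is 0.0.10.in-addr.arpa. and the name is 50.
    """
    if prefixlen not in (8, 16, 24):
        raise ValueError("reverse zone must sit on an octet boundary")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefixlen // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    record = ".".join(reversed(octets[n:]))
    return "ipa dnsrecord-add %s %s --ptr-rec=%s." % (zone, record, fqdn.rstrip("."))


# Live resolvers for running the check on a real client.
def live_resolve_addr(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_resolve_ptr(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []


# Constructed fixture (not real records): one client with a matching PTR,
# one without a PTR, one whose PTR points at a stale name.
FORWARD = {
    "ipaclient.ipadomain.net": ["10.0.0.50"],
    "client2.ipadomain.net": ["10.0.0.51"],
    "client3.ipadomain.net": ["10.0.0.52"],
}
REVERSE = {
    "10.0.0.50": ["ipaclient.ipadomain.net"],
    "10.0.0.52": ["oldname.ipadomain.net"],
}


def fixture_resolve_addr(name):
    return FORWARD.get(name, [])


def fixture_resolve_ptr(ip):
    return REVERSE.get(ip, [])


def audit_fixture():
    """Run the check over the fixture; returns {fqdn: (ok, fix commands)}."""
    report = {}
    for fqdn in FORWARD:
        ok, d = check_forward_reverse(fqdn, fixture_resolve_addr, fixture_resolve_ptr)
        report[fqdn] = (ok, [ptr_fix_command(ip, fqdn) for ip in d["missing_ptr"]])
    return report


if __name__ == "__main__":
    for fqdn, (ok, fixes) in audit_fixture().items():
        print("%-28s %s" % (fqdn, "ok" if ok else "PTR problem"))
        for cmd in fixes:
            print("    " + cmd)
```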


Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
Thanks for the update. Adding the mailing list back, to be aware of the results.

Given this description, I wonder if this is hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1201454
that is planned to be fixed in next RHEL-6 minor version.

On 06/03/2015 10:46 AM, bahan w wrote:
 Hello again.
 
 The problem was coming from the sshd_config file.
 The parameter PubkeyAuthentication=yes was placed after the parameter
 PasswordAuthentication=yes.
 I uncommented PubkeyAuthentication=yes before PasswordAuthentication
 and now it works.
 
 The problem is solved.
 
 Best regards.
 
 Bahan
 
 
 On Wed, Jun 3, 2015 at 10:05 AM, bahan w bahanw042...@gmail.com wrote:
 
 Hello Martin.

 Unfortunately for me, I cannot migrate OS so I need to make it work with
 RHEL 6.4. :-(

 Best regards.
 On 3 June 2015 at 09:39, Martin Kosek mko...@redhat.com wrote:

 On 06/02/2015 06:27 PM, bahan w wrote:
 Hello !

 I send you this mail because I have a problem linked with SSH and
 FreeIPA.

 I have multiple servers :
 - One with FreeIPA server 3.0.0-26
 - The others with FreeIPA client 3.0.0-26

 They are running on RHEL 6.4.

 I configured a root user on each of them.
 On one specific server, I created an rsa key in order to connect
 passwordlessly from a specific server to all the others
 
 ssh-keygen -t rsa
 

 I distributed the public key on all the others :
 
 for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
 

 Once it was done, I modified the rights on these files :
 
 for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
 

 And I was able to connect to all these servers without entering a
 password.
 The system was working well.

 When I installed ipa-server on a specific server, this connection with the
 RSA key was not possible anymore.
 Each time I tried to connect to the server through SSH, it keeps asking me
 for a password.
 I tried to install the ipa-client on another server to just check if I had
 the same behaviour and indeed, each time I run ipa-client-install, I can't
 connect passwordlessly with root anymore.

 Hello,

 SSH with a key for the root account should work; SSSD (or the SSH public key
 tools) should not interfere with the root user account at all. What I would
 suggest is to try some newer version of sssd+ipa-client; RHEL-6.4 is quite
 old already. RHEL-6.6 (or even RHEL-7.1) would be a better starting point.


 


Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:27 PM, bahan w wrote:
 Hello !
 
 I send you this mail because I have a problem linked with SSH and FreeIPA.
 
 I have multiple servers :
 - One with FreeIPA server 3.0.0-26
 - The others with FreeIPA client 3.0.0-26
 
 They are running on RHEL 6.4.
 
 I configured a root user on each of them.
 On one specific server, I created an rsa key in order to connect
 passwordlessly from a specific server to all the others
 
 ssh-keygen -t rsa
 
 
 I distributed the public key on all the others :
 
 for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
 
 
 Once it was done, I modified the rights on these files :
 
 for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
 
 
 And I was able to connect to all these servers without entering a password.
 The system was working well.
 
 When I installed ipa-server on a specific server, this connection with the
 RSA key was not possible anymore.
 Each time I tried to connect to the server through SSH, it keeps asking me
 for a password.
 I tried to install the ipa-client on another server to just check if I had
 the same behaviour and indeed, each time I run ipa-client-install, I can't
 connect passwordlessly with root anymore.

Hello,

SSH with a key for the root account should work; SSSD (or the SSH public key
tools) should not interfere with the root user account at all. What I would
suggest is to try some newer version of sssd+ipa-client; RHEL-6.4 is quite
old already. RHEL-6.6 (or even RHEL-7.1) would be a better starting point.



[Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-02 Thread bahan w
Hello !

I send you this mail because I have a problem linked with SSH and FreeIPA.

I have multiple servers :
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26

They are running on RHEL 6.4.

I configured a root user on each of them.
On one specific server, I created an rsa key in order to connect
passwordlessly from a specific server to all the others

ssh-keygen -t rsa


I distributed the public key on all the others :

for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done


Once it was done, I modified the rights on these files :

for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done


And I was able to connect to all these servers without entering a password.
The system was working well.

When I installed ipa-server on a specific server, this connection with the
RSA key was not possible anymore.
Each time I tried to connect to the server through SSH, it keeps asking me
for a password.
I tried to install the ipa-client on another server to just check if I had
the same behaviour and indeed, each time I run ipa-client-install, I can't
connect passwordlessly with root anymore.

Here is the command I use for the ipa-client-install :

ipa-client-install -U --realm=MYREALM --domain=mydomain.com --server=myipaserver.mydomain.com --principal=admin --password=X --mkhomedir -N --ca-cert=/tmp/ca.crt --hostname=myipaclient1.mydomain.com


When I add the option --no-sshd, the ssh passwordless connection is still
operational, but if I don't put this option, then my ssh passwordless
connection does not work anymore.

Here is the content of the sshd_config file before (ssh pubkey connection
working) and after (ssh pubkey connection not working) :

Before :

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes


After, when it does not work :

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes


A quick diff -u shows me that the only difference between these
configurations is the following parameter in the new file (when it does not
work) :

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys


Here is the log of the SSH connection when it works :

ssh -vvv myipaclient1.mydomain.com

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 myipaclient1.mydomain.com
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing 
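An added example, not the poster's or the project's code, in Python: it parses two sshd_config snapshots the way sshd does (first value per keyword wins, a few keywords accumulate, Match blocks are skipped), reports which effective settings changed after ipa-client-install, and flags the ones that matter for key-based root login; BEFORE and AFTER are constructed subsets of the files posted above.

```python
"""Read sshd_config the way sshd(8) does and diff two snapshots.

Added example, not code from the thread.  sshd keeps the FIRST value it
meets for a keyword (later repeats are ignored) except for a few cumulative
keywords, so a plain text diff can hide what actually took effect.
"""
import re

# Keywords that accumulate across lines instead of first-value-wins.
CUMULATIVE = {"acceptenv", "hostkey", "listenaddress", "port", "subsystem"}
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Return (effective, ignored).

    effective: {keyword (lowercased): value}; cumulative keywords map to a
               list of values in file order.
    ignored:   [(keyword, value)] for repeats sshd would discard.
    Parsing stops at a Match block, whose settings depend on the connection.
    """
    effective, ignored = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key in CUMULATIVE:
            effective.setdefault(key, []).append(value)
        elif key in effective:
            ignored.append((key, value))
        else:
            effective[key] = value
    return effective, ignored


def diff_effective(before, after):
    """Keywords whose effective value changed: {keyword: (old, new)}."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys
            if before.get(k) != after.get(k)}


def audit_pubkey_login(effective, ignored):
    """Findings that matter for key-based (root) login, as plain strings."""
    findings = []
    if effective.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off")
    if "authorizedkeyscommand" in effective:
        findings.append("AuthorizedKeysCommand is set to %s; sshd will also "
                        "consult it for keys" % effective["authorizedkeyscommand"])
    for key, value in ignored:
        findings.append("%s repeated: value %r ignored, %r is in effect"
                        % (key, value, effective[key]))
    return findings


# Constructed subsets of the posted sshd_config files (not the full files).
BEFORE = """\
AcceptEnv LANG LC_CTYPE LC_NUMERIC
AcceptEnv XMODIFIERS
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
GSSAPIAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
"""
AFTER = BEFORE.replace(
    "AllowGroups staff root\n",
    "AllowGroups staff root\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n")


def compare_snapshots(before_text=BEFORE, after_text=AFTER):
    """Return (changes, findings_after) for two sshd_config texts."""
    before, _ = parse_sshd_config(before_text)
    after, ignored = parse_sshd_config(after_text)
    return diff_effective(before, after), audit_pubkey_login(after, ignored)


if __name__ == "__main__":
    changes, findings = compare_snapshots()
    for key, (old, new) in changes.items():
        print("%s: %r -> %r" % (key, old, new))
    for f in findings:
        print("note: " + f)
```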

Re: [Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Alexander Bokovoy

On Sat, 16 May 2015, Günther J. Niederwimmer wrote:

> Hello,
>
> When I install an IPA client (CentOS 7.1) I have this error in the log.
>
> freeipa ERROR certmonger request for host certificate failed
>
> Is there a way to get this certificate back?
>
> I am fairly new to FreeIPA and have many problems :-(.

Since FreeIPA 4.1, the host certificate is not created by default, and failing
to fetch it is not an issue. The certificate is not used anywhere.
--
/ Alexander Bokovoy



[Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Günther J. Niederwimmer
Hello,

When I install an IPA client (CentOS 7.1) I have this error in the log.

freeipa ERROR certmonger request for host certificate failed

Is there a way to get this certificate back?

I am fairly new to FreeIPA and have many problems :-(.

Thanks for the help,

-- 
kind regards / best regards,

 Günther J. Niederwimmer



Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Yogesh Sharma
Thanks Gonzalo. Appreciate your help here, Let me try this.




Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
LinkedIn: http://in.linkedin.com/in/yks


On Sat, Mar 28, 2015 at 11:23 PM, Gonzalo Fernandez Ordas 
g.fer.or...@unicyber.co.uk wrote:

 Yogesh

 you do not need to explain anything to me. Most people around here are in
 the same boat and have been working on this stuff already for quite a while.

 I forgot to mention this is for a PROPER sssd run; still, you will need all
 those below as you will get some issues sorted (especially sudo related).

 So... you need the following, if I remember well:

 system-arch -- system architecture

 libipa_hbac-1.9.2-129.el6.-system_arch-.rpm
 sssd-client-1.9.2-129.el6.-system_arch-.rpm
 sssd-1.9.2-129.el6_5.4.-system_arch-.rpm
 sudo-1.8.6p3-12.el6.-system_arch-

 I haven't installed the FreeIPA client but I have run sssd successfully
 for a 389-ds server and the above combination worked all right, especially
 the sudo bit, which was a bit of a hell.
 To get to that point I spent a number of fun days thanks to the
 limitations provided by Amazon on their packages.

 Do not forget to install EPEL and try to look for either ipa or
 ipa-server, as I doubt it will be called freeipa at all (I haven't
 tested that though).

 Gonzalo


 On 27/03/2015 01:03, Yogesh Sharma wrote:

 Gonzalo,

 We have some running servers on Amazon Linux and it would be difficult
 to migrate all those to CentOS or RHEL as of now. Hence, if you can provide
 the package versions, it would really help us until we do the
 migration.

 For sure all our new servers are going to be CentOS or RHEL.

 Best Regards,
 Yogesh Sharma
 Email: yks0...@gmail.com | Web: www.initd.in
 RHCE, VCE-CIA, RackSpace Cloud U
 LinkedIn: http://in.linkedin.com/in/yks


 On Fri, Mar 27, 2015 at 1:03 PM, Gonzalo Fernandez Ordas 
 g.fer.or...@unicyber.co.uk wrote:

 Yogesh

 My personal experience using AWS Linux and LDAP is not a good one and
 mostly an utter nightmare in relation to packages.
 Personally I would recommend you to keep away from AWS Linux and get
 CentOS, Fedora or Red Hat.
 Still, if you want to go ahead, I can give you the right versions for a
 couple of packages as the default sudo given by Amazon simply DOES NOT work
 (no idea what they have done to it..)

 Thanks

 On 27/03/2015 00:03, Yogesh Sharma wrote:

 Hello,

 Is there any repo available for Amazon Linux to install the IPA client, or
 is the way below the only one, as found in the freeipa-users mail archive?

 http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html

 Thanks for the help.

 Best Regards,
 Yogesh Sharma








Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Gokulnath
Quick question: if you have used Deion for LDAP and sudo, are all connections
through Kerberos? And will all clients and registered hosts be in the same
domain?

Gokul

Sent from iPhone

 On Mar 29, 2015, at 12:14 PM, Yogesh Sharma yks0...@gmail.com wrote:
 
 Thanks Gonzalo. Appreciate your help here, Let me try this.
 
 Best Regards,
 Yogesh Sharma
 Email: yks0...@gmail.com | Web: www.initd.in
 RHCE, VCE-CIA, RackSpace Cloud U
 
 On Sat, Mar 28, 2015 at 11:23 PM, Gonzalo Fernandez Ordas
 g.fer.or...@unicyber.co.uk wrote:
 Yogesh
 
 you do not need to explain anything to me. Most people around here are in
 the same boat and have been working on this stuff already for quite a while.
 
 I forgot to mention this is for a PROPER sssd run; still, you will need all
 those below as you will get some issues sorted (especially sudo related).
 
 So... you need the following, if I remember well:
 
 system-arch -- system architecture
 
 libipa_hbac-1.9.2-129.el6.-system_arch-.rpm
 sssd-client-1.9.2-129.el6.-system_arch-.rpm
 sssd-1.9.2-129.el6_5.4.-system_arch-.rpm
 sudo-1.8.6p3-12.el6.-system_arch-
 
 I haven't installed the FreeIPA client but I have run sssd successfully for
 a 389-ds server and the above combination worked all right, especially the
 sudo bit, which was a bit of a hell.
 To get to that point I spent a number of fun days thanks to the limitations
 provided by Amazon on their packages.
 
 Do not forget to install EPEL and try to look for either ipa or
 ipa-server, as I doubt it will be called freeipa at all (I haven't tested
 that though).
 
 Gonzalo
 
 On 27/03/2015 01:03, Yogesh Sharma wrote:
 Gonzalo,
 
 We have some running servers on Amazon Linux and it would be difficult to
 migrate all those to CentOS or RHEL as of now. Hence, if you can provide the
 package versions, it would really help us until we do the migration.
 
 For sure all our new servers are going to be CentOS or RHEL.
 
 Best Regards,
 Yogesh Sharma
 Email: yks0...@gmail.com | Web: www.initd.in
 RHCE, VCE-CIA, RackSpace Cloud U
 
 On Fri, Mar 27, 2015 at 1:03 PM, Gonzalo Fernandez Ordas
 g.fer.or...@unicyber.co.uk wrote:
 Yogesh
 
 My personal experience using AWS Linux and LDAP is not a good one and
 mostly an utter nightmare in relation to packages.
 Personally I would recommend you to keep away from AWS Linux and get
 CentOS, Fedora or Red Hat.
 Still, if you want to go ahead, I can give you the right versions for a
 couple of packages as the default sudo given by Amazon simply DOES NOT
 work (no idea what they have done to it..)
 
 Thanks
 
 On 27/03/2015 00:03, Yogesh Sharma wrote:
 Hello,
 
 Is there any repo available for Amazon Linux to install the IPA client, or
 is the way below the only one, as found in the freeipa-users mail archive?
 
 http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
 
 Thanks for the help.
 
 Best Regards,
 Yogesh Sharma

[Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Yogesh Sharma
Hello,

Is there any repo available for Amazon Linux to install the IPA client, or
is the way below the only one, as found in the freeipa-users mail archive?

http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html

Thanks for the help.

Best Regards,
Yogesh Sharma

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Gonzalo Fernandez Ordas

Yogesh

My personal experience using AWS Linux and LDAP is not a good one and
mostly an utter nightmare in relation to packages.
Personally I would recommend you to keep away from AWS Linux and get
CentOS, Fedora or Red Hat.
Still, if you want to go ahead, I can give you the right versions for a
couple of packages as the default sudo given by Amazon simply DOES NOT
work (no idea what they have done to it..)

Thanks

On 27/03/2015 00:03, Yogesh Sharma wrote:

> Hello,
>
> Is there any repo available for Amazon Linux to install the IPA client, or
> is the way below the only one, as found in the freeipa-users mail archive?
>
> http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
>
> Thanks for the help.
>
> Best Regards,
> Yogesh Sharma






Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
great, thanks.

On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.

thx
anthony

On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek mko...@redhat.com wrote:

 Ok, thanks for reaching back. BTW, the next RHEL-6 minor release should have
 the keyutils dependency fixed anyway :-)

 Martin

 On 03/25/2015 06:59 PM, Anthony Lanni wrote:
  keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
  reinstalled keyutils and then ran the ipa-server-install again, and this
  time it completed without error.
 
  Thanks very much, Martin and Dmitri!
 
  thx
  anthony
 
  On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com wrote:
 
  On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the end with an
  error regarding the client install on the server. This happens regardless
  of how I input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain example.com --server ldap-server-01.example.com --realm EXAMPLE.COM --hostname ldap-server-01.example.com
  ipa : DEBUG stdout=
 
  ipa : DEBUG stderr=Hostname: ldap-server-01.example.com
  Realm: EXAMPLE.COM
  DNS Domain: example.com
  IPA Server: ldap-server-01.example.com
  BaseDN: dc=example,dc=com
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
    File "/usr/sbin/ipa-client-install", line 2377, in <module>
      sys.exit(main())
    File "/usr/sbin/ipa-client-install", line 2363, in main
      rval = install(options, env, fstore, statestore)
    File "/usr/sbin/ipa-client-install", line 2135, in install
      delete_persistent_client_session_data(host_principal)
    File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
      kernel_keyring.del_key(keyname)
    File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
      real_key = get_real_key(key)
    File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
      (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key], raiseonerr=False)
 
  Is keyctl installed? Can you run it manually?
  Any SELinux denials?
 
  You are likely hitting
  https://fedorahosted.org/freeipa/ticket/3808
 
  Please try installing keyutils before running ipa-server-install. It is
  fixed in RHEL-7; I filed us a RHEL-6 ticket to fix it in this platform also:
  https://bugzilla.redhat.com/show_bug.cgi?id=1205660
 
  Martin


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote:
 I'm referring to the host certificate; I was looking at the web UI,
 under Identity-Hosts in the server details page. The Host Certificate
 section says 'No Valid Certificate'.
 The server has a /etc/krb5.keytab file, and on the same page the
 Enrollment section says 'Kerberos Key Present, Host Provisioned'.

No, masters never got this certificate issued. It was intended to be an
alternate way to authenticate a host to IPA. The host certificate is not
used by IPA currently, and in 4.1 one isn't issued for clients by
default any more.

rob

 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
On 03/26/2015 05:52 PM, Anthony Lanni wrote:
 kinit USER works perfectly; but I can't ssh into the client machine from
 the server without it requesting a password.
 
 I think this is a DNS issue, actually. The server isn't resolving the name
 of the client, so I'm ssh'ing with the IP address, and that's not going to
 work since it's not in the Kerberos db (Cannot determine realm for numeric
 host address).

So it looks like you have found your problem - Kerberos tends to break if DNS
is not set properly.

 Except, of course, that the server did not get its own valid Kerberos host
 certificate. It should, right? during the ipa-client-install --on-master
 step of the server install?

Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
They are 2 distinct things.

 In fact, the global DNS config is completely empty. But I'm going to have
 to tear down the server and rebuild because it's on the same domain as an
 AD server, and ipa-client-install finds that server rather than the new IPA
 server by default: that won't work because I want LDAP to dynamically
 update the records, and establish a trust with the AD server.
 Also we've got 2 linux DNS root servers that act as forwarders. I pointed
 the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
 to configure IPA to use them properly. SO I'm sure that's where most of my
 problems lie.
 
 I've got to RTFM a bit more before I really start asking the right
 questions, I think. At that point I'll start a new thread.

Ok :-)

Martin

 
 
 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
I am not sure what you mean. So are you saying that kinit USER done on server
fails? With what error?

On 03/26/2015 05:28 PM, Anthony Lanni wrote:
 great, thanks.
 
 On a related note: the server still doesn't get a (client) kerberos ticket,
 which means I can't kinit as a user and then log into a client machine
 without a password. Going the other way works fine, however.
 
 thx
 anthony
 


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI, under
Identity-Hosts in the server details page. The Host Certificate section
says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the Enrollment
section says 'Kerberos Key Present, Host Provisioned'.

thx
anthony


On Thu, Mar 26, 2015 at 10:01 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/26/2015 05:52 PM, Anthony Lanni wrote:
  kinit USER works perfectly; but I can't ssh into the client machine from
  the server without it requesting a password.
 
  I think this is a DNS issue, actually. The server isn't resolving the name
  of the client, so I'm ssh'ing with the IP address, and that's not going to
  work since it's not in the Kerberos db (Cannot determine realm for numeric
  host address).

 So it looks like you have found your problem - Kerberos tends to break if DNS
 is not set properly.

  Except, of course, that the server did not get its own valid Kerberos host
  certificate. It should, right? during the ipa-client-install --on-master
  step of the server install?

 Are you asking about host certificate or a Kerberos keytab (/etc/krb5.keytab)?
 They are 2 distinct things.

  In fact, the global DNS config is completely empty. But I'm going to have
  to tear down the server and rebuild because it's on the same domain as an
  AD server, and ipa-client-install finds that server rather than the new IPA
  server by default: that won't work because I want LDAP to dynamically
  update the records, and establish a trust with the AD server.
  Also we've got 2 linux DNS root servers that act as forwarders. I pointed
  the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
  to configure IPA to use them properly. SO I'm sure that's where most of my
  problems lie.
 
  I've got to RTFM a bit more before I really start asking the right
  questions, I think. At that point I'll start a new thread.

 Ok :-)

 Martin

 
 
 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.

I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the Kerberos db (Cannot determine realm for numeric
host address).

Except, of course, that the server did not get its own valid Kerberos host
certificate. It should, right? during the ipa-client-install --on-master
step of the server install?

In fact, the global DNS config is completely empty. But I'm going to have
to tear down the server and rebuild because it's on the same domain as an
AD server, and ipa-client-install finds that server rather than the new IPA
server by default: that won't work because I want LDAP to dynamically
update the records, and establish a trust with the AD server.
Also we've got 2 linux DNS root servers that act as forwarders. I pointed
the IPA server at them, but I don't know enough about FreeIPA or DNS/Bind
to configure IPA to use them properly. SO I'm sure that's where most of my
problems lie.

I've got to RTFM a bit more before I really start asking the right
questions, I think. At that point I'll start a new thread.



thx
anthony

On Thu, Mar 26, 2015 at 9:31 AM, Martin Kosek mko...@redhat.com wrote:

 I am not sure what you mean. So are you saying that kinit USER done on
 server fails? With what error?

 On 03/26/2015 05:28 PM, Anthony Lanni wrote:
  great, thanks.
 
  On a related note: the server still doesn't get a (client) kerberos ticket,
  which means I can't kinit as a user and then log into a client machine
  without a password. Going the other way works fine, however.
 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.

Thanks for the help, everyone!

thx
anthony

On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden rcrit...@redhat.com
wrote:

 Anthony Lanni wrote:
  I'm referring to the host certificate; I was looking at the web UI,
  under Identity-Hosts in the server details page. The Host Certificate
  section says 'No Valid Certificate'.
  The server has a /etc/krb5.keytab file, and on the same page the
  Enrollment section says 'Kerberos Key Present, Host Provisioned'.

 No, masters never got this certificate issued. It was intended to be an
 alternate way to authenticate a host to IPA. The host certificate is not
 used by IPA currently, and in 4.1 one isn't issued for clients by
 default any more.

 rob

 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
keyutils dependency fixed anyway :-)

Martin

On 03/25/2015 06:59 PM, Anthony Lanni wrote:
 keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
 reinstalled keyutils and then ran the ipa-server-install again, and this
 time it completed without error.
 
 Thanks very much, Martin and Dmitri!
 
 thx
 anthony
 


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Martin Kosek
On 03/25/2015 04:11 AM, Dmitri Pal wrote:
 On 03/24/2015 09:17 PM, Anthony Lanni wrote:
 While running ipa-server-install, it's failing out at the end with an error
 regarding the client install on the server. This happens regardless of how I
 input the options, but here's the latest command:

 ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a
 passwd2 --hostname=ldap-server-01.example.com --forwarder=10.0.1.20
 --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d

 Runs through the entire setup and gives me this:

 [...]
 ipa : DEBUG    args=/usr/sbin/ipa-client-install --on-master
 --unattended --domain example.com --server ldap-server-01.example.com --realm
 EXAMPLE.COM --hostname ldap-server-01.example.com
 ipa : DEBUG    stdout=

 ipa : DEBUG    stderr=Hostname: ldap-server-01.example.com
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: ldap-server-01.example.com
 BaseDN: dc=example,dc=com
 New SSSD config will be created
 Configured /etc/sssd/sssd.conf
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 2377, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 2363, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 2135, in install
     delete_persistent_client_session_data(host_principal)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
     kernel_keyring.del_key(keyname)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
     real_key = get_real_key(key)
   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
     (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key],
 raiseonerr=False)
 
 Is keyctl installed? Can you run it manually?
 Any SELinux denials?

You are likely hitting
https://fedorahosted.org/freeipa/ticket/3808

Please try installing keyutils before running ipa-server-install. It is fixed
in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
https://bugzilla.redhat.com/show_bug.cgi?id=1205660

Martin



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Anthony Lanni
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the ipa-server-install again, and this
time it completed without error.

Thanks very much, Martin and Dmitri!

thx
anthony

On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/25/2015 04:11 AM, Dmitri Pal wrote:
  On 03/24/2015 09:17 PM, Anthony Lanni wrote:
  While running ipa-server-install, it's failing out at the end with an
 error
  regarding the client install on the server. This happens regardless of
 how I
  input the options, but here's the latest command:
 
  ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
  http://EXAMPLE.COM -n example.com http://example.com -p passwd1 -a
  passwd2 --hostname=ldap-server-01.example.com
  http://ldap-server-01.example.com --forwarder=10.0.1.20
  --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
 
  Runs through the entire setup and gives me this:
 
  [...]
  ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
  --unattended --domain example.com http://example.com --server
  ldap-server-01.example.com http://ldap-server-01.example.com --realm
  EXAMPLE.COM http://EXAMPLE.COM --hostname ldap-server-01.example.com
  http://ldap-server-01.example.com
  ipa : DEBUGstdout=
 
  ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
  http://ldap-server-01.example.com
  Realm: EXAMPLE.COM http://EXAMPLE.COM
  DNS Domain: example.com http://example.com
  IPA Server: ldap-server-01.example.com 
 http://ldap-server-01.example.com
  BaseDN: dc=example,dc=com
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 2377, in module
  sys.exit(main())
File /usr/sbin/ipa-client-install, line 2363, in main
  rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 2135, in install
  delete_persistent_client_session_data(host_principal)
File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124, in
  delete_persistent_client_session_data
  kernel_keyring.del_key(keyname)
File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
 line
  99, in del_key
  real_key = get_real_key(key)
File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py,
 line
  45, in get_real_key
  (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
 key],
  raiseonerr=False)
 
  Is keyctl installed? Can you run it manually?
  Any SELinux denials?

 You are likely hitting
 https://fedorahosted.org/freeipa/ticket/3808

 Please try installing keyutils before running ipa-server-install. It is
 fixed
 in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
 https://bugzilla.redhat.com/show_bug.cgi?id=1205660

 Martin



Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
Hi there,

All the issues I reported in this long thread are SOLVED.
For completeness, I'm posting here the conclusions.

ipa-client-install did enroll the client but failed in several points:

$ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
[...]
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
[...]
Failed to update DNS records.
[...]
Could not update DNS SSHFP records.
[...]
Unable to find 'admin' user with 'getent passwd ad...@hq.example.com'!
Unable to reliably detect configuration. Check NSS setup manually.
[...]
Client configuration complete.

There were two distinct problems:

1) NTP sync failed because despite using --force-ntpd, chronyd wasn't
stopped beforehand. Stopping it manually solved the issue. I believe
ipa-client-install stopping chronyd was the intended behaviour, in which
case this is perhaps a bug. If it needs to be stopped manually, then it
should be documented clearly.
The failed NTP sync caused Kerberos to fail, which explains "Unable to find
'admin' user with 'getent passwd ad...@hq.example.com'".

2) DNS update failed because for some obscure reason I forgot to open port
53/tcp on the server's firewall. Only 53/udp was open. This fooled me,
because with 53/udp open, the DNS was almost completely functional.
However, updates also require 53/tcp.


All in all, it was a full two days of digging and debugging. The bright side
is, I learned a lot.

A sincere thank you for the many useful answers I received!
Best,
Roberto


On 23 March 2015 at 10:07, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:

 Dmitri, Rob, Jakub,

 I found at least one of the major problems: chronyd.

 This is what I get when I use ipa-client-install on a plain FC21 machine,
 *without* using --force-ntpd

 WARNING: ntpd timedate synchronization service will not be configured as
 conflicting service (chronyd) is enabled
 Use --force-ntpd option to disable it and force configuration of ntpd


 Good, then I abort and run it again with  --force-ntpd:

 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Please check that 123 UDP port is opened.


 Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it
 would take care of stopping and disabling chronyd. But it doesn't. That's
 why I get the error above.

 If I first stop chronyd manually and run the installation again, then it
 does synchronise with NTP.
 This was apparently the cause of id admin not working (kerberos failing
 without proper NTP sync?)
 Now the basic functionalities are all OK.
 Also, chronyd is disabled and ntpd is enabled after installation - good.

 My nsswitch.conf now looks like this:

 passwd: files sss
 shadow: files sss
 group:  files sss
 hosts:  files mdns4_minimal [NOTFOUND=return] dns myhostname
 bootparams: nisplus [NOTFOUND=return] files
 ethers: files
 netmasks:   files
 networks:   files
 protocols:  files
 rpc:files
 services:   files sss
 netgroup:   files sss
 publickey:  nisplus
 automount:  files sss
 aliases:files nisplus
 sudoers: files sss



 I am left with 2 issues:

 1) Is the above expected? Do I have to stop chronyd manually? Or is it a
 bug?
 2) DNS update still does not work


 The latest installation log:


 $ systemctl stop chronyd
 $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
 Discovery was successful!
 Hostname: meson.hq.example.com
 Realm: HQ.EXAMPLE.COM
 DNS Domain: hq.example.com
 IPA Server: ipa.hq.example.com
 BaseDN: dc=hq,dc=example,dc=com

 Continue to configure the system with these values? [no]: yes
 Synchronizing time with KDC...
 User authorized to enroll computers: User authorized to enroll computers:
 admin
 Password for ad...@hq.example.com:
 Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
 Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
 Valid From:  Mon Mar 16 18:44:35 2015 UTC
 Valid Until: Fri Mar 16 18:44:35 2035 UTC

 Enrolled in IPA realm HQ.EXAMPLE.COM
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
 trying https://ipa.hq.example.com/ipa/json
 Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
 Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com
 /ipa/json'
 Systemwide CA database updated.
 Added CA certificates to the default NSS database.
 Hostname (meson.hq.example.com) not found in DNS
 *Failed to update DNS records.*
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
 *Could not update DNS SSHFP records.*
 SSSD enabled
 Configured 
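Added example, not code from this thread or from FreeIPA: a small Python preflight that checks, before running ipa-client-install, the three things the two threads above traced their failures to: a chronyd still active when --force-ntpd is used, a name server that answers SOA over 53/udp but not 53/tcp (dynamic updates need TCP), and a keyctl binary that is present but zero length. The host and zone names are placeholders taken from the thread, and `serve_one_tcp_reply` is a constructed local stand-in for a name server so the TCP path can be exercised offline.

```python
import os
import socket
import struct
import subprocess
import threading


def check_executable(path):
    """Return None when `path` is a non-empty executable file, else the reason.
    A present but zero-length /bin/keyctl makes subprocess raise 'Exec format error'."""
    if not os.path.exists(path):
        return "missing"
    if os.stat(path).st_size == 0:
        return "zero-length file"
    if not os.access(path, os.X_OK):
        return "not executable"
    return None


def service_active(unit):
    """True when systemd reports `unit` active (e.g. chronyd conflicting with ntpd)."""
    try:
        return subprocess.call(["systemctl", "is-active", "--quiet", unit]) == 0
    except OSError:  # no systemctl on this host
        return False


def build_dns_query(name, qtype=6, txid=0x1234):
    """Minimal DNS query: header with RD set, one question (qtype 6 = SOA, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dns_rcode(response):
    """RCODE from the flags word: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def soa_query(server, zone, proto, port=53, timeout=3.0):
    """Send one SOA query over 'udp' or 'tcp'; return (ok, detail).
    A server reachable over UDP only is the half-working state seen in the thread."""
    query = build_dns_query(zone)
    try:
        if proto == "udp":
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(4096)
        else:
            s = socket.create_connection((server, port), timeout=timeout)
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP: 2-byte length prefix
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
        s.close()
    except (OSError, struct.error) as exc:
        return False, "%s/%d: %s" % (proto, port, exc)
    if data[:2] != query[:2]:
        return False, "%s/%d: transaction id mismatch" % (proto, port)
    rcode = dns_rcode(data)
    return rcode == 0, "%s/%d: rcode %d" % (proto, port, rcode)


def preflight(server, zone, keyctl="/bin/keyctl", time_daemons=("chronyd",)):
    """Collect problems to fix before ipa-client-install; an empty list means go."""
    problems = []
    for unit in time_daemons:
        if service_active(unit):
            problems.append("%s is active; stop it before using --force-ntpd" % unit)
    reason = check_executable(keyctl)
    if reason:
        problems.append("%s: %s" % (keyctl, reason))
    for proto in ("udp", "tcp"):
        ok, detail = soa_query(server, zone, proto)
        if not ok:
            problems.append("SOA query for %s failed over %s" % (zone, detail))
    return problems


def serve_one_tcp_reply(rcode):
    """Constructed stand-in for a name server: answer one TCP query on 127.0.0.1
    with an empty response carrying `rcode`; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        length = struct.unpack("!H", conn.recv(2))[0]
        q = conn.recv(length)
        # Echo id and question back, QR+RD+RA set, answer/authority/additional empty
        reply = q[:2] + struct.pack("!H", 0x8180 | rcode) + q[4:6] + b"\x00" * 6 + q[12:]
        conn.sendall(struct.pack("!H", len(reply)) + reply)
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```

A live run is `preflight("ipa.hq.example.com", "hq.example.com")` on the client about to be enrolled; the constructed server only exists to show the TCP path and a SERVFAIL reply offline.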

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Dmitri Pal

On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:

Hi there,

All the issues I reported in this long thread are SOLVED.


Thanks for closing the loop.


For completeness, I'm posting here the conclusions.

ipa-client-install did enroll the client but failed in several points:

$ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
[...]
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. 
Please check that 123 UDP port is opened.

[...]
Failed to update DNS records.
[...]
Could not update DNS SSHFP records.
[...]
Unable to find 'admin' user with 'getent passwd ad...@hq.example.com 
mailto:ad...@hq.example.com'!

Unable to reliably detect configuration. Check NSS setup manually.
[...]
Client configuration complete.

There were two distinct problems:

1) NTP sync failed because despite using --force-ntpd, chronyd wasn't 
stopped beforehand. Stopping it manually solved the issue. I believe 
ipa-client-install stopping chronyd was the intended behaviour, in 
which case this is perhaps a bug. If it needs to be stopped manually, 
then it should be documented clearly.
The failed NTP sync caused Kerberos to fail, which explains "Unable to 
find 'admin' user with 'getent passwd ad...@hq.example.com 
mailto:ad...@hq.example.com'".


We should probably file a ticket about this. I am just not sure what 
exactly it should be.




2) DNS update failed because for some obscure reason I forgot to open 
port 53/tcp on the server's firewall. Only 53/udp was open. This 
fooled me, because with 53/udp open, the DNS was almost completely 
functional. However, updates also require 53/tcp.



All in all, it was a full two days of digging and debugging. The bright 
side is, I learned a lot.


A sincere thank you for the many useful answers I received!
Best,
Roberto


On 23 March 2015 at 10:07, Roberto Cornacchia 
roberto.cornacc...@gmail.com mailto:roberto.cornacc...@gmail.com 
wrote:


Dmitri, Rob, Jakub,

I found at least one of the major problems: chronyd.

This is what I get when I use ipa-client-install on a plain FC21
machine, /without/ using --force-ntpd

WARNING: ntpd timedate synchronization service will not be
configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration
of ntpd


Good, then I abort and run it again with --force-ntpd:

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is
in sync. Please check that 123 UDP port is opened.


Perhaps I misinterpreted the meaning of --force-ntpd. I had
assumed it would take care of stopping and disabling chronyd. But
it doesn't. That's why I get the error above.

If I first stop chronyd manually and run the installation again,
then it does synchronise with NTP.
This was apparently the cause of id admin not working (kerberos
failing without proper NTP sync?)
Now the basic functionalities are all OK.
Also, chronyd is disabled and ntpd is enabled after installation -
good.

My nsswitch.conf now looks like this:

passwd:   files sss
shadow:   files sss
group:files sss
hosts:files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:   files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:files nisplus
sudoers: files sss



I am left with 2 issues:

1) Is the above expected? Do I have to stop chronyd manually? Or
is it a bug?
2) DNS update still does not work


The latest installation log:


$ systemctl stop chronyd
$ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
Discovery was successful!
Hostname: meson.hq.example.com http://meson.hq.example.com
Realm: HQ.EXAMPLE.COM http://HQ.EXAMPLE.COM
DNS Domain: hq.example.com
IPA Server: ipa.hq.example.com
BaseDN: dc=hq,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: User authorized to enroll
computers: admin
Password for ad...@hq.example.com mailto:ad...@hq.example.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
Valid From:  Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC

Enrolled in IPA realm HQ.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
trying https://ipa.hq.example.com/ipa/json
Forwarding 'ping' to json server 

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
On 24 March 2015 at 14:49, Dmitri Pal d...@redhat.com wrote:

  On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:

 Hi there,

  All the issues I reported in this long thread are SOLVED.


 Thanks for closing the loop.

  For completeness, I'm posting here the conclusions.

  ipa-client-install did enroll the client but failed in several points:

  $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
 [...]
 Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync.
 Please check that 123 UDP port is opened.
 [...]
 Failed to update DNS records.
 [...]
 Could not update DNS SSHFP records.
  [...]
 Unable to find 'admin' user with 'getent passwd ad...@hq.example.com'!
  Unable to reliably detect configuration. Check NSS setup manually.
 [...]
 Client configuration complete.

  There were two distinct problems:

  1) NTP sync failed because despite using --force-ntpd, chronyd wasn't
 stopped beforehand. Stopping it manually solved the issue. I believe
 ipa-client-install stopping chronyd was the intended behaviour, in which
 case this is perhaps a bug. If it needs to be stopped manually, then it
 should be documented clearly.
 The failed NTP sync caused Kerberos to fail, which explains "Unable to
 find 'admin' user with 'getent passwd ad...@hq.example.com'".


 We should probably file a ticket about this. I am just not sure what
 exactly it should be.



IMHO, the "assuming the time is in sync" bit is dangerous. The client and
the server were already quite in sync (both automatically synced with a
remote time server), but apparently not enough. Time sync being so central
in the infrastructure, I would probably want to abort the installation if
no sync can be performed successfully.




  2) DNS update failed because for some obscure reason I forgot to open
 port 53/tcp on the server's firewall. Only 53/udp was open. This fooled me,
 because with 53/udp open, the DNS was almost completely functional.
 However, updates also require 53/tcp.


  All in all, it was a full two days of digging and debugging. The bright
 side is, I learned a lot.

  A sincere thank you for the many useful answers I received!
 Best,
 Roberto


 On 23 March 2015 at 10:07, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

  Dmitri, Rob, Jakub,

  I found at least one of the major problems: chronyd.

  This is what I get when I use ipa-client-install on a plain FC21
 machine, *without* using --force-ntpd

  WARNING: ntpd timedate synchronization service will not be configured
 as
 conflicting service (chronyd) is enabled
 Use --force-ntpd option to disable it and force configuration of ntpd


  Good, then I abort and run it again with  --force-ntpd:

   Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync.
 Please check that 123 UDP port is opened.


  Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it
 would take care of stopping and disabling chronyd. But it doesn't. That's
 why I get the error above.

  If I first stop chronyd manually and run the installation again, then
 it does synchronise with NTP.
 This was apparently the cause of id admin not working (kerberos failing
 without proper NTP sync?)
 Now the basic functionalities are all OK.
 Also, chronyd is disabled and ntpd is enabled after installation - good.

  My nsswitch.conf now looks like this:

  passwd: files sss
 shadow: files sss
 group:  files sss
  hosts:  files mdns4_minimal [NOTFOUND=return] dns myhostname
  bootparams: nisplus [NOTFOUND=return] files
  ethers: files
  netmasks:   files
 networks:   files
 protocols:  files
 rpc:files
  services:   files sss
 netgroup:   files sss
  publickey:  nisplus
  automount:  files sss
  aliases:files nisplus
 sudoers: files sss



  I am left with 2 issues:

  1) Is the above expected? Do I have to stop chronyd manually? Or is it
 a bug?
 2) DNS update still does not work


  The latest installation log:


  $ systemctl stop chronyd
  $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
  Discovery was successful!
  Hostname: meson.hq.example.com
  Realm: HQ.EXAMPLE.COM
 DNS Domain: hq.example.com
 IPA Server: ipa.hq.example.com
  BaseDN: dc=hq,dc=example,dc=com

  Continue to configure the system with these values? [no]: yes
 Synchronizing time with KDC...
  User authorized to enroll computers: User authorized to enroll
 computers: admin
  Password for ad...@hq.example.com:
  Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
  Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
  Valid From:  Mon Mar 16 18:44:35 2015 UTC
 Valid Until: Fri Mar 16 18:44:35 2035 UTC

  Enrolled in IPA realm HQ.EXAMPLE.COM
  Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
  trying 

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Dmitri Pal

On 03/24/2015 09:17 PM, Anthony Lanni wrote:
While running ipa-server-install, it's failing out at the end with an 
error regarding the client install on the server. This happens 
regardless of how I input the options, but here's the latest command:


ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM 
http://EXAMPLE.COM -n example.com http://example.com -p passwd1 -a 
passwd2 --hostname=ldap-server-01.example.com 
http://ldap-server-01.example.com --forwarder=10.0.1.20 
--forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d


Runs through the entire setup and gives me this:

[...]
ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master 
--unattended --domain example.com http://example.com --server 
ldap-server-01.example.com http://ldap-server-01.example.com --realm 
EXAMPLE.COM http://EXAMPLE.COM --hostname ldap-server-01.example.com 
http://ldap-server-01.example.com

ipa : DEBUGstdout=

ipa : DEBUGstderr=Hostname: ldap-server-01.example.com 
http://ldap-server-01.example.com

Realm: EXAMPLE.COM http://EXAMPLE.COM
DNS Domain: example.com http://example.com
IPA Server: ldap-server-01.example.com http://ldap-server-01.example.com
BaseDN: dc=example,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 2377, in module
sys.exit(main())
  File /usr/sbin/ipa-client-install, line 2363, in main
rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 2135, in install
delete_persistent_client_session_data(host_principal)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124, in 
delete_persistent_client_session_data

kernel_keyring.del_key(keyname)
  File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py, 
line 99, in del_key

real_key = get_real_key(key)
  File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py, 
line 45, in get_real_key
(stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, 
key], raiseonerr=False)


Is keyctl installed? Can you run it manually?
Any SELinux denials?

  File /usr/lib/python2.6/site-packages/ipapython/ipautil.py, line 
295, in run

close_fds=True, env=env, cwd=cwd)
  File /usr/lib64/python2.6/subprocess.py, line 642, in __init__
errread, errwrite)
  File /usr/lib64/python2.6/subprocess.py, line 1234, in _execute_child
raise child_exception
OSError: [Errno 8] Exec format error

ipa : INFO   File 
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py, 
line 614, in run_script

return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1103, in main
sys.exit(Configuration of client side components 
failed!\nipa-client-install returned:  + str(e))


ipa : INFO The ipa-server-install command failed, 
exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install 
--on-master --unattended --domain example.com http://example.com 
--server ldap-server-01.example.com 
http://ldap-server-01.example.com --realm EXAMPLE.COM 
http://EXAMPLE.COM --hostname ldap-server-01.advdc.com 
http://ldap-server-01.advdc.com' returned non-zero exit status 1



Same details (without the debug messages, of course) in 
/var/log/ipaserver-install.log. From ipaclient-install.log:

[...]
2015-03-24T23:15:26Z DEBUG Backing up system configuration file 
'/etc/sssd/sssd.conf'
2015-03-24T23:15:26Z DEBUG   - Not backing up - '/etc/sssd/sssd.conf' 
doesn't exist

2015-03-24T23:15:26Z INFO New SSSD config will be created
2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb 
-n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt

2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=
2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab 
host/ldap-server-01.example@example.com 
mailto:ldap-server-01.example@example.com

2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=

I'm running on CENTOS 6.5, freeipa 3.0.0.37

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

I noticed that there's no host certificate for the server when I look 
at the host details in the web interface.


thx
anthony





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Anthony Lanni
While running ipa-server-install, it's failing out at the end with an error
regarding the client install on the server. This happens regardless of how
I input the options, but here's the latest command:

ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
example.com -p passwd1 -a passwd2 --hostname=ldap-server-01.example.com
--forwarder=10.0.1.20 --forwarder=10.0.1.21
--reverse-zone=1.0.10.in-addr.arpa. -d

Runs through the entire setup and gives me this:

[...]
ipa : DEBUGargs=/usr/sbin/ipa-client-install --on-master
--unattended --domain example.com --server ldap-server-01.example.com
--realm EXAMPLE.COM --hostname ldap-server-01.example.com
ipa : DEBUGstdout=

ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ldap-server-01.example.com
BaseDN: dc=example,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 2377, in module
sys.exit(main())
  File /usr/sbin/ipa-client-install, line 2363, in main
rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 2135, in install
delete_persistent_client_session_data(host_principal)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 124, in
delete_persistent_client_session_data
kernel_keyring.del_key(keyname)
  File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py, line
99, in del_key
real_key = get_real_key(key)
  File /usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py, line
45, in get_real_key
(stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key],
raiseonerr=False)
  File /usr/lib/python2.6/site-packages/ipapython/ipautil.py, line 295,
in run
close_fds=True, env=env, cwd=cwd)
  File /usr/lib64/python2.6/subprocess.py, line 642, in __init__
errread, errwrite)
  File /usr/lib64/python2.6/subprocess.py, line 1234, in _execute_child
raise child_exception
OSError: [Errno 8] Exec format error

ipa : INFO   File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py, line
614, in run_script
return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1103, in main
sys.exit(Configuration of client side components
failed!\nipa-client-install returned:  + str(e))

ipa : INFO The ipa-server-install command failed, exception:
SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unattended --domain example.com --server
ldap-server-01.example.com --realm EXAMPLE.COM --hostname
ldap-server-01.advdc.com' returned non-zero exit status 1


Same details (without the debug messages, of course) in
/var/log/ipaserver-install.log. From ipaclient-install.log:
[...]
2015-03-24T23:15:26Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2015-03-24T23:15:26Z DEBUG   - Not backing up - '/etc/sssd/sssd.conf'
doesn't exist
2015-03-24T23:15:26Z INFO New SSSD config will be created
2015-03-24T23:15:26Z INFO Configured /etc/sssd/sssd.conf
2015-03-24T23:15:26Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n
IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=
2015-03-24T23:15:26Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
ldap-server-01.example@example.com
2015-03-24T23:15:26Z DEBUG stdout=
2015-03-24T23:15:26Z DEBUG stderr=

I'm running on CENTOS 6.5, freeipa 3.0.0.37

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

I noticed that there's no host certificate for the server when I look at
the host details in the web interface.

thx
anthony

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Petr Spacek
On 23.3.2015 12:33, Roberto Cornacchia wrote:
 OK, thanks.
 That would be Dynamic updates, right? Then it is enabled.
 
 $ ipa dnszone-show --all
 Zone name: hq.example.com
   dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
   Zone name: hq.example.com.
   Active zone: TRUE
   Authoritative nameserver: ipa.hq.example.com.
   Administrator e-mail address: hostmaster.hq.example.com.
   SOA serial: 1427108043
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
 krb5-self * ; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
   Dynamic update: TRUE

This is correct (but it should not affect SOA query anyway).

Could you share named logs on debug level 10 with us? It would be even better
if you could provide us a tcpdump with the transactions in question.

On the client (before you start installation) please:
1) Execute command $ tcpdump -i any -w /tmp/dns.pcap 'port 53'
2) Run ipa-client-install
3) Kill the tcpdump: $ pkill tcpdump
4) Send us the file.

Feel free to send the files to me (pspa...@redhat.com) and Martin^2
(mba...@redhat.com) privately if you do not want to make them public.

Have a nice day!

Petr^2 Spacek

   Allow query: any;
   Allow transfer: none;
   Allow PTR sync: FALSE
   nsrecord: ipa.hq.example.com.
   objectclass: idnszone, top, idnsrecord
 
 
 On 23 March 2015 at 12:27, Martin Basti mba...@redhat.com wrote:
 
  On 23/03/15 12:19, Roberto Cornacchia wrote:

 BTW, shouldn't named.conf contain an allow-update statement? Mine
 doesn't. Or is this managed differently?

 It is not needed.
 bind-dyndb-ldap plugin overrides this configuration, you just need to
 enable updates in IPA zone setting.

 Martin



 On 23 March 2015 at 12:16, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:



 On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:

 On 23.3.2015 10:21, Roberto Cornacchia wrote:
 About the DNS update, this is what the debug log has to say:

 Found zone name: hq.example.com
 The master is: ipa.hq.example.com
 start_gssrequest
 Found realm from ticket: HQ.EXAMPLE.COM
 send_gssrequest
 *; Communication with 192.168.0.72#53 failed: operation canceled*
 *Reply from SOA query:*
 ;; -HEADER- opcode: QUERY, status: SERVFAIL, id:   4923
 ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 ;; QUESTION SECTION:
 ;1835417091.sig-ipa.hq.example.com. ANY TKEY

 response to SOA query was unsuccessful

 - Please verify that 192.168.0.72 is the correct IP address of the
 FreeIPA server.


  Positive


 - Please check named.logs on the server side to see if there are any
 complaints
 about unsuccessful key negotiation with client.


  I raised named's log level to debug 10 and restarted
 Ran ipa-client-install again.
 The log shows many queries from the client, for A/AAA/SOA record types,
 both about the server and the client. All approved, no problem.
 The log does not seem to contain a single failure / rejection.

  However:
 1) The client reports that response to SOA query was unsuccessful. The
 server log does not say anything about this.
 2) The server log does not contain any update request


 Notice that this is *different* from what I got before the chronyd
 change.
 Before, there was not even a reply:

 Found zone name: hq.example.com
 The master is: ipa.hq.example.com
 start_gssrequest
 Found realm from ticket: HQ.EXAMPLE.COM
 send_gssrequest
 *; Communication with 192.168.0.72#53 failed: operation canceled*
 *could not reach any name server*

 Interesting, this should not be related to time synchronization in any
 way.
 DNS server simply did not return any answer.

 --
 Petr^2 Spacek



Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Thank you, dump sent privately

On 23 March 2015 at 13:33, Petr Spacek pspa...@redhat.com wrote:

 On 23.3.2015 12:33, Roberto Cornacchia wrote:
  OK, thanks.
  That would be Dynamic updates, right? Then it is enabled.
 
  $ ipa dnszone-show --all
  Zone name: hq.example.com
dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
Zone name: hq.example.com.
Active zone: TRUE
Authoritative nameserver: ipa.hq.example.com.
Administrator e-mail address: hostmaster.hq.example.com.
SOA serial: 1427108043
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant
 HQ.EXAMPLE.COM
  krb5-self * ; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
Dynamic update: TRUE

 This is correct (but it should not affect SOA query anyway).

 Could you share named logs on debug level 10 with us? It would be even
 better
 if you could provide us a tcpdump with transactions in question.

 On the client (before you start installation) please:
 1) Execute command $ tcpdump -i any -w /tmp/dns.pcap 'port 53'
 2) Run ipa-client-install
 3) Kill the tcpdump: $ pkill tcpdump
 4) Send us the file.

 Feel free to send the files to me (pspa...@redhat.com) and Martin^2
 (mba...@redhat.com) privately if you do not want to make them public.

 Have a nice day!

 Petr^2 Spacek

Allow query: any;
Allow transfer: none;
Allow PTR sync: FALSE
nsrecord: ipa.hq.example.com.
objectclass: idnszone, top, idnsrecord
 
 
  On 23 March 2015 at 12:27, Martin Basti mba...@redhat.com wrote:
 
   On 23/03/15 12:19, Roberto Cornacchia wrote:
 
  BTW, shouldn't named.conf contain an allow-update statement? Mine
  doesn't. Or is this managed differently?
 
  It is not needed.
  bind-dyndb-ldap plugin overrides this configuration, you just need to
  enable updates in IPA zone setting.
 
  Martin
 
 
 
  On 23 March 2015 at 12:16, Roberto Cornacchia 
  roberto.cornacc...@gmail.com wrote:
 
 
 
  On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:
 
  On 23.3.2015 10:21, Roberto Cornacchia wrote:
  About the DNS update, this is what the debug log has to say:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *Reply from SOA query:*
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
  ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;1835417091.sig-ipa.hq.example.com. ANY TKEY
 
  response to SOA query was unsuccessful
 
  - Please verify that 192.168.0.72 is the correct IP address of the
  FreeIPA server.
 
 
   Positive
 
 
  - Please check named.logs on the server side to see if there are any
  complaints
  about unsuccessful key negotiation with client.
 
 
   I raised named's log level to debug 10 and restarted
  Ran ipa-client-install again.
  The log shows many queries from the client, for A/AAAA/SOA record types,
  both about the server and the client. All approved, no problem.
  The log does not seem to contain a single failure / rejection.
 
   However:
  1) The client reports that response to SOA query was unsuccessful. The
  server log does not say anything about this.
  2) The server log does not contain any update request
 
 
  Notice that this is *different* from what I got before the chronyd
  change.
  Before, there was not even a reply:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *could not reach any name server*
 
  Interesting, this should not be related to time synchronization in any
  way.
  DNS server simply did not return any answer.
 
  --
  Petr^2 Spacek


Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
BTW, shouldn't named.conf contain an allow-update statement? Mine
doesn't. Or is this managed differently?


On 23 March 2015 at 12:16, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:



 On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:

 On 23.3.2015 10:21, Roberto Cornacchia wrote:
  About the DNS update, this is what the debug log has to say:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *Reply from SOA query:*
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
  ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;1835417091.sig-ipa.hq.example.com. ANY TKEY
 
  response to SOA query was unsuccessful

 - Please verify that 192.168.0.72 is the correct IP address of the
 FreeIPA server.


 Positive


 - Please check named.logs on the server side to see if there are any
 complaints
 about unsuccessful key negotiation with client.


 I raised named's log level to debug 10 and restarted
 Ran ipa-client-install again.
 The log shows many queries from the client, for A/AAAA/SOA record types,
 both about the server and the client. All approved, no problem.
 The log does not seem to contain a single failure / rejection.

 However:
 1) The client reports that response to SOA query was unsuccessful. The
 server log does not say anything about this.
 2) The server log does not contain any update request


  Notice that this is *different* from what I got before the chronyd change.
  Before, there was not even a reply:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *could not reach any name server*

 Interesting, this should not be related to time synchronization in any
 way.
 DNS server simply did not return any answer.

 --
 Petr^2 Spacek


Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:

 On 23.3.2015 10:21, Roberto Cornacchia wrote:
  About the DNS update, this is what the debug log has to say:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *Reply from SOA query:*
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
  ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;1835417091.sig-ipa.hq.example.com. ANY TKEY
 
  response to SOA query was unsuccessful

 - Please verify that 192.168.0.72 is the correct IP address of the FreeIPA
 server.


Positive


 - Please check named.logs on the server side to see if there are any
 complaints
 about unsuccessful key negotiation with client.


I raised named's log level to debug 10 and restarted
Ran ipa-client-install again.
The log shows many queries from the client, for A/AAAA/SOA record types,
both about the server and the client. All approved, no problem.
The log does not seem to contain a single failure / rejection.

However:
1) The client reports that response to SOA query was unsuccessful. The
server log does not say anything about this.
2) The server log does not contain any update request


  Notice that this is *different* from what I got before the chronyd change.
  Before, there was not even a reply:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *could not reach any name server*

 Interesting, this should not be related to time synchronization in any way.
 DNS server simply did not return any answer.

 --
 Petr^2 Spacek


Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
OK, thanks.
That would be Dynamic updates, right? Then it is enabled.

$ ipa dnszone-show --all
Zone name: hq.example.com
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  Administrator e-mail address: hostmaster.hq.example.com.
  SOA serial: 1427108043
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
krb5-self * ; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: FALSE
  nsrecord: ipa.hq.example.com.
  objectclass: idnszone, top, idnsrecord


On 23 March 2015 at 12:27, Martin Basti mba...@redhat.com wrote:

  On 23/03/15 12:19, Roberto Cornacchia wrote:

 BTW, shouldn't named.conf contain an allow-update statement? Mine
 doesn't. Or is this managed differently?

 It is not needed.
 bind-dyndb-ldap plugin overrides this configuration, you just need to
 enable updates in IPA zone setting.

 Martin



 On 23 March 2015 at 12:16, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:



 On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:

 On 23.3.2015 10:21, Roberto Cornacchia wrote:
  About the DNS update, this is what the debug log has to say:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *Reply from SOA query:*
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
  ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;1835417091.sig-ipa.hq.example.com. ANY TKEY
 
  response to SOA query was unsuccessful

 - Please verify that 192.168.0.72 is the correct IP address of the
 FreeIPA server.


  Positive


 - Please check named.logs on the server side to see if there are any
 complaints
 about unsuccessful key negotiation with client.


  I raised named's log level to debug 10 and restarted
 Ran ipa-client-install again.
 The log shows many queries from the client, for A/AAAA/SOA record types,
 both about the server and the client. All approved, no problem.
 The log does not seem to contain a single failure / rejection.

  However:
 1) The client reports that response to SOA query was unsuccessful. The
 server log does not say anything about this.
 2) The server log does not contain any update request


  Notice that this is *different* from what I got before the chronyd
 change.
  Before, there was not even a reply:
 
  Found zone name: hq.example.com
  The master is: ipa.hq.example.com
  start_gssrequest
  Found realm from ticket: HQ.EXAMPLE.COM
  send_gssrequest
  *; Communication with 192.168.0.72#53 failed: operation canceled*
  *could not reach any name server*

 Interesting, this should not be related to time synchronization in any
 way.
 DNS server simply did not return any answer.

 --
 Petr^2 Spacek








 --
 Martin Basti


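Martin's point above is that bind-dyndb-ldap enforces the zone's "BIND update policy" in place of an allow-update statement in named.conf, and that policy is what decides which names and record types an enrolled host may change once its UPDATE reaches the server. The evaluator below is an added example written for this archive, not FreeIPA, BIND or bind-dyndb-ldap code. It implements only the krb5-self rule form, the only form in the posted policy; the policy string, the host principal host/meson.hq.example.com@HQ.EXAMPLE.COM and the owner names are constructed from the thread's values.

```python
"""Evaluate a BIND-style update-policy, as stored in an IPA zone's
"BIND update policy" attribute, against a GSS-TSIG update request.

Added example for this archive; not FreeIPA, BIND or bind-dyndb-ldap code.
Only the 'krb5-self' rule type is implemented, because that is the only
one in the policy posted above.  SAMPLE_POLICY and the names used in
__main__ are constructed from the thread's values.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed from the posted policy; only the legible rules are kept.
SAMPLE_POLICY = (
    "grant HQ.EXAMPLE.COM krb5-self * A; "
    "grant HQ.EXAMPLE.COM krb5-self * SSHFP;"
)


@dataclass(frozen=True)
class Rule:
    action: str              # "grant" or "deny"
    identity: str            # for krb5-self this is the Kerberos realm
    rule_type: str           # only "krb5-self" is understood here
    name: str                # ignored by krb5-self, kept for completeness
    types: FrozenSet[str]    # empty means "any type" (BIND's default)


def parse_update_policy(policy: str) -> List[Rule]:
    """Split 'action identity ruletype name [types...];' statements."""
    rules: List[Rule] = []
    for stmt in (s.strip() for s in policy.split(";")):
        if not stmt:
            continue
        parts = stmt.split()
        if len(parts) < 4 or parts[0] not in ("grant", "deny"):
            raise ValueError(f"malformed update-policy rule: {stmt!r}")
        action, identity, rule_type, name, *types = parts
        rules.append(Rule(action, identity, rule_type, name,
                          frozenset(t.upper() for t in types)))
    return rules


def machine_from_principal(principal: str) -> Optional[Tuple[str, str]]:
    """host/meson.hq.example.com@HQ.EXAMPLE.COM ->
    ('meson.hq.example.com', 'HQ.EXAMPLE.COM').
    Anything that is not a host/ principal (e.g. admin@REALM) yields None."""
    m = re.fullmatch(r"host/([^/@]+)@([^@]+)", principal)
    if m is None:
        return None
    return m.group(1).rstrip(".").lower(), m.group(2)


def may_update(rules: List[Rule], principal: str, owner: str, rrtype: str) -> bool:
    """Return True if the first matching rule grants the update.

    krb5-self semantics: the identity field is the realm, the principal
    must be host/<machine>@<realm>, and only records whose owner name is
    exactly <machine> match; the rule's name field is ignored.  A rule
    that does not match (wrong realm, other owner, type not listed) is
    skipped and evaluation continues; no match at all means refusal.
    """
    parsed = machine_from_principal(principal)
    if parsed is None:
        return False
    machine, realm = parsed
    target = owner.rstrip(".").lower()
    for rule in rules:
        if rule.rule_type != "krb5-self":
            continue  # other rule types are outside this example
        if rule.identity != realm or target != machine:
            continue
        if rule.types and rrtype.upper() not in rule.types:
            continue
        return rule.action == "grant"
    return False


if __name__ == "__main__":
    rules = parse_update_policy(SAMPLE_POLICY)
    client = "host/meson.hq.example.com@HQ.EXAMPLE.COM"
    for owner, rrtype in [("meson.hq.example.com.", "A"),
                          ("meson.hq.example.com.", "SSHFP"),
                          ("meson.hq.example.com.", "PTR"),
                          ("ipa.hq.example.com.", "A")]:
        print(f"{owner} {rrtype}: {may_update(rules, client, owner, rrtype)}")
```

A refusal by these rules surfaces as REFUSED on the UPDATE message itself, which is only sent after the TKEY negotiation has succeeded; the SERVFAIL in the excerpt quoted above arrives on the TKEY query, before any rule here is consulted, consistent with Petr's remark that the policy should not affect the failing query.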

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Dmitri, Rob, Jakub,

I found at least one of the major problems: chronyd.

This is what I get when I use ipa-client-install on a plain FC21 machine,
*without* using --force-ntpd

WARNING: ntpd timedate synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd


Good, then I abort and run it again with  --force-ntpd:

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.


Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it
would take care of stopping and disabling chronyd. But it doesn't. That's
why I get the error above.

If I first stop chronyd manually and run the installation again, then it
does synchronise with NTP.
This was apparently the cause of id admin not working (kerberos failing
without proper NTP sync?)
Now the basic functionalities are all OK.
Also, chronyd is disabled and ntpd is enabled after installation - good.

My nsswitch.conf now looks like this:

passwd: files sss
shadow: files sss
group:  files sss
hosts:  files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers: files sss



I am left with 2 issues:

1) Is the above expected? Do I have to stop chronyd manually? Or is it a
bug?
2) DNS update still does not work


The latest installation log:


$ systemctl stop chronyd
$ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
Discovery was successful!
Hostname: meson.hq.example.com
Realm: HQ.EXAMPLE.COM
DNS Domain: hq.example.com
IPA Server: ipa.hq.example.com
BaseDN: dc=hq,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: User authorized to enroll computers:
admin
Password for ad...@hq.example.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
Valid From:  Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC

Enrolled in IPA realm HQ.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
trying https://ipa.hq.example.com/ipa/json
Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com
/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (meson.hq.example.com) not found in DNS
*Failed to update DNS records.*
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
*Could not update DNS SSHFP records.*
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring hq.example.com as NIS domain.
Client configuration complete.

$ id admin
uid=117200(admin) gid=117200(admins) groups=117200(admins)




On 22 March 2015 at 21:04, Jakub Hrozek jhro...@redhat.com wrote:

 On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
  Thanks Rob.
 
  Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
  although we don't know why that happens yet.
  I'm not very keen on fixing it post-installation (except if this is just
 to
  learn more about the issue), even if this seems to solve problems. I'm
 not
  going to deploy freeIPA for real before I can at least run successfully a
  plain installation.

 Hi,

 I find it a bit unexpected that the client system didn't have
 nsswitch.conf configured..I've never seen the client installation fail
 in this particular way.

 For debugging SSSD issues, we've created a new troubleshooting page
 upstream that should walk you through the config:
 https://fedorahosted.org/sssd/wiki/Troubleshooting
 maybe this article would also help:
 https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

 But most importantly, I wouldn't expect to see any issues as long as
 you use ipa-client-install. I guess re-enrolling the client would be the
 fastest way forward?


Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
About the DNS update, this is what the debug log has to say:

Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*Reply from SOA query:*
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY

response to SOA query was unsuccessful



Notice that this is *different* from what I got before the chronyd change.
Before, there was not even a reply:

Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*could not reach any name server*




On 23 March 2015 at 10:07, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:

 Dmitri, Rob, Jakub,

 I found at least one of the major problems: chronyd.

 This is what I get when I use ipa-client-install on a plain FC21 machine,
 *without* using --force-ntpd

 WARNING: ntpd timedate synchronization service will not be configured as
 conflicting service (chronyd) is enabled
 Use --force-ntpd option to disable it and force configuration of ntpd


 Good, then I abort and run it again with  --force-ntpd:

 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Please check that 123 UDP port is opened.


 Perhaps I misinterpreted the meaning of --force-ntpd. I had assumed it
 would take care of stopping and disabling chronyd. But it doesn't. That's
 why I get the error above.

 If I first stop chronyd manually and run the installation again, then it
 does synchronise with NTP.
 This was apparently the cause of id admin not working (kerberos failing
 without proper NTP sync?)
 Now the basic functionalities are all OK.
 Also, chronyd is disabled and ntpd is enabled after installation - good.

 My nsswitch.conf now looks like this:

 passwd: files sss
 shadow: files sss
 group:  files sss
 hosts:  files mdns4_minimal [NOTFOUND=return] dns myhostname
 bootparams: nisplus [NOTFOUND=return] files
 ethers: files
 netmasks:   files
 networks:   files
 protocols:  files
 rpc:        files
 services:   files sss
 netgroup:   files sss
 publickey:  nisplus
 automount:  files sss
 aliases:    files nisplus
 sudoers: files sss



 I am left with 2 issues:

 1) Is the above expected? Do I have to stop chronyd manually? Or is it a
 bug?
 2) DNS update still does not work


 The latest installation log:


 $ systemctl stop chronyd
 $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
 Discovery was successful!
 Hostname: meson.hq.example.com
 Realm: HQ.EXAMPLE.COM
 DNS Domain: hq.example.com
 IPA Server: ipa.hq.example.com
 BaseDN: dc=hq,dc=example,dc=com

 Continue to configure the system with these values? [no]: yes
 Synchronizing time with KDC...
 User authorized to enroll computers: User authorized to enroll computers:
 admin
 Password for ad...@hq.example.com:
 Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
 Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
 Valid From:  Mon Mar 16 18:44:35 2015 UTC
 Valid Until: Fri Mar 16 18:44:35 2035 UTC

 Enrolled in IPA realm HQ.EXAMPLE.COM
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
 trying https://ipa.hq.example.com/ipa/json
 Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
 Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com
 /ipa/json'
 Systemwide CA database updated.
 Added CA certificates to the default NSS database.
 Hostname (meson.hq.example.com) not found in DNS
 *Failed to update DNS records.*
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
 *Could not update DNS SSHFP records.*
 SSSD enabled
 Configured /etc/openldap/ldap.conf
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Configuring hq.example.com as NIS domain.
 Client configuration complete.

 $ id admin
 uid=117200(admin) gid=117200(admins) groups=117200(admins)




 On 22 March 2015 at 21:04, Jakub Hrozek jhro...@redhat.com wrote:

 On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
  Thanks Rob.
 
  Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
  although we don't know why that happens yet.
  I'm not very keen on fixing it post-installation (except if this is
 just to
  learn more about the issue), even if this seems to solve problems. 

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Petr Spacek
On 23.3.2015 10:21, Roberto Cornacchia wrote:
 About the DNS update, this is what the debug log has to say:
 
 Found zone name: hq.example.com
 The master is: ipa.hq.example.com
 start_gssrequest
 Found realm from ticket: HQ.EXAMPLE.COM
 send_gssrequest
 *; Communication with 192.168.0.72#53 failed: operation canceled*
 *Reply from SOA query:*
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
 ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 ;; QUESTION SECTION:
 ;1835417091.sig-ipa.hq.example.com. ANY TKEY
 
 response to SOA query was unsuccessful

- Please verify that 192.168.0.72 is the correct IP address of the FreeIPA 
server.
- Please check named.logs on the server side to see if there are any complaints
about unsuccessful key negotiation with client.


 Notice that this is *different* from what I got before the chronyd change.
 Before, there was not even a reply:
 
 Found zone name: hq.example.com
 The master is: ipa.hq.example.com
 start_gssrequest
 Found realm from ticket: HQ.EXAMPLE.COM
 send_gssrequest
 *; Communication with 192.168.0.72#53 failed: operation canceled*
 *could not reach any name server*

Interesting, this should not be related to time synchronization in any way.
DNS server simply did not return any answer.

-- 
Petr^2 Spacek

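Petr's two checks above (is 192.168.0.72 really the server, and does named complain about key negotiation) line up with what the nsupdate debug dump already shows: in the first excerpt the question section is a TKEY query, so the reply labelled "Reply from SOA query" is the server answering SERVFAIL to the GSS-TSIG key negotiation, whereas the second excerpt got no reply at all. The script below is an added example for this archive, not nsupdate or ipa-client-install code; it parses such an excerpt and separates the two cases. The two sample excerpts are the ones quoted in the thread, with the dig header's angle brackets restored, and the regex accepts the header with or without them.

```python
"""Triage the nsupdate debug excerpt that ipa-client-install logs when the
DNS update fails, separating "no reply" from "SERVFAIL on the TKEY query".

Added example for this archive; not nsupdate or ipa-client-install code.
SAMPLE_SERVFAIL and SAMPLE_NO_REPLY are the excerpts quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The header is matched with or without the ->>HEADER<<- angle brackets,
# since mail archives often strip them.
HEADER_RE = re.compile(
    r";; -+(?:>>)?HEADER(?:<<)?-+ opcode: (\w+), status: (\w+), id:\s*(\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
QUESTION_RE = re.compile(r"^;(\S+)\s+(\S+)\s+(\S+)$")
COMM_FAIL_RE = re.compile(r"Communication with (\S+)#(\d+) failed: (.+)")

ADVICE = {
    "no_reply": "No DNS reply from the server at all: confirm the server address "
                "and that port 53 is reachable and named is listening before "
                "looking at anything Kerberos- or policy-related.",
    "tkey_servfail": "The server was reached but returned SERVFAIL to the TKEY "
                     "query, i.e. GSS-TSIG key negotiation failed on the server. "
                     "The zone update-policy is not consulted until the later "
                     "UPDATE, so inspect named's log and its Kerberos setup.",
    "other_rcode": "The server replied with an rcode other than SERVFAIL; read "
                   "rcode and the question section before going further.",
    "unknown": "Could not classify; capture port 53 traffic and compare it "
               "with named's log.",
}

SAMPLE_SERVFAIL = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*Reply from SOA query:*
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY

response to SOA query was unsuccessful
"""

SAMPLE_NO_REPLY = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*could not reach any name server*
"""


@dataclass
class Triage:
    zone: Optional[str] = None
    master: Optional[str] = None
    realm: Optional[str] = None
    server: Optional[str] = None
    failure: Optional[str] = None       # text after "failed:"
    rcode: Optional[str] = None
    flags: Optional[str] = None
    question_name: Optional[str] = None
    question_type: Optional[str] = None
    verdict: str = "unknown"

    @property
    def advice(self) -> str:
        return ADVICE[self.verdict]


def triage_nsupdate_log(text: str) -> Triage:
    """Walk the excerpt once, collecting facts, then classify."""
    t = Triage()
    expect_question = False
    for raw in text.splitlines():
        line = raw.strip().strip("*")  # the archive renders some lines *bold*
        if line.startswith("Found zone name:"):
            t.zone = line.partition(":")[2].strip()
        elif line.startswith("The master is:"):
            t.master = line.partition(":")[2].strip()
        elif line.startswith("Found realm from ticket:"):
            t.realm = line.partition(":")[2].strip()
        elif (m := COMM_FAIL_RE.search(line)):
            t.server, t.failure = m.group(1), m.group(3)
        elif (m := HEADER_RE.search(line)):
            t.rcode = m.group(2)
        elif (m := FLAGS_RE.search(line)):
            t.flags = m.group(1).strip()
        elif line.startswith(";; QUESTION SECTION:"):
            expect_question = True
            continue
        elif expect_question and (m := QUESTION_RE.match(line)):
            t.question_name, _cls, t.question_type = m.groups()
        elif "could not reach any name server" in line:
            t.verdict = "no_reply"
        expect_question = False
    if t.verdict == "unknown" and t.rcode is not None:
        if t.question_type == "TKEY" and t.rcode == "SERVFAIL":
            t.verdict = "tkey_servfail"
        else:
            t.verdict = "other_rcode"
    return t


if __name__ == "__main__":
    for sample in (SAMPLE_SERVFAIL, SAMPLE_NO_REPLY):
        t = triage_nsupdate_log(sample)
        print(f"{t.server}: {t.verdict} (rcode={t.rcode}, q={t.question_type})")
        print("  ", t.advice)
```

Run against a real ipa-client-install.log, cut out the block from "Found zone name" to the nsupdate error and feed it to triage_nsupdate_log; the verdict tells you whether to start with the network path or with named's GSS setup.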


Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Roberto Cornacchia
Thanks Rob.

Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is just to
learn more about the issue), even if this seems to solve problems. I'm not
going to deploy freeIPA for real before I can at least run successfully a
plain installation.

It seems SELinux can be ruled out as well.
I switched to permissive mode and tried again, no difference.

And so far I haven't been able to find anything useful in the logs.

What strikes me is that these are really a plain and up to date FC21
machines, and my deployment was as from the book. The last of the settings
you'd expect issues from.

Can anyone (user or developer) confirm successful deployment of both server
and client on up-to-date (updated this week) FC21 systems? I know it's
maybe a bit far-fetched, but could any of the latest FC updates have
created the issue?

Roberto


On 21 March 2015 at 17:26, Rob Crittenden rcrit...@redhat.com wrote:

 Roberto Cornacchia wrote:
  Hi Rob,
 
  Yes, sssd is running and this is sssd.conf:
 
  [domain/hq.example.com]
  debug_level=9
  cache_credentials = True
  krb5_store_password_if_offline = True
  ipa_domain = hq.example.com
  id_provider = ipa
  auth_provider = ipa
  access_provider = ipa
  ipa_hostname = meson.hq.example.com
  chpass_provider = ipa
  ipa_server = _srv_, ipa.hq.example.com
  ldap_tls_cacert = /etc/ipa/ca.crt
  [sssd]
  services = nss, sudo, pam, ssh
  config_file_version = 2
 
  domains = hq.example.com
  [nss]
  homedir_substring = /home
  debug_level=9
 
  [pam]
 
  [sudo]
 
  [autofs]
 
  [ssh]
 
  [pac]
 
  [ifp]

 Ok, that's good. Maybe authconfig didn't do the right thing. I'd add sss
 to these values in /etc/nsswitch.conf, grepp'd from mine:

 passwd: files sss
 shadow: files sss
 group:  files sss
 services:   files sss
 netgroup:   files sss
 automount:  files sss
 sudoers:    sss

 You've got quite a mix of odd things happening during install. It seems
 like DNS and firewall can be ruled out given that lots of other
 operations are working fine, and you've confirmed that NTP works
 pre-install.

 I guess working on a cleanish system, the things I'd look for on both
 client and server are the system logs to see if any errors are being
 thrown to syslog or service-specific logs.

 And I'd check for SELinux errors on the client if you're in enforcing mode.

 rob

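Rob's nsswitch.conf check above, done by hand with grep, as an added example for this archive (not ipa-client-install or authconfig code): parse the file, report which of the databases Rob listed do not reach the sss module, flag any where sss is consulted before files, and produce the repaired file. BROKEN is constructed to mimic a client where only sudoers was handed to sssd (the actual broken file was not posted); REPAIRED is the nsswitch.conf Roberto posted after stopping chronyd and re-enrolling.

```python
"""Audit and repair the 'sss' entries of an nsswitch.conf, the check you
would run on an IPA client whose lookups silently went to files only.

Added example for this archive; not ipa-client-install or authconfig code.
SSS_DATABASES is the list Rob posted.  BROKEN is a constructed sample;
REPAIRED is the file Roberto posted.
"""
from typing import Dict, Iterable, List

SSS_DATABASES = ("passwd", "shadow", "group", "services",
                 "netgroup", "automount", "sudoers")

BROKEN = """\
passwd:     files
shadow:     files
group:      files
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
services:   files
netgroup:   files
automount:  files
sudoers:    files sss
"""

REPAIRED = """\
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers:    files sss
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map database -> ordered source tokens; [action] tokens stay in place."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, colon, sources = line.partition(":")
        if not colon:
            raise ValueError(f"malformed nsswitch line: {raw!r}")
        databases[name.strip()] = sources.split()
    return databases


def missing_sss(db: Dict[str, List[str]],
                required: Iterable[str] = SSS_DATABASES) -> List[str]:
    """Databases that should reach sssd but do not list the sss module."""
    return [name for name in required if "sss" not in db.get(name, [])]


def sss_before_files(db: Dict[str, List[str]]) -> List[str]:
    """Databases where sss is consulted before files.  Keeping files first
    lets local accounts (root, break-glass logins) resolve while sssd is
    down and stops a directory entry from shadowing a local one."""
    flagged = []
    for name, sources in db.items():
        if ("sss" in sources and "files" in sources
                and sources.index("sss") < sources.index("files")):
            flagged.append(name)
    return flagged


def add_sss(text: str, required: Iterable[str] = SSS_DATABASES) -> str:
    """Append 'sss' to each required database that lacks it and add a
    'files sss' line for any that is absent.  Idempotent; other lines and
    comments are left untouched."""
    required = tuple(required)
    out, seen = [], set()
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")
        name, colon, sources = code.partition(":")
        name = name.strip()
        if colon and name in required:
            seen.add(name)
            tokens = sources.split()
            if "sss" not in tokens:
                tokens.append("sss")
                raw = f"{name}:".ljust(12) + " ".join(tokens)
                if hash_:
                    raw += " #" + comment
        out.append(raw)
    for name in required:
        if name not in seen:
            out.append(f"{name}:".ljust(12) + "files sss")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("missing sss:", missing_sss(parse_nsswitch(BROKEN)))
    print(add_sss(BROKEN))
```

On a live client run `missing_sss(parse_nsswitch(open("/etc/nsswitch.conf").read()))`; an empty list with `getent passwd admin` still failing moves the problem to sssd itself, where Jakub's troubleshooting page takes over.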

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Jakub Hrozek
On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
 Thanks Rob.
 
 Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
 although we don't know why that happens yet.
 I'm not very keen on fixing it post-installation (except if this is just to
 learn more about the issue), even if this seems to solve problems. I'm not
 going to deploy freeIPA for real before I can at least run successfully a
 plain installation.

Hi,

I find it a bit unexpected that the client system didn't have
nsswitch.conf configured..I've never seen the client installation fail
in this particular way.

For debugging SSSD issues, we've created a new troubleshooting page
upstream that should walk you through the config:
https://fedorahosted.org/sssd/wiki/Troubleshooting
maybe this article would also help:
https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

But most importantly, I wouldn't expect to see any issues as long as
you use ipa-client-install. I guess re-enrolling the client would be the
fastest way forward?



Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Dmitri Pal

On 03/22/2015 11:24 AM, Roberto Cornacchia wrote:

Thanks Rob.

Knowing that /etc/nsswitch.conf is created wrongly is a step forward, 
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is 
just to learn more about the issue), even if this seems to solve 
problems. I'm not going to deploy freeIPA for real before I can at 
least run successfully a plain installation.


It seems SELinux can be ruled out as well.
I switched to permissive mode and tried again, no difference.

And so far I haven't been able to find anything useful in the logs.

What strikes me is that these are really a plain and up to date FC21 
machines, and my deployment was as from the book. The last of the 
settings you'd expect issues from.


Can anyone (user or developer) confirm successful deployment of both 
server and client on up-to-date (updated this week) FC21 systems? I 
know it's maybe a bit far-fetched, but could any of the latest FC 
updates have created the issue?


Maybe.
To config nsswitch we call authconfig so maybe there is something weird
with it, can you check?




Roberto


On 21 March 2015 at 17:26, Rob Crittenden rcrit...@redhat.com wrote:


Roberto Cornacchia wrote:
 Hi Rob,

 Yes, sssd is running and this is sssd.conf:

 [domain/hq.example.com]
 debug_level=9
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = hq.example.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = meson.hq.example.com
 chpass_provider = ipa
 ipa_server = _srv_, ipa.hq.example.com
 ldap_tls_cacert = /etc/ipa/ca.crt
 [sssd]
 services = nss, sudo, pam, ssh
 config_file_version = 2

 domains = hq.example.com
 [nss]
 homedir_substring = /home
 debug_level=9

 [pam]

 [sudo]

 [autofs]

 [ssh]

 [pac]

 [ifp]

Ok, that's good. Maybe authconfig didn't do the right thing. I'd
add sss
to these values in /etc/nsswitch.conf, grepp'd from mine:

passwd: files sss
shadow: files sss
group:  files sss
services:   files sss
netgroup:   files sss
automount:  files sss
sudoers:    sss

You've got quite a mix of odd things happening during install. It
seems
like DNS and firewall can be ruled out given that lots of other
operations are working fine, and you've confirmed that NTP works
pre-install.

I guess working on a cleanish system, the things I'd look for on both
client and server are the system logs to see if any errors are being
thrown to syslog or service-specific logs.

And I'd check for SELinux errors on the client if you're in
enforcing mode.

rob







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
Hi Rob,

Yes, sssd is running and this is sssd.conf:

[domain/hq.example.com]
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hq.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = meson.hq.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.hq.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = hq.example.com
[nss]
homedir_substring = /home
debug_level=9

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


On 21 March 2015 at 17:05, Rob Crittenden rcrit...@redhat.com wrote:

 Roberto Cornacchia wrote:
  Indeed, id admin does not work and there is no sign of it in the log.
 
  From the client (with admin-tools installed):
 
  $ kinit admin
  Password for ad...@hq.example.com:
  $ ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 117200
GID: 117200
Account disabled: False
Password: True
Member of groups: trust admins, admins
Kerberos keys available: True
  $ id admin
  id: admin: no such user
  $ getent passwd ad...@hq.spinque.com
  $ grep admin /var/log/sssd/*
  $

 This is because sssd is not configured in nsswitch.conf to serve
 anything other than sudo.

 I see in the client install log you posted in the first message of the
 thread that there was no pre-existing sssd.conf so it created a new one,
 but that shouldn't be an issue.

 What does sssd.conf look like and is sssd running?

 rob

 
 
  On 21 March 2015 at 01:01, Dmitri Pal d...@redhat.com wrote:
 
  On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:
  Two log files in attachment (the other files in /var/log/sssd are
  all empty).
 
  I'll also go through the troubleshooting page again, thanks
 
 
  Do the logs include an id call for admin?
  I do not see any instance of the word admin in the log.
 
 
 
  On 20 March 2015 at 23:03, Dmitri Pal d...@redhat.com wrote:
 
  On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:
  SSSD logs are empty so far.
 
  This is wrong.
 
  Isn't sssd.conf written by ipa-client-install?
 
  Yes
 
  If I raise the debug level after client installation,
 
  (and restart)
 
  what activities do you suggest to attempt from the client?
  the ones that fail. getent call that returns nothing.
  Also try 'id'.
 
  http://www.freeipa.org/page/Troubleshooting#Client_Installation
  https://fedorahosted.org/sssd/wiki/Troubleshooting
 
 
 
  On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote:
 
  On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:
  It certainly gets there, because the client gets in fact
  enrolled as a domain host. I can see it from the UI in
  Identity / Hosts. But not in the DNS zone.
 
  *Before ipa-client-install, all these do work: *
 
  $ ssh ipa.hq.example.com
  $ ntpdate ipa.hq.example.com
  $ ldapsearch -x -h ipa.hq.example.com -b dc=hq,dc=example,dc=com uid=admin
 
 
  *After running ipa-client-install, all these do work:*
 
  $ kinit admin
  Password for ad...@hq.example.com:
  $ ipa dnszone-show --all
  [...]
  $ ntpq -p
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  *ipa.hq.example. 131.155.140.130  3 u   19   64    1    0.415   -0.006   0.000
   LOCAL(0)        .LOCL.           5 l    -   64    0    0.000    0.000   0.000
 
  *But this does NOT work:*
  $ getent passwd ad...@hq.example.com
 
  What do SSSD logs show on the client?
  Please raise the SSSD debug_level and provide SSSD logs.
 
 
  *On the server, in /var/log/krb5kdc.log, I see many of
  these:*
 
  Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.207: NEEDED_PREAUTH: ad...@hq.example.com for krbtgt/hq.example@hq.example.com, Additional pre-authentication required
  Mar 20 21:53:17 ipa.hq.example.com
 

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
Indeed, id admin does not work and there is no sign of it in the log.

From the client (with admin-tools installed):

$ kinit admin
Password for ad...@hq.example.com:
$ ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 117200
  GID: 117200
  Account disabled: False
  Password: True
  Member of groups: trust admins, admins
  Kerberos keys available: True
$ id admin
id: admin: no such user
$ getent passwd ad...@hq.spinque.com
$ grep admin /var/log/sssd/*
$


On 21 March 2015 at 01:01, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:

 Two log files in attachment (the other files in /var/log/sssd are all
 empty).

  I'll also go through the troubleshooting page again, thanks


 Do the logs include an id call for admin?
 I do not see any instance of the word admin in the log.



 On 20 March 2015 at 23:03, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:

 SSSD logs are empty so far.


  This is wrong.

  Isn't sssd.conf written by ipa-client-install?


  Yes

  If I raise the debug level after client installation,


  (and restart)

   what activities do you suggest to attempt from the client?

  the ones that fail. getent call that returns nothing.
 Also try 'id'.

 http://www.freeipa.org/page/Troubleshooting#Client_Installation
 https://fedorahosted.org/sssd/wiki/Troubleshooting



 On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:

  It certainly gets there, because the client gets in fact enrolled as a
 domain host. I can see it from the UI in Identity / Hosts. But not in the
 DNS zone.

  *Before ipa-client-install, all these do work: *

  $ ssh ipa.hq.example.com
 $ ntpdate ipa.hq.example.com
 $ ldapsearch -x -h ipa.hq.example.com -b dc=hq,dc=example,dc=com
 uid=admin


  *After running ipa-client-install, all these do work:*

  $ kinit admin
 Password for ad...@hq.example.com:
  $ ipa dnszone-show --all
  [...]
 $ ntpq -p
      remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
 *ipa.hq.example. 131.155.140.130  3 u   19   64    1    0.415   -0.006   0.000
  LOCAL(0)        .LOCL.           5 l    -   64    0    0.000    0.000   0.000

  *But this does NOT work:*
 $ getent passwd ad...@hq.example.com


 What do SSSD logs show on the client?
 Please raise the SSSD debug_level and provide SSSD logs.


  *On the server, in /var/log/krb5kdc.log, I see many of these:*

  Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6
 etypes {18 17 16 23 25 26}) 192.168.0.207: NEEDED_PREAUTH:
 ad...@hq.example.com for krbtgt/hq.example@hq.example.com,
 Additional pre-authentication required
 Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6
 etypes {18 17 16 23 25 26}) 192.168.0.207: ISSUE: authtime 1426884797,
 etypes {rep=18 tkt=18 ses=18}, ad...@hq.example.com for krbtgt/
 hq.example@hq.example.com


  This is not an error. It is a normal user authentication.
 OK so it is DNS that is not working. Is DNS server running on the server?
 What do Bind logs show?



  192.168.0.207 is the IP of the client I'm trying to install. However,
 higher up in the log, I also see such errors for the ipa server itself.

  On 20 March 2015 at 20:24, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:

 No, all real machines.

  I'm really sorry it's taking so much of your time.
 I had tried almost everything on a VM setting first, and everything was
 fine.
 Everything always works fine, until you actually need it.



  We try to help as much as we can.
 Can you do LDAP lookups as a directory manager from client host to
 server?
 Can you ssh from client to server?

 When you try to install client is there anything in the logs on the
 server? Does it even get there?






 On 20 March 2015 at 19:41, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:

 But the ipa server itself is also enrolled as a client, just after the
 server installation, right? And that worked fine.


  Are these VMs?
 There has been a similar case when the network was not set properly
 for the virtual test environment.



 On 20 March 2015 at 18:55, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

  No, sorry about the confusion, I shouldn't have posted so quickly.

 When I use the correct domain (hq.example.com), then I really get
 all the same errors as before, also in the new client.



   On 20 Mar 2015 18:39, Dmitri Pal d...@redhat.com wrote:

   On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:

 Oops. Not true, forget last email.

  This second client installation went differently just because it took
 the wrong domain.
 It used *example.com* (what was previously
 set) instead of *hq.example.com 

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Rob Crittenden
Roberto Cornacchia wrote:
 Indeed, id admin does not work and there is no sign of it in the log.
 
 From the client (with admin-tools installed):
 
 $ kinit admin
 Password for ad...@hq.example.com:
 $ ipa user-show admin
   User login: admin
   Last name: Administrator
   Home directory: /home/admin
   Login shell: /bin/bash
   UID: 117200
   GID: 117200
   Account disabled: False
   Password: True
   Member of groups: trust admins, admins
   Kerberos keys available: True
 $ id admin
 id: admin: no such user
 $ getent passwd ad...@hq.spinque.com
 $ grep admin /var/log/sssd/*
 $

This is because sssd is not configured in nsswitch.conf to serve
anything other than sudo.

I see in the client install log you posted in the first message of the
thread that there was no pre-existing sssd.conf so it created a new one,
but that shouldn't be an issue.

What does sssd.conf look like and is sssd running?

rob

 
 
 On 21 March 2015 at 01:01, Dmitri Pal d...@redhat.com wrote:
 
 On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:
 Two log files in attachment (the other files in /var/log/sssd are
 all empty). 

 I'll also go through the troubleshooting page again, thanks

 
 Do the logs include an id call for admin?
 I do not see any instance of the word admin in the log.
 
 

 On 20 March 2015 at 23:03, Dmitri Pal d...@redhat.com wrote:

 On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:
 SSSD logs are empty so far.

 This is wrong.

 Isn't sssd.conf written by ipa-client-install?

 Yes

 If I raise the debug level after client installation,

 (and restart)

 what activities do you suggest to attempt from the client?
 the ones that fail. getent call that returns nothing.
 Also try 'id'.

 http://www.freeipa.org/page/Troubleshooting#Client_Installation
 https://fedorahosted.org/sssd/wiki/Troubleshooting



 On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote:

 On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:
 It certainly gets there, because the client gets in fact
 enrolled as a domain host. I can see it from the UI in
 Identity / Hosts. But not in the DNS zone.

 *Before ipa-client-install, all these do work: *

 $ ssh ipa.hq.example.com
 $ ntpdate ipa.hq.example.com
 $ ldapsearch -x -h ipa.hq.example.com -b dc=hq,dc=example,dc=com uid=admin


 *After running ipa-client-install, all these do work:*

 $ kinit admin
 Password for ad...@hq.example.com:
 $ ipa dnszone-show --all
 [...]
 $ ntpq -p
      remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
 *ipa.hq.example. 131.155.140.130  3 u   19   64    1    0.415   -0.006   0.000
  LOCAL(0)        .LOCL.           5 l    -   64    0    0.000    0.000   0.000

 *But this does NOT work:*
 $ getent passwd ad...@hq.example.com

 What do SSSD logs show on the client?
 Please raise the SSSD debug_level and provide SSSD logs.


 *On the server, in /var/log/krb5kdc.log, I see many of
 these:*

 Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.207: NEEDED_PREAUTH: ad...@hq.example.com for krbtgt/hq.example@hq.example.com, Additional pre-authentication required
 Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.207: ISSUE: authtime 1426884797, etypes {rep=18 tkt=18 ses=18}, ad...@hq.example.com for krbtgt/hq.example@hq.example.com

 This is not an error. It is a normal user authentication.
 OK so it is DNS that is not working. Is DNS server
 running on the server?
 What do Bind logs show?



 192.168.0.207 is the IP of the client I'm trying to
 install. However, higher up in the log, I also 

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
/etc/nsswitch.conf:

passwd: files
shadow: files
group:  files
hosts:  files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:files nisplus
sudoers: files sss
On 21 Mar 2015 01:06, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 07:56 PM, Roberto Cornacchia wrote:

 From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that
 invoking getent should correspond to seeing command 17 invoked in the nss
 log:

  Something like:
 [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input
 [admin].

  I don't see any command invocation in my sssd_nss log


 Forgot to reply to the list...

 Right.
 So what does your nsswitch.conf look like?


  On 21 March 2015 at 00:51, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

 Ah, I see, I had forgotten to enable debug in the nss section. Here is its
 log.

 On 21 March 2015 at 00:40, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

 Two log files in attachment (the other files in /var/log/sssd are all
 empty).

  I'll also go through the troubleshooting page again, thanks


 On 20 March 2015 at 23:03, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:

 SSSD logs are empty so far.


  This is wrong.

  Isn't sssd.conf written by ipa-client-install?


  Yes

  If I raise the debug level after client installation,


  (and restart)

   what activities do you suggest to attempt from the client?

  the ones that fail. getent call that returns nothing.
 Also try 'id'.

 http://www.freeipa.org/page/Troubleshooting#Client_Installation
 https://fedorahosted.org/sssd/wiki/Troubleshooting



 On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:

  It certainly gets there, because the client gets in fact enrolled as
 a domain host. I can see it from the UI in Identity / Hosts. But not in
 the DNS zone.

  *Before ipa-client-install, all these do work: *

  $ ssh ipa.hq.example.com
 $ ntpdate ipa.hq.example.com
 $ ldapsearch -x -h ipa.hq.example.com -b dc=hq,dc=example,dc=com
 uid=admin


  *After running ipa-client-install, all these do work:*

  $ kinit admin
 Password for ad...@hq.example.com:
  $ ipa dnszone-show --all
  [...]
 $ ntpq -p
      remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
 *ipa.hq.example. 131.155.140.130  3 u   19   64    1    0.415   -0.006   0.000
  LOCAL(0)        .LOCL.           5 l    -   64    0    0.000    0.000   0.000

  *But this does NOT work:*
 $ getent passwd ad...@hq.example.com


 What do SSSD logs show on the client?
 Please raise the SSSD debug_level and provide SSSD logs.


  *On the server, in /var/log/krb5kdc.log, I see many of these:*

  Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6
 etypes {18 17 16 23 25 26}) 192.168.0.207: NEEDED_PREAUTH:
 ad...@hq.example.com for krbtgt/hq.example@hq.example.com,
 Additional pre-authentication required
 Mar 20 21:53:17 ipa.hq.example.com krb5kdc[9229](info): AS_REQ (6
 etypes {18 17 16 23 25 26}) 192.168.0.207: ISSUE: authtime
 1426884797, etypes {rep=18 tkt=18 ses=18}, ad...@hq.example.com for
 krbtgt/hq.example@hq.example.com


  This is not an error. It is a normal user authentication.
 OK so it is DNS that is not working. Is DNS server running on the
 server?
 What do Bind logs show?



  192.168.0.207 is the IP of the client I'm trying to install.
 However, higher up in the log, I also see such errors for the ipa server
 itself.

  On 20 March 2015 at 20:24, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:

 No, all real machines.

  I'm really sorry it's taking so much of your time.
 I had tried almost everything on a VM setting first, and everything
 was fine.
 Everything always works fine, until you actually need it.



  We try to help as much as we can.
 Can you do LDAP lookups as a directory manager from client host to
 server?
 Can you ssh from client to server?

 When you try to install client is there anything in the logs on the
 server? Does it even get there?






 On 20 March 2015 at 19:41, Dmitri Pal d...@redhat.com wrote:

  On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:

 But the ipa server itself is also enrolled as a client, just after
 the server installation, right? And that worked fine.


  Are these VMs?
 There has been a similar case when the network was not set properly
 for the virtual test environment.



 On 20 March 2015 at 18:55, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

  No, sorry about the confusion, I shouldn't have posted so quickly.

 When I use the correct domain (hq.example.com), then I really get
 

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
It seems so:

$ firewall-cmd --list-all
FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:


On 20 March 2015 at 00:53, Dmitri Pal d...@redhat.com wrote:

  On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:

  Yes.

  [root@meson ~]# cat /etc/resolv.conf
 search hq.example.com
 nameserver 192.168.0.72

  Sorry from the short log I posted it's not visible, but that ip address
 is the address of the ipa server (ipa.hq.example.com)

  [root@meson ~]# dig ipa.hq.spinque.com

  ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;ipa.hq.example.com. IN A

  ;; ANSWER SECTION:
 ipa.hq.example.com. 1200 IN A 192.168.0.72

  ;; AUTHORITY SECTION:
 hq.example.com. 86400 IN NS ipa.hq.example.com.

  ;; Query time: 1 msec
 ;; SERVER: 192.168.0.72#53(192.168.0.72)
 ;; WHEN: do mrt 19 22:02:04 CET 2015
 ;; MSG SIZE  rcvd: 83



 OK so you can in fact lookup the server.
 Have you opened all required ports for ldap and kerberos and other
 protocols in the firewall both UDP and TCP?




 On 19 March 2015 at 21:55, Dmitri Pal d...@redhat.com wrote:

  On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:

  Hi,

  This should really work like a charm, and I'm sure it is a stupid
 mistake of mine if it doesn't, but I really can't find out what goes wrong.

  Both IPA server and client are on FC21, very up to date.
 Server installation (standard, with dns) worked well. Required ports open
 in the firewall. Everything seems to work.

  I did try to use the IPA server as a DNS (with forwarders) and NTP
 server from non-ipa clients, no problem.
 I also tried to use it as LDAP server, from a non-fedora machine (a
 synology). It worked well and I could see users.

  When trying to enroll a client, the enrollment itself seems to succeed,
 but:
 - Unable to sync time with NTP server
 - Unable to update DNS
 - Unable to find users

  I include below the short installation log (I changed the real domain
 into hq.example.com), and in attachment, the full log with debug on.

  From the debug log, about the DNS update failure, I can see this:

; Communication with 192.168.0.72#53 failed: operation canceled
   could not reach any name server

  I'm not sure what communication problem this could be, as the server
 (which is both the IPA and the DNS servers), clearly can be reached.

  Any idea where to look at?


  Do you have the IPA DNS server in the resolv.conf of the client?




  Thanks,
 Roberto


  [root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
 --force-ntpd --hostname=meson.hq.example.com
 Discovery was successful!
 Hostname: meson.hq.example.com
 Realm: HQ.EXAMPLE.COM
 DNS Domain: hq.example.com
 IPA Server: ipa.hq.example.com
 BaseDN: dc=hq,dc=example,dc=com

  Continue to configure the system with these values? [no]: yes
 Synchronizing time with KDC...
 *Unable to sync time with IPA NTP server, assuming the time is in sync.
 Please check that 123 UDP port is opened.*
 User authorized to enroll computers: admin
 Password for ad...@hq.example.com:
 Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
 Issuer:  CN=Certificate Authority,O=HQ.EXAMPLE.COM
 Valid From:  Mon Mar 16 18:44:35 2015 UTC
 Valid Until: Fri Mar 16 18:44:35 2035 UTC

  Enrolled in IPA realm HQ.EXAMPLE.COM
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
 trying https://ipa.hq.example.com/ipa/json
 Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
 Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
 Systemwide CA database updated.
 Added CA certificates to the default NSS database.
 Hostname (meson.hq.example.com) not found in DNS
 *Failed to update DNS records.*
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
 *Could not update DNS SSHFP records.*
 SSSD enabled
 Configured /etc/openldap/ldap.conf
 *Unable to find 'admin' user with 'getent passwd ad...@hq.example.com'!*
 *Unable to reliably detect configuration. Check NSS setup manually.*
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Configuring 
