Very odd, those steps look correct to me. And if auto-discovery for the domain, 
realm, hostname and IPA server works, then it’s not the ipa-client-install 
script, I think.
What versions are you running? Important bits:

- freeipa packages
- kerberos packages
- sssd packages

Also, what do /etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/krb5.conf 
look like? Do you have a valid keytab in /etc/krb5.keytab?
Other things to compare:

/var/log/ipa-client-install.log 

Check if the enrollment is different between the command you run automatically 
vs. running it manually when it works.

John

> On 29 May 2019, at 23:04, Boudjoudad Abdelkader <boujou...@gmail.com> wrote:
> 
> I was using curtin but now I'm using cloud-init post-installation. After the 
> installation freeipa-client is installed and sssd.conf configured as well as 
> krb5.conf and krb5.keytab, but the nfs mount doesn't work!
> 
> The command to deploy the script is:
>  maas $PROFILE machine deploy $SYSTEM_ID user_data=$(base64 -w 0 /opt/myscript.sh)
> The script is executed after the installation, I can see that, but it seems to 
> have a problem with ipa-client-installation!
> 
> On Wed, May 29, 2019 at 4:59 PM John Keates <j...@keates.nl> wrote:
> In what phase do you run the script? It should be one of the last scripts in 
> the final phase for the install to work reliably. If it’s in preconfig or 
> config phase it breaks 9 out of 10 times.
> 
> John
> 
>> On 29 May 2019, at 22:53, Boudjoudad Abdelkader <boujou...@gmail.com> wrote:
>> 
>> I'm using cloud-init with this script:
>> locale-gen en_CA.utf8
>> locale-gen en_US.utf8
>> 
>> HOSTNAME=$(hostname)
>> IP=$(hostname -i | awk '{print $1}')
>> echo "$HOSTNAME.example.com" > /etc/hostname
>> FQDN="$HOSTNAME.example.com"
>> echo "FQDN is: $FQDN"
>> sed -i  "1 i\
>> $IP $FQDN $HOSTNAME" /etc/hosts
>> apt-get -y update
>> apt-get install -y nfs-kernel-server nfs-common
>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>   --domain example.com --no-ntp --unattended --principal admin \
>>   --password 'Deep201' --realm EXAMPLE.COM --enable-dns-updates --force \
>>   --force-join
>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>> 
>> I will test with only --enable-dns-updates, principal and password
>> The network is configured well because I can reach the nfs server.
>> 
>> 
>> On Wed, May 29, 2019 at 4:44 PM John Keates <j...@keates.nl> wrote:
>> What I meant was that you are already practically disabling it; you specify 
>> the hostname, domain, server, realm on your command line but those should be 
>> discoverable.
>> Here is an enrollment jinja2 template I use:
>> 
>> ipa-client-install -U --enable-dns-updates \
>>   --principal={{freeipa.client.enroll.username}} \
>>   --password={{freeipa.client.enroll.password}}
>> 
>> It’s all that’s needed as long as your network has the correct setup. You’d 
>> replace the principal and password with your own of course.
>> It would probably look like:
>> 
>> ipa-client-install -U --enable-dns-updates --principal=admin --password=Deep201qa
>> 
>> John
>> 
>>> On 29 May 2019, at 22:39, Boudjoudad Abdelkader <boujou...@gmail.com> wrote:
>>> 
>>> Hi John,
>>> Thank you for the quick reply,
>>> 
>>> To disable autodiscovery the option is?
>>> --autodiscovery=no   
>>> 
>>> On Wed, May 29, 2019 at 4:18 PM John Keates <j...@keates.nl> wrote:
>>> I don’t know what you are missing, but I do know that in theory your 
>>> enrolment should work with just -U for unattended and the principal and 
>>> password.
>>> Unless you have a special environment that requires auto discovery to be 
>>> disabled, I’d recommend using it.
>>> 
>>> I’m enrolling clients in three ways that all work this way, one using a 
>>> Cloud-Init module, one using a SaltStack formula and one using a Lambda 
>>> function that uses SSH to connect to a machine and run the enrolment 
>>> remotely.
>>> 
>>> The text from your mount command seems to suggest a timeout issue, perhaps 
>>> the network isn’t up or DNS is broken? I’m also seeing you using an IP, 
>>> it’s usually a sign of an incomplete or improper network setup (but 
>>> technically it should be fine)
>>> 
>>> John
>>> 
>>>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users 
>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>> 
>>>> Hello,
>>>> I'm trying to automate freeipa-client installation on Ubuntu with a custom 
>>>> script using MAAS as follows:
>>>> HOSTNAME=$(hostname)
>>>> IP=$(hostname -i | awk '{print $1}')
>>>> echo "$HOSTNAME.example.com" > /etc/hostname
>>>> FQDN="$HOSTNAME.example.com"
>>>> echo "FQDN is: $FQDN"
>>>> sed -i  "1 i\
>>>> $IP $FQDN $HOSTNAME" /etc/hosts
>>>> apt-get -y update
>>>> apt-get install -y nfs-kernel-server nfs-common
>>>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>>>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>>>   --domain example.com --no-ntp --unattended --principal admin \
>>>>   --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
>>>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>>> service sssd restart
>>>> 
>>>> After the deployment I can do kinit domain_user and ipa user-show without 
>>>> any problem, but when I tried to mount an nfs in /etc/fstab with the 
>>>> following options I get an error:
>>>> The mount in /etc/fstab:  nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none 0 0
>>>> The error:
>>>> mount -av
>>>> /                        : ignored
>>>> none                     : ignored
>>>> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
>>>> mount.nfs4: trying text-based options 
>>>> 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
>>>> 
>>>> I tried to install  freeipa-client manually and the nfs mount works:
>>>> ipa-client-install
>>>> 
>>>> What am I missing?
>>>> 
>>>> Thanks,
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>> 
>> 
> 
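
The checks John lists at the top of this message (package versions, the three config files, the keytab, the install log), gathered into one snapshot directory per run so the cloud-init enrollment and a manual one can be compared with `diff -ru`. This is an added example, not code from the thread; the function names, the output directory, the Ubuntu package names and the constructed sample lines are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): snapshot the enrollment state per run.

# Drop the leading timestamp from install-log lines so two runs diff cleanly.
# Assumed line format: "2019-05-29T20:04:29Z DEBUG message".
strip_log_timestamps() {
    sed -E 's/^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:]{8}Z //'
}

# Read `klist -k` output on stdin; succeed only if the keytab holds a key for
# host/<fqdn>@<realm>, the host key ipa-client-install writes on enrollment.
keytab_has_host_principal() {
    awk -v want="host/$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# Collect versions, config files, keytab listing and install log into $1.
# Run as root; each step is best-effort so a gap shows up in the diff.
collect_snapshot() {
    out=$1
    (umask 077; mkdir -p "$out")   # sssd.conf and logs are not world-readable
    # Ubuntu package names (assumption: krb5-user carries the Kerberos tools).
    dpkg-query -W -f='${Package} ${Version}\n' freeipa-client krb5-user sssd \
        > "$out/versions.txt" 2>&1
    for f in /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/krb5.conf; do
        cp "$f" "$out/" 2>/dev/null || echo "missing: $f" >> "$out/missing.txt"
    done
    klist -k /etc/krb5.keytab > "$out/keytab.txt" 2>&1
    hostname -f > "$out/fqdn.txt" 2>&1
    # Log path as written in the message, then the ipaclient-install.log name
    # that FreeIPA clients use; keep whichever exists.
    for log in /var/log/ipa-client-install.log /var/log/ipaclient-install.log; do
        [ -r "$log" ] && strip_log_timestamps < "$log" > "$out/install.log"
    done
    return 0
}

# Usage: script.sh --collect /root/ipa-auto   (repeat after a manual enrollment)
if [ "${1:-}" = "--collect" ]; then
    collect_snapshot "${2:-/tmp/ipa-snapshot}"
else
    # Constructed `klist -k` output, for a dry run without a real keytab.
    printf 'KVNO Principal\n   1 host/client1.example.com@EXAMPLE.COM\n' |
        keytab_has_host_principal client1.example.com EXAMPLE.COM &&
        echo "constructed sample: host principal present"
fi
```

Comparing `fqdn.txt` against the principal in `keytab.txt` for each run shows whether the automated enrollment registered the host under the same name the manual one did.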
