Hi John,

After many tests yesterday evening and this morning I can confirm that even running ipa-client-install manually doesn't work now. I was thinking about a problem with the kernel version, but no, because I installed 18.10 with the new kernel version and it doesn't work:

maas version: 2.4
ipa version: 4.6.90.pre1+git20180411, API_VERSION: 2.229
sssd version: 1.16.1
krb5 version: 2.6
nfs-kernel-server: 1:1.3

sssd.conf and krb5.conf are exactly like other machines deployed manually.
krb5.keytab looks fine:

sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/maas-client.example....@example.com
   1 host/maas-client.example....@example.com

nsswitch.conf: exactly like machines deployed manually.
So for sure the problem is not with the ipa installation script.

On Wed, May 29, 2019 at 6:31 PM John Keates <j...@keates.nl> wrote:

> Very odd, those steps look correct to me. And if auto-discovery for the
> domain, realm, hostname and IPA server work, then it’s not the
> ipa-client-install script I think.
> What versions are you running? Important bits:
>
> - freeipa packages
> - kerberos packages
> - sssd packages
>
> also, what does /etc/nsswitch.conf and /etc/sssd/sssd.conf and
> /etc/krb5.conf look like? Do you have a valid keytab in /etc/krb5.keytab?
> Other things to compare:
>
> /var/log/ipa-client-install.log
>
> check if the enrollment is different between the command you run
> automatically vs. running it manually when it works
>
> John
>
> On 29 May 2019, at 23:04, Boudjoudad Abdelkader <boujou...@gmail.com>
> wrote:
>
> I was using curtin but now I'm using cloud-init post-installation, after
> the installation freeipa-client is installed and sssd.conf configured as
> well as krb5.conf and krb5.keytab but the nfs mount doesn't work!
>
> The command to deploy the script is:
> maas $PROFILE machine deploy $SYSTEM_ID user_data=$(base64 -w 0 /opt/myscript.sh)
> The script is executed after the installation, I can see that, but it seems
> to have a problem with ipa-client-installation!
>
> On Wed, May 29, 2019 at 4:59 PM John Keates <j...@keates.nl> wrote:
>
>> In what phase do you run the script? It should be one of the last scripts
>> in the final phase for the install to work reliably. If it’s in preconfig
>> or config phase it breaks 9 out of 10 times.
>>
>> John
>>
>> On 29 May 2019, at 22:53, Boudjoudad Abdelkader <boujou...@gmail.com>
>> wrote:
>>
>> I'm using cloud-init with this script:
>> locale-gen en_CA.utf8
>> locale-gen en_US.utf8
>>
>> HOSTNAME=$(hostname)
>> IP=$(hostname -i | awk '{print $1}')
>> echo "$HOSTNAME.example.com" > /etc/hostname
>> FQDN="$HOSTNAME.example.com"
>> echo "FQDN is: $FQDN"
>> sed -i "1 i\
>> $IP $FQDN $HOSTNAME" /etc/hosts
>> apt-get -y update
>> apt-get install -y nfs-kernel-server nfs-common
>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com --domain example.com --no-ntp --unattended --principal admin --password 'Deep201' --realm EXAMPLE.COM --enable-dns-updates --force --force-join
>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>
>> I will test with only --enable-dns-updates, principal and password
>> The network is configured well because I can reach the nfs server.
>>
>>
>> On Wed, May 29, 2019 at 4:44 PM John Keates <j...@keates.nl> wrote:
>>
>>> What I meant was that you are already practically disabling it; you
>>> specify the hostname, domain, server, realm on your command line but those
>>> should be discoverable.
>>> Here is an enrollment jinja2 template I use:
>>>
>>> ipa-client-install -U --enable-dns-updates --principal={{freeipa.client.enroll.username}} --password={{freeipa.client.enroll.password}}
>>>
>>> It’s all that’s needed as long as your network has the correct setup.
>>> You’d replace the principal and password with your own of course.
>>> It would probably look like:
>>>
>>> ipa-client-install -U --enable-dns-updates --principal=admin --password=Deep201qa
>>>
>>> John
>>>
>>> On 29 May 2019, at 22:39, Boudjoudad Abdelkader <boujou...@gmail.com>
>>> wrote:
>>>
>>> Hi John,
>>> Thank you for the quick reply,
>>>
>>> To disable autodiscovery the option is?
>>> --autodiscovery=no
>>>
>>> On Wed, May 29, 2019 at 4:18 PM John Keates <j...@keates.nl> wrote:
>>>
>>>> I don’t know what you are missing, but I do know that in theory your
>>>> enrolment should work with just -U for unattended and the principal and
>>>> password.
>>>> Unless you have a special environment that requires auto discovery to
>>>> be disabled, I’d recommend using it.
>>>>
>>>> I’m enrolling clients in three ways that all work this way, one using a
>>>> Cloud-Init module, one using a SaltStack formula and one using a Lambda
>>>> function that uses SSH to connect to a machine and run the enrolment
>>>> remotely.
>>>>
>>>> The text from your mount command seems to suggest a timeout issue,
>>>> perhaps the network isn’t up or DNS is broken? I’m also seeing you using an
>>>> IP, it’s usually a sign of an incomplete or improper network setup (but
>>>> technically it should be fine)
>>>>
>>>> John
>>>>
>>>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>> Hello,
>>>> I'm trying to automate freeipa-client installation on Ubuntu with
>>>> custom script using MAAS as follows:
>>>> HOSTNAME=$(hostname)
>>>> IP=$(hostname -i | awk '{print $1}')
>>>> echo "$HOSTNAME.example.com" > /etc/hostname
>>>> FQDN="$HOSTNAME.example.com"
>>>> echo "FQDN is: $FQDN"
>>>> sed -i "1 i\
>>>> $IP $FQDN $HOSTNAME" /etc/hosts
>>>> apt-get -y update
>>>> apt-get install -y nfs-kernel-server nfs-common
>>>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>>>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com --domain example.com --no-ntp --unattended --principal admin --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
>>>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>>> service sssd restart
>>>>
>>>> After the deployment I can do kinit domain_user and ipa user-show
>>>> without any problem, but when I tried to mount an nfs in /etc/fstab with the
>>>> following options I get an error:
>>>> The mount in /etc/fstab: nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none 0 0
>>>> The error:
>>>> mount -av
>>>> / : ignored
>>>> none : ignored
>>>> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
>>>> mount.nfs4: trying text-based options 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
>>>>
>>>> I tried to install freeipa-client manually and the nfs mount works:
>>>> ipa-client-install
>>>>
>>>> What am I missing?
>>>>
>>>> Thanks,
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
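
John's question about a valid /etc/krb5.keytab matters for the failing mount because a sec=krb5 NFS mount authenticates with the machine credential stored in that keytab. The shell check below is an added example, not part of the thread: it parses `klist -k` output and confirms that the host principal matches the FQDN and realm used at enrollment. The sample listing, the function names and the realm EXAMPLE.COM are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a keytab listing holds
# the host principal implied by the enrolled FQDN and realm.

# Constructed sample of `klist -k /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/maas-client.example.com@EXAMPLE.COM
   1 host/maas-client.example.com@EXAMPLE.COM'

# keytab_principals: read klist -k text on stdin, print unique
# "kvno principal" pairs (one line per key version, not per enctype).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1, $2 }' | sort -u
}

# check_host_principal KLIST_TEXT FQDN REALM
# Returns 0 if host/FQDN@REALM is listed, 1 if it is missing,
# 2 if FQDN is a short name and so cannot match a host principal.
check_host_principal() {
    klist_text=$1 fqdn=$2 realm=$3
    case $fqdn in
        *.*) ;;
        *) echo "hostname '$fqdn' is not fully qualified" >&2; return 2 ;;
    esac
    want="host/$fqdn@$realm"
    if printf '%s\n' "$klist_text" | keytab_principals |
        awk -v w="$want" '$2 == w { found = 1 } END { exit !found }'; then
        echo "ok: $want present"
        return 0
    fi
    echo "missing: $want; keytab has:" >&2
    printf '%s\n' "$klist_text" | keytab_principals >&2
    return 1
}

# On an enrolled client (realm is an assumption, adjust to your own):
# check_host_principal "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" EXAMPLE.COM
```

Running the same check on a manually enrolled machine and on a MAAS-deployed one shows whether the automated hostname handling produced a different principal.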