Hi John,

After many tests yesterday evening and this morning I can confirm that even
running ipa-client-install manually doesn't work now. I was thinking about a
problem with the kernel version, but no, because I installed 18.10 with a new
kernel version and it doesn't work:
maas version: 2.4
ipa version: 4.6.90.pre1+git20180411, API_VERSION: 2.229
sssd version: 1.16.1
krb5 version: 2.6
nfs-kernel-server: 1:1.3

sssd.conf and krb5.conf are exactly like other machines deployed manually.
krb5.keytab: looks fine:
sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/maas-client.example....@example.com
   1 host/maas-client.example....@example.com

nsswitch.conf: exactly like machines deployed manually.

So for sure the problem is not with the ipa installation script.

On Wed, May 29, 2019 at 6:31 PM John Keates <j...@keates.nl> wrote:

> Very odd, those steps look correct to me. And if auto-discovery for the
> domain, realm, hostname and IPA server work, then it’s not the
> ipa-client-install script I think.
> What versions are you running? Important bits:
>
> - freeipa packages
> - kerberos packages
> - sssd packages
>
> also, what does /etc/nsswitch.conf and /etc/sssd/sssd.conf and
> /etc/krb5.conf look like? Do you have a valid keytab in /etc/krb5.keytab?
> Other things to compare:
>
> /var/log/ipa-client-install.log
>
> check if the enrollment is different between the command you run
> automatically vs. running it manually when it works
>
> John
>
> On 29 May 2019, at 23:04, Boudjoudad Abdelkader <boujou...@gmail.com>
> wrote:
>
> I was using curtin but now I'm using cloud-init post-installation; after
> the installation freeipa-client is installed and sssd.conf is configured, as
> well as krb5.conf and krb5.keytab, but the nfs mount doesn't work!
>
> The command to deploy the script is:
>  maas $PROFILE  machine deploy $SYSTEM_ID user_data=$(base64 -w 0
> /opt/myscript.sh)
> The script is executed after the installation, I can see that, but it seems
> to have a problem with ipa-client-installation!
>
> On Wed, May 29, 2019 at 4:59 PM John Keates <j...@keates.nl> wrote:
>
>> In what phase do you run the script? It should be one of the last scripts
>> in the final phase for the install to work reliably. If it’s in preconfig
>> or config phase it breaks 9 out of 10 times.
>>
>> John
>>
>> On 29 May 2019, at 22:53, Boudjoudad Abdelkader <boujou...@gmail.com>
>> wrote:
>>
>> I'm using cloud-init with this script:
>> locale-gen en_CA.utf8
>> locale-gen en_US.utf8
>>
>> HOSTNAME=$(hostname)
>> IP=$(hostname -i | awk '{print $1}')
>> echo "$HOSTNAME.example.com" > /etc/hostname
>> FQDN="$HOSTNAME.example.com"
>> echo "FQDN is: $FQDN"
>> sed -i  "1 i\
>> $IP $FQDN $HOSTNAME" /etc/hosts
>> apt-get -y update
>> apt-get install -y nfs-kernel-server nfs-common
>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>   --domain example.com --no-ntp --unattended --principal admin \
>>   --password 'Deep201' --realm EXAMPLE.COM \
>>   --enable-dns-updates --force --force-join
>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>
>> I will test with only --enable-dns-updates, principal and password.
>> The network is configured well because I can reach the nfs server.
>>
>>
>> On Wed, May 29, 2019 at 4:44 PM John Keates <j...@keates.nl> wrote:
>>
>>> What I meant was that you are already practically disabling it; you
>>> specify the hostname, domain, server, realm on your command line but those
>>> should be discoverable.
>>> Here is an enrollment jinja2 template I use:
>>>
>>> ipa-client-install -U --enable-dns-updates
>>> --principal={{freeipa.client.enroll.username}}
>>> --password={{freeipa.client.enroll.password}}
>>>
>>> It’s all that’s needed as long as your network has the correct setup.
>>> You’d replace the principal and password with your own of course.
>>> It would probably look like:
>>>
>>> ipa-client-install -U --enable-dns-updates --principal=admin
>>> --password=Deep201qa
>>>
>>> John
>>>
>>> On 29 May 2019, at 22:39, Boudjoudad Abdelkader <boujou...@gmail.com>
>>> wrote:
>>>
>>> Hi John,
>>> Thank you for the quick reply,
>>>
>>> To disable autodiscovery the option is ?
>>> --autodiscovery=no
>>>
>>> On Wed, May 29, 2019 at 4:18 PM John Keates <j...@keates.nl> wrote:
>>>
>>>> I don’t know what you are missing, but I do know that in theory your
>>>> enrolment should work with just -U for unattended and the principal and
>>>> password.
>>>> Unless you have a special environment that requires auto discovery to
>>>> be disabled, I’d recommend using it.
>>>>
>>>> I’m enrolling clients in three ways that all work this way, one using a
>>>> Cloud-Init module, one using a SaltStack formula and one using a Lambda
>>>> function that uses SSH to connect to a machine and run the enrolment
>>>> remotely.
>>>>
>>>> The text from your mount command seems to suggest a timeout issue,
>>>> perhaps the network isn’t up or DNS is broken? I’m also seeing you using an
>>>> IP, it’s usually a sign of an incomplete or improper network setup (but
>>>> technically it should be fine)
>>>>
>>>> John
>>>>
>>>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>> Hello,
>>>> I'm trying to automate freeipa-client installation on Ubuntu with a
>>>> custom script using MAAS as follows:
>>>> HOSTNAME=$(hostname)
>>>> IP=$(hostname -i | awk '{print $1}')
>>>> echo "$HOSTNAME.example.com" > /etc/hostname
>>>> FQDN="$HOSTNAME.example.com"
>>>> echo "FQDN is: $FQDN"
>>>> sed -i  "1 i\
>>>> $IP $FQDN $HOSTNAME" /etc/hosts
>>>> apt-get -y update
>>>> apt-get install -y nfs-kernel-server nfs-common
>>>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>>>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>>>   --domain example.com --no-ntp --unattended \
>>>>   --principal admin --password 'Deep201qa' --realm EXAMPLE.COM \
>>>>   --enable-dns-updates
>>>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>>> service sssd restart
>>>>
>>>> After the deployment I can do kinit domain_user and ipa user-show
>>>> without any problem, but when I tried to mount an nfs in /etc/fstab with the
>>>> following options I get an error:
>>>> The  mount in /etc/fstab:  nfs4
>>>> rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
>>>> 0 0
>>>> The error:
>>>> mount -av
>>>> /                        : ignored
>>>> none                     : ignored
>>>> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
>>>> mount.nfs4: trying text-based options
>>>> 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
>>>>
>>>> I tried to install freeipa-client manually and the nfs mount works:
>>>> ipa-client-install
>>>>
>>>> What am I missing?
>>>>
>>>> Thanks,
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>
>>>>
>>>>
>>>
>>
>
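
Added example, not part of the thread: one way to carry out the comparison John suggests, by snapshotting the files he lists (/etc/nsswitch.conf, /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/krb5.keytab) in a form that can be diffed between a MAAS-deployed host and a manually enrolled one. The function names and the `snapshot` argument are hypothetical; only `klist -k`, `hostname -f` and the file paths come from the messages above.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the files John's checklist names
# so a MAAS-deployed host and a manually enrolled host can be compared with diff.

# Read `klist -k` output on stdin; print "KVNO principal" once per distinct entry.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1, $2 }' | sort -u
}

# Succeed only if the keytab listing on stdin holds host/<fqdn>@<realm>.
# $1 = FQDN, $2 = realm
has_host_principal() {
    keytab_entries |
        awk -v want="host/$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# Print a config file without comment and blank lines, with this host's own
# names replaced by placeholders so only real differences show up in a diff.
# $1 = file, $2 = FQDN, $3 = short host name
normalize_conf() {
    fq=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for use as a regex
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e "s/$fq/<FQDN>/g" -e "s/$3/<HOST>/g" "$1"
}

# Emit the full snapshot for the local machine (needs root to read the keytab).
enrollment_snapshot() {
    fqdn=$(hostname -f)
    short=$(hostname -s)
    for f in /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/krb5.conf; do
        echo "## $f"
        normalize_conf "$f" "$fqdn" "$short"
    done
    echo "## /etc/krb5.keytab"
    klist -k /etc/krb5.keytab | keytab_entries | sed "s/$short/<HOST>/g"
}

# Only touch the real system when explicitly asked to.
if [ "${1:-}" = snapshot ]; then
    enrollment_snapshot
fi
```

Run it with the `snapshot` argument as root on both machines, redirect each output to a file, and `diff` the two files; any remaining line is a real configuration difference rather than a host name.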