lejeczek via FreeIPA-users wrote:
> Hi guys
>
> I do not see any clear problems and no errors in client log but each
> time I try to install client process stops:
> ...
> No SRV records of NTP servers found and no NTP server or pool address
> was provided.
> Using default chrony configuration.
> Attempting to sync time with chronyc.
> Time synchronization was successful.
> Do you want to download the CA cert from
> http://c8kubermaster2.ton.mko.priv.com/ipa/config/ca.crt ?
> (this is INSECURE) [no]:
> ---
> If I go with 'yes' as the answer then:
> ...
> Joining realm failed: SASL Bind failed
> Invalid credentials
>
> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
> ----
> One thing is new and different from all freeIPA deployments I have done
> in the past, namely
> REALM =! FQDN
> but both share a "top level/part".
> I do not think about that being the root cause.
> Client install would succeed if I gave it:
> --server= --domain= --realm= (which is a bit weird cause those seem to get
> discovered as expected)
>
> Any thoughts on routes of troubleshooting very appreciated.
> many thanks, L.

You need to read the client install log carefully to ensure it is discovering the expected domain/realm/server.

After providing enrollment credentials those are used to retrieve the CA certificate over LDAP and if that fails, it falls back to HTTP.

Given the enrollment is failing with a bind error perhaps it is as simple as a bad password. That or you're binding to a different server than you are expecting.

rob
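
Added example, not part of the original thread and not FreeIPA code: one way to check, outside the installer, which server and realm a client would discover, and compare them with the values you expect. It assumes discovery reads the `_ldap._tcp.<domain>` SRV records and the `_kerberos.<domain>` TXT record; the function names and the `example.test` values in the comments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Compare DNS discovery answers with the server/realm you expect to enroll to.
# Assumption: servers come from SRV _ldap._tcp.<domain>, realm from
# TXT _kerberos.<domain>. Inputs are the text printed by `dig +short`.

# srv_targets: read `dig +short SRV` lines ("prio weight port target.") on
# stdin and print each target lower-cased with the trailing dot removed.
srv_targets() {
    awk 'NF >= 4 { h = tolower($4); sub(/\.$/, "", h); print h }'
}

# txt_realm: read `dig +short TXT` output on stdin, print the first value
# without its surrounding double quotes.
txt_realm() {
    sed -n '1{s/^"//;s/"$//;p;}'
}

# check_discovery EXPECTED_SERVER EXPECTED_REALM SRV_OUTPUT TXT_OUTPUT
# Prints one line per finding and returns 0 only when both values match.
check_discovery() {
    want_server=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want_realm=$2
    rc=0
    targets=$(printf '%s\n' "$3" | srv_targets)
    realm=$(printf '%s\n' "$4" | txt_realm)
    if ! printf '%s\n' "$targets" | grep -qxF "$want_server"; then
        # $targets is left unquoted on purpose so the list prints on one line
        echo "MISMATCH server: SRV targets are:" $targets
        rc=1
    fi
    if [ "$realm" != "$want_realm" ]; then
        echo "MISMATCH realm: TXT says '$realm', expected '$want_realm'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: discovery matches $want_server / $want_realm"
    return "$rc"
}

# Live use (needs dig): ./check.sh DOMAIN EXPECTED_SERVER EXPECTED_REALM
# e.g. ./check.sh example.test ipa1.example.test EXAMPLE.TEST  (constructed)
if [ "$#" -eq 3 ]; then
    check_discovery "$2" "$3" \
        "$(dig +short SRV "_ldap._tcp.$1")" "$(dig +short TXT "_kerberos.$1")"
fi
```

A mismatch here points to the "different server than you are expecting" case; if both values match, a separate `kinit` as the enrollment principal against that realm tests the password on its own.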
