On 07/28/2014 07:29 PM, jaseywang wrote:
> Hi
> I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but none of them
> worked :-(
> At the moment, only 12.04 ships the apt repo, so I can use apt to
> install freeipa-client (2.1.4-0ubuntu1). Although I can install the
> package successfully, I can't make it work during my ipa-client-install
> process. I just followed the instructions in the docs below:
> https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu
> http://ubuntuforums.org/showthread.php?t=2207956
>
> But it failed, with the --debug option on; below is the message it produced during
> installation:
>
> ---
>
> # ipa-client-install --domain=example.com --mkhomedir --realm=EXAMPLE.COM
> --server=ad25.example.com --no-ntp --hostname=dp40.example.com --debug
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'example.com', 'uninstall': False,
> 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': '
> dp40.example.com', 'preserve_sssd': False, 'server': 'ad25.example.com',
> 'prompt_password': False, 'mkhomedir': True, 'dns_updates': False,
> 'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None,
> 'realm_name': 'EXAMPLE.COM', 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmp_gTNxY/ca.crt -T 15 -t
> 2 http://ad25.example.com/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2014-07-29 01:00:16--
> http://ad25.example.com/ipa/config/ca.crt
> Resolving ad25.example.com (ad25.example.com)... 10.11.50.5
> Connecting to ad25.example.com (ad25.example.com)|10.11.50.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1295 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/tmp/tmp_gTNxY/ca.crt'
>
> 0K . 100% 109M=0s
>
> 2014-07-29 01:00:16 (109 MB/s) - `/tmp/tmp_gTNxY/ca.crt' saved [1295/1295]
>
>
> root : DEBUG Init ldap with: ldap://ad25.example.com:389
> root : DEBUG Search LDAP server for IPA base DN
> root : DEBUG Check if naming context 'dc=example,dc=com' is for
> IPA
> root : DEBUG Naming context 'dc=example,dc=com' is a valid IPA
> context
> root : DEBUG Search for (objectClass=krbRealmContainer) in
> dc=example,dc=com(sub)
> root : DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=us',
> {'krbSubTrees': ['dc=example,dc=com'], 'cn': ['EXAMPLE.COM'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
> 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> 'krbMaxRenewableAge': ['604800']})]
> root : DEBUG will use domain: example.com
>
> root : DEBUG will use server: ad25.example.com
>
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> root : DEBUG will use cli_realm: EXAMPLE.COM
>
> root : DEBUG will use cli_basedn: dc=example,dc=com
>
> Hostname: dp40.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ad25.example.com
> BaseDN: dc=example,dc=com
>
>
> Continue to configure the system with these values?
> [no]: yes
> root : DEBUG Backing up system configuration file '/etc/hostname'
> root : DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG args=/bin/hostname dp40.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=
> User authorized to enroll computers: admin
> root : DEBUG will use principal: admin
>
> root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://ad25.example.com/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2014-07-29 01:00:29--
> http://ad25.example.com/ipa/config/ca.crt
> Resolving ad25.example.com (ad25.example.com)... 10.11.50.5
> Connecting to ad25.example.com (ad25.example.com)|10.11.50.5|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1295 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
> 0K . 100% 127M=0s
>
> 2014-07-29 01:00:29 (127 MB/s) - `/etc/ipa/ca.crt' saved [1295/1295]
>
>
> Synchronizing time with KDC...
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
> usage: /usr/sbin/ntpdate [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p
> samples] [-o version#] [-t timeo] server ...
>
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> root : DEBUG Writing Kerberos configuration to /tmp/tmpaGEtIp:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> kdc = ad25.example.com:88
> admin_server = ad25.example.com:749
> default_domain = example.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> Password for ad...@example.com:
> root : DEBUG args=kinit ad...@example.com
> root : DEBUG stdout=Password for ad...@example.com:
>
> root : DEBUG stderr=
>
> root : DEBUG args=/usr/sbin/ipa-join -s ad25.example.com -b
> dc=example,dc=com -d -h dp40.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>dp40.example.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>3.2.0-29-generic</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> XML-RPC RESPONSE:
>
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> <value><string>fqdn=dp40.example.com
> ,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n
> <value><struct>\n
> <member>\n
> <name>dn</name>\n
> <value><string>fqdn=dp40.example.com
> ,cn=computers,cn=accounts,dc=example,dc=com</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=EXAMPLE.COM</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>top</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>dp40.example.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>b086ab94-1678-11e4-991b-bc305bf33a5c</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/dp40.example....@example.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>dp40.example.com</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=EXAMPLE.COM
>
> Enrolled in IPA realm EXAMPLE.COM
> root : DEBUG args=kdestroy
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG Backing up system configuration file
> '/etc/ipa/default.conf'
> root : DEBUG -> Not backing up - '/etc/ipa/default.conf'
> doesn't exist
> Created /etc/ipa/default.conf
> root : DEBUG Backing up system configuration file
> '/etc/sssd/sssd.conf'
> root : DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Domain example.com is already configured in existing SSSD config, creating
> a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during
> uninstall.
> root : DEBUG Domain example.com is already configured in existing
> SSSD config, creating a new one.
> Configured /etc/sssd/sssd.conf
> root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA
> CA -t CT,C,C -a -i /etc/ipa/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG Backing up system configuration file '/etc/krb5.conf'
> root : DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Writing Kerberos configuration to /etc/krb5.conf:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> kdc = ad25.example.com:88
> admin_server = ad25.example.com:749
> default_domain = example.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> Warning: Hostname (dp40.example.com) not found in DNS
> root : DEBUG Writing nsupdate commands to
> /etc/ipa/.dns_update.txt:
>
> zone example.com.
> update delete dp40.example.com. IN A
> send
> update add dp40.example.com. 1200 IN A 10.11.0.40
> send
>
> root : DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
> dp40.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=kinit: Password incorrect while getting
> initial credentials
>
> Failed to obtain host TGT.
> root : DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> root : DEBUG stdout=
> root : DEBUG stderr=tkey query failed: GSSAPI error: Major =
> Unspecified GSS failure. Minor code may provide more information, Minor =
> Credentials cache file '/etc/ipa/.dns_ccache' not found.
>
> Failed to update DNS A record. (Command '/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1)
> root : DEBUG args=/usr/sbin/service dbus start
> root : DEBUG stdout=
> root : DEBUG stderr=start: Job is already running: dbus
>
> root : ERROR dbus failed to start: Command '/usr/sbin/service
> dbus start ' returned non-zero exit status 1
> root : DEBUG args=/usr/sbin/service certmonger restart
> root : DEBUG stdout=certmonger stop/waiting
> certmonger start/running, process 293499
>
> root : DEBUG stderr=
> root : DEBUG args=/usr/sbin/service certmonger stop
> root : DEBUG stdout=certmonger stop/waiting
>
> root : DEBUG stderr=
> root : DEBUG args=/usr/sbin/service certmonger restart
> root : DEBUG stdout=certmonger start/running, process 293513
>
> root : DEBUG stderr=stop: Unknown instance:
>
> root : DEBUG args=/sbin/chkconfig certmonger on
> root : DEBUG stdout=
> root : DEBUG stderr=/sbin/insserv: No such file or directory
>
> Failed to configure automatic startup of the certmonger daemon
> Automatic certificate management will not be available
> root : ERROR Failed to disable automatic startup of the
> certmonger daemon: Command '/sbin/chkconfig certmonger on' returned
> non-zero exit status 1
> root : DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA
> Machine Certificate - dp40.example.com -N CN=dp40.example.com,O=EXAMPLE.COM
> -K host/dp40.example....@example.com
> root : DEBUG stdout=New signing request "20140728170038" added.
>
> root : DEBUG stderr=
> root : DEBUG args=/usr/sbin/service nscd status
> root : DEBUG stdout=
> root : DEBUG stderr=nscd: unrecognized service
>
> root : DEBUG Saving StateFile to
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG Saving StateFile to
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG Saving StateFile to
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Would run on a Red Hat platform: /usr/sbin/authconfig --enablesssdauth
> --enablemkhomedir --update --enablesssd
> Please do the corresponding changes manually and press Enter:
> SSSD enabled
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG args=getent passwd admin
> root : DEBUG stdout=
> root : DEBUG stderr=
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> Client configuration complete.
>
>
> ---
>
> Obviously, the package is buggy, and it just copied configs from Red Hat
> that are not suitable for Ubuntu.
>
> As for Ubuntu 10.04, I googled a lot, but found far less info about it.
> Basically, the documentation for 10.04 and 12.04 is really, really rare; I
> haven't found any good cases that run them smoothly.
>
> I have read through the official documentation, and there only exists some
> info about installing ipa-client manually, which is still for Red Hat based
> distributions, not Debian based, although no matter which distribution, the
> theory behind them is the same. One of the main purposes of FreeIPA, I think,
> is to make IdM easier to use and maintain, especially since it involves
> lots of complicated components that normal users don't want to deal with:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
>
> Besides Ubuntu, we have hundreds of Red Hat clients which run quite well and
> they don't have many problems during the whole process, but Ubuntu is a big
> trouble for us; we still have more than 200 of them running in
> our production environment, and we still want to let them join our
> FreeIPA domain so we can manage our accounts more efficiently.
>
> So, can anybody help me to debug the above error on Ubuntu 12.04, and is there any
> suggestion or good reference for the Ubuntu distribution?
> Thank you.
CCing Timo, who is working on the Ubuntu port; I am sure he will be able to provide some help.

HTH,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
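The script below is an added example, written for this page; it is not code from the thread, from the Ubuntu package or from the FreeIPA project. It does two things with the log quoted above. First, failed_steps() parses the "root : DEBUG args=/stdout=/stderr=" triplets that ipa-client-install --debug emits and prints only the commands that went wrong: the ntpdate -U and chkconfig calls that do not exist on Ubuntu, the host kinit that failed with "Password incorrect", the "root : ERROR" lines, and getent lookups whose only failure sign is an empty stdout. The sample log embedded in SAMPLE_LOG is a constructed excerpt of the quoted output. Second, the --live functions re-run the failed steps with Ubuntu equivalents and add the check a practitioner would want before trusting the enrollment: the log shows /etc/ipa/ca.crt being fetched over plain http:// and imported into /etc/pki/nssdb with trust CT,C,C, so the script compares its SHA-256 fingerprint against a value obtained out of band. The realm, server and hostname default to the values in the log; EXPECTED_CA_SHA256, the use of update-rc.d and pam-auth-update, and the PAM file names are assumptions about the Ubuntu side, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): triage an
# ipa-client-install --debug log and re-run the failed steps on Ubuntu.
# Realm/server/host default to the values in the quoted log; override via env.
REALM="${REALM:-EXAMPLE.COM}"
SERVER="${SERVER:-ad25.example.com}"
HOST="${HOST:-dp40.example.com}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Read a --debug log on stdin. Print each "args=" command whose stderr carries
# a failure marker, every "root : ERROR" line, and getent lookups that
# returned nothing (empty stdout is the only sign of that failure).
failed_steps() {
    awk '
        /DEBUG args=/   { sub(/.*args=/, ""); cmd = $0; next }
        /DEBUG stdout=/ { out = $0; sub(/.*stdout=/, "", out)
                          if (cmd ~ /^getent / && out == "") print cmd " (no result)"
                          next }
        /DEBUG stderr=/ { err = $0; sub(/.*stderr=/, "", err)
                          if (err ~ /unknown option|Password incorrect|No such file|unrecognized service/) print cmd
                          next }
        / ERROR /       { print "ERROR: " $0 }
    '
}

# Constructed excerpt of the log quoted above, used by demo_triage().
SAMPLE_LOG=$(cat <<'EOF'
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ad25.example.com
root : DEBUG stdout=
root : DEBUG stderr=/usr/sbin/ntpdate: unknown option -U
root : DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/dp40.example.com
root : DEBUG stdout=
root : DEBUG stderr=kinit: Password incorrect while getting initial credentials
root : ERROR dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1
root : DEBUG args=/sbin/chkconfig certmonger on
root : DEBUG stdout=
root : DEBUG stderr=/sbin/insserv: No such file or directory
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
EOF
)
demo_triage() { printf '%s\n' "$SAMPLE_LOG" | failed_steps; }

# ---- live checks: run as root on the enrolled client with "--live" ----

# Ubuntu's ntpdate has no -U (see the usage line in the log); -s logs to
# syslog, -b steps the clock. Clock skew breaks Kerberos, so do this first.
sync_time() { ntpdate -s -b "$SERVER"; }

# The installer pulled ca.crt over unauthenticated HTTP. EXPECTED_CA_SHA256 is
# assumed to come from the IPA admin out of band, not from the same URL.
check_ca_fingerprint() {
    [ -n "${EXPECTED_CA_SHA256:-}" ] || { echo "skip: EXPECTED_CA_SHA256 unset"; return 0; }
    got=$(openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$got" = "$EXPECTED_CA_SHA256" ] || { echo "CA fingerprint mismatch: $got"; return 1; }
}

# A keytab was stored but "kinit -k" failed with "Password incorrect": show
# the principal/KVNO the keytab actually holds, then retry the host TGT.
check_host_keytab() {
    [ -s "$KEYTAB" ] || { echo "missing $KEYTAB"; return 1; }
    klist -kt "$KEYTAB"
    kinit -k -t "$KEYTAB" "host/$HOST@$REALM" && kdestroy
}

# chkconfig does not exist on Ubuntu; update-rc.d is the assumed equivalent
# (only for SysV scripts; the upstart output in the log suggests a job file).
enable_services() {
    update-rc.d certmonger defaults 2>/dev/null || echo "certmonger: no SysV script, check /etc/init/certmonger.conf"
    service sssd restart
}

# authconfig's work had to be done by hand: verify PAM really consults sssd
# before trusting "SSSD enabled", then repeat the lookup that failed.
check_pam_and_lookup() {
    grep -q pam_sss.so /etc/pam.d/common-auth || { echo "pam_sss not in common-auth; run pam-auth-update"; return 1; }
    grep -q pam_mkhomedir.so /etc/pam.d/common-session || echo "warning: --mkhomedir requested but pam_mkhomedir not configured"
    getent passwd admin
}

run_live_checks() {
    for step in sync_time check_ca_fingerprint check_host_keytab enable_services check_pam_and_lookup; do
        echo "== $step"; "$step" || echo "!! $step failed"
    done
}

case "${1:-}" in
    --live) run_live_checks ;;
    *)      demo_triage ;;
esac
```

Run it with no arguments (or pipe a real log into failed_steps) to get the short list of commands worth chasing instead of reading every DEBUG line; run it with --live on the client itself to repeat those steps with the Ubuntu tools. The fingerprint check is the one step the installer never performs: with the CA fetched over HTTP and trusted for TLS, email and code signing in the NSS database, anyone who can answer for ad25.example.com on port 80 during enrollment decides which CA the client trusts.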