First off... new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust set up with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora. This client appears to have connected fine, and appears to be working (I guess I haven't tried logging in as an ActiveDirectory user; but it's certainly NOT having any DNS issues, as other clients are; see below...)

Then I tried connecting a second client, a system running Fedora 24 with FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to plan... Here's the output of ipa-client-install:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd. Will timeout after 15 seconds
> Attempting to sync time using ntpd. Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please check
> that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@ipa.rxrhouse.net:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Valid From: Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.

Of concern, the installer failed to update DNS records, resulting in a missing reverse record, and eventually failing to update the DNS SSHFP records. Looking in the Web UI for FreeIPA server, I see that the client is registered, but it doesn't have any SSH keys, and as expected, doesn't have a reverse zone... But the Raspberry Pi DOES.

Just to be fully sure something was wrong... I tried connecting with a clean install of Fedora 24 running in a virtual machine, and had the same issue.

I've googled around, and can't find anyone having any similar issues... And I didn't accidentally stumble across anything interesting while exploring logs... But I honestly don't know where to look.

TO BE CLEAR, things appear to work just fine from freeipa-client version 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the latest versions from Fedora 24 on x86_64 hardware...

Where should I look first? Thank you for any assistance...

--
Tyrell Jentink