Hello all,

I'm still having problems with my IPA Client install...  My errors aren't
bringing up any meaningful results on Google, so I really appreciate any
hints anyone might have!

To narrow the scope of the problem, I simply rebuilt both the server and
the client from scratch... This time without Active Directory Realm trusts,
so things are nice and clean. To wit, I have been using
http://www.freeipa.org/page/Active_Directory_trust_setup and
https://blog.christophersmart.com/articles/freeipa-how-to-fedora/ as
references, and I have run the following:


   - dnf -y update && dnf install -y "*ipa-server" "*ipa-server-trust-ad"
   "*ipa-server-dns" bind bind-dyndb-ldap
   - echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >>
   (I also added the AD server to my hosts file, although that shouldn't be
   messing with anything...)
   - hostname ipa_hostname.ipa_domain
   - hostnamectl set-hostname ipa_hostname.ipa_domain
   - reboot (And took a snapshot of the VM)
   - for x in freeipa-ldap freeipa-ldaps dns ntp; do firewall-cmd
   --permanent --zone=FedoraServer --add-service=${x} ; done
   - systemctl reload firewalld.service
   - ipa-server-install --setup-dns --no-forwarders
   (I had no errors there...  But I can share my logs if anyone wants to
   see them)
   - And I rebooted again, took another snapshot, and verified the
      - kinit admin
      id admin
      getent passwd admin
      All return appropriate values on the server...
      - nslookup ipa_hostname.ipa_domain works on both the server and on
      the client...


   - echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >>
   - echo "nameserver ipa_ip_address" >> /etc/resolv.conf
   - (Of course, I verified that the client can ping the server, and
   nslookup against the server)
   - ipa-client-install --enable-dns-updates --ssh-trust-dns --force-ntpd
   And this is where I ran into problems... My output:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please
> check
>            that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@ipa.rxrhouse.net:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>     Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>     Valid From:  Thu Sep 08 17:27:47 2016 UTC
>     Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es):
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.

   - Of interest, I DID solve my NTP issues from before!  On the downside,
   that wasn't the source of my DNS issues...
   In /var/log/ipaclient-install, I still have the following clipping of
   errors, which I'm merely assuming are the relevant piece:

> 2016-10-26T23:30:40Z DEBUG Starting external process
> 2016-10-26T23:30:40Z DEBUG args=/sbin/ip -oneline address show dev enp1s6
> 2016-10-26T23:30:40Z DEBUG Process finished, return code=0
> 2016-10-26T23:30:40Z DEBUG stdout=2: enp1s6    inet brd scope global dynamic enp1s6\       valid_lft 588384sec preferred_lft 588384sec
> 2: enp1s6    inet6 fe80::e779:3263:960d:ff87/64 scope link \       valid_lft forever preferred_lft forever
> 2016-10-26T23:30:40Z DEBUG stderr=
> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> 2016-10-26T23:30:40Z DEBUG debug
> update delete trainmaster.ipa.rxrhouse.net. IN A
> show
> send
> update delete trainmaster.ipa.rxrhouse.net. IN AAAA
> show
> send
> update add trainmaster.ipa.rxrhouse.net. 1200 IN A
> show
> send
> 2016-10-26T23:30:40Z DEBUG Starting external process
> 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
> 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> trainmaster.ipa.rxrhouse.net. 0 ANY     A
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640 1477524640 3 NOERROR 683
> 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38738
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;trainmaster.ipa.rxrhouse.net.  IN      SOA
> ipa.rxrhouse.net.       0       IN      SOA     ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805 1466388205 3 NOERROR 101
> 0
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Message stream modified.
> 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: trainmaster.ipa.rxrhouse.net IN A
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: trainmaster.ipa.rxrhouse.net IN AAAA
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host trainmaster.ipa.rxrhouse.net:
> 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es):
-- Full logs can be found here:  http://pastebin.com/90dG9Ffu

   - For grins, I decided to test:
   kinit admin
   id admin
   getent passwd admin
   on the client, and all of those all made valid responses... So
   authentication is working, I just can't update DNS records.

So that's what I've tried, and where I'm at...  My client machines running
modern client software can NOT update DNS records, complaining about GSSAPI
"Message Stream Modified" errors...  And I have no idea how to troubleshoot
that... Any ideas?
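The log excerpts above show `nsupdate -g` failing inside the GSS-TSIG TKEY negotiation. As an added example (not from the original post or the FreeIPA project), here is a small Python tool that pulls the client's TKEY request and the server's TKEY reply out of an ipaclient-install.log excerpt and checks whether the reply's validity window even overlaps the client's timestamp. It assumes the one-record-per-line presentation format that `nsupdate -d` prints; the sample log is constructed from the lines quoted above, with the base64 key data replaced by `<key>`.

```python
import re

# RFC 2930 TKEY modes; nsupdate -g negotiates with mode 3 (GSS-API).
TKEY_MODES = {1: "server assignment", 2: "Diffie-Hellman", 3: "GSS-API negotiation",
              4: "resolver assignment", 5: "key deletion"}
# TKEY RDATA presentation form: algorithm inception expiration mode error keysize keydata ...
TKEY_RE = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TKEY\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)", re.M)
GSS_RE = re.compile(r"GSSAPI error: Major = (.+?)\.\s+Minor code may provide more information, Minor = (.+?)\.")

# Constructed sample: TKEY lines from the post's log excerpt, rejoined onto single lines, key data -> <key>.
SAMPLE_LOG = """\
2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640 1477524640 3 NOERROR 683 <key> 0
Found zone name: ipa.rxrhouse.net
The master is: ipa-pdc.ipa.rxrhouse.net
Found realm from ticket: IPA.RXRHOUSE.NET
recvmsg reply from GSS-TSIG query
3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805 1466388205 3 NOERROR 101 <key> 0
dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Message stream modified.
"""

def parse_tkey_records(log):
    """Every TKEY RR in the log as a dict, in order of appearance."""
    return [{"name": m[1], "algorithm": m[2], "inception": int(m[3]), "expiration": int(m[4]),
             "mode": TKEY_MODES.get(int(m[5]), m[5]), "error": m[6], "key_size": int(m[7])}
            for m in TKEY_RE.finditer(log)]

def first_value(log, label):
    """Value following 'label: ' at the start of a log line, or None."""
    m = re.search(rf"^{re.escape(label)}: (\S+)", log, re.M)
    return m[1] if m else None

def analyze_gss_tsig(log):
    """Pair the client's TKEY request (first RR; in the log it carries inception == expiration ==
    the client's clock) with the server's reply (second RR; a window set by the server), and
    check whether that reply window contains the client's timestamp."""
    recs = parse_tkey_records(log)
    query, reply = (recs + [None, None])[:2]
    gss = GSS_RE.search(log)
    out = {"realm": first_value(log, "Found realm from ticket"), "zone": first_value(log, "Found zone name"),
           "master": first_value(log, "The master is"), "gss_major": gss[1] if gss else None,
           "gss_minor": gss[2] if gss else None, "query": query, "reply": reply,
           "window_covers_query": None, "skew_seconds": None}
    if query and reply:
        t = query["inception"]
        out["window_covers_query"] = reply["inception"] <= t <= reply["expiration"]
        if not out["window_covers_query"]:  # positive: the server's window closed before the client's clock
            out["skew_seconds"] = t - (reply["expiration"] if t > reply["expiration"] else reply["inception"])
    return out
```

Run against the excerpt above it reports the server's reply window as ending about 129 days before the client's query timestamp, which makes comparing the clocks of both hosts (and retrying with a fresh ticket after `kdestroy`) a cheaper first step than decoding the GSSAPI minor code.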

On Tue, Oct 11, 2016 at 6:24 PM, Tyrell Jentink <tyr...@jentink.net> wrote:

> Thank you, Rob.
> For reference, my full log can be found here: http://pastebin.com/6VLaQjYw
> But I would postulate that the interesting bit is this:
>> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> trainmaster.ipa.rxrhouse.net. 0 ANY     A
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
>> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.        ANY TKEY
>> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815 1476223815 3 NOERROR 683
>> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18681
>> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> ;trainmaster.ipa.rxrhouse.net.  IN      SOA
>> ipa.rxrhouse.net.       60      IN      SOA     ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>> ipa-pdc.ipa.rxrhouse.net. 353   IN      A
>> Found zone name: ipa.rxrhouse.net
>> The master is: ipa-pdc.ipa.rxrhouse.net
>> start_gssrequest
>> Found realm from ticket: IPA.RXRHOUSE.NET
>> send_gssrequest
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23971
>> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net.        ANY TKEY
>> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101 AwIBAaELMAkbB2FkLXBkYyQ= 0
>> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Message stream modified.
>> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.
> This isn't the first time I've seen this "Unspecified GSS failure [...]
> Message stream modified" error, and I suspect it to be the root of my
> problem... But my google-foo is not strong with this one...  I'm not sure
> how to proceed.
> On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>> Tyrell Jentink wrote:
>>> First off...  new to the list, thank you in advance for your assistance!
>>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>>> repositories, and dnf says it's up to date. FreeIPA has a trust set up
>>> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>>> be working...
>>> The first client I connected was a Raspberry Pi running Pidora.  This
>>> client appears to have connected fine, and appears to be working (I
>>> guess I haven't tried logging in as an ActiveDirectory user;  But it's
>>> certainly NOT having any DNS issues, as other clients are; See below...)
>>> Then I tried connecting a second client, a system running Fedora 24 with
>>> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
>>> plan...  Here's the output of ipa-client-install:
>>>     Discovery was successful!
>>>     Client hostname: trainmaster.ipa.rxrhouse.net
>>>     DNS Domain: ipa.rxrhouse.net
>>>     IPA Server: ipa-pdc.ipa.rxrhouse.net
>>>     BaseDN: dc=ipa,dc=rxrhouse,dc=net
>>>     Continue to configure the system with these values? [no]: yes
>>>     Synchronizing time with KDC...
>>>     Attempting to sync time using ntpd.  Will timeout after 15 seconds
>>>     Attempting to sync time using ntpd.  Will timeout after 15 seconds
>>>     Unable to sync time with NTP server, assuming the time is in sync.
>>>     Please check
>>>                                       that 123 UDP port is opened.
>>>     User authorized to enroll computers: admin
>>>     Password for ad...@ipa.rxrhouse.net:
>>>     Successfully retrieved CA cert
>>>          Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>>          Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>>          Valid From:  Thu Sep 08 17:27:47 2016 UTC
>>>          Valid Until: Mon Sep 08 17:27:47 2036 UTC
>>>     Enrolled in IPA realm IPA.RXRHOUSE.NET
>>>     Created /etc/ipa/default.conf
>>>     New SSSD config will be created
>>>     Configured sudoers in /etc/nsswitch.conf
>>>     Configured /etc/sssd/sssd.conf
>>>     Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>>>     trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>>>     Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>>>     Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>>>     Systemwide CA database updated.
>>>     Failed to update DNS records.
>>>     Missing reverse record(s) for address(es):
>>>     Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>>     Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>>     Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>>     Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>>>     Could not update DNS SSHFP records.
>>>     SSSD enabled
>>>     Configured /etc/openldap/ldap.conf
>>>     NTP enabled
>>>     Configured /etc/ssh/ssh_config
>>>     Configured /etc/ssh/sshd_config
>>>     Configuring ipa.rxrhouse.net as NIS domain.
>>>     Client configuration complete.
>>> Of concern, the installer failed to update DNS records, resulting in a
>>> missing reverse record, and eventually failing to update the DNS SSHFP
>>> records.  Looking in the Web UI for FreeIPA server, I see that the
>>> client is registered, but it doesn't have any SSH keys, and as
>>> expected, doesn't have a reverse zone...  But the Raspberry Pi DOES.
>>> Just to be fully sure something was wrong...  I tried connecting with a
>>> clean install of Fedora 24 running in a virtual machine, and had the
>>> same issue.  I've googled around, and can't find anyone having any
>>> similar issues...  And I didn't accidentally stumble across anything
>>> interesting while exploring logs...  But I honestly don't know where to
>>> look.
>>> TO BE CLEAR, things appear to work just fine from freeipa-client version
>>> 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
>>> latest versions from Fedora 24 on x86_64 hardware...
>>> Where should I look first?  Thank you for any assistance...
>> Look in /var/log/ipaclient-install.log for debug logging of the install.
>> rob
