[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

2015-02-02 Thread Gerardo Cuppari
Hello! I am trying to enroll one host to my IPA server (4.1.2) and I am
having one problem: the ipa-client-install script keeps giving me errors at
the "forwarding ping to json server" step.

My configuration is:
- server.estudio.local 192.168.56.2 Fedora Server 21 ipa 4.1.2
- pc01.estudio.local 192.168.56.106 Fedora Works. 21

Both have firewalld down (just to test) and can reach each other. I've been
trying to get this working without success (solved other minor issues) and
so I'm asking for your help.
The only way I can make it work is by adding the --force switch to
ipa-client-install script but, that way, it just disregards errors.

Thanks in advance!!!

Here are my tests:

SERVER
==
[root@server ~]# ipa ping
---
IPA server version 4.1.2. API version 2.109
---

CLIENT
==
[root@pc01 ~]# dig server

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.    IN  A

;; Query time: 10 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 09:51:07 ART 2015
;; MSG SIZE  rcvd: 35

***

[root@pc01 ~]# nslookup server
Server: 192.168.56.2
Address: 192.168.56.2#53

Name:   server.estudio.local
Address: 192.168.56.2

***

Here I disable chronyd so I can run the script without NTP sync errors:

[root@pc01 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@pc01 ~]# service chronyd stop
Redirecting to /bin/systemctl stop  chronyd.service

***

Without having "server.estudio.local" on /etc/hosts file:

[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Skip server.estudio.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): server.estudio.local
Skip server.estudio.local: cannot verify if this is an IPA server
Failed to verify that server.estudio.local is an IPA Server.
This may mean that the remote server is not up or is not reachable due to
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


***

Here I added hostname and IP address to /etc/hosts file (don't know why it
doesn't work without it):

[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Discovery was successful!
Hostname: pc01.estudio.local
Realm: ESTUDIO.LOCAL
DNS Domain: estudio.local
IPA Server: server.estudio.local
BaseDN: dc=estudio,dc=local

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: admin
Password for admin@ESTUDIO.LOCAL:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ESTUDIO.LOCAL
Issuer:  CN=Certificate Authority,O=ESTUDIO.LOCAL
Valid From:  Fri Jan 30 12:02:01 2015 UTC
Valid Until: Tue Jan 30 12:02:01 2035 UTC

Enrolled in IPA realm ESTUDIO.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
Cannot connect to the server due to Kerberos error: Kerberos error:
('Unspecified GSS failure.  Minor code may provide more information',
851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228).
Trying with delegate=True
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
Second connect with delegate=True also failed: Kerberos error:
('Unspecified GSS failure.  Minor code may provide more information',
851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
Cannot connect to the IPA server RPC interface: Kerberos error:
('Unspecified GSS failure.  Minor code may provide more information',
851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil'
'-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Failed to remove /etc/ipa/nssdb/cert
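
A pre-enrollment check for the ports and the name-resolution path that ipa-client-install complains about above, as an added example that is not part of the thread or of FreeIPA's own code (Python, standard library only). It resolves the server through the libc resolver, which is the path the installer and its LDAP and Kerberos libraries take (dig and nslookup bypass NSS and ask the DNS server directly, which is why they can succeed while discovery still fails), and probes the TCP ports from the installer's message with a plain connect(). The server name is the one from the post; the UDP ports it lists (88, 464, 123) are recorded but not probed, because a UDP port gives nothing back to a bare connect.

```python
"""Pre-enrollment reachability check for an IPA server.
Added example, not code from the thread or from FreeIPA; stdlib only."""
import socket
import sys

# Ports named in the ipa-client-install 4.1.2 failure message quoted above.
ENROLL_PORTS = [("tcp", 80), ("tcp", 88), ("udp", 88), ("tcp", 389)]
POST_ENROLL_PORTS = [("tcp", 464), ("udp", 464), ("udp", 123)]


def nss_resolves(name):
    """True if the libc resolver (NSS: /etc/hosts, mdns, dns, ...) returns an
    address for NAME.  This is what getaddrinfo() in the installer's LDAP and
    Kerberos libraries see; dig/nslookup do not go through NSS at all."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to HOST:PORT completes within TIMEOUT."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, unresolvable
        return False


def preflight(server, ports=tuple(ENROLL_PORTS + POST_ENROLL_PORTS), timeout=3.0):
    """Return {(proto, port): True/False} for TCP ports and None for UDP
    ports, which cannot be verified without a real protocol exchange."""
    results = {}
    for proto, port in ports:
        if proto == "tcp":
            results[(proto, port)] = tcp_reachable(server, port, timeout)
        else:
            results[(proto, port)] = None
    return results


def selfcheck():
    """Sanity-check tcp_reachable() against a loopback listener: the port must
    read as open while the listener exists and closed once it is gone."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))       # ephemeral port, loopback only
        srv.listen(1)
        port = srv.getsockname()[1]
        open_ok = tcp_reachable("127.0.0.1", port, timeout=1.0)
    closed_ok = not tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_ok and closed_ok


if __name__ == "__main__":
    # Server name from the post; pass another as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "server.estudio.local"
    print("NSS resolves %s: %s" % (server, nss_resolves(server)))
    for (proto, port), ok in sorted(preflight(server).items()):
        state = "not probed (UDP)" if ok is None else ("open" if ok else "CLOSED/unreachable")
        print("%s/%-4d %s" % (proto, port, state))
```

If nss_resolves() is False while dig against the IPA server answers, the problem is in the client's resolver configuration (nsswitch.conf or /etc/hosts), not on the server or in the firewall; if it is True and a TCP port reads as closed, look at the firewall or the service on that port. UDP 88 is covered by the installer's own note that TCP 88 is enough for Kerberos.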

[Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

2015-02-02 Thread Gerardo Cuppari
Well, I just reinstalled everything without the ".local" in the domain and
everything worked at first. Sorry for the troubles...

The odd thing is that with IPA 3 on CentOS 7 everything worked with the domain
"estudio.local".

Thanks again!
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

2015-02-03 Thread Gerardo Cuppari
Well, that explains why I had a lot of mDNS traffic flowing...

Finally I just removed the ".local" from the domain and everything works as
intended. Now I am fighting with autofs and kerberized NFS...

Is there any up-to-date guide that you can point me to?
Thanks!

2015-02-02 16:33 GMT-03:00 Alexander Bokovoy :

> On Mon, 02 Feb 2015, Gerardo Cuppari wrote:
>
>> Well, I just reinstalled everything without the ".local" in the domain and
>> everything worked at first. Sorry for the troubles...
>>
>> Odd is that with ipa 3 on Centos 7 everything worked with domain
>> "estudio.local"
>>
> Do you have avahi activated and 'hosts: files mdns4_minimal
> [notfound=RETURN] ...'
> in your /etc/nsswitch.conf?
>
> Avahi overtakes .local domain because RFC 6762 reserves .local for
> multicast DNS name resolution protocol.
>
> http://en.wikipedia.org/wiki/.local#Multicast_DNS_standard
>
> "Any DNS query for a name ending with .local MUST be sent to the mDNS
> IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent
> FF02::FB)…"
>
> Fedora chose to follow this policy and force use of mDNS resolver
> through [notfound=RETURN] option (i.e., get .local names resolved via
> /etc/hosts and mDNS only).
>
> --
> / Alexander Bokovoy
>
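
The nsswitch.conf behaviour Alexander describes, modelled as an added example (Python, standard library; not code from the thread, from FreeIPA, glibc or nss-mdns). It parses a `hosts:` line with glibc's `[STATUS=action]` syntax and walks the chain for a name, treating mdns4_minimal the way nss-mdns does: it only claims names under .local, answers NOTFOUND when mDNS has no record, and returns UNAVAIL for everything else so the lookup continues to the next source. The host names, /etc/hosts contents and DNS answers are constructed from the thread; local_domain_shadowed() is a convenience check added here, not a glibc facility.

```python
"""Model glibc NSS 'hosts:' lookup order to show why a .local IPA domain
never reaches the 'dns' source with Fedora's default nsswitch.conf line.
Added example: not code from the thread, FreeIPA, glibc or nss-mdns."""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue", "merge")
# glibc defaults: stop on success, keep going on anything else.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

FEDORA_DEFAULT = "hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname"


def parse_hosts_line(line):
    """Parse 'hosts: src [STATUS=action ...] src ...' into a list of
    (source, {status: action}).  Keywords are case-insensitive and
    '[!STATUS=action]' applies to every status except STATUS (nsswitch.conf(5))."""
    body = line.split("#", 1)[0]                      # drop trailing comment
    body = body.split(":", 1)[1] if ":" in body else body
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", body):
        if not tok.startswith("["):
            chain.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not chain:
            raise ValueError("action block before any source: %s" % tok)
        actions = chain[-1][1]                        # applies to previous source
        for item in tok[1:-1].split():
            m = re.fullmatch(r"(!?)(\w+)=(\w+)", item)
            if not m:
                raise ValueError("bad action item: %s" % item)
            neg = m.group(1) == "!"
            status, action = m.group(2).lower(), m.group(3).lower()
            if status not in STATUSES or action not in ACTIONS:
                raise ValueError("unknown status/action: %s" % item)
            for s in STATUSES:
                if (s == status) != neg:
                    actions[s] = action
    return chain


def _is_local(name):
    n = name.lower().rstrip(".")
    return n == "local" or n.endswith(".local")


def mdns_minimal_status(name, mdns_names):
    """nss-mdns '*_minimal' modules only claim names under .local (and
    link-local reverse lookups, ignored here); anything else is UNAVAIL so the
    chain continues.  A .local name with no mDNS answer is NOTFOUND."""
    if not _is_local(name):
        return "unavail"
    return "success" if name in mdns_names else "notfound"


def resolve_hosts(chain, name, etc_hosts, mdns_names, dns_names):
    """Walk CHAIN for NAME.  etc_hosts / mdns_names / dns_names hold the names
    each backend can answer (constructed inputs).  Returns (final_status,
    trail) where trail lists every (source, status) that was consulted."""
    backends = {
        "files": lambda: "success" if name in etc_hosts else "notfound",
        "dns": lambda: "success" if name in dns_names else "notfound",
        "myhostname": lambda: "notfound",     # only answers the local hostname
    }
    trail = []
    for source, actions in chain:
        if source in ("mdns_minimal", "mdns4_minimal", "mdns6_minimal"):
            status = mdns_minimal_status(name, mdns_names)
        else:
            status = backends.get(source, lambda: "unavail")()
        trail.append((source, status))
        if actions[status] == "return":
            return status, trail
    # Fell off the end of the chain: the last status stands.
    return (trail[-1][1] if trail else "unavail"), trail


def local_domain_shadowed(chain, domain):
    """Hypothetical check (added here): True when DOMAIN is under .local and an
    mdns* source with NOTFOUND=return precedes 'dns' in the chain."""
    if not _is_local(domain):
        return False
    for source, actions in chain:
        if source == "dns":
            return False
        if source.startswith("mdns") and actions["notfound"] == "return":
            return True
    return False


if __name__ == "__main__":
    chain = parse_hosts_line(FEDORA_DEFAULT)
    dns = {"server.estudio.local"}            # what BIND on the IPA server serves
    for hosts_file in (set(), {"server.estudio.local"}):
        status, trail = resolve_hosts(chain, "server.estudio.local", hosts_file, set(), dns)
        print("/etc/hosts=%s -> %s via %s" % (sorted(hosts_file), status, trail))
    print("estudio.local shadowed by mDNS:", local_domain_shadowed(chain, "estudio.local"))
```

With Fedora's default line, server.estudio.local stops at mdns4_minimal and the dns source is never consulted, which matches the post: enrollment only got past discovery once the name was in /etc/hosts, because files is first in the chain. Renaming the domain, as Gerardo did, or removing `mdns4_minimal [NOTFOUND=return]` from the hosts line lets the lookup reach dns; the lowercase `[notfound=RETURN]` spelling in Alexander's message parses the same way.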

[Freeipa-users] autofs - nfsnobody

2015-02-03 Thread Gerardo Cuppari
Hello there again! I'm bothering you again because I am having some
problems with autofs/NFS and IPA. All files created by a regular user
(enrolled client) get the nfsnobody user and group. The folder gets
auto-mounted.

Thanks in advance!

Here is what I did to configure it at server (server.estudio) and client
(pc01.estudio):

SERVER
=

ipa service-add nfs/server.estudio
ipa-getkeytab -s server.estudio -p nfs/server.estudio -k /etc/krb5.keytab
ipa-client-automount

mkdir /export
chmod 777 /export
echo /export *(rw,sync,sec=sys:krb5:krb5i:krb5p) >> /etc/exports

reboot

**

CLIENT


ipa-getkeytab -s server.estudio -p host/server.estudio@ESTUDIO -k /etc/krb5.keytab
ipa-client-automount

reboot

echo aaa >> /export/aaa

[user@pc01 /]$ ls -la /export
total 12
drwxrwxrwx.  2 root  root  4096 feb  3 13:36 .
dr-xr-xr-x. 21 root  root  4096 feb  3 13:36 ..
-rw-rw-r--.  1 nfsnobody nfsnobody    4 feb  3 13:36 aaa

Re: [Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

2015-02-03 Thread Gerardo Cuppari
Hi Martin, thanks for your replies!

Please, don't tell me I am getting all these errors because of the ".local"
domain! If so, I will surely kill someone haha

I checked /etc/named.conf and changed to "no" dnssec-validation and here is
what you requested:

[root@pc01 ~]# dig server.estudio.local

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local.  IN  A

;; ANSWER SECTION:
server.estudio.local.   1200    IN  A   192.168.56.2

;; AUTHORITY SECTION:
estudio.local.  86400   IN  NS  server.estudio.local.

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:29:17 ART 2015
;; MSG SIZE  rcvd: 79

**

[root@pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr
2.56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa. IN  PTR

;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN PTR server.estudio.local.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 86400  IN  NS  server.estudio.local.

;; ADDITIONAL SECTION:
server.estudio.local.   1200    IN  A   192.168.56.2

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:34:27 ART 2015
;; MSG SIZE  rcvd: 118


2015-02-02 12:17 GMT-03:00 Martin Basti :

>  On 02/02/15 16:07, Martin Basti wrote:
>
> On 02/02/15 14:13, Gerardo Cuppari wrote:
>
>  Hello! I am trying to enroll one host to my IPA server (4.1.2) and I am
> having one problem: the ipa-client-install script keeps giving me errors at
> the "forwarding ping to json server" step.
>
>  My configuration is:
>  - server.estudio.local 192.168.56.2 Fedora Server 21 ipa 4.1.2
>  - pc01.estudio.local 192.168.56.106 Fedora Works. 21
>
>  Both have firewalld down (just to test) and can reach each other. I've
> been trying to get this working without success (solved other minor issues)
> and so I'm asking for your help.
> The only way I can make it work is by adding the --force switch to
> ipa-client-install script but, that way, it just disregards errors.
>
>  Thanks in advance!!!
>
>  Here are my tests:
>
>  SERVER
> ==
> [root@server ~]# ipa ping
> ---
> IPA server version 4.1.2. API version 2.109
> ---
>
>  CLIENT
> ==
>  [root@pc01 ~]# dig server
>
>  ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>  ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;server.    IN  A
>
>  ;; Query time: 10 msec
> ;; SERVER: 192.168.56.2#53(192.168.56.2)
> ;; WHEN: lun feb 02 09:51:07 ART 2015
> ;; MSG SIZE  rcvd: 35
>
>  ***
>
>  [root@pc01 ~]# nslookup server
> Server: 192.168.56.2
> Address: 192.168.56.2#53
>
>  Name:   server.estudio.local
> Address: 192.168.56.2
>
>  ***
>
>  Here I disable chronyd so I can run the script without NTP sync errors:
>
>  [root@pc01 ~]# systemctl disable chronyd
> Removed symlink
> /etc/systemd/system/multi-user.target.wants/chronyd.service.
> [root@pc01 ~]# service chronyd stop
> Redirecting to /bin/systemctl stop  chronyd.service
>
>  ***
>
>  Without having "server.estudio.local" on /etc/hosts file:
>
>  [root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
> --ssh-trust-dns
> Skip server.estudio.local: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com):
>  Skip server.estudio.local: cannot verify if this is an IPA server
> Failed to verify that server.estudio.local is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
>