Hi Martin, thanks for your replies! Please, don't tell me I am getting all these errors because of the ".local" domain! If so, I will surely kill someone haha
I checked /etc/named.conf and changed to "no" dnssec-validation and here is what you requested:

[root@pc01 ~]# dig server.estudio.local

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local.		IN	A

;; ANSWER SECTION:
server.estudio.local.	1200	IN	A	192.168.56.2

;; AUTHORITY SECTION:
estudio.local.		86400	IN	NS	server.estudio.local.

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:29:17 ART 2015
;; MSG SIZE rcvd: 79

******************************************

[root@pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr 2.56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
2.56.168.192.in-addr.arpa.	86400	IN	PTR	server.estudio.local.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa.	86400	IN	NS	server.estudio.local.

;; ADDITIONAL SECTION:
server.estudio.local.	1200	IN	A	192.168.56.2

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:34:27 ART 2015
;; MSG SIZE rcvd: 118

2015-02-02 12:17 GMT-03:00 Martin Basti <[email protected]>:

> On 02/02/15 16:07, Martin Basti wrote:
>
> On 02/02/15 14:13, Gerardo Cuppari wrote:
>
> Hello! I am trying to enroll one host to my IPA server (4.1.2) and I am
> having one problem: the ipa-client-install script keeps giving me errors at
> the "forwarding ping to json server" step.
>
> My configuration is:
> - server.estudio.local 192.168.56.2 Fedora Server 21 ipa 4.1.2
> - pc01.estudio.local 192.168.56.106 Fedora Works. 21
>
> Both have firewalld down (just to test) and can reach each other. I've
> been trying to get this working without success (solved other minor issues)
> and so I'm asking for your help.
> The only way I can make it work is by adding the --force switch to
> ipa-client-install script but, that way, it just disregards errors.
>
> Thanks in advance!!!
>
> Here are my tests:
>
> SERVER
> ======
> [root@server ~]# ipa ping
> -------------------------------------------
> IPA server version 4.1.2. API version 2.109
> -------------------------------------------
>
> CLIENT
> ======
> [root@pc01 ~]# dig server
>
> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;server.			IN	A
>
> ;; Query time: 10 msec
> ;; SERVER: 192.168.56.2#53(192.168.56.2)
> ;; WHEN: lun feb 02 09:51:07 ART 2015
> ;; MSG SIZE rcvd: 35
>
> ***********************************************
>
> [root@pc01 ~]# nslookup server
> Server:		192.168.56.2
> Address:	192.168.56.2#53
>
> Name:	server.estudio.local
> Address: 192.168.56.2
>
> ***********************************************
>
> Here I disable chronyd so I can run the script without NTP sync errors:
>
> [root@pc01 ~]# systemctl disable chronyd
> Removed symlink
> /etc/systemd/system/multi-user.target.wants/chronyd.service.
> [root@pc01 ~]# service chronyd stop
> Redirecting to /bin/systemctl stop chronyd.service
>
> ***********************************************
>
> Without having "server.estudio.local" on /etc/hosts file:
>
> [root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
> --ssh-trust-dns
> Skip server.estudio.local: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com):
> Skip server.estudio.local: cannot verify if this is an IPA server
> Failed to verify that server.estudio.local is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> ***********************************************
>
> Here I added hostname and IP address to /etc/hosts file (don't know why
> it doesn't work without it):
>
> [root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir
> --ssh-trust-dns
> Discovery was successful!
> Hostname: pc01.estudio.local
> Realm: ESTUDIO.LOCAL
> DNS Domain: estudio.local
> IPA Server: server.estudio.local
> BaseDN: dc=estudio,dc=local
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> User authorized to enroll computers: admin
> Password for [email protected]:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=ESTUDIO.LOCAL
> Issuer: CN=Certificate Authority,O=ESTUDIO.LOCAL
> Valid From: Fri Jan 30 12:02:01 2015 UTC
> Valid Until: Tue Jan 30 12:02:01 2035 UTC
>
> Enrolled in IPA realm ESTUDIO.LOCAL
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
> trying https://server.estudio.local/ipa/json
> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
> Cannot connect to the server due to Kerberos error: Kerberos error:
> ('Unspecified GSS failure. Minor code may provide more information',
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228).
> Trying with delegate=True
> trying https://server.estudio.local/ipa/json
> Forwarding 'ping' to json server 'https://server.estudio.local/ipa/json'
> Second connect with delegate=True also failed: Kerberos error:
> ('Unspecified GSS failure. Minor code may provide more information',
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
> Cannot connect to the IPA server RPC interface: Kerberos error:
> ('Unspecified GSS failure. Minor code may provide more information',
> 851968)/("Cannot contact any KDC for realm 'ESTUDIO.LOCAL'", -1765328228)
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
> Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el fichero o
> el directorio: '/etc/ipa/nssdb/cert8.db'
> Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el fichero o
> el directorio: '/etc/ipa/nssdb/key3.db'
> Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe el fichero
> o el directorio: '/etc/ipa/nssdb/secmod.db'
> Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe el
> fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm: host/domain
> name not found.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
> ***********************************************
>
> Hello
>
> dig returns servfail, it may be the issue.
>
> You used dig with the wrong name, please use dig server.estudio.local and
> send the result?
>
> Can you please check /etc/named.conf on the server, if there is
> dnssec-validation true?
> If yes, please set the dnssec-validation to no, because you use the domain
> name .local. It may cause troubles.
>
> If troubles persist, please send the journalctl -u named-pkcs11 log.
>
> Martin^2
>
> --
> Martin Basti
>
> --
> Martin Basti
>
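As an added example that is not part of this thread: a small Python parser for `dig` text output of the kind quoted above. It pulls out the status, header flags and answer records and maps them to the checks Martin asked for by hand (a SERVFAIL on a .local zone points at dnssec-validation in named.conf; a NOERROR answer is checked for the `aa` flag). The sample outputs are constructed, trimmed copies of the two answers quoted in this thread; the function names are mine.

```python
import re  # added example, not from the thread; samples below are constructed from the quoted dig output

HEADER_RE = re.compile(r"status: (\w+), id:")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return {'status', 'flags', 'sections'}; sections map name -> list of RRs."""
    out = {"status": None, "flags": [], "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER_RE.search(line)):
            out["status"] = m.group(1)          # NOERROR, SERVFAIL, NXDOMAIN, ...
        elif (m := FLAGS_RE.match(line)):
            out["flags"] = m.group(1).split()   # e.g. ['qr', 'aa', 'rd', 'ra']
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)                # QUESTION / ANSWER / AUTHORITY / ADDITIONAL
        elif section and not line.startswith(";") and (m := RR_RE.match(line)):
            out["sections"].setdefault(section, []).append(
                {"name": m.group(1), "ttl": int(m.group(2)),
                 "type": m.group(3), "data": m.group(4)})
    return out

def diagnose(parsed):
    """Map a parsed answer to the next troubleshooting step used in the thread."""
    if parsed["status"] == "SERVFAIL":
        return "SERVFAIL: resolver gave up; on a .local zone check dnssec-validation in named.conf"
    if parsed["status"] != "NOERROR":
        return "unexpected status: %s" % parsed["status"]
    if not parsed["sections"].get("ANSWER"):
        return "NOERROR but no answer records"
    return "ok, authoritative" if "aa" in parsed["flags"] else "ok, non-authoritative (cached)"

# Constructed samples, trimmed from the two answers quoted in this thread.
SERVFAIL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
OK_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;server.estudio.local.  IN      A
;; ANSWER SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2
"""
```

Feed it the full output of `dig server.estudio.local` (or the PTR query) to get the same verdicts on a live resolver.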
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
