Hello,
well, it depends on what exactly you did and what helped. I see Alexander
gave you some hints about mDNS.
If it was a DNSSEC error, you should see validation error messages in
journalctl -u named-pkcs11 from before you disabled DNSSEC validation.
Martin^2
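A small diagnostic helper along the lines of the checks suggested in this thread (query the FQDN, not a bare name; tell a DNSSEC validation failure apart from a plain resolver failure before touching dnssec-validation). This is an added example, not code from the original mails; the function names dig_status, dig_flags, classify and diagnose are my own, and the estudio.local names in the example run are the ones from the thread.

```shell
#!/bin/sh
# Added example: classify a dig result the way the thread does.
# A DNSSEC validation failure shows up as SERVFAIL on a normal query but
# NOERROR when the resolver is told not to validate (+cd, "checking disabled").

# Print the "status:" field (NOERROR, SERVFAIL, NXDOMAIN, ...) of dig output read on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Print the header flags (e.g. "qr aa rd ra") of dig output read on stdin;
# "aa" means the answer is authoritative, "ad" means it was DNSSEC-validated.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Map (status of the plain query, status of the +cd query) to a diagnosis.
classify() {
    plain=$1; withcd=$2
    case "$plain/$withcd" in
        NOERROR/*)          echo "resolves" ;;
        SERVFAIL/NOERROR)   echo "dnssec-validation-failure" ;;
        SERVFAIL/*)         echo "server-failure" ;;
        NXDOMAIN/*)         echo "name-does-not-exist" ;;
        *)                  echo "unknown" ;;
    esac
}

# Run both queries (needs dig and network): diagnose NAME [TYPE] [RESOLVER-IP].
diagnose() {
    name=$1; type=${2:-A}; resolver=${3:-}
    case "$name" in
        *.*) ;;
        *) echo "note: dig ignores the resolv.conf search list unless +search is given; query the FQDN" ;;
    esac
    # ${resolver:+@$resolver} is left unquoted on purpose so it vanishes when empty.
    plain=$(dig ${resolver:+@$resolver} "$name" "$type" | dig_status)
    withcd=$(dig ${resolver:+@$resolver} +cd "$name" "$type" | dig_status)
    echo "$name $type: $(classify "${plain:-NONE}" "${withcd:-NONE}")"
}

# Example run against the thread's setup: the server's A record and the KDC SRV
# record that ipa-client-install needs ("Cannot contact any KDC" in the log).
if [ "${1:-}" = run ]; then
    diagnose server.estudio.local A 192.168.56.2
    diagnose _kerberos._udp.estudio.local SRV 192.168.56.2
fi
```

Run it as `sh diag.sh run` on the client; a "dnssec-validation-failure" result means the journalctl -u named-pkcs11 log on the server is the next place to look.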
On 02/02/15 16:34, Gerardo Cuppari wrote:
Hi Martin, thanks for your replies!
Please, don't tell me I am getting all these errors because of the
".local" domain! If so, I will surely kill someone haha
I checked /etc/named.conf, changed dnssec-validation to "no", and
here is what you requested:
[root@pc01 ~]# dig server.estudio.local
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local. IN A
;; ANSWER SECTION:
server.estudio.local. 1200 IN A 192.168.56.2
;; AUTHORITY SECTION:
estudio.local. 86400 IN NS server.estudio.local.
;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:29:17 ART 2015
;; MSG SIZE rcvd: 79
******************************************
[root@pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr 2.56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN PTR server.estudio.local.
;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 86400 IN NS server.estudio.local.
;; ADDITIONAL SECTION:
server.estudio.local. 1200 IN A 192.168.56.2
;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:34:27 ART 2015
;; MSG SIZE rcvd: 118
2015-02-02 12:17 GMT-03:00 Martin Basti <[email protected]>:
On 02/02/15 16:07, Martin Basti wrote:
On 02/02/15 14:13, Gerardo Cuppari wrote:
Hello! I am trying to enroll one host to my IPA server (4.1.2)
and I am having one problem: the ipa-client-install script keeps
giving me errors at the "forwarding ping to json server" step.
My configuration is:
- server.estudio.local, 192.168.56.2, Fedora Server 21, ipa 4.1.2
- pc01.estudio.local, 192.168.56.106, Fedora Works. 21
Both have firewalld down (just to test) and can reach each
other. I've been trying to get this working without success
(solved other minor issues) and so I'm asking for your help.
The only way I can make it work is by adding the --force switch
to ipa-client-install script but, that way, it just disregards
errors.
Thanks in advance!!!
Here are my tests:
SERVER
======
[root@server ~]# ipa ping
-------------------------------------------
IPA server version 4.1.2. API version 2.109
-------------------------------------------
CLIENT
======
[root@pc01 ~]# dig server
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server. IN A
;; Query time: 10 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 09:51:07 ART 2015
;; MSG SIZE rcvd: 35
***********************************************
[root@pc01 ~]# nslookup server
Server: 192.168.56.2
Address: 192.168.56.2#53
Name: server.estudio.local
Address: 192.168.56.2
***********************************************
Here I disable chronyd so I can run the script without NTP sync
errors:
[root@pc01 ~]# systemctl disable chronyd
Removed symlink
/etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@pc01 ~]# service chronyd stop
Redirecting to /bin/systemctl stop chronyd.service
***********************************************
Without having "server.estudio.local" on /etc/hosts file:
[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Skip server.estudio.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com):
Skip server.estudio.local: cannot verify if this is an IPA server
Failed to verify that server.estudio.local is an IPA Server.
This may mean that the remote server is not up or is not
reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall
settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client
working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
***********************************************
Here I added hostname and IP address to /etc/hosts file (don't
know why it doesn't work without it):
[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Discovery was successful!
Hostname: pc01.estudio.local
Realm: ESTUDIO.LOCAL
DNS Domain: estudio.local
IPA Server: server.estudio.local
BaseDN: dc=estudio,dc=local
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
User authorized to enroll computers: admin
Password for [email protected]:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ESTUDIO.LOCAL
Issuer: CN=Certificate Authority,O=ESTUDIO.LOCAL
Valid From: Fri Jan 30 12:02:01 2015 UTC
Valid Until: Tue Jan 30 12:02:01 2035 UTC
Enrolled in IPA realm ESTUDIO.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ESTUDIO.LOCAL
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server
'https://server.estudio.local/ipa/json'
Cannot connect to the server due to Kerberos error: Kerberos
error: ('Unspecified GSS failure. Minor code may provide more
information', 851968)/("Cannot contact any KDC for realm
'ESTUDIO.LOCAL'", -1765328228). Trying with delegate=True
trying https://server.estudio.local/ipa/json
Forwarding 'ping' to json server
'https://server.estudio.local/ipa/json'
Second connect with delegate=True also failed: Kerberos error:
('Unspecified GSS failure. Minor code may provide more
information', 851968)/("Cannot contact any KDC for realm
'ESTUDIO.LOCAL'", -1765328228)
Cannot connect to the IPA server RPC interface: Kerberos error:
('Unspecified GSS failure. Minor code may provide more
information', 851968)/("Cannot contact any KDC for realm
'ESTUDIO.LOCAL'", -1765328228)
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command
''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned
non-zero exit status 255
Failed to remove /etc/ipa/nssdb/cert8.db: [Errno 2] No existe el
fichero o el directorio: '/etc/ipa/nssdb/cert8.db'
Failed to remove /etc/ipa/nssdb/key3.db: [Errno 2] No existe el
fichero o el directorio: '/etc/ipa/nssdb/key3.db'
Failed to remove /etc/ipa/nssdb/secmod.db: [Errno 2] No existe
el fichero o el directorio: '/etc/ipa/nssdb/secmod.db'
Failed to remove /etc/ipa/nssdb/pwdfile.txt: [Errno 2] No existe
el fichero o el directorio: '/etc/ipa/nssdb/pwdfile.txt'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm:
host/domain name not found.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
***********************************************
Hello
dig returns SERVFAIL; it may be an issue.
You used dig with the wrong name; please use dig server.estudio.local
and send the result?
Can you please check /etc/named.conf on the server, to see if there is
dnssec-validation true?
If yes, please set dnssec-validation to no, because you use the
domain name .local, which may cause troubles.
If troubles persist, please send journalctl -u named-pkcs11 log.
Martin^2
--
Martin Basti
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project