Tyrell Jentink wrote:
First off... new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust set up with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora. This client appears to have connected fine, and appears to be working (I guess I haven't tried logging in as an ActiveDirectory user; but it's certainly NOT having any DNS issues, as other clients are; see below...)

Then I tried connecting a second client, a system running Fedora 24 with FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to plan... Here's the output of ipa-client-install:

    Discovery was successful!
    Client hostname: trainmaster.ipa.rxrhouse.net
    Realm: IPA.RXRHOUSE.NET
    DNS Domain: ipa.rxrhouse.net
    IPA Server: ipa-pdc.ipa.rxrhouse.net
    BaseDN: dc=ipa,dc=rxrhouse,dc=net

    Continue to configure the system with these values? [no]: yes
    Synchronizing time with KDC...
    Attempting to sync time using ntpd. Will timeout after 15 seconds
    Attempting to sync time using ntpd. Will timeout after 15 seconds
    Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
    User authorized to enroll computers: admin
    Password for [email protected]:
    Successfully retrieved CA cert
        Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
        Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
        Valid From: Thu Sep 08 17:27:47 2016 UTC
        Valid Until: Mon Sep 08 17:27:47 2036 UTC

    Enrolled in IPA realm IPA.RXRHOUSE.NET
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
    trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
    Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
    Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
    Systemwide CA database updated.
    Failed to update DNS records.
    Missing reverse record(s) for address(es): 10.42.0.100.
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    NTP enabled
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Configuring ipa.rxrhouse.net as NIS domain.
    Client configuration complete.

Of concern, the installer failed to update DNS records, resulting in a missing reverse record, and eventually failing to update the DNS SSHFP records.

Looking in the Web UI for FreeIPA server, I see that the client is registered, but it doesn't have any SSH keys, and as expected, doesn't have a reverse zone... But the Raspberry Pi DOES.

Just to be fully sure something was wrong... I tried connecting with a clean install of Fedora 24 running in a virtual machine, and had the same issue.

I've googled around, and can't find anyone having any similar issues... And I didn't accidentally stumble across anything interesting while exploring logs... But I honestly don't know where to look.

TO BE CLEAR, things appear to work just fine from freeipa-client version 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the latest versions from Fedora 24 on x86_64 hardware...

Where should I look first? Thank you for any assistance...

Look in /var/log/ipaclient-install.log for debug logging of the install.

rob
