Thank you, Rob. For reference, my full log can be found here: http://pastebin.com/6VLaQjYw
But I would postulate that the interesting bit is this:

> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815 1476223815 3 NOERROR 683 [...] 0
>
> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18681
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net. IN SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net. 60 IN SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>
> ;; ADDITIONAL SECTION:
> ipa-pdc.ipa.rxrhouse.net. 353 IN A 10.42.0.11
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ANSWER SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg AwIBAaELMAkbB2FkLXBkYyQ= 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Message stream modified.
>
> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.

This isn't the first time I've seen this "Unspecified GSS failure [...] Message stream modified" error, and I suspect it to be the root of my problem... But my Google-fu is not strong with this one... I'm not sure how to proceed.

On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden <[email protected]> wrote:

> Tyrell Jentink wrote:
>
>> First off... new to the list, thank you in advance for your assistance!
>>
>> My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date.
>> FreeIPA has a trust set up with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to be working...
>>
>> The first client I connected was a Raspberry Pi running Pidora. This client appears to have connected fine, and appears to be working (I guess I haven't tried logging in as an ActiveDirectory user; but it's certainly NOT having any DNS issues, as other clients are; see below...)
>>
>> Then I tried connecting a second client, a system running Fedora 24 with FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to plan... Here's the output of ipa-client-install:
>>
>> Discovery was successful!
>> Client hostname: trainmaster.ipa.rxrhouse.net
>> Realm: IPA.RXRHOUSE.NET
>> DNS Domain: ipa.rxrhouse.net
>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>> BaseDN: dc=ipa,dc=rxrhouse,dc=net
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>> Unable to sync time with NTP server, assuming the time is in sync. Please check
>> that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for [email protected]:
>> Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>> Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>> Valid From: Thu Sep 08 17:27:47 2016 UTC
>> Valid Until: Mon Sep 08 17:27:47 2036 UTC
>> Enrolled in IPA realm IPA.RXRHOUSE.NET
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Systemwide CA database updated.
>> Failed to update DNS records.
>> Missing reverse record(s) for address(es): 10.42.0.100.
>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Could not update DNS SSHFP records.
>> SSSD enabled
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Configuring ipa.rxrhouse.net as NIS domain.
>> Client configuration complete.
>>
>> Of concern, the installer failed to update DNS records, resulting in a missing reverse record, and eventually failing to update the DNS SSHFP records. Looking in the Web UI for FreeIPA server, I see that the client is registered, but it doesn't have any SSH keys, and as expected, doesn't have a reverse zone... But the Raspberry Pi DOES.
>>
>> Just to be fully sure something was wrong... I tried connecting with a clean install of Fedora 24 running in a virtual machine, and had the same issue. I've googled around, and can't find anyone having any similar issues... And I didn't accidentally stumble across anything interesting while exploring logs... But I honestly don't know where to look.
>>
>> TO BE CLEAR, things appear to work just fine from freeipa-client version 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the latest versions from Fedora 24 on x86_64 hardware...
>>
>> Where should I look first? Thank you for any assistance...
>
> Look in /var/log/ipaclient-install.log for debug logging of the install.
>
> rob
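A triage helper for the `nsupdate -g` debug output quoted in the message above, added here as an example (it is not part of the original thread or of FreeIPA): it reads the inception and expiration fields of each TKEY record and compares them with the preceding log timestamp, so a validity window that does not contain the client's clock stands out. The function name `tkey_windows`, the one-record-per-line layout and the `KEYDATA` placeholder are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like the nsupdate -g debug output in the message.
# Assumption: each TKEY record sits on one line; KEYDATA is a placeholder.
SAMPLE_LOG = """\
2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815 1476223815 3 NOERROR 683 KEYDATA 0
2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101 KEYDATA 0
dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure.
"""

STAMP = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z\s+(?:DEBUG|ERROR|INFO)")
# TKEY RDATA order (RFC 2930): algorithm inception expiration mode error keysize
TKEY = re.compile(
    r"(\S+)\s+\d+\s+ANY\s+TKEY\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)"
)


def tkey_windows(log_text):
    """Compare each TKEY validity window with the preceding log timestamp."""
    log_time, rows = None, []
    for raw in log_text.splitlines():
        line = raw.lstrip("> ")  # tolerate mail quote markers
        stamp = STAMP.match(line)
        if stamp:
            parsed = datetime.strptime(stamp.group(1), "%Y-%m-%dT%H:%M:%S")
            log_time = int(parsed.replace(tzinfo=timezone.utc).timestamp())
            continue
        rec = TKEY.match(line)
        if rec is None or log_time is None:
            continue  # not a TKEY record, or no timestamp seen yet
        inception, expiration = int(rec.group(3)), int(rec.group(4))
        rows.append({
            "name": rec.group(1),
            "error": rec.group(6),
            "key_size": int(rec.group(7)),
            "inception_offset_s": inception - log_time,
            "lifetime_s": expiration - inception,
            "covers_log_time": inception <= log_time <= expiration,
        })
    return rows


if __name__ == "__main__":
    for row in tkey_windows(SAMPLE_LOG):
        print(row)
```

On the two records from the log, the outgoing TKEY carries the log's own timestamp, while the window in the answer ends about 110 days before it.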
