Jose Alvarez R. via FreeIPA-users wrote:
Hello
A question
What other way can I enroll my client server on my IPA server?
I have an IPA server with OS Fedora 24 and freeipa-server-4.3.3-1.fc24.x86_64
My client server has OS CentOS release 5.10 with ipa-client-2.1.3-7.el5
This is the "ipa-client-install -d":
[root@l1 ~]# ipa-client-install -d
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': None, 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [IPA Discovery]
root : DEBUG Starting IPA discovery with domain=None, servers=None, hostname=l1.example.com
root : DEBUG [ipadnssearchldap(example.com)]
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG Verifying that ipa.example.com (realm EXAMPLE.COM) is an IPA server
root : DEBUG Init ldap with: ldap://ipa.example.com:389
root : DEBUG Search LDAP server for IPA base DN
root : DEBUG Check if naming context 'cn=changelog' is for IPA
root : DEBUG Info attribute with IPA server version not found
root : DEBUG Check if naming context 'dc=example,dc=com' is for IPA
root : DEBUG Naming context 'dc=example,dc=com' is a valid IPA context
root : DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com(sub)
root : DEBUG Found: [('cn=example.COM,cn=kerberos,dc=example,dc=com', {'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'cn': ['example.COM']})]
root : DEBUG Discovery result: Success; server=ipa.example.com, domain=example.com, kdc=ipa.example.com, basedn=dc=example,dc=com
root : DEBUG Validated servers: ipa.example.com
root : DEBUG will use domain: example.com
root : DEBUG [ipadnssearchldap(example.com)]
root : DEBUG DNS validated, enabling discovery
root : DEBUG will use discovered server: ipa.example.com
Discovery was successful!
root : DEBUG will use cli_realm: EXAMPLE.COM
root : DEBUG will use cli_basedn: dc=example,dc=com
Hostname: l1.example.com
Realm: example.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
root : DEBUG will use principal: admin
Synchronizing time with KDC...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b ipa.example.com
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG Writing Kerberos configuration to /tmp/tmpSeQjKB:
#File modified by ipa-client-install
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.COM = {
kdc = ipa.example.com:88
master_kdc = ipa.example.com:88
admin_server = ipa.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Password for admin@EXAMPLE.COM:
root : DEBUG args=kinit admin@EXAMPLE.COM
root : DEBUG stdout=Password for admin@EXAMPLE.COM:
root : DEBUG stderr=
root : DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.example.com
root : DEBUG Existing CA cert and Retrieved CA cert are identical
At the line "*root : DEBUG Existing CA cert and Retrieved CA cert are identical*" it doesn't progress.

I'm surprised it would end here as this isn't an error case. There is
nothing after this line in the output or in /var/log/ipaclient-install.log?
rob