Very odd, those steps look correct to me. And if auto-discovery for the domain, realm,
hostname and IPA server work, then it’s not the ipa-client-install script I think.
What versions are you running? Important bits:
- freeipa packages
- kerberos packages
- sssd packages
Also, what do /etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/krb5.conf look like?
Do you have a valid keytab in /etc/krb5.keytab?
Other things to compare:
/var/log/ipa-client-install.log
check if the enrollment is different between the command you run automatically vs. running
it manually when it works
John
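An added diagnostic script, not from the thread, that snapshots the items John lists above (package versions, nsswitch/sssd/krb5 configs, keytab contents, sssd state, the install log) into a directory so the automatic and manual enrollments can be compared with diff -r; it also checks that the host principal for `hostname -f` is in /etc/krb5.keytab, which is one of the machine principals rpc.gssd can use for a sec=krb5 mount. It assumes Debian/Ubuntu package names (freeipa-client, krb5-user, sssd) and the standard file paths; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot enrollment state for comparison.
# Usage: sh enroll-snapshot.sh /root/auto   # after the cloud-init enrollment
#        sh enroll-snapshot.sh /root/manual # after a manual ipa-client-install
#        diff -r /root/auto /root/manual
# Assumes Debian/Ubuntu package names (freeipa-client, krb5-user, sssd).

host_principal() {                  # $1 = FQDN, $2 = realm -> host/FQDN@REALM
    printf 'host/%s@%s\n' "$1" "$2"
}

default_realm_from_conf() {         # $1 = contents of krb5.conf
    printf '%s\n' "$1" | awk -F= '/^[ \t]*default_realm[ \t]*=/ {
        gsub(/[ \t]/, "", $2); print $2; exit }'
}

keytab_has_principal() {            # $1 = `klist -kt` output, $2 = principal
    # klist -kt prints "KVNO Timestamp Principal", so the principal is the last field.
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { f = 1 } END { exit f ? 0 : 1 }'
}

snapshot_enrollment() {             # $1 = output directory
    dir=$1; mkdir -p "$dir"
    dpkg-query -W -f='${Package} ${Version}\n' 'freeipa-client' 'krb5-user' \
        'libkrb5*' 'sssd*' > "$dir/packages.txt" 2>&1
    for f in /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/krb5.conf /etc/ipa/default.conf; do
        [ -r "$f" ] && cp "$f" "$dir/"
    done
    cp /var/log/ipa-client-install.log "$dir/" 2>/dev/null
    systemctl is-active sssd > "$dir/sssd-state.txt" 2>&1
    listing=$(klist -kt /etc/krb5.keytab 2>&1)
    printf '%s\n' "$listing" > "$dir/keytab.txt"
    # A sec=krb5 mount needs a machine principal in the keytab; host/FQDN is one
    # of the names rpc.gssd looks for, so flag it if the enrollment did not create it.
    realm=$(default_realm_from_conf "$(cat /etc/krb5.conf 2>/dev/null)")
    princ=$(host_principal "$(hostname -f)" "$realm")
    if keytab_has_principal "$listing" "$princ"; then
        echo "OK: $princ present in /etc/krb5.keytab"
    else
        echo "MISSING: $princ not in /etc/krb5.keytab"
    fi | tee "$dir/keytab-check.txt"
}

[ "$#" -eq 0 ] || snapshot_enrollment "$1"
```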
On 29 May 2019, at 23:04, Boudjoudad Abdelkader
<boujoudad(a)gmail.com> wrote:
I was using curtin but now I'm using cloud-init post-installation; after the
installation freeipa-client is installed and sssd.conf configured as well as krb5.conf and
krb5.keytab, but the nfs mount doesn't work!
The command to deploy the script is:
maas $PROFILE machine deploy $SYSTEM_ID user_data=$(base64 -w 0 /opt/myscript.sh)
The script is executed after the installation, I can see that, but it seems to have a
problem with ipa-client-installation!
On Wed, May 29, 2019 at 4:59 PM John Keates <john(a)keates.nl> wrote:
In what phase do you run the script? It should be one of the last scripts in the final
phase for the install to work reliably. If it’s in preconfig or config phase it breaks 9
out of 10 times.
John
> On 29 May 2019, at 22:53, Boudjoudad Abdelkader <boujoudad(a)gmail.com> wrote:
>
> I'm using cloud-init with this script:
> locale-gen en_CA.utf8
> locale-gen en_US.utf8
>
> HOSTNAME=$(hostname)
> IP=$(hostname -i | awk '{print $1}')
> echo "$HOSTNAME.example.com" > /etc/hostname
>
> FQDN="$HOSTNAME.example.com"
> echo "FQDN is: $FQDN"
> sed -i "1 i\
> $IP $FQDN $HOSTNAME" /etc/hosts
> apt-get -y update
> apt-get install -y nfs-kernel-server nfs-common
> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com --domain example.com --no-ntp --unattended --principal admin --password 'Deep201' --realm EXAMPLE.COM --enable-dns-updates --force --force-join
> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>
> I will test with only --enable-dns-updates, principal and password
> The network is configured well because I can reach the nfs server.
>
>
> On Wed, May 29, 2019 at 4:44 PM John Keates <john(a)keates.nl> wrote:
> What I meant was that you are already practically disabling it; you specify the
hostname, domain, server, realm on your command line but those should be discoverable.
> Here is an enrollment jinja2 template I use:
>
> ipa-client-install -U --enable-dns-updates --principal={{freeipa.client.enroll.username}} --password={{freeipa.client.enroll.password}}
>
> It’s all that’s needed as long as your network has the correct setup. You’d replace
the principal and password with your own of course.
> It would probably look like:
>
> ipa-client-install -U --enable-dns-updates --principal=admin --password=Deep201qa
>
> John
>
>> On 29 May 2019, at 22:39, Boudjoudad Abdelkader <boujoudad(a)gmail.com> wrote:
>>
>> Hi John,
>> Thank you for the quick reply,
>>
>> To disable autodiscovery the option is?
>> --autodiscovery=no
>>
>> On Wed, May 29, 2019 at 4:18 PM John Keates <john(a)keates.nl> wrote:
>> I don’t know what you are missing, but I do know that in theory your enrolment
should work with just -U for unattended and the principal and password.
>> Unless you have a special environment that requires auto discovery to be
disabled, I’d recommend using it.
>>
>> I’m enrolling clients in three ways that all work this way, one using a
Cloud-Init module, one using a SaltStack formula and one using a Lambda function that uses
SSH to connect to a machine and run the enrolment remotely.
>>
>> The text from your mount command seems to suggest a timeout issue, perhaps the
network isn’t up or DNS is broken? I’m also seeing you using an IP, it’s usually a sign of
an incomplete or improper network setup (but technically it should be fine)
>>
>> John
>>
>>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>>
>>> Hello,
>>> I'm trying to automate freeipa-client installation on Ubuntu with a custom
script using MAAS as follows:
>>> HOSTNAME=$(hostname)
>>> IP=$(hostname -i | awk '{print $1}')
>>> echo "$HOSTNAME.example.com" > /etc/hostname
>>>
>>> FQDN="$HOSTNAME.example.com"
>>> echo "FQDN is: $FQDN"
>>> sed -i "1 i\
>>> $IP $FQDN $HOSTNAME" /etc/hosts
>>> apt-get -y update
>>> apt-get install -y nfs-kernel-server nfs-common
>>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com --domain example.com --no-ntp --unattended --principal admin --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
>>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>> service sssd restart
>>>
>>> After the deployment I can do kinit domain_user and ipa user-show without
any problem, but when I tried to mount an nfs in /etc/fstab with the following options I
get an error:
>>> The mount in /etc/fstab: nfs4
rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
0 0
>>> The error:
>>> mount -av
>>> / : ignored
>>> none : ignored
>>> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
>>> mount.nfs4: trying text-based options
'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
>>>
>>> I tried to install freeipa-client manually and the nfs mount works:
>>> ipa-client-install
>>>
>>> What am I missing?
>>>
>>> Thanks,
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
>