I can't swear to this _absolutely_, but I'm pretty sure when I deployed my new FreeIPA server, it ran ipa-client-install for me 'automatically' once ipa-server-install was done. Only problem, I was using external DNS, so client-install wouldn't work. If you select external DNS during ipa-server-install, perhaps as well as generating the sample Bind config (which is very helpful), it should explicitly warn you to put your DNS config in order with a 'Press a key when your DNS config is done' message or something before proceeding to ipa-client-install?
That's true, IPA client installation is run as a part of IPA server installation. Normally, the client installation works correctly without waiting for you to deploy the DNS configuration to external DNS. In your case, I think the whole issue was caused by Bug 1011399.

Normally, when a hostname is not resolvable in the installation phase, ipa-server-install will refuse to install unless you specify the following flag to work around it:

    --no-host-dns    Do not use DNS for hostname lookup during installation

Worked for me:

    # hostname ipa.is.not.resolvable.test
    # host ipa.is.not.resolvable.test
    Host ipa.is.not.resolvable.test not found: 3(NXDOMAIN)
    # ipa-server-install -p Secret123 -a Secret123 --no-host-dns

    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the FreeIPA Server.

    This includes:
      * Configure a stand-alone CA (dogtag) for certificate management
      * Configure the Network Time Daemon (ntpd)
      * Create and configure an instance of Directory Server
      * Create and configure a Kerberos Key Distribution Center (KDC)
      * Configure Apache (httpd)

    To accept the default shown in brackets, press the Enter key.

    WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
    in favor of ntpd

    Do you want to configure integrated DNS (BIND)? [no]:

    Enter the fully qualified domain name of the computer
    on which you're setting up server software. Using the form
    <hostname>.<domainname>
    Example: master.example.com.

    Server host name [ipa.is.not.resolvable.test]:

    Warning: skipping DNS resolution of host ipa.is.not.resolvable.test
    The domain name has been determined based on the host name.

    Please confirm the domain name [is.not.resolvable.test]:

    Unable to resolve IP address for host name
    Please provide the IP address to be used for this host name: 10.1.2.3
    Adding [10.1.2.3 ipa.is.not.resolvable.test] to your /etc/hosts file
    The kerberos protocol requires a Realm name to be defined.
    This is typically the domain name converted to uppercase.

    Please provide a realm name [IS.NOT.RESOLVABLE.TEST]:

    The IPA Master Server will be configured with:
    Hostname:      ipa.is.not.resolvable.test
    IP address:    10.1.2.3
    Domain name:   is.not.resolvable.test
    Realm name:    IS.NOT.RESOLVABLE.TEST

    Continue to configure the system with these values? [no]: y

    The following operations may take some minutes to complete.
    Please wait until the prompt is returned.

    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
    ...
      [15/15]: configuring httpd to start on boot
    Done configuring the web interface (httpd).
    Applying LDAP updates
    Restarting the directory server
    Restarting the KDC
    Sample zone file for bind has been created in /tmp/sample.zone.R1Bkc3.db
    Restarting the web server
    ==============================================================================
    Setup complete

    Next steps:
        1. You must make sure these network ports are open:
            TCP Ports:
              * 80, 443: HTTP/HTTPS
              * 389, 636: LDAP/LDAPS
              * 88, 464: kerberos
            UDP Ports:
              * 88, 464: kerberos
              * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

    Be sure to back up the CA certificate stored in /root/cacert.p12
    This file is required to create replicas. The password for this
    file is the Directory Manager password

Currently, I am planning to close this one as a dup to Bug 1011399 unless we find a real bug in the installer.
I'm not sure it is a dupe, but it might be a bit tricky to re-create the exact circumstances I hit :/ I *think* at the time I ran it, I had the case where 'hostname' returned 'id', and 'hostname -f' returned 'id.happyassassin.net'. I believe both of those were listed on a line in /etc/hosts:

    192.168.XX.YY id.happyassassin.net id

so that may have satisfied the 'resolve' requirement. But none of the auto-discovery stuff was present in the DNS record for happyassassin.net, so the auto-discovery stuff in the client install failed. IIRC, anyway. It's been a busy week :/
Note that I hit 1011399 on a *different* machine, the first actual separate client I tried to configure. I'm about 99.5% sure I didn't hit exactly that on the server, or else I wouldn't ever have been able to get *past* it without IRC help.
I tried to reproduce the issues, but I was not successful so far. It would be great to get ipaserver-install.log and ipaclient-install.log from the failing machine; they should give us more answers about what was happening and what actually failed. Without that in place, I am not sure what could have failed.
Sure, I can grab those, just a sec.
https://www.happyassassin.net/extras/ipaserver-install.log.xz (compressed as it's huge, for some reason)
https://www.happyassassin.net/extras/ipaclient-install.log
Thanks Adam! Though this particular ipaserver-install.log won't help us as it got apparently overridden by a successful server (and client) installation you did after the failing one.

    ...
    2013-09-23T22:23:12Z DEBUG Starting external process
    2013-09-23T22:23:12Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain happyassassin.net --server id.happyassassin.net --realm HAPPYASSASSIN.NET --hostname id.happyassassin.net
    2013-09-23T22:23:20Z DEBUG Process finished, return code=0
    2013-09-23T22:23:20Z DEBUG stdout=
    2013-09-23T22:23:20Z DEBUG stderr=Hostname: id.happyassassin.net
    Realm: HAPPYASSASSIN.NET
    DNS Domain: happyassassin.net
    IPA Server: id.happyassassin.net
    BaseDN: dc=happyassassin,dc=net
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Client configuration complete.
    ...
    2013-09-23T22:23:21Z INFO The ipa-server-install command was successful

Any chance you backed up the old log or any other data that could help us recreate the issue or find the root cause of the problem?
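Added example, not part of the original comments and not FreeIPA code: a small parser that pairs each external command recorded in ipaserver-install.log with its return code and pulls out warning lines, so that a run like the one quoted above (return code 0, yet "Could not update DNS SSHFP records.") is easy to spot. The function names, the assumption that multi-line stderr appears as untimestamped continuation lines, and the second sample run are constructed for illustration.

```python
import re

# Record header format taken from the ipaserver-install.log excerpt above.
RECORD = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) (.*)$")

def external_runs(log_text):
    """Pair each 'args=' record with its return code and captured output."""
    runs, cur, field = [], None, None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:  # untimestamped line: continuation of stdout=/stderr=
            if cur is not None and field:
                cur[field] += "\n" + line
            continue
        ts, msg, field = m.group(1), m.group(3), None
        if msg.startswith("args="):
            cur = {"started": ts, "args": msg[5:], "rc": None, "stdout": "", "stderr": ""}
            runs.append(cur)
        elif cur is not None and msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
        elif cur is not None and msg.startswith(("stdout=", "stderr=")):
            field = msg[:6]
            cur[field] = msg[7:]
        else:
            cur = None  # any other record closes the current run
    return runs

def triage(log_text, needle="ipa-client-install"):
    """Exit status and warning lines for each run whose args contain needle."""
    out = []
    for run in external_runs(log_text):
        if needle in run["args"]:
            text = run["stdout"] + "\n" + run["stderr"]
            warns = [l for l in text.splitlines() if l.startswith(("Could not", "Unable"))]
            out.append({"started": run["started"], "rc": run["rc"], "warnings": warns})
    return out

# Constructed sample: first run abridged from the excerpt above, second run invented.
SAMPLE = """\
2013-09-23T22:23:12Z DEBUG Starting external process
2013-09-23T22:23:12Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended
2013-09-23T22:23:20Z DEBUG Process finished, return code=0
2013-09-23T22:23:20Z DEBUG stderr=Hostname: id.happyassassin.net
Could not update DNS SSHFP records.
2013-09-23T22:23:21Z INFO The ipa-server-install command was successful
2013-09-23T22:30:00Z DEBUG args=/usr/sbin/ipa-client-install --unattended
2013-09-23T22:30:05Z DEBUG Process finished, return code=1
2013-09-23T22:30:05Z DEBUG stderr=Unable to discover server (constructed message)
"""
```

Calling triage(SAMPLE) returns one entry per ipa-client-install run; a zero return code with a non-empty warnings list is the case worth a second look when DNS is managed externally.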
Didn't have backups configured on the system at the time as it was a brand new VM (I use single-purpose VMs for all my servers), so there was no point really :/ sorry. Can't really think of anything else to suggest ATM. When I get back home I may be able to spin up a new dummy VM and try to reproduce my process, but for now maybe we'll just have to close this.
Ok. Let's just close this Bugzilla then. If you find any information that could help us get to the root of the issue and fix it, please just reopen or file a new bug. Anyway, thanks for testing and reporting!