Description of problem:
For enrollment using Kerberos credentials we create a temporary krb5.conf. The contents of this should be logged at debug log level for debugging purposes. We also attempt to update DNS and create a nsupdate file, this should be logged as well. It is not easy/possible to discern the contents of these using other information from the current logs.
Once the patches are applied, to verify the bug:

Look in /var/log/ipaclient-install.log for:

    Writing Kerberos configuration to /tmp/XXXXXXXX

You should see a copy of the temporary krb5.conf used during enrollment.

and

    Writing nsupdate commands to /tmp/XXXXXXXXX

It should contain the nsupdate sent to the IPA server. It will look something like:

    zone example.com.
    update delete lion.example.com. IN A
    send
    update add lion.example.com. 1200 IN A 192.168.166.32
    send
https://fedorahosted.org/freeipa/ticket/1093
https://fedorahosted.org/freeipa/ticket/1094
master: 8472dc26b7e261090b73e0dba488df23917830fa ipa-2-0: d615e45a8f99af25086aef03ae8b724be630d48a and master: 8472dc26b7e261090b73e0dba488df23917830fa ipa-2-0: d615e45a8f99af25086aef03ae8b724be630d48a
Partially verified:

<snip_of_install_log>
2011-09-21 13:49:52,547 DEBUG Writing Kerberos configuration to /tmp/tmplwFeOn:
#File modified by ipa-client-install
[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM
[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }
</snip>

However, I do not see any debug output for nsupdate.
To see the nsupdate output you need to either add the command-line option --enable-dns-updates or have the client configured to use the IPA DNS but not have the client hostname in DNS.
Will test with above options
Verified using ipa-client-2.1.1-3.el6.x86_64
Installed using cmd: ipa-client-install --enable-dns-updates

In addition to the debug section for Kerberos in the log, also saw:

<snip_of_install_log>
2011-09-22 13:27:39,096 DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone testrelm.
update delete ipaqavmh.testrelm. IN A
send
update add ipaqavmh.testrelm. 1200 IN A 10.16.98.193
send
</snip>
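One way to automate the log check from the verification steps above, as an added example that is not part of this bug report or of the FreeIPA code. It assumes each log record starts with a timestamp and level, with the written file's contents on the following lines; the function names and the sample log are constructed for illustration.

```python
import re

# Assumption: a record starts with "YYYY-MM-DD HH:MM:SS,mmm LEVEL message";
# lines without that prefix continue the previous record.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+) (.*)$")
MARKERS = {"krb5": "Writing Kerberos configuration to ",
           "nsupdate": "Writing nsupdate commands to "}

# Constructed sample log, modelled on the snippets in this report.
SAMPLE_LOG = """\
2011-01-01 10:00:00,000 DEBUG Writing Kerberos configuration to /tmp/XXXXXXXX:
#File modified by ipa-client-install
[libdefaults]
  default_realm = EXAMPLE.COM
2011-01-01 10:00:01,000 INFO constructed unrelated record
2011-01-01 10:00:02,000 DEBUG Writing nsupdate commands to /tmp/XXXXXXXXX:
zone example.com.
update delete lion.example.com. IN A
send
update add lion.example.com. 1200 IN A 192.168.166.32
send
"""

def extract_debug_blocks(log_text):
    """Map each marker name to a list of (path, file contents) tuples."""
    found = {name: [] for name in MARKERS}
    body = None  # lines of the marker record being collected, if any
    for line in log_text.splitlines():
        m = RECORD_START.match(line)
        if m is None:
            if body is not None:
                body.append(line)
            continue
        body = None  # a new record ends the previous block
        level, msg = m.groups()
        if level != "DEBUG":
            continue
        for name, marker in MARKERS.items():
            if msg.startswith(marker):
                body = []
                found[name].append((msg[len(marker):].rstrip(":"), body))
    return {n: [(p, "\n".join(b).strip()) for p, b in v] for n, v in found.items()}

def missing_blocks(log_text):
    """Names of expected debug blocks that are absent or empty in the log."""
    blocks = extract_debug_blocks(log_text)
    return [n for n in MARKERS if not any(body for _, body in blocks[n])]

if __name__ == "__main__":
    print(missing_blocks(SAMPLE_LOG))
```

A log from an install where no DNS update was attempted reports `nsupdate` as missing, which matches the partial verification earlier in this report.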
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: If installing an IPA client fails it is not always clear why.
Consequence: Debugging some installation failures can be very difficult.
Fix: Add more debugging to the IPA client installation log, /var/log/ipaclient-install.log, so that problems can be more easily debugged.
Result: Reasons for failure are more apparent.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html