3.11. Troubleshooting Client Installations

For clients configured using ipa-client-install, the client installation log is located in /var/log/ipaclient-install.log. The FreeIPA logs, both for the server and client and for FreeIPA-associated services, are covered in Section 18.1.3, “Checking FreeIPA Server Logs”.
These are some issues and workarounds for client installation problems.

3.11.1. The client can't resolve reverse hostnames when using an external DNS.

While FreeIPA can host its own DNS server as part of the domain services, it can also use an external DNS name server. However, because of some of the limitations of reverse DNS, reverse lookups can fail to resolve correctly if the external DNS is listed in the client's /etc/resolv.conf file or if there are other resources on the network with SRV records, like Active Directory.
The problem is that the external DNS name server returns the wrong hostname for the FreeIPA server.
One symptom is errors when looking up the FreeIPA server in the Kerberos database:
Jun 30 11:11:48 server1 krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 11:11:48 server1 krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 30 11:11:49 server1 krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.COM for HTTP/, Server not found in Kerberos database
There are several ways to work around this issue:
  • Edit the /etc/resolv.conf file to remove the external DNS name server references.
  • Add reverse lookup records for each FreeIPA server.
  • Give the FreeIPA client or domain a subnet and forward all requests for that subnet.
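To confirm the mismatch before choosing a workaround, the following added example (not part of the FreeIPA documentation) runs a forward-confirmed reverse DNS check through the client's system resolver. The function name check_reverse_dns and the hostname ipaserver.example.com are assumptions for illustration.

```python
import socket
import sys


def check_reverse_dns(server_fqdn,
                      forward=socket.gethostbyname_ex,
                      reverse=socket.gethostbyaddr):
    """Return a list of (ip, problem) tuples for every address of
    server_fqdn whose PTR lookup does not lead back to server_fqdn.

    An empty list means forward and reverse DNS agree. The default
    resolvers are the system ones, so the result reflects what this
    client sees through /etc/resolv.conf and /etc/hosts.
    """
    want = server_fqdn.rstrip(".").lower()
    try:
        _name, _aliases, addresses = forward(want)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [(None, f"forward lookup failed: {exc}")]

    problems = []
    for ip in addresses:
        try:
            ptr_name, _ptr_aliases, _addrs = reverse(ip)
        except OSError as exc:  # socket.herror: no PTR record at all
            problems.append((ip, f"no PTR record: {exc}"))
            continue
        got = ptr_name.rstrip(".").lower()
        # Only the primary PTR name is compared: that is the name a
        # client would end up using if it canonicalizes the server
        # hostname through reverse DNS.
        if got != want:
            problems.append((ip, f"PTR returns {got}, expected {want}"))
    return problems


if __name__ == "__main__":
    # Constructed default; pass the real FreeIPA server FQDN as argv[1].
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "ipaserver.example.com"
    issues = check_reverse_dns(fqdn)
    for ip, problem in issues:
        print(f"{fqdn} [{ip}]: {problem}")
    sys.exit(1 if issues else 0)
```

Run it on the client against each FreeIPA server; a non-zero exit status means at least one address resolves back to a different name or has no PTR record.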

3.11.2. The client is not added to the DNS zone.

If a client is in a subnet not controlled by a FreeIPA DNS server, then the nsupdate command may fail to add the client to the DNS zone when ipa-client-install runs.
If FreeIPA is managing the DNS domain, then add a zone entry for the client manually, as described in Section 9.5, “Managing DNS Record Entries”. For example:
[jsmith@ipaserver ~]$ kinit admin
[jsmith@ipaserver ~]$ ipa dnsrecord-add <zone-name> www --a-rec <client-IP-address>
If the DNS domain is managed outside of FreeIPA, the resource record can be added manually to the zone configuration. For information on DNS in Fedora, see the DNS chapter in the Deployment Guide.