JR Aquino wrote:
On Sep 19, 2011, at 10:16 PM, JR Aquino wrote:
We're having significant reproducible problems with rhel 5.7 + FreeIPA master...
I'm not sure if it is localized to us or even which side is responsible for the
error...
Has anyone had success with rhel 5.7's repo included FreeIPA client joining a
fedora based FreeIPA server?
We are essentially dead in the water at this point.
Sent from my iPad
Begin forwarded message:
From: Brett Campbell <[email protected]>
Date: September 19, 2011 6:48:55 PM PDT
To: JR Aquino <[email protected]>
Cc: Jason Vagalatos <[email protected]>
Subject: RE: Still failing on 5.7 with the same error........
Apparently this error is printed from FreeIPA code and not an underlying
library.
Here’s the relevant bit from ipa-getkeytab.c:
/* Format of response
 *
 * KeytabGetRequest ::= SEQUENCE {
 *     new_kvno    Int32
 *     SEQUENCE OF KeyTypes
 * }
 *
 * * List of accepted enctypes *
 * KeyTypes ::= SEQUENCE {
 *     enctype     Int32
 * }
 */
rtag = ber_scanf(sctrl, "{i{", &kvno);
if (rtag == LBER_ERROR) {
    fprintf(stderr, "ber_scanf() failed, Invalid control ?!\n");
    goto error_out;
}
However, the call that’s failing (ber_scanf()) is one from the openldap library:
[root@util1 Server]# strings /usr/lib/liblber-2.3.so.0 |grep ber_scanf
ber_scanf
ber_scanf fmt (%s) ber:
ber_scanf: unknown fmt %c
ber_scanf
From: /O=EXPERTCITY.COM/OU=BETA.EXPERTCITY/CN=RECIPIENTS/CN=BRETT.CAMPBELL On Behalf Of Brett Campbell
Sent: Monday, September 19, 2011 6:29 PM
To: [email protected]
Subject: Still failing on 5.7 with the same error........
Are you sure it’s not the server? Can you check the logs?
[root@util1 Server]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Kernel \r on an \m
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]# rpm --aid -ivh /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm
certmonger-0.42-1.el5.x86_64.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64.rpm
sssd-client-1.5.1-37.el5.x86_64.rpm sssd-1.5.1-37.el5.x86_64.rpm
xmlrpc-c-1.16.24-1206.1840.el5.x86_64.rpm libcollection-0.6.0-10.el5.x86_64.rpm
libdhash-0.4.2-10.el5.x86_64.rpm libldb-0.9.10-33.el5.x86_64.rpm
libtdb-1.2.1-6.el5.x86_64.rpm openssl-devel-0.9.8e-20.el5.x86_64.rpm
libref_array-0.1.1-10.el5.x86_64.rpm libpath_utils-0.2.1-10.el5.x86_64.rpm
libini_config-0.6.1-10.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm
openldap24-libs-2.4.23-5.el5.x86_64.rpm
xmlrpc-c-client-1.16.24-1206.1840.el5.x86_64.rpm
libtalloc-2.0.1-11.el5.x86_64.rpm c-ares-1.6.0-5.el5.x86_64.rpm
krb5-devel-1.6.1-62.el5.x86_64.rpm zlib-devel-1.2.3-4.el5.x86_64.rpm
libtevent-0.9.8-10.el5.x86_64.rpm e2fsprogs-devel-1.39-33.el5.x86_64.rpm
keyutils-libs-devel-1.2-1.el5.x86_64.rpm
libselinux-devel-1.33.4-5.7.el5.x86_64.rpm libsepol-devel-1.15.2-3.el5.x86_64.rpm
warning: /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm: Header V3 DSA signature:
NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:libtalloc ########################################### [ 4%]
2:libtevent ########################################### [ 8%]
3:xmlrpc-c ########################################### [ 12%]
4:xmlrpc-c-client ########################################### [ 15%]
5:libref_array ########################################### [ 19%]
6:libtdb ########################################### [ 23%]
7:libcollection ########################################### [ 27%]
8:cyrus-sasl-gssapi ########################################### [ 31%]
9:libldb ########################################### [ 35%]
10:certmonger ########################################### [ 38%]
11:c-ares ########################################### [ 42%]
12:openldap24-libs ########################################### [ 46%]
13:libpath_utils ########################################### [ 50%]
14:libini_config ########################################### [ 54%]
15:libdhash ########################################### [ 58%]
16:sssd-client ########################################### [ 62%]
17:sssd ########################################### [ 65%]
18:libsepol-devel ########################################### [ 69%]
19:libselinux-devel ########################################### [ 73%]
20:keyutils-libs-devel ########################################### [ 77%]
21:e2fsprogs-devel ########################################### [ 81%]
22:krb5-devel ########################################### [ 85%]
23:zlib-devel ########################################### [ 88%]
24:ipa-client ########################################### [ 92%]
25:openssl-devel ########################################### [ 96%]
26:libref_array ########################################### [100%]
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF'
--domain=expertcity.com --server=authstage1.ops.expertcity.com
--hostname=$(hostname) --no-ntp
Realm: EXPERTCITY.COM
DNS Domain: expertcity.com
IPA Server: authstage1.ops.expertcity.com
BaseDN: dc=expertcity,dc=com
Joining realm failed: ber_scanf() failed, Invalid control ?!
child exited with 9
Certificate subject base is: O=EXPERTCITY.COM
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]#
[root@util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF'
--domain=expertcity.com --server=authstage1.ops.expertcity.com
--hostname=$(hostname) --no-ntp
Realm: EXPERTCITY.COM
DNS Domain: expertcity.com
IPA Server: authstage1.ops.expertcity.com
BaseDN: dc=expertcity,dc=com
Joining realm failed: Host is already joined.
Certificate subject base is: O=EXPERTCITY.COM
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
Simo recently fixed a bug in master that was preventing users' keytabs from
being recognized as non-expired... Following a hunch, I updated the Stage
Server with the newest master and now I get a completely new error from the
RHEL 5.7 Client:
Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.
What version of ipa-client are you using?
Check ipaclient-install.log for potentially more details, and the Apache
log on the IPA server as well.
If the Apache side is logging an error about context.principal you need
to update your ipa-client software which should pull in updated xmlrpc-c
and curl libraries.
rob
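
The response layout quoted from ipa-getkeytab.c earlier in the thread, together with the "{i{" format string passed to ber_scanf(), describes an outer SEQUENCE, an INTEGER kvno and a nested SEQUENCE of enctypes. As an added example (not FreeIPA or OpenLDAP code, and not part of the thread), the stand-alone decoder below walks that layout on a constructed byte string; the function names and the strict tag and length checks are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample (not captured traffic): kvno 3, enctypes 18 and 17. */
static const uint8_t SAMPLE[] = {0x30,0x0F, 0x02,0x01,0x03, 0x30,0x0A,
    0x30,0x03,0x02,0x01,0x12, 0x30,0x03,0x02,0x01,0x11};

/* Consume a header with the expected tag; leaves *p at the contents. */
static int ber_hdr(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len) {
    if (end - *p < 2 || (*p)[0] != tag) return -1;
    uint8_t b = (*p)[1];
    *p += 2; *len = b;
    if (b & 0x80) {                        /* long form: b & 0x7f length octets */
        size_t n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - *p) < n) return -1;
        for (*len = 0; n--; ) *len = (*len << 8) | *(*p)++;
    }
    return (size_t)(end - *p) < *len ? -1 : 0;   /* contents must fit */
}

static int read_int(const uint8_t **p, const uint8_t *end, int32_t *out) {
    size_t len;
    if (ber_hdr(p, end, 0x02, &len) || len == 0 || len > 4) return -1;
    uint32_t v = ((*p)[0] & 0x80) ? 0xFFFFFFFFu : 0;   /* sign-extend */
    while (len--) v = (v << 8) | *(*p)++;
    *out = (int32_t)v;
    return 0;
}

/* Returns the number of enctypes stored, or -1 if the layout does not match. */
int parse_keytab_response(const uint8_t *buf, size_t n, int32_t *kvno,
                          int32_t *etypes, size_t max) {
    const uint8_t *p = buf, *end = buf + n;
    size_t len, count = 0;
    if (ber_hdr(&p, end, 0x30, &len)) return -1;       /* outer "{" */
    end = p + len;
    if (read_int(&p, end, kvno)) return -1;            /* "i": new_kvno */
    if (ber_hdr(&p, end, 0x30, &len)) return -1;       /* inner "{" */
    end = p + len;
    while (p < end) {                                  /* one KeyTypes per entry */
        if (count == max || ber_hdr(&p, end, 0x30, &len)) return -1;
        const uint8_t *item_end = p + len;
        if (read_int(&p, item_end, &etypes[count++]) || p != item_end) return -1;
    }
    return (int)count;
}

int main(void) {   /* exit status 0 when the sample decodes to two enctypes */
    int32_t kvno, et[8];
    return parse_keytab_response(SAMPLE, sizeof SAMPLE, &kvno, et, 8) == 2 ? 0 : 1;
}
```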