Hi Rob,

Thanks for your response.

Yes, it's with admin.

I execute the command "ipa-client-install --debug"

-------------------------------------------------------------------------
[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later

Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ppa named]#
[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later

Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Writing Kerberos configuration to /tmp/tmpqWSatK:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = CYBERFUEL.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  CYBERFUEL.COM = {
    kdc = freeipa.cyberfuel.com:88
    master_kdc = freeipa.cyberfuel.com:88
    admin_server = freeipa.cyberfuel.com:749
    default_domain = cyberfuel.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .cyberfuel.com = CYBERFUEL.COM
  cyberfuel.com = CYBERFUEL.COM

Password for ad...@cyberfuel.com:
args=kinit ad...@cyberfuel.com
stdout=Password for ad...@cyberfuel.com:
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

-------------------------------------------------

It's the version curl IPA server

[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#

It's the version curl PPA server(IPA Client)

[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

The version curl is different, but the version curl PPA is the repository Odin Plesk.

-----------------------------------------------------
[root@ppa tmp]# cat kerberos_trace.log
[12118] 1461855578.809966: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.810171: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810252: Getting credentials ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmptSoqDX
[12118] 1461855578.810369: Retrieving ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810451: Retrieving ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with result: 0/Success
[12118] 1461855578.810476: Found cached TGT for service realm: ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[12118] 1461855578.810509: Requesting tickets for ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream 192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
[12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
[12118] 1461855578.816714: Response was from master KDC
[12118] 1461855578.816906: TGS reply is for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/BEB2
[12118] 1461855578.816977: TGS request result: 0/Success
[12118] 1461855578.817018: Received creds for desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.817066: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmptSoqDX
[12118] 1461855578.817413: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.874938: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey aes256-cts/4B32, seqnum 706045221
[17304] 1461858424.873888: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.874126: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874220: Getting credentials ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmpH0QF6P
[17304] 1461858424.874413: Retrieving ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874531: Retrieving ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with result: 0/Success
[17304] 1461858424.874603: Found cached TGT for service realm: ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[17304] 1461858424.874631: Requesting tickets for ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream 192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
[17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
[17304] 1461858424.882531: Response was from master KDC
[17304] 1461858424.882775: TGS reply is for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/20DA
[17304] 1461858424.882850: TGS request result: 0/Success
[17304] 1461858424.882883: Received creds for desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.882918: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P
[17304] 1461858424.882951: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpH0QF6P
[17304] 1461858424.883271: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.898401: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey aes256-cts/A0F5, seqnum 906104721
[23457] 1461863053.621386: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.621602: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.621719: Getting credentials ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmp576FE3
[23457] 1461863053.621918: Retrieving ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.622097: Retrieving ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with result: 0/Success
[23457] 1461863053.622144: Found cached TGT for service realm: ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[23457] 1461863053.622176: Requesting tickets for ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream 192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
[23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
[23457] 1461863053.628229: Response was from master KDC
[23457] 1461863053.628485: TGS reply is for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/9E88
[23457] 1461863053.628560: TGS request result: 0/Success
[23457] 1461863053.628610: Received creds for desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.628655: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3
[23457] 1461863053.628689: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmp576FE3
[23457] 1461863053.629119: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.640721: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey aes256-cts/8866, seqnum 421358565
[23749] 1461863277.525338: ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.525435: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525469: Getting credentials ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmprfuOsj
[23749] 1461863277.525529: Retrieving ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525572: Retrieving ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with result: 0/Success
[23749] 1461863277.525584: Found cached TGT for service realm: ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[23749] 1461863277.525593: Requesting tickets for ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream 192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
[23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
[23749] 1461863277.530737: Response was from master KDC
[23749] 1461863277.530881: TGS reply is for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/79C3
[23749] 1461863277.530931: TGS request result: 0/Success
[23749] 1461863277.530948: Received creds for desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.530962: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj
[23749] 1461863277.530971: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmprfuOsj
[23749] 1461863277.531133: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.542889: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey aes256-cts/5194, seqnum 376027188
[25544] 1461864401.258277: ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.258584: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.258678: Getting credentials ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmpbzX7EN
[25544] 1461864401.258873: Retrieving ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.259040: Retrieving ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with result: 0/Success
[25544] 1461864401.259076: Found cached TGT for service realm: ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[25544] 1461864401.259102: Requesting tickets for ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream 192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
[25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
[25544] 1461864401.264593: Response was from master KDC
[25544] 1461864401.264893: TGS reply is for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/9106
[25544] 1461864401.264966: TGS request result: 0/Success
[25544] 1461864401.264996: Received creds for desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.265029: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265058: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265581: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.276059: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey aes256-cts/0E9F, seqnum 871496824
[18097] 1461937028.664354: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.664456: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664490: Getting credentials ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmpF9x_o8
[18097] 1461937028.664549: Retrieving ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664590: Retrieving ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with result: 0/Success
[18097] 1461937028.664601: Found cached TGT for service realm: ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[18097] 1461937028.664611: Requesting tickets for ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream 192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
[18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
[18097] 1461937028.668984: Response was from master KDC
[18097] 1461937028.669109: TGS reply is for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/9592
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.669156: Received creds for desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.669167: Removing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.676470: Retrieving ad...@cyberfuel.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------

Regards
Jose Alvarez

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, April 29, 2016 09:34 a.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi Users
>
> You can help me?
>
> I have the problem for join a client to my FREEIPA Server. The version
> IPA Server is 3.0 and IP client is 3.0
>
> When I join my client to IPA server show these errors:
>
> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
>
> 2016-04-28T17:26:41Z DEBUG stderr=
>
> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://freeipa.cyberfuel.com
>
> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
> identical
>
> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>
> 2016-04-28T17:26:41Z DEBUG stdout=
>
> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>
> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
> 401, not 200
>
> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>
> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

I'd look in the 389-ds access and error logs on the IPA server to see if there are any more details. Look for the BIND from the client and see what happens.

More context from the log file might be helpful. I believe if you run the client installer with --debug then additional flags are passed to ipa-join to include the XML-RPC conversation and that might be useful too.

What account are you using to enroll with, admin?

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
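
The ipa-join debug transcript and the kerberos_trace.log records posted in this thread can be summarised mechanically before reading them line by line. The Python below is an added example, not part of the original messages and not FreeIPA code: it reports how many HTTP requests were made, whether any carried an Authorization header, which challenge the server returned, and which service classes appear in TGS requests. The sample input is constructed (ipa.example.test, 192.0.2.10 and EXAMPLE.TEST are placeholders) and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the curl verbose output ipa-join prints with
# -d; ipa.example.test, 192.0.2.10 and EXAMPLE.TEST are placeholders.
CURL_TRANSCRIPT = """\
* Connected to ipa.example.test (192.0.2.10) port 443 (#0)
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: ipa.example.test
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
"""

# Constructed KRB5_TRACE-style records (same layout as kerberos_trace.log).
KRB5_TRACE = """\
[18097] 1461937028.664611: Requesting tickets for ldap/ipa.example.test@EXAMPLE.TEST, referrals on
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
"""

REQUEST_RE = re.compile(r"^> (\S+) (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
TGS_RE = re.compile(r"^\[\d+\] [\d.]+: Requesting tickets for ([^,\s]+),")


def add_header(headers, text):
    """Store 'Name: value' in headers under a lower-cased name."""
    name, sep, value = text.partition(":")
    if sep and name.strip():
        headers[name.strip().lower()] = value.strip()


def parse_http_exchanges(transcript):
    """Split curl -v style output into request/response records."""
    exchanges, current, in_request = [], None, False
    for line in transcript.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"method": match.group(1), "path": match.group(2),
                       "request_headers": {}, "status": None,
                       "response_headers": {}}
            exchanges.append(current)
            in_request = True
        elif current is None:
            continue  # TLS and connection chatter before the first request
        elif line.startswith("*"):
            in_request = False  # informational line; may interleave headers
        elif line.startswith("<"):
            in_request = False
            body = line[1:].strip()
            status = STATUS_RE.match(body)
            if status:
                current["status"] = int(status.group(1))
            else:
                add_header(current["response_headers"], body)
        elif in_request:
            # Older curl prefixes only the request line with '>'; newer
            # versions prefix every header, so strip the marker if present.
            add_header(current["request_headers"], line.lstrip("> "))
    return exchanges


def requested_service_classes(trace):
    """Service classes (text before '/') seen in TGS ticket requests."""
    classes = set()
    for line in trace.splitlines():
        match = TGS_RE.match(line)
        if match:
            classes.add(match.group(1).split("/", 1)[0])
    return classes


def summarise(transcript, trace):
    """Collect the facts needed to triage a 401 on a Negotiate endpoint."""
    exchanges = parse_http_exchanges(transcript)
    last = exchanges[-1] if exchanges else None
    challenge = last["response_headers"].get("www-authenticate", "") if last else ""
    return {
        "requests": len(exchanges),
        "final_status": last["status"] if last else None,
        "challenge_scheme": challenge.split(" ", 1)[0] or None,
        "authorization_sent": any(
            "authorization" in e["request_headers"] for e in exchanges),
        "tgs_service_classes": sorted(requested_service_classes(trace)),
    }


if __name__ == "__main__":
    for key, value in summarise(CURL_TRANSCRIPT, KRB5_TRACE).items():
        print(f"{key}: {value}")
```

A summary with a Negotiate challenge, a single request and no Authorization header indicates where to look next: in the client's credential cache and in the server-side logs Rob mentions.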