Re: [Freeipa-users] HTTP response code is 401, not 200

Fri, 29 Apr 2016 10:18:12 -0700 

Jose Alvarez R. wrote:

Hi Rob, Thanks for your response

Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use standard calls xmlrpc-c calls to setup authentication and IIRC that links against libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look like RPM versions that seem to point to RHEL 6. 

rob



I execute the command "ipa-client-install --debug"
-------------------------------------------------------------------------


[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ppa named]#
[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Writing Kerberos configuration to /tmp/tmpqWSatK:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
   default_realm = CYBERFUEL.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes
   udp_preference_limit = 0


[realms]
   CYBERFUEL.COM = {
     kdc = freeipa.cyberfuel.com:88
     master_kdc = freeipa.cyberfuel.com:88
     admin_server = freeipa.cyberfuel.com:749
     default_domain = cyberfuel.com
     pkinit_anchors = FILE:/etc/ipa/ca.crt

   }


[domain_realm]
   .cyberfuel.com = CYBERFUEL.COM
   cyberfuel.com = CYBERFUEL.COM



Password for ad...@cyberfuel.com:
args=kinit ad...@cyberfuel.com
stdout=Password for ad...@cyberfuel.com:

stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
*   Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
   CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
*        start date: 2015-09-30 17:52:11 GMT
*        expire date: 2017-09-30 17:52:11 GMT
*        common name: freeipa.cyberfuel.com (matched)
*        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
*        SSL certificate verify ok.

POST /ipa/xml HTTP/1.1

Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
*   Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
   CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
*        start date: 2015-09-30 17:52:11 GMT
*        expire date: 2017-09-30 17:52:11 GMT
*        common name: freeipa.cyberfuel.com (matched)
*        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
*        SSL certificate verify ok.

POST /ipa/xml HTTP/1.1

Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

-------------------------------------------------

It's the version curl IPA server

[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#


It's the version curl PPA server(IPA Client)

[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686


The version curl is different, but the version curl PPA is the repository
Odin Plesk.

-----------------------------------------------------


[root@ppa tmp]# cat kerberos_trace.log

[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.810171: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810252: Getting credentials ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmptSoqDX
[12118] 1461855578.810369: Retrieving ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found
[12118] 1461855578.810451: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with result:
0/Success
[12118] 1461855578.810476: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[12118] 1461855578.810509: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
[12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
[12118] 1461855578.816714: Response was from master KDC
[12118] 1461855578.816906: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/BEB2
[12118] 1461855578.816977: TGS request result: 0/Success
[12118] 1461855578.817018: Received creds for desired service
ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.817066: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmptSoqDX
[12118] 1461855578.817413: Creating authenticator for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 299651167, subkey
aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.874938: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey
aes256-cts/4B32, seqnum 706045221
[17304] 1461858424.873888: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.874126: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874220: Getting credentials ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmpH0QF6P
[17304] 1461858424.874413: Retrieving ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found
[17304] 1461858424.874531: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with result:
0/Success
[17304] 1461858424.874603: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[17304] 1461858424.874631: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
[17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
[17304] 1461858424.882531: Response was from master KDC
[17304] 1461858424.882775: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/20DA
[17304] 1461858424.882850: TGS request result: 0/Success
[17304] 1461858424.882883: Received creds for desired service
ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.882918: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P
[17304] 1461858424.882951: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpH0QF6P
[17304] 1461858424.883271: Creating authenticator for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 443746416, subkey
aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.898401: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey
aes256-cts/A0F5, seqnum 906104721
[23457] 1461863053.621386: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.621602: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.621719: Getting credentials ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmp576FE3
[23457] 1461863053.621918: Retrieving ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found
[23457] 1461863053.622097: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with result:
0/Success
[23457] 1461863053.622144: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[23457] 1461863053.622176: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
[23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
[23457] 1461863053.628229: Response was from master KDC
[23457] 1461863053.628485: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/9E88
[23457] 1461863053.628560: TGS request result: 0/Success
[23457] 1461863053.628610: Received creds for desired service
ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.628655: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3
[23457] 1461863053.628689: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmp576FE3
[23457] 1461863053.629119: Creating authenticator for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 13046067, subkey
aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.640721: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey
aes256-cts/8866, seqnum 421358565
[23749] 1461863277.525338: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.525435: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525469: Getting credentials ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmprfuOsj
[23749] 1461863277.525529: Retrieving ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found
[23749] 1461863277.525572: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with result:
0/Success
[23749] 1461863277.525584: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[23749] 1461863277.525593: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
[23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
[23749] 1461863277.530737: Response was from master KDC
[23749] 1461863277.530881: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/79C3
[23749] 1461863277.530931: TGS request result: 0/Success
[23749] 1461863277.530948: Received creds for desired service
ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.530962: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj
[23749] 1461863277.530971: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmprfuOsj
[23749] 1461863277.531133: Creating authenticator for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 1019693263, subkey
aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.542889: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey
aes256-cts/5194, seqnum 376027188
[25544] 1461864401.258277: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.258584: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.258678: Getting credentials ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmpbzX7EN
[25544] 1461864401.258873: Retrieving ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found
[25544] 1461864401.259040: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with result:
0/Success
[25544] 1461864401.259076: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[25544] 1461864401.259102: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
[25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
[25544] 1461864401.264593: Response was from master KDC
[25544] 1461864401.264893: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/9106
[25544] 1461864401.264966: TGS request result: 0/Success
[25544] 1461864401.264996: Received creds for desired service
ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.265029: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265058: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265581: Creating authenticator for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 921501424, subkey
aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.276059: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey
aes256-cts/0E9F, seqnum 871496824
[18097] 1461937028.664354: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.664456: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664490: Getting credentials ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com using ccache FILE:/tmp/tmpF9x_o8
[18097] 1461937028.664549: Retrieving ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found
[18097] 1461937028.664590: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with result:
0/Success
[18097] 1461937028.664601: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[18097] 1461937028.664611: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on
[18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
[18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
[18097] 1461937028.668984: Response was from master KDC
[18097] 1461937028.669109: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key aes256-cts/9592
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.669156: Received creds for desired service
ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.669167: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com, seqnum 940175329, subkey
aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for server
principal ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.676470: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey
aes256-cts/26C4, seqnum 864174069

-----------------------------------


Regards

Jose Alvarez


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: viernes 29 de abril de 2016 09:34 a.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:

Hi Users

You can help me?

I have the problem for join a client to my FREEIPA Server. The version
IPA Server is 3.0 and IP client is 3.0

When I join my client to IPA server show these errors:

[root@ppa ~]# tail -f /var/log/ipaclient-install.log

2016-04-28T17:26:41Z DEBUG stderr=

2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com

2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical

2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com

2016-04-28T17:26:41Z DEBUG stdout=

2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200

2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
401, not 200

2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.

2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.


I'd look in the 389-ds access and error logs on the IPA server to see if
there are any more details. Look for the BIND from the client and see what
happens.

More context from the log file might be helpful. I believe if you run the
client installer with --debug then additional flags are passed to ipa-join
to include the XML-RPC conversation and that might be useful too.

What account are you using to enroll with, admin?

rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to