Hi, Rob Thanks!!
The version the xmlrpc-c of my server IPA: xmlrpc-c-1.16.24-1210.1840.el6.x86_64 xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64 The version the xmlrpc-c of my client IPA xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64 xmlrpc-c-1.16.24-1210.1840.el6.x86_64 libiqxmlrpc-0.12.4-0.parallels.i686 xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64 The versions are the same, but the libcurl is different It's the version curl IPA server [root@freeipa log]# rpm -qa | grep curl python-pycurl-7.19.0-8.el6.x86_64 curl-7.19.7-46.el6.x86_64 libcurl-7.19.7-46.el6.x86_64 [root@freeipa log]# It's the version curl PPA server(IPA Client) [root@ppa named]# rpm -qa | grep curl curl-7.31.0-1.el6.x86_64 python-pycurl-7.19.0-8.el6.x86_64 libcurl-7.31.0-1.el6.x86_64 libcurl-7.31.0-1.el6.i686 Sorry, my english is not very well Regards. -----Original Message----- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: viernes 29 de abril de 2016 11:14 a.m. To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 Jose Alvarez R. wrote: > Hi Rob, Thanks for your response > > Yes, It's with admin. I assume this is a problem with your version of xmlrpc-c. We use standard calls xmlrpc-c calls to setup authentication and IIRC that links against libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2 I'm confused about the versions. You mention PPA but include what look like RPM versions that seem to point to RHEL 6. rob > > I execute the command "ipa-client-install --debug" > ---------------------------------------------------------------------- > --- > > > [root@ppa named]# ipa-client-install --debug > /usr/sbin/ipa-client-install was invoked with options: {'domain': > None, > 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, > 'primary': False, 'mkhomedir > ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, > 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': > False, 'principal': None > , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, > 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, > 'conf_sudo': True, 'conf_ssh': Tr > ue, 'force_join': False, 'ca_cert_file': None, 'server': None, > 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': > False, 'uninstall': False} > missing options might be asked for interactively later Loading Index > file from '/var/lib/ipa-client/sysrestore/sysrestore.index' > Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' > [IPA Discovery] > Starting IPA discovery with domain=None, servers=None, > hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in > "cyberfuel.com" (domain of the > hostname) and its sub-domains > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > DNS record found: > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior > ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} > [Kerberos realm search] > Search DNS for TXT record of _kerberos.cyberfuel.com. > DNS record found: > DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C > YBERFU > EL.COM} > Search DNS for SRV record of _kerberos._udp.cyberfuel.com. > DNS record found: > DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p > riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} > [LDAP server check] > Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA > server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 > Search LDAP server for IPA base DN Check if naming context > 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' > is a valid IPA context Search for (objectClass=krbRealmContainer) in > dc=cyberfuel,dc=com (sub) > Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com > Discovery result: Success; server=freeipa.cyberfuel.com, > domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, > basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com > will use discovered domain: cyberfuel.com Start searching for LDAP SRV > record in "cyberfuel.com" (Validating DNS > Discovery) and its sub-domains > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > DNS record found: > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior > ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} > DNS validated, enabling discovery > will use discovered server: freeipa.cyberfuel.com Discovery was > successful! > will use discovered realm: CYBERFUEL.COM will use discovered basedn: > dc=cyberfuel,dc=com > Hostname: ppa.cyberfuel.com > Hostname source: Machine's FQDN > Realm: CYBERFUEL.COM > Realm source: Discovered from LDAP DNS records in > freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: > Discovered LDAP SRV records from cyberfuel.com (domain of the > hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: > Discovered from LDAP DNS records in freeipa.cyberfuel.com > BaseDN: dc=cyberfuel,dc=com > BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 > > Continue to configure the system with these values? [no]: no > Installation failed. Rolling back changes. > IPA client is not configured on this system. > [root@ppa named]# > [root@ppa named]# ipa-client-install --debug > /usr/sbin/ipa-client-install was invoked with options: {'domain': > None, > 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, > 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': > True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': > None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': > False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, > 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': > True, 'force_join': False, 'ca_cert_file': None, 'server': None, > 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': > False, 'uninstall': False} > missing options might be asked for interactively later Loading Index > file from '/var/lib/ipa-client/sysrestore/sysrestore.index' > Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' > [IPA Discovery] > Starting IPA discovery with domain=None, servers=None, > hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in > "cyberfuel.com" (domain of the > hostname) and its sub-domains > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > DNS record found: > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior > ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} > [Kerberos realm search] > Search DNS for TXT record of _kerberos.cyberfuel.com. > DNS record found: > DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C > YBERFU > EL.COM} > Search DNS for SRV record of _kerberos._udp.cyberfuel.com. > DNS record found: > DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p > riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} > [LDAP server check] > Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA > server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 > Search LDAP server for IPA base DN Check if naming context > 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' > is a valid IPA context Search for (objectClass=krbRealmContainer) in > dc=cyberfuel,dc=com (sub) > Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com > Discovery result: Success; server=freeipa.cyberfuel.com, > domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, > basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com > will use discovered domain: cyberfuel.com Start searching for LDAP SRV > record in "cyberfuel.com" (Validating DNS > Discovery) and its sub-domains > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > DNS record found: > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior > ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} > DNS validated, enabling discovery > will use discovered server: freeipa.cyberfuel.com Discovery was > successful! > will use discovered realm: CYBERFUEL.COM will use discovered basedn: > dc=cyberfuel,dc=com > Hostname: ppa.cyberfuel.com > Hostname source: Machine's FQDN > Realm: CYBERFUEL.COM > Realm source: Discovered from LDAP DNS records in > freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: > Discovered LDAP SRV records from cyberfuel.com (domain of the > hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: > Discovered from LDAP DNS records in freeipa.cyberfuel.com > BaseDN: dc=cyberfuel,dc=com > BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 > > Continue to configure the system with these values? [no]: yes > args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM > stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file > or directory > > User authorized to enroll computers: admin will use principal provided > as option: admin Synchronizing time with KDC... > Search DNS for SRV record of _ntp._udp.cyberfuel.com. > No DNS record found > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= > stderr= Writing Kerberos configuration to /tmp/tmpqWSatK: > #File modified by ipa-client-install > > includedir /var/lib/sss/pubconf/krb5.include.d/ > > [libdefaults] > default_realm = CYBERFUEL.COM > dns_lookup_realm = false > dns_lookup_kdc = false > rdns = false > ticket_lifetime = 24h > forwardable = yes > udp_preference_limit = 0 > > > [realms] > CYBERFUEL.COM = { > kdc = freeipa.cyberfuel.com:88 > master_kdc = freeipa.cyberfuel.com:88 > admin_server = freeipa.cyberfuel.com:749 > default_domain = cyberfuel.com > pkinit_anchors = FILE:/etc/ipa/ca.crt > > } > > > [domain_realm] > .cyberfuel.com = CYBERFUEL.COM > cyberfuel.com = CYBERFUEL.COM > > > > Password for ad...@cyberfuel.com: > args=kinit ad...@cyberfuel.com > stdout=Password for ad...@cyberfuel.com: > > stderr= > trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com > Existing CA cert and Retrieved CA cert are identical > args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b > dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL: > > <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n > <methodName>join</methodName>\r\n <params>\r\n > <param><value><array><data>\r\n > <value><string>ppa.cyberfuel.com</string></value>\r\n > </data></array></value></param>\r\n > <param><value><struct>\r\n > <member><name>nsosversion</name>\r\n > <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n > <member><name>nshardwareplatform</name>\r\n > <value><string>x86_64</string></value></member>\r\n > </struct></value></param>\r\n > </params>\r\n > </methodCall>\r\n > > * About to connect() to freeipa.cyberfuel.com port 443 (#0) > * Trying 192.168.20.90... > * Adding handle: conn: 0x10bb2f0 > * Adding handle: send: 0 > * Adding handle: recv: 0 > * Curl_addHandleToPipeline: length: 1 > * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 > * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) > * successfully set certificate verify locations: > * CAfile: /etc/ipa/ca.crt > CApath: none > * SSL connection using AES256-SHA > * Server certificate: > * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com > * start date: 2015-09-30 17:52:11 GMT > * expire date: 2017-09-30 17:52:11 GMT > * common name: freeipa.cyberfuel.com (matched) > * issuer: O=CYBERFUEL.COM; CN=Certificate Authority > * SSL certificate verify ok. >> POST /ipa/xml HTTP/1.1 > Host: freeipa.cyberfuel.com > Accept: */* > Content-Type: text/xml > User-Agent: ipa-join/3.0.0 > Referer: https://freeipa.cyberfuel.com/ipa/xml > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 > Content-Length: 477 > > * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 > Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT > * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: > Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: > Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" > < Accept-Ranges: bytes > < Content-Length: 1370 > < Connection: close > < Content-Type: text/html; charset=UTF-8 < > * Closing connection 0 > HTTP response code is 401, not 200 > > Joining realm failed: XML-RPC CALL: > > <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n > <methodName>join</methodName>\r\n <params>\r\n > <param><value><array><data>\r\n > <value><string>ppa.cyberfuel.com</string></value>\r\n > </data></array></value></param>\r\n > <param><value><struct>\r\n > <member><name>nsosversion</name>\r\n > <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n > <member><name>nshardwareplatform</name>\r\n > <value><string>x86_64</string></value></member>\r\n > </struct></value></param>\r\n > </params>\r\n > </methodCall>\r\n > > * About to connect() to freeipa.cyberfuel.com port 443 (#0) > * Trying 192.168.20.90... > * Adding handle: conn: 0x10bb2f0 > * Adding handle: send: 0 > * Adding handle: recv: 0 > * Curl_addHandleToPipeline: length: 1 > * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 > * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) > * successfully set certificate verify locations: > * CAfile: /etc/ipa/ca.crt > CApath: none > * SSL connection using AES256-SHA > * Server certificate: > * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com > * start date: 2015-09-30 17:52:11 GMT > * expire date: 2017-09-30 17:52:11 GMT > * common name: freeipa.cyberfuel.com (matched) > * issuer: O=CYBERFUEL.COM; CN=Certificate Authority > * SSL certificate verify ok. >> POST /ipa/xml HTTP/1.1 > Host: freeipa.cyberfuel.com > Accept: */* > Content-Type: text/xml > User-Agent: ipa-join/3.0.0 > Referer: https://freeipa.cyberfuel.com/ipa/xml > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 > Content-Length: 477 > > * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 > Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT > * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: > Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: > Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" > < Accept-Ranges: bytes > < Content-Length: 1370 > < Connection: close > < Content-Type: text/html; charset=UTF-8 < > * Closing connection 0 > HTTP response code is 401, not 200 > > Installation failed. Rolling back changes. > IPA client is not configured on this system. > > ------------------------------------------------- > > It's the version curl IPA server > > [root@freeipa log]# rpm -qa | grep curl > python-pycurl-7.19.0-8.el6.x86_64 > curl-7.19.7-46.el6.x86_64 > libcurl-7.19.7-46.el6.x86_64 > [root@freeipa log]# > > > It's the version curl PPA server(IPA Client) > > [root@ppa named]# rpm -qa | grep curl > curl-7.31.0-1.el6.x86_64 > python-pycurl-7.19.0-8.el6.x86_64 > libcurl-7.31.0-1.el6.x86_64 > libcurl-7.31.0-1.el6.i686 > > > The version curl is different, but the version curl PPA is the > repository Odin Plesk. > > ----------------------------------------------------- > > > [root@ppa tmp]# cat kerberos_trace.log > > [12118] 1461855578.809966: ccselect module realm chose cache > FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [12118] 1461855578.810171: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not > found [12118] 1461855578.810252: Getting credentials > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using > ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from > FILE:/tmp/tmptSoqDX with > result: -1765328243/Matching credential not found [12118] > 1461855578.810451: Retrieving ad...@cyberfuel.com -> > krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with result: > 0/Success > [12118] 1461855578.810476: Found cached TGT for service realm: > ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com > [12118] 1461855578.810509: Requesting tickets for > ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [12118] > 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377 > [12118] 1461855578.810679: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118] > 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM > [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com > [12118] 1461855578.811466: Initiating TCP connection to stream > 192.168.0.90:88 > [12118] 1461855578.811935: Sending TCP request to stream > 192.168.0.90:88 [12118] 1461855578.816404: Received answer from stream > 192.168.0.90:88 [12118] 1461855578.816714: Response was from master > KDC [12118] 1461855578.816906: TGS reply is for ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com with session key > aes256-cts/BEB2 [12118] 1461855578.816977: TGS request result: > 0/Success [12118] 1461855578.817018: Received creds for desired > service ldap/freeipa.cyberfuel....@cyberfuel.com > [12118] 1461855578.817066: Removing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX > [12118] 1461855578.817107: Storing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmptSoqDX > [12118] 1461855578.817413: Creating authenticator for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, > seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2 > [12118] 1461855578.874786: ccselect module realm chose cache > FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [12118] 1461855578.874938: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not > found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, > subkey aes256-cts/4B32, seqnum 706045221 [17304] 1461858424.873888: > ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client > principal ad...@cyberfuel.com for server principal > ldap/freeipa.cyberfuel....@cyberfuel.com > [17304] 1461858424.874126: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not > found [17304] 1461858424.874220: Getting credentials > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using > ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from > FILE:/tmp/tmpH0QF6P with > result: -1765328243/Matching credential not found [17304] > 1461858424.874531: Retrieving ad...@cyberfuel.com -> > krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with result: > 0/Success > [17304] 1461858424.874603: Found cached TGT for service realm: > ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com > [17304] 1461858424.874631: Requesting tickets for > ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [17304] > 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33 > [17304] 1461858424.874788: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304] > 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM > [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com > [17304] 1461858424.875805: Initiating TCP connection to stream > 192.168.20.90:88 > [17304] 1461858424.877976: Sending TCP request to stream > 192.168.20.90:88 [17304] 1461858424.882385: Received answer from > stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from > master KDC [17304] 1461858424.882775: TGS reply is for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with > session key aes256-cts/20DA [17304] 1461858424.882850: TGS request > result: 0/Success [17304] 1461858424.882883: Received creds for > desired service ldap/freeipa.cyberfuel....@cyberfuel.com > [17304] 1461858424.882918: Removing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P > [17304] 1461858424.882951: Storing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpH0QF6P > [17304] 1461858424.883271: Creating authenticator for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, > seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA > [17304] 1461858424.898190: ccselect module realm chose cache > FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [17304] 1461858424.898401: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not > found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, > subkey aes256-cts/A0F5, seqnum 906104721 [23457] 1461863053.621386: > ccselect module realm chose cache > FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [23457] 1461863053.621602: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not > found [23457] 1461863053.621719: Getting credentials > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using > ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from > FILE:/tmp/tmp576FE3 with > result: -1765328243/Matching credential not found [23457] > 1461863053.622097: Retrieving ad...@cyberfuel.com -> > krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with result: > 0/Success > [23457] 1461863053.622144: Found cached TGT for service realm: > ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com > [23457] 1461863053.622176: Requesting tickets for > ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23457] > 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C > [23457] 1461863053.622331: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457] > 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM > [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com > [23457] 1461863053.623367: Initiating TCP connection to stream > 192.168.20.90:88 > [23457] 1461863053.623866: Sending TCP request to stream > 192.168.20.90:88 [23457] 1461863053.627939: Received answer from > stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from > master KDC [23457] 1461863053.628485: TGS reply is for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with > session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request > result: 0/Success [23457] 1461863053.628610: Received creds for > desired service ldap/freeipa.cyberfuel....@cyberfuel.com > [23457] 1461863053.628655: Removing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 > [23457] 1461863053.628689: Storing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmp576FE3 > [23457] 1461863053.629119: Creating authenticator for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, > seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88 > [23457] 1461863053.640471: ccselect module realm chose cache > FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [23457] 1461863053.640721: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not > found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, > subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338: > ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client > principal ad...@cyberfuel.com for server principal > ldap/freeipa.cyberfuel....@cyberfuel.com > [23749] 1461863277.525435: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not > found [23749] 1461863277.525469: Getting credentials > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using > ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from > FILE:/tmp/tmprfuOsj with > result: -1765328243/Matching credential not found [23749] > 1461863277.525572: Retrieving ad...@cyberfuel.com -> > krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with result: > 0/Success > [23749] 1461863277.525584: Found cached TGT for service realm: > ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com > [23749] 1461863277.525593: Requesting tickets for > ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23749] > 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D > [23749] 1461863277.525662: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749] > 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM > [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com > [23749] 1461863277.526161: Initiating TCP connection to stream > 192.168.20.90:88 > [23749] 1461863277.526440: Sending TCP request to stream > 192.168.20.90:88 [23749] 1461863277.530652: Received answer from > stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from > master KDC [23749] 1461863277.530881: TGS reply is for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with > session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request > result: 0/Success [23749] 1461863277.530948: Received creds for > desired service ldap/freeipa.cyberfuel....@cyberfuel.com > [23749] 1461863277.530962: Removing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj > [23749] 1461863277.530971: Storing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmprfuOsj > [23749] 1461863277.531133: Creating authenticator for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, > seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3 > [23749] 1461863277.542808: ccselect module realm chose cache > FILE:/tmp/tmprfuOsj with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [23749] 1461863277.542889: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not > found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, > subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277: > ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client > principal ad...@cyberfuel.com for server principal > ldap/freeipa.cyberfuel....@cyberfuel.com > [25544] 1461864401.258584: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not > found [25544] 1461864401.258678: Getting credentials > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using > ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from > FILE:/tmp/tmpbzX7EN with > result: -1765328243/Matching credential not found [25544] > 1461864401.259040: Retrieving ad...@cyberfuel.com -> > krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with result: > 0/Success > [25544] 1461864401.259076: Found cached TGT for service realm: > ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com > [25544] 1461864401.259102: Requesting tickets for > ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [25544] > 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A > [25544] 1461864401.259291: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544] > 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM > [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com > [25544] 1461864401.260361: Initiating TCP connection to stream > 192.168.20.90:88 > [25544] 1461864401.260980: Sending TCP request to stream > 192.168.20.90:88 [25544] 1461864401.264399: Received answer from > stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from > master KDC [25544] 1461864401.264893: TGS reply is for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with > session key aes256-cts/9106 [25544] 1461864401.264966: TGS request > result: 0/Success [25544] 1461864401.264996: Received creds for > desired service ldap/freeipa.cyberfuel....@cyberfuel.com > [25544] 1461864401.265029: Removing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN > [25544] 1461864401.265058: Storing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpbzX7EN > [25544] 1461864401.265581: Creating authenticator for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, > seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106 > [25544] 1461864401.275884: ccselect module realm chose cache > FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [25544] 1461864401.276059: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not > found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, > subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354: > ccselect module realm chose cache > FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [18097] 1461937028.664456: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not > found [18097] 1461937028.664490: Getting credentials > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using > ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from > FILE:/tmp/tmpF9x_o8 with > result: -1765328243/Matching credential not found [18097] > 1461937028.664590: Retrieving ad...@cyberfuel.com -> > krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with result: > 0/Success > [18097] 1461937028.664601: Found cached TGT for service realm: > ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com > [18097] 1461937028.664611: Requesting tickets for > ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [18097] > 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372 > [18097] 1461937028.664727: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097] > 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM > [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com > [18097] 1461937028.665136: Initiating TCP connection to stream > 192.168.20.90:88 > [18097] 1461937028.665510: Sending TCP request to stream > 192.168.20.90:88 [18097] 1461937028.668919: Received answer from > stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from > master KDC [18097] 1461937028.669109: TGS reply is for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with > session key aes256-cts/9592 [18097] 1461937028.669136: TGS request > result: 0/Success [18097] 1461937028.669156: Received creds for > desired service ldap/freeipa.cyberfuel....@cyberfuel.com > [18097] 1461937028.669167: Removing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 > [18097] 1461937028.669176: Storing ad...@cyberfuel.com -> > ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpF9x_o8 > [18097] 1461937028.669304: Creating authenticator for > ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com, > seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592 > [18097] 1461937028.676414: ccselect module realm chose cache > FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for > server principal ldap/freeipa.cyberfuel....@cyberfuel.com > [18097] 1461937028.676470: Retrieving ad...@cyberfuel.com -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not > found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, > subkey aes256-cts/26C4, seqnum 864174069 > > ----------------------------------- > > > Regards > > Jose Alvarez > > > -----Original Message----- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: viernes 29 de abril de 2016 09:34 a.m. > To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 > > Jose Alvarez R. wrote: >> Hi Users >> >> You can help me? >> >> I have the problem for join a client to my FREEIPA Server. The >> version IPA Server is 3.0 and IP client is 3.0 >> >> When I join my client to IPA server show these errors: >> >> [root@ppa ~]# tail -f /var/log/ipaclient-install.log >> >> 2016-04-28T17:26:41Z DEBUG stderr= >> >> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from >> ldap://freeipa.cyberfuel.com >> >> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are >> identical >> >> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s >> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com >> >> 2016-04-28T17:26:41Z DEBUG stdout= >> >> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200 >> >> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code >> is 401, not 200 >> >> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes. >> >> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system. > > I'd look in the 389-ds access and error logs on the IPA server to see > if there are any more details. Look for the BIND from the client and > see what happens. > > More context from the log file might be helpful. I believe if you run > the client installer with --debug then additional flags are passed to > ipa-join to include the XML-RPC conversation and that might be useful too. > > What account are you using to enroll with, admin? > > rob > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project