Jose Alvarez R. wrote:
Hi Rob,

Thanks!!


The xmlrpc-c version on my IPA server:
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64


The xmlrpc-c version on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed https://bugzilla.redhat.com/show_bug.cgi?id=719945

The libcurl version on the client looks ok.

This is only a client-side issue so no changes on the servers should be necessary IIRC. This appears to be EL 6.1 which at this point is quite old.

rob


The versions are the same, but the libcurl is different

This is the curl version on the IPA server:
[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#


This is the curl version on the PPA server (IPA client):
[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

Sorry, my English is not very good.


Regards.



-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, 29 April 2016 11:14 a.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
Hi Rob, Thanks for your response

Yes, it's with admin.

I assume this is a problem with your version of xmlrpc-c. We use standard
xmlrpc-c calls to set up authentication and IIRC that links against
libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c
= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look like
RPM versions that seem to point to RHEL 6.

rob


I executed the command "ipa-client-install --debug"
-------------------------------------------------------------------------


[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ppa named]#
[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Writing Kerberos configuration to /tmp/tmpqWSatK:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
    default_realm = CYBERFUEL.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes
    udp_preference_limit = 0


[realms]
    CYBERFUEL.COM = {
      kdc = freeipa.cyberfuel.com:88
      master_kdc = freeipa.cyberfuel.com:88
      admin_server = freeipa.cyberfuel.com:749
      default_domain = cyberfuel.com
      pkinit_anchors = FILE:/etc/ipa/ca.crt

    }


[domain_realm]
    .cyberfuel.com = CYBERFUEL.COM
    cyberfuel.com = CYBERFUEL.COM



Password for ad...@cyberfuel.com:
args=kinit ad...@cyberfuel.com
stdout=Password for ad...@cyberfuel.com:

stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
*   Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
    CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
*        start date: 2015-09-30 17:52:11 GMT
*        expire date: 2017-09-30 17:52:11 GMT
*        common name: freeipa.cyberfuel.com (matched)
*        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
*        SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
*   Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
    CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
*        start date: 2015-09-30 17:52:11 GMT
*        expire date: 2017-09-30 17:52:11 GMT
*        common name: freeipa.cyberfuel.com (matched)
*        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
*        SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

-------------------------------------------------

This is the curl version on the IPA server:

[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#


This is the curl version on the PPA server (IPA client):

[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686


The curl version is different, but the PPA curl version is from the
Odin Plesk repository.

-----------------------------------------------------


[root@ppa tmp]# cat kerberos_trace.log

[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.810171: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
1461855578.810451: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with result:
0/Success
[12118] 1461855578.810476: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[12118] 1461855578.810509: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [12118]
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
KDC [12118] 1461855578.816906: TGS reply is for ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com with session key
aes256-cts/BEB2 [12118] 1461855578.816977: TGS request result:
0/Success [12118] 1461855578.817018: Received creds for desired
service ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.817066: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmptSoqDX
[12118] 1461855578.817413: Creating authenticator for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[12118] 1461855578.874938: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
subkey aes256-cts/4B32, seqnum 706045221 [17304] 1461858424.873888:
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
principal ad...@cyberfuel.com for server principal
ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.874126: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
1461858424.874531: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with result:
0/Success
[17304] 1461858424.874603: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[17304] 1461858424.874631: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [17304]
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.882918: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P
[17304] 1461858424.882951: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpH0QF6P
[17304] 1461858424.883271: Creating authenticator for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[17304] 1461858424.898401: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
subkey aes256-cts/A0F5, seqnum 906104721 [23457] 1461863053.621386:
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.621602: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
1461863053.622097: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with result:
0/Success
[23457] 1461863053.622144: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[23457] 1461863053.622176: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23457]
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.628655: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3
[23457] 1461863053.628689: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmp576FE3
[23457] 1461863053.629119: Creating authenticator for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23457] 1461863053.640721: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338:
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
principal ad...@cyberfuel.com for server principal
ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.525435: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
1461863277.525572: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with result:
0/Success
[23749] 1461863277.525584: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[23749] 1461863277.525593: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23749]
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.530962: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj
[23749] 1461863277.530971: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmprfuOsj
[23749] 1461863277.531133: Creating authenticator for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[23749] 1461863277.542889: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277:
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
principal ad...@cyberfuel.com for server principal
ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.258584: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
1461864401.259040: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with result:
0/Success
[25544] 1461864401.259076: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[25544] 1461864401.259102: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [25544]
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.265029: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265058: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265581: Creating authenticator for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[25544] 1461864401.276059: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354:
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.664456: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
1461937028.664590: Retrieving ad...@cyberfuel.com ->
krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with result:
0/Success
[18097] 1461937028.664601: Found cached TGT for service realm:
ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
[18097] 1461937028.664611: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [18097]
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
desired service ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.669167: Removing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing ad...@cyberfuel.com ->
ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for
ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for
server principal ldap/freeipa.cyberfuel....@cyberfuel.com
[18097] 1461937028.676470: Retrieving ad...@cyberfuel.com ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069

-----------------------------------


Regards

Jose Alvarez


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, 29 April 2016 09:34 a.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
Hi Users

Can you help me?

I have a problem joining a client to my FreeIPA server. The
IPA server version is 3.0 and the IPA client is 3.0

When I join my client to the IPA server, it shows these errors:

[root@ppa ~]# tail -f /var/log/ipaclient-install.log

2016-04-28T17:26:41Z DEBUG stderr=

2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com

2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical

2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com

2016-04-28T17:26:41Z DEBUG stdout=

2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200

2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200

2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.

2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.

More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful too.

What account are you using to enroll with, admin?

rob
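
The 401 exchange in the `ipa-join -d` output above can be triaged mechanically. This is an added example, not part of the original thread or of FreeIPA's code: it parses a curl verbose transcript plus an optional KRB5_TRACE excerpt and reports whether the client ever answered the server's Negotiate challenge. The sample inputs are constructed (placeholder host, realm and address), and the verdict strings are names chosen for this example.

```python
import re

# Constructed sample modelled on the `ipa-join -d` transcript in the thread:
# one header per line, placeholder host and address (not the poster's values).
CURL_TRANSCRIPT = """\
* Connected to ipa.example.test (192.0.2.10) port 443 (#0)
POST /ipa/xml HTTP/1.1
Host: ipa.example.test
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
"""

# Constructed KRB5_TRACE excerpt in the same shape as the trace in the thread,
# where only ldap/ service tickets are requested.
KRB5_TRACE = """\
[18097] 1461937028.664611: Requesting tickets for ldap/ipa.example.test@EXAMPLE.TEST, referrals on
[18097] 1461937028.669136: TGS request result: 0/Success
"""

REQUEST_LINE = re.compile(r"^(?:> )?(?:GET|POST|PUT|HEAD) \S+ HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^< HTTP/\d\.\d (\d{3})")


def parse_exchanges(transcript):
    """Split curl verbose output into request/response header exchanges."""
    exchanges, current, in_request = [], None, False
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if REQUEST_LINE.match(line):
            current = {"request": {}, "status": None, "response": {}}
            exchanges.append(current)
            in_request = True
            continue
        if current is None:
            continue  # connection/TLS chatter before the first request
        if in_request:
            # curl normally prefixes sent headers with "> "; the thread's
            # transcript shows them bare, so accept both forms.
            header = line[2:] if line.startswith("> ") else line
            if ":" in header and not header.startswith(("*", "<")):
                name, value = header.split(":", 1)
                current["request"][name.strip().lower()] = value.strip()
                continue
            in_request = False  # blank line or curl info line ends the request
        status = STATUS_LINE.match(line)
        if status:
            current["status"] = int(status.group(1))
        elif line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            current["response"].setdefault(name.strip().lower(), []).append(value.strip())
    return exchanges


def diagnose(transcript, krb5_trace=""):
    """Classify a failed SPNEGO (HTTP Negotiate) attempt from client-side logs."""
    exchanges = parse_exchanges(transcript)
    if not exchanges:
        return "no-http-exchange"
    last = exchanges[-1]
    if last["status"] is None:
        return "no-response"
    if last["status"] != 401:
        return "ok" if last["status"] == 200 else "http-%d" % last["status"]
    offered = any(v.lower().startswith("negotiate")
                  for v in last["response"].get("www-authenticate", []))
    if not offered:
        return "server-not-offering-negotiate"
    sent_token = any(
        ex["request"].get("authorization", "").lower().startswith("negotiate ")
        for ex in exchanges)
    if sent_token:
        return "token-rejected-by-server"
    # No token on the wire: did the Kerberos library even ask for an HTTP/ ticket?
    if re.search(r"Requesting tickets for HTTP/", krb5_trace):
        return "http-ticket-requested-but-token-not-sent"
    return "client-never-attempted-negotiate"


if __name__ == "__main__":
    print(diagnose(CURL_TRANSCRIPT, KRB5_TRACE))
```

A `client-never-attempted-negotiate` verdict points at the client's HTTP stack (the xmlrpc-c and libcurl packages discussed in the thread), while `token-rejected-by-server` shifts attention to the server side.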



