Hi Rob 

Thanks for your response.

The PPA is hosting Control Panel of the company
Several packages were installed by this software. Because they use their own


Jose Alvarez

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: lunes 2 de mayo de 2016 01:15 p.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi, Rob
>
> I did what you indicated to me, but it still gives the same problem.
>
> Can you help me?

The problem is client side, not server side, so you need to install the 
updated bits on the client. I don't know what the reference to PPA is.

If that doesn't fix things then it's hard to say. There are only a 
couple of moving parts and you just ruled out the server since another 
client can enroll ok.

The non-working log shows the server sending WWW-Authenticate: Negotiate 
and the client just gives up. In the working version the client 
correctly responds with an Authorization header and things proceed so I 
think the problem is in either libcurl or xmlrpc-c.


>
> Thanks, Regards
>
> Jose Alvarez
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jose Alvarez R.
> Sent: viernes 29 de abril de 2016 02:53 p.m.
> To: 'Rob Crittenden' <rcrit...@redhat.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
> Hi, Rob
> Thanks for your response
> The link https://bugzilla.redhat.com/show_bug.cgi?id=719945 I do not have
> access to.
> I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm in the server
> PPA (Client IPA), but it still shows the same error.
> A moment ago I added another client server with the same version of xmlrpc and
> it installed correctly.
> Thanks, Regards.
> [root@bk1 ~]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
> 'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,
> 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname':
> None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,
> 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server':
> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None,
> hostname=bk1.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
> hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found:
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found:
> y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com,
> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
> Validated servers: freeipa.cyberfuel.com
> will use discovered domain: cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
> Discovery) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> port:389,weight:50,server:freeipa.cyberfuel.com.}
> DNS validated, enabling discovery
> will use discovered server: freeipa.cyberfuel.com
> Discovery was successful!
> will use discovered realm: CYBERFUEL.COM
> will use discovered basedn: dc=cyberfuel,dc=com
> Hostname: bk1.cyberfuel.com
> Hostname source: Machine's FQDN
> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> DNS Domain: cyberfuel.com
> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain
> the hostname)
> IPA Server: freeipa.cyberfuel.com
> IPA Server source: Discovered from LDAP DNS records in
> BaseDN: dc=cyberfuel,dc=com
> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
> Continue to configure the system with these values? [no]: yes
> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
> stdout=
> stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
> User authorized to enroll computers: admin
> will use principal provided as option: admin
> Synchronizing time with KDC...
> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
> No DNS record found
> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> stdout=
> stderr=
> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> stdout=
> stderr=
> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> stdout=
> stderr=
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Writing Kerberos configuration to /tmp/tmp5msIum:
> #File modified by ipa-client-install
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [libdefaults]
>    default_realm = CYBERFUEL.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>    udp_preference_limit = 0
> [realms]
>      kdc = freeipa.cyberfuel.com:88
>      master_kdc = freeipa.cyberfuel.com:88
>      admin_server = freeipa.cyberfuel.com:749
>      default_domain = cyberfuel.com
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
> [domain_realm]
>    .cyberfuel.com = CYBERFUEL.COM
>    cyberfuel.com = CYBERFUEL.COM
> Password for ad...@cyberfuel.com:
> args=kinit ad...@cyberfuel.com
> stdout=Password for ad...@cyberfuel.com:
> stderr=
> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> Successfully retrieved CA cert
>      Subject:     CN=Certificate Authority,O=CYBERFUEL.COM
>      Issuer:      CN=Certificate Authority,O=CYBERFUEL.COM
>      Valid From:  Wed Sep 30 17:46:50 2015 UTC
>      Valid Until: Sun Sep 30 17:46:50 2035 UTC
> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>bk1.cyberfuel.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-573.12.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> *   Trying * Connected to freeipa.cyberfuel.com
> ( port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
> * Server certificate:
> *       subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
> *       start date: Sep 30 17:52:11 2015 GMT
> *       expire date: Sep 30 17:52:11 2017 GMT
> *       common name: freeipa.cyberfuel.com
> *       issuer: CN=Certificate Authority,O=CYBERFUEL.COM
>  > POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://freeipa.cyberfuel.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 478
> < HTTP/1.1 401 Authorization Required
> < Date: Fri, 29 Apr 2016 20:42:25 GMT
> < Server: Apache/2.2.15 (CentOS)
> < WWW-Authenticate: Negotiate
> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> < ETag: "a0528-55a-53051ba8f7000"
> < Accept-Ranges: bytes
> < Content-Length: 1370
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
> <
> * Closing connection #0
> * Issue another request to this URL:
> 'https://freeipa.cyberfuel.com:443/ipa/xml'
> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> *   Trying * Connected to freeipa.cyberfuel.com
> ( port 443 (#0)
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
> * Server certificate:
> *       subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
> *       start date: Sep 30 17:52:11 2015 GMT
> *       expire date: Sep 30 17:52:11 2017 GMT
> *       common name: freeipa.cyberfuel.com
> *       issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> * Server auth using GSS-Negotiate with user ''
>  > POST /ipa/xml HTTP/1.1
> Authorization: Negotiate
> jFb8kKwop5o7yTyXsQmW4g0rdCam07GuRObob6yQ=
> Host: freeipa.cyberfuel.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://freeipa.cyberfuel.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 478
> < HTTP/1.1 200 Success
> < Date: Fri, 29 Apr 2016 20:42:25 GMT
> < Server: Apache/2.2.15 (CentOS)
> * Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain
> freeipa.cyberfuel.com, path /ipa, expire 1461963745
> < Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;
> Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25
> GMT; Secure; HttpOnly
> < Connection: close
> < Transfer-Encoding: chunked
> < Content-Type: text/xml; charset=utf-8
> <
> * Expire cleared
> * Closing connection #0
> <?xml version='1.0' encoding='UTF-8'?>\n
> <methodResponse>\n
> <params>\n
> <param>\n
> <value><array><data>\n
> dc=com</string></value>\n
> <value><struct>\n
> <member>\n
> <name>dn</name>\n
> dc=com</string></value>\n
> </member>\n
> <member>\n
> <name>ipacertificatesubjectbase</name>\n
> <value><array><data>\n
> <value><string>O=CYBERFUEL.COM</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_keytab</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>objectclass</name>\n
> <value><array><data>\n
> <value><string>ipaobject</string></value>\n
> <value><string>nshost</string></value>\n
> <value><string>ipahost</string></value>\n
> <value><string>pkiuser</string></value>\n
> <value><string>ipaservice</string></value>\n
> <value><string>krbprincipalaux</string></value>\n
> <value><string>krbprincipal</string></value>\n
> <value><string>ieee802device</string></value>\n
> <value><string>ipasshhost</string></value>\n
> <value><string>top</string></value>\n
> <value><string>ipaSshGroupOfPubKeys</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>fqdn</name>\n
> <value><array><data>\n
> <value><string>bk1.cyberfuel.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>has_password</name>\n
> <value><boolean>0</boolean></value>\n
> </member>\n
> <member>\n
> <name>ipauniqueid</name>\n
> <value><array><data>\n
> <value><string>e1a08eb8-0e4a-11e6-8c5b-005056b027f1</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>krbprincipalname</name>\n
> <value><array><data>\n
> <value><string>host/bk1.cyberfuel....@cyberfuel.com</string></value>\n
> </data></array></value>\n
> </member>\n
> <member>\n
> <name>managedby_host</name>\n
> <value><array><data>\n
> <value><string>bk1.cyberfuel.com</string></value>\n
> </data></array></value>\n
> </member>\n
> </struct></value>\n
> </data></array></value>\n
> </param>\n
> </params>\n
> </methodResponse>\n
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=CYBERFUEL.COM
> Enrolled in IPA realm CYBERFUEL.COM
> args=kdestroy
> stdout=
> stderr=
> Attempting to get host TGT...
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/bk1.cyberfuel....@cyberfuel.com
> stdout=
> stderr=
> Attempt 1/5 succeeded.
> Backing up system configuration file '/etc/ipa/default.conf'
>    -> Not backing up - '/etc/ipa/default.conf' doesn't exist
> Created /etc/ipa/default.conf
> importing all plugin modules in
> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> args=klist -V
> stdout=Kerberos 5 version 1.10.3
> stderr=
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> Backing up system configuration file '/etc/sssd/sssd.conf'
>    -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
> New SSSD config will be created
> Backing up system configuration file '/etc/nsswitch.conf'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
> /etc/ipa/ca.crt
> stdout=
> stderr=
> Backing up system configuration file '/etc/krb5.conf'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Writing Kerberos configuration to /etc/krb5.conf:
> #File modified by ipa-client-install
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [libdefaults]
>    default_realm = CYBERFUEL.COM
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>    udp_preference_limit = 0
> [realms]
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
> [domain_realm]
>    .cyberfuel.com = CYBERFUEL.COM
>    cyberfuel.com = CYBERFUEL.COM
> Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM
> args=keyctl search @s user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
> stdout=
> stderr=keyctl_search: Required key not available
> args=keyctl search @s user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
> stdout=
> stderr=keyctl_search: Required key not available
> failed to find session_cookie in persistent storage for principal
> 'host/bk1.cyberfuel....@cyberfuel.com'
> trying https://freeipa.cyberfuel.com/ipa/xml
> Created connection context.xmlclient
> raw: env(None, server=True)
> env(None, server=True, all=True)
> Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'
> NSSConnection init freeipa.cyberfuel.com
> Connecting:
> auth_certificate_callback: check_sig=True is_server=False
> Data:
>          Version:       3 (0x2)
>          Serial Number: 10 (0xa)
>          Signature Algorithm:
>              Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
>          Validity:
>              Not Before: Wed Sep 30 17:52:11 2015 UTC
>              Not After:  Sat Sep 30 17:52:11 2017 UTC
>          Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
>          Subject Public Key Info:
>              Public Key Algorithm:
>                  Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Modulus:
>                  Exponent:
>                      65537 (0x10001)
>      Signed Extensions: (5 total)
>          Name:     Certificate Authority Key Identifier
>          Critical: False
>          Key ID:
>              31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8:
>              d1:87:fa:ff
>          Serial Number: None
>          General Names: [0 total]
>          Name:     Authority Information Access
>          Critical: False
>          Authority Information Access: [1 total]
>              Info [1]:
>                  Method:   PKIX Online Certificate Status Protocol
>                  Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp
> Name:     Certificate Key Usage
>          Critical: True
>          Usages:
>              Digital Signature
>              Non-Repudiation
>              Key Encipherment
>              Data Encipherment
>          Name:     Extended Key Usage
>          Critical: False
>          Usages:
>              TLS Web Server Authentication Certificate
>              TLS Web Client Authentication Certificate
>          Name:     Certificate Subject Key ID
>          Critical: False
>          Data:
>              73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1:
>              89:b9:1e:70
>      Signature:
>          Signature Algorithm:
>              Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Signature:
>          Fingerprint (MD5):
>              09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48
>          Fingerprint (SHA1):
>              c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79:
>              ca:4d:09:98
> approved_usage = SSL Server intended_usage = SSL Server
> cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"
> handshake complete, peer =
> Protocol: TLS1.2
> received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
> Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
> GMT; Secure; HttpOnly'
> storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
> Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
> GMT; Secure; HttpOnly' for prin
> args=keyctl search @s user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
> stdout=
> stderr=keyctl_search: Required key not available
> args=keyctl search @s user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
> stdout=
> stderr=keyctl_search: Required key not available
> args=keyctl padd user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com @s
> stdout=640092261
> stderr=
> Hostname (bk1.cyberfuel.com) not found in DNS
> Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> zone cyberfuel.com.
> update delete bk1.cyberfuel.com. IN A
> send
> update add bk1.cyberfuel.com. 1200 IN A
> send
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> stdout=
> stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = Server
> DNS/ns1.cyberfuel....@cyberfuel.com no
> nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
> returned non-zero exit status 1
> Failed to update DNS records.
> args=/sbin/service messagebus start
> stdout=Starting system message bus:                        [  OK  ]
> stderr=
> args=/sbin/service messagebus status
> stdout=messagebus (pid  41820) is running...
> stderr=
> args=/sbin/service certmonger restart
> stdout=Stopping certmonger:                                [FAILED]
> Starting certmonger:                                       [  OK  ]
> stderr=
> args=/sbin/service certmonger status
> stdout=certmonger (pid  41859) is running...
> stderr=
> args=/sbin/service certmonger restart
> stdout=Stopping certmonger:                                [  OK  ]
> Starting certmonger:                                       [  OK  ]
> stderr=
> args=/sbin/service certmonger status
> stdout=certmonger (pid  41927) is running...
> stderr=
> args=/sbin/chkconfig certmonger on
> stdout=
> stderr=
> args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
> bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K
> host/bk1.cyberfuel....@cyberfuel.co
> stdout=New signing request "20160429204235" added.
> stderr=
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa
> wfpc='], updatedns=False)
> host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa
> wfpc='), rights=False, updatedns=False, all=False, raw=False,
> no_members=False)
> Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
> NSSConnection init freeipa.cyberfuel.com
> Connecting:
> handshake complete, peer =
> Protocol: TLS1.2
> received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
> Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
> GMT; Secure; HttpOnly'
> storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
> Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
> GMT; Secure; HttpOnly' for prin
> args=keyctl search @s user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
> stdout=640092261
> stderr=
> args=keyctl search @s user
> ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
> stdout=640092261
> stderr=
> args=keyctl pupdate 640092261
> stdout=
> stderr=
> Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> zone cyberfuel.com.
> update delete bk1.cyberfuel.com. IN SSHFP
> send
> update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1
> B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
> update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1
> 30D2331BC69452EFE65445B5C990773EA41A2FE8
> send
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> stdout=
> stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = Server
> DNS/ns1.cyberfuel....@cyberfuel.com no
> nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
> returned non-zero exit status 1
> Could not update DNS SSHFP records.
> args=/sbin/service nscd status
> stdout=
> stderr=nscd: unrecognized service
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
> stdout=
> stderr=
> SSSD enabled
> Configuring cyberfuel.com as NIS domain
> args=/bin/nisdomainname
> stdout=(none)
> stderr=
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
> stdout=
> stderr=
> args=/bin/nisdomainname cyberfuel.com
> stdout=
> stderr=
> args=/sbin/service sssd restart
> stdout=Stopping sssd:                                      [FAILED]
> Starting sssd:                                             [  OK  ]
> stderr=cat: /var/run/sssd.pid: No such file or directory
> args=/sbin/service sssd status
> stdout=sssd (pid  42071) is running...
> stderr=
> args=/sbin/chkconfig sssd on
> stdout=
> stderr=
> Backing up system configuration file '/etc/openldap/ldap.conf'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Configured /etc/openldap/ldap.conf
> args=getent passwd admin
> stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash
> stderr=
> Backing up system configuration file '/etc/ntp/step-tickers'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> args=/usr/sbin/selinuxenabled
> stdout=
> stderr=
> args=/sbin/chkconfig ntpd
> stdout=
> stderr=
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> Backing up system configuration file '/etc/ntp.conf'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> args=/usr/sbin/selinuxenabled
> stdout=
> stderr=
> Backing up system configuration file '/etc/sysconfig/ntpd'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> args=/usr/sbin/selinuxenabled
> stdout=
> stderr=
> args=/sbin/chkconfig ntpd on
> stdout=
> stderr=
> args=/sbin/service ntpd restart
> stdout=Shutting down ntpd:                                 [  OK  ]
> Starting ntpd:                                             [  OK  ]
> stderr=
> args=/sbin/service ntpd status
> stdout=ntpd (pid  42133) is running...
> stderr=
> NTP enabled
> Backing up system configuration file '/etc/ssh/ssh_config'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Configured /etc/ssh/ssh_config
> Backing up system configuration file '/etc/ssh/sshd_config'
> Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
> stdout=
> stderr=
> Configured /etc/ssh/sshd_config
> args=/sbin/service sshd status
> stdout=openssh-daemon (pid  46497) is running...
> stderr=
> args=/sbin/service sshd restart
> stdout=Stopping sshd:                                      [  OK  ]
> Starting sshd:                                             [  OK  ]
> stderr=
> args=/sbin/service sshd status
> stdout=openssh-daemon (pid  42190) is running...
> stderr=
> Client configuration complete.
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: viernes 29 de abril de 2016 12:19 p.m.
> To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
> Jose Alvarez R. wrote:
>  > Hi,  Rob
>  >
>  > Thanks!!
>  >
>  >
>  > The version the xmlrpc-c of my server IPA:
>  > xmlrpc-c-1.16.24-1210.1840.el6.x86_64
>  > xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>  >
>  >
>  > The version the xmlrpc-c of my client IPA
>  > xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>  > xmlrpc-c-1.16.24-1210.1840.el6.x86_64
>  > libiqxmlrpc-0.12.4-0.parallels.i686
>  > xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
> You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
> https://bugzilla.redhat.com/show_bug.cgi?id=719945
> The libcurl version on the client looks ok.
> This is only a client-side issue so no changes on the servers should be
> necessary IIRC. This appears to be EL 6.1 which at this point is quite
> rob
>  >
>  > The versions are the same, but the libcurl is different
>  >
>  > It's the version curl IPA server
>  > [root@freeipa log]# rpm -qa | grep curl
>  > python-pycurl-7.19.0-8.el6.x86_64
>  > curl-7.19.7-46.el6.x86_64
>  > libcurl-7.19.7-46.el6.x86_64
>  > [root@freeipa log]#
>  >
>  >
>  > It's the version curl PPA server(IPA Client)
>  > [root@ppa named]# rpm -qa | grep curl
>  > curl-7.31.0-1.el6.x86_64
>  > python-pycurl-7.19.0-8.el6.x86_64
>  > libcurl-7.31.0-1.el6.x86_64
>  > libcurl-7.31.0-1.el6.i686
>  >
>  > Sorry, my English is not very good
>  >
>  >
>  > Regards.
>  >
>  >
>  >
>  > -----Original Message-----
>  > From: Rob Crittenden [mailto:rcrit...@redhat.com]
>  > Sent: Friday, April 29, 2016 11:14 a.m.
>  > To: Jose Alvarez R. <jalva...@cyberfuel.com>; freeipa-users@redhat.com
>  > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>  >
>  > Jose Alvarez R. wrote:
>  >> Hi Rob, Thanks for your response
>  >>
>  >> Yes, It's with admin.
>  >
>  > I assume this is a problem with your version of xmlrpc-c. We use
>  > standard xmlrpc-c calls to set up authentication and IIRC that
>  > links against libcurl which provides the Kerberos/GSSAPI support. On
>  > EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
>  >
>  > I'm confused about the versions. You mention PPA but include what look
>  > like RPM versions that seem to point to RHEL 6.
>  >
>  > rob
>  >
>  >>
>  >> I execute the command "ipa-client-install --debug"
>  >> ---------------------------------------------------------------------
>  >> -
>  >> ---
>  >>
>  >>
>  >> [root@ppa named]# ipa-client-install --debug
>  >> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>  >> None, 'force': False, 'realm_name': None, 'krb5_offline_passwords':
>  >> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
>  >> 'conf_sshd': True, 'conf_ntp': True, 'on_master': False,
>  >> 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,
>  >> 'principal': None, 'hostname': None, 'no_ac': False, 'unattended':
>  >> None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
>  >> 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,
>  >> 'force_join': False, 'ca_cert_file': None, 'server': None,
>  >> 'prompt_password': False, 'permit': False, 'debug': True,
>  >> 'preserve_sssd': False, 'uninstall': False}
>  >> missing options might be asked for interactively later Loading Index
>  >> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>  >> Loading StateFile from
>  >> [IPA Discovery]
>  >> Starting IPA discovery with domain=None, servers=None,
>  >> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>  >> "cyberfuel.com" (domain of the
>  >> hostname) and its sub-domains
>  >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>  >> [Kerberos realm search]
>  >> Search DNS for TXT record of _kerberos.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
>  >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>  >> [LDAP server check]
>  >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>  >> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>  >> Search LDAP server for IPA base DN Check if naming context
>  >> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>  >> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>  >> dc=cyberfuel,dc=com (sub)
>  >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>  >> Discovery result: Success; server=freeipa.cyberfuel.com,
>  >> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>  >> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>  >> will use discovered domain: cyberfuel.com Start searching for LDAP
>  >> SRV record in "cyberfuel.com" (Validating DNS
>  >> Discovery) and its sub-domains
>  >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>  >> DNS validated, enabling discovery
>  >> will use discovered server: freeipa.cyberfuel.com Discovery was
>  >> successful!
>  >> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>  >> dc=cyberfuel,dc=com
>  >> Hostname: ppa.cyberfuel.com
>  >> Hostname source: Machine's FQDN
>  >> Realm: CYBERFUEL.COM
>  >> Realm source: Discovered from LDAP DNS records in
>  >> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>  >> Discovered LDAP SRV records from cyberfuel.com (domain of the
>  >> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>  >> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>  >> BaseDN: dc=cyberfuel,dc=com
>  >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>  >>
>  >> Continue to configure the system with these values? [no]: no
>  >> Installation failed. Rolling back changes.
>  >> IPA client is not configured on this system.
>  >> [root@ppa named]#
>  >> [root@ppa named]# ipa-client-install --debug
>  >> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>  >> None, 'force': False, 'realm_name': None, 'krb5_offline_passwords':
>  >> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
>  >> 'conf_sshd': True, 'conf_ntp': True, 'on_master': False,
>  >> 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,
>  >> 'principal': None, 'hostname': None, 'no_ac': False, 'unattended':
>  >> None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
>  >> 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,
>  >> 'force_join': False, 'ca_cert_file': None, 'server': None,
>  >> 'prompt_password': False, 'permit': False, 'debug': True,
>  >> 'preserve_sssd': False, 'uninstall': False}
>  >> missing options might be asked for interactively later Loading Index
>  >> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>  >> Loading StateFile from
>  >> [IPA Discovery]
>  >> Starting IPA discovery with domain=None, servers=None,
>  >> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>  >> "cyberfuel.com" (domain of the
>  >> hostname) and its sub-domains
>  >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>  >> [Kerberos realm search]
>  >> Search DNS for TXT record of _kerberos.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
>  >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>  >> [LDAP server check]
>  >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>  >> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>  >> Search LDAP server for IPA base DN Check if naming context
>  >> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>  >> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>  >> dc=cyberfuel,dc=com (sub)
>  >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>  >> Discovery result: Success; server=freeipa.cyberfuel.com,
>  >> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>  >> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>  >> will use discovered domain: cyberfuel.com Start searching for LDAP
>  >> SRV record in "cyberfuel.com" (Validating DNS
>  >> Discovery) and its sub-domains
>  >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>  >> DNS record found:
>  >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>  >> DNS validated, enabling discovery
>  >> will use discovered server: freeipa.cyberfuel.com Discovery was
>  >> successful!
>  >> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>  >> dc=cyberfuel,dc=com
>  >> Hostname: ppa.cyberfuel.com
>  >> Hostname source: Machine's FQDN
>  >> Realm: CYBERFUEL.COM
>  >> Realm source: Discovered from LDAP DNS records in
>  >> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>  >> Discovered LDAP SRV records from cyberfuel.com (domain of the
>  >> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>  >> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>  >> BaseDN: dc=cyberfuel,dc=com
>  >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>  >>
>  >> Continue to configure the system with these values? [no]: yes
>  >> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
>  >> stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
>  >> or directory
>  >>
>  >> User authorized to enroll computers: admin will use principal
>  >> provided as option: admin Synchronizing time with KDC...
>  >> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
>  >> No DNS record found
>  >> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
>  >> stderr= Writing Kerberos configuration to /tmp/tmpqWSatK:
>  >> #File modified by ipa-client-install
>  >>
>  >> includedir /var/lib/sss/pubconf/krb5.include.d/
>  >>
>  >> [libdefaults]
>  >>     default_realm = CYBERFUEL.COM
>  >>     dns_lookup_realm = false
>  >>     dns_lookup_kdc = false
>  >>     rdns = false
>  >>     ticket_lifetime = 24h
>  >>     forwardable = yes
>  >>     udp_preference_limit = 0
>  >>
>  >>
>  >> [realms]
>  >>     CYBERFUEL.COM = {
>  >>       kdc = freeipa.cyberfuel.com:88
>  >>       master_kdc = freeipa.cyberfuel.com:88
>  >>       admin_server = freeipa.cyberfuel.com:749
>  >>       default_domain = cyberfuel.com
>  >>       pkinit_anchors = FILE:/etc/ipa/ca.crt
>  >>
>  >>     }
>  >>
>  >>
>  >> [domain_realm]
>  >>     .cyberfuel.com = CYBERFUEL.COM
>  >>     cyberfuel.com = CYBERFUEL.COM
>  >>
>  >>
>  >>
>  >> Password for ad...@cyberfuel.com:
>  >> args=kinit ad...@cyberfuel.com
>  >> stdout=Password for ad...@cyberfuel.com:
>  >>
>  >> stderr=
>  >> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>  >> Existing CA cert and Retrieved CA cert are identical
>  >> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
>  >> dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL:
>  >>
>  >> <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
>  >> <methodName>join</methodName>\r\n <params>\r\n
>  >> <param><value><array><data>\r\n
>  >> <value><string>ppa.cyberfuel.com</string></value>\r\n
>  >> </data></array></value></param>\r\n
>  >> <param><value><struct>\r\n
>  >> <member><name>nsosversion</name>\r\n
>  >> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
>  >> <member><name>nshardwareplatform</name>\r\n
>  >> <value><string>x86_64</string></value></member>\r\n
>  >> </struct></value></param>\r\n
>  >> </params>\r\n
>  >> </methodCall>\r\n
>  >>
>  >> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>  >> *   Trying
>  >> * Adding handle: conn: 0x10bb2f0
>  >> * Adding handle: send: 0
>  >> * Adding handle: recv: 0
>  >> * Curl_addHandleToPipeline: length: 1
>  >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>  >> * Connected to freeipa.cyberfuel.com ( port 443 (#0)
>  >> * successfully set certificate verify locations:
>  >> *   CAfile: /etc/ipa/ca.crt
>  >>     CApath: none
>  >> * SSL connection using AES256-SHA
>  >> * Server certificate:
>  >> *        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>  >> *        start date: 2015-09-30 17:52:11 GMT
>  >> *        expire date: 2017-09-30 17:52:11 GMT
>  >> *        common name: freeipa.cyberfuel.com (matched)
>  >> *        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>  >> *        SSL certificate verify ok.
>  >>> POST /ipa/xml HTTP/1.1
>  >> Host: freeipa.cyberfuel.com
>  >> Accept: */*
>  >> Content-Type: text/xml
>  >> User-Agent: ipa-join/3.0.0
>  >> Referer: https://freeipa.cyberfuel.com/ipa/xml
>  >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>  >> Content-Length: 477
>  >>
>  >> * upload completely sent off: 477 out of 477 bytes
>  >> < HTTP/1.1 401 Authorization Required
>  >> < Date: Fri, 29 Apr 2016 16:16:32 GMT
>  >> * Server Apache/2.2.15 (CentOS) is not blacklisted
>  >> < Server: Apache/2.2.15 (CentOS)
>  >> < WWW-Authenticate: Negotiate
>  >> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
>  >> < ETag: "a0528-55a-53051ba8f7000"
>  >> < Accept-Ranges: bytes
>  >> < Content-Length: 1370
>  >> < Connection: close
>  >> < Content-Type: text/html; charset=UTF-8
>  >> <
>  >> * Closing connection 0
>  >> HTTP response code is 401, not 200
>  >>
>  >> Joining realm failed: XML-RPC CALL:
>  >>
>  >> <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
>  >> <methodName>join</methodName>\r\n <params>\r\n
>  >> <param><value><array><data>\r\n
>  >> <value><string>ppa.cyberfuel.com</string></value>\r\n
>  >> </data></array></value></param>\r\n
>  >> <param><value><struct>\r\n
>  >> <member><name>nsosversion</name>\r\n
>  >> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
>  >> <member><name>nshardwareplatform</name>\r\n
>  >> <value><string>x86_64</string></value></member>\r\n
>  >> </struct></value></param>\r\n
>  >> </params>\r\n
>  >> </methodCall>\r\n
>  >>
>  >> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>  >> *   Trying
>  >> * Adding handle: conn: 0x10bb2f0
>  >> * Adding handle: send: 0
>  >> * Adding handle: recv: 0
>  >> * Curl_addHandleToPipeline: length: 1
>  >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>  >> * Connected to freeipa.cyberfuel.com ( port 443 (#0)
>  >> * successfully set certificate verify locations:
>  >> *   CAfile: /etc/ipa/ca.crt
>  >>     CApath: none
>  >> * SSL connection using AES256-SHA
>  >> * Server certificate:
>  >> *        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>  >> *        start date: 2015-09-30 17:52:11 GMT
>  >> *        expire date: 2017-09-30 17:52:11 GMT
>  >> *        common name: freeipa.cyberfuel.com (matched)
>  >> *        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>  >> *        SSL certificate verify ok.
>  >>> POST /ipa/xml HTTP/1.1
>  >> Host: freeipa.cyberfuel.com
>  >> Accept: */*
>  >> Content-Type: text/xml
>  >> User-Agent: ipa-join/3.0.0
>  >> Referer: https://freeipa.cyberfuel.com/ipa/xml
>  >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>  >> Content-Length: 477
>  >>
>  >> * upload completely sent off: 477 out of 477 bytes
>  >> < HTTP/1.1 401 Authorization Required
>  >> < Date: Fri, 29 Apr 2016 16:16:32 GMT
>  >> * Server Apache/2.2.15 (CentOS) is not blacklisted
>  >> < Server: Apache/2.2.15 (CentOS)
>  >> < WWW-Authenticate: Negotiate
>  >> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
>  >> < ETag: "a0528-55a-53051ba8f7000"
>  >> < Accept-Ranges: bytes
>  >> < Content-Length: 1370
>  >> < Connection: close
>  >> < Content-Type: text/html; charset=UTF-8
>  >> <
>  >> * Closing connection 0
>  >> HTTP response code is 401, not 200
>  >>
>  >> Installation failed. Rolling back changes.
>  >> IPA client is not configured on this system.
>  >>
>  >> -------------------------------------------------
>  >>
>  >> This is the curl version on the IPA server:
>  >>
>  >> [root@freeipa log]# rpm -qa | grep curl
>  >> python-pycurl-7.19.0-8.el6.x86_64
>  >> curl-7.19.7-46.el6.x86_64
>  >> libcurl-7.19.7-46.el6.x86_64
>  >> [root@freeipa log]#
>  >>
>  >>
>  >> This is the curl version on the PPA server (IPA client):
>  >>
>  >> [root@ppa named]# rpm -qa | grep curl
>  >> curl-7.31.0-1.el6.x86_64
>  >> python-pycurl-7.19.0-8.el6.x86_64
>  >> libcurl-7.31.0-1.el6.x86_64
>  >> libcurl-7.31.0-1.el6.i686
>  >>
>  >>
>  >> The curl version is different, but the curl version on the PPA is from
>  >> the Odin Plesk repository.
>  >>
>  >> -----------------------------------------------------
>  >>
>  >>
>  >> [root@ppa tmp]# cat kerberos_trace.log
>  >>
>  >> [12118] 1461855578.809966: ccselect module realm chose cache
>  >> FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [12118] 1461855578.810171: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
>  >> found [12118] 1461855578.810252: Getting credentials
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>  >> ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>  >> FILE:/tmp/tmptSoqDX with
>  >> result: -1765328243/Matching credential not found [12118]
>  >> 1461855578.810451: Retrieving ad...@cyberfuel.com ->
>  >> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX with
>  >> result: 0/Success
>  >> [12118] 1461855578.810476: Found cached TGT for service realm:
>  >> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>  >> [12118] 1461855578.810509: Requesting tickets for
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [12118]
>  >> 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
>  >> [12118] 1461855578.810679: etypes requested in TGS request:
>  >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
>  >> 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
>  >> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
>  >> [12118] 1461855578.811466: Initiating TCP connection to stream
>  >>
>  >> [12118] 1461855578.811935: Sending TCP request to stream
>  >> [12118] 1461855578.816404: Received answer from
>  >> stream
>  >> [12118] 1461855578.816714: Response was from master
>  >> KDC [12118] 1461855578.816906: TGS reply is for ad...@cyberfuel.com
>  >> -> ldap/freeipa.cyberfuel....@cyberfuel.com with session key
>  >> aes256-cts/BEB2 [12118] 1461855578.816977: TGS request result:
>  >> 0/Success [12118] 1461855578.817018: Received creds for desired
>  >> service ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [12118] 1461855578.817066: Removing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmptSoqDX
>  >> [12118] 1461855578.817107: Storing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmptSoqDX
>  >> [12118] 1461855578.817413: Creating authenticator for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>  >> seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
>  >> [12118] 1461855578.874786: ccselect module realm chose cache
>  >> FILE:/tmp/tmptSoqDX with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [12118] 1461855578.874938: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
>  >> found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
>  >> subkey aes256-cts/4B32, seqnum 706045221 [17304] 1461858424.873888:
>  >> ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
>  >> principal ad...@cyberfuel.com for server principal
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [17304] 1461858424.874126: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
>  >> found [17304] 1461858424.874220: Getting credentials
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>  >> ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>  >> FILE:/tmp/tmpH0QF6P with
>  >> result: -1765328243/Matching credential not found [17304]
>  >> 1461858424.874531: Retrieving ad...@cyberfuel.com ->
>  >> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with
>  >> 0/Success
>  >> [17304] 1461858424.874603: Found cached TGT for service realm:
>  >> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>  >> [17304] 1461858424.874631: Requesting tickets for
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [17304]
>  >> 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
>  >> [17304] 1461858424.874788: etypes requested in TGS request:
>  >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
>  >> 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
>  >> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
>  >> [17304] 1461858424.875805: Initiating TCP connection to stream
>  >>
>  >> [17304] 1461858424.877976: Sending TCP request to stream
>  >> [17304] 1461858424.882385: Received answer from
>  >> stream [17304] 1461858424.882531: Response was from
>  >> master KDC [17304] 1461858424.882775: TGS reply is for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>  >> session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
>  >> result: 0/Success [17304] 1461858424.882883: Received creds for
>  >> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [17304] 1461858424.882918: Removing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P
>  >> [17304] 1461858424.882951: Storing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpH0QF6P
>  >> [17304] 1461858424.883271: Creating authenticator for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>  >> seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
>  >> [17304] 1461858424.898190: ccselect module realm chose cache
>  >> FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [17304] 1461858424.898401: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
>  >> found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
>  >> subkey aes256-cts/A0F5, seqnum 906104721 [23457] 1461863053.621386:
>  >> ccselect module realm chose cache
>  >> FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [23457] 1461863053.621602: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
>  >> found [23457] 1461863053.621719: Getting credentials
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>  >> ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>  >> FILE:/tmp/tmp576FE3 with
>  >> result: -1765328243/Matching credential not found [23457]
>  >> 1461863053.622097: Retrieving ad...@cyberfuel.com ->
>  >> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with
>  >> 0/Success
>  >> [23457] 1461863053.622144: Found cached TGT for service realm:
>  >> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>  >> [23457] 1461863053.622176: Requesting tickets for
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23457]
>  >> 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
>  >> [23457] 1461863053.622331: etypes requested in TGS request:
>  >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
>  >> 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
>  >> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
>  >> [23457] 1461863053.623367: Initiating TCP connection to stream
>  >>
>  >> [23457] 1461863053.623866: Sending TCP request to stream
>  >> [23457] 1461863053.627939: Received answer from
>  >> stream [23457] 1461863053.628229: Response was from
>  >> master KDC [23457] 1461863053.628485: TGS reply is for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>  >> session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
>  >> result: 0/Success [23457] 1461863053.628610: Received creds for
>  >> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [23457] 1461863053.628655: Removing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3
>  >> [23457] 1461863053.628689: Storing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmp576FE3
>  >> [23457] 1461863053.629119: Creating authenticator for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>  >> seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
>  >> [23457] 1461863053.640471: ccselect module realm chose cache
>  >> FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [23457] 1461863053.640721: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
>  >> found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
>  >> subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338:
>  >> ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
>  >> principal ad...@cyberfuel.com for server principal
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [23749] 1461863277.525435: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
>  >> found [23749] 1461863277.525469: Getting credentials
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>  >> ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>  >> FILE:/tmp/tmprfuOsj with
>  >> result: -1765328243/Matching credential not found [23749]
>  >> 1461863277.525572: Retrieving ad...@cyberfuel.com ->
>  >> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with
>  >> 0/Success
>  >> [23749] 1461863277.525584: Found cached TGT for service realm:
>  >> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>  >> [23749] 1461863277.525593: Requesting tickets for
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23749]
>  >> 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
>  >> [23749] 1461863277.525662: etypes requested in TGS request:
>  >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
>  >> 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
>  >> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
>  >> [23749] 1461863277.526161: Initiating TCP connection to stream
>  >>
>  >> [23749] 1461863277.526440: Sending TCP request to stream
>  >> [23749] 1461863277.530652: Received answer from
>  >> stream [23749] 1461863277.530737: Response was from
>  >> master KDC [23749] 1461863277.530881: TGS reply is for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>  >> session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
>  >> result: 0/Success [23749] 1461863277.530948: Received creds for
>  >> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [23749] 1461863277.530962: Removing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj
>  >> [23749] 1461863277.530971: Storing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmprfuOsj
>  >> [23749] 1461863277.531133: Creating authenticator for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>  >> seqnum 1019693263, subkey aes256-cts/B3E0, session key
>  >> aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm
>  >> chose cache FILE:/tmp/tmprfuOsj with client principal
>  >> ad...@cyberfuel.com for server principal
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [23749] 1461863277.542889: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
>  >> found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
>  >> subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277:
>  >> ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
>  >> principal ad...@cyberfuel.com for server principal
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [25544] 1461864401.258584: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
>  >> found [25544] 1461864401.258678: Getting credentials
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>  >> ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>  >> FILE:/tmp/tmpbzX7EN with
>  >> result: -1765328243/Matching credential not found [25544]
>  >> 1461864401.259040: Retrieving ad...@cyberfuel.com ->
>  >> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with
>  >> 0/Success
>  >> [25544] 1461864401.259076: Found cached TGT for service realm:
>  >> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>  >> [25544] 1461864401.259102: Requesting tickets for
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [25544]
>  >> 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
>  >> [25544] 1461864401.259291: etypes requested in TGS request:
>  >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
>  >> 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
>  >> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
>  >> [25544] 1461864401.260361: Initiating TCP connection to stream
>  >>
>  >> [25544] 1461864401.260980: Sending TCP request to stream
>  >> [25544] 1461864401.264399: Received answer from
>  >> stream [25544] 1461864401.264593: Response was from
>  >> master KDC [25544] 1461864401.264893: TGS reply is for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>  >> session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
>  >> result: 0/Success [25544] 1461864401.264996: Received creds for
>  >> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [25544] 1461864401.265029: Removing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN
>  >> [25544] 1461864401.265058: Storing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpbzX7EN
>  >> [25544] 1461864401.265581: Creating authenticator for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>  >> seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
>  >> [25544] 1461864401.275884: ccselect module realm chose cache
>  >> FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [25544] 1461864401.276059: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
>  >> found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
>  >> subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354:
>  >> ccselect module realm chose cache
>  >> FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [18097] 1461937028.664456: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
>  >> found [18097] 1461937028.664490: Getting credentials
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>  >> ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>  >> FILE:/tmp/tmpF9x_o8 with
>  >> result: -1765328243/Matching credential not found [18097]
>  >> 1461937028.664590: Retrieving ad...@cyberfuel.com ->
>  >> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with
>  >> 0/Success
>  >> [18097] 1461937028.664601: Found cached TGT for service realm:
>  >> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>  >> [18097] 1461937028.664611: Requesting tickets for
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [18097]
>  >> 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
>  >> [18097] 1461937028.664727: etypes requested in TGS request:
>  >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
>  >> 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
>  >> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
>  >> [18097] 1461937028.665136: Initiating TCP connection to stream
>  >>
>  >> [18097] 1461937028.665510: Sending TCP request to stream
>  >> [18097] 1461937028.668919: Received answer from
>  >> stream [18097] 1461937028.668984: Response was from
>  >> master KDC [18097] 1461937028.669109: TGS reply is for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>  >> session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
>  >> result: 0/Success [18097] 1461937028.669156: Received creds for
>  >> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [18097] 1461937028.669167: Removing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8
>  >> [18097] 1461937028.669176: Storing ad...@cyberfuel.com ->
>  >> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpF9x_o8
>  >> [18097] 1461937028.669304: Creating authenticator for
>  >> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>  >> seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
>  >> [18097] 1461937028.676414: ccselect module realm chose cache
>  >> FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for
>  >> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>  >> [18097] 1461937028.676470: Retrieving ad...@cyberfuel.com ->
>  >> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>  >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
>  >> found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
>  >> subkey aes256-cts/26C4, seqnum 864174069
>  >>
>  >> -----------------------------------
>  >>
>  >>
>  >> Regards
>  >>
>  >> Jose Alvarez
>  >>
>  >>
>  >> -----Original Message-----
>  >> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>  >> Sent: viernes 29 de abril de 2016 09:34 a.m.
>  >> To: Jose Alvarez R. <jalva...@cyberfuel.com>;
>  >> freeipa-users@redhat.com
>  >> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>  >>
>  >> Jose Alvarez R. wrote:
>  >>> Hi Users
>  >>>
>  >>> Can you help me?
>  >>>
>  >>> I have a problem joining a client to my FreeIPA server. The
>  >>> IPA server version is 3.0 and the IPA client is 3.0.
>  >>>
>  >>> When I join my client to the IPA server, it shows these errors:
>  >>>
>  >>> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
>  >>>
>  >>> 2016-04-28T17:26:41Z DEBUG stderr=
>  >>>
>  >>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
>  >>> ldap://freeipa.cyberfuel.com
>  >>>
>  >>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert
>  >>> are identical
>  >>>
>  >>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
>  >>> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>  >>>
>  >>> 2016-04-28T17:26:41Z DEBUG stdout=
>  >>>
>  >>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>  >>>
>  >>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
>  >>> is 401, not 200
>  >>>
>  >>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>  >>>
>  >>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this
>  >>
>  >> I'd look in the 389-ds access and error logs on the IPA server to see
>  >> if there are any more details. Look for the BIND from the client and
>  >> see what happens.
>  >>
>  >> More context from the log file might be helpful. I believe if you run
>  >> the client installer with --debug then additional flags are passed to
>  >> ipa-join to include the XML-RPC conversation and that might be useful
>  >> too.
>  >>
>  >> What account are you using to enroll with, admin?
>  >>
>  >> rob
>  >>
>  >
>  >
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
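
Added example (not part of the original thread, and not FreeIPA or MIT krb5 code): the quoted KRB5_TRACE output above was re-wrapped by the mail client, so entries run into each other. This sketch re-splits such text on the "[pid] timestamp:" prefix and lists, per process, which service principals a ticket was actually received for, which shows at a glance whether the traced process ever obtained the HTTP/ ticket it needs to answer WWW-Authenticate: Negotiate. The sample trace, PID, realm and host names are constructed; the function names are assumptions made for this example.

```python
import re

# Constructed sample: KRB5_TRACE output after a mail client quoted and
# re-wrapped it. PID, realm and host names are made up for this example.
SAMPLE = """\
>  >> [4242] 1461864401.259102: Requesting tickets for
>  >> ldap/ipa.example.test@EXAMPLE.TEST, referrals on [4242]
>  >> 1461864401.259676: Sending request (704 bytes) to EXAMPLE.TEST
>  >> [4242] 1461864401.264966: TGS request
>  >> result: 0/Success [4242] 1461864401.264996: Received creds for
>  >> desired service ldap/ipa.example.test@EXAMPLE.TEST
>  >> [4242] 1461864401.276196: Read AP-REP, time 1461864401.265627,
>  >> subkey aes256-cts/0E9F, seqnum 871496824
"""

# Every trace entry starts with "[pid] seconds.micros: ".
ENTRY = re.compile(r"\[(\d+)\] (\d+\.\d+): ")

def parse_trace(text):
    """Return [(pid, timestamp, message)] from quoted, re-wrapped trace text."""
    lines = (re.sub(r"^[>\s]+", "", ln).strip() for ln in text.splitlines())
    flat = " ".join(ln for ln in lines if ln)
    parts = ENTRY.split(flat)  # ['', pid, ts, msg, pid, ts, msg, ...]
    return [(int(parts[i]), parts[i + 1], parts[i + 2].strip())
            for i in range(1, len(parts) - 2, 3)]

def service_tickets(entries):
    """Map pid -> service principals requested / actually received."""
    out = {}
    for pid, _, msg in entries:
        slot = out.setdefault(pid, {"requested": set(), "received": set()})
        m = re.match(r"Requesting tickets for (\S+),", msg)
        if m:
            slot["requested"].add(m.group(1))
        m = re.match(r"Received creds for desired service (\S+)", msg)
        if m:
            slot["received"].add(m.group(1))
    return out

def pids_without_http_ticket(summary):
    """PIDs whose trace shows no HTTP/ service ticket being received."""
    return sorted(pid for pid, s in summary.items()
                  if not any(p.startswith("HTTP/") for p in s["received"]))

if __name__ == "__main__":
    summary = service_tickets(parse_trace(SAMPLE))
    for pid, s in summary.items():
        print(pid, sorted(s["received"]))
    print("no HTTP/ ticket:", pids_without_http_ticket(summary))
```

A PID reported here only means that the traced process never received an HTTP/ ticket; if ipa-join itself was not run with tracing enabled, its Kerberos activity will not appear in the trace at all.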
