Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Hey Rob, I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. I am now getting the following error; Joining realm failed: HTTP response code is 401, not 200 On the server I looked at the krb5kdc.log to see if there was any errors and I'm getting the following error; IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, ad...@domain.ca for HTTP/ipa_ser...@domain.ca, Server not found in Kerberos Database. I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication. Any ideas? Any other logs/information I can provide you? Thanks, Matt -Original Message- From: Joseph, Matthew (EXP) Sent: Tuesday, April 02, 2013 3:01 PM To: 'Rob Crittenden'; freeipa-users@redhat.com Subject: RE: EXTERNAL: Re: [Freeipa-users] Client Installation Error Hey Rob, I'm running 2.0.0-23.el6.x86-64. So if I upgrade to the version you listed below then I should be all good? Is this a known problem with just 2.0.0-23 or is it also previous versions? Thanks, Matt -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Tuesday, April 02, 2013 2:58 PM To: Joseph, Matthew (EXP); freeipa-users@redhat.com Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error Joseph, Matthew (EXP) wrote: Hey, I'm trying to add a client to IPA and I'm getting the following error; Joining realm failed because of failing XML-RPC request This error may be caused by incompatible server/client major versions. Client is running Red Hat 6.1 with the following IPA and Curl packages installed; Ipa-*-2.0.0-23 Curl-7.19.7-26 Libcurl-7.19.7-26 Server is running Red Hat 6.3 with the following IPA and Curl Packages installed; Ipa-*-2.2.0-16 Curl-7.19.7-26 Libcurl-7.19.7-26 From what I've seen from other people is that the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so what are my options here to get around this problem? I assume I can downgrade my Curl but will that affect anything major? Thanks, Matt Exactly what version of ipa-client do you have installed? You need 2.0.0-23.el6_1.2 to fix ticket delegation. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Joseph, Matthew (EXP) wrote: Hey Rob, I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. I am now getting the following error; Joining realm failed: HTTP response code is 401, not 200 On the server I looked at the krb5kdc.log to see if there was any errors and I'm getting the following error; IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, ad...@domain.ca for HTTP/ipa_ser...@domain.ca, Server not found in Kerberos Database. I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication. Any ideas? Any other logs/information I can provide you? It may be your obfuscation, but is it a FQDN in the HTTP service principal? It should be. If you're using /etc/hosts be sure that the FQDN version is first (so foo.example.com foo rather than foo foo.example.com). rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Awesome that was the issue Rob. Thanks! Matt -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Wednesday, April 03, 2013 10:14 AM To: Joseph, Matthew (EXP); freeipa-users@redhat.com Subject: Re: EXTERNAL: Re: [Freeipa-users] Client Installation Error Joseph, Matthew (EXP) wrote: Hey Rob, I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. I am now getting the following error; Joining realm failed: HTTP response code is 401, not 200 On the server I looked at the krb5kdc.log to see if there was any errors and I'm getting the following error; IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, ad...@domain.ca for HTTP/ipa_ser...@domain.ca, Server not found in Kerberos Database. I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication. Any ideas? Any other logs/information I can provide you? It may be your obfuscation, but is it a FQDN in the HTTP service principal? It should be. If you're using /etc/hosts be sure that the FQDN version is first (so foo.example.com foo rather than foo foo.example.com). rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Hey Rob, I'm running 2.0.0-23.el6.x86-64. So if I upgrade to the version you listed below then I should be all good? Is this a known problem with just 2.0.0-23 or is it also previous versions? Thanks, Matt -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Tuesday, April 02, 2013 2:58 PM To: Joseph, Matthew (EXP); freeipa-users@redhat.com Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error Joseph, Matthew (EXP) wrote: Hey, I'm trying to add a client to IPA and I'm getting the following error; Joining realm failed because of failing XML-RPC request This error may be caused by incompatible server/client major versions. Client is running Red Hat 6.1 with the following IPA and Curl packages installed; Ipa-*-2.0.0-23 Curl-7.19.7-26 Libcurl-7.19.7-26 Server is running Red Hat 6.3 with the following IPA and Curl Packages installed; Ipa-*-2.2.0-16 Curl-7.19.7-26 Libcurl-7.19.7-26 From what I've seen from other people is that the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so what are my options here to get around this problem? I assume I can downgrade my Curl but will that affect anything major? Thanks, Matt Exactly what version of ipa-client do you have installed? You need 2.0.0-23.el6_1.2 to fix ticket delegation. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Joseph, Matthew (EXP) wrote: Hey Rob, I'm running 2.0.0-23.el6.x86-64. So if I upgrade to the version you listed below then I should be all good? Is this a known problem with just 2.0.0-23 or is it also previous versions? It depends on the mix of curl, xmlrpc-c and ipa-client. The incompatibility was added in libcurl-7.19.7-26.el6_1.1 to address CVE-2011-2192. xmlrpc-c added new delegation support in 1.16.24-1200.1840.el6_1.1 So you either need older versions of all, or newer versions of all. rob Thanks, Matt -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Tuesday, April 02, 2013 2:58 PM To: Joseph, Matthew (EXP); freeipa-users@redhat.com Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error Joseph, Matthew (EXP) wrote: Hey, I'm trying to add a client to IPA and I'm getting the following error; Joining realm failed because of failing XML-RPC request This error may be caused by incompatible server/client major versions. Client is running Red Hat 6.1 with the following IPA and Curl packages installed; Ipa-*-2.0.0-23 Curl-7.19.7-26 Libcurl-7.19.7-26 Server is running Red Hat 6.3 with the following IPA and Curl Packages installed; Ipa-*-2.2.0-16 Curl-7.19.7-26 Libcurl-7.19.7-26 From what I've seen from other people is that the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so what are my options here to get around this problem? I assume I can downgrade my Curl but will that affect anything major? Thanks, Matt Exactly what version of ipa-client do you have installed? You need 2.0.0-23.el6_1.2 to fix ticket delegation. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users