Re: [Freeipa-users] version mismatch while joining a client ?
Hi,

Only if yum did it by itself. I simply do yum -y install

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Friday, 5 August 2011 11:59 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

On Thu, 2011-08-04 at 23:32 +, Steven Jones wrote:
> I think you mean 04?
>
> I am getting a sasl failed.

Have you installed i686 packages on a x86_64 machine ?

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
On Thu, 2011-08-04 at 23:32 +, Steven Jones wrote:
> I think you mean 04?
>
> I am getting a sasl failed.

Have you installed i686 packages on a x86_64 machine ?

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] version mismatch while joining a client ?
Hi, Well the hostname itself isnt there, but thats normal with dhcp'd workstations? I thought it looked at /etc/sysconfig/network ? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 5 August 2011 2:49 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > I already included the krb5kdc log This sticks out. Can you check /etc/hosts on that client. ldap/localh...@unix.vuw.ac.nz, Server not found in Kerberos database > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > > From: Rob Crittenden [rcrit...@redhat.com] > Sent: Friday, 5 August 2011 10:11 a.m. > To: Steven Jones > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > Steven Jones wrote: >> Hi, >> >> Trying with two rhel61-64bit-clones "04" and "05" >> >> They should give the same failures? but are not?..confused, 04 (the >> first clone has 1/2 joined as its in IPA, but it doesnt say "enrolled and a >> date", 05 failed totally. > > 04 is failing because it apparently still has an updated libcurl. It is > getting a 500 error back. The installation continues because you had the > --force flag. This means it proceeds on errors, so it tried to set > things up but since it didn't get a keytab sssd can't authenticate. > > 05 actually enrolled successfully but was unable to retrieve a keytab. > You can try running ipa-getkeytab from the command-line again. To do > this you'll need to copy a krb5.conf from a working system (say the IPA > server. 
> > # kinit admin > # ipa-getkeytab -s vuwunicoipamt01.unix.vuw.ac.nz -k /etc/krb5.keytab -p > host/rhel61-64cl04.unix.vuw.ac...@unix.vuw.ac.nz > > You may also want to look at the krb5kdc.log and the 389-ds access log, > they may hold clues as well. > >> >> I know Im short on sleep but I really don't understand what's going on here >> and why its so hard to make basic stuff work. >> >> :/ >> >> I have included the logs off each, logs off the IPA server and out's from >> the attempt to join. from each guest. Anything else needed? >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> >> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on >> behalf of Steven Jones [steven.jo...@vuw.ac.nz] >> Sent: Friday, 5 August 2011 8:42 a.m. >> To: Rob Crittenden >> Cc: freeipa-users@redhat.com >> Subject: Re: [Freeipa-users] version mismatch while joining a client ? >> >> Hi, >> >> Yes the first is F15. >> >> I am halting all the AD machines I will retry without the --force first to >> test this, when I built IPA originally there was no AD to conflict. >> >> However its plain weird because the RHEL6.1 client points to the IPA server >> for DNS. >> >> I will get back to you. >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> >> From: Rob Crittenden [rcrit...@redhat.com] >> Sent: Friday, 5 August 2011 1:24 a.m. >> To: Steven Jones >> Cc: freeipa-users@redhat.com >> Subject: Re: [Freeipa-users] version mismatch while joining a client ? >> >> Steven Jones wrote: >>> Hi, >>> >>> I have also done this on a new f15 client and it also fails. >>> >>> But its saying, >>> >>> 500 and not 401 which is the rhel6.1 failure. 
>>> >>> "HTTP response code is 401, not 200" == RHEL61 >>> "HTTP response code is 500, not 200" == FED15 >> >> Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in >> a previous log it has a libcurl that does not do ticket delegation. >> >> 500 is an HTTP server error, we assume a principal will be there and it >> isn't and things blow up (this is handled more gracefully in our dev tree). >> >> 401 is a HTTP authorization error, the user provide is now allowed to &g
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote: I already included the krb5kdc log This sticks out. Can you check /etc/hosts on that client. ldap/localh...@unix.vuw.ac.nz, Server not found in Kerberos database regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 5 August 2011 10:11 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: Hi, Trying with two rhel61-64bit-clones "04" and "05" They should give the same failures? but are not?..confused, 04 (the first clone has 1/2 joined as its in IPA, but it doesnt say "enrolled and a date", 05 failed totally. 04 is failing because it apparently still has an updated libcurl. It is getting a 500 error back. The installation continues because you had the --force flag. This means it proceeds on errors, so it tried to set things up but since it didn't get a keytab sssd can't authenticate. 05 actually enrolled successfully but was unable to retrieve a keytab. You can try running ipa-getkeytab from the command-line again. To do this you'll need to copy a krb5.conf from a working system (say the IPA server. # kinit admin # ipa-getkeytab -s vuwunicoipamt01.unix.vuw.ac.nz -k /etc/krb5.keytab -p host/rhel61-64cl04.unix.vuw.ac...@unix.vuw.ac.nz You may also want to look at the krb5kdc.log and the 389-ds access log, they may hold clues as well. I know Im short on sleep but I really don't understand what's going on here and why its so hard to make basic stuff work. :/ I have included the logs off each, logs off the IPA server and out's from the attempt to join. from each guest. Anything else needed? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 5 August 2011 8:42 a.m. 
To: Rob Crittenden Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Hi, Yes the first is F15. I am halting all the AD machines I will retry without the --force first to test this, when I built IPA originally there was no AD to conflict. However its plain weird because the RHEL6.1 client points to the IPA server for DNS. I will get back to you. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 5 August 2011 1:24 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: Hi, I have also done this on a new f15 client and it also fails. But its saying, 500 and not 401 which is the rhel6.1 failure. "HTTP response code is 401, not 200" == RHEL61 "HTTP response code is 500, not 200" == FED15 Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in a previous log it has a libcurl that does not do ticket delegation. 500 is an HTTP server error, we assume a principal will be there and it isn't and things blow up (this is handled more gracefully in our dev tree). 401 is a HTTP authorization error, the user provide is now allowed to access the server. I'm guessing this is because the client is using the wrong kerberos server. We have this addressed too in the dev tree, we disable dns lookups in krb5.conf. In the meantime --force should make it use the info you provide. rob == more fed15-install-error [root@fed15-64-ws02 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d root: DEBUG/usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz' , 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw. 
ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server' : None, 'mkhomedir': True, 'unattended': None, 'principal': None} root: DEBUGmissing options might be asked for interactively later root: DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root: DEBUG[ipacheckldap] root: DEBUGargs=/usr/bin/wget -O /tmp/tmpsyC9Zx/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt root: DEB
Re: [Freeipa-users] version mismatch while joining a client ?
I already included the krb5kdc log regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 5 August 2011 10:11 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > Hi, > > Trying with two rhel61-64bit-clones "04" and "05" > > They should give the same failures? but are not?..confused, 04 (the first > clone has 1/2 joined as its in IPA, but it doesnt say "enrolled and a date", > 05 failed totally. 04 is failing because it apparently still has an updated libcurl. It is getting a 500 error back. The installation continues because you had the --force flag. This means it proceeds on errors, so it tried to set things up but since it didn't get a keytab sssd can't authenticate. 05 actually enrolled successfully but was unable to retrieve a keytab. You can try running ipa-getkeytab from the command-line again. To do this you'll need to copy a krb5.conf from a working system (say the IPA server. # kinit admin # ipa-getkeytab -s vuwunicoipamt01.unix.vuw.ac.nz -k /etc/krb5.keytab -p host/rhel61-64cl04.unix.vuw.ac...@unix.vuw.ac.nz You may also want to look at the krb5kdc.log and the 389-ds access log, they may hold clues as well. > > I know Im short on sleep but I really don't understand what's going on here > and why its so hard to make basic stuff work. > > :/ > > I have included the logs off each, logs off the IPA server and out's from > the attempt to join. from each guest. Anything else needed? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on > behalf of Steven Jones [steven.jo...@vuw.ac.nz] > Sent: Friday, 5 August 2011 8:42 a.m. 
> To: Rob Crittenden > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > Hi, > > Yes the first is F15. > > I am halting all the AD machines I will retry without the --force first to > test this, when I built IPA originally there was no AD to conflict. > > However its plain weird because the RHEL6.1 client points to the IPA server > for DNS. > > I will get back to you. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________ > From: Rob Crittenden [rcrit...@redhat.com] > Sent: Friday, 5 August 2011 1:24 a.m. > To: Steven Jones > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > Steven Jones wrote: >> Hi, >> >> I have also done this on a new f15 client and it also fails. >> >> But its saying, >> >> 500 and not 401 which is the rhel6.1 failure. >> >> "HTTP response code is 401, not 200" == RHEL61 >> "HTTP response code is 500, not 200" == FED15 > > Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in > a previous log it has a libcurl that does not do ticket delegation. > > 500 is an HTTP server error, we assume a principal will be there and it > isn't and things blow up (this is handled more gracefully in our dev tree). > > 401 is a HTTP authorization error, the user provide is now allowed to > access the server. I'm guessing this is because the client is using the > wrong kerberos server. We have this addressed too in the dev tree, we > disable dns lookups in krb5.conf. In the meantime --force should make it > use the info you provide. 
> > rob > > >> >> >> == >> more fed15-install-error >> [root@fed15-64-ws02 ~]# ipa-client-install --mkhomedir --server >> vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d >> root: DEBUG/usr/sbin/ipa-client-install was invoked with >> options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz' >> , 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, >> 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw. >> ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, >> 'debug': True, 'on_master': False, 'ntp_server' >> : None, 'mkhomedir': True, '
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote: Hi, Trying with two rhel61-64bit-clones "04" and "05" They should give the same failures? but are not?..confused, 04 (the first clone has 1/2 joined as its in IPA, but it doesnt say "enrolled and a date", 05 failed totally. 04 is failing because it apparently still has an updated libcurl. It is getting a 500 error back. The installation continues because you had the --force flag. This means it proceeds on errors, so it tried to set things up but since it didn't get a keytab sssd can't authenticate. 05 actually enrolled successfully but was unable to retrieve a keytab. You can try running ipa-getkeytab from the command-line again. To do this you'll need to copy a krb5.conf from a working system (say the IPA server. # kinit admin # ipa-getkeytab -s vuwunicoipamt01.unix.vuw.ac.nz -k /etc/krb5.keytab -p host/rhel61-64cl04.unix.vuw.ac...@unix.vuw.ac.nz You may also want to look at the krb5kdc.log and the 389-ds access log, they may hold clues as well. I know Im short on sleep but I really don't understand what's going on here and why its so hard to make basic stuff work. :/ I have included the logs off each, logs off the IPA server and out's from the attempt to join. from each guest. Anything else needed? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 5 August 2011 8:42 a.m. To: Rob Crittenden Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Hi, Yes the first is F15. I am halting all the AD machines I will retry without the --force first to test this, when I built IPA originally there was no AD to conflict. However its plain weird because the RHEL6.1 client points to the IPA server for DNS. I will get back to you. 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 5 August 2011 1:24 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: Hi, I have also done this on a new f15 client and it also fails. But its saying, 500 and not 401 which is the rhel6.1 failure. "HTTP response code is 401, not 200" == RHEL61 "HTTP response code is 500, not 200" == FED15 Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in a previous log it has a libcurl that does not do ticket delegation. 500 is an HTTP server error, we assume a principal will be there and it isn't and things blow up (this is handled more gracefully in our dev tree). 401 is a HTTP authorization error, the user provide is now allowed to access the server. I'm guessing this is because the client is using the wrong kerberos server. We have this addressed too in the dev tree, we disable dns lookups in krb5.conf. In the meantime --force should make it use the info you provide. rob == more fed15-install-error [root@fed15-64-ws02 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d root: DEBUG/usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz' , 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw. 
ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server' : None, 'mkhomedir': True, 'unattended': None, 'principal': None} root: DEBUGmissing options might be asked for interactively later root: DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root: DEBUG[ipacheckldap] root: DEBUGargs=/usr/bin/wget -O /tmp/tmpsyC9Zx/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt root: DEBUGstdout= root: DEBUGstderr=--2011-08-03 15:18:07-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 779 [application/x-x509-ca-cert] Saving to: “/tmp/tmpsyC9Zx/ca.crt” 0K 100% 111M=0s 2011-08-03 15:18:07 (111 MB/s) - “/tmp/tmpsyC9Zx/ca.crt” saved [779
Re: [Freeipa-users] version mismatch while joining a client ?
Hi, Yes the first is F15. I am halting all the AD machines I will retry without the --force first to test this, when I built IPA originally there was no AD to conflict. However its plain weird because the RHEL6.1 client points to the IPA server for DNS. I will get back to you. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 5 August 2011 1:24 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > Hi, > > I have also done this on a new f15 client and it also fails. > > But its saying, > > 500 and not 401 which is the rhel6.1 failure. > > "HTTP response code is 401, not 200" == RHEL61 > "HTTP response code is 500, not 200" == FED15 Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in a previous log it has a libcurl that does not do ticket delegation. 500 is an HTTP server error, we assume a principal will be there and it isn't and things blow up (this is handled more gracefully in our dev tree). 401 is a HTTP authorization error, the user provide is now allowed to access the server. I'm guessing this is because the client is using the wrong kerberos server. We have this addressed too in the dev tree, we disable dns lookups in krb5.conf. In the meantime --force should make it use the info you provide. rob > > > == > more fed15-install-error > [root@fed15-64-ws02 ~]# ipa-client-install --mkhomedir --server > vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d > root: DEBUG/usr/sbin/ipa-client-install was invoked with options: > {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz' > , 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, > 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw. 
> ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, > 'debug': True, 'on_master': False, 'ntp_server' > : None, 'mkhomedir': True, 'unattended': None, 'principal': None} > root: DEBUGmissing options might be asked for interactively later > > root: DEBUGLoading Index file from > '/var/lib/ipa-client/sysrestore/sysrestore.index' > root: DEBUG[ipacheckldap] > root: DEBUGargs=/usr/bin/wget -O /tmp/tmpsyC9Zx/ca.crt > http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt > root: DEBUGstdout= > root: DEBUGstderr=--2011-08-03 15:18:07-- > http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt > Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 > Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. > HTTP request sent, awaiting response... 200 OK > Length: 779 [application/x-x509-ca-cert] > Saving to: “/tmp/tmpsyC9Zx/ca.crt” > > 0K 100% 111M=0s > > 2011-08-03 15:18:07 (111 MB/s) - “/tmp/tmpsyC9Zx/ca.crt” saved [779/779] > > > root: DEBUGInit ldap with: > ldap://vuwunicoipamt01.unix.vuw.ac.nz:389 > root: DEBUGSearch rootdse > root: DEBUGSearch for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base) > root: DEBUGFound: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': > ['top', 'domain', 'pilotObject', 'nisDomainOb > ject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': > ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': [ > 'unix.vuw.ac.nz']})] > root: DEBUGSearch for (objectClass=krbRealmContainer) in > dc=unix,dc=vuw,dc=ac,dc=nz(sub) > root: DEBUGFound: > [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': > ['dc=unix,dc=vu > w,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': > ['aes256-cts:special', 'aes128-cts:special', 'des3-hma > c-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', > 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScop > e': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', > 'aes256-cts:special', 
'aes128-cts:normal', 'aes128-cts:special > ', 'des3-hmac-s
Re: [Freeipa-users] version mismatch while joining a client ?
: DEBUGwill use principal: admin
root: DEBUGargs=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root: DEBUGstdout=
root: DEBUGstderr=--2011-08-03 15:18:12-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: “/etc/ipa/ca.crt”

0K 100% 112M=0s

2011-08-03 15:18:12 (112 MB/s) - “/etc/ipa/ca.crt” saved [779/779]

root: DEBUGWriting Kerberos configuration to /tmp/tmpiFqnW9:
#File modified by ipa-client-install

[libdefaults]
  default_realm = UNIX.VUW.AC.NZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  UNIX.VUW.AC.NZ = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .unix.vuw.ac.nz = UNIX.VUW.AC.NZ
  unix.vuw.ac.nz = UNIX.VUW.AC.NZ

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Password for ad...@unix.vuw.ac.nz:
root: DEBUGargs=kinit ad...@unix.vuw.ac.nz
root: DEBUGstdout=Password for ad...@unix.vuw.ac.nz:
root: DEBUGstderr=
root: DEBUGargs=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d
root: DEBUGstdout=
root: DEBUGstderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n fed15-64-ws02.unix.vuw.ac.nz\r\n \r\n \r\n nsosversion\r\n 2.6.38.6-26.rc1.fc15.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n
HTTP response code is 500, not 200
Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.
root: DEBUGargs=kdestroy
root: DEBUGstdout=
root: DEBUGstderr=
[root@fed15-64-ws02 ~]#
===

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 3 August 2011 9:35 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Hi,

Client
==
rhel61-64cl04.unix.vuw.ac.nz
Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-client-2.0.0-23.el6_1.1.x86_64
libcurl-7.19.7-26.el6.x86_64
Red Hat Enterprise Linux Client release 6.1 (Santiago)
==

Server
==
Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
libcurl-7.19.7-26.el6_1.1.x86_64
ipa-client-2.0.0-23.el6_1.1.x86_64
ipa-server-2.0.0-23.el6_1.1.x86_64
Red Hat Enterprise Linux Server release 6.1 (Santiago)
==

install output
==
[root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
root: DEBUG/usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None}
root: DEBUGmissing options might be asked for interactively later
root: DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root: DEBUG[ipacheckldap]
root: DEBUGargs=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root: DEBUGstdout=
root: DEBUGstderr=--2011-08-03 09:01:14-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: `/tmp/tmpaaTaqF/ca.crt'

0K 100% 132M=0s

2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]

root: DEBUGInit ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
root: DEBUGSearch rootdse
root
Re: [Freeipa-users] version mismatch while joining a client ?
I have 3 x AD setups but the client points to the right DNS domain and the IPA server for DNS. I can halt all the ADs and re-try.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 4 August 2011 9:38 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> Hopefully these will help.

It shows that you have two clients, one of which has a working libcurl and another that does not.

The client 130.195.53.109 does not have a working libcurl as can be seen in the error log with the error "Client didn't delegate us their credential" and the principal error. The HTTP response is a 500.

The second client is 130.195.53.104 and does have a working libcurl. The authentication is not accepted though and the request rejected with a 401. Do you have another KDC somewhere on your network? In the RHEL bits we had dns_lookup_kdc and dns_realm_kdc both set to True which causes the enrollment to use the wrong KDC even if you have things otherwise entered properly. You should be able to work around this by using the --force flag in ipa-client-install.

rob

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 4 August 2011 8:42 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> Client
>> ==
>> rhel61-64cl04.unix.vuw.ac.nz
>> Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun
>> 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> libcurl-7.19.7-26.el6.x86_64
>> Red Hat Enterprise Linux Client release 6.1 (Santiago)
>> ==
>>
>> Server
>> ==
>> Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38
>> EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> libcurl-7.19.7-26.el6_1.1.x86_64
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> ipa-server-2.0.0-23.el6_1.1.x86_64
>> Red Hat Enterprise Linux Server release 6.1 (Santiago)
>> ==
>>
>> install output
>> ==
>> [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server
>> vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
>> root: DEBUG/usr/sbin/ipa-client-install was invoked with
>> options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False,
>> 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server':
>> 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name':
>> None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server':
>> None, 'mkhomedir': True, 'unattended': None, 'principal': None}
>> root: DEBUGmissing options might be asked for interactively later
>>
>> root: DEBUGLoading Index file from
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root: DEBUG[ipacheckldap]
>> root: DEBUGargs=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt
>> http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root: DEBUGstdout=
>> root: DEBUGstderr=--2011-08-03 09:01:14--
>> http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/tmp/tmpaaTaqF/ca.crt'
>>
>>0K 100% 132M=0s
>>
>> 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]
>>
>>
>> root: DEBUGInit ldap with:
>> ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
>> root: DEBUGSearch rootdse
>> root: DEBUGSearch for (info=*) in
>> dc=unix,dc=vuw,dc=ac,dc=nz(base)
>> root: DEBUGFound: [('dc=unix,dc=vuw,dc=ac,dc=nz',
>> {'objectClass': ['top', 'domain
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote: Hi, Hopefully these will help. It shows that you have two clients, one of which has a working libcurl and another that does not. The client 130.195.53.109 does not have a working libcurl as can be seen in the error log with the error "Client didn't delegate us their credential" and the principal error. The HTTP response is a 500. The second client is 130.195.53.104 and does have a working libcurl. The authentication is not accepted though and the request rejected with a 401. Do you have another KDC somewhere on your network? In the RHEL bits we had dns_lookup_kdc and dns_realm_kdc both set to True which causes the enrollment to use the wrong KDC even if you have things otherwise entered properly. You should be able to work around this by using the --force flag in ipa-client-install. rob regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Thursday, 4 August 2011 8:42 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? 
Steven Jones wrote: Hi, Client == rhel61-64cl04.unix.vuw.ac.nz Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux ipa-client-2.0.0-23.el6_1.1.x86_64 libcurl-7.19.7-26.el6.x86_64 Red Hat Enterprise Linux Client release 6.1 (Santiago) == Server == Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux libcurl-7.19.7-26.el6_1.1.x86_64 ipa-client-2.0.0-23.el6_1.1.x86_64 ipa-server-2.0.0-23.el6_1.1.x86_64 Red Hat Enterprise Linux Server release 6.1 (Santiago) == install output == [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d root: DEBUG/usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None} root: DEBUGmissing options might be asked for interactively later root: DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root: DEBUG[ipacheckldap] root: DEBUGargs=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt root: DEBUGstdout= root: DEBUGstderr=--2011-08-03 09:01:14-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. HTTP request sent, awaiting response... 
200 OK Length: 779 [application/x-x509-ca-cert] Saving to: `/tmp/tmpaaTaqF/ca.crt' 0K 100% 132M=0s 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779] root: DEBUGInit ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389 root: DEBUGSearch rootdse root: DEBUGSearch for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base) root: DEBUGFound: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})] root: DEBUGSearch for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub) root: DEBUGFound: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hma
Re: [Freeipa-users] version mismatch while joining a client ?
15:18:12 (112 MB/s) - “/etc/ipa/ca.crt” saved [779/779] root: DEBUGWriting Kerberos configuration to /tmp/tmpiFqnW9: #File modified by ipa-client-install [libdefaults] default_realm = UNIX.VUW.AC.NZ dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes [realms] UNIX.VUW.AC.NZ = { pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .unix.vuw.ac.nz = UNIX.VUW.AC.NZ unix.vuw.ac.nz = UNIX.VUW.AC.NZ [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } Password for ad...@unix.vuw.ac.nz: root: DEBUGargs=kinit ad...@unix.vuw.ac.nz root: DEBUGstdout=Password for ad...@unix.vuw.ac.nz: root: DEBUGstderr= root: DEBUGargs=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d root: DEBUGstdout= root: DEBUGstderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n fed15-64-ws02.unix.vuw.ac.nz\r\n \r\n \r\n nsosversion\r\n 2.6.38.6-26.rc1.fc15.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n HTTP response code is 500, not 200 Joining realm failed because of failing XML-RPC request. This error may be caused by incompatible server/client major versions. root: DEBUGargs=kdestroy root: DEBUGstdout= root: DEBUGstderr= [root@fed15-64-ws02 ~]# === regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Wednesday, 3 August 2011 9:35 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? 
Hi, Client == rhel61-64cl04.unix.vuw.ac.nz Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux ipa-client-2.0.0-23.el6_1.1.x86_64 libcurl-7.19.7-26.el6.x86_64 Red Hat Enterprise Linux Client release 6.1 (Santiago) == Server == Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux libcurl-7.19.7-26.el6_1.1.x86_64 ipa-client-2.0.0-23.el6_1.1.x86_64 ipa-server-2.0.0-23.el6_1.1.x86_64 Red Hat Enterprise Linux Server release 6.1 (Santiago) == install output == [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d root: DEBUG/usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None} root: DEBUGmissing options might be asked for interactively later root: DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root: DEBUG[ipacheckldap] root: DEBUGargs=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt root: DEBUGstdout= root: DEBUGstderr=--2011-08-03 09:01:14-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. HTTP request sent, awaiting response... 
200 OK Length: 779 [application/x-x509-ca-cert] Saving to: `/tmp/tmpaaTaqF/ca.crt' 0K 100% 132M=0s 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779] root: DEBUGInit ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389 root: DEBUGSearch rootdse root: DEBUGSearch for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base) root: DEBUGFound: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})] root: DEBUGSearch for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub) root: DEBUGFound: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote: Hi, Client == rhel61-64cl04.unix.vuw.ac.nz Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux ipa-client-2.0.0-23.el6_1.1.x86_64 libcurl-7.19.7-26.el6.x86_64 Red Hat Enterprise Linux Client release 6.1 (Santiago) == Server == Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux libcurl-7.19.7-26.el6_1.1.x86_64 ipa-client-2.0.0-23.el6_1.1.x86_64 ipa-server-2.0.0-23.el6_1.1.x86_64 Red Hat Enterprise Linux Server release 6.1 (Santiago) == install output == [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d root: DEBUG/usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None} root: DEBUGmissing options might be asked for interactively later root: DEBUGLoading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root: DEBUG[ipacheckldap] root: DEBUGargs=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt root: DEBUGstdout= root: DEBUGstderr=--2011-08-03 09:01:14-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. HTTP request sent, awaiting response... 
200 OK Length: 779 [application/x-x509-ca-cert] Saving to: `/tmp/tmpaaTaqF/ca.crt' 0K 100% 132M=0s 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779] root: DEBUGInit ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389 root: DEBUGSearch rootdse root: DEBUGSearch for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base) root: DEBUGFound: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})] root: DEBUGSearch for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub) root: DEBUGFound: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})] root: DEBUGwill use domain: unix.vuw.ac.nz root: DEBUGwill use server: vuwunicoipamt01.unix.vuw.ac.nz Discovery was successful! root: DEBUGwill use cli_realm: UNIX.VUW.AC.NZ root: DEBUGwill use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz Hostname: rhel61-64cl04.unix.vuw.ac.nz Realm: UNIX.VUW.AC.NZ DNS Domain: unix.vuw.ac.nz IPA Server: vuwunicoipamt01.unix.vuw.ac.nz BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz Continue to configure the system with these values? 
[no]: yes Enrollment principal: admin root: DEBUGwill use principal: admin root: DEBUGargs=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt root: DEBUGstdout= root: DEBUGstderr=--2011-08-03 09:01:22-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 779 [application/x-x509-ca-cert] Saving to: `/etc/ipa/ca.crt' 0K 100% 96.5M=0s 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779] Password for ad...@unix.vuw.ac.nz: root: DEBUGargs=kinit ad...@unix.vuw.ac.nz root: DEBUGstdout=Password for ad...@unix.vuw.ac.nz: root: DEBUGstderr= root: DEBUGargs=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -
Re: [Freeipa-users] version mismatch while joining a client ?
crt Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236 Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 779 [application/x-x509-ca-cert] Saving to: `/etc/ipa/ca.crt' 0K 100% 96.5M=0s 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779] Password for ad...@unix.vuw.ac.nz: root: DEBUGargs=kinit ad...@unix.vuw.ac.nz root: DEBUGstdout=Password for ad...@unix.vuw.ac.nz: root: DEBUGstderr= root: DEBUGargs=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d root: DEBUGstdout= root: DEBUGstderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n rhel61-64cl04.unix.vuw.ac.nz\r\n \r\n \r\n nsosversion\r\n 2.6.32-131.6.1.el6.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n HTTP response code is 401, not 200 Joining realm failed because of failing XML-RPC request. This error may be caused by incompatible server/client major versions. root: DEBUGargs=kdestroy root: DEBUGstdout= root: DEBUGstderr= [root@rhel61-64cl04 ~]# == Error log == [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in ignored [Wed Aug 03 09:04:57 
2011] [notice] caught SIGTERM, shutting down [Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 [Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest authentication ... [Wed Aug 03 09:04:58 2011] [notice] Digest: done [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2. [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6. [Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START *** [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START *** == regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 3 August 2011 1:48 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > > Yesenrolement now fails, previous messages I attached show that I think, > it used to work. > > History, I had to remove all my working IPA clients due to a disk space > problem on our SAN (we didnt have any). So I managed to keep the working IPA > server and 2 x RHEL5 64 bit servers and the one un-configured template of > RHEL6.1 64bit client I had. This I used to make client side clones off > previously and connected them to IPA server and they worked. > > So lastweek I went back and with a running ipa server, I cloned in the old > client/template and got the mis-match, so I put them on the production > network and patched, same mismatch problem. > > I can do a sosreport of the old template I think and the client to look at > the differences if that helps. 
I'm having a hard time following exactly what you are doing, on what machine. I think we need to be more systematic.

Can you choose a machine to act as the client and provide the following:

- distro and architecture (e.g. RHEL 6.1 on x86_64)
- rpm -q curl libcurl
- rpm -q ipa-client

On the IPA server:

- rpm -q ipa-server

Start with a client that is not enrolled. If it has previously been enrolled run:

ipa-client-install --uninstall -U

Now run ipa-client-install and answer the questions as appropriate for your install.

If it fails please provide the following:

- any stdout you get from the client install
- attach the full /var/log/ipaclient-install.log
- attach the last 100 lines from /var/log/httpd/error_log from the IPA server

rob

ipaclient-install.log Description: ipaclient-install.log

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
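Rob's reading of the two failures in this thread (a 500 together with "Client didn't delegate us their credential" on the server, versus a 401 while the KDC is located through DNS) and the package check requested above can be run as one triage over the collected files. This is an added example, not code from the thread or from FreeIPA; the function names are hypothetical, and the sample inputs are constructed from lines quoted in the thread (the i686 package line and the pinned `kdc` entry are constructed).

```python
import re

TRUE_VALUES = {"true", "yes", "on", "1"}
NO_DELEGATION = "Client didn't delegate us their credential"


def join_http_status(client_log):
    """HTTP status that ipa-join reported in the client debug output, or None."""
    m = re.search(r"HTTP response code is (\d{3}), not 200", client_log)
    return int(m.group(1)) if m else None


def parse_krb5(conf_text):
    """Minimal krb5.conf reader: ([libdefaults] options, {realm: [kdc, ...]})."""
    libdefaults, realm_kdcs = {}, {}
    section = realm = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip().lower(), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value.startswith("{"):
                realm = key
                realm_kdcs.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realm_kdcs[realm].append(value)
    return libdefaults, realm_kdcs


def kdc_found_via_dns(conf_text, realm):
    """True when dns_lookup_kdc is explicitly on and the realm lists no kdc,
    so the KDC is located through DNS. An unset option is not flagged here."""
    libdefaults, realm_kdcs = parse_krb5(conf_text)
    dns_on = libdefaults.get("dns_lookup_kdc", "").lower() in TRUE_VALUES
    return dns_on and not realm_kdcs.get(realm)


def foreign_arch_packages(rpm_q_lines, host_arch):
    """(name, version-release, arch) for `rpm -q` lines not built for the host."""
    found = []
    for line in rpm_q_lines:
        nvr, _, arch = line.strip().rpartition(".")
        parts = nvr.rsplit("-", 2)
        if len(parts) == 3 and arch not in (host_arch, "noarch"):
            found.append((parts[0], parts[1] + "-" + parts[2], arch))
    return found


def triage(client_log, server_error_log, krb5_conf, realm, rpm_q_lines, host_arch):
    """Map the collected evidence to the causes discussed in the thread."""
    findings = []
    status = join_http_status(client_log)
    if status == 500 and NO_DELEGATION in server_error_log:
        findings.append("500: server got no delegated credential; check the client's libcurl")
    elif status == 401:
        findings.append("401: authentication was not accepted by the server")
        if kdc_found_via_dns(krb5_conf, realm):
            findings.append("KDC is located via DNS; check for another KDC on the network")
    for name, ver, arch in foreign_arch_packages(rpm_q_lines, host_arch):
        findings.append(f"{name} {ver} is {arch} on a {host_arch} host")
    return findings


# Constructed sample inputs, built from lines quoted in the thread.
REALM = "UNIX.VUW.AC.NZ"
CLIENT_500 = "HTTP response code is 500, not 200\nJoining realm failed\n"
CLIENT_401 = "HTTP response code is 401, not 200\nJoining realm failed\n"
SERVER_LOG = "[constructed timestamp] [error] " + NO_DELEGATION + "\n"
KRB5_DNS = """
[libdefaults]
  default_realm = UNIX.VUW.AC.NZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  UNIX.VUW.AC.NZ = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""
# Constructed variant: lookup via DNS off, KDC pinned to the IPA server.
KRB5_PINNED = """
[libdefaults]
  default_realm = UNIX.VUW.AC.NZ
  dns_lookup_kdc = false
[realms]
  UNIX.VUW.AC.NZ = {
    kdc = vuwunicoipamt01.unix.vuw.ac.nz:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""
RPMS = ["libcurl-7.19.7-26.el6.x86_64", "libcurl-7.19.7-26.el6.i686",
        "package curl is not installed"]

if __name__ == "__main__":
    for label, log in (("500 client", CLIENT_500), ("401 client", CLIENT_401)):
        print(label)
        for finding in triage(log, SERVER_LOG, KRB5_DNS, REALM, RPMS, "x86_64"):
            print("  -", finding)
```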
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote:

Yes... enrolment now fails, previous messages I attached show that I think, it used to work.

History, I had to remove all my working IPA clients due to a disk space problem on our SAN (we didn't have any). So I managed to keep the working IPA server and 2 x RHEL5 64 bit servers and the one un-configured template of RHEL6.1 64bit client I had. This I used to make client side clones off previously and connected them to IPA server and they worked.

So last week I went back and with a running ipa server, I cloned in the old client/template and got the mis-match, so I put them on the production network and patched, same mismatch problem.

I can do a sosreport of the old template I think and the client to look at the differences if that helps.

I'm having a hard time following exactly what you are doing, on what machine. I think we need to be more systematic.

Can you choose a machine to act as the client and provide the following:

- distro and architecture (e.g. RHEL 6.1 on x86_64)
- rpm -q curl libcurl
- rpm -q ipa-client

On the IPA server:

- rpm -q ipa-server

Start with a client that is not enrolled. If it has previously been enrolled run:

ipa-client-install --uninstall -U

Now run ipa-client-install and answer the questions as appropriate for your install.

If it fails please provide the following:

- any stdout you get from the client install
- attach the full /var/log/ipaclient-install.log
- attach the last 100 lines from /var/log/httpd/error_log from the IPA server

rob

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
8><-

According to this you have the version of libcurl that supports ticket forwarding. Are you saying you still get an error when you try enrollment? This has to be installed on each client, not the server.

8><

Yes... enrolment now fails, previous messages I attached show that I think, it used to work.

History, I had to remove all my working IPA clients due to a disk space problem on our SAN (we didn't have any). So I managed to keep the working IPA server and 2 x RHEL5 64 bit servers and the one un-configured template of RHEL6.1 64bit client I had. This I used to make client side clones off previously and connected them to IPA server and they worked.

So last week I went back and with a running ipa server, I cloned in the old client/template and got the mis-match, so I put them on the production network and patched, same mismatch problem.

I can do a sosreport of the old template I think and the client to look at the differences if that helps.

regards

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
Sorry, what's insulting?

That it is not unusual for Red Hat to break dependencies in yum/up2date? This is a fact, as a customer it was not unusual that I experienced failures at RHN. This was several times a year within the dependencies, it is getting better, but libcurl shows an oops still happens.

Bear in mind that IPA will be like AD, breaking AD in Organisations throughout the World would be a major event and a PR disaster for Microsoft. Equally in the future having the same event with IPA will be a major issue for Red Hat and their customers. So at Red Hat I would hope someone is taking a strategic look at the libcurl event and putting in place or modifying "something" (policy/protocol/procedure etc) to try and ensure it or similar never happens again. You will be mission critical, you have to think like that. Indeed I will take this up with Red Hat to determine what Red Hat has done at a high level to ensure it won't happen again.

Otherwise anything else said was in no way meant to be insulting, (indeed the wasn't if this is what you refer to). So I will conclude that you have mis-read / mis-construed what I have said. Otherwise I am happy to apologise.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 2 August 2011 8:51 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> As below, I have that rpm and I have a failure.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> steven.jo...@vuw.ac.nz 0064 4 463 6272
>
> 8><
>
> rpm -q --changelog will show the history of the package, including the v-r.
>
> So looks like 7.19.7-26 is what you want.
>
> 8><--
>
> See attached, it's what I have, so there must be some other issue?
>
>> I seem to be getting bogged down with RH support... seems the downgrade went from x86_64 to i686 but still the same subpatch -26... I think I want -16?
>
> That is very odd. Perhaps try with arch appended:
>
> # yum downgrade curl.x86_64 libcurl*.x86_64 curl.i686 libcurl*.i686
>
> rob
>
> 8><
>
> I find it not unusual for RH to break yum..
>
> regards

rpm -e != yum downgrade

According to this you have the version of libcurl that supports ticket forwarding. Are you saying you still get an error when you try enrollment? This has to be installed on each client, not the server.

The insulting comments are not necessary.

rob

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote:

As below, I have that rpm and I have a failure.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
steven.jo...@vuw.ac.nz 0064 4 463 6272

8><

rpm -q --changelog will show the history of the package, including the v-r.

So looks like 7.19.7-26 is what you want.

8><--

See attached, it's what I have, so there must be some other issue?

I seem to be getting bogged down with RH support... seems the downgrade went from x86_64 to i686 but still the same subpatch -26... I think I want -16?

That is very odd. Perhaps try with arch appended:

# yum downgrade curl.x86_64 libcurl*.x86_64 curl.i686 libcurl*.i686

rob

8><

I find it not unusual for RH to break yum..

regards

rpm -e != yum downgrade

According to this you have the version of libcurl that supports ticket forwarding. Are you saying you still get an error when you try enrollment? This has to be installed on each client, not the server.

The insulting comments are not necessary.

rob

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote:

Hi,

For RHEL6.1 64bit, Can you tell me which "old" libcurl is the right one?

rpm -q --changelog will show the history of the package, including the v-r.

So looks like 7.19.7-26 is what you want.

I seem to be getting bogged down with RH support... seems the downgrade went from x86_64 to i686 but still the same subpatch -26... I think I want -16?

That is very odd. Perhaps try with arch appended:

# yum downgrade curl.x86_64 libcurl*.x86_64 curl.i686 libcurl*.i686

rob

:/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:

client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 9:59 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

I just downgraded libcurl and curl on rhel6.1 client... still broken.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
Sylvain PANNETRAT wrote:

Hi,

You can take the file with F14 installation DVD. It works for me. You may need to make a script to be able to swap your libcurl file, because when you install the old version, yum doesn't work any more.

This has worked consistently for me on multiple distros:

# yum downgrade curl libcurl*

If you want to manually downgrade then fetching the last release from koji is probably a better way.

rob

Regards,
Sylvain PANNETRAT

On 01/08/11 00:30, Steven Jones wrote:

Hi,

For RHEL6.1 64bit, Can you tell me which "old" libcurl is the right one?

I seem to be getting bogged down with RH support... seems the downgrade went from x86_64 to i686 but still the same subpatch -26... I think I want -16?

:/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:

client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 9:59 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

I just downgraded libcurl and curl on rhel6.1 client... still broken.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
Hi,

You can take the file with F14 installation DVD. It works for me. You may need to make a script to be able to swap your libcurl file, because when you install the old version, yum doesn't work any more.

Regards,
Sylvain PANNETRAT

On 01/08/11 00:30, Steven Jones wrote:

Hi,

For RHEL6.1 64bit, Can you tell me which "old" libcurl is the right one?

I seem to be getting bogged down with RH support... seems the downgrade went from x86_64 to i686 but still the same subpatch -26... I think I want -16?

:/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:

client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 9:59 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

I just downgraded libcurl and curl on rhel6.1 client... still broken.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
Hi,

For RHEL6.1 64bit, Can you tell me which "old" libcurl is the right one?

I seem to be getting bogged down with RH support... seems the downgrade went from x86_64 to i686 but still the same subpatch -26... I think I want -16?

:/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 29 July 2011 9:59 a.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> I just downgraded libcurl and curl on rhel6.1 client... still broken.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
I have a case with RH support on why I can't downgrade... will get back to you.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 10:27 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

hmm I think that's stuffed, I don't think it downgraded libcurl... doh

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 10:25 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

it's in the XXXfail script which was the screenshot.. I ran rpm -q when it failed

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 29 July 2011 9:59 a.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> I just downgraded libcurl and curl on rhel6.1 client... still broken.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
hmm I think that's stuffed, I don't think it downgraded libcurl... doh

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 10:25 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

it's in the XXXfail script which was the screenshot.. I ran rpm -q when it failed

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 29 July 2011 9:59 a.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> I just downgraded libcurl and curl on rhel6.1 client... still broken.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] version mismatch while joining a client ?
It's in the XXXfail script which was the screenshot.. I ran rpm -q when it failed

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 29 July 2011 9:59 a.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> I just downgraded libcurl and curl on rhel6.1 client, still broken.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote:
> client install attempt info

What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to principal not being set?

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 29 July 2011 9:59 a.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> I just downgraded libcurl and curl on rhel6.1 client, still broken.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
Re: [Freeipa-users] version mismatch while joining a client ?
client install attempt info

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 9:59 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

I just downgraded libcurl and curl on rhel6.1 client, still broken.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

client-libcurl-fail1
Description: client-libcurl-fail1

ipaclient-install.log
Description: ipaclient-install.log
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote:
> I just downgraded libcurl and curl on rhel6.1 client, still broken.

Broken how? We need logs, command output, etc. to diagnose the problem.

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: Robert M. Albrecht; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> It appears this change also affects RHEL6.1 as well, I have the same message when I try and join new machines.
>
> Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6. This was considered a security issue so updates were pushed everywhere.
>
> rob
>
>> regards
>>
>> Steven
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>>
>> 8><-
>>
>>> Joining realm failed because of failing XML-RPC request.
>>> This error may be caused by incompatible server/client major versions.
>>
>> 8><-
>>
>> I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.
>>
>> We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.
>>
>> Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192
>>
>> rob
>>
>> 8><
Re: [Freeipa-users] version mismatch while joining a client ?
I just downgraded libcurl and curl on rhel6.1 client, still broken.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: Robert M. Albrecht; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> It appears this change also affects RHEL6.1 as well, I have the same message when I try and join new machines.

Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6. This was considered a security issue so updates were pushed everywhere.

rob

> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> 8><-
>
>> Joining realm failed because of failing XML-RPC request.
>> This error may be caused by incompatible server/client major versions.
>
> 8><-
>
> I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.
>
> We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.
>
> Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192
>
> rob
>
> 8><
Re: [Freeipa-users] version mismatch while joining a client ?
Steven Jones wrote:
> Hi,
>
> It appears this change also affects RHEL6.1 as well, I have the same message when I try and join new machines.

Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6. This was considered a security issue so updates were pushed everywhere.

rob

> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> 8><-
>
>> Joining realm failed because of failing XML-RPC request.
>> This error may be caused by incompatible server/client major versions.
>
> 8><-
>
> I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.
>
> We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.
>
> Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192
>
> rob
>
> 8><
Re: [Freeipa-users] version mismatch while joining a client ?
Hi,

It appears this change also affects RHEL6.1 as well, I have the same message when I try and join new machines.

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

8><-

> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.

8><-

I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob

8><
Re: [Freeipa-users] version mismatch while joining a client ?
Robert M. Albrecht wrote:
> Hi,
>
> I tried to join my first client (another fully patched F15, like the ipa-server).
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.

I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob

> [root@chessur ~]# ipa-client-install --debug --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': True, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively later
> root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ^C^C^C^C^C^C^C^C^C[root@chessur ~]# ipa-client-install --debug --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': True, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively later
> root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG [ipadnssearchldap(vorlon.lan)]
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmpLob8Sc/ca.crt http://zerberus.vorlon.lan/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2011-07-26 15:34:18-- http://zerberus.vorlon.lan/ipa/config/ca.crt
> Auflösen des Hostnamen »zerberus.vorlon.lan« 192.168.0.230
> Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
> HTTP Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 767 [application/x-x509-ca-cert]
> In »»/tmp/tmpLob8Sc/ca.crt«« speichern.
> 0K 100% 96,8M=0s
> 2011-07-26 15:34:18 (96,8 MB/s) - »»/tmp/tmpLob8Sc/ca.crt«« gespeichert [767/767]
> root : DEBUG Init ldap with: ldap://zerberus.vorlon.lan:389
> root : DEBUG Search rootdse
> root : DEBUG Search for (info=*) in dc=vorlon,dc=lan(base)
> root : DEBUG Found: [('dc=vorlon,dc=lan', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['vorlon.lan'], 'dc': ['vorlon'], 'nisDomain': ['vorlon.lan']})]
> root : DEBUG Search for (objectClass=krbRealmContainer) in dc=vorlon,dc=lan(sub)
> root : DEBUG Found: [('cn=VORLON.LAN,cn=kerberos,dc=vorlon,dc=lan', {'krbSubTrees': ['dc=vorlon,dc=lan'], 'cn': ['VORLON.LAN'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
> root : DEBUG will use domain: vorlon.lan
> root : DEBUG will use server: zerberus.vorlon.lan
> Discovery was successful!
> root : DEBUG will use cli_realm: VORLON.LAN
> root : DEBUG will use cli_basedn: dc=vorlon,dc=lan
> Hostname: chessur.vorlon.lan
> Realm: VORLON.LAN
> DNS Domain: vorlon.lan
> IPA Server: zerberus.vorlon.lan
> BaseDN: dc=vorlon,dc=lan
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> root : DEBUG will use principal: admin
> root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://zerberus.vorlon.lan/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2011-07-26 15:34:28-- http://zerberus.vorlon.lan/ipa/config/ca.crt
> Auflösen des Hostnamen »zerberus.vorlon.lan« 192.168.0.230
> Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
> HTTP Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 767 [application/x-x509-ca-cert]
> In »»/etc/ip
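A triage helper for the failure discussed in the reply above, as an added example that is not part of the original thread or of FreeIPA. It looks for the join error quoted in the thread, for server error-log lines that mention a principal, and for curl/libcurl packages left at different versions or architectures in `rpm -q curl libcurl` output; the function names are hypothetical, and the package versions and Apache log line are constructed sample data.

```python
import re

# Error text quoted in the thread from ipa-client-install.
JOIN_FAILURE = "Joining realm failed because of failing XML-RPC request"

# `rpm -q` prints name-version-release.arch; only curl and libcurl matter here.
NVRA = re.compile(r"^(libcurl|curl)-([^-]+)-([^-]+)\.([^.\s]+)$")


def parse_rpm_query(rpm_output):
    """Map (name, arch) -> 'version-release' for curl/libcurl lines."""
    packages = {}
    for line in rpm_output.splitlines():
        match = NVRA.match(line.strip())
        if match:
            name, version, release, arch = match.groups()
            packages[(name, arch)] = f"{version}-{release}"
    return packages


def triage(client_output, rpm_output, apache_error_log):
    """Return findings that support or weaken the libcurl explanation."""
    findings = []
    if JOIN_FAILURE in client_output:
        findings.append("client: XML-RPC join failure seen")
    # The thread's hint: the server's Apache error log should mention a principal.
    hits = [line for line in apache_error_log.splitlines()
            if "principal" in line.lower()]
    if hits:
        findings.append(f"server: {len(hits)} error log line(s) mention a principal")
    packages = parse_rpm_query(rpm_output)
    if not any(name == "libcurl" for name, _ in packages):
        findings.append("client: libcurl not in rpm output, version unknown")
    # On Fedora/RHEL curl and libcurl come from one source package, so differing
    # version-release strings suggest a downgrade that only partly applied.
    if len(set(packages.values())) > 1:
        listing = ", ".join(f"{n}.{a}={v}" for (n, a), v in sorted(packages.items()))
        findings.append("client: curl/libcurl version-release mismatch: " + listing)
    # Two architectures of libcurl mean two library copies to check.
    arches = sorted(arch for (name, arch) in packages if name == "libcurl")
    if len(arches) > 1:
        findings.append("client: libcurl installed for " + " and ".join(arches))
    return findings


# Constructed sample inputs (versions and log line are not from the thread).
SAMPLE_CLIENT = """Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions."""
SAMPLE_RPM = """curl-7.0.0-1.example.x86_64
libcurl-7.0.0-2.example.x86_64
libcurl-7.0.0-2.example.i686"""
SAMPLE_APACHE = "[error] constructed sample: request failed, principal not set"

if __name__ == "__main__":
    for finding in triage(SAMPLE_CLIENT, SAMPLE_RPM, SAMPLE_APACHE):
        print(finding)
```

Because distributions backport fixes, the version string alone does not say whether the CVE-2011-2192 change is present; the helper only reports what is installed and whether the symptoms line up.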
[Freeipa-users] version mismatch while joining a client ?
Hi,

I tried to join my first client (another fully patched F15, like the ipa-server).

Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.

[root@chessur ~]# ipa-client-install --debug --enable-dns-updates
root: DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': True, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
root: DEBUG missing options might be asked for interactively later
root: DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
^C^C^C^C^C^C^C^C^C[root@chessur ~]# ipa-client-install --debug --enable-dns-updates
root: DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': True, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
root: DEBUG missing options might be asked for interactively later
root: DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root: DEBUG [ipadnssearchldap(vorlon.lan)]
root: DEBUG [ipadnssearchkrb]
root: DEBUG [ipacheckldap]
root: DEBUG args=/usr/bin/wget -O /tmp/tmpLob8Sc/ca.crt http://zerberus.vorlon.lan/ipa/config/ca.crt
root: DEBUG stdout=
root: DEBUG stderr=--2011-07-26 15:34:18-- http://zerberus.vorlon.lan/ipa/config/ca.crt
Auflösen des Hostnamen »zerberus.vorlon.lan« 192.168.0.230
Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 767 [application/x-x509-ca-cert]
In »»/tmp/tmpLob8Sc/ca.crt«« speichern.
0K 100% 96,8M=0s
2011-07-26 15:34:18 (96,8 MB/s) - »»/tmp/tmpLob8Sc/ca.crt«« gespeichert [767/767]
root: DEBUG Init ldap with: ldap://zerberus.vorlon.lan:389
root: DEBUG Search rootdse
root: DEBUG Search for (info=*) in dc=vorlon,dc=lan(base)
root: DEBUG Found: [('dc=vorlon,dc=lan', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['vorlon.lan'], 'dc': ['vorlon'], 'nisDomain': ['vorlon.lan']})]
root: DEBUG Search for (objectClass=krbRealmContainer) in dc=vorlon,dc=lan(sub)
root: DEBUG Found: [('cn=VORLON.LAN,cn=kerberos,dc=vorlon,dc=lan', {'krbSubTrees': ['dc=vorlon,dc=lan'], 'cn': ['VORLON.LAN'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
root: DEBUG will use domain: vorlon.lan
root: DEBUG will use server: zerberus.vorlon.lan
Discovery was successful!
root: DEBUG will use cli_realm: VORLON.LAN
root: DEBUG will use cli_basedn: dc=vorlon,dc=lan
Hostname: chessur.vorlon.lan
Realm: VORLON.LAN
DNS Domain: vorlon.lan
IPA Server: zerberus.vorlon.lan
BaseDN: dc=vorlon,dc=lan
Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
root: DEBUG will use principal: admin
root: DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://zerberus.vorlon.lan/ipa/config/ca.crt
root: DEBUG stdout=
root: DEBUG stderr=--2011-07-26 15:34:28-- http://zerberus.vorlon.lan/ipa/config/ca.crt
Auflösen des Hostnamen »zerberus.vorlon.lan« 192.168.0.230
Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 767 [application/x-x509-ca-cert]
In »»/etc/ipa/ca.crt«« speichern.
0K 100% 64,6M=0s
2011-07-26 15:34:28 (64,6 MB/s) - »»/etc/ipa/ca.crt«« gespeichert [767/767]
root: DEBUG Writing Kerberos configuration to /tmp/tmphXdPGl:
#File modified by ipa-client-install
[libdefaults]
default_realm = VORLON.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifet