Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."
> So the question now is: why is DNS discovery pre-empting the specific
> parameters provided on the command line? According to the output below,
> it looks like it understands server and domain are forced, but it does a dns
> lookup on realm?

Tried again with the "stock" Fedora-20 version of freeipa-server 3.3.5. Same thing. Seems that the ipa-client-install allows the value in DNS to override the value provided on the command line, at least for the realm.

Created a ticket to take this off list: https://fedorahosted.org/freeipa/ticket/

I understand that if my DNS was right, I wouldn't have this problem, but if the --realm option is going to be provided, it should work. :)

Anyway, I need to wait for the network people to fix my DNS. Thanks for your help.

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."
> This is definitely TXT record of _kerberos.usfs-i2.umt.edu issue because
> when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the
> strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of TXT record
> _kerberos.usfs-i2.umt.edu) to be exact match, i.e. including case.
>
> After all, it is Kerberos realm name, which must be upper-cased.
> As a work-around, use --realm option to force the right casing of the realm.

Fresh reinstall. ipa-server-install --realm USFS-I2.UMT.EDU. No dice. Too late, it occurred to me that ipa-client-install, when run at the end of the server install, already has the realm command line option populated with the correct realm (went back and checked):

Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'usfs-i2.umt.edu' '--server' 'ipa.usfs-i2.umt.edu' '--realm' 'USFS-I2.UMT.EDU' '--hostname' 'ipa.usfs-i2.umt.edu'' returned non-zero exit status 1

So the question now is: why is DNS discovery pre-empting the specific parameters provided on the command line? According to the output below, it looks like it understands server and domain are forced, but it does a dns lookup on realm?

2014-07-16T21:20:51Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T21:20:51Z DEBUG [IPA Discovery]
2014-07-16T21:20:51Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG Server and domain forced
2014-07-16T21:20:51Z DEBUG [Kerberos realm search]
2014-07-16T21:20:51Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T21:20:51Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T21:20:51Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T21:20:51Z DEBUG [LDAP server check]
2014-07-16T21:20:51Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
2014-07-16T21:20:51Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG Search LDAP server for IPA base DN
2014-07-16T21:20:51Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
2014-07-16T21:20:51Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
2014-07-16T21:20:51Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T21:20:51Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T21:20:51Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> > On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> > > DNS A, SRV, and TXT entries are in place. Reverse DNS works.
>
> My text DNS entry is possibly hosed, as it's in lowercase. I put in a request to capitalize it.
>
> [root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
> _kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."
>
> > Check /var/log/ipaclient-install.log first, as your IPA client install did
> > not finish, thus the certificate store wasn't created properly and does not
> > contain the IPA CA certificate yet.
>
> For someone on vacation you sure spend a lot of time geeking out. :)
>
> From the below, I think my next thing to try is to wipe the machine and ipa-server-install --realm=USFS-I2.UMT.EDU to override DNS until it gets fixed. Would you concur?
>
> Thanks for pointing me at the logfile.
>
> 2014-07-16T19:28:16Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
> 2014-07-16T19:28:16Z DEBUG [IPA Discovery]
> 2014-07-16T19:28:16Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
> 2014-07-16T19:28:16Z DEBUG Server and domain forced
> 2014-07-16T19:28:16Z DEBUG [Kerberos realm search]
> 2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
> 2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
> 2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
> 2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
> 2014-07-16T19:28:16Z DEBUG [LDAP server check]
> 2014-07-16T19:28:16Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
> 2014-07-16T19:28:16Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
> 2014-07-16T19:28:16Z DEBUG Search LDAP server for IPA base DN
> 2014-07-16T19:28:16Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
> 2014-07-16T19:28:16Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
> 2014-07-16T19:28:16Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
> 2014-07-16T19:28:16Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
> 2014-07-16T19:28:16Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
> 2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
> 2014-07-16T19:28:16Z DEBUG Validated servers:
> 2014-07-16T19:28:16Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA Server.

This is definitely a TXT record of _kerberos.usfs-i2.umt.edu issue because when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of TXT record _kerberos.usfs-i2.umt.edu) to be an exact match, i.e. including case.

After all, it is a Kerberos realm name, which must be upper-cased. As a work-around, use the --realm option to force the right casing of the realm.

--
/ Alexander Bokovoy
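A pre-install check for the mismatch Alexander describes, added here as an example; it is not FreeIPA code and not code from anyone in the thread. It takes the host(1) output and the realm container cn quoted above as constructed input and applies the same exact, case-sensitive comparison, then prints the TXT record the DNS team would need to publish.

```python
import re

# Constructed sample input: the 'host -t TXT' line and the krbRealmContainer
# cn that appear in the thread's log (assumed values for this example).
HOST_TXT_OUTPUT = '_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."'
LDAP_REALM_CN = "USFS-I2.UMT.EDU"


def parse_txt_realm(host_output):
    """Pull the quoted value out of a 'host -t TXT _kerberos.<domain>' line."""
    m = re.search(r'descriptive text "([^"]*)"', host_output)
    if m is None:
        raise ValueError("no TXT value in %r" % host_output)
    return m.group(1)


def classify_realm_txt(txt_value, expected_realm):
    """Compare the TXT value with the realm the way the thread says IPA does:
    exact string equality, case included. Returns a label for the outcome."""
    # host(1) prints the presentation form with a trailing dot; drop it so the
    # comparison is about the realm string itself.
    bare = txt_value.rstrip(".")
    if bare == expected_realm:
        return "MATCH"
    if bare.upper() == expected_realm.upper():
        return "CASE_MISMATCH"   # the situation in this thread: lowercase TXT
    return "MISMATCH"


def suggested_txt_record(domain, expected_realm):
    """Zone-file line to hand to the DNS team; refuses a non-upper-case realm."""
    if expected_realm != expected_realm.upper():
        raise ValueError("Kerberos realm names are upper-case: %r" % expected_realm)
    return '_kerberos.%s. IN TXT "%s"' % (domain, expected_realm)


if __name__ == "__main__":
    txt = parse_txt_realm(HOST_TXT_OUTPUT)
    verdict = classify_realm_txt(txt, LDAP_REALM_CN)
    print("TXT value %r vs realm %r: %s" % (txt, LDAP_REALM_CN, verdict))
    if verdict != "MATCH":
        print("publish:", suggested_txt_record("usfs-i2.umt.edu", LDAP_REALM_CN))
```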
Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."
> On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> > DNS A, SRV, and TXT entries are in place. Reverse DNS works.

My text DNS entry is possibly hosed, as it's in lowercase. I put in a request to capitalize it.

[root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."

> Check /var/log/ipaclient-install.log first, as your IPA client install did
> not finish, thus the certificate store wasn't created properly and does not
> contain the IPA CA certificate yet.

For someone on vacation you sure spend a lot of time geeking out. :)

From the below, I think my next thing to try is to wipe the machine and ipa-server-install --realm=USFS-I2.UMT.EDU to override DNS until it gets fixed. Would you concur?

Thanks for pointing me at the logfile.

2014-07-16T19:28:16Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T19:28:16Z DEBUG [IPA Discovery]
2014-07-16T19:28:16Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Server and domain forced
2014-07-16T19:28:16Z DEBUG [Kerberos realm search]
2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG [LDAP server check]
2014-07-16T19:28:16Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
2014-07-16T19:28:16Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Search LDAP server for IPA base DN
2014-07-16T19:28:16Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
2014-07-16T19:28:16Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
2014-07-16T19:28:16Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T19:28:16Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z DEBUG Validated servers:
2014-07-16T19:28:16Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA Server.
Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> On a clean Fedora 20, minimal install, system using the netinstall iso, I'm getting an error all the way at the end of the ipa-server-install process (when it tries to run ipa-client-install).
>
> I put the fqdn of the hostname in /etc/hostname and "ipaddr ipa.usfs-i2.umt.edu ipa" in /etc/hosts and rebooted. Hostname returns the fqdn. DNS A, SRV, and TXT entries are in place. Reverse DNS works. Copr repository installed, and fedora-updates-testing enabled (for required version of dirsrv). Yum refused to install freeipa-server for reason of unsatisfied dependencies, but dnf succeeded.
>
> Tail end of ipa-server-install is here, followed by a successful kinit and a failed "ipa" command. I can fix the cert issue on the server by following http://www.iamlinux.com/2014/06/ipa-commands-fails-with-peers-certificate-issuer-has-been-marked-as-not-trusted-by-the-user-error/. This allows ipa commands on the server to work. However, ipa-client-install on the client fails with the same "Peer's certificate issuer has been marked as not trusted by the user."
>
> Is this a dorky new user problem or should I file a bug?

Check /var/log/ipaclient-install.log first, as your IPA client install did not finish, thus the certificate store wasn't created properly and does not contain the IPA CA certificate yet.

--
/ Alexander Bokovoy