Steven Jones wrote:
Logs.....


Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 8:51 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 
- httpd logs

Steven Jones wrote:
Hi,

So I can't get clients to connect to the ipa server, be it 5.6 or 6.1

Is there a solution to this?

Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
and try the join again?

This should give more feedback why mod_auth_kerb/kerberos is rejecting
the credentials.

rob



regards
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 
- httpd logs

I must be going blind in my old age.....anyway here they are.

regards
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option.  (attach d.out)

2) ipa-install log

3) there are no httpd logs in /var/log/httpd/ it is an empty directory.

4) "Did you also run kinit before manually
running ipa-join in your testing?"  Yes....

5) For DNS I added,

   allow-query { any; };

into /etc/named.conf clients were then not denied DNS.

regards



________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:
ran the ipa-join manually and krb5.conf was not configured, scp'd that over 
from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a
completely different error message).

A few things to note:

- In general, when you reference any IPA server you should always use
the fully-qualified name. The SSL error you had was because the name did
not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
you can always check the Apache error/access logs for diagnostic
information.
- The integrated DNS stores information in LDAP, not flat files, so
having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time
password. It definitely did one in the log you provided and you still
got a 401, which is strange. Did you also run kinit before manually
running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a
lot more debugging information.

I think the first place to check is the Apache error log to see why the
join call failed.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

