Steven Jones wrote:
Logs.....
Sorry, had you set the level in the wrong file. Can you set LogLevel
debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
rob
________________________________________
From: Rob Crittenden [[email protected]]
Sent: Wednesday, 25 May 2011 8:51 a.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
- httpd logs
Steven Jones wrote:
Hi,
So I cant get clients to connect tot he ipa server, bei it 5.6 or 6.1
Is there a solution to this?
Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
and try the join again?
This should give more feedback why mod_auth_kerb/kerberos is rejecting
the credentials.
rob
regards
________________________________________
From: [email protected] [[email protected]] on
behalf of Steven Jones [[email protected]]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
- httpd logs
I must be going blind in my old age.....anyway here they are.
regards
________________________________________
From: [email protected] [[email protected]] on
behalf of Steven Jones [[email protected]]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Hi,
1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
4) "Did you also run kinit before manually
running ipa-join in your testing?" Yes....
5) For DNS I added,
allow query {any;};
into /etc/named.conf clients were then not denied DNS.
regards
________________________________________
From: Rob Crittenden [[email protected]]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Steven Jones wrote:
ran the ipa-join manually and krb5.conf was not configured, scp'd that over
from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
This is a different mismatch than you were seeing with 5.6 (and a
completely different error message).
A few things to note:
- In general, when you reference any IPA server you should always use
the fully-qualified name. The SSL error you had was because the name did
not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
you can always check the Apache error/access logs for diagnostic
information.
- The integrated DNS stores information in LDAP, not flat files, so
having no data in /var/named is not surprising.
ipa-join needs authentication in the form of a TGT or a one-time
password. It definitely did one in the log you provided and you still
got a 401, which is strange. Did you also run kinit before manually
running ipa-join in your testing?
Running ipa-join or ipa-client-install with the -d option will provide a
lot more debugging information.
I think the first place to check is the Apache error log to see why the
join call failed.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
