Steven Jones wrote:
FYI....

Think I did it right!

:]

What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.

Can you isolate the log data for this one curl request?

I'd run this on the 6.1 client that you're having problems with.

thanks

rob


regards
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
FYI

Ok, this is very strange, it isn't really trying very hard to do the
kerberos authentication.

It should be requesting the HTTP service principal and then doing the
Negotiate authentication but for some reason it is giving up.

Here is something to try (obviously replacing ipa.example.com with your
ipa server):

% kdestroy
% scp ipa.example.com:/etc/krb5.conf test-krb5.conf
% export KRB5_CONFIG=`pwd`/test-krb5.conf
% kinit admin
% klist -f (send us this output)
% curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
% klist -f (send us this too)
% unset KRB5_CONFIG

You should get a 500 error and not a 401.

Some logs to capture the tail of:

Apache error and access logs
/var/log/krb5kdc.log

rob

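To make the outcome of the curl test above easy to read off, here is an added helper script (not part of the thread or of FreeIPA) that triages a saved `curl -kv --negotiate` transcript, the `klist -f` output taken afterwards, and the matching Apache access-log lines. The transcripts, ticket cache listing, realm, host name and client address embedded below are constructed samples for illustration; in practice you would feed it the real captures with something like `negotiate_verdict "$(cat curl.out)"`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Answers the two questions
# Rob asks: did the client actually send a Negotiate token, and was the last
# answer a 401 or the expected 500? All sample data below is constructed.

# Constructed curl -v transcript of a healthy handshake: the server challenges
# with 401/Negotiate, the client answers with a token, and the XML-RPC endpoint
# then returns 500 for the empty GET (the outcome Rob says to expect).
SAMPLE_CURL_OK='> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate YIICxxxxPLACEHOLDERxxxx
< HTTP/1.1 500 Internal Server Error'

# Constructed transcript of the failure mode: a challenge is issued but the
# client never sends a token (e.g. it could not get an HTTP/ service ticket).
SAMPLE_CURL_FAIL='> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate'

# Constructed klist -f output before and after the curl call. After a working
# handshake a ticket for the HTTP/<server> service principal must be present.
SAMPLE_KLIST_BEFORE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/11 15:30:01  05/26/11 15:30:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FIA'
SAMPLE_KLIST_AFTER="$SAMPLE_KLIST_BEFORE
05/25/11 15:30:05  05/26/11 15:30:01  HTTP/ipa.example.com@EXAMPLE.COM
    Flags: FAT"

# Constructed Apache combined-format access log (client IP is a placeholder).
SAMPLE_ACCESS_LOG='10.0.0.5 - - [25/May/2011:15:35:02 +1200] "GET /ipa/xml HTTP/1.1" 401 381
10.0.0.5 - admin@EXAMPLE.COM [25/May/2011:15:35:02 +1200] "GET /ipa/xml HTTP/1.1" 500 617
10.0.0.9 - - [25/May/2011:15:36:10 +1200] "GET /ipa/ui HTTP/1.1" 200 1024'

# Status code of the last response line ("< HTTP/1.x NNN ...") in a transcript.
last_http_status() {
    printf '%s\n' "$1" | awk '/^< HTTP\/1\.[01] [0-9][0-9][0-9]/ { code = $3 } END { print code }'
}

# Exit 0 if the client sent an "Authorization: Negotiate" header at any point.
client_sent_negotiate() {
    printf '%s\n' "$1" | grep -q '^> Authorization: Negotiate '
}

# One-word verdict combining the two facts above.
negotiate_verdict() {
    status=$(last_http_status "$1")
    if client_sent_negotiate "$1"; then
        case "$status" in
            500) echo "auth-ok-server-error" ;;   # the expected result
            401) echo "token-rejected" ;;         # server refused the token: check krb5kdc.log / httpd error_log
            *)   echo "auth-ok-status-$status" ;;
        esac
    else
        case "$status" in
            401) echo "no-token-sent" ;;          # client gave up: check klist for an HTTP/ ticket
            *)   echo "no-challenge-status-$status" ;;
        esac
    fi
}

# Exit 0 if klist output lists a ticket for an HTTP/ service principal.
has_http_service_ticket() {
    printf '%s\n' "$1" | grep -q '[[:space:]]HTTP/[^[:space:]]*@'
}

# Isolate the access-log entries for one client IP and request path, printing
# "<authenticated user> <status>" per request ("-" means no user was set).
isolate_requests() {
    printf '%s\n' "$3" | awk -v ip="$1" -v path="$2" '$1 == ip && $7 == path { print $3, $9 }'
}
```

The verdict `auth-ok-server-error` is the healthy case from the thread (Kerberos authenticated, the endpoint then returned 500); `no-token-sent` together with a missing HTTP/ ticket in the after-`klist` output points at the client side of the handshake, while `token-rejected` points at the server, so the KDC log and Apache error log are the next things to read.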
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 9:41 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
Logs.....

Sorry, I had you set the level in the wrong file. Can you set LogLevel
debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 8:51 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
Hi,

So I can't get clients to connect to the ipa server, be it 5.6 or 6.1

Is there a solution to this?

Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
and try the join again?

This should give more feedback why mod_auth_kerb/kerberos is rejecting
the credentials.

rob



regards
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

I must be going blind in my old age.....anyway here they are.

regards
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option.  (attach d.out)

2) ipa-install log

3) there are no httpd logs in /var/log/httpd/ it is an empty directory.

4) "Did you also run kinit before manually running ipa-join in your testing?"  Yes....

5) For DNS I added,

     allow query {any;};

into /etc/named.conf clients were then not denied DNS.

regards



________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:
ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a
completely different error message).

A few things to note:

- In general, when you reference any IPA server you should always use
the fully-qualified name. The SSL error you had was because the name did
not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
you can always check the Apache error/access logs for diagnostic
information.
- The integrated DNS stores information in LDAP, not flat files, so
having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time
password. It definitely did one in the log you provided and you still
got a 401, which is strange. Did you also run kinit before manually
running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a
lot more debugging information.

I think the first place to check is the Apache error log to see why the
join call failed.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



