Robert M. Albrecht wrote:
Hi,

I tried to join my first client (another fully patched F15, like the
ipa-server).

Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.

I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob
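Editor's note, added to this archived thread and not part of Rob's or Robert's messages: the failure mode above has three distinct libcurl states, and it is worth knowing which one a client is in before downgrading. Per the NVD entry Rob links, libcurl 7.10.6 through 7.21.6 delegated GSSAPI credentials on every Negotiate exchange (CVE-2011-2192); 7.21.7 removed delegation outright, which is what breaks ipa-join; the later 7.22.0 release reintroduced it as an explicit opt-in via CURLOPT_GSSAPI_DELEGATION (a fact from curl's release history, not from this thread). The script below is an added diagnostic, not FreeIPA code: it classifies the libcurl version from `curl --version` and checks, from `klist -f` output, that the admin TGT ipa-join would delegate actually carries the forwardable (F) flag that the pasted krb5.conf asks for. The `curl --version` and `klist -f` samples are constructed for the example; the realm and host names are the ones from the log.

```python
"""Added diagnostic (not FreeIPA's code): which libcurl delegation state is
this client in, and is the TGT it would delegate forwardable at all?"""
import re

# Version thresholds (from the CVE-2011-2192 entry and curl release history):
#   < 7.21.7  : libcurl delegates the TGT on every Negotiate exchange (vulnerable)
#   7.21.7    : delegation removed entirely -> ipa-join gets HTTP 500
#   >= 7.22.0 : delegation only when CURLOPT_GSSAPI_DELEGATION is set
CVE_FIX = (7, 21, 7)
OPT_IN = (7, 22, 0)

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")
_FLAGS_RE = re.compile(r"^\s*Flags:\s*(\S+)")

# Constructed sample outputs, shaped like a fully patched F15 client in July 2011.
SAMPLE_CURL = ("curl 7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 "
               "NSS/3.12.10.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7")
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@VORLON.LAN

Valid starting     Expires            Service principal
07/26/11 15:34:28  07/27/11 15:34:28  krbtgt/VORLON.LAN@VORLON.LAN
\tFlags: FRIA
"""


def libcurl_version(curl_version_output):
    """Return (major, minor, patch) from the 'libcurl/X.Y.Z' token of `curl --version`."""
    m = _LIBCURL_RE.search(curl_version_output)
    if not m:
        raise ValueError("no libcurl/X.Y.Z token in: %r" % curl_version_output)
    return tuple(int(x) for x in m.groups())


def delegation_state(version):
    """Classify a libcurl version tuple with respect to GSSAPI delegation."""
    if version < CVE_FIX:
        return "always-delegates"   # CVE-2011-2192: TGT sent to every Negotiate peer
    if version < OPT_IN:
        return "never-delegates"    # CVE fixed, but ipa-join cannot forward the TGT
    return "opt-in"                 # CURLOPT_GSSAPI_DELEGATION decides per handle


def tgt_is_forwardable(klist_f_output, realm):
    """True if the krbtgt/REALM ticket in `klist -f` output carries the F flag.

    With -f, MIT klist prints a 'Flags: ...' line under each ticket; F is
    forwardable, which 'forwardable = yes' in krb5.conf should give the TGT
    and which delegation needs before libcurl's behaviour even matters.
    """
    lines = klist_f_output.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/%s@%s" % (realm, realm) in line:
            for follow in lines[i + 1:i + 3]:
                m = _FLAGS_RE.match(follow)
                if m:
                    return "F" in m.group(1)
            return False          # ticket listed but no Flags line (klist run without -f)
    return False                  # no TGT for this realm in the cache


def diagnose(curl_version_output, klist_f_output, realm):
    """One-line verdict combining the libcurl state and the TGT flags."""
    if not tgt_is_forwardable(klist_f_output, realm):
        return "TGT for %s is not forwardable; fix krb5.conf and re-kinit first" % realm
    state = delegation_state(libcurl_version(curl_version_output))
    return {
        "always-delegates": "libcurl vulnerable to CVE-2011-2192: enrollment works, "
                            "but the TGT is delegated to every Negotiate peer",
        "never-delegates": "libcurl refuses delegation: expect the XML-RPC 500 "
                           "from ipa-join",
        "opt-in": "libcurl supports opt-in delegation; ipa-join must set "
                  "CURLOPT_GSSAPI_DELEGATION to forward the TGT",
    }[state]


if __name__ == "__main__":
    # Replace the samples with subprocess output of `curl --version` and
    # `klist -f` to run this against a real client.
    print(diagnose(SAMPLE_CURL, SAMPLE_KLIST, "VORLON.LAN"))
```

For the client in the log (libcurl 7.21.7, forwardable TGT) the verdict is the middle one: the ticket is fine, libcurl simply will not hand it over, so downgrading trades the 500 for the CVE and is only acceptable as a short-lived, enrollment-only step.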



[root@chessur ~]# ipa-client-install --debug --enable-dns-updates
root : DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None,
'prompt_password': False, 'realm_name': None, 'dns_updates': True,
'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir':
False, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively
later

root : DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'

^C^C^C^C^C^C^C^C^C[root@chessur ~]# ipa-client-install --debug
--enable-dns-updates
root : DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None,
'prompt_password': False, 'realm_name': None, 'dns_updates': True,
'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir':
False, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively
later

root : DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG [ipadnssearchldap(vorlon.lan)]
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmpLob8Sc/ca.crt
http://zerberus.vorlon.lan/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2011-07-26 15:34:18--
http://zerberus.vorlon.lan/ipa/config/ca.crt
Resolving zerberus.vorlon.lan... 192.168.0.230
Connecting to zerberus.vorlon.lan|192.168.0.230|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 767 [application/x-x509-ca-cert]
Saving to: `/tmp/tmpLob8Sc/ca.crt'

0K 100% 96,8M=0s

2011-07-26 15:34:18 (96,8 MB/s) - `/tmp/tmpLob8Sc/ca.crt' saved
[767/767]


root : DEBUG Init ldap with: ldap://zerberus.vorlon.lan:389
root : DEBUG Search rootdse
root : DEBUG Search for (info=*) in dc=vorlon,dc=lan(base)
root : DEBUG Found: [('dc=vorlon,dc=lan', {'objectClass':
['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['vorlon.lan'], 'dc': ['vorlon'], 'nisDomain': ['vorlon.lan']})]
root : DEBUG Search for (objectClass=krbRealmContainer) in
dc=vorlon,dc=lan(sub)
root : DEBUG Found:
[('cn=VORLON.LAN,cn=kerberos,dc=vorlon,dc=lan', {'krbSubTrees':
['dc=vorlon,dc=lan'], 'cn': ['VORLON.LAN'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
root : DEBUG will use domain: vorlon.lan

root : DEBUG will use server: zerberus.vorlon.lan

Discovery was successful!
root : DEBUG will use cli_realm: VORLON.LAN

root : DEBUG will use cli_basedn: dc=vorlon,dc=lan

Hostname: chessur.vorlon.lan
Realm: VORLON.LAN
DNS Domain: vorlon.lan
IPA Server: zerberus.vorlon.lan
BaseDN: dc=vorlon,dc=lan


Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
root : DEBUG will use principal: admin

root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://zerberus.vorlon.lan/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2011-07-26 15:34:28--
http://zerberus.vorlon.lan/ipa/config/ca.crt
Resolving zerberus.vorlon.lan... 192.168.0.230
Connecting to zerberus.vorlon.lan|192.168.0.230|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 767 [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

0K 100% 64,6M=0s

2011-07-26 15:34:28 (64,6 MB/s) - `/etc/ipa/ca.crt' saved [767/767]


root : DEBUG Writing Kerberos configuration to /tmp/tmphXdPGl:
#File modified by ipa-client-install

[libdefaults]
default_realm = VORLON.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
VORLON.LAN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.vorlon.lan = VORLON.LAN
vorlon.lan = VORLON.LAN

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Password for ad...@vorlon.lan:
root : DEBUG args=kinit ad...@vorlon.lan
root : DEBUG stdout=Password for ad...@vorlon.lan:

root : DEBUG stderr=

root : DEBUG args=/usr/sbin/ipa-join -s zerberus.vorlon.lan -d
root : DEBUG stdout=
root : DEBUG stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>chessur.vorlon.lan</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.38.8-35.fc15.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

HTTP response code is 500, not 200

Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=
[root@chessur ~]#


cu romal

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users