Steven Jones wrote:
Hi,

Hopefully these will help.

It shows that you have two clients, one of which has a working libcurl and another that does not.

The client 130.195.53.109 does not have a working libcurl as can be seen in the error log with the error "Client didn't delegate us their credential" and the principal error. The HTTP response is a 500.

The second client is 130.195.53.104 and does have a working libcurl. The authentication is not accepted, though, and the request is rejected with a 401.

Do you have another KDC somewhere on your network? In the RHEL bits we had dns_lookup_kdc and dns_realm_kdc both set to True which causes the enrollment to use the wrong KDC even if you have things otherwise entered properly.

You should be able to work around this by using the --force flag in ipa-client-install.

rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
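The KDC mix-up Rob describes (the client resolving a KDC through DNS and ending up at the wrong one even though a server is configured) can be checked for before enrollment. The script below is an added example and is not FreeIPA or Red Hat code; it parses the krb5.conf syntax and reports realms that list a KDC explicitly while the libdefaults options dns_lookup_kdc or dns_lookup_realm are still enabled. Both configuration texts are constructed samples that reuse the realm and server names from this thread.

```python
"""Flag krb5.conf setups where DNS-based KDC/realm discovery is enabled
alongside an explicitly configured KDC, so SRV/TXT records can send the
client to a different KDC than the one the admin intended.
Added example, not FreeIPA code; both configs below are constructed."""
import re

# Constructed sample: explicit KDC for the realm, DNS discovery still on.
KRB5_CONF_DNS_LOOKUP = """
[libdefaults]
  default_realm = UNIX.VUW.AC.NZ
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  UNIX.VUW.AC.NZ = {
    kdc = vuwunicoipamt01.unix.vuw.ac.nz:88
    admin_server = vuwunicoipamt01.unix.vuw.ac.nz:749
  }
"""

# Same file with DNS discovery disabled: only the listed KDC is consulted.
KRB5_CONF_FIXED = (KRB5_CONF_DNS_LOOKUP
                   .replace("dns_lookup_realm = true", "dns_lookup_realm = false")
                   .replace("dns_lookup_kdc = true", "dns_lookup_kdc = false"))

TRUE_VALUES = {"true", "yes", "1", "on"}


def parse_krb5_conf(text):
    """Parse krb5.conf's INI-with-braces syntax into nested dicts.
    Scalar keys map to a list of values, since keys such as kdc repeat."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new top-level section
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:                           # key outside any section
            continue
        if line == "}":                         # close a realm/subsection
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                        # open a subsection
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def is_true(values):
    """krb5.conf boolean: last occurrence wins."""
    return bool(values) and values[-1].lower() in TRUE_VALUES


def kdc_discovery_findings(text):
    """Return human-readable findings about DNS discovery overriding an
    explicitly configured KDC; an empty list means nothing to report."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    findings = []
    if is_true(libdefaults.get("dns_lookup_realm")):
        findings.append("dns_lookup_realm is on: host-to-realm mapping is "
                        "taken from DNS TXT records, not only [domain_realm]")
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        kdcs = settings.get("kdc", [])
        if kdcs and is_true(libdefaults.get("dns_lookup_kdc")):
            findings.append(f"{realm}: dns_lookup_kdc is on, so _kerberos SRV "
                            f"records can take precedence over configured "
                            f"KDC(s) {', '.join(kdcs)}")
    return findings


if __name__ == "__main__":
    for name, conf in (("as installed", KRB5_CONF_DNS_LOOKUP),
                       ("fixed", KRB5_CONF_FIXED)):
        print(name, kdc_discovery_findings(conf) or ["no findings"])
```

Run it against a client's /etc/krb5.conf before re-running ipa-client-install; if it reports findings, either disable the two options or make sure the DNS records point at the intended IPA server.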

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 4 August 2011 8:42 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
Hi,

Client
==========
rhel61-64cl04.unix.vuw.ac.nz
Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-client-2.0.0-23.el6_1.1.x86_64
libcurl-7.19.7-26.el6.x86_64
Red Hat Enterprise Linux Client release 6.1 (Santiago)
==========

Server
==========
Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 
2011 x86_64 x86_64 x86_64 GNU/Linux
libcurl-7.19.7-26.el6_1.1.x86_64
ipa-client-2.0.0-23.el6_1.1.x86_64
ipa-server-2.0.0-23.el6_1.1.x86_64
Red Hat Enterprise Linux Server release 6.1 (Santiago)
==========

install output
==========
[root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server 
vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': 
False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 
'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 
'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 
'mkhomedir': True, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt 
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-08-03 09:01:14--  
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: `/tmp/tmpaaTaqF/ca.crt'

       0K                                                       100%  132M=0s

2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]


root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
root        : DEBUG    Search rootdse
root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': 
['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 
'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 
'nisDomain': ['unix.vuw.ac.nz']})]
root        : DEBUG    Search for (objectClass=krbRealmContainer) in 
dc=unix,dc=vuw,dc=ac,dc=nz(sub)
root        : DEBUG    Found: 
[('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': 
['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 
'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 
'krbMaxRenewableAge': ['604800']})]
root        : DEBUG    will use domain: unix.vuw.ac.nz

root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz

Discovery was successful!
root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ

root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz

Hostname: rhel61-64cl04.unix.vuw.ac.nz
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
root        : DEBUG    will use principal: admin

root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt 
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-08-03 09:01:22--  
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

       0K                                                       100% 96.5M=0s

2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]


Password for ad...@unix.vuw.ac.nz:
root        : DEBUG    args=kinit ad...@unix.vuw.ac.nz
root        : DEBUG    stdout=Password for ad...@unix.vuw.ac.nz:

root        : DEBUG    stderr=

root        : DEBUG    args=/usr/sbin/ipa-join -s 
vuwunicoipamt01.unix.vuw.ac.nz -d
root        : DEBUG    stdout=
root        : DEBUG    stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

HTTP response code is 401, not 200

Joining realm failed because of failing XML-RPC request.
    This error may be caused by incompatible server/client major versions.
root        : DEBUG    args=kdestroy
root        : DEBUG    stdout=
root        : DEBUG    stderr=
[root@rhel61-64cl04 ~]#
==========

Error log
==========
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
[Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as 
context unconfined_u:system_r:httpd_t:s0
[Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: 
/usr/sbin/suexec)
[Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed Aug 03 09:04:58 2011] [notice] Digest: done
[Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 
configured -- resuming normal operations
[Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
==========


This appears to be a different issue. If it were the libcurl problem on
the server side we would see something like:

AttributeError: 'thread._local' object has no attribute 'principal'

Because you are getting a 401 and not a 500 it means that the principal
is not being authenticated.

I suspect that this is a kerberos problem. Can you check
/var/log/krb5kdc to see if it is getting a service ticket request from
your client?

Another thing to try is to set LogLevel debug in
/etc/httpd/conf.d/nss.conf and restart Apache. This will provide much
more logging information on the Negotiate request from the client.

rob
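Rob's triage in the message above (500 plus the delegation or principal error means libcurl on the client; 401 means the Negotiate token was not accepted, so look in the KDC log for a service ticket request from that client) can be written down as a small decision procedure. The script below is an added example, not FreeIPA code. The httpd error lines and krb5kdc.log lines are constructed samples in the MIT krb5 log format; the HTTP service principal name for the server is an assumption.

```python
"""Triage an ipa-join failure from the HTTP status, the httpd error_log
and the KDC log, following the reasoning in the thread.
Added example, not FreeIPA code; every log line here is constructed."""
import re

# Assumed service principal of the IPA web server.
HTTP_SERVICE = "HTTP/vuwunicoipamt01.unix.vuw.ac.nz@UNIX.VUW.AC.NZ"

# Constructed httpd error_log excerpt for the client-side libcurl case.
HTTPD_ERRORS_500 = [
    "[Wed Aug 03 09:00:00 2011] [error] ipa: ERROR: "
    "Client didn't delegate us their credential",
    "[Wed Aug 03 09:00:00 2011] [error] AttributeError: "
    "'thread._local' object has no attribute 'principal'",
]

# Constructed krb5kdc.log excerpt: .104 obtains a TGT and a ticket for the
# HTTP service; .109 obtains only a TGT and never asks for the service.
KDC_LOG = [
    "Aug 03 09:05:01 vuwunicoipamt01 krb5kdc[1234](info): AS_REQ "
    "(4 etypes {18 17 16 23}) 130.195.53.104: ISSUE: authtime 1312319101, "
    "etypes {rep=18 tkt=18 ses=18}, admin@UNIX.VUW.AC.NZ for "
    "krbtgt/UNIX.VUW.AC.NZ@UNIX.VUW.AC.NZ",
    "Aug 03 09:05:02 vuwunicoipamt01 krb5kdc[1234](info): TGS_REQ "
    "(4 etypes {18 17 16 23}) 130.195.53.104: ISSUE: authtime 1312319101, "
    "etypes {rep=18 tkt=18 ses=18}, admin@UNIX.VUW.AC.NZ for "
    "HTTP/vuwunicoipamt01.unix.vuw.ac.nz@UNIX.VUW.AC.NZ",
    "Aug 03 09:06:10 vuwunicoipamt01 krb5kdc[1234](info): AS_REQ "
    "(4 etypes {18 17 16 23}) 130.195.53.109: ISSUE: authtime 1312319170, "
    "etypes {rep=18 tkt=18 ses=18}, admin@UNIX.VUW.AC.NZ for "
    "krbtgt/UNIX.VUW.AC.NZ@UNIX.VUW.AC.NZ",
]

# request kind, client IP, KDC verdict, client principal, service principal
KDC_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) .*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+):?.*?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")


def parse_kdc_log(lines):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    return [m.groupdict() for m in map(KDC_RE.search, lines) if m]


def classify_join_failure(http_status, httpd_errors, kdc_lines, client_ip,
                          http_service=HTTP_SERVICE):
    """Map the evidence to one of a few diagnoses (short codes)."""
    errs = "\n".join(httpd_errors)
    if http_status == 500 and ("didn't delegate" in errs
                               or "no attribute 'principal'" in errs):
        # Server never received a delegated credential: client libcurl.
        return "libcurl-delegation"
    if http_status == 401:
        tgs = [r for r in parse_kdc_log(kdc_lines)
               if r["kind"] == "TGS_REQ" and r["ip"] == client_ip
               and r["service"] == http_service]
        if not tgs:
            # Client never asked this KDC for the HTTP service ticket:
            # it is likely talking to another KDC (see krb5.conf / DNS).
            return "no-service-ticket-request"
        if any(r["status"] != "ISSUE" for r in tgs):
            return "kdc-refused-service-ticket"
        # Ticket was issued, so the rejection happens inside Apache:
        # LogLevel debug in nss.conf is the next step.
        return "negotiate-rejected-by-apache"
    return "undetermined"


if __name__ == "__main__":
    print(classify_join_failure(500, HTTPD_ERRORS_500, KDC_LOG, "130.195.53.109"))
    print(classify_join_failure(401, [], KDC_LOG, "130.195.53.104"))
    print(classify_join_failure(401, [], KDC_LOG, "130.195.53.109"))
```

On a real server, feed it the status reported by ipa-join, the tail of /var/log/httpd/error_log and the TGS lines from /var/log/krb5kdc.log for the client's address; the three branches of the 401 case tell you whether to look at the client's KDC configuration, at the KDC, or at Apache's Negotiate handling.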

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
