I have 3 x AD setups, but the client points to the right DNS domain and the IPA
server for DNS. I can halt all the ADs and retry.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 4 August 2011 9:38 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> Hopefully these will help.

It shows that you have two clients, one of which has a working libcurl
and another that does not.

The client 130.195.53.109 does not have a working libcurl as can be seen
in the error log with the error "Client didn't delegate us their
credential" and the principal error. The HTTP response is a 500.

The second client is 130.195.53.104 and does have a working libcurl. The
authentication is not accepted though and the request rejected with a 401.

Do you have another KDC somewhere on your network? In the RHEL bits we
had dns_lookup_kdc and dns_realm_kdc both set to True, which causes the
enrollment to use the wrong KDC even if you have things otherwise
entered properly.

You should be able to work around this by using the --force flag in
ipa-client-install.

rob

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 4 August 2011 8:42 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> Client
>> ==========
>> rhel61-64cl04.unix.vuw.ac.nz
>> Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 
>> 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> libcurl-7.19.7-26.el6.x86_64
>> Red Hat Enterprise Linux Client release 6.1 (Santiago)
>> ==========
>>
>> Server
>> ==========
>> Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 
>> EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> libcurl-7.19.7-26.el6_1.1.x86_64
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> ipa-server-2.0.0-23.el6_1.1.x86_64
>> Red Hat Enterprise Linux Server release 6.1 (Santiago)
>> ==========
>>
>> install output
>> ==========
>> [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server 
>> vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
>> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with 
>> options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 
>> 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 
>> 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': 
>> None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': 
>> None, 'mkhomedir': True, 'unattended': None, 'principal': None}
>> root        : DEBUG    missing options might be asked for interactively later
>>
>> root        : DEBUG    Loading Index file from 
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root        : DEBUG    [ipacheckldap]
>> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt 
>> http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=--2011-08-03 09:01:14--  
>> http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/tmp/tmpaaTaqF/ca.crt'
>>
>>        0K                                                       100%  132M=0s
>>
>> 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]
>>
>>
>> root        : DEBUG    Init ldap with: 
>> ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
>> root        : DEBUG    Search rootdse
>> root        : DEBUG    Search for (info=*) in 
>> dc=unix,dc=vuw,dc=ac,dc=nz(base)
>> root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', 
>> {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 
>> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': 
>> ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})]
>> root        : DEBUG    Search for (objectClass=krbRealmContainer) in 
>> dc=unix,dc=vuw,dc=ac,dc=nz(sub)
>> root        : DEBUG    Found: 
>> [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', 
>> {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 
>> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 
>> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 
>> 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 
>> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 
>> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 
>> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 
>> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 
>> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 
>> 'krbMaxRenewableAge': ['604800']})]
>> root        : DEBUG    will use domain: unix.vuw.ac.nz
>>
>> root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz
>>
>> Discovery was successful!
>> root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ
>>
>> root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz
>>
>> Hostname: rhel61-64cl04.unix.vuw.ac.nz
>> Realm: UNIX.VUW.AC.NZ
>> DNS Domain: unix.vuw.ac.nz
>> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
>> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>>
>>
>> Continue to configure the system with these values? [no]: yes
>> Enrollment principal: admin
>> root        : DEBUG    will use principal: admin
>>
>> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt 
>> http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=--2011-08-03 09:01:22--  
>> http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/etc/ipa/ca.crt'
>>
>>        0K                                                       100% 96.5M=0s
>>
>> 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]
>>
>>
>> Password for ad...@unix.vuw.ac.nz:
>> root        : DEBUG    args=kinit ad...@unix.vuw.ac.nz
>> root        : DEBUG    stdout=Password for ad...@unix.vuw.ac.nz:
>>
>> root        : DEBUG    stderr=
>>
>> root        : DEBUG    args=/usr/sbin/ipa-join -s 
>> vuwunicoipamt01.unix.vuw.ac.nz -d
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n
>> <methodCall>\r\n
>> <methodName>join</methodName>\r\n
>> <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> HTTP response code is 401, not 200
>>
>> Joining realm failed because of failing XML-RPC request.
>>     This error may be caused by incompatible server/client major versions.
>> root        : DEBUG    args=kdestroy
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=
>> [root@rhel61-64cl04 ~]#
>> ==========
>>
>> Error log
>> ==========
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: 
>> KeyError(140510308317152,) in<module 'threading' from 
>> '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
>> [Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as 
>> context unconfined_u:system_r:httpd_t:s0
>> [Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: 
>> /usr/sbin/suexec)
>> [Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest 
>> authentication ...
>> [Wed Aug 03 09:04:58 2011] [notice] Digest: done
>> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
>> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
>> [Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 
>> mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 
>> configured -- resuming normal operations
>> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
>> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
>> ==========
>>
>
> This appears to be a different issue. If it were the libcurl problem on
> the server side we would see something like:
>
> AttributeError: 'thread._local' object has no attribute 'principal'
>
> Because you are getting a 401 and not a 500 it means that the principal
> is not being authenticated.
>
> I suspect that this is a kerberos problem. Can you check
> /var/log/krb5kdc to see if it is getting a service ticket request from
> your client?
>
> Another thing to try is to set LogLevel debug in
> /etc/httpd/conf.d/nss.conf and restart Apache. This will provide much
> more logging information on the Negotiate request from the client.
>
> rob


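As an added example (not code from this thread or from FreeIPA), here is a small Python check for the wrong-KDC condition Rob describes above: it parses a krb5.conf, reports whether dns_lookup_kdc and dns_lookup_realm are on, compares the kdc entries configured for the realm with what a `dig +short SRV _kerberos._udp.<domain>` answer advertises, and can rewrite the two flags to false so only the configured KDC is used. The krb5.conf text and the dig output are constructed samples; the realm and IPA server name are the ones from the thread, while the second SRV target ad-dc01.unix.vuw.ac.nz is hypothetical and stands in for an AD domain controller that DNS might also advertise. Pinning the lookups is one way to remove the ambiguity; the thread's own workaround is `ipa-client-install --force`.

```python
"""Which KDCs would this client contact: krb5.conf vs DNS SRV.
Added example for the thread above; not FreeIPA code. All inputs are constructed."""
import re

# Constructed krb5.conf in the shape ipa-client-install writes (not the poster's file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = UNIX.VUW.AC.NZ
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h

[realms]
 UNIX.VUW.AC.NZ = {
  kdc = vuwunicoipamt01.unix.vuw.ac.nz:88
  admin_server = vuwunicoipamt01.unix.vuw.ac.nz:749
 }

[domain_realm]
 .unix.vuw.ac.nz = UNIX.VUW.AC.NZ
 unix.vuw.ac.nz = UNIX.VUW.AC.NZ
"""

# Constructed output of: dig +short SRV _kerberos._udp.unix.vuw.ac.nz
# Fields are "priority weight port target."; ad-dc01 is a hypothetical AD DC.
SAMPLE_DIG_OUTPUT = """\
10 100 88 ad-dc01.unix.vuw.ac.nz.
0 100 88 vuwunicoipamt01.unix.vuw.ac.nz.
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat sections become {key: value}; a braced
    realm block becomes {realm: {key: [values]}} because 'kdc' may repeat."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        if line == "}":
            sub = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = section.setdefault(key, {})
        elif sub is not None:
            sub.setdefault(key, []).append(value)
        else:
            section[key] = value
    return conf


def _is_true(value):
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def _host(target):
    """Normalise 'host.example.:88' or 'host.example.' to 'host.example'."""
    return target.strip().rstrip(".").split(":")[0].lower()


def parse_dig_short_srv(output):
    """Turn 'dig +short SRV' lines into target hosts, lowest priority first,
    then highest weight (an approximation of the resolver's preference)."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        priority, weight, _port, target = parts
        records.append((int(priority), -int(weight), _host(target)))
    return [target for _, _, target in sorted(records)]


def audit_kdc_selection(krb5_conf_text, realm, dig_srv_output):
    """Compare the kdc entries configured for `realm` with what DNS advertises.
    Anything advertised but not configured is a candidate for the wrong-KDC
    symptom when dns_lookup_kdc is on."""
    conf = parse_krb5_conf(krb5_conf_text)
    libdefaults = conf.get("libdefaults", {})
    realm_block = conf.get("realms", {}).get(realm, {})
    configured = [_host(k) for k in realm_block.get("kdc", [])]
    advertised = parse_dig_short_srv(dig_srv_output)
    return {
        "dns_lookup_kdc": _is_true(libdefaults.get("dns_lookup_kdc", "false")),
        "dns_lookup_realm": _is_true(libdefaults.get("dns_lookup_realm", "false")),
        "configured": configured,
        "advertised": advertised,
        "unexpected": [h for h in advertised if h not in configured],
    }


def pin_dns_lookups(krb5_conf_text):
    """Return the config with dns_lookup_kdc and dns_lookup_realm set to false
    (inserted under [libdefaults] if absent) so only configured KDCs are used."""
    keys, out, seen = ("dns_lookup_kdc", "dns_lookup_realm"), [], set()
    for line in krb5_conf_text.splitlines():
        m = re.match(r"^(\s*)(dns_lookup_kdc|dns_lookup_realm)\s*=", line)
        if m:
            seen.add(m.group(2))
            out.append(f"{m.group(1)}{m.group(2)} = false")
        else:
            out.append(line)
    missing = [k for k in keys if k not in seen]
    if missing:
        idx = next((i + 1 for i, l in enumerate(out) if l.strip() == "[libdefaults]"), None)
        if idx is None:
            out.append("[libdefaults]")
            idx = len(out)
        for k in reversed(missing):
            out.insert(idx, f" {k} = false")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit_kdc_selection(SAMPLE_KRB5_CONF, "UNIX.VUW.AC.NZ", SAMPLE_DIG_OUTPUT)
    for key, value in report.items():
        print(f"{key:17} {value}")
    if report["dns_lookup_kdc"] and report["unexpected"]:
        print("DNS advertises a KDC not listed in krb5.conf; pinned config follows:")
        print(pin_dns_lookups(SAMPLE_KRB5_CONF))
```

On a real client, feed it `/etc/krb5.conf` and the live output of `dig +short SRV _kerberos._udp.unix.vuw.ac.nz`; if the audit lists an unexpected host while dns_lookup_kdc is true, that host is the first place to look in the KDC logs Rob asks about.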
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
