I have 3 x AD setups but the client points to the right DNS domain and the IPA server for DNS....I can halt all the ADs and re-try.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 4 August 2011 9:38 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> Hopefully these will help.

It shows that you have two clients, one of which has a working libcurl
and another that does not.

The client 130.195.53.109 does not have a working libcurl as can be seen
in the error log with the error "Client didn't delegate us their
credential" and the principal error. The HTTP response is a 500.

The second client is 130.195.53.104 and does have a working libcurl. The
authentication is not accepted though and the request rejected with a 401.

Do you have another KDC somewhere on your network? In the RHEL bits we
had dns_lookup_kdc and dns_realm_kdc both set to True which causes the
enrollment to use the wrong KDC even if you have things otherwise entered
properly. You should be able to work around this by using the --force
flag in ipa-client-install.

rob

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 4 August 2011 8:42 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> Client
>> ==========
>> rhel61-64cl04.unix.vuw.ac.nz
>> Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> libcurl-7.19.7-26.el6.x86_64
>> Red Hat Enterprise Linux Client release 6.1 (Santiago)
>> ==========
>>
>> Server
>> ==========
>> Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> libcurl-7.19.7-26.el6_1.1.x86_64
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> ipa-server-2.0.0-23.el6_1.1.x86_64
>> Red Hat Enterprise Linux Server release 6.1 (Santiago)
>> ==========
>>
>> install output
>> ==========
>> [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
>> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None}
>> root : DEBUG missing options might be asked for interactively later
>>
>> root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root : DEBUG [ipacheckldap]
>> root : DEBUG args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root : DEBUG stdout=
>> root : DEBUG stderr=--2011-08-03 09:01:14-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/tmp/tmpaaTaqF/ca.crt'
>>
>> 0K 100% 132M=0s
>>
>> 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]
>>
>>
>> root : DEBUG Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
>> root : DEBUG Search rootdse
>> root : DEBUG Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
>> root : DEBUG Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})]
>> root : DEBUG Search for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub)
>> root : DEBUG Found: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
>> root : DEBUG will use domain: unix.vuw.ac.nz
>>
>> root : DEBUG will use server: vuwunicoipamt01.unix.vuw.ac.nz
>>
>> Discovery was successful!
>> root : DEBUG will use cli_realm: UNIX.VUW.AC.NZ
>>
>> root : DEBUG will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz
>>
>> Hostname: rhel61-64cl04.unix.vuw.ac.nz
>> Realm: UNIX.VUW.AC.NZ
>> DNS Domain: unix.vuw.ac.nz
>> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
>> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>>
>>
>> Continue to configure the system with these values? [no]: yes
>> Enrollment principal: admin
>> root : DEBUG will use principal: admin
>>
>> root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root : DEBUG stdout=
>> root : DEBUG stderr=--2011-08-03 09:01:22-- http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/etc/ipa/ca.crt'
>>
>> 0K 100% 96.5M=0s
>>
>> 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]
>>
>>
>> Password for ad...@unix.vuw.ac.nz:
>> root : DEBUG args=kinit ad...@unix.vuw.ac.nz
>> root : DEBUG stdout=Password for ad...@unix.vuw.ac.nz:
>>
>> root : DEBUG stderr=
>>
>> root : DEBUG args=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d
>> root : DEBUG stdout=
>> root : DEBUG stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n
>> <methodCall>\r\n
>> <methodName>join</methodName>\r\n
>> <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> HTTP response code is 401, not 200
>>
>> Joining realm failed because of failing XML-RPC request.
>> This error may be caused by incompatible server/client major versions.
>> root : DEBUG args=kdestroy
>> root : DEBUG stdout=
>> root : DEBUG stderr=
>> [root@rhel61-64cl04 ~]#
>> ==========
>>
>> Error log
>> ==========
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored
>> [Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
>> [Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
>> [Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest authentication ...
>> [Wed Aug 03 09:04:58 2011] [notice] Digest: done
>> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
>> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
>> [Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
>> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
>> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
>> ==========
>>
>
> This appears to be a different issue. If it were the libcurl problem on
> the server side we would see something like:
>
> AttributeError: 'thread._local' object has no attribute 'principal'
>
> Because you are getting a 401 and not a 500 it means that the principal
> is not being authenticated.
>
> I suspect that this is a kerberos problem. Can you check
> /var/log/krb5kdc to see if it is getting a service ticket request from
> your client?
>
> Another thing to try is to set LogLevel debug in
> /etc/httpd/conf.d/nss.conf and restart Apache. This will provide much
> more logging information on the Negotiate request from the client.
>
> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
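Added illustration, not from the thread and not FreeIPA or MIT krb5 code: a small Python checker that parses a krb5.conf and reports whether the KDC for a realm, and the realm for the client's DNS domain, will be taken from DNS rather than from the file. That is the condition Rob points at (dns_lookup_kdc on with no kdc pinned for the realm, so enrollment can land on another KDC on the network); krb5.conf spells the second option dns_lookup_realm. The two config fragments are constructed; the realm, domain and server name are the ones in the thread, and the defaults assumed for absent options are the MIT krb5 ones (dns_lookup_kdc true, dns_lookup_realm false).

```python
"""Report where a krb5.conf will get its KDC and realm from: the file or DNS."""
import re

# Constructed krb5.conf fragments (not taken from the thread). Realm, domain
# and server name are the thread's; everything else is an assumption.
KRB5_DNS_DISCOVERY = """\
[libdefaults]
 default_realm = UNIX.VUW.AC.NZ
 dns_lookup_realm = true
 dns_lookup_kdc = true
"""

KRB5_PINNED = """\
[libdefaults]
 default_realm = UNIX.VUW.AC.NZ
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 UNIX.VUW.AC.NZ = {
  kdc = vuwunicoipamt01.unix.vuw.ac.nz:88
  admin_server = vuwunicoipamt01.unix.vuw.ac.nz:749
 }

[domain_realm]
 .unix.vuw.ac.nz = UNIX.VUW.AC.NZ
 unix.vuw.ac.nz = UNIX.VUW.AC.NZ
"""

# MIT krb5 defaults applied when the option is absent from [libdefaults].
_DEFAULTS = {"dns_lookup_kdc": "true", "dns_lookup_realm": "false"}


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    Top level: section name -> dict. A `key = value` line maps key to a list
    of values (repeated keys accumulate); a `name = {` ... `}` block maps name
    to a nested dict. Comments after '#' and blank lines are ignored.
    """
    sections = {}
    stack = []  # innermost open dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([\w-]+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # line before any section header
        if line.endswith("{"):
            name = line[:-1].strip().rstrip("=").strip()
            stack.append(stack[-1].setdefault(name, {}))
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1].setdefault(key, []).append(value)
    return sections


def _enabled(libdefaults, key):
    """Boolean value of a [libdefaults] option, last occurrence wins."""
    value = libdefaults.get(key, [_DEFAULTS[key]])[-1].lower()
    return value in ("true", "yes", "on", "1")


def kdc_discovery_findings(conf, realm, domain):
    """Return (code, message) pairs for realm/KDC data that will come from DNS."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm_block = conf.get("realms", {}).get(realm, {})
    explicit_kdcs = realm_block.get("kdc", []) if isinstance(realm_block, dict) else []
    # Explicit kdc entries take precedence; SRV lookup only fills a gap.
    if _enabled(libdefaults, "dns_lookup_kdc") and not explicit_kdcs:
        findings.append(("KDC_FROM_DNS",
                         "no kdc listed for %s and dns_lookup_kdc is on: the KDC is "
                         "chosen from DNS SRV records, so with other KDCs on the "
                         "network enrollment can talk to the wrong one" % realm))
    domain_realm = conf.get("domain_realm", {})
    d = domain.lower()
    mapped = any(d == k.lower() or (k.startswith(".") and d.endswith(k.lower()))
                 for k in domain_realm)
    if _enabled(libdefaults, "dns_lookup_realm") and not mapped:
        findings.append(("REALM_FROM_DNS",
                         "no [domain_realm] mapping for %s and dns_lookup_realm is "
                         "on: the realm name is taken from DNS TXT records" % domain))
    return findings


if __name__ == "__main__":
    for label, text in (("dns-discovery", KRB5_DNS_DISCOVERY), ("pinned", KRB5_PINNED)):
        conf = parse_krb5_conf(text)
        print(label, kdc_discovery_findings(conf, "UNIX.VUW.AC.NZ", "unix.vuw.ac.nz"))
```

Run against a real /etc/krb5.conf by reading the file into `parse_krb5_conf`; an empty findings list means the realm's KDC and the domain-to-realm mapping are fixed in the file, which is the state the --force workaround in the thread is standing in for.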