Steven Jones wrote:
Hi,

Trying with two rhel61-64bit-clones "04" and "05"....

They should give the same failures, but they are not?......confused. 04 (the first clone) has 
1/2 joined as it's in IPA, but it doesn't say "enrolled and a date"; 05 failed 
totally.

04 is failing because it apparently still has an updated libcurl. It is getting a 500 error back. The installation continues because you had the --force flag. This means it proceeds on errors, so it tried to set things up, but since it didn't get a keytab sssd can't authenticate.

05 actually enrolled successfully but was unable to retrieve a keytab. You can try running ipa-getkeytab from the command-line again. To do this you'll need to copy a krb5.conf from a working system (say the IPA server).

# kinit admin
# ipa-getkeytab -s vuwunicoipamt01.unix.vuw.ac.nz -k /etc/krb5.keytab -p host/rhel61-64cl04.unix.vuw.ac...@unix.vuw.ac.nz

You may also want to look at the krb5kdc.log and the 389-ds access log, they may hold clues as well.


I know I'm short on sleep but I really don't understand what's going on here and 
why it's so hard to make basic stuff work.

:/

I have included the logs of each, logs of the IPA server and outputs from the 
attempt to join, from each guest.  Anything else needed?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 5 August 2011 8:42 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Hi,

Yes the first is F15.

I am halting all the AD machines; I will retry without the --force first to test 
this. When I built IPA originally there was no AD to conflict.

However it's plain weird because the RHEL6.1 client points to the IPA server for 
DNS.

I will get back to you.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 5 August 2011 1:24 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
Hi,

I have also done this on a new f15 client and it also fails.

But it's saying,

500 and not 401 which is the rhel6.1 failure.

"HTTP response code is 401, not 200"  == RHEL61
"HTTP response code is 500, not 200" == FED15

Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in
a previous log it has a libcurl that does not do ticket delegation.

500 is an HTTP server error, we assume a principal will be there and it
isn't and things blow up (this is handled more gracefully in our dev tree).

401 is a HTTP authorization error, the user provided is not allowed to
access the server. I'm guessing this is because the client is using the
wrong kerberos server. We have this addressed too in the dev tree, we
disable dns lookups in krb5.conf. In the meantime --force should make it
use the info you provide.

rob




==============
more fed15-install-error
[root@fed15-64-ws02 ~]# ipa-client-install --mkhomedir --server 
vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': True, 'domain': 'unix.vuw.ac.nz'
, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': 
False, 'server': 'vuwunicoipamt01.unix.vuw.
ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 
'debug': True, 'on_master': False, 'ntp_server'
: None, 'mkhomedir': True, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpsyC9Zx/ca.crt 
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-08-03 15:18:07--  
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: “/tmp/tmpsyC9Zx/ca.crt”

       0K                                                       100%  111M=0s

2011-08-03 15:18:07 (111 MB/s) - “/tmp/tmpsyC9Zx/ca.crt” saved [779/779]


root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
root        : DEBUG    Search rootdse
root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': 
['top', 'domain', 'pilotObject', 'nisDomainOb
ject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': 
['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': [
'unix.vuw.ac.nz']})]
root        : DEBUG    Search for (objectClass=krbRealmContainer) in 
dc=unix,dc=vuw,dc=ac,dc=nz(sub)
root        : DEBUG    Found: 
[('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': 
['dc=unix,dc=vu
w,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': 
['aes256-cts:special', 'aes128-cts:special', 'des3-hma
c-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 
'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScop
e': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special
', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 
'arcfour-hmac:special', 'des-hmac-sha1:normal'
, 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 
'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMax
RenewableAge': ['604800']})]
root        : DEBUG    will use domain: unix.vuw.ac.nz

root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz

Discovery was successful!
root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ

root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz

Hostname: fed15-64-ws02.unix.vuw.ac.nz
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
root        : DEBUG    will use principal: admin

root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt 
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-08-03 15:18:12--  
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: “/etc/ipa/ca.crt”

       0K                                                       100%  112M=0s

2011-08-03 15:18:12 (112 MB/s) - “/etc/ipa/ca.crt” saved [779/779]


root        : DEBUG    Writing Kerberos configuration to /tmp/tmpiFqnW9:
#File modified by ipa-client-install

[libdefaults]
    default_realm = UNIX.VUW.AC.NZ
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    UNIX.VUW.AC.NZ = {
      pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

[domain_realm]
    .unix.vuw.ac.nz = UNIX.VUW.AC.NZ
    unix.vuw.ac.nz = UNIX.VUW.AC.NZ

[appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }

Password for ad...@unix.vuw.ac.nz:
root        : DEBUG    args=kinit ad...@unix.vuw.ac.nz
root        : DEBUG    stdout=Password for ad...@unix.vuw.ac.nz:

root        : DEBUG    stderr=

root        : DEBUG    args=/usr/sbin/ipa-join -s 
vuwunicoipamt01.unix.vuw.ac.nz -d
root        : DEBUG    stdout=
root        : DEBUG    stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>fed15-64-ws02.unix.vuw.ac.nz</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.38.6-26.rc1.fc15.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

HTTP response code is 500, not 200

Joining realm failed because of failing XML-RPC request.
    This error may be caused by incompatible server/client major versions.
root        : DEBUG    args=kdestroy
root        : DEBUG    stdout=
root        : DEBUG    stderr=
[root@fed15-64-ws02 ~]#
=======================

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

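Rob's explanation above is that the 401 comes from the client being pointed at the wrong Kerberos server by DNS, and that the fix in the dev tree is to disable DNS lookups in krb5.conf. The following is an added example (not code from the thread or from FreeIPA) that applies that change to the krb5.conf ipa-client-install wrote: it turns both dns_lookup switches off and pins the IPA server as kdc/admin_server for the realm. The sample config is constructed from the one shown in the log, and the ports 88/749 are assumed MIT defaults.

```python
"""Added example: pin the KDC in the krb5.conf that ipa-client-install wrote.
Sets the DNS lookup switches to false and adds explicit kdc/admin_server
lines for the realm, so SRV records from another domain (e.g. AD) cannot
steer the client to the wrong KDC.  Ports 88/749 are assumed defaults."""
import re

# Constructed from the krb5.conf shown in the thread's install log.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = UNIX.VUW.AC.NZ
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    UNIX.VUW.AC.NZ = {
      pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

[domain_realm]
    .unix.vuw.ac.nz = UNIX.VUW.AC.NZ
    unix.vuw.ac.nz = UNIX.VUW.AC.NZ
"""

def lookup_flags(conf):
    """Return the dns_lookup_realm / dns_lookup_kdc settings found in conf as booleans."""
    flags = {}
    for m in re.finditer(r"^\s*(dns_lookup_(?:realm|kdc))\s*=\s*(\S+)", conf, re.M):
        flags[m.group(1)] = m.group(2).lower() == "true"
    return flags

def pin_kdc(conf, realm, server):
    """Return conf with DNS KDC discovery off and `server` pinned for `realm`.
    Raises ValueError if the realm has no block under [realms]."""
    out, section, pinned = [], None, False
    for line in conf.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"\[\w+\]", stripped):
            section = stripped[1:-1]          # entering a new section
        elif section == "libdefaults":
            key = stripped.partition("=")[0].strip()
            if key in ("dns_lookup_realm", "dns_lookup_kdc"):
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}{key} = false"  # stop trusting SRV records
        elif section == "realms" and stripped == f"{realm} = {{":
            out.append(line)                  # keep the opening brace line
            indent = line[: len(line) - len(line.lstrip())] + "  "
            out.append(f"{indent}kdc = {server}:88")
            out.append(f"{indent}admin_server = {server}:749")
            pinned = True
            continue
        out.append(line)
    if not pinned:
        raise ValueError(f"no [realms] block for {realm}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(pin_kdc(SAMPLE_CONF, "UNIX.VUW.AC.NZ", "vuwunicoipamt01.unix.vuw.ac.nz"))
```

Run it against /etc/krb5.conf on the failing client and compare with lookup_flags() before and after; a client that still shows both flags as true is still free to pick up an AD KDC from DNS.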
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 3 August 2011 9:35 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Hi,

Client
==========
rhel61-64cl04.unix.vuw.ac.nz
Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-client-2.0.0-23.el6_1.1.x86_64
libcurl-7.19.7-26.el6.x86_64
Red Hat Enterprise Linux Client release 6.1 (Santiago)
==========

Server
==========
Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 
2011 x86_64 x86_64 x86_64 GNU/Linux
libcurl-7.19.7-26.el6_1.1.x86_64
ipa-client-2.0.0-23.el6_1.1.x86_64
ipa-server-2.0.0-23.el6_1.1.x86_64
Red Hat Enterprise Linux Server release 6.1 (Santiago)
==========

install output
==========
[root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server 
vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': 
False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 
'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 
'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 
'mkhomedir': True, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt 
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-08-03 09:01:14--  
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: `/tmp/tmpaaTaqF/ca.crt'

       0K                                                       100%  132M=0s

2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]


root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
root        : DEBUG    Search rootdse
root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': 
['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 
'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 
'nisDomain': ['unix.vuw.ac.nz']})]
root        : DEBUG    Search for (objectClass=krbRealmContainer) in 
dc=unix,dc=vuw,dc=ac,dc=nz(sub)
root        : DEBUG    Found: 
[('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': 
['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 
'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 
'krbMaxRenewableAge': ['604800']})]
root        : DEBUG    will use domain: unix.vuw.ac.nz

root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz

Discovery was successful!
root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ

root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz

Hostname: rhel61-64cl04.unix.vuw.ac.nz
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
root        : DEBUG    will use principal: admin

root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt 
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-08-03 09:01:22--  
http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 779 [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

       0K                                                       100% 96.5M=0s

2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]


Password for ad...@unix.vuw.ac.nz:
root        : DEBUG    args=kinit ad...@unix.vuw.ac.nz
root        : DEBUG    stdout=Password for ad...@unix.vuw.ac.nz:

root        : DEBUG    stderr=

root        : DEBUG    args=/usr/sbin/ipa-join -s 
vuwunicoipamt01.unix.vuw.ac.nz -d
root        : DEBUG    stdout=
root        : DEBUG    stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

HTTP response code is 401, not 200

Joining realm failed because of failing XML-RPC request.
    This error may be caused by incompatible server/client major versions.
root        : DEBUG    args=kdestroy
root        : DEBUG    stdout=
root        : DEBUG    stderr=
[root@rhel61-64cl04 ~]#
==========

Error log
==========
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) 
in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
[Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
[Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as 
context unconfined_u:system_r:httpd_t:s0
[Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: 
/usr/sbin/suexec)
[Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest 
authentication ...
[Wed Aug 03 09:04:58 2011] [notice] Digest: done
[Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 
configured -- resuming normal operations
[Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
==========


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 3 August 2011 1:48 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:

Yes....enrolment now fails, previous messages I attached show that I think, it 
used to work.

History, I had to remove all my working IPA clients due to a disk space problem 
on our SAN (we didn't have any).  So I managed to keep the working IPA server 
and 2 x RHEL5 64 bit servers and the one un-configured template of RHEL6.1 
64bit client I had. This I used to make client side clones of previously and 
connected them to IPA server and they worked.

So last week I went back and with a running ipa server, I cloned in the old 
client/template and got the mismatch, so I put them on the production network 
and patched, same mismatch problem.

I can do a sosreport of the old template I think and the client to look at the 
differences if that helps.

I'm having a hard time following exactly what you are doing, on what
machine. I think we need to be more systematic.

Can you choose a machine to act as the client and provide the following:

- distro and architecture (e.g. RHEL 6.1 on x86_64)
- rpm -q curl libcurl
- rpm -q ipa-client

On the IPA server:
- rpm -q ipa-server

Start with a client that is not enrolled. If it has previously been
enrolled run: ipa-client-install --uninstall -U

Now run ipa-client-install and answer the questions as appropriate for
your install.

If it fails please provide the following:
- any stdout you get from the client install
- attach the full /var/log/ipaclient-install.log
- attach the last 100 lines from /var/log/httpd/error_log from the IPA
server

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
