whats AWS?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Tuesday, 19 February 2013 3:35 p.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Cannot obtain CA Certificate On 02/18/2013 09:06 PM, John Moyer wrote: Peter, The client is pointing to DNS for the server. Here is the log info from the ipa-client-log (in /var/log/). I haven't tried the other stuff yet, I'll respond back when I get a chance to check out the CA cert things. 2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com<mailto:ipa-b...@example.com> 2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-b...@example.com<mailto:ipa-b...@example.com>: 2013-02-19T02:01:37Z DEBUG stderr= 2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com<UrlBlockedError.aspx> 2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/c...@example.com<mailto:krbtgt/c...@example.com> not found in Kerberos database) 2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/c...@example.com<mailto:krbtgt/c...@example.com> not found in Kerberos database)', 'desc': 'Local error'} 2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate 'ldap://ipa1.example.com'<UrlBlockedError.aspx> doesn't have a certificate. 2013-02-19T02:01:37Z DEBUG args=kdestroy 2013-02-19T02:01:37Z DEBUG stdout= 2013-02-19T02:01:37Z DEBUG stderr= Can the server resolve the client in the same way as client resolves itself? In AWS it might be an issue because it changes system names dynamically and thus you client host when restarted might have a different name or be not resolvable by the server. The fact that AWS changes names under you makes IPA not usable in AWS environment. https://fedorahosted.org/freeipa/ticket/2715 Thanks, _____________________________________________________ John Moyer Director, IT Operations Digital Reasoning Systems, Inc. john.mo...@digitalreasoning.com<mailto:john.mo...@digitalreasoning.com> Office: 703.678.2311 Mobile: 240.460.0023 Fax: 703.678.2312 www.digitalreasoning.com<http://www.digitalreasoning.com/> On Feb 18, 2013, at 8:42 PM, Peter Brown <rendhal...@gmail.com<mailto:rendhal...@gmail.com>> wrote: On 19 February 2013 11:03, John Moyer <john.mo...@digitalreasoning.com<mailto:john.mo...@digitalreasoning.com>> wrote: Peter, Thanks for the response, I just checked out my security group settings, I did have some ports blocked, however, allowing them did not help. I installed mmap on the client and did a port scan of the server and got the follow: PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 88/tcp open kerberos-sec 389/tcp open ldap 443/tcp open https 464/tcp open kpasswd5 636/tcp open ldapssl 749/tcp open kerberos-adm There is a couple of UDP ports that need to be open as well 464 and 88 from memory. They shouldn't affect your ability to download the ca cert. Have you checked the ipa-client log file? I can't remember where that gets saved right now but it should mention the location when you run the ipa-client command. I tried to enroll again and got the same error as seen here: Synchronizing time with KDC... ipa : ERROR Cannot obtain CA certificate Thanks, _____________________________________________________ John Moyer On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhal...@gmail.com<mailto:rendhal...@gmail.com>> wrote: Hi John, I ran into a similar issue with setting up a 2.2 client with a 3.1 server. It turned out to be that port 80 wasn't open on the freeipa server. I would check your ports and see if the right ones are open. I also find that setting up the SRV and TXT records in your dns zone makes setting up clients a lot simpler. On 19 February 2013 00:58, John Moyer <john.mo...@digitalreasoning.com<mailto:john.mo...@digitalreasoning.com>> wrote: Hello all, I am having an issue using IPA 2.2.0. I am trying to put together a proof of concept set of systems. I've stood up 2 servers on AWS. One is the server one is the client. I am using CentOS 6 to do all this testing on, with the default IPA packages provided from CentOS. I had a fully operational proof of concept finished fully scripted to be built without issues. I shutdown and started these as needed to show to people to get approval for the project. The other day the client stopped enrolling to the IPA server, I have no idea why I assume a patch pushed out broke something since it is a fully scripted install. It does get the most recent patches each time I stand it up so it definitely would pull any new patches that came out. After investigating I am getting this error when I try to manually enroll the client. I haven't been able to find any reference to this error anywhere on the net. Any help would be greatly appreciated! Let me know if any additional details are needed. PLEASE NOTE: Everything below has been sanitized [root@client ~]# ipa-client-install --domain=example.com<http://example.com/> --server=ipa1.example.com<http://ipa1.example.com/> --realm=EXAMPLE.COM<http://example.com/> --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U DNS domain 'example.com<http://example.com/>' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful! Hostname: client.ec2.internal Realm: EXAMPLE.COM<http://example.com/> DNS Domain: digitalreasoning.com<http://digitalreasoning.com/> IPA Server: ipa1.example.com<http://ipa1.example.com/> BaseDN: dc=example,dc=com Synchronizing time with KDC... ipa : ERROR Cannot obtain CA certificate 'ldap://ipa1.example.com' doesn't have a certificate. Installation failed. Rolling back changes. IPA client is not configured on this system. Thanks, _____________________________________________________ John Moyer _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com> https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com> https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
