----- Original Message -----

> From: "Dmitri Pal" <d...@redhat.com>
> To: freeipa-users@redhat.com
> Sent: Thursday, 25 July, 2013 11:35:32 PM
> Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to
> join, LDAP bind issue?

> On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
> > I am still having issues trying to get a RHEL 5.9 client to join a
> > RHEL 6.4 IdM domain.
> 

> > All packages on both systems updated.
> 

> > First problem is this:
> 

> > ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> > lnxrealmtest.liberty.edu --enable-dns-updates
> 

> > Which fails with:
> 

> > root : ERROR Cannot obtain CA certificate
> 
> > ' ldap://lnxrealmtest01.liberty.edu ' doesn't have a certificate.
> 
> > Installation failed. Rolling back changes.
> 
> > IPA client is not configured on this system.
> 

> > All of the appropriate ports are open on the IdM server, and I
> > verified this by telnetting to all of them.
> 

> > I worked around this by running this:
> 

> > wget -O /etc/ipa/ca.crt
> > http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
> 

> > Then ran:
> 

> > ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> > --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> > --ca-cert-file=/etc/ipa/ca.crt
> 

> > And I was having better results, so apparently the RHEL 5.9
> > ipa-client-install does not want to download my cert.
> 

> This rings the bell. It sounds like a known issue for 5.9 openssl
> libraries.
> Rob can you add details please?

> > On to the next problem:
> 

> > User authorized to enroll computers: admin
> 
> > Synchronizing time with KDC...
> 
> > Password for ad...@lnxrealmtest.liberty.edu :
> 

> > Joining realm failed: SASL Bind failed Local error (-2) !
> 
> > child exited with 9
> 
> > Installation failed. Rolling back changes.
> 

Run ipa-client-install with "-d" debug flag to get more information. I've had 
the same issue due to DNS reverse for the server not being correct (check the 
krb log in the server) 

> > It is the same user that I use to login to the web interface, and I
> > am 100% positive that I am not entering the password incorrectly.
> > So
> > why else would the admin user not be able to bind to my IdM setup?
> 

> > -Kenny
> 

> > _______________________________________________
> 
> > Freeipa-users mailing list Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> --
> Thank you,
> Dmitri Pal

> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-- 

Eduardo Mínguez Pérez 
Infrastructure Consultant (RHCE, RHCSA) 
Red Hat - Spain 
Mobile: +34 629803049 (CET/CEST) 
E-mail: eming...@redhat.com 
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to