----- Original Message -----
> From: "Dmitri Pal" <d...@redhat.com>
> To: firstname.lastname@example.org
> Sent: Thursday, 25 July, 2013 11:35:32 PM
> Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to
> join, LDAP bind issue?

> On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
> > I am still having issues trying to get a RHEL 5.9 client to join a
> > RHEL 6.4 IdM domain.
>
> > All packages on both systems updated.
>
> > First problem is this:
>
> > ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> > lnxrealmtest.liberty.edu --enable-dns-updates
>
> > Which fails with:
>
> > root : ERROR Cannot obtain CA certificate
>
> > ' ldap://lnxrealmtest01.liberty.edu ' doesn't have a certificate.
>
> > Installation failed. Rolling back changes.
>
> > IPA client is not configured on this system.
>
> > All of the appropriate ports are open on the IdM server, and I
> > verified this by telnetting to all of them.
>
> > I worked around this by running this:
>
> > wget -O /etc/ipa/ca.crt
> > http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
>
> > Then ran:
>
> > ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> > --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> > --ca-cert-file=/etc/ipa/ca.crt
>
> > And I was having better results, so apparently the RHEL 5.9
> > ipa-client-install does not want to download my cert.
>
> This rings the bell. It sounds like a known issue for 5.9 openssl
> libraries.
> Rob can you add details please?
>
> > On to the next problem:
>
> > User authorized to enroll computers: admin
>
> > Synchronizing time with KDC...
>
> > Password for ad...@lnxrealmtest.liberty.edu :
>
> > Joining realm failed: SASL Bind failed Local error (-2) !
>
> > child exited with 9
>
> > Installation failed. Rolling back changes.
>

Run ipa-client-install with "-d" debug flag to get more information. I've had the same issue due to DNS reverse for the server not being correct (check the krb log in the server)

> > It is the same user that I use to login to the web interface, and I
> > am 100% positive that I am not entering the password incorrectly.
> > So
> > why else would the admin user not be able to bind to my IdM setup?
>
> > -Kenny
>
> > _______________________________________________
>
> > Freeipa-users mailing list Freeipaemail@example.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Eduardo Mínguez Pérez
Infrastructure Consultant (RHCE, RHCSA)
Red Hat - Spain
Mobile: +34 629803049 (CET/CEST)
E-mail: eming...@redhat.com
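The reply above attributes the "SASL Bind failed Local error (-2)" join failure to incorrect reverse DNS for the server. As an added example (not code from the thread or from FreeIPA), the Python below checks that every address the server name resolves to has a PTR record naming that same host; the function names `fcrdns_check` and `table_resolver` are hypothetical, and the host name and address are constructed documentation values.

```python
import socket


def table_resolver(table):
    """Build a lookup function over a dict; a miss raises OSError like a failed DNS query."""
    def lookup(key):
        if key not in table:
            raise OSError("no record for %s" % key)
        return table[key]
    return lookup


def fcrdns_check(server, forward=None, reverse=None):
    """Return (ok, findings): every address of `server` must have a PTR naming `server`."""
    # Defaults use the system resolver; the demo and tests inject lookup tables.
    forward = forward or (lambda host: socket.gethostbyname_ex(host)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    want = server.rstrip(".").lower()
    try:
        addrs = forward(server)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, ["forward lookup of %s failed: %s" % (want, exc)]
    findings = []
    for ip in addrs:
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError as exc:  # socket.herror: no PTR record
            findings.append("%s has no usable PTR record (%s)" % (ip, exc))
            continue
        if ptr != want:
            findings.append("%s reverse-resolves to %s, not %s" % (ip, ptr, want))
    if not addrs:
        findings.append("%s has no addresses" % want)
    return not findings, findings


# Constructed sample data (documentation names and addresses, not from the thread).
SERVER = "ipa01.idm.example.test"
FORWARD = {SERVER: ["192.0.2.10"]}
PTR_GOOD = {"192.0.2.10": "ipa01.idm.example.test."}
PTR_WRONG = {"192.0.2.10": "ipa01.example.test"}  # PTR left in the parent zone

if __name__ == "__main__":
    for label, ptrs in (("good", PTR_GOOD), ("wrong", PTR_WRONG), ("missing", {})):
        ok, findings = fcrdns_check(SERVER, table_resolver(FORWARD), table_resolver(ptrs))
        print(label, "OK" if ok else "FAIL", findings)
```

On a real client, calling `fcrdns_check` with only the server's host name uses the system resolver instead of the constructed tables.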