Armstrong, Kenneth Lawrence wrote:
I am still having issues trying to get a RHEL 5.9 client to join a RHEL
6.4 IdM domain.

All packages on both systems updated.

First problem is this:

ipa-client-install --server lnxrealmtest01.liberty.edu --domain
lnxrealmtest.liberty.edu --enable-dns-updates

Which fails with:

root        : ERROR    Cannot obtain CA certificate
'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

All of the appropriate ports are open on the IdM server, and I verified
this by telnetting to all of them.

I worked around this by running this:

wget -O /etc/ipa/ca.crt http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt

Then ran:

ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
--domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
--ca-cert-file=/etc/ipa/ca.crt

And I was having better results, so apparently the RHEL 5.9
ipa-client-install does not want to download my cert.


On to the next problem:


User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@lnxrealmtest.liberty.edu:

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.


It is the same user that I use to log in to the web interface, and I am
100% positive that I am not entering the password incorrectly.  So why
else would the admin user not be able to bind to my IdM setup?

The client install log may have more details. And I'd check the KDC log (on server /var/log/krb5kdc.log) to see why the bind failed.

rob
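
One way to triage the KDC log mentioned in the reply above, as an added example (not code from this thread or from FreeIPA). The log lines are constructed in the usual krb5kdc.log layout with made-up hosts, addresses and realm, and `parse` and `failures_for` are hypothetical helper names.

```python
import re

# Constructed sample lines in the MIT krb5kdc.log layout; hosts, addresses,
# realm and timestamps are made up and do not come from the thread.
SAMPLE_LOG = """\
Jun 03 10:15:01 ipa01.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jun 03 10:15:01 ipa01.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: ISSUE: authtime 1370254501, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jun 03 10:15:02 ipa01.example.test krb5kdc[2101](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.15: UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.TEST for ldap/ipa01.example.org@EXAMPLE.TEST, Server not found in Kerberos database
Jun 03 10:15:09 ipa01.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Jun 03 10:15:10 ipa01.example.test krb5kdc[2101](info): closing down fd 12
"""

# Header of a request line: timestamp, KDC host, request type, client address, status.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Tail of a request line: "<client> for <service>[, <reason>]".
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)(?:, (?P<reason>.*))?$")
# Statuses that are part of a normal exchange, not a failure.
BENIGN = {"ISSUE", "NEEDED_PREAUTH"}

def parse(log_text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        p = PRINCIPALS.search(m.group("rest")) if m else None
        if not p:
            continue
        events.append({**m.groupdict(), **p.groupdict()})
    return events

def failures_for(events, client):
    """Requests by `client` that the KDC rejected, in log order."""
    return [e for e in events if e["client"] == client and e["status"] not in BENIGN]

if __name__ == "__main__":
    for e in failures_for(parse(SAMPLE_LOG), "admin@EXAMPLE.TEST"):
        print(e["ts"], e["addr"], e["req"], e["status"], e["service"], "-", e["reason"])
```

Splitting AS_REQ from TGS_REQ shows whether the password step or the later service-ticket request was rejected, which the client-side "SASL Bind failed" message does not distinguish.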
