On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
> Ok, if I have time, I'll try with a RHEL 5.8 client today.
>
>
> As for debug output, this is what I get:
>
> [root@r5-idmclient ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
> 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
> 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
> 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
> None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
> root : ERROR LDAP Error: Connect error: TLS: hostname does not
> match CN in peer certificate
> root : DEBUG will use domain: lnxrealmtest.liberty.edu
>
> root : DEBUG will use server: lnxrealmtest01.liberty.edu
>
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
> and lnxrealmtest.lnxrealmtest.liberty.edu.
>
> The part that confuses me (I'm still new to the innards of SSL) is this:
>
> LDAP Error: Connect error: TLS: hostname does not match CN in peer
> certificate
>
> When I look at the cert using:
>
> openssl x509 -in /etc/ipa/ca.crt -noout -text
>
> I see this:
>
> Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
> Validity
> Not Before: Jul 25 18:22:53 2013 GMT
> Not After : Jul 25 18:22:53 2033 GMT
> Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>
>
> and ...
>
> OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp

No, you looked at the wrong certificate. To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert

rob

Ok, that makes sense. The CN in that cert is correct, so I corrected my command. It's still failing on binding a user it looks like.

I've attached the complete output.

-Kenny
[root@r5-idmclient ~]# ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': 'lnxrealmtest01.lnxrealmtest.liberty.edu', 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt', 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG Init ldap with: ldap://lnxrealmtest01.lnxrealmtest.liberty.edu:389
root : DEBUG Search LDAP server for IPA base DN
root : DEBUG Check if naming context 'dc=lnxrealmtest,dc=liberty,dc=edu' is for IPA
root : DEBUG Naming context 'dc=lnxrealmtest,dc=liberty,dc=edu' is a valid IPA context
root : DEBUG Search for (objectClass=krbRealmContainer) in dc=lnxrealmtest,dc=liberty,dc=edu(sub)
root : DEBUG Found: [('cn=LNXREALMTEST.LIBERTY.EDU,cn=kerberos,dc=lnxrealmtest,dc=liberty,dc=edu', {'krbSubTrees': ['dc=lnxrealmtest,dc=liberty,dc=edu'], 'cn': ['LNXREALMTEST.LIBERTY.EDU'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
root : DEBUG will use domain: lnxrealmtest.liberty.edu
root : DEBUG will use server: lnxrealmtest01.lnxrealmtest.liberty.edu
DNS domain 'lnxrealmtest.liberty.edu' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
root : DEBUG will use cli_realm: LNXREALMTEST.LIBERTY.EDU
root : DEBUG will use cli_basedn: dc=lnxrealmtest,dc=liberty,dc=edu
Hostname: r5-idmclient.lnxrealmtest.liberty.edu
Realm: LNXREALMTEST.LIBERTY.EDU
DNS Domain: lnxrealmtest.liberty.edu
IPA Server: lnxrealmtest01.lnxrealmtest.liberty.edu
BaseDN: dc=lnxrealmtest,dc=liberty,dc=edu
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
root : DEBUG will use principal: admin
Synchronizing time with KDC...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b lnxrealmtest01.lnxrealmtest.liberty.edu
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG Writing Kerberos configuration to /tmp/tmpjdlwWE:
#File modified by ipa-client-install
[libdefaults]
  default_realm = LNXREALMTEST.LIBERTY.EDU
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
[realms]
  LNXREALMTEST.LIBERTY.EDU = {
    kdc = lnxrealmtest01.lnxrealmtest.liberty.edu:88
    admin_server = lnxrealmtest01.lnxrealmtest.liberty.edu:749
    default_domain = lnxrealmtest.liberty.edu
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
  lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
Password for ad...@lnxrealmtest.liberty.edu:
root : DEBUG args=kinit ad...@lnxrealmtest.liberty.edu
root : DEBUG stdout=Password for ad...@lnxrealmtest.liberty.edu:
root : DEBUG stderr=
root : DEBUG trying to retrieve CA cert from file /etc/ipa/ca.crt
root : DEBUG CA cert provided by user, use it!
root : DEBUG args=/usr/sbin/ipa-join -s lnxrealmtest01.lnxrealmtest.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu -d
root : DEBUG stdout=
root : DEBUG stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.18-348.12.1.el5</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 668655 (300000ms)
* Trying 10.203.60.225...
* Expire at 1374849129 / 668819 (300000ms)
* Expire at 1374849129 / 669364 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
* start date: 2013-07-25 18:27:02 GMT
* expire date: 2015-07-26 18:27:02 GMT
* common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
* issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 21 May 2013 05:58:14 GMT
< ETag: "7f4ae-55a-4dd342284a980"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
* Expire cleared
* Closing connection #0
* Issue another request to this URL: 'https://lnxrealmtest01.lnxrealmtest.liberty.edu:443/ipa/xml'
* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 836783 (300000ms)
* Trying 10.203.60.225...
* Expire at 1374849129 / 836832 (300000ms)
* Expire at 1374849129 / 837258 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL re-using session ID
* SSL connection using AES256-SHA
* Server certificate:
* subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
* start date: 2013-07-25 18:27:02 GMT
* expire date: 2015-07-26 18:27:02 GMT
* common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
* issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 200 Success
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
* Added cookie ipa_session="990285779c106b0e0befd81140292a7e" for domain lnxrealmtest01.lnxrealmtest.liberty.edu, path /ipa, expire 1374850029
< Set-Cookie: ipa_session=990285779c106b0e0befd81140292a7e; Domain=lnxrealmtest01.lnxrealmtest.liberty.edu; Path=/ipa; Expires=Fri, 26 Jul 2013 14:47:09 GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain; charset=UTF-8
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=LNXREALMTEST.LIBERTY.EDU</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>cn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managing_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>ce85845c-f55f-11e2-96b8-0050568821b2</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/r5-idmclient.lnxrealmtest.liberty....@lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>serverhostname</name>\n
<value><array><data>\n
<value><string>r5-idmclient</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
SASL Bind failed Local error (-2) !
child exited with 9
Joining realm failed: XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.18-348.12.1.el5</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 668655 (300000ms)
* Trying 10.203.60.225...
* Expire at 1374849129 / 668819 (300000ms)
* Expire at 1374849129 / 669364 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
* start date: 2013-07-25 18:27:02 GMT
* expire date: 2015-07-26 18:27:02 GMT
* common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
* issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 21 May 2013 05:58:14 GMT
< ETag: "7f4ae-55a-4dd342284a980"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
* Expire cleared
* Closing connection #0
* Issue another request to this URL: 'https://lnxrealmtest01.lnxrealmtest.liberty.edu:443/ipa/xml'
* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 836783 (300000ms)
* Trying 10.203.60.225...
* Expire at 1374849129 / 836832 (300000ms)
* Expire at 1374849129 / 837258 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL re-using session ID
* SSL connection using AES256-SHA
* Server certificate:
* subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
* start date: 2013-07-25 18:27:02 GMT
* expire date: 2015-07-26 18:27:02 GMT
* common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
* issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 200 Success
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
* Added cookie ipa_session="990285779c106b0e0befd81140292a7e" for domain lnxrealmtest01.lnxrealmtest.liberty.edu, path /ipa, expire 1374850029
< Set-Cookie: ipa_session=990285779c106b0e0befd81140292a7e; Domain=lnxrealmtest01.lnxrealmtest.liberty.edu; Path=/ipa; Expires=Fri, 26 Jul 2013 14:47:09 GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain; charset=UTF-8
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=LNXREALMTEST.LIBERTY.EDU</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>cn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managing_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>ce85845c-f55f-11e2-96b8-0050568821b2</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/r5-idmclient.lnxrealmtest.liberty....@lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>serverhostname</name>\n
<value><array><data>\n
<value><string>r5-idmclient</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
SASL Bind failed Local error (-2) !
child exited with 9
root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@r5-idmclient ~]#
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
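
The two runs quoted in this thread stop at different stages: the first at the TLS name check on the LDAP connection, the second at the SASL bind that follows the join call. The Python code below is an added example, not part of the original message and not FreeIPA code, that classifies an ipa-client-install -d log by stage. The sample logs are constructed from lines quoted above, and triage, cn_matches and the stage labels are hypothetical names.

```python
import re

# Constructed samples: a few lines condensed from the two runs quoted in the thread.
FIRST_RUN = """\
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'server': 'lnxrealmtest01.liberty.edu', 'debug': True}
root : DEBUG Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
root : ERROR LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate
Installation failed. Rolling back changes.
"""
SECOND_RUN = """\
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'server': 'lnxrealmtest01.lnxrealmtest.liberty.edu', 'debug': True}
root : DEBUG Init ldap with: ldap://lnxrealmtest01.lnxrealmtest.liberty.edu:389
* subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
< HTTP/1.1 401 Authorization Required
< HTTP/1.1 200 Success
SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.
"""

SERVER_OPT = re.compile(r"'server': '([^']+)'")
CERT_CN = re.compile(r"^\* subject: .*?/CN=(\S+)", re.M)
HTTP_STATUS = re.compile(r"^< HTTP/1\.[01] (\d{3})", re.M)
CHILD_EXIT = re.compile(r"child exited with (\d+)")
TLS_NAME_ERROR = "hostname does not match CN in peer certificate"


def cn_matches(host, cn):
    """Case-insensitive comparison; '*' may replace the leftmost label only."""
    host, cn = host.lower().rstrip("."), cn.lower().rstrip(".")
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return host == cn


def triage(log):
    """Report which stage of an ipa-client-install -d run failed."""
    server = SERVER_OPT.search(log)
    child = CHILD_EXIT.search(log)
    host = server.group(1) if server else None
    cert_cns = sorted(set(CERT_CN.findall(log)))
    report = {
        "server": host,
        "cert_cns": cert_cns,
        # Certificate names seen in the curl trace that differ from --server.
        "cn_mismatch": [cn for cn in cert_cns if host and not cn_matches(host, cn)],
        "http_statuses": HTTP_STATUS.findall(log),
        "join_exit": int(child.group(1)) if child else None,
    }
    if TLS_NAME_ERROR in log or report["cn_mismatch"]:
        report["stage"] = "tls-hostname-check"
    elif "SASL Bind failed" in log:
        # No TLS name problem was logged; the failure is in the later SASL bind.
        report["stage"] = "sasl-bind"
    elif "Installation failed" in log:
        report["stage"] = "unclassified"
    else:
        report["stage"] = "none"
    return report


if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(name, triage(log))
```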