On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:

Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
> Ok, if I have time, I'll try with a RHEL 5.8 client today.
>
>
> As for debug output, this is what I get:
>
> [root@r5-idmclient ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
> 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
> 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
> 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
> None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
> root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
> match CN in peer certificate
> root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>
> root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
> and lnxrealmtest.lnxrealmtest.liberty.edu.
>
> The part that confuses me (I'm still new to the innards of SSL) is this:
>
> LDAP Error: Connect error: TLS: hostname does not match CN in peer
> certificate
>
> When I look at the cert using:
>
> openssl x509 -in /etc/ipa/ca.crt -noout -text
>
> I see this:
>
> Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>          Validity
>              Not Before: Jul 25 18:22:53 2013 GMT
>              Not After : Jul 25 18:22:53 2033 GMT
>          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>
>
> and ...
>
> OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp

No, you looked at the wrong certificate.

To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert

rob


Ok, that makes sense.  The CN in that cert is correct, so I corrected my 
command.  It's still failing on binding a user it looks like.

I've attached the complete output.

-Kenny
[root@r5-idmclient ~]# ipa-client-install --server 
lnxrealmtest01.lnxrealmtest.liberty.edu --domain lnxrealmtest.liberty.edu 
--enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', 'uninstall': False, 
'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 
'permit': False, 'server': 'lnxrealmtest01.lnxrealmtest.liberty.edu', 
'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 
'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': 
'/etc/ipa/ca.crt', 'realm_name': None, 'unattended': None, 'ntp_server': None, 
'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Init ldap with: 
ldap://lnxrealmtest01.lnxrealmtest.liberty.edu:389
root        : DEBUG    Search LDAP server for IPA base DN
root        : DEBUG    Check if naming context 
'dc=lnxrealmtest,dc=liberty,dc=edu' is for IPA
root        : DEBUG    Naming context 'dc=lnxrealmtest,dc=liberty,dc=edu' is a 
valid IPA context
root        : DEBUG    Search for (objectClass=krbRealmContainer) in 
dc=lnxrealmtest,dc=liberty,dc=edu(sub)
root        : DEBUG    Found: 
[('cn=LNXREALMTEST.LIBERTY.EDU,cn=kerberos,dc=lnxrealmtest,dc=liberty,dc=edu', 
{'krbSubTrees': ['dc=lnxrealmtest,dc=liberty,dc=edu'], 'cn': 
['LNXREALMTEST.LIBERTY.EDU'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 
'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 
'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 
'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 
'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 
'arcfour-hmac:special'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': 
['604800']})]
root        : DEBUG    will use domain: lnxrealmtest.liberty.edu

root        : DEBUG    will use server: lnxrealmtest01.lnxrealmtest.liberty.edu

DNS domain 'lnxrealmtest.liberty.edu' is not configured for automatic KDC 
address lookup.
KDC address will be set to fixed value.

Discovery was successful!
root        : DEBUG    will use cli_realm: LNXREALMTEST.LIBERTY.EDU

root        : DEBUG    will use cli_basedn: dc=lnxrealmtest,dc=liberty,dc=edu

Hostname: r5-idmclient.lnxrealmtest.liberty.edu
Realm: LNXREALMTEST.LIBERTY.EDU
DNS Domain: lnxrealmtest.liberty.edu
IPA Server: lnxrealmtest01.lnxrealmtest.liberty.edu
BaseDN: dc=lnxrealmtest,dc=liberty,dc=edu


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
root        : DEBUG    will use principal: admin

Synchronizing time with KDC...
root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b 
lnxrealmtest01.lnxrealmtest.liberty.edu
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    Writing Kerberos configuration to /tmp/tmpjdlwWE:
#File modified by ipa-client-install

[libdefaults]
  default_realm = LNXREALMTEST.LIBERTY.EDU
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  LNXREALMTEST.LIBERTY.EDU = {
    kdc = lnxrealmtest01.lnxrealmtest.liberty.edu:88
    admin_server = lnxrealmtest01.lnxrealmtest.liberty.edu:749
    default_domain = lnxrealmtest.liberty.edu
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
  lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU


Password for ad...@lnxrealmtest.liberty.edu: 
root        : DEBUG    args=kinit ad...@lnxrealmtest.liberty.edu
root        : DEBUG    stdout=Password for ad...@lnxrealmtest.liberty.edu: 

root        : DEBUG    stderr=

root        : DEBUG    trying to retrieve CA cert from file /etc/ipa/ca.crt
root        : DEBUG    CA cert provided by user, use it!
root        : DEBUG    args=/usr/sbin/ipa-join -s 
lnxrealmtest01.lnxrealmtest.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu -d
root        : DEBUG    stdout=
root        : DEBUG    stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.18-348.12.1.el5</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 668655 (300000ms)
*   Trying 10.203.60.225... * Expire at 1374849129 / 668819 (300000ms)
* Expire at 1374849129 / 669364 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: 
/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
*        start date: 2013-07-25 18:27:02 GMT
*        expire date: 2015-07-26 18:27:02 GMT
*        common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
*        issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 21 May 2013 05:58:14 GMT
< ETag: "7f4ae-55a-4dd342284a980"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
* Expire cleared
* Closing connection #0
* Issue another request to this URL: 
'https://lnxrealmtest01.lnxrealmtest.liberty.edu:443/ipa/xml'
* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 836783 (300000ms)
*   Trying 10.203.60.225... * Expire at 1374849129 / 836832 (300000ms)
* Expire at 1374849129 / 837258 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL re-using session ID
* SSL connection using AES256-SHA
* Server certificate:
*        subject: 
/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
*        start date: 2013-07-25 18:27:02 GMT
*        expire date: 2015-07-26 18:27:02 GMT
*        common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
*        issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate 
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 200 Success
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
* Added cookie ipa_session="990285779c106b0e0befd81140292a7e" for domain 
lnxrealmtest01.lnxrealmtest.liberty.edu, path /ipa, expire 1374850029
< Set-Cookie: ipa_session=990285779c106b0e0befd81140292a7e; 
Domain=lnxrealmtest01.lnxrealmtest.liberty.edu; Path=/ipa; Expires=Fri, 26 Jul 
2013 14:47:09 GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain; charset=UTF-8
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=LNXREALMTEST.LIBERTY.EDU</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>cn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managing_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>ce85845c-f55f-11e2-96b8-0050568821b2</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/r5-idmclient.lnxrealmtest.liberty....@lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>serverhostname</name>\n
<value><array><data>\n
<value><string>r5-idmclient</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n

SASL Bind failed Local error (-2) !
child exited with 9

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.18-348.12.1.el5</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 668655 (300000ms)
*   Trying 10.203.60.225... * Expire at 1374849129 / 668819 (300000ms)
* Expire at 1374849129 / 669364 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*        subject: 
/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
*        start date: 2013-07-25 18:27:02 GMT
*        expire date: 2015-07-26 18:27:02 GMT
*        common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
*        issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 21 May 2013 05:58:14 GMT
< ETag: "7f4ae-55a-4dd342284a980"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
* Expire cleared
* Closing connection #0
* Issue another request to this URL: 
'https://lnxrealmtest01.lnxrealmtest.liberty.edu:443/ipa/xml'
* About to connect() to lnxrealmtest01.lnxrealmtest.liberty.edu port 443
* Expire at 1374849129 / 836783 (300000ms)
*   Trying 10.203.60.225... * Expire at 1374849129 / 836832 (300000ms)
* Expire at 1374849129 / 837258 (300000ms)
* Connected to lnxrealmtest01.lnxrealmtest.liberty.edu (10.203.60.225) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL re-using session ID
* SSL connection using AES256-SHA
* Server certificate:
*        subject: 
/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.lnxrealmtest.liberty.edu
*        start date: 2013-07-25 18:27:02 GMT
*        expire date: 2015-07-26 18:27:02 GMT
*        common name: lnxrealmtest01.lnxrealmtest.liberty.edu (matched)
*        issuer: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate 
Host: lnxrealmtest01.lnxrealmtest.liberty.edu
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/2.1.3
Referer: https://lnxrealmtest01.lnxrealmtest.liberty.edu/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 491

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>2.6.18-348.12.1.el5</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>
< HTTP/1.1 200 Success
< Date: Fri, 26 Jul 2013 14:27:09 GMT
< Server: Apache/2.2.15 (Red Hat)
* Added cookie ipa_session="990285779c106b0e0befd81140292a7e" for domain 
lnxrealmtest01.lnxrealmtest.liberty.edu, path /ipa, expire 1374850029
< Set-Cookie: ipa_session=990285779c106b0e0befd81140292a7e; 
Domain=lnxrealmtest01.lnxrealmtest.liberty.edu; Path=/ipa; Expires=Fri, 26 Jul 
2013 14:47:09 GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain; charset=UTF-8
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=r5-idmclient.lnxrealmtest.liberty.edu,cn=computers,cn=accounts,dc=lnxrealmtest,dc=liberty,dc=edu</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=LNXREALMTEST.LIBERTY.EDU</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>cn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managing_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>ce85845c-f55f-11e2-96b8-0050568821b2</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/r5-idmclient.lnxrealmtest.liberty....@lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>r5-idmclient.lnxrealmtest.liberty.edu</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>serverhostname</name>\n
<value><array><data>\n
<value><string>r5-idmclient</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n

SASL Bind failed Local error (-2) !
child exited with 9
root        : DEBUG    args=kdestroy
root        : DEBUG    stdout=
root        : DEBUG    stderr=
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@r5-idmclient ~]# 
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
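
The first run in this thread failed because the name given to --server (lnxrealmtest01.liberty.edu) is not the name in the directory server's certificate, while /etc/ipa/ca.crt is only the CA certificate and names no host. The sketch below is an added example, not part of the original messages or of FreeIPA: it reproduces that name check over constructed certificate dicts (in the shape Python's `ssl.SSLSocket.getpeercert()` returns) built from the subject and issuer strings quoted above. It goes slightly beyond the thread by also handling subjectAltName and wildcard names; the function names are hypothetical.

```python
# Added example. The certificate dicts are constructed from values quoted in the
# thread; they follow the layout of ssl.SSLSocket.getpeercert().

def dns_name_matches(pattern, hostname):
    """Case-insensitive label-by-label comparison. A '*' is honoured only as
    the whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Require at least three labels so that "*.edu" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def names_to_check(cert):
    """subjectAltName dNSName entries take precedence; the subject CN is used
    only when there are none (the curl trace above matched on common name)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]

def diagnose(cert, hostname):
    """Return 'ca-cert', 'match' or 'mismatch' for a certificate and the
    host name the client was told to connect to."""
    # Heuristic: subject == issuer means a self-issued certificate, which in
    # this deployment is the CA (trust anchor), not the server's own cert.
    if cert.get("subject") == cert.get("issuer"):
        return "ca-cert"
    if any(dns_name_matches(n, hostname) for n in names_to_check(cert)):
        return "match"
    return "mismatch"

ORG = (("organizationName", "LNXREALMTEST.LIBERTY.EDU"),)
CA_NAME = (ORG, (("commonName", "Certificate Authority"),))

# What `openssl x509 -in /etc/ipa/ca.crt` showed: issuer and subject identical.
CA_CERT = {"subject": CA_NAME, "issuer": CA_NAME}

# What the server presented, per the curl trace in the attached output.
SERVER_CERT = {
    "subject": (ORG, (("commonName",
                       "lnxrealmtest01.lnxrealmtest.liberty.edu"),)),
    "issuer": CA_NAME,
}

if __name__ == "__main__":
    for host in ("lnxrealmtest01.liberty.edu",               # first attempt
                 "lnxrealmtest01.lnxrealmtest.liberty.edu"):  # corrected
        print(host, "->", diagnose(SERVER_CERT, host))
    print("ca.crt ->", diagnose(CA_CERT, "lnxrealmtest01.liberty.edu"))
```
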
