Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
> Ok, if I have time, I'll try with a RHEL 5.8 client today.
>
>
> As for debug output, this is what I get:
>
> [root@r5-idmclient ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
> 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
> 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
> 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
> None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
> root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
> match CN in peer certificate
> root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>
> root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
> and lnxrealmtest.lnxrealmtest.liberty.edu.
>
> The part that confuses me (I'm still new to the innards of SSL) is this:
>
> LDAP Error: Connect error: TLS: hostname does not match CN in peer
> certificate
>
> When I look at the cert using:
>
> openssl x509 -in /etc/ipa/ca.crt -noout -text
>
> I see this:
>
> Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>          Validity
>              Not Before: Jul 25 18:22:53 2013 GMT
>              Not After : Jul 25 18:22:53 2033 GMT
>          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>
>
> and ...
>
> OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp

No, you looked at the wrong certificate.

To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert

rob
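As an added illustration of the check that failed here (example code, not from the thread or from FreeIPA itself), the Python below applies the hostname-matching rule a TLS client uses to two constructed certificate subjects: one mirroring the CA certificate inspected above, whose CN is "Certificate Authority" and names no host, and a hypothetical Server-Cert carrying the server FQDN. The certificate contents, the SAN entry and the helper names are assumptions.

```python
from typing import Dict, Tuple

# Constructed to mirror the CA certificate the original poster inspected,
# in the nested-tuple layout ssl.getpeercert() uses; it names no host at all.
CA_CERT: Dict = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "Certificate Authority"),)),
}

# Hypothetical Server-Cert (assumption: it carries the server FQDN in both
# the subjectAltName and the subject CN, as a correctly issued one would).
SERVER_CERT: Dict = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "lnxrealmtest01.liberty.edu"),)),
    "subjectAltName": (("DNS", "lnxrealmtest01.liberty.edu"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    leftmost wildcard label (*.example.com) that never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep:
        return False  # only "*.rest" wildcards are accepted
    hhead, hsep, htail = hostname.partition(".")
    return bool(hsep) and hhead != "" and htail == tail


def cert_matches_hostname(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason). SAN dNSName entries take precedence; the
    subject CN is consulted only when the certificate carries no SAN, which
    is the path behind 'hostname does not match CN in peer certificate'."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        for san in sans:
            if _dns_match(san, hostname):
                return True, f"matched SAN dNSName {san!r}"
        return False, f"no SAN dNSName matches {hostname!r}: {sans}"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    for cn in cns:
        if _dns_match(cn, hostname):
            return True, f"matched subject CN {cn!r}"
    return False, f"hostname {hostname!r} does not match CN {cns}"
```

Running it against CA_CERT reproduces the client's complaint, while SERVER_CERT is what ipa-client-install actually validates, which is why certutil on the Server-Cert nickname is the right place to look.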

Ok, that makes sense.  The CN in that cert is correct, so I corrected my
command.  It's still failing on binding a user it looks like.

I've attached the complete output.

Take a look at your 389-ds error log and the KDC log. The only thing we get on the client side is LOCAL_ERROR.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
