On Fri, 2013-07-26 at 14:59 +0000, Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 10:47 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
>> > Ok, if I have time, I'll try with a RHEL 5.8 client today.
>> >
>> >
>> > As for debug output, this is what I get:
>> >
>> > [root@r5-idmclient <mailto:root@r5-idmclient> ~]# ipa-client-install
>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>> > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
>> > root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
>> > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
>> > 'uninstall': False, 'force': False, 'sssd': True,
>> > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
>> > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
>> > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
>> > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
>> > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
>> > None}
>> > root        : DEBUG    missing options might be asked for interactively
>> > later
>> >
>> > root        : DEBUG    Loading Index file from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> > root        : DEBUG    Loading StateFile from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> > root        : DEBUG    [ipadnssearchkrb]
>> > root        : DEBUG    [ipacheckldap]
>> > root        : DEBUG    Init ldap with: 
>> > ldap://lnxrealmtest01.liberty.edu:389
>> > root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
>> > match CN in peer certificate
>> > root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>> >
>> > root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>> >
>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>> > This may mean that the remote server is not up or is not reachable
>> > due to network or firewall settings.
>> > Installation failed. Rolling back changes.
>> > IPA client is not configured on this system.
>> >
>> >
>> > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
>> > and lnxrealmtest.lnxrealmtest.liberty.edu.
>> >
>> > The part that confuses me (I'm still new to the innards of SSL) is this:
>> >
>> > DAP Error: Connect error: TLS: hostname does not match CN in peer
>> > certificate
>> >
>> > When I look at the cert using:
>> >
>> > openssl x509 -in /etc/ipa/ca.crt -noout -text
>> >
>> > I see this:
>> >
>> > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >          Validity
>> >              Not Before: Jul 25 18:22:53 2013 GMT
>> >              Not After : Jul 25 18:22:53 2033 GMT
>> >          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >
>> >
>> > and ...
>> >
>> > OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp
>>
>> No, you looked at the wrong certificate.
>>
>> To look at it use:
>>
>> # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
>>
>> rob
>
> Ok, that makes sense.  The CN in that cert is correct, so I corrected my
> command.  It's still failing on binding a user it looks like.
>
> I've attached the complete output.

Take a look at your 389-ds error log and the KDC log. The only thing we
get on the client side is LOCAL_ERROR.

rob



I see this in /var/log/krb5kdc.log:

Jul 26 10:27:10 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): 
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.203.60.226: UNKNOWN_SERVER: authtime 
0,  ad...@lnxrealmtest.liberty.edu<mailto:ad...@lnxrealmtest.liberty.edu> for 
krbtgt/liberty....@lnxrealmtest.liberty.edu<mailto:liberty....@lnxrealmtest.liberty.edu>,
 Server not found in Kerberos database
Jul 26 10:49:06 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.203.60.225: NEEDED_PREAUTH: 
host/lnxrealmtest01.lnxrealmtest.liberty....@lnxrealmtest.liberty.edu<mailto:lnxrealmtest01.lnxrealmtest.liberty....@lnxrealmtest.liberty.edu>
 for 
krbtgt/lnxrealmtest.liberty....@lnxrealmtest.liberty.edu<mailto:lnxrealmtest.liberty....@lnxrealmtest.liberty.edu>,
 Additional pre-authentication required


This is in /var/log/dirsrv/slapd-PKI-IPA/access log:

[26/Jul/2013:10:28:36 -0400] conn=241 fd=65 slot=65 connection from 
10.203.60.225 to 10.203.60.225
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 BIND dn="cn=Directory Manager" 
method=128 version=2
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn="cn=directory manager"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 SRCH base="ou=sessions,ou=Security 
Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" 
attrs="cn"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 RESULT err=32 tag=101 nentries=0 
etime=0
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 UNBIND
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 fd=65 closed - U1





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


I tried a RHEL 5.8 client, and I didn't get the issue with the certificate not 
downloading, so it does seem like a problem with 5.9's libs on that one.

I am however getting the same binding error.  I even created another user that 
was in the admin group, and it still fails.

-Kenny
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to