**
*Thanks, Regards*
**
*Jose Alvarez*
-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jose Alvarez R.
Sent: viernes 29 de abril de 2016 02:53 p.m.
To: 'Rob Crittenden' <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks for your response
The link https://bugzilla.redhat.com/show_bug.cgi?id=719945I not have
access..
I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm in the server
PPA(Client IPA), but still shows the same error.
A moment ago I added another client server with same version xmlrpc and
installed correctly.
Thanks Regards.
[root@bk1 ~]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,
'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname':
None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,
'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=bk1.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: bk1.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmp5msIum:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
Password for ad...@cyberfuel.com <mailto:ad...@cyberfuel.com>:
args=kinit ad...@cyberfuel.com <mailto:ad...@cyberfuel.com>
stdout=Password for ad...@cyberfuel.com <mailto:ad...@cyberfuel.com>:
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CYBERFUEL.COM
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Valid From: Wed Sep 30 17:46:50 2015 UTC
Valid Until: Sun Sep 30 17:46:50 2035 UTC
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>bk1.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.12.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
* Issue another request to this URL:
'https://freeipa.cyberfuel.com:443/ipa/xml'
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate
YIIFFAYJKoZIhvcSAQICAQBuggUDMIIE/6ADAgEFoQMCAQ6iBwMFAAAAAACjggFiYYIBXjCCAVqg
AwIBBaEPGw1DWUJFUkZVRUwuQ09NoigwJqADAgEDoR8wHRsESFRUUBsVZnJlZWlwYS5MIZbbMHqa
QcuYz6zysTVwY+I/uvLznfkDrkClgtyvEIsnBopXcWBenFEbqcmRIBa7bkXiIxc1tYEzNh1rME/4
ZUh0PjUjX+QQO9NDpYrAIxFLoP6b6J87wFt2Wi+Rx2LPGlcPrIwKPNwyaOqw/QQ8r11FLI5RVzpH
eUL3uokQgZF6+GBoFo61lHY/W36Cb3JgxdG8Ge3TWWYgjEQKWlY48N6YNSPF2a2iKpgSuy/1Qe5E
HTfpyiJWnZJnlEIHllpIIDgjCCA36gAwIBEqKCA3UEggNx1WXEz0IRl4aJlkL5Eq0bxky36jm7zI
q3oiCcgWzqH9ma866TuD4ew++XcXmKZxszk6zf+c8tYhdRezxK74jF9XkpnRxTiBxOao7oPabJau
yM0k637IWWzTb1m+cC46PRaysFc7x3z5CGBWNyu0DpGyw240za4cepY1J+Q+mm7bq51zCDyMU1CY
7+of3Z4Z7s6P5/x/pn8DJBegXVIYq2Wb3sQbMUJCSbCG37Xb8j2nzhAaup1l4xTINQxSSLZRIS7M
H2YCE+z66P0607z7xBh7bwed97hHC2o3T0hDNnJOP7SRBUXquXCW9RbLUdOmYfcLcH8ygUWemm3A
MqL+mDYN3jpe25O/7Z/wFxYiUIw/6CtHGjJ1nrDy47Y1sbsjU1XT/sJ8JqxRFwCm9ALpQP+rYZ0k
v8/9OAaclw4vobu4Zmb3rVFBOzKpgRaUSvg4vSuRi/SPCzcH2PwBBSHpZuXWazWvZpnpTXYBl3nw
lelW8gE1PWWeAhxbCDP/u5D6vAJ7q1287bL+UdpnCki0Ye0c1+LCsqzhscPDtWOMHAqzs5pwyyfC
Qpg13GX93fHWJPRkrJbGTkGAknZkQFPtjks1C3JCRqhiz62KVLo6g5uRljHr8NNzvTBr2iRl9aK6
cDAEMaW5X26ko0XtO7urcbw/w6smuJLyYjroJH5Pe41bPMaUCls3RTvhxrlMzXSXgywPr3zDFpIg
CirdIfqowkF5Utq6Uub2d9wdhXXYuH3PCj3KBzsAAHFv2iI+Xg3a7+7LlWUFnTLVEzEhsKVO3lO7
jFb8kKwop5o7yTyXsQmW4g0rdCam07GuRObob6yQ=
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478
< HTTP/1.1 200 Success
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
* Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain
freeipa.cyberfuel.com, path /ipa, expire 1461963745
< Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25
GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
<
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=CYBERFUEL.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>e1a08eb8-0e4a-11e6-8c5b-005056b027f1</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/bk1.cyberfuel....@cyberfuel.com</string></value>\n
<mailto:host/bk1.cyberfuel....@cyberfuel.com%3c/string%3e%3c/value%3e\n>
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=CYBERFUEL.COM
Enrolled in IPA realm CYBERFUEL.COM
args=kdestroy
stdout=
stderr=
Attempting to get host TGT...
args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/bk1.cyberfuel....@cyberfuel.com
<mailto:host/bk1.cyberfuel....@cyberfuel.com>
stdout=
stderr=
Attempt 1/5 succeeded.
Backing up system configuration file '/etc/ipa/default.conf'
-> Not backing up - '/etc/ipa/default.conf' doesn't exist
Created /etc/ipa/default.conf
importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3
stderr=
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Backing up system configuration file '/etc/sssd/sssd.conf'
-> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
New SSSD config will be created
Backing up system configuration file '/etc/nsswitch.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
/etc/ipa/ca.crt
stdout=
stderr=
Backing up system configuration file '/etc/krb5.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Writing Kerberos configuration to /etc/krb5.conf:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM
args=keyctl search @s user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
stdout=
stderr=keyctl_search: Required key not available
args=keyctl search @s user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
stdout=
stderr=keyctl_search: Required key not available
failed to find session_cookie in persistent storage for principal
'host/bk1.cyberfuel....@cyberfuel.com'
trying https://freeipa.cyberfuel.com/ipa/xml
Created connection context.xmlclient
raw: env(None, server=True)
env(None, server=True, all=True)
Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Validity:
Not Before: Wed Sep 30 17:52:11 2015 UTC
Not After: Sat Sep 30 17:52:11 2017 UTC
Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
ad:e7:d2:7f:c3:e1:91:0a:03:6d:5c:ba:54:14:3e:00:
0e:f9:e7:61:85:3c:4f:1b:8f:a8:fb:e4:b4:92:a3:7c:
7d:bb:06:b4:b8:43:8a:20:86:17:71:a2:a3:6a:a1:51:
e5:89:44:0f:a1:43:67:3b:46:76:b0:81:9e:10:43:56:
86:9f:27:46:e1:5e:b3:d6:8c:17:73:e3:17:7d:e7:eb:
a4:78:9c:7a:e8:6f:00:f8:36:d9:71:88:e1:90:bf:98:
fa:40:0f:88:f4:2e:d8:a2:b3:a5:0c:5a:81:8b:2e:cf:
22:f9:cb:6d:bf:85:7c:c9:7f:17:de:5d:d4:1a:2b:09:
5b:1b:99:11:22:3f:1e:49:5f:26:1a:25:2f:a4:50:2a:
8b:f2:3c:12:db:45:3f:f4:06:64:a2:30:5f:f4:a1:c9:
2c:8c:60:b5:c6:aa:25:2e:1e:31:c2:ad:2c:63:b0:a4:
bb:2c:fc:f8:b6:f9:13:eb:09:bc:b0:c1:4c:06:06:09:
2f:f9:08:ba:7d:a4:0a:57:d1:8e:86:87:cb:f9:3a:58:
60:f9:34:e1:5b:34:d1:2f:8e:54:87:2a:74:9c:e2:d6:
83:4f:78:6b:59:1e:95:ec:67:6e:86:25:ad:f0:d3:6c:
96:9c:db:c3:e5:3f:e5:bc:f4:ff:55:55:18:a8:3e:5d
Exponent:
65537 (0x10001)
Signed Extensions: (5 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8:
d1:87:fa:ff
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Subject Key ID
Critical: False
Data:
73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1:
89:b9:1e:70
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
40:da:c2:6b:20:08:7c:4a:05:1a:e2:cc:49:7f:25:6c:
48:3a:73:3c:b6:ab:35:6c:1a:d9:78:15:60:48:0b:0e:
c1:3c:bf:76:90:35:bf:67:b5:9d:88:1c:98:ce:3b:8a:
f6:86:c7:f9:1e:7b:3c:cd:98:00:99:23:a4:06:4f:ed:
0f:ee:44:65:9d:db:b6:9d:cc:cf:cb:83:f8:7c:23:93:
2a:0b:40:bb:5b:31:c5:9e:ed:74:eb:c0:c9:cc:30:1e:
78:19:69:64:60:24:58:f5:a7:6f:3b:bb:f6:7c:72:5c:
1c:50:33:0f:df:49:b7:0a:cb:ac:3f:7b:4f:e7:42:e9:
3b:19:e0:15:a3:fe:e3:43:aa:23:69:d0:28:7a:64:b7:
19:e3:8a:a9:bc:48:3a:de:f7:c0:67:8b:02:e9:af:74:
49:33:5e:2f:21:0b:4c:f3:3d:63:ea:1e:2e:4d:e9:ed:
af:ef:61:35:ad:86:2b:93:ab:b6:7d:45:ed:b1:9b:12:
57:fc:55:ef:42:46:01:63:b1:b9:84:e9:f4:46:fb:39:
fa:1e:55:2e:20:32:c1:45:ad:ac:54:c9:e6:4e:ca:f1:
fb:da:9a:b5:bc:8b:6c:43:86:4e:df:06:97:46:3e:9b:
a2:a1:ff:41:6e:80:df:a7:bd:5d:96:2c:ba:e0:d2:56
Fingerprint (MD5):
09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48
Fingerprint (SHA1):
c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79:
ca:4d:09:98
approved_usage = SSL Server intended_usage = SSL Server
cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly' for prin
args=keyctl search @s user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
stdout=
stderr=keyctl_search: Required key not available
args=keyctl search @s user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
stdout=
stderr=keyctl_search: Required key not available
args=keyctl padd user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com @s
stdout=640092261
stderr=
Hostname (bk1.cyberfuel.com) not found in DNS
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN A
send
update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
DNS/ns1.cyberfuel....@cyberfuel.com
<mailto:DNS/ns1.cyberfuel....@cyberfuel.com> no
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Failed to update DNS records.
args=/sbin/service messagebus start
stdout=Starting system message bus: [ OK ]
stderr=
args=/sbin/service messagebus status
stdout=messagebus (pid 41820) is running...
stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]
stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41859) is running...
stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41927) is running...
stderr=
args=/sbin/chkconfig certmonger on
stdout=
stderr=
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K
host/bk1.cyberfuel....@cyberfuel.co
<mailto:host/bk1.cyberfuel....@cyberfuel.co>
stdout=New signing request "20160429204235" added.
stderr=
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA071MP58tqZXKpba7ndVtIqtgZmGNxm/PJz/eqf7w9SNewATA
xmV14vUYyyohaIWBBi87sXwqcNsWBUWAcg2ezfKfKYqc3YPqaNq2poRL3+vhpNnHDBdfh2NzqdId
slZEMt2H+v/0g3G52ycOoRCfhwbGasV+ZCxLGyCPnYTAb7gvpms+/JNf1FWjQpTHt+dZ8CtCcfvL
ctY5pjdxT4kQTtK8kyyGwlXH/Oh4qisMsS57/1a1HEED7xczbIHF/YHF7u08WBbFe0Y40QA5gfa7
/hhu+JoblQBH55iKzR8l8RfZXt1Vcam2pr2nj/w0oYxyB+JkO0CuR/mWu93aLRkxFxtwEoUUiWMm
M3mXs1gsTFKClFnTbOzwg8QyFlCj+An4GrzrsbAA/rfLvb+VmwOS/BccDZfAAAAFShUVZUinN/bv
4/xv1ejRLk62VxtHxw1z+w/JLc0WbTtIj4cB4nE03et3id5ZT6yDz5XKduyhAeCYPGXepmWXqSxb
2N/Ia5OZbEfwNcEivzWdeRzxnk+W8OErBuOkRcCYmT1aIFGmIAAACANrKXEgH6qjJZdpFM3CFIBt
mZY3RF1adYeI7i8daJxkwxPv55idHkphc4aDX4lUPzvcw+r5jtE+rm4huv03qlTKy+/0HlTyIRJv
wfpc='], updatedns=False)
host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA071MP58tqZXKpba7ndVtIqtgZmGNxm/PJz/eqf7w9SNewATA
xmV14vUYyyohaIWBBi87sXwlVqxX+L95cg2ezfKfKYqc3YPqaNq2poRL3+vhpNnHDBdfh2NzqdId
slZEMt2H+v/0g3G52ycOoRCfhwbGasV+ZCxLGyCPnYTAb7gvpms+/JNf1FWjQpTHt+dZ8CtCcfvL
ctY5pjdxT4kQTtK8kyyGwlXH/Oh4qisMsS57/1aAN359BmDxbIHF/YHF7u08WBbFe0Y40QA5gfa7
/hhu+JoblQBH55iKzR8l8RfZXt1Vcam2pr2nj/w0oYxyB+JkO0CuR/mWu93aLRkxFxtwEoUUiWMm
M3mXs1gsTFKClFnTbOzwg8QyFlCj+An4GrzrsbAA/rfLvb+VmwOS/BcXJiFI6Ub3ShUVZUinN/bv
4/xv1ejRLk62VxtHxw1z+w/JLc0WbTtIj4cB4nE03et3id5ZT6yDz5XKduyhAeCYPGXepmWXqSxb
2N/Ia5OZbEfwNcEivzWdeRzxnk+W8OErBuOkRcCYmT1aIFGmIAAACANrKXEgH6qjJZdpFM3mdAXb
7imVRF1adYeI7i8daJxkwxPv55idHkphc4aDX4lUPzvcw+r5jtE+rm4huv03qlTKy+/0HlTyIRJv
wfpc='), rights=False, updatedns=False, all=False, raw=False,
no_members=False)
Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly' for prin
args=keyctl search @s user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
stdout=640092261
stderr=
args=keyctl search @s user
ipa_session_cookie:host/bk1.cyberfuel....@cyberfuel.com
stdout=640092261
stderr=
args=keyctl pupdate 640092261
stdout=
stderr=
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN SSHFP
send
update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1
B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1
30D2331BC69452EFE65445B5C990773EA41A2FE8
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
DNS/ns1.cyberfuel....@cyberfuel.com
<mailto:DNS/ns1.cyberfuel....@cyberfuel.com> no
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Could not update DNS SSHFP records.
args=/sbin/service nscd status
stdout=
stderr=nscd: unrecognized service
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
stdout=
stderr=
SSSD enabled
Configuring cyberfuel.com as NIS domain
args=/bin/nisdomainname
stdout=(none)
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
stdout=
stderr=
args=/bin/nisdomainname cyberfuel.com
stdout=
stderr=
args=/sbin/service sssd restart
stdout=Stopping sssd: [FAILED]
Starting sssd: [ OK ]
stderr=cat: /var/run/sssd.pid: No such file or directory
args=/sbin/service sssd status
stdout=sssd (pid 42071) is running...
stderr=
args=/sbin/chkconfig sssd on
stdout=
stderr=
Backing up system configuration file '/etc/openldap/ldap.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/openldap/ldap.conf
args=getent passwd admin
stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash
stderr=
Backing up system configuration file '/etc/ntp/step-tickers'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Backing up system configuration file '/etc/ntp.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/ntpd'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd on
stdout=
stderr=
args=/sbin/service ntpd restart
stdout=Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
stderr=
args=/sbin/service ntpd status
stdout=ntpd (pid 42133) is running...
stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status
stdout=openssh-daemon (pid 46497) is running...
stderr=
args=/sbin/service sshd restart
stdout=Stopping sshd: [ OK ]
Starting sshd: [ OK ]
stderr=
args=/sbin/service sshd status
stdout=openssh-daemon (pid 42190) is running...
stderr=
Client configuration complete.
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: viernes 29 de abril de 2016 12:19 p.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com
<mailto:jalva...@cyberfuel.com>>; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Jose Alvarez R. wrote:
> Hi, Rob
>
> Thanks!!
>
>
> The version the xmlrpc-c of my server IPA:
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>
>
> The version the xmlrpc-c of my client IPA
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> libiqxmlrpc-0.12.4-0.parallels.i686
> xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945
The libcurl version on the client looks ok.
This is only a client-side issue so no changes on the servers should be
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.
rob
>
> The versions are the same, but the libcurl is different
>
> It's the version curl IPA server
> [root@freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root@freeipa log]#
>
>
> It's the version curl PPA server(IPA Client) [root@ppa named]# rpm -qa
> | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
> Sorry, my english is not very well
>
>
> Regards.
>
>
>
> -----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: viernes 29 de abril de 2016 11:14 a.m.
To: Jose Alvarez R. <jalva...@cyberfuel.com <mailto:jalva...@cyberfuel.com>>;
freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Rob, Thanks for your response
>>
>> Yes, It's with admin.
>
> I assume this is a problem with your version of xmlrpc-c. We use
> standard calls xmlrpc-c calls to setup authentication and IIRC that
> links against libcurl which provides the Kerberos/GSSAPI support. On
> EL6 you need xmlrpc-c
>> = 1.16.24-1200.1840.2
>
> I'm confused about the versions. You mention PPA but include what look
> like RPM versions that seem to point to RHEL 6.
>
> rob
>
>>
>> I execute the command "ipa-client-install --debug"
>> ---------------------------------------------------------------------
>> -
>> ---
>>
>>
>> [root@ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>> None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir
>> ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
>> 'on_master': False, 'ntp_server': None, 'nisdomain': None,
'no_nisdomain':
>> False, 'principal': None
>> , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
>> 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
>> 'conf_sudo': True, 'conf_ssh': Tr
>> ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
>> 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd':
>> False, 'uninstall': False}
>> missing options might be asked for interactively later Loading Index
>> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None,
>> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>> "cyberfuel.com" (domain of the
>> hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
>> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:
>> C
>> YBERFU
>> EL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
>> p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN Check if naming context
>> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>> dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com,
>> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com Start searching for LDAP
>> SRV record in "cyberfuel.com" (Validating DNS
>> Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
>> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com Discovery was
>> successful!
>> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>> dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in
>> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>> Discovered LDAP SRV records from cyberfuel.com (domain of the
>> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: no
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> [root@ppa named]#
>> [root@ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>> None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
>> True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
> 'nisdomain':
>> None, 'no_nisdomain': False, 'principal': None, 'hostname': None,
'no_ac':
>> False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
>> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True,
'conf_ssh':
>> True, 'force_join': False, 'ca_cert_file': None, 'server': None,
>> 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd':
>> False, 'uninstall': False}
>> missing options might be asked for interactively later Loading Index
>> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None,
>> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>> "cyberfuel.com" (domain of the
>> hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
>> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:
>> C
>> YBERFU
>> EL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
>> p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN Check if naming context
>> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>> dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com,
>> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com Start searching for LDAP
>> SRV record in "cyberfuel.com" (Validating DNS
>> Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
>> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com Discovery was
>> successful!
>> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>> dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in
>> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>> Discovered LDAP SRV records from cyberfuel.com (domain of the
>> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: yes
>> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
>> stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
>> or directory
>>
>> User authorized to enroll computers: admin will use principal
>> provided as option: admin Synchronizing time with KDC...
>> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
>> No DNS record found
>> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
>> stderr= Writing Kerberos configuration to /tmp/tmpqWSatK:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = CYBERFUEL.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>>
>>
>> [realms]
>> CYBERFUEL.COM = {
>> kdc = freeipa.cyberfuel.com:88
>> master_kdc = freeipa.cyberfuel.com:88
>> admin_server = freeipa.cyberfuel.com:749
>> default_domain = cyberfuel.com
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>
>> }
>>
>>
>> [domain_realm]
>> .cyberfuel.com = CYBERFUEL.COM
>> cyberfuel.com = CYBERFUEL.COM
>>
>>
>>
Password forad...@cyberfuel.com <mailto:ad...@cyberfuel.com>:
args=kinitad...@cyberfuel.com <mailto:ad...@cyberfuel.com>
stdout=Password forad...@cyberfuel.com <mailto:ad...@cyberfuel.com>:
>>
>> stderr=
>> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>> Existing CA cert and Retrieved CA cert are identical
>> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
>> dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
>> <methodName>join</methodName>\r\n <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>ppa.cyberfuel.com</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\
>> n <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>> * Trying 192.168.20.90...
>> * Adding handle: conn: 0x10bb2f0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>> * start date: 2015-09-30 17:52:11 GMT
>> * expire date: 2017-09-30 17:52:11 GMT
>> * common name: freeipa.cyberfuel.com (matched)
>> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>> * SSL certificate verify ok.
>>> POST /ipa/xml HTTP/1.1
>> Host: freeipa.cyberfuel.com
>> Accept: */*
>> Content-Type: text/xml
>> User-Agent: ipa-join/3.0.0
Referer:https://freeipa.cyberfuel.com/ipa/xml
>> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>> Content-Length: 477
>>
>> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
>> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
>> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server:
>> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified:
>> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
>> < Accept-Ranges: bytes
>> < Content-Length: 1370
>> < Connection: close
>> < Content-Type: text/html; charset=UTF-8 <
>> * Closing connection 0
>> HTTP response code is 401, not 200
>>
>> Joining realm failed: XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
>> <methodName>join</methodName>\r\n <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>ppa.cyberfuel.com</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\
>> n <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>> * Trying 192.168.20.90...
>> * Adding handle: conn: 0x10bb2f0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>> * start date: 2015-09-30 17:52:11 GMT
>> * expire date: 2017-09-30 17:52:11 GMT
>> * common name: freeipa.cyberfuel.com (matched)
>> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>> * SSL certificate verify ok.
>>> POST /ipa/xml HTTP/1.1
>> Host: freeipa.cyberfuel.com
>> Accept: */*
>> Content-Type: text/xml
>> User-Agent: ipa-join/3.0.0
Referer:https://freeipa.cyberfuel.com/ipa/xml
>> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>> Content-Length: 477
>>
>> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
>> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
>> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server:
>> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified:
>> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
>> < Accept-Ranges: bytes
>> < Content-Length: 1370
>> < Connection: close
>> < Content-Type: text/html; charset=UTF-8 <
>> * Closing connection 0
>> HTTP response code is 401, not 200
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> -------------------------------------------------
>>
>> It's the version curl IPA server
>>
>> [root@freeipa log]# rpm -qa | grep curl
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-46.el6.x86_64
>> libcurl-7.19.7-46.el6.x86_64
>> [root@freeipa log]#
>>
>>
>> It's the version curl PPA server(IPA Client)
>>
>> [root@ppa named]# rpm -qa | grep curl
>> curl-7.31.0-1.el6.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> libcurl-7.31.0-1.el6.x86_64
>> libcurl-7.31.0-1.el6.i686
>>
>>
>> The version curl is different, but the version curl PPA is the
>> repository Odin Plesk.
>>
>> -----------------------------------------------------
>>
>>
>> [root@ppa tmp]# cat kerberos_trace.log
>>
>> [12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principalad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>for
server principalldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>
[12118] 1461855578.810171: retrievingad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
>> found [12118] 1461855578.810252: Getting credentials
ad...@cyberfuel.com <mailto:ad...@cyberfuel.com>->
ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>using
>> ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
ad...@cyberfuel.com <mailto:ad...@cyberfuel.com>->
ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>from
>> FILE:/tmp/tmptSoqDX with
>> result: -1765328243/Matching credential not found [12118]
1461855578.810451: retrievingad...@cyberfuel.com <mailto:ad...@cyberfuel.com>->
krbtgt/cyberfuel....@cyberfuel.com
<mailto:krbtgt/cyberfuel....@cyberfuel.com>from FILE:/tmp/tmptSoqDX with
result:
>> 0/Success
>> [12118] 1461855578.810476: Found cached TGT for service realm:
>> ad...@cyberfuel.com <mailto:ad...@cyberfuel.com> ->
krbtgt/cyberfuel....@cyberfuel.com
<mailto:krbtgt/cyberfuel....@cyberfuel.com>
>> [12118] 1461855578.810509: Requesting tickets for
ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>, referrals on [12118]
>> 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
>> [12118] 1461855578.810679: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
>> 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
>> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
>> [12118] 1461855578.811466: Initiating TCP connection to stream
>> 192.168.0.90:88
>> [12118] 1461855578.811935: Sending TCP request to stream
>> 192.168.0.90:88 [12118] 1461855578.816404: Received answer from
>> stream
>> 192.168.0.90:88 [12118] 1461855578.816714: Response was from master
KDC [12118] 1461855578.816906: TGS reply is forad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>
->ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>with session key
>> aes256-cts/BEB2 [12118] 1461855578.816977: TGS request result:
>> 0/Success [12118] 1461855578.817018: Received creds for desired
serviceldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>
[12118] 1461855578.817066: removingad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>->
ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: storingad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>->
ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>in FILE:/tmp/tmptSoqDX
>> [12118] 1461855578.817413: Creating authenticator for
>> ad...@cyberfuel.com <mailto:ad...@cyberfuel.com> ->
ldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>,
>> seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
>> [12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principalad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>for
server principalldap/freeipa.cyberfuel....@cyberfuel.com
<mailto:ldap/freeipa.cyberfuel....@cyberfuel.com>
[12118] 1461855578.874938: retrievingad...@cyberfuel.com
<mailto:ad...@cyberfuel.com>->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
>> found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
>> subkey aes256-cts/4B32, seqnum 706045221 [17304] 1461858424.873888:
>> ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
>> principal ad...@cyberfuel.com for server principal
>> ldap/freeipa.cyberfuel....@cyberfuel.com
>> [17304] 1461858424.874126: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
>> found [17304] 1461858424.874220: Getting credentials
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>> ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>> FILE:/tmp/tmpH0QF6P with
>> result: -1765328243/Matching credential not found [17304]
>> 1461858424.874531: Retrieving ad...@cyberfuel.com ->
>> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P with result:
>> 0/Success
>> [17304] 1461858424.874603: Found cached TGT for service realm:
>> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>> [17304] 1461858424.874631: Requesting tickets for
>> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [17304]
>> 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
>> [17304] 1461858424.874788: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
>> 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
>> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
>> [17304] 1461858424.875805: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [17304] 1461858424.877976: Sending TCP request to stream
>> 192.168.20.90:88 [17304] 1461858424.882385: Received answer from
>> stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
>> master KDC [17304] 1461858424.882775: TGS reply is for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>> session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
>> result: 0/Success [17304] 1461858424.882883: Received creds for
>> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>> [17304] 1461858424.882918: Removing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpH0QF6P
>> [17304] 1461858424.882951: Storing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpH0QF6P
>> [17304] 1461858424.883271: Creating authenticator for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>> seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
>> [17304] 1461858424.898190: ccselect module realm chose cache
>> FILE:/tmp/tmpH0QF6P with client principal ad...@cyberfuel.com for
>> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>> [17304] 1461858424.898401: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
>> found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
>> subkey aes256-cts/A0F5, seqnum 906104721 [23457] 1461863053.621386:
>> ccselect module realm chose cache
>> FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for
>> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>> [23457] 1461863053.621602: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
>> found [23457] 1461863053.621719: Getting credentials
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>> ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>> FILE:/tmp/tmp576FE3 with
>> result: -1765328243/Matching credential not found [23457]
>> 1461863053.622097: Retrieving ad...@cyberfuel.com ->
>> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3 with result:
>> 0/Success
>> [23457] 1461863053.622144: Found cached TGT for service realm:
>> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>> [23457] 1461863053.622176: Requesting tickets for
>> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23457]
>> 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
>> [23457] 1461863053.622331: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
>> 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
>> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
>> [23457] 1461863053.623367: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [23457] 1461863053.623866: Sending TCP request to stream
>> 192.168.20.90:88 [23457] 1461863053.627939: Received answer from
>> stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
>> master KDC [23457] 1461863053.628485: TGS reply is for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>> session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
>> result: 0/Success [23457] 1461863053.628610: Received creds for
>> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>> [23457] 1461863053.628655: Removing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmp576FE3
>> [23457] 1461863053.628689: Storing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmp576FE3
>> [23457] 1461863053.629119: Creating authenticator for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>> seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
>> [23457] 1461863053.640471: ccselect module realm chose cache
>> FILE:/tmp/tmp576FE3 with client principal ad...@cyberfuel.com for
>> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>> [23457] 1461863053.640721: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
>> found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
>> subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338:
>> ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
>> principal ad...@cyberfuel.com for server principal
>> ldap/freeipa.cyberfuel....@cyberfuel.com
>> [23749] 1461863277.525435: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
>> found [23749] 1461863277.525469: Getting credentials
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>> ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>> FILE:/tmp/tmprfuOsj with
>> result: -1765328243/Matching credential not found [23749]
>> 1461863277.525572: Retrieving ad...@cyberfuel.com ->
>> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj with result:
>> 0/Success
>> [23749] 1461863277.525584: Found cached TGT for service realm:
>> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>> [23749] 1461863277.525593: Requesting tickets for
>> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [23749]
>> 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
>> [23749] 1461863277.525662: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
>> 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
>> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
>> [23749] 1461863277.526161: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [23749] 1461863277.526440: Sending TCP request to stream
>> 192.168.20.90:88 [23749] 1461863277.530652: Received answer from
>> stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
>> master KDC [23749] 1461863277.530881: TGS reply is for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>> session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
>> result: 0/Success [23749] 1461863277.530948: Received creds for
>> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>> [23749] 1461863277.530962: Removing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmprfuOsj
>> [23749] 1461863277.530971: Storing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmprfuOsj
>> [23749] 1461863277.531133: Creating authenticator for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>> seqnum 1019693263, subkey aes256-cts/B3E0, session key
>> aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm
>> chose cache FILE:/tmp/tmprfuOsj with client principal
>> ad...@cyberfuel.com for server principal
>> ldap/freeipa.cyberfuel....@cyberfuel.com
>> [23749] 1461863277.542889: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
>> found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
>> subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277:
>> ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
>> principal ad...@cyberfuel.com for server principal
>> ldap/freeipa.cyberfuel....@cyberfuel.com
>> [25544] 1461864401.258584: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
>> found [25544] 1461864401.258678: Getting credentials
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>> ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>> FILE:/tmp/tmpbzX7EN with
>> result: -1765328243/Matching credential not found [25544]
>> 1461864401.259040: Retrieving ad...@cyberfuel.com ->
>> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN with result:
>> 0/Success
>> [25544] 1461864401.259076: Found cached TGT for service realm:
>> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>> [25544] 1461864401.259102: Requesting tickets for
>> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [25544]
>> 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
>> [25544] 1461864401.259291: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
>> 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
>> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
>> [25544] 1461864401.260361: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [25544] 1461864401.260980: Sending TCP request to stream
>> 192.168.20.90:88 [25544] 1461864401.264399: Received answer from
>> stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
>> master KDC [25544] 1461864401.264893: TGS reply is for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>> session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
>> result: 0/Success [25544] 1461864401.264996: Received creds for
>> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>> [25544] 1461864401.265029: Removing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpbzX7EN
>> [25544] 1461864401.265058: Storing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpbzX7EN
>> [25544] 1461864401.265581: Creating authenticator for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>> seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
>> [25544] 1461864401.275884: ccselect module realm chose cache
>> FILE:/tmp/tmpbzX7EN with client principal ad...@cyberfuel.com for
>> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>> [25544] 1461864401.276059: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
>> found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
>> subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354:
>> ccselect module realm chose cache
>> FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for
>> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>> [18097] 1461937028.664456: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
>> found [18097] 1461937028.664490: Getting credentials
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com using
>> ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com from
>> FILE:/tmp/tmpF9x_o8 with
>> result: -1765328243/Matching credential not found [18097]
>> 1461937028.664590: Retrieving ad...@cyberfuel.com ->
>> krbtgt/cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8 with result:
>> 0/Success
>> [18097] 1461937028.664601: Found cached TGT for service realm:
>> ad...@cyberfuel.com -> krbtgt/cyberfuel....@cyberfuel.com
>> [18097] 1461937028.664611: Requesting tickets for
>> ldap/freeipa.cyberfuel....@cyberfuel.com, referrals on [18097]
>> 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
>> [18097] 1461937028.664727: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
>> 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
>> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
>> [18097] 1461937028.665136: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [18097] 1461937028.665510: Sending TCP request to stream
>> 192.168.20.90:88 [18097] 1461937028.668919: Received answer from
>> stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
>> master KDC [18097] 1461937028.669109: TGS reply is for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com with
>> session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
>> result: 0/Success [18097] 1461937028.669156: Received creds for
>> desired service ldap/freeipa.cyberfuel....@cyberfuel.com
>> [18097] 1461937028.669167: Removing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com from FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669176: Storing ad...@cyberfuel.com ->
>> ldap/freeipa.cyberfuel....@cyberfuel.com in FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669304: Creating authenticator for
>> ad...@cyberfuel.com -> ldap/freeipa.cyberfuel....@cyberfuel.com,
>> seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
>> [18097] 1461937028.676414: ccselect module realm chose cache
>> FILE:/tmp/tmpF9x_o8 with client principal ad...@cyberfuel.com for
>> server principal ldap/freeipa.cyberfuel....@cyberfuel.com
>> [18097] 1461937028.676470: Retrieving ad...@cyberfuel.com ->
>> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
>> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
>> found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
>> subkey aes256-cts/26C4, seqnum 864174069
>>
>> -----------------------------------
>>
>>
>> Regards
>>
>> Jose Alvarez
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: viernes 29 de abril de 2016 09:34 a.m.
>> To: Jose Alvarez R. <jalva...@cyberfuel.com>;
>> freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>>
>> Jose Alvarez R. wrote:
>>> Hi Users
>>>
>>> You can help me?
>>>
>>> I have the problem for join a client to my FREEIPA Server. The
>>> version IPA Server is 3.0 and IP client is 3.0
>>>
>>> When I join my client to IPA server show these errors:
>>>
>>> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=
>>>
>>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
>>> ldap://freeipa.cyberfuel.com
>>>
>>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert
>>> are identical
>>>
>>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
>>> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>>
>>> 2016-04-28T17:26:41Z DEBUG stdout=
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>>
>>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
>>> is 401, not 200
>>>
>>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>>
>>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>>
>> I'd look in the 389-ds access and error logs on the IPA server to see
>> if there are any more details. Look for the BIND from the client and
>> see what happens.
>>
>> More context from the log file might be helpful. I believe if you run
>> the client installer with --debug then additional flags are passed to
>> ipa-join to include the XML-RPC conversation and that might be useful
too.
>>
>> What account are you using to enroll with, admin?
>>
>> rob
>>
>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
