Rob, my apologies. I only provided the tail of the log; I should have provided more. I can see now there is much more detail in there.
I followed your lead regarding the HTTP error log from the server and found this:

[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client 172.16.10.12:49727] AH01630: client denied by server configuration: /usr/share/ipa/wsgi.py, referer: https://ldap.mydomain.com/ipa/xml

So, that is most likely the next track for me to follow. Thank you for your assistance to this point, and in case there is interest, here is the full client log:

2016-07-20T18:33:18Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall': False}
2016-07-20T18:33:18Z DEBUG missing options might be asked for interactively later
2016-07-20T18:33:18Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.17
2016-07-20T18:33:18Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-07-20T18:33:18Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-07-20T18:33:18Z DEBUG Starting external process
2016-07-20T18:33:18Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2016-07-20T18:33:18Z DEBUG Process finished, return code=0
2016-07-20T18:33:18Z DEBUG stdout=enabled
2016-07-20T18:33:18Z DEBUG stderr=
2016-07-20T18:33:18Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2016-07-20T18:33:18Z DEBUG [IPA Discovery]
2016-07-20T18:33:18Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=centostest.mydomain.com
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in "mydomain.com" (domain of the hostname) and its sub-domains
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.com
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in "mydomain.com" (search domain from /etc/resolv.conf) and its sub-domains
2016-07-20T18:33:18Z DEBUG Already searched mydomain.com; skipping
2016-07-20T18:33:18Z DEBUG No LDAP server found
2016-07-20T18:33:18Z DEBUG No LDAP server found
2016-07-20T18:33:18Z INFO DNS discovery failed to determine your DNS domain
2016-07-20T18:33:20Z DEBUG will use interactively provided domain: mydomain.com
2016-07-20T18:33:20Z DEBUG [IPA Discovery]
2016-07-20T18:33:20Z DEBUG Starting IPA discovery with domain=mydomain.com, servers=None, hostname=centostest.mydomain.com
2016-07-20T18:33:20Z DEBUG Search for LDAP SRV record in mydomain.com
2016-07-20T18:33:20Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com
2016-07-20T18:33:20Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:20Z DEBUG No LDAP server found
2016-07-20T18:33:20Z DEBUG IPA Server not found
2016-07-20T18:33:20Z DEBUG DNS discovery failed to find the IPA Server
2016-07-20T18:33:23Z DEBUG will use interactively provided server: ldap.mydomain.com
2016-07-20T18:33:23Z DEBUG [IPA Discovery]
2016-07-20T18:33:23Z DEBUG Starting IPA discovery with domain=mydomain.com, servers=['ldap.mydomain.com'], hostname=centostest.mydomain.com
2016-07-20T18:33:23Z DEBUG Server and domain forced
2016-07-20T18:33:23Z DEBUG [Kerberos realm search]
2016-07-20T18:33:23Z DEBUG Search DNS for TXT record of _kerberos.mydomain.com
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:23Z DEBUG Search DNS for SRV record of _kerberos._udp.mydomain.com
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:23Z DEBUG SRV record for KDC not found! Domain: mydomain.com
2016-07-20T18:33:23Z DEBUG [LDAP server check]
2016-07-20T18:33:23Z DEBUG Verifying that ldap.mydomain.com (realm None) is an IPA server
2016-07-20T18:33:23Z DEBUG Init LDAP connection to: ldap.mydomain.com
2016-07-20T18:33:24Z DEBUG Search LDAP server for IPA base DN
2016-07-20T18:33:24Z DEBUG Check if naming context 'dc=mydomain,dc=com' is for IPA
2016-07-20T18:33:24Z DEBUG Naming context 'dc=mydomain,dc=com' is a valid IPA context
2016-07-20T18:33:24Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain,dc=com (sub)
2016-07-20T18:33:24Z DEBUG Found: cn=MYDOMAION.COM,cn=kerberos,dc=mydomain,dc=com
2016-07-20T18:33:24Z DEBUG Discovery result: Success; server=ldap.mydomain.com, domain=mydomain.com, kdc=None, basedn=dc=mydomain,dc=com
2016-07-20T18:33:24Z DEBUG Validated servers: ldap.mydomain.com
2016-07-20T18:33:24Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
2016-07-20T18:33:24Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2016-07-20T18:33:24Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
2016-07-20T18:33:26Z DEBUG will use discovered realm: MYDOMAION.COM
2016-07-20T18:33:26Z DEBUG will use discovered basedn: dc=mydomain,dc=com
2016-07-20T18:33:26Z INFO Client hostname: centostest.mydomain.com
2016-07-20T18:33:26Z DEBUG Hostname source: Machine's FQDN
2016-07-20T18:33:26Z INFO Realm: MYDOMAION.COM
2016-07-20T18:33:26Z DEBUG Realm source: Discovered from LDAP DNS records in ldap.mydomain.com
2016-07-20T18:33:26Z INFO DNS Domain: mydomain.com
2016-07-20T18:33:26Z DEBUG DNS Domain source: Provided interactively
2016-07-20T18:33:26Z INFO IPA Server: ldap.mydomain.com
2016-07-20T18:33:26Z DEBUG IPA Server source: Provided interactively
2016-07-20T18:33:26Z INFO BaseDN: dc=mydomain,dc=com
2016-07-20T18:33:26Z DEBUG BaseDN source: From IPA server ldap://ldap.mydomain.com:389
2016-07-20T18:33:32Z DEBUG Starting external process
2016-07-20T18:33:32Z DEBUG args='/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'MYDOMAION.COM'
2016-07-20T18:33:32Z DEBUG Process finished, return code=3
2016-07-20T18:33:32Z DEBUG stdout=
2016-07-20T18:33:32Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2016-07-20T18:33:32Z INFO Skipping synchronizing time with NTP server.
2016-07-20T18:33:34Z DEBUG will use principal provided as option: admin
2016-07-20T18:33:34Z DEBUG Starting external process
2016-07-20T18:33:34Z DEBUG args='keyctl' 'get_persistent' '@s' '0'
2016-07-20T18:33:34Z DEBUG Process finished, return code=0
2016-07-20T18:33:34Z DEBUG stdout=354225941
2016-07-20T18:33:34Z DEBUG stderr=
2016-07-20T18:33:34Z DEBUG Enabling persistent keyring CCACHE
2016-07-20T18:33:34Z DEBUG Writing Kerberos configuration to /tmp/tmpGxQ6Xw:
2016-07-20T18:33:34Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MYDOMAION.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  MYDOMAION.COM = {
    kdc = ldap.mydomain.com:88
    master_kdc = ldap.mydomain.com:88
    admin_server = ldap.mydomain.com:749
    default_domain = mydomain.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mydomain.com = MYDOMAION.COM
  mydomain.com = MYDOMAION.COM

2016-07-20T18:33:37Z DEBUG Initializing principal ad...@mydomaion.com using password
2016-07-20T18:33:37Z DEBUG Starting external process
2016-07-20T18:33:37Z DEBUG args='/usr/bin/kinit' 'ad...@mydomaion.com' '-c' '/tmp/tmpXBVcV7'
2016-07-20T18:33:37Z DEBUG Process finished, return code=0
2016-07-20T18:33:37Z DEBUG stdout=Password for ad...@mydomaion.com:
2016-07-20T18:33:37Z DEBUG stderr=
2016-07-20T18:33:37Z DEBUG trying to retrieve CA cert via LDAP from ldap.mydomain.com
2016-07-20T18:33:38Z DEBUG flushing ldap://ldap.mydomain.com:389 from SchemaCache
2016-07-20T18:33:38Z DEBUG retrieving schema for SchemaCache url=ldap://ldap.mydomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1ed57a0>
2016-07-20T18:33:39Z DEBUG Existing CA cert and Retrieved CA cert are identical
2016-07-20T18:33:39Z DEBUG Starting external process
2016-07-20T18:33:39Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T18:33:39Z DEBUG Process finished, return code=17
2016-07-20T18:33:39Z DEBUG stdout=
2016-07-20T18:33:39Z DEBUG stderr=HTTP response code is 403, not 200
2016-07-20T18:33:39Z ERROR Joining realm failed: HTTP response code is 403, not 200
2016-07-20T18:33:39Z ERROR Installation failed. Rolling back changes.
2016-07-20T18:33:39Z ERROR IPA client is not configured on this system.

----- Original Message -----
From: "Rob Crittenden" <rcrit...@redhat.com>
To: "Rubin Binder" <rbin...@wooplagaming.com>, "Justin Stephenson" <jstep...@redhat.com>
Cc: freeipa-users@redhat.com
Sent: Wednesday, July 20, 2016 3:33:36 PM
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error

Rubin Binder wrote:
> Justin,
>
> Thank you very much for the prompt response. The log output is as follows:
>
> 2016-07-20T17:02:52Z DEBUG Starting external process
> 2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
> 2016-07-20T17:02:52Z DEBUG Process finished, return code=17
> 2016-07-20T17:02:52Z DEBUG stdout=
> 2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200
>
> 2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is 403, not 200
>
> 2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes.
> 2016-07-20T17:02:52Z ERROR IPA client is not configured on this system.

Seeing the entire file is usually more helpful, but in this case you did provide a single clue.

Return code 17 from ipa-join is an XML-RPC fault. This may be the same 403 as reported elsewhere.

I'd suggest looking in /var/log/httpd/error_log on the master.

rob

>
> Regards,
> Rubin
>
> ------------------------------------------------------------------------
> *From: *"Justin Stephenson" <jstep...@redhat.com>
> *To: *"Rubin Binder" <rbin...@wooplagaming.com>, freeipa-users@redhat.com
> *Sent: *Wednesday, July 20, 2016 2:49:16 PM
> *Subject: *Re: [Freeipa-users] FreeIPA Client Install 403 error
>
> Could you please share with us the /var/log/ipaclient-install.log ?
>
> Kind regards,
>
> Justin Stephenson
>
>
> On 07/20/2016 01:23 PM, Rubin Binder wrote:
> > Hello all,
> >
> > I am testing Free IPA server for use under a test environment; so far smooth sailing, and I have it up and running, no problems.
> >
> > The problem is occurring during client installation. I have installed the ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... I get the following:
> >
> > Client hostname: centostest.mydomain.com
> > Realm: MYDOMAIN.COM
> > DNS Domain: mydomain.com
> > IPA Server: ldap.mydomain.com
> > BaseDN: dc=mydomain,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> > Skipping synchronizing time with NTP server.
> > User authorized to enroll computers: admin
> > Password for ad...@mydomain.com:
> > Successfully retrieved CA cert
> > Subject: CN=Certificate Authority,O=MYDOMAIN.COM
> > Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
> > Valid From: Wed Jul 13 13:12:08 2016 UTC
> > Valid Until: Sun Jul 13 13:12:08 2036 UTC
> >
> > Joining realm failed: HTTP response code is 403, not 200
> >
> > Installation failed. Rolling back changes.
> > IPA client is not configured on this system.
> >
> > I can't make sense of why I'd be seeing a 403 error. I've done my share of searching but have not found a similar issue. Some have reported 401 errors in some circumstances, but not 403.
> >
> > Has anyone seen this before?
> >
> > Thanks,
> > Rubin
> >
> >
> >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
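The troubleshooting path in this thread runs from the client-side symptom (ipa-join exiting 17 with "HTTP response code is 403") to the authz_core AH01630 "client denied by server configuration" entry in /var/log/httpd/error_log on the master. The following is an added example, not code from the thread or from the FreeIPA project: a small parser for the Apache 2.4 error_log line layout shown above, plus a filter that pulls out the AH01630 denials that touch the IPA WSGI handler or the /ipa/ URL space, so the denial for a given enrolment attempt can be located by client address and timestamp. The sample input embeds the one line quoted in the thread; the other two lines are constructed here for illustration and do not come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache 2.4 error_log entry layout, matching the line quoted in the thread:
#   [<timestamp>] [<module>:<level>] [pid N] [client IP:PORT] AHxxxxx: <message>, referer: <url>
# The "[client ...]" block, the AH code and the ", referer: ..." suffix do not
# appear on every line (MPM notices carry none of them), so they are optional.
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[a-z0-9_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?"
    r"(?P<msg>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)


@dataclass
class ErrorEntry:
    timestamp: str
    module: str
    level: str
    pid: int
    client_ip: Optional[str]
    client_port: Optional[int]
    code: Optional[str]
    message: str
    referer: Optional[str]


def parse_error_line(line: str) -> Optional[ErrorEntry]:
    """Parse one error_log line; return None for lines that do not fit the layout."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    client_ip = client_port = None
    if m.group("client"):
        # rpartition keeps IPv6 literals intact: "2001:db8::1:49727" -> ("2001:db8::1", 49727)
        host, _, port = m.group("client").rpartition(":")
        client_ip, client_port = host, int(port)
    return ErrorEntry(
        timestamp=m.group("ts"),
        module=m.group("module"),
        level=m.group("level"),
        pid=int(m.group("pid")),
        client_ip=client_ip,
        client_port=client_port,
        code=m.group("code"),
        message=m.group("msg"),
        referer=m.group("referer"),
    )


def find_ipa_denials(lines: List[str]) -> List[ErrorEntry]:
    """Return the AH01630 (authz_core "client denied by server configuration")
    entries whose denied path or referer belongs to the IPA web stack.
    A client-side ipa-join return code 17 / HTTP 403 shows up on the master
    as a line of exactly this shape, as in the thread above."""
    hits = []
    for line in lines:
        e = parse_error_line(line)
        if e is None or e.code != "AH01630":
            continue
        if "/usr/share/ipa/" in e.message or (e.referer and "/ipa/" in e.referer):
            hits.append(e)
    return hits


# Sample input. The second line is the one quoted in the thread; the first and
# third are constructed for this example (an MPM start-up notice and an
# unrelated denial that the filter must leave out).
SAMPLE_LOG = [
    "[Wed Jul 20 14:30:01.000000 2016] [mpm_prefork:notice] [pid 27301] "
    "AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations",
    "[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] "
    "[client 172.16.10.12:49727] AH01630: client denied by server configuration: "
    "/usr/share/ipa/wsgi.py, referer: https://ldap.mydomain.com/ipa/xml",
    "[Wed Jul 20 14:35:10.000000 2016] [authz_core:error] [pid 27346] "
    "[client 172.16.10.99:51000] AH01630: client denied by server configuration: "
    "/var/www/html/private/",
]


if __name__ == "__main__":
    for hit in find_ipa_denials(SAMPLE_LOG):
        print(f"{hit.timestamp}  pid={hit.pid}  client={hit.client_ip}:{hit.client_port}")
        print(f"  {hit.code}: {hit.message}")
        print(f"  referer: {hit.referer}")
```

To use it against a real master, feed `find_ipa_denials()` the lines of /var/log/httpd/error_log and match the client address and time against the ipa-join entry in the client's /var/log/ipaclient-install.log (the thread's client log stamps are UTC, the Apache stamps are the server's local time, so allow for the offset). The path and referer checks are deliberately narrow: an AH01630 on some other location is a different access-control problem and should not be mistaken for the enrolment failure.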