The problem could also be reproduced with the gnutls-cli command. It seems 
that it's launching the handshake in a manner incompatible with the server.
The same command from a CentOS box works (2.8.5 version of gnutls-cli). On the 
Ubuntu box the version is 2.12.14.

root@ubuntuprovesfreeipa:/etc/ldap# gnutls-cli -d 4 -p 636
Resolving ''...
Connecting to ''...
|<4>| REC[0x9b5bf68]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x9b5bf68]: Allocating epoch #1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x9b5bf68]: Sending extension SERVER NAME (31 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x9b5bf68]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x9b5bf68]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9b5bf68]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9b5bf68]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9b5bf68]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9b5bf68]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9b5bf68]: Epoch #0 freed
|<4>| REC[0x9b5bf68]: Epoch #1 freed
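
An added example, not part of the original message: a small Python summarizer for `gnutls-cli -d 4` output in the format shown above, which lists what the client offered and how the handshake ended, and diffs two such logs. Both sample logs are constructed (the second is invented for the comparison and is not real output of any gnutls-cli version); the names `summarize` and `only_in_first` are hypothetical.

```python
import re

# Constructed lines in the `gnutls-cli -d 4` format shown above; OTHER is
# invented for the comparison and is not real output of any version.
FAILING = """\
|<3>| HSK[0x1]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x1]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<2>| EXT[0x1]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[0x1]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x1]: CLIENT HELLO was sent [151 bytes]
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
"""
OTHER = """\
|<3>| HSK[0x2]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x2]: CLIENT HELLO was sent [60 bytes]
"""

# One capture group per field of interest in the debug output.
PATTERNS = {
    "ciphersuites": r"HSK\[\w+\]: Keeping ciphersuite: (\S+)",
    "extensions": r"EXT\[\w+\]: Sending extension (.+?) \(\d+ bytes\)",
    "sig_algos": r"EXT\[SIGA\]: sent signature algo \([\d.]+\) (\S+)",
    "hello_bytes": r"CLIENT HELLO was sent \[(\d+) bytes\]",
    "asserts": r"ASSERT: (\S+:\d+)",
    "alerts": r"Sending Alert\[\d+\|\d+\] - (.+)",
    "fatal": r"\*\*\* Fatal error: (.+)",
}

def summarize(log_text):
    """Collect what the client offered and how the handshake ended."""
    out = {key: [] for key in PATTERNS}
    for line in log_text.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.search(pattern, line)
            if m:
                out[key].append(m.group(1))
    return out

def only_in_first(first, second):
    """Offered items in `first` that `second` did not offer: the differences
    to look at first when one client connects and another does not."""
    return {k: [v for v in first[k] if v not in second[k]]
            for k in ("ciphersuites", "extensions", "sig_algos")}

if __name__ == "__main__":
    failing, other = summarize(FAILING), summarize(OTHER)
    print(failing["fatal"], failing["alerts"], failing["asserts"])
    print(only_in_first(failing, other))
```
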

  fail joining to a freeipa server with ipa-client-install

Status in “freeipa” package in Ubuntu:

Bug description:
  I try to join a freeipa domain and it seems there is some problem with the 
TLS negotiation. This is the log:
  pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
  [sudo] password for pasqual: 
  root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': 
True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 
'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': 
True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': 
None, 'realm_name': None, 'unattended': None, 'principal': None}
  root        : DEBUG    missing options might be asked for interactively later

  root        : DEBUG    Loading Index file from 
  root        : DEBUG    Loading StateFile from 
  root        : DEBUG    [ipadnssearchldap(]
  root        : DEBUG    [ipadnssearchldap(]
  root        : DEBUG    [ipadnssearchldap(es)]
  root        : DEBUG    [ipadnssearchldap(]
  root        : DEBUG    [ipadnssearchldap(]
  root        : DEBUG    [ipadnssearchldap(es)]
  root        : DEBUG    Domain not found
  DNS discovery failed to determine your DNS domain
  Provide the domain name of your IPA server (ex:
  root        : DEBUG    will use domain:

  root        : DEBUG    [ipadnssearchldap]
  root        : DEBUG    IPA Server not found
  DNS discovery failed to find the IPA Server
  Provide your IPA server name (ex:
  root        : DEBUG    will use server:

  root        : DEBUG    [ipadnssearchkrb]
  root        : DEBUG    [ipacheckldap]
  root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2
  root        : DEBUG    stdout=
  root        : DEBUG    stderr=--2012-05-11 12:06:09--
  Resolent (
  S'està connectant a 
(||:80... conectat.
  HTTP: Petició enviada, esperant resposta... 200 OK
  Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
  S'està desant a: «/tmp/tmpWptXwb/ca.crt»

       0K .                                                     100%

  2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt»

  root        : DEBUG    Init ldap with: ldap://
  root        : ERROR    LDAP Error: Connect error: A TLS packet with 
unexpected length was received.
  Failed to verify that is an IPA Server.
  This may mean that the remote server is not up or is not reachable
  due to network or firewall settings.
  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: freeipa-client 2.1.4-0ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-24.37-generic-pae 3.2.14
  Uname: Linux 3.2.0-24-generic-pae i686
  ApportVersion: 2.0.1-0ubuntu7
  Architecture: i386
  Date: Fri May 11 12:07:16 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)
