Re: [Freeipa-users] anonymous bind + ipa-install-client failure

2012-01-07 Thread Benjamin Reed
On 1/7/12 1:52 PM, Benjamin Reed wrote:
 At this point, I will do whatever is the fastest way to get things back
online. I do want to keep my user schema if possible, even if I have to
make them reset their passwords. Is it possible to recover that if I
just blow my config away and start fresh?

I gave up and ran ipa-server-install --uninstall.

Then I reran the install:

Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone._TBKwb.db
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unattended --domain opennms.com --server
connect.opennms.com --realm OPENNMS.COM --hostname connect.opennms.com'
returned non-zero exit status 1


I tried running the client install from another machine, and it agrees. 
What's going wrong here?  How do I fix this?  Did the uninstall fail to
clean something out, so now the new install is corrupt in some way?

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] anonymous bind + ipa-install-client failure

2012-01-07 Thread Benjamin Reed
On 1/7/12 3:06 PM, Benjamin Reed wrote:
 Configuration of client side components failed!
 ipa-client-install returned: Command '/usr/sbin/ipa-client-install
 --on-master --unattended --domain opennms.com --server
 connect.opennms.com --realm OPENNMS.COM --hostname
 connect.opennms.com' returned non-zero exit status 1

It turns out the issue for this showed in the ipa-client-install.log --
I had set up my HTTP server to redirect to HTTPS automatically, and that
was messing up the round-trip of the configuration:

2012-01-07 14:04:22,653 DEBUG args=/usr/bin/wget -O
/tmp/tmptzxcFF/ca.crt -T 15 -t 2
http://connect.opennms.com/ipa/config/ca.crt
2012-01-07 14:04:22,653 DEBUG stdout=
2012-01-07 14:04:22,653 DEBUG stderr=--2012-01-07 14:04:22--
http://connect.opennms.com/ipa/config/ca.crt
Resolving connect.opennms.com... 66.135.60.215
Connecting to connect.opennms.com|66.135.60.215|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://connect.opennms.com/ipa/config/ca.crt [following]
--2012-01-07 14:04:22-- https://connect.opennms.com/ipa/config/ca.crt
Connecting to connect.opennms.com|66.135.60.215|:443... connected.
ERROR: cannot verify connect.opennms.com’s certificate, issued by
“/O=OPENNMS.COM/CN=Certificate Authority”:
Self-signed certificate encountered.
To connect to connect.opennms.com insecurely, use ‘--no-check-certificate’.

2012-01-07 14:04:22,653 DEBUG Retrieving CA from connect.opennms.com failed.


-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/




Re: [Freeipa-users] anonymous bind + ipa-install-client failure

2011-12-23 Thread Simo Sorce
On Thu, 2011-12-22 at 22:54 -0500, Benjamin Reed wrote:
 
 This implies I guess the LDAP server isn't accepting this cert?

No, more that the client does not recognize the LDAP server's cert as
trusted.
It may be because the ca.crt that is downloaded has not been updated and
so the client is getting the old ca.crt you had before the selfsign-to-dogtag
migration I helped you with some time ago.

One thing you can test is if the ca.crt exposed via http is the same
that is stored on the server in /etc/ipa/ca.crt

 Is there a log that might explain what's going on on the server side?

You can look into the dirsrv access log
under /var/log/dirsrv/slapd-INSTANCE_NAME/access
(the log is buffered so you may have to wait a few seconds before you
see the log after the operation you want to monitor has been performed).

Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York

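One way to run the two checks this exchange points at, as an added example that is not code from the thread or from FreeIPA: a Python helper that classifies the wget transcript ipa-client-install logs for the /ipa/config/ca.crt download (catching the HTTP-to-HTTPS redirect Benjamin reports further up the page), and a fingerprint function for comparing the served ca.crt with /etc/ipa/ca.crt as Simo suggests. The sample transcript is constructed from the lines quoted in the thread; feed real log excerpts and PEM files to the functions.

```python
import base64
import hashlib
import re

# Constructed excerpt of the wget stderr that ipa-client-install writes to
# ipa-client-install.log for the ca.crt download, modelled on the failing run
# quoted in the thread (hostname and address kept from the thread).
SAMPLE_WGET_STDERR = """\
--2012-01-07 14:04:22-- http://connect.opennms.com/ipa/config/ca.crt
Connecting to connect.opennms.com|66.135.60.215|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://connect.opennms.com/ipa/config/ca.crt [following]
--2012-01-07 14:04:22-- https://connect.opennms.com/ipa/config/ca.crt
Connecting to connect.opennms.com|66.135.60.215|:443... connected.
ERROR: cannot verify connect.opennms.com's certificate, issued by
"/O=OPENNMS.COM/CN=Certificate Authority":
Self-signed certificate encountered.
"""

def diagnose_ca_fetch(stderr: str) -> str:
    """Classify a wget transcript of the /ipa/config/ca.crt download.

    'redirected-to-https' is the chicken-and-egg case from the thread: the
    plain-HTTP fetch was bounced to HTTPS and then failed verification,
    because the client cannot trust the IPA CA before it has downloaded that
    very CA. The redirect rule must exempt /ipa/config/ca.crt.
    'untrusted-cert' is a verification failure with no redirect involved,
    'ok' means the file was served with 200 OK.
    """
    redirected = re.search(r"^Location: https://\S+/ipa/config/ca\.crt",
                           stderr, re.M) is not None
    if "cannot verify" in stderr:
        return "redirected-to-https" if redirected else "untrusted-cert"
    if re.search(r"\b200 OK\b", stderr):
        return "ok"
    return "unknown"

def ca_fingerprint(pem: str) -> str:
    """SHA-256 of the DER body of the first PEM certificate, as hex.

    Comparing this for the ca.crt fetched from the /ipa/config/ URL and for
    /etc/ipa/ca.crt on the master answers Simo's question (same certificate
    or not) regardless of PEM line wrapping or trailing whitespace.
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()
```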


Re: [Freeipa-users] anonymous bind + ipa-install-client failure

2011-12-23 Thread Benjamin Reed

On 12/23/11 12:02 PM, Simo Sorce wrote:
 One thing you can test is if the ca.crt exposed via http is the same
 that is stored on the server in /etc/ipa/ca.crt

They are identical. I did find that the errors file is complaining about
this:

[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped.  To recover the encrypted
contents, keep the wrapped symmetric key value.
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped.  To recover the encrypted
contents, keep the wrapped symmetric key value.
[22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.


-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/



Re: [Freeipa-users] anonymous bind + ipa-install-client failure

2011-12-22 Thread Benjamin Reed
On 12/22/11 9:46 PM, Benjamin Reed wrote:
 I'm attempting to configure a CentOS6 box to talk to a RHEL6.2 IPA
 server. The IPA server has anonymous bind disabled since it's on the
 public Internet. When I run ipa-client-install, I get the following error:

So the full log makes more sense with debug on:

---(snip!)---
[root@nen etc]# ipa-client-install --domain=OPENNMS.COM --debug
root: DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': 'OPENNMS.COM', 'uninstall': False,
'force': False, 'sssd': True, 'krb5_offline_passwords': True,
'hostname': None, 'preserve_sssd': False, 'server': None,
'prompt_password': False, 'mkhomedir': False, 'dns_updates': False,
'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None,
'realm_name': None, 'unattended': None, 'principal': None}
root: DEBUG missing options might be asked for interactively
later

root: DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root: DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root: DEBUG [ipadnssearchldap]
root: DEBUG [ipadnssearchkrb]
root: DEBUG [ipacheckldap]
root: DEBUG args=/usr/bin/wget -O /tmp/tmpjxJzV_/ca.crt -T 15
-t 2 http://connect.opennms.com/ipa/config/ca.crt
root: DEBUG stdout=
root: DEBUG stderr=--2011-12-22 22:47:39--
http://connect.opennms.com/ipa/config/ca.crt
Resolving connect.opennms.com... 66.135.60.215
Connecting to connect.opennms.com|66.135.60.215|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://connect.opennms.com/ipa/config/ca.crt [following]
--2011-12-22 22:47:39--  https://connect.opennms.com/ipa/config/ca.crt
Connecting to connect.opennms.com|66.135.60.215|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1313 (1.3K) [application/x-x509-ca-cert]
Saving to: /tmp/tmpjxJzV_/ca.crt

 0K . 100% 3.11M=0s

2011-12-22 22:47:40 (3.11 MB/s) - /tmp/tmpjxJzV_/ca.crt saved [1313/1313]


root: DEBUG Init ldap with: ldap://connect.opennms.com:389
root: ERROR LDAP Error: Connect error: TLS error
-8172:Unknown code ___f 20
root: DEBUG will use domain: OPENNMS.COM

root: DEBUG will use server: connect.opennms.com

Failed to verify that connect.opennms.com is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
---(snip!)---

This implies I guess the LDAP server isn't accepting this cert?

Is there a log that might explain what's going on on the server side?

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

