Re: [Freeipa-users] Unable to join FreeIPA client to server

2016-03-29 Thread Adam Bishop
On 29 Mar 2016, at 14:29, Adam Bishop  wrote:
> I could use a bit of help resolving this - full client debug follows. Both 
> systems are running nss 3.19.1 which *should* support TLS1.2, so I'm unsure 
> where to start fixing this.

Turns out to be a little easier to solve than I thought; the CentOS 6 client 
was running an older version of NSS than I thought it was.

ipa-client-3.0.0-47.el6.centos.1.x86_64 defaults to requiring tls1.2, but does 
not depend on a version of NSS that actually supports tls1.2.

Manually installing an updated version of NSS has resolved the problem. 

Regards,

Adam Bishop

 gpg: 0x6609D460

jisc.ac.uk

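A small preflight check for the mismatch described in this thread (an added example, not code from the list or from FreeIPA): it parses the installed nss package version from an rpm NEVRA string, compares it with the first NSS release that supports TLS 1.2 (assumed here to be 3.15.1), and scans ipa-client-install debug output for the failed TLS range and the SSL_ERROR_INVALID_VERSION_RANGE error. The NEVRA strings and the log excerpt are constructed sample input.

```python
import re

# Assumption: NSS 3.15.1 was the first release with TLS 1.2 support.
# Adjust if your distribution backports TLS 1.2 into an older build.
NSS_MIN_TLS12 = (3, 15, 1)

# Constructed sample of ipa-client-install debug output, modelled on the
# lines quoted in the thread (IPv6 literal is the one from the report).
SAMPLE_LOG = [
    "Connecting: [2001:630:1:177::98]:0",
    "Failed to set TLS range to tls1.0, tls1.2",
    "Could not connect socket to [2001:630:1:177::98]:443, error: "
    "(SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid.",
]


def parse_rpm_version(nevra):
    """Return (major, minor, patch) from an rpm NEVRA such as
    'nss-3.19.1-5.el6.x86_64', or None if it is not an nss package."""
    m = re.match(r"^nss-(\d+)\.(\d+)(?:\.(\d+))?-", nevra)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def supports_tls12(nss_version):
    """True when the parsed NSS version meets the assumed TLS 1.2 minimum."""
    return nss_version is not None and tuple(nss_version) >= NSS_MIN_TLS12


def diagnose_log(lines):
    """Find the requested TLS range and the NSS version-range error.
    Returns ((low, high), error_name) or None when the error is absent."""
    rng = None
    for line in lines:
        m = re.search(r"Failed to set TLS range to (\S+), (\S+)", line)
        if m:
            rng = (m.group(1), m.group(2))
        if "SSL_ERROR_INVALID_VERSION_RANGE" in line:
            return rng, "SSL_ERROR_INVALID_VERSION_RANGE"
    return None


def preflight(nss_nevra, log_lines):
    """Combine both checks: 'upgrade-nss' when the range error is present and
    the installed NSS is too old, 'range-error-other-cause' when NSS looks
    new enough yet the error still appears, 'ok' when no error was logged."""
    ver = parse_rpm_version(nss_nevra)
    hit = diagnose_log(log_lines)
    if hit and not supports_tls12(ver):
        return "upgrade-nss"
    if hit:
        return "range-error-other-cause"
    return "ok"
```

On the client, feed `preflight` the output of `rpm -q nss` and the `ipa-client-install --debug` log to reproduce the verdict reached in this thread.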

[Freeipa-users] Unable to join FreeIPA client to server

2016-03-29 Thread Adam Bishop
Client is running ipa-client-3.0.0-47.el6.centos.1.x86_64 on CentOS 6
Servers are running ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64 on CentOS 7

When I try to join the CentOS 6 client to the CentOS 7 servers, 
ipa-client-install is unable to access /ipa/xml, throwing the following error:

  ...
  Connecting: [2001:630:1:177::98]:0
  Failed to set TLS range to tls1.0, tls1.2
  Could not connect socket to [2001:630:1:177::98]:443, error: 
(SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid.
  ...

The full log follows, but I don't see anything interesting or unusual, other 
than HTTPS connections are established OK earlier in the installation process.

I could use a bit of help resolving this - full client debug follows. Both 
systems are running nss 3.19.1 which *should* support TLS1.2, so I'm unsure 
where to start fixing this.

Thanks,

Adam Bishop

  gpg: 0x6609D460

jisc.ac.uk

---

Starting IPA discovery with domain=example.org, servers=None, 
hostname=rms1.example.org
Search for LDAP SRV record in example.org
Search DNS for SRV record of _ldap._tcp.example.org.
DNS record found: 
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.}
DNS record found: 
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.example.org.
DNS record found: 
DNSResult::name:_kerberos.example.org.,type:16,class:1,rdata={data:example.org}
Search DNS for SRV record of _kerberos._udp.example.org.
DNS record found: 
DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:swi-ipa-001.example.org.}
DNS record found: 
DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:atl-ipa-001.example.org.}
[LDAP server check]
Verifying that atl-ipa-001.example.org (realm example.org) is an IPA server
Init LDAP connection with: ldap://atl-ipa-001.example.org:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=org' is for IPA
Naming context 'dc=example,dc=org' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=org (sub)
Found: cn=example.org,cn=kerberos,dc=example,dc=org
Discovery result: Success; server=atl-ipa-001.example.org, domain=example.org, 
kdc=swi-ipa-001.example.org,atl-ipa-001.example.org, basedn=dc=example,dc=org
Validated servers: atl-ipa-001.example.org
will use discovered domain: example.org
Start searching for LDAP SRV record in "example.org" (Validating DNS Discovery) 
and its sub-domains
Search DNS for SRV record of _ldap._tcp.example.org.
DNS record found: 
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.}
DNS record found: 
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.}
DNS validated, enabling discovery
will use discovered server: atl-ipa-001.example.org
Discovery was successful!
will use discovered realm: example.org
will use discovered basedn: dc=example,dc=org
Hostname: rms1.example.org
Hostname source: Machine's FQDN
Realm: example.org
Realm source: Discovered from LDAP DNS records in atl-ipa-001.example.org
DNS Domain: example.org
DNS Domain source: Discovered LDAP SRV records from example.org
IPA Server: atl-ipa-001.example.org
IPA Server source: Discovered from LDAP DNS records in atl-ipa-001.example.org
BaseDN: dc=example,dc=org
BaseDN source: From IPA server ldap://atl-ipa-001.example.org:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r example.org
stdout=
stderr=realm not found

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.example.org.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmpX2eUdM:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = example.org
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0


[realms]
  example.org = {
kdc = atl-ipa-001.example.org:88
master_kdc = atl-ipa-001.example.org:88
admin_server = atl-ipa-001.example.org:749
default_domain = example.org
pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .example.org = example.org
  example.org =