Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 -
I just re-kickstarted the clone without the cis-security hardening script and it runs fine, so something in the cis-script breaks IPA server.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 30 May 2011 1:53 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 -

While you were out...

I cloned the original server, left it switched off and booted the clone, ran the --uninstall flag and yum remove and removed the ipa-server packages, I then re-installed, same SASL 9 failure messages... :/

regards

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 -
While you were out...

I cloned the original server, left it switched off and booted the clone, ran the --uninstall flag and yum remove and removed the ipa-server packages, I then re-installed, same SASL 9 failure messages... :/

regards
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Outcome? I couldn't see where the 401 or 500 appeared. The screen output of curl was as attached.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 26 May 2011 1:21 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

FYI

Think I did it right! :]

What was the outcome? Did you get a 401 or 500?

I can't figure it out based on the logs but I do see quite a few successful authentications. Can you isolate the log data for this one curl request?

I'd run this on the 6.1 client that you're having problems with.

thanks

rob

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

FYI

Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication. It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.

Here is something to try (obviously replacing ipa.example.com with your ipa server):

% kdestroy
% scp ipa.example.com:/etc/krb5.conf test-krb5.conf
% export KRB5_CONFIG=`pwd`/test-krb5.conf
% kinit admin
% klist -f (send us this output)
% curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
% klist -f (send us this too)
% unset KRB5_CONFIG

You should get a 500 error and not a 401.

Some logs to capture the tail of:

Apache error and access logs
/var/log/krb5kdc.log

rob

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 9:41 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

Logs.

Sorry, had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 8:51 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

Hi,

So I can't get clients to connect to the ipa server, be it 5.6 or 6.1

Is there a solution to this?

Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again? This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.

rob

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

I must be going blind in my old age. Anyway here they are.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
4) Did you also run kinit before manually running ipa-join in your testing? Yes
5) For DNS I added, allow query {any;}; into /etc/named.conf clients were then not denied DNS.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:

ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a completely different error message).

A few things to note:

- In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
- The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.

ipa-join needs authentication
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Steven Jones wrote:

Outcome? I couldn't see where the 401 or 500 appeared. The screen output of curl was as attached.

You didn't use the FQDN of the ipa server so it didn't do the authentication. Please run this again using the FQDN.

rob
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Strange dns things? Calling host from the command line works but something can't resolve the ipa server

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 26 May 2011 8:32 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

Outcome? I couldn't see where the 401 or 500 appeared. The screen output of curl was as attached.

You didn't use the FQDN of the ipa server so it didn't do the authentication. Please run this again using the FQDN.

rob
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
any ideas pls?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 26 May 2011 8:37 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Strange dns things? Calling host from the command line works but something can't resolve the ipa server

regards
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Steven Jones wrote:

Strange dns things? Calling host from the command line works but something can't resolve the ipa server

This is not a DNS problem, you did not give the FQDN to curl. There are Apache mod_rewrite rules that attempt to redirect HTTP requests to a point where the name will match the Kerberos service principal for the server, hence the 301 you got in return.

Please just use the FQDN and all will be well.

rob
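The outcomes discussed in this thread (a 301 when curl is given a short host name, a 401 when Negotiate fails, a 500 when the request gets past authentication) can be told apart from the curl -v and klist output. The script below is an added example, not code from the thread or from FreeIPA; the function names, verdict keywords and sample transcripts are constructed for illustration, and it assumes, as the thread does, that a 500 is the expected result once the Negotiate token is accepted.

```shell
#!/bin/sh
# Added example (not from the thread): read the output of the test procedure
#   curl -kv --negotiate -u : https://<server>/ipa/xml
#   klist -f
# and report where the Negotiate exchange stopped. Verdict keywords are made up here.

# Succeed if $1 is a fully-qualified host name: has a dot and is not an IPv4 literal.
is_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;           # has a non-digit, non-dot character: not an IP address
        *) return 1 ;;
    esac
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the host name curl put in its first Host: header ("> " marks request lines).
requested_host() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^> Host: \([^:]*\).*/\1/p' | head -n 1
}

# Print one verdict for a `curl -v` transcript passed as $1.
classify_negotiate() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }                               # headers arrive with CRLF
        /^> Authorization: Negotiate /   { sent = 1 }    # client produced a GSSAPI token
        /^< HTTP\//                      { status = $3 } # keep the final response status
        END {
            if (status == "")                  print "no-response"
            else if (status ~ /^30[1278]$/)    print "redirected"
            else if (status == "401" && !sent) print "no-token-sent"
            else if (status == "401")          print "token-rejected"
            else if (sent)                     print "authenticated-" status
            else                               print "unauthenticated-" status
        }'
}

# Succeed if `klist` output on stdin lists a service ticket for HTTP/<fqdn>.
has_http_ticket() {
    grep -qF "HTTP/$1@"
}

# Combine the checks into one finding. $1 = curl transcript, $2 = klist output.
diagnose() {
    host=$(requested_host "$1")
    verdict=$(classify_negotiate "$1")
    if ! is_fqdn "$host"; then
        echo "use-fqdn: '$host' is not fully qualified ($verdict)"
    elif [ "$verdict" = "no-token-sent" ] && ! printf '%s\n' "$2" | has_http_ticket "$host"; then
        echo "no-service-ticket: klist shows no HTTP/$host ticket"
    else
        echo "$verdict"
    fi
}

# --- Constructed sample data (not captured from the thread) -------------------
SHORT_NAME_RUN='> GET /ipa/xml HTTP/1.1
> Host: ipa
>
< HTTP/1.1 301 Moved Permanently
< Location: https://ipa.example.com/ipa/xml'

FQDN_RUN='> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate YIIC...(token elided)
> Host: ipa.example.com
>
< HTTP/1.1 500 Internal Server Error'

NO_TICKET_RUN='> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate'

KLIST_TGT_ONLY='Default principal: admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'
KLIST_WITH_HTTP="$KLIST_TGT_ONLY
HTTP/ipa.example.com@EXAMPLE.COM"

diagnose "$SHORT_NAME_RUN" "$KLIST_TGT_ONLY"
diagnose "$NO_TICKET_RUN"  "$KLIST_TGT_ONLY"
diagnose "$FQDN_RUN"       "$KLIST_WITH_HTTP"
```

For the token-rejected and no-service-ticket verdicts, the places to look next are the ones named in the thread: the Apache error and access logs and /var/log/krb5kdc.log.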
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
um...doh typo...

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 26 May 2011 12:46 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

Strange dns things? Calling host from the command line works but something can't resolve the ipa server

This is not a DNS problem, you did not give the FQDN to curl. There are Apache mod_rewrite rules that attempt to redirect HTTP requests to a point where the name will match the Kerberos service principal for the server, hence the 301 you got in return.

Please just use the FQDN and all will be well.

rob
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Steven Jones wrote:

Logs.

Sorry, had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 8:51 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:

Hi,

So I can't get clients to connect to the ipa server, be it 5.6 or 6.1

Is there a solution to this?

Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again? This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.

rob

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

I must be going blind in my old age. Anyway here they are.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
4) Did you also run kinit before manually running ipa-join in your testing? Yes
5) For DNS I added, allow query {any;}; into /etc/named.conf clients were then not denied DNS.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:

ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a completely different error message).

A few things to note:

- In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
- The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.

I think the first place to check is the Apache error log to see why the join call failed.

rob
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Is this done on the client or the server?

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 25 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
FYI

Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication. It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.

Here is something to try (obviously replacing ipa.example.com with your ipa server):

% kdestroy
% scp ipa.example.com:/etc/krb5.conf test-krb5.conf
% export KRB5_CONFIG=`pwd`/test-krb5.conf
% kinit admin
% klist -f (send us this output)
% curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
% klist -f (send us this too)
% unset KRB5_CONFIG

You should get a 500 error and not a 401.

Some logs to capture the tail of:

Apache error and access logs
/var/log/krb5kdc.log

rob
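The two captures requested in the quoted procedure (klist -f taken after the curl run, and the curl -kv --negotiate output) can be triaged mechanically to see at which step the Negotiate exchange stops. This is an added example, not part of the original thread: the function names are hypothetical, the captures are constructed, and ipa.example.com / EXAMPLE.COM are placeholders.

```shell
#!/bin/sh
# Added example: triage the klist -f and curl -kv --negotiate captures.
# All sample text is constructed; function names are hypothetical.

has_ticket() {        # $1 = klist text, $2 = literal principal prefix
    printf '%s\n' "$1" | grep -qF "$2"
}

sent_negotiate() {    # did curl put a Negotiate token on any request?
    printf '%s\n' "$1" | grep -q '^> Authorization: Negotiate '
}

final_status() {      # status code of the last response in the capture
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

triage() {            # $1 = klist text, $2 = curl text, $3 = server FQDN
    has_ticket "$1" "krbtgt/"  || { echo "no-tgt"; return 0; }
    has_ticket "$1" "HTTP/$3@" || { echo "no-http-ticket"; return 0; }
    status=$(final_status "$2")
    case "$status" in
        500) echo "auth-ok" ;;            # the outcome the thread says to expect
        401) if sent_negotiate "$2"; then
                 echo "token-rejected"    # server refused it: Apache error log
             else
                 echo "token-not-sent"    # client held a ticket but never used it
             fi ;;
        *)   echo "unexpected-${status:-none}" ;;
    esac
}

# Constructed klist -f output: TGT only (client gave up before the HTTP ticket).
KLIST_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/11 15:40:01  05/26/11 15:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# Constructed klist -f output: TGT plus the HTTP service ticket.
KLIST_WITH_HTTP="$KLIST_TGT_ONLY
05/25/11 15:40:09  05/26/11 15:40:01  HTTP/ipa.example.com@EXAMPLE.COM
        Flags: FAT"

# Constructed curl -v captures.
CURL_GAVE_UP='> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate'

CURL_REJECTED="$CURL_GAVE_UP
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate <constructed-token>
> Host: ipa.example.com
>
< HTTP/1.1 401 Authorization Required"

CURL_OK="$CURL_GAVE_UP
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate <constructed-token>
> Host: ipa.example.com
>
< HTTP/1.1 500 Internal Server Error"

triage "$KLIST_TGT_ONLY"  "$CURL_GAVE_UP"  ipa.example.com   # no-http-ticket
triage "$KLIST_WITH_HTTP" "$CURL_REJECTED" ipa.example.com   # token-rejected
triage "$KLIST_WITH_HTTP" "$CURL_OK"       ipa.example.com   # auth-ok
```

A "no-http-ticket" result points at the client side (krb5.conf, DNS, /var/log/krb5kdc.log), while "token-rejected" points at the server side and the Apache error log.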
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
turned it off, same failure.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 24 May 2011 11:34 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

On 05/23/2011 07:25 PM, Steven Jones wrote:
So even though I have the same versions I get the mis-match error, as per 5.6... except these did differ.

Firewall?

:( regards

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
On 05/23/2011 07:45 PM, Steven Jones wrote:
turned it off, same failure.

There are multiple protocols... did you turn it off completely or just poke holes? What about DNS? Does the client resolve the server correctly? Can you specify the server explicitly on the client command line? Would the result be different?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
On 05/23/2011 07:58 PM, Steven Jones wrote:
When it's on I poked holes through it; to test I did service iptables stop...
Here's the iptables -L -n output (attached)

This is as much as I can help. Hopefully there is enough info for developers to see what is going on.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 24 May 2011 11:52 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

On 05/23/2011 07:45 PM, Steven Jones wrote:
turned it off, same failure.

There are multiple protocols... did you turn it off completely or just poke holes? What about DNS? Does the client resolve the server correctly? Can you specify the server explicitly on the client command line? Would the result be different?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Looking at the install log, it's not resolving the server via DNS; I'm now getting resolving issues.

Suggests the integrated DNS is poked...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 24 May 2011 12:07 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

On 05/23/2011 07:58 PM, Steven Jones wrote:
When it's on I poked holes through it; to test I did service iptables stop...
Here's the iptables -L -n output (attached)

This is as much as I can help. Hopefully there is enough info for developers to see what is going on.
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Ignore that, I was making a typo... doh.

Included is the install log. Shows that same error as 5.6 in the log:

2011-05-24 12:58:10,407 DEBUG stderr=HTTP response code is 401, not 200

Looks like it's the ipa-join that's failing.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 12:57 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Looking at the install log, it's not resolving the server via DNS; I'm now getting resolving issues.

Suggests the integrated DNS is poked...

regards

ipaclient-install.log
Description: ipaclient-install.log
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 1:01 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Ignore that, I was making a typo... doh.

Included is the install log. Shows that same error as 5.6 in the log:

2011-05-24 12:58:10,407 DEBUG stderr=HTTP response code is 401, not 200

Looks like it's the ipa-join that's failing.