[Freeipa-users] Re: Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200

2017-11-30 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> 1/ did you sanitize your logs and replace your real domain name with
> "mydomain"? If you are really using "mydomain" then this may be an issue
> as FreeIPA does not support single-level domain names (this requirement
> is enforced by the server installer since a recent bugfix [1]).
> 
> 2/ the error happens during a call to ipa-join. The interesting logs
> will be on the server in /var/logs/httpd/error_logs. You can retry
> ipa-client-install after enabling debug logs on the server:
> - create a file /etc/ipa/server.conf with the following content
> [global]
> debug=True
> - restart httpd service with systemctl restart httpd
> 
> The logs will be around the lines containing
> [date] [:error] [pid xx] ipa: DEBUG: raw: join(u'client.domain.com',
> nshardwareplatform=u'x86_64', nsosversion=u'3.10.0-693.5.2.el7.x86_64',
> version=u'2.51')
> ...
> 
> Flo
> 
> [1] https://pagure.io/freeipa/issue/7207

ipa-join is returning 17 which is an XML-RPC fault.

If you re-run ipa-client-install with the -d flag it will enable
additional tracing of the XML-RPC request.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
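The two replies above ask for the same facts from the client side: which DNS domain was used (and whether it is single-level) and what HTTP status the join request got. The following is an added example, not part of the original thread and not FreeIPA code; it pulls those facts out of an `ipaclient-install.log` style text, rejoining lines that the mail client wrapped. The function names `unwrap`, `is_single_label` and `triage` are hypothetical, and the sample log is constructed.

```python
import re

# Constructed sample, modelled on the install log in this thread and wrapped
# the way a mail client wraps it. Timestamp and level of the last record are made up.
SAMPLE_LOG = """\
2017-11-30T10:11:50Z DEBUG IPA version 4.6.1-3.fc27
2017-11-30T10:11:50Z DEBUG Discovery result: Success;
server=ipaserver.mydomain, domain=mydomain, kdc=ipaserver.mydomain,
basedn=dc=mydomain
2017-11-30T10:11:52Z ERROR Joining realm failed: HTTP POST to URL
'https://ipaserver.mydomain:443/ipa/xml' failed.  HTTP response code is 401, not 200
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")
DISCOVERY_RE = re.compile(r"Discovery result: (\w+); server=([^,]+), domain=([^,]+),")
JOIN_RE = re.compile(r"Joining realm failed: HTTP POST to URL '([^']+)' failed\.\s+"
                     r"HTTP response code is (\d{3})")

def unwrap(log_text):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def is_single_label(domain):
    """True for a one-label DNS domain such as 'mydomain'."""
    return len([p for p in domain.split(".") if p]) < 2

def triage(log_text):
    """Collect the facts the replies ask about from a client install log."""
    out = {"domain": None, "single_label": None, "join_url": None, "http_status": None}
    for record in unwrap(log_text):
        m = DISCOVERY_RE.search(record)
        if m:
            out["domain"] = m.group(3)
            out["single_label"] = is_single_label(m.group(3))
        m = JOIN_RE.search(record)
        if m:
            out["join_url"], out["http_status"] = m.group(1), int(m.group(2))
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `single_label` result of `True` on a sanitized log only reflects the placeholder, so check the real domain before acting on it.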


[Freeipa-users] Re: Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200

2017-11-30 Thread Fuji San via FreeIPA-users
Yes I did sanitize the logs.

I restarted the httpd server and the enrollment worked! No debug info in 
/var/logs/httpd/error_logs.
It was just a problem with the httpd server not working properly.

Thank you.


[Freeipa-users] Re: Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200

2017-11-30 Thread Florence Blanc-Renaud via FreeIPA-users

On 11/30/2017 11:39 AM, Fuji San via FreeIPA-users wrote:

Hello,
I have trouble enrolling an IPA client.
I just installed Fedora 27 and all the packages are up-to-date.
I succeeded in enrolling 2 previous F27 clients, but this one is giving me a hard time.

Any help would be welcome.

Fuji

--
$ ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns 
--no-nisdomain --server=ipaserver.mydomain --domain=mydomain
WARNING: ntpd time synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always 
access the discovered server for all operations and will not fail over to other 
servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.mydomain
Realm: MYDOMAIN
DNS Domain: mydomain
IPA Server: ipaserver.mydomain
BaseDN: dc=mydomain

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@MYDOMAIN:
Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=MYDOMAIN
 Issuer:  CN=Certificate Authority,O=MYDOMAIN
 Valid From:  2015-09-11 08:02:12
 Valid Until: 2035-09-11 08:02:12

Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' 
failed.  HTTP response code is 401, not 200

Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall 
--debug' returned non-zero exit status 1.
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
more information
-




--
2017-11-30T10:11:50Z DEBUG Logging to /var/log/ipaclient-install.log
2017-11-30T10:11:50Z DEBUG ipa-client-install was invoked with arguments [] and 
options: {'unattended': False, 'principal': None, 'prompt_password': False, 
'on_master': False, 'ca_cert_files': None, 'no_ac': False, 'force': False, 
'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': 
True, 'force_join': False, 'ntp_servers': None, 'no_ntp': False, 'force_ntpd': 
False, 'nisdomain': None, 'no_nisdomain': True, 'ssh_trust_dns': True, 
'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 
'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 
'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 
'enable_dns_updates': True, 'no_krb5_offline_passwords': False, 
'preserve_sssd': False, 'no_sssd': False, 'automount_location': None, 
'domain_name': 'mydomain', 'servers': ['ipaserver.mydomain'], 'realm_name': 
None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 
'uninstall': False}
2017-11-30T10:11:50Z DEBUG IPA version 4.6.1-3.fc27
2017-11-30T10:11:50Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/usr/sbin/selinuxenabled
2017-11-30T10:11:50Z DEBUG Process finished, return code=1
2017-11-30T10:11:50Z DEBUG stdout=
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2017-11-30T10:11:50Z DEBUG Process finished, return code=0
2017-11-30T10:11:50Z DEBUG stdout=enabled

2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG [IPA Discovery]
2017-11-30T10:11:50Z DEBUG Starting IPA discovery with domain=mydomain, 
servers=['ipaserver.mydomain'], hostname=ipaclient.mydomain
2017-11-30T10:11:50Z DEBUG Server and domain forced
2017-11-30T10:11:50Z DEBUG [Kerberos realm search]
2017-11-30T10:11:50Z DEBUG Search DNS for TXT record of _kerberos.mydomain
2017-11-30T10:11:50Z DEBUG DNS record found: "MYDOMAIN"
2017-11-30T10:11:50Z DEBUG [LDAP server check]
2017-11-30T10:11:50Z DEBUG Verifying that ipaserver.mydomain (realm MYDOMAIN) 
is an IPA server
2017-11-30T10:11:50Z DEBUG Init LDAP connection to: 
ldap://ipaserver.mydomain:389
2017-11-30T10:11:50Z DEBUG Search LDAP server for IPA base DN
2017-11-30T10:11:50Z DEBUG Check if naming context 'dc=mydomain' is for IPA
2017-11-30T10:11:50Z DEBUG Naming context 'dc=mydomain' is a valid IPA context
2017-11-30T10:11:50Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=mydomain (sub)
2017-11-30T10:11:50Z DEBUG Found: cn=MYDOMAIN,cn=kerberos,dc=mydomain
2017-11-30T10:11:50Z DEBUG Discovery result: Success; 
server=ipaserver.mydomain, domain=mydomain, kdc=ipaserver.mydomain, 
basedn=dc=mydomain
2017-11-30T10:11:50Z DEBUG Validated servers: ipaserver.mydomain
2017-11-30T10:11:50Z DEBUG