Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
:33:24Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=mydomain,dc=com (sub) 
2016-07-20T18:33:24Z DEBUG Found: 
cn=MYDOMAION.COM,cn=kerberos,dc=mydomain,dc=com 
2016-07-20T18:33:24Z DEBUG Discovery result: Success; server=ldap.mydomain.com, 
domain=mydomain.com, kdc=None, basedn=dc=mydomain,dc=com 
2016-07-20T18:33:24Z DEBUG Validated servers: ldap.mydomain.com 
2016-07-20T18:33:24Z WARNING The failure to use DNS to find your IPA server 
indicates that your resolv.conf file is not properly configured. 
2016-07-20T18:33:24Z INFO Autodiscovery of servers for failover cannot work 
with this configuration. 
2016-07-20T18:33:24Z INFO If you proceed with the installation, services will 
be configured to always access the discovered server for all operations and 
will not fail over to other servers in case of failure. 
2016-07-20T18:33:26Z DEBUG will use discovered realm: MYDOMAION.COM 
2016-07-20T18:33:26Z DEBUG will use discovered basedn: dc=mydomain,dc=com 
2016-07-20T18:33:26Z INFO Client hostname: centostest.mydomain.com 
2016-07-20T18:33:26Z DEBUG Hostname source: Machine's FQDN 
2016-07-20T18:33:26Z INFO Realm: MYDOMAION.COM 
2016-07-20T18:33:26Z DEBUG Realm source: Discovered from LDAP DNS records in 
ldap.mydomain.com 
2016-07-20T18:33:26Z INFO DNS Domain: mydomain.com 
2016-07-20T18:33:26Z DEBUG DNS Domain source: Provided interactively 
2016-07-20T18:33:26Z INFO IPA Server: ldap.mydomain.com 
2016-07-20T18:33:26Z DEBUG IPA Server source: Provided interactively 
2016-07-20T18:33:26Z INFO BaseDN: dc=mydomain,dc=com 
2016-07-20T18:33:26Z DEBUG BaseDN source: From IPA server 
ldap://ldap.mydomain.com:389 
2016-07-20T18:33:32Z DEBUG Starting external process 
2016-07-20T18:33:32Z DEBUG args='/usr/sbin/ipa-rmkeytab' '-k' 
'/etc/krb5.keytab' '-r' 'MYDOMAION.COM' 
2016-07-20T18:33:32Z DEBUG Process finished, return code=3 
2016-07-20T18:33:32Z DEBUG stdout= 
2016-07-20T18:33:32Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No 
such file or directory 

2016-07-20T18:33:32Z INFO Skipping synchronizing time with NTP server. 
2016-07-20T18:33:34Z DEBUG will use principal provided as option: admin 
2016-07-20T18:33:34Z DEBUG Starting external process 
2016-07-20T18:33:34Z DEBUG args='keyctl' 'get_persistent' '@s' '0' 
2016-07-20T18:33:34Z DEBUG Process finished, return code=0 
2016-07-20T18:33:34Z DEBUG stdout=354225941 

2016-07-20T18:33:34Z DEBUG stderr= 
2016-07-20T18:33:34Z DEBUG Enabling persistent keyring CCACHE 
2016-07-20T18:33:34Z DEBUG Writing Kerberos configuration to /tmp/tmpGxQ6Xw: 
2016-07-20T18:33:34Z DEBUG #File modified by ipa-client-install 

includedir /var/lib/sss/pubconf/krb5.include.d/ 

[libdefaults] 
default_realm = MYDOMAION.COM 
dns_lookup_realm = false 
dns_lookup_kdc = false 
rdns = false 
ticket_lifetime = 24h 
forwardable = yes 
udp_preference_limit = 0 
default_ccache_name = KEYRING:persistent:%{uid} 


[realms] 
MYDOMAION.COM = { 
kdc = ldap.mydomain.com:88 
master_kdc = ldap.mydomain.com:88 
admin_server = ldap.mydomain.com:749 
default_domain = mydomain.com 
pkinit_anchors = FILE:/etc/ipa/ca.crt 

} 


[domain_realm] 
.mydomain.com = MYDOMAION.COM 
mydomain.com = MYDOMAION.COM 

2016-07-20T18:33:37Z DEBUG Initializing principal ad...@mydomaion.com using 
password 
2016-07-20T18:33:37Z DEBUG Starting external process 
2016-07-20T18:33:37Z DEBUG args='/usr/bin/kinit' 'ad...@mydomaion.com' '-c' 
'/tmp/tmpXBVcV7' 
2016-07-20T18:33:37Z DEBUG Process finished, return code=0 
2016-07-20T18:33:37Z DEBUG stdout=Password for ad...@mydomaion.com: 

2016-07-20T18:33:37Z DEBUG stderr= 
2016-07-20T18:33:37Z DEBUG trying to retrieve CA cert via LDAP from 
ldap.mydomain.com 
2016-07-20T18:33:38Z DEBUG flushing ldap://ldap.mydomain.com:389 from 
SchemaCache 
2016-07-20T18:33:38Z DEBUG retrieving schema for SchemaCache 
url=ldap://ldap.mydomain.com:389 conn= 
2016-07-20T18:33:39Z DEBUG Existing CA cert and Retrieved CA cert are identical 
2016-07-20T18:33:39Z DEBUG Starting external process 
2016-07-20T18:33:39Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' 
'-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com' 
2016-07-20T18:33:39Z DEBUG Process finished, return code=17 
2016-07-20T18:33:39Z DEBUG stdout= 
2016-07-20T18:33:39Z DEBUG stderr=HTTP response code is 403, not 200 

2016-07-20T18:33:39Z ERROR Joining realm failed: HTTP response code is 403, not 
200 

2016-07-20T18:33:39Z ERROR Installation failed. Rolling back changes. 
2016-07-20T18:33:39Z ERROR IPA client is not configured on this system. 


- Original Message -

From: "Rob Crittenden" <rcrit...@redhat.com> 
To: "Rubin Binder" <rbin...@wooplagaming.com>, "Justin Stephenson" 
<jstep...@redhat.com> 
Cc: freeipa-users@redhat.com 
Sent: Wednesday, July 20, 2016 3:33:36 PM 
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error 

Rubin Binder wrote: 
> Justin, 
> 
> Thank you very much for the prompt response. The log output is as follows: 
>

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rob Crittenden

Rubin Binder wrote:

Justin,

Thank you very much for the prompt response.  The log output is as follows:

2016-07-20T17:02:52Z DEBUG Starting external process
2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s'
'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T17:02:52Z DEBUG Process finished, return code=17
2016-07-20T17:02:52Z DEBUG stdout=
2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200

2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is
403, not 200

2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes.
2016-07-20T17:02:52Z ERROR IPA client is not configured on this system.


Seeing the entire file is usually more helpful but in this case you did 
provide a single clue. Return code 17 from ipa-join is an XML-RPC fault. 
This may be the same 403 as reported elsewhere. I'd suggest looking in 
/var/log/httpd/error_log on the master.


rob



Regards,
Rubin


*From: *"Justin Stephenson" <jstep...@redhat.com>
*To: *"Rubin Binder" <rbin...@wooplagaming.com>, freeipa-users@redhat.com
*Sent: *Wednesday, July 20, 2016 2:49:16 PM
*Subject: *Re: [Freeipa-users] FreeIPA Client Install 403 error

Could you please share with us the /var/log/ipaclient-install.log ?

Kind regards,

Justin Stephenson


On 07/20/2016 01:23 PM, Rubin Binder wrote:
 > Hello all,
 >
 > I am testing Free IPA server for use under a test environment, so far
smooth sailing and have it up and running, no problems.
 >
 > The problem is occurring during client installation. I have installed
the ipa-client package on a clean CentOS 7 OS. When I execute
ipa-client-install... I get the following:
 >
 >   Client hostname: centostest.mydomain.com
 >   Realm: MYDOMAIN.COM
 >   DNS Domain: mydomain.com
 >   IPA Server: ldap.mydomain.com
 >   BaseDN: dc=mydomain,dc=com
 >
 >   Continue to configure the system with these values? [no]: yes
 >   Skipping synchronizing time with NTP server.
 >   User authorized to enroll computers: admin
 >   Password for ad...@mydomain.com:
 >   Successfully retrieved CA cert
 >   Subject: CN=Certificate Authority,O=MYDOMAIN.COM
 >   Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
 >   Valid From: Wed Jul 13 13:12:08 2016 UTC
 >   Valid Until: Sun Jul 13 13:12:08 2036 UTC
 >
 >   Joining realm failed: HTTP response code is 403, not 200
 >
 >   Installation failed. Rolling back changes.
 >   IPA client is not configured on this system.
 >
 > I can't make sense of why I'd be seeing a 403 error.  I've done my
share of searching but have not found a similar issue.  Some have reported
401 errors in some circumstances, but not 403.
 >
 > Has anyone seen this before?
 >
 > Thanks,
 > Rubin
 >






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
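
Added example, not part of the original thread: a small Python parser that rejoins the hard-wrapped lines of an ipaclient-install.log excerpt like the one posted here and lists every external process that exited non-zero, so the ipa-join return code 17 and its stderr stand out. The function names are hypothetical and the sample lines are constructed from the log in this thread.

```python
import re
import shlex
# Constructed sample: lines from the log in this thread, hard wraps kept.
SAMPLE_LOG = """\
2016-07-20T18:33:32Z DEBUG args='/usr/sbin/ipa-rmkeytab' '-k'
'/etc/krb5.keytab' '-r' 'MYDOMAION.COM'
2016-07-20T18:33:32Z DEBUG Process finished, return code=3
2016-07-20T18:33:32Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No
such file or directory
2016-07-20T18:33:34Z DEBUG args='keyctl' 'get_persistent' '@s' '0'
2016-07-20T18:33:34Z DEBUG Process finished, return code=0
2016-07-20T18:33:34Z DEBUG stderr=
2016-07-20T18:33:39Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com'
'-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T18:33:39Z DEBUG Process finished, return code=17
2016-07-20T18:33:39Z DEBUG stderr=HTTP response code is 403, not 200
"""

RECORD = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (\w+) (.*)$")

def unwrap(text):
    """Rejoin mail-wrapped lines into [level, message] records."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2).strip()])
        elif line.strip() and records:  # continuation of the previous record
            records[-1][1] += " " + line.strip()
    return records

def failed_processes(text):
    """Return one dict per external process that exited non-zero."""
    failures, current = [], None
    for _level, msg in unwrap(text):
        if msg.startswith("args="):
            current = {"argv": shlex.split(msg[5:]), "rc": None, "stderr": ""}
        elif current and msg.startswith("Process finished, return code="):
            current["rc"] = int(msg.rsplit("=", 1)[1])
        elif current and msg.startswith("stderr="):
            current["stderr"] = msg[7:]
            if current["rc"]:
                failures.append(current)
            current = None
    return failures

if __name__ == "__main__":
    for f in failed_processes(SAMPLE_LOG):
        print(f["rc"], f["argv"][0], "->", f["stderr"])
```

The ipa-rmkeytab entry is listed as well; its stderr shows only that /etc/krb5.keytab could not be opened because the file does not exist.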


Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Justin, 

Thank you very much for the prompt response. The log output is as follows: 

2016-07-20T17:02:52Z DEBUG Starting external process 
2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' 
'-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com' 
2016-07-20T17:02:52Z DEBUG Process finished, return code=17 
2016-07-20T17:02:52Z DEBUG stdout= 
2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200 

2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is 403, not 
200 

2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes. 
2016-07-20T17:02:52Z ERROR IPA client is not configured on this system. 

Regards, 
Rubin 

- Original Message -

From: "Justin Stephenson" <jstep...@redhat.com> 
To: "Rubin Binder" <rbin...@wooplagaming.com>, freeipa-users@redhat.com 
Sent: Wednesday, July 20, 2016 2:49:16 PM 
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error 

Could you please share with us the /var/log/ipaclient-install.log ? 

Kind regards, 

Justin Stephenson 


On 07/20/2016 01:23 PM, Rubin Binder wrote: 
> Hello all, 
> 
> I am testing Free IPA server for use under a test environment, so far smooth 
> sailing and have it up and running, no problems. 
> 
> The problem is occurring during client installation. I have installed the 
> ipa-client package on a clean CentOS 7 OS. When I execute 
> ipa-client-install... I get the following: 
> 
> Client hostname: centostest.mydomain.com 
> Realm: MYDOMAIN.COM 
> DNS Domain: mydomain.com 
> IPA Server: ldap.mydomain.com 
> BaseDN: dc=mydomain,dc=com 
> 
> Continue to configure the system with these values? [no]: yes 
> Skipping synchronizing time with NTP server. 
> User authorized to enroll computers: admin 
> Password for ad...@mydomain.com: 
> Successfully retrieved CA cert 
> Subject: CN=Certificate Authority,O=MYDOMAIN.COM 
> Issuer: CN=Certificate Authority,O=MYDOMAIN.COM 
> Valid From: Wed Jul 13 13:12:08 2016 UTC 
> Valid Until: Sun Jul 13 13:12:08 2036 UTC 
> 
> Joining realm failed: HTTP response code is 403, not 200 
> 
> Installation failed. Rolling back changes. 
> IPA client is not configured on this system. 
> 
> I can't make sense of why I'd be seeing a 403 error. I've done my share of 
> searching but have not found a similar issue. Some have reported 401 errors in 
> some circumstances, but not 403. 
> 
> Has anyone seen this before? 
> 
> Thanks, 
> Rubin 
> 



Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Justin Stephenson

Could you please share with us the /var/log/ipaclient-install.log ?

Kind regards,

Justin Stephenson


On 07/20/2016 01:23 PM, Rubin Binder wrote:

Hello all,

I am testing Free IPA server for use under a test environment, so far smooth 
sailing and have it up and running, no problems.

The problem is occurring during client installation. I have installed the 
ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... 
I get the following:

  Client hostname: centostest.mydomain.com
  Realm: MYDOMAIN.COM
  DNS Domain: mydomain.com
  IPA Server: ldap.mydomain.com
  BaseDN: dc=mydomain,dc=com

  Continue to configure the system with these values? [no]: yes
  Skipping synchronizing time with NTP server.
  User authorized to enroll computers: admin
  Password for ad...@mydomain.com:
  Successfully retrieved CA cert
  Subject: CN=Certificate Authority,O=MYDOMAIN.COM
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Valid From: Wed Jul 13 13:12:08 2016 UTC
  Valid Until: Sun Jul 13 13:12:08 2036 UTC

  Joining realm failed: HTTP response code is 403, not 200

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

I can't make sense of why I'd be seeing a 403 error.  I've done my share of 
searching but have not found a similar issue.  Some have reported 401 errors in 
some circumstances, but not 403.

Has anyone seen this before?

Thanks,
Rubin





[Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Hello all, 

I am testing Free IPA server for use under a test environment, so far smooth 
sailing and have it up and running, no problems. 

The problem is occurring during client installation. I have installed the 
ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... 
I get the following: 

 Client hostname: centostest.mydomain.com 
 Realm: MYDOMAIN.COM 
 DNS Domain: mydomain.com 
 IPA Server: ldap.mydomain.com 
 BaseDN: dc=mydomain,dc=com 

 Continue to configure the system with these values? [no]: yes 
 Skipping synchronizing time with NTP server. 
 User authorized to enroll computers: admin 
 Password for ad...@mydomain.com: 
 Successfully retrieved CA cert 
 Subject: CN=Certificate Authority,O=MYDOMAIN.COM 
 Issuer: CN=Certificate Authority,O=MYDOMAIN.COM 
 Valid From: Wed Jul 13 13:12:08 2016 UTC 
 Valid Until: Sun Jul 13 13:12:08 2036 UTC 

 Joining realm failed: HTTP response code is 403, not 200 

 Installation failed. Rolling back changes. 
 IPA client is not configured on this system. 

I can't make sense of why I'd be seeing a 403 error.  I've done my share of 
searching but have not found a similar issue.  Some have reported 401 errors in 
some circumstances, but not 403.

Has anyone seen this before?

Thanks,
Rubin
