Hi,
I am trying to install the client on one of the machines and I'm getting the following error:

--------------------------------
Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
--------------------------------

I am able to install the same on other clients.

Output of running in debug:

-------------------------------------
/usr/sbin/ipa-client-install was invoked with options: {'domain': 'EXAMPLE.COM', 'force': False, 'krb5_offline_passwords': True, 'primary': True, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': ['ipa1.example.com', 'ipa2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=['ipa1.example.com', 'ipa2.example.com'], hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa1.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa1.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa1.example.com, domain=EXAMPLE.COM, ipa=None, basedn=dc=example,dc=com
will use discovered domain: EXAMPLE.COM
Using servers from command line, disabling DNS discovery
will use provided server: ipa1.example.com, ipa2.example.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: EXAMPLE.COM
will use discovered basedn: dc=example,dc=com
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=ipa2.example.com, hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa2.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa2.example.com, domain=EXAMPLE.COM, ipa=None, basedn=dc=example,dc=com
Hostname: perf-fe1.example.com
Hostname source: Machine's FQDN
Realm: EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in ipa1.example.com
DNS Domain: EXAMPLE.COM
DNS Domain source: Forced
IPA Server: ipa1.example.com, ipa2.example.com
IPA Server source: Provided as option
BaseDN: dc=example,dc=com
BaseDN source: From IPA server ldap://ipa1.example.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.EXAMPLE.COM.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmpune77A:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_ipa = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    ipa = ipa1.example.com:88
    master_ipa = ipa1.example.com:88
    admin_server = ipa1.example.com:749
    ipa = ipa2.example.com:88
    master_ipa = ipa2.example.com:88
    admin_server = ipa2.example.com:749
    default_domain = EXAMPLE.COM
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .EXAMPLE.COM = EXAMPLE.COM
  EXAMPLE.COM = EXAMPLE.COM
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

Password for ad...@example.com:
args=kinit ad...@example.com
stdout=Password for ad...@example.com:
stderr=
trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
get_ca_cert_from_ldap() error: Unknown authentication method
SASL(-4): no mechanism available: No worthy mechs found
{'info': 'SASL(-4): no mechanism available: No worthy mechs found', 'desc': 'Unknown authentication method'}
Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------

Seeing the above, it seems that LDAP is not running on SSL. I have verified it with the following command, 'ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin', and it does return results.

Any help/info will be really helpful.

Regards,
Mohan
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
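The debug output quoted in the message above interleaves discovery results, every command the installer ran with its stdout/stderr, and the final CA-certificate retrieval error. The following is an added example, not part of Mohan's message or of the FreeIPA project: a small stdlib-only triage parser for that log format that pulls out the discovered servers, the commands that wrote to stderr, and the `get_ca_cert_from_ldap()` error, and then classifies that error. The classification labels are my own; the one fact it relies on is that "SASL(-4): no mechanism available: No worthy mechs found" is Cyrus SASL's client-side message for "no SASL mechanism I can use is available for this bind", which is a different failure from an unreachable port or a TLS handshake problem and is worth telling apart before touching the server. The sample log is constructed from lines quoted in the message, trimmed to the relevant stages.

```python
"""Triage an ipa-client-install debug log (added example; sample log constructed)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the debug output quoted above, trimmed.
SAMPLE_LOG = """\
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=['ipa1.example.com', 'ipa2.example.com'], hostname=perf-fe1.example.com
Discovery result: Success; server=ipa1.example.com, domain=EXAMPLE.COM, ipa=None, basedn=dc=example,dc=com
Discovery result: Success; server=ipa2.example.com, domain=EXAMPLE.COM, ipa=None, basedn=dc=example,dc=com
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
args=kinit ad...@example.com
stdout=Password for ad...@example.com:
stderr=
trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
get_ca_cert_from_ldap() error: Unknown authentication method
SASL(-4): no mechanism available: No worthy mechs found
Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
"""

DISCOVERY_RE = re.compile(r"^Discovery result: Success; server=([^,\s]+),")
CA_URL_RE = re.compile(r"^trying to retrieve CA cert via LDAP from (\S+)")
CA_ERR_RE = re.compile(r"^get_ca_cert_from_ldap\(\) error: (.*)")


@dataclass
class Triage:
    discovered_servers: List[str] = field(default_factory=list)
    commands: List[Tuple[str, str]] = field(default_factory=list)  # (argv, stderr)
    ca_cert_url: Optional[str] = None
    ca_cert_error: str = ""
    failed: bool = False

    @property
    def warnings(self) -> List[Tuple[str, str]]:
        """Commands whose stderr was non-empty."""
        return [(cmd, err) for cmd, err in self.commands if err]

    def classify(self) -> str:
        """Bucket the CA-cert retrieval error; labels are this example's own."""
        e = self.ca_cert_error
        if not e:
            return "no-ca-cert-error"
        if "No worthy mechs found" in e or "SASL(-4)" in e:
            # Client-side Cyrus SASL could not offer a usable mechanism for the bind.
            return "sasl-mechanism-missing"
        if "Can't contact LDAP server" in e:
            return "ldap-unreachable"
        if "TLS" in e or "certificate verify" in e.lower():
            return "tls-error"
        return "unknown"


def triage_log(text: str) -> Triage:
    """Walk the installer's debug output line by line and fill a Triage record."""
    t = Triage()
    current_cmd: Optional[str] = None
    collecting_error = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if collecting_error:
            # SASL / dict detail lines directly follow the error line; stop at anything else.
            if line.startswith("SASL(") or line.startswith("{"):
                t.ca_cert_error += "\n" + line
                continue
            collecting_error = False
        m = DISCOVERY_RE.match(line)
        if m:
            t.discovered_servers.append(m.group(1))
            continue
        if line.startswith("args="):
            current_cmd = line[len("args="):]
            continue
        if line.startswith("stderr=") and current_cmd is not None:
            t.commands.append((current_cmd, line[len("stderr="):]))
            current_cmd = None
            continue
        m = CA_URL_RE.match(line)
        if m:
            t.ca_cert_url = m.group(1)
            continue
        m = CA_ERR_RE.match(line)
        if m:
            t.ca_cert_error = m.group(1)
            collecting_error = True
            continue
        if line.startswith("Installation failed"):
            t.failed = True
    return t


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print("servers:", result.discovered_servers)
    for cmd, err in result.warnings:
        print("stderr from", cmd, "->", err)
    print("CA cert source:", result.ca_cert_url)
    print("verdict:", result.classify())
```

Run against the quoted log this yields the verdict `sasl-mechanism-missing` for the CA-cert step, with the earlier `ipa-rmkeytab` stderr reported as a separate, non-fatal warning (a missing `/etc/krb5.keytab` is expected on a host that was never enrolled). Feeding it a log whose CA-cert step failed on connectivity or TLS would land in the other buckets, which is the distinction a defender wants before deciding whether the client's SASL setup or the server's listener is the thing to inspect.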