Re: [Freeipa-users] ipa-client-install error

2015-09-28 Thread ladanyi


Hi Bahan,

> Hey.
>
> Try to remove the cert file in /etc/ipa of this client.
>
> And then retry.

this was perfect :-) Thank you.

> Best regards.
>
> Bahan

Andy


Hi,

I want to install ipa client: ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


selinux on the ipa client and ipa server is permissive, iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.


About the client:

rpm -qi ipa-client
Name: ipa-client
Version : 4.1.0
Release : 18.el7.centos.4


About the freeipa server:

rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21


regards,
Andy



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
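
The TLS error -8054 quoted in this message describes two certificates that share issuer and serial number but are not the same certificate, the condition that went away once the cert file in /etc/ipa was removed. The following added example (not part of the thread and not FreeIPA code) implements that comparison with a minimal DER reader; all function names are hypothetical, and the unsigned EXAMPLE.TEST certificate skeletons are constructed sample data.

```python
import base64
import hashlib
import re

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certs(data):
    """Return the DER bytes of every certificate found in PEM file contents."""
    return [base64.b64decode(body) for body in _PEM.findall(data)]


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def issuer_and_serial(der):
    """Extract (raw issuer Name bytes, serial number) from a DER X.509 certificate."""
    tag, pos, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, _ = _read_tlv(der, pos)          # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate expected")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
        tag, start, end = _read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(der[start:end], "big")
    _, _, pos = _read_tlv(der, end)            # skip signature AlgorithmIdentifier
    tag, _, end = _read_tlv(der, pos)          # issuer Name
    if tag != 0x30:
        raise ValueError("issuer Name expected")
    return der[pos:end], serial


def compare(cached_der, served_der):
    """Classify a locally cached CA certificate against the one the server presents."""
    if cached_der == served_der:
        return "identical"
    if issuer_and_serial(cached_der) == issuer_and_serial(served_der):
        return "reused-issuer-serial"          # the situation error -8054 reports
    return "different-identity"


def fingerprint(der):
    """SHA-256 fingerprint, useful for telling the two certificates apart in a report."""
    return hashlib.sha256(der).hexdigest()


# --- constructed sample data below: structural skeletons, not signed certificates ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def make_sample_cert(org, serial, key_material):
    """Build an unsigned certificate skeleton with the given issuer O= and serial."""
    def attr(oid, text):
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode())))
    name = _tlv(0x30, attr(b"\x55\x04\x0a", org) + attr(b"\x55\x04\x03", "Sample CA"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial_int = _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    tbs = _tlv(0x30, version + serial_int + alg + name + _tlv(0x04, key_material))
    fake_sig = _tlv(0x03, b"\x00" + hashlib.sha256(key_material).digest())
    return _tlv(0x30, tbs + alg + fake_sig)


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    cached = make_sample_cert("EXAMPLE.TEST", 1, b"old-ca-key")   # stale local copy
    served = make_sample_cert("EXAMPLE.TEST", 1, b"new-ca-key")   # what the server sends
    for der in pem_certs(to_pem(cached)):
        print(compare(der, served), fingerprint(der)[:16], fingerprint(served)[:16])
```
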


[Freeipa-users] ipa-client-install error

2015-09-25 Thread Andreas Ladanyi
Hi,

I want to install ipa client: ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


selinux on the ipa client and ipa server is permissive, iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.


About the client:

rpm -qi ipa-client
Name: ipa-client
Version : 4.1.0
Release : 18.el7.centos.4


About the freeipa server:

rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21


regards,
Andy




Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:54 PM, Steven Jones wrote:
> Hi,
>
> BTW, is this advice in the admin guide?  I would suggest it's worth
> stating.
>

Noted.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Thursday, 3 May 2012 9:45 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On 05/02/2012 05:29 PM, Steven Jones wrote:
>> What is the impact of IPA not working properly?
> You need to differentiate client system that uses IPA for identity
> lookups and authentication and administrative station where you have
> ipa-admintools package installed. It is not recommended to have this
> package on the client side to be higher version than on the server. We
> are currently fixing the issue for the client enrollment to work even if
> you try to enroll later version of the ipa client with the earlier
> version of the server but for ipa-admintools the general rule: upgrade
> server first and then the client ipa-admintools package should continue
> to apply.
>
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ____
>> From: Martin Kosek [mko...@redhat.com]
>> Sent: Thursday, 3 May 2012 1:52 a.m.
>> To: Rob Crittenden
>> Cc: Steven Jones; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] ipa-client install error
>>
>> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>>> Steven Jones wrote:
>>>> So this opens a chicken and egg?
>>>>
>>>> i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
>>>> older 6.2 clients will break?  but I can't upgrade the clients until after
>>>> the servers are done... if so that is a huge and ugly looking task that is
>>>> one way
>>> No, that's not the problem at all. Enrolled clients will work as
>>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>>> investigating. We'll fix it if needed.
>>>
>>> rob
>> I just sent a patch for this issue to freeipa-devel list. The problem
>> was in the TGT forwarding as mentioned earlier in this thread. The
>> patched client can now join an older IPA server. But ipa command still
>> won't work properly as its API is higher than the server's.
>>
>> Martin
>>
>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> 
>>>> From: Rob Crittenden [rcrit...@redhat.com]
>>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>>
>>>> Steven Jones wrote:
>>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop 
>>>>> from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our 
>>>>> satellite is down I can't correct this so I tried to add the 6.3beta
>>>>> client to IPA on 6.2 and I get an error.
>>>>>
>>>>> ==
>>>>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>>> Discovery was successful!
>>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>>> Realm: ODS.VUW.AC.NZ
>>>>> DNS Domain: ods.vuw.ac.nz
>>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>>
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>> User authorized to enroll computers: admjonesst1
>>>>> Synchronizing time with KDC...
>>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>>> Password for admjones...@ods.vuw.ac.nz:
>>>>>
>>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>>> Created /etc/i

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

BTW, is this advice in the admin guide?  I would suggest it's worth stating.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 3 May 2012 9:45 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity
lookups and authentication and administrative station where you have
ipa-admintools package installed. It is not recommended to have this
package on the client side to be higher version than on the server. We
are currently fixing the issue for the client enrollment to work even if
you try to enroll later version of the ipa client with the earlier
version of the server but for ipa-admintools the general rule: upgrade
server first and then the client ipa-admintools package should continue
to apply.


>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
>>> older 6.2 clients will break?  but I can't upgrade the clients until after
>>> the servers are done... if so that is a huge and ugly looking task that is
>>> one way
>> No, that's not the problem at all. Enrolled clients will work as
>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>> investigating. We'll fix it if needed.
>>
>> rob
> I just sent a patch for this issue to freeipa-devel list. The problem
> was in the TGT forwarding as mentioned earlier in this thread. The
> patched client can now join an older IPA server. But ipa command still
> won't work properly as its API is higher than the server's.
>
> Martin
>
>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> 
>>> From: Rob Crittenden [rcrit...@redhat.com]
>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>
>>> Steven Jones wrote:
>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 
>>>> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite 
>>>> is down I can't correct this so I tried to add the 6.3beta client to IPA on
>>>> 6.2 and I get an error.
>>>>
>>>> ==
>>>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>> Discovery was successful!
>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>> Realm: ODS.VUW.AC.NZ
>>>> DNS Domain: ods.vuw.ac.nz
>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> User authorized to enroll computers: admjonesst1
>>>> Synchronizing time with KDC...
>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Password for admjones...@ods.vuw.ac.nz:
>>>>
>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>> Created /etc/ipa/default.conf
>>>> Unable to activate the SSH service in SSSD config.
>>>> Please make sure you have SSSD built with SSH support installed.
>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>> Traceback (most recent call last):
>>>> File "/usr/sbin/ipa-client-install", line 1534, in
>>>>   sys.exit(main())
>>>

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

Sorry, I used IPA I should have used lower case eg,

"But ipa command still
won't work properly as its API is higher than the server's."

The way I read that is a client will have limited command line capability? that 
would be Ok over say some weeks while we upgraded.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 3 May 2012 9:40 a.m.
To: Steven Jones
Cc: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of
"properly" but basically if IPA server isn't working, none of your auth
or identity works. Depending on what state sssd thinks the server is in
it may fall back into offline mode in which case individual workstations
will still operate but networked authentication/identity will fail.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity
lookups and authentication and administrative station where you have
ipa-admintools package installed. It is not recommended to have this
package on the client side to be higher version than on the server. We
are currently fixing the issue for the client enrollment to work even if
you try to enroll later version of the ipa client with the earlier
version of the server but for ipa-admintools the general rule: upgrade
server first and then the client ipa-admintools package should continue
to apply.


>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
>>> older 6.2 clients will break?  but I can't upgrade the clients until after
>>> the servers are done... if so that is a huge and ugly looking task that is
>>> one way
>> No, that's not the problem at all. Enrolled clients will work as
>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>> investigating. We'll fix it if needed.
>>
>> rob
> I just sent a patch for this issue to freeipa-devel list. The problem
> was in the TGT forwarding as mentioned earlier in this thread. The
> patched client can now join an older IPA server. But ipa command still
> won't work properly as its API is higher than the server's.
>
> Martin
>
>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> 
>>> From: Rob Crittenden [rcrit...@redhat.com]
>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>
>>> Steven Jones wrote:
>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 
>>>> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite 
>>>> is down I can't correct this so I tried to add the 6.3beta client to IPA on
>>>> 6.2 and I get an error.
>>>>
>>>> ==
>>>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>> Discovery was successful!
>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>> Realm: ODS.VUW.AC.NZ
>>>> DNS Domain: ods.vuw.ac.nz
>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> User authorized to enroll computers: admjonesst1
>>>> Synchronizing time with KDC...
>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Password for admjones...@ods.vuw.ac.nz:
>>>>
>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>> Created /etc/ipa/default.conf
>>>> Unable to activate the SSH service in SSSD config.
>>>> Please make sure you have SSSD built with SSH support installed.
>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>> Traceback (most recent call last):
>>>> File "/usr/sbin/ipa-client-install", line 1534, in
>>>>   sys.exit(main())
>>>> File "/usr/sbin/ipa-client-install", line 1521, in main
>>>>   rval = install(options, env, fstore, statestore)
>>>> File "/usr/sbin/ipa-client-install", line 1358, in install
>>>>   api.Backend.xmlclient.connect()
>>>> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
>>>> connect
>>>>   conn = self.creat

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

> What is the impact of IPA not working properly?


That is a bit of a loaded question. It depends on your definition of 
"properly" but basically if IPA server isn't working, none of your auth 
or identity works. Depending on what state sssd thinks the server is in 
it may fall back into offline mode in which case individual workstations 
will still operate but networked authentication/identity will fail.


rob



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> "proper" isn't defined as such, but yes in an ideal world... Trouble is we
> have so many servers that we patch over 2 or 3 early start mornings, until
> now we did test first, then prod... now we have to start to separate them
>
> also will  IPA server on 6.3 collide with IPA server on 6.2?   It would be
> "proper" to only upgrade one IPA at a time in case the upgrade buggered
> IPA... otherwise I have to do all at once...and if it goes wrong I'm left
> with nothing..
>

The issue affects client to server authentication not server to server
replication so 6.3 and 6.2 should work fine for several days while you
are migrating servers from 6.2 to 6.3.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:28 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
>> On 05/01/2012 06:15 PM, Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
>>> older 6.2 clients will break?  but I can't upgrade the clients until after
>>> the servers are done... if so that is a huge and ugly looking task that is
>>> one way.
>>>
>> Yes this is a serious problem. Thank you for uncovering it.
>> Current plan is to: provide a fix for the older clients to be able to
>> connect to 2.2 via errata.
>> Make sure that the 2.2 client can connect to the 2.1 server.
>>
>> Thanks
>> Dmitri
> I am working on a patch for ipa-client-install which should make it
> capable of joining an older IPA server.
>
> BTW, I always thought that the proper upgrade scenario is to upgrade the
> servers to the new version first and then upgrade the clients. The issue
> here is that the new IPA clients won't be able to use "ipa" command to
> control the old server because they have a higher API version and the
> old server would not support it.
>
> The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
> should be OK as we maintain backwards compatibility.
>
> Martin
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

> Hi,
>
> "proper" isn't defined as such, but yes in an ideal world... Trouble is we have
> so many servers that we patch over 2 or 3 early start mornings, until now we did test
> first, then prod... now we have to start to separate them

Right, this is why we fixed the bug.

> also will  IPA server on 6.3 collide with IPA server on 6.2?   It would be
> "proper" to only upgrade one IPA at a time in case the upgrade buggered
> IPA... otherwise I have to do all at once...and if it goes wrong I'm left with
> nothing..


It will be fixed to work in 6.3 GA. The client enrollment will succeed 
but you won't get the 6.3 features (like SSH host keys uploaded). The 
ipa tool is not downward compatible, so a 6.3 ipa tool will not work 
with a 6.2 server but the reverse WILL work.


rob



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
What is the impact of IPA not working properly?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
> > older 6.2 clients will break?  but I can't upgrade the clients until after
> > the servers are done... if so that is a huge and ugly looking task that is
> > one way
>
> No, that's not the problem at all. Enrolled clients will work as
> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
> investigating. We'll fix it if needed.
>
> rob

I just sent a patch for this issue to freeipa-devel list. The problem
was in the TGT forwarding as mentioned earlier in this thread. The
patched client can now join an older IPA server. But ipa command still
won't work properly as its API is higher than the server's.

Martin


>
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ____
> > From: Rob Crittenden [rcrit...@redhat.com]
> > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > To: Steven Jones
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > Steven Jones wrote:
> >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 
> >> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite 
> >> is down I can't correct this so I tried to add the 6.3beta client to IPA on
> >> 6.2 and I get an error.
> >>
> >> ==
> >> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> >> Discovery was successful!
> >> Hostname: rhel664ws01.ods.vuw.ac.nz
> >> Realm: ODS.VUW.AC.NZ
> >> DNS Domain: ods.vuw.ac.nz
> >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> >>
> >>
> >> Continue to configure the system with these values? [no]: yes
> >> User authorized to enroll computers: admjonesst1
> >> Synchronizing time with KDC...
> >> Unable to sync time with IPA NTP server, assuming the time is in sync.
> >> Password for admjones...@ods.vuw.ac.nz:
> >>
> >> Enrolled in IPA realm ODS.VUW.AC.NZ
> >> Created /etc/ipa/default.conf
> >> Unable to activate the SSH service in SSSD config.
> >> Please make sure you have SSSD built with SSH support installed.
> >> Configure SSH support manually in /etc/sssd/sssd.conf.
> >> Configured /etc/sssd/sssd.conf
> >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> >> Traceback (most recent call last):
> >> File "/usr/sbin/ipa-client-install", line 1534, in
> >>   sys.exit(main())
> >> File "/usr/sbin/ipa-client-install", line 1521, in main
> >>   rval = install(options, env, fstore, statestore)
> >> File "/usr/sbin/ipa-client-install", line 1358, in install
> >>   api.Backend.xmlclient.connect()
> >> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
> >> connect
> >>   conn = self.create_connection(*args, **kw)
> >> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
> >> create_connection
> >>   raise errors.KerberosError(major=str(krberr), minor='')
> >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
> >> credentials/
> >> [root@rhel664ws01 ~]#
> >> ===
> >>
> >> Is this expected when trying to connect 6.3beta? i.e. it's simply not
> >> compatible?
> >>
> >
> > The newer 2.2 client cannot connect to an older 2.1 server because it
> > isn't going to send the TGT that the 2.1 server requires. We should
> > handle this better, I've opened a ticket to track this:
> > https://fedorahosted.org/freeipa/ticket/2697
> >
> > rob
> >
>


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

"proper" isn't defined as such, but yes in an ideal world... Trouble is we have
so many servers that we patch over 2 or 3 early start mornings, until now we
did test first, then prod... now we have to start to separate them

also will  IPA server on 6.3 collide with IPA server on 6.2?   It would be
"proper" to only upgrade one IPA at a time in case the upgrade buggered
IPA... otherwise I have to do all at once...and if it goes wrong I'm left
with nothing..

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:28 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
> > older 6.2 clients will break?  but I can't upgrade the clients until after
> > the servers are done... if so that is a huge and ugly looking task that is
> > one way.
> >
>
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to: provide a fix for the older clients to be able to
> connect to 2.2 via errata.
> Make sure that the 2.2 client can connect to the 2.1 server.
>
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it
capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the
servers to the new version first and then upgrade the clients. The issue
here is that the new IPA clients won't be able to use "ipa" command to
control the old server because they have a higher API version and the
old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
should be OK as we maintain backwards compatibility.

Martin



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
> > older 6.2 clients will break?  but I can't upgrade the clients until after
> > the servers are done... if so that is a huge and ugly looking task that is
> > one way
> 
> No, that's not the problem at all. Enrolled clients will work as 
> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log 
> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still 
> investigating. We'll fix it if needed.
> 
> rob

I just sent a patch for this issue to freeipa-devel list. The problem
was in the TGT forwarding as mentioned earlier in this thread. The
patched client can now join an older IPA server. But ipa command still
won't work properly as its API is higher than the server's.

Martin


> 
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ____
> > From: Rob Crittenden [rcrit...@redhat.com]
> > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > To: Steven Jones
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > Steven Jones wrote:
> >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 
> >> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite 
> >> is down I can't correct this so I tried to add the 6.3beta client to IPA on
> >> 6.2 and I get an error.
> >>
> >> ==
> >> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> >> Discovery was successful!
> >> Hostname: rhel664ws01.ods.vuw.ac.nz
> >> Realm: ODS.VUW.AC.NZ
> >> DNS Domain: ods.vuw.ac.nz
> >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> >>
> >>
> >> Continue to configure the system with these values? [no]: yes
> >> User authorized to enroll computers: admjonesst1
> >> Synchronizing time with KDC...
> >> Unable to sync time with IPA NTP server, assuming the time is in sync.
> >> Password for admjones...@ods.vuw.ac.nz:
> >>
> >> Enrolled in IPA realm ODS.VUW.AC.NZ
> >> Created /etc/ipa/default.conf
> >> Unable to activate the SSH service in SSSD config.
> >> Please make sure you have SSSD built with SSH support installed.
> >> Configure SSH support manually in /etc/sssd/sssd.conf.
> >> Configured /etc/sssd/sssd.conf
> >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> >> Traceback (most recent call last):
> >> File "/usr/sbin/ipa-client-install", line 1534, in
> >>   sys.exit(main())
> >> File "/usr/sbin/ipa-client-install", line 1521, in main
> >>   rval = install(options, env, fstore, statestore)
> >> File "/usr/sbin/ipa-client-install", line 1358, in install
> >>   api.Backend.xmlclient.connect()
> >> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
> >> connect
> >>   conn = self.create_connection(*args, **kw)
> >> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
> >> create_connection
> >>   raise errors.KerberosError(major=str(krberr), minor='')
> >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
> >> credentials/
> >> [root@rhel664ws01 ~]#
> >> ===
> >>
> >> Is this expected when trying to connect 6.3beta? i.e. it's simply not
> >> compatible?
> >>
> >
> > The newer 2.2 client cannot connect to an older 2.1 server because it
> > isn't going to send the TGT that the 2.1 server requires. We should
> > handle this better, I've opened a ticket to track this:
> > https://fedorahosted.org/freeipa/ticket/2697
> >
> > rob
> >
> 


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

So this opens a chicken and egg?

i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older
6.2 clients will break? But I can't upgrade the clients until after the servers
are done... if so that is a huge and ugly looking task that is one way


No, that's not the problem at all. Enrolled clients will work as 
expected. New 6.3 clients can enroll with a 6.3 server. Based on the log 
it looks like a 6.3 client can't enroll with a 6.2 server but I'm still 
investigating. We'll fix it if needed.


rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:

I made a slight oops, I just upgraded a long unused VM on my desktop from
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
down I can't correct this, so I tried to add the 6.3beta client to IPA on 6.2 and
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1534, in
  sys.exit(main())
File "/usr/sbin/ipa-client-install", line 1521, in main
  rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1358, in install
  api.Backend.xmlclient.connect()
File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
connect
  conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
create_connection
  raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?



The newer 2.2 client cannot connect to an older 2.1 server because it
isn't going to send the TGT that the 2.1 server requires. We should
handle this better, I've opened a ticket to track this:
https://fedorahosted.org/freeipa/ticket/2697

rob





Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
> > older 6.2 clients will break? But I can't upgrade the clients until after
> > the servers are done... if so that is a huge and ugly looking task that is
> > one way.
> >
> 
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to: provide a fix for the older clients to be able to
> connect to 2.2 via errata.
> Make sure that the 2.2 client can connect to the 2.1 server.
> 
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it
capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the
servers to the new version first and then upgrade the clients. The issue
here is that the new IPA clients won't be able to use the "ipa" command to
control the old server because they have a higher API version and the
old server would not support it.

The combination of an older IPA client (e.g. 2.1) and a new server (e.g. 2.2)
should be OK as we maintain backwards compatibility.

Martin



Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Dmitri Pal
On 05/01/2012 06:15 PM, Steven Jones wrote:
> So this opens a chicken and egg?
>
> i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
> older 6.2 clients will break? But I can't upgrade the clients until after the
> servers are done... if so that is a huge and ugly looking task that is one
> way.
>

Yes this is a serious problem. Thank you for uncovering it.
Current plan is to: provide a fix for the older clients to be able to
connect to 2.2 via errata.
Make sure that the 2.2 client can connect to the 2.1 server.

Thanks
Dmitri

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> Steven Jones wrote:
>> I made a slight oops, I just upgraded a long unused VM on my desktop from
>> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
>> down I can't correct this, so I tried to add the 6.3beta client to IPA on 6.2
>> and I get an error.
>>
>> ==
>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>> Discovery was successful!
>> Hostname: rhel664ws01.ods.vuw.ac.nz
>> Realm: ODS.VUW.AC.NZ
>> DNS Domain: ods.vuw.ac.nz
>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admjonesst1
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Password for admjones...@ods.vuw.ac.nz:
>>
>> Enrolled in IPA realm ODS.VUW.AC.NZ
>> Created /etc/ipa/default.conf
>> Unable to activate the SSH service in SSSD config.
>> Please make sure you have SSSD built with SSH support installed.
>> Configure SSH support manually in /etc/sssd/sssd.conf.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>> Traceback (most recent call last):
>>File "/usr/sbin/ipa-client-install", line 1534, in
>>  sys.exit(main())
>>File "/usr/sbin/ipa-client-install", line 1521, in main
>>  rval = install(options, env, fstore, statestore)
>>File "/usr/sbin/ipa-client-install", line 1358, in install
>>  api.Backend.xmlclient.connect()
>>File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
>> connect
>>  conn = self.create_connection(*args, **kw)
>>File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
>> create_connection
>>  raise errors.KerberosError(major=str(krberr), minor='')
>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
>> credentials/
>> [root@rhel664ws01 ~]#
>> ===
>>
>> Is this expected when trying to connect 6.3beta? i.e. it's simply not
>> compatible?
>>
> The newer 2.2 client cannot connect to an older 2.1 server because it
> isn't going to send the TGT that the 2.1 server requires. We should
> handle this better, I've opened a ticket to track this:
> https://fedorahosted.org/freeipa/ticket/2697
>
> rob
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Steven Jones
So this opens a chicken and egg?

i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older
6.2 clients will break? But I can't upgrade the clients until after the servers
are done... if so that is a huge and ugly looking task that is one way.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> I made a slight oops, I just upgraded a long unused VM on my desktop from
> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
> down I can't correct this, so I tried to add the 6.3beta client to IPA on 6.2
> and I get an error.
>
> ==
> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjones...@ods.vuw.ac.nz:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>File "/usr/sbin/ipa-client-install", line 1534, in
>  sys.exit(main())
>File "/usr/sbin/ipa-client-install", line 1521, in main
>  rval = install(options, env, fstore, statestore)
>File "/usr/sbin/ipa-client-install", line 1358, in install
>  api.Backend.xmlclient.connect()
>File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
> connect
>  conn = self.create_connection(*args, **kw)
>File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
> create_connection
>  raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
> credentials/
> [root@rhel664ws01 ~]#
> ===
>
> Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?
>

The newer 2.2 client cannot connect to an older 2.1 server because it
isn't going to send the TGT that the 2.1 server requires. We should
handle this better, I've opened a ticket to track this:
https://fedorahosted.org/freeipa/ticket/2697

rob




Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Steven Jones
Error there on my part, it's 1.8 not 1.5. I have another machine that is 1.5.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 2 May 2012 8:52 a.m.
To: Jan Zeleny; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections... as far as I know... but the proof is this machine is a VM
off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and
I manage IPA from the firefox web browser on it... so physically it's the exact
same cable, switches, routers, firewall and VMware hardware... so an issue makes
no sense at that level unless it's an issue with the KVM networking... it's
DHCPing off my cat6 cable so has the same IP address range, so that leaves out
networking I believe.

However I am having issues with some logins on other clients as well now so 
this points to IPA itself or something common I would say.

I've done sosreports under case 627913 for that...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Jan Zeleny [jzel...@redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users@redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the
traceback suggests there is something wrong with connection to your KDC, does
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD
do you have installed?

Thanks
Jan

Steven Jones  wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Tuesday, 1 May
> 2012 2:22 p.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long unused VM on my desktop from
> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite
> is down I can't correct this, so I tried to add the 6.3beta client to IPA on
> 6.2 and I get an error.
>
> ==
> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjones...@ods.vuw.ac.nz:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in 
> sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
> rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
> api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
> connect conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
> create_connection raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos
> credentials/ [root@rhel664ws01 ~]#
> ===
>
> Is this expected when trying to connect 6.3beta? i.e. it's simply not
> compatible?



Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Steven Jones
Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections... as far as I know... but the proof is this machine is a VM
off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and
I manage IPA from the firefox web browser on it... so physically it's the exact
same cable, switches, routers, firewall and VMware hardware... so an issue makes
no sense at that level unless it's an issue with the KVM networking... it's
DHCPing off my cat6 cable so has the same IP address range, so that leaves out
networking I believe.

However I am having issues with some logins on other clients as well now so 
this points to IPA itself or something common I would say.

I've done sosreports under case 627913 for that...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Jan Zeleny [jzel...@redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users@redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the
traceback suggests there is something wrong with connection to your KDC, does
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD
do you have installed?

Thanks
Jan

Steven Jones  wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Tuesday, 1 May
> 2012 2:22 p.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long unused VM on my desktop from
> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite
> is down I can't correct this, so I tried to add the 6.3beta client to IPA on
> 6.2 and I get an error.
>
> ==
> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjones...@ods.vuw.ac.nz:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in 
> sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
> rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
> api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
> connect conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
> create_connection raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos
> credentials/ [root@rhel664ws01 ~]#
> ===
>
> Is this expected when trying to connect 6.3beta? i.e. it's simply not
> compatible?



Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Rob Crittenden

Steven Jones wrote:

I made a slight oops, I just upgraded a long unused VM on my desktop from
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
down I can't correct this, so I tried to add the 6.3beta client to IPA on 6.2 and
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1534, in
 sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1521, in main
 rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1358, in install
 api.Backend.xmlclient.connect()
   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
connect
 conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
create_connection
 raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?



The newer 2.2 client cannot connect to an older 2.1 server because it 
isn't going to send the TGT that the 2.1 server requires. We should 
handle this better, I've opened a ticket to track this: 
https://fedorahosted.org/freeipa/ticket/2697


rob
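A triage helper for transcripts like the one in this thread, as an added example (not part of any post and not FreeIPA code): it parses ipa-client-install output, including mail-quoted and mail-wrapped traceback frames, and separates a Kerberos failure raised in the RPC connect step after a successful enrollment from other failures. The category names and the heuristic are assumptions built on Rob's diagnosis above.

```python
import re

# Abridged from the installer transcript quoted in this thread; the mail
# client's wrapping (function names pushed onto the next line) is kept.
SAMPLE = """\
Discovery was successful!
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos
credentials/
[root@rhel664ws01 ~]#
"""

QUOTE = re.compile(r'^(?:\s*>+)+\s?')   # mail quote markers such as "> >> "
FRAME = re.compile(r'^File "(?P<path>[^"]+)", line (?P<line>\d+), in\s*(?P<func>\S*)$')
EXC = re.compile(r'^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception)):\s*(?P<msg>.*)$')
IDENT = re.compile(r'^[A-Za-z_]\w*$')
PROMPT = re.compile(r'^\[\S+@\S+ [^\]]*\][#$]')
# Installer progress lines seen in the transcript, mapped to short keys.
MILESTONES = (
    ("discovered", "Discovery was successful!"),
    ("enrolled", "Enrolled in IPA realm"),
    ("sssd", "Configured /etc/sssd/sssd.conf"),
    ("krb5", "Configured /etc/krb5.conf"),
)


def parse_transcript(text):
    """Return milestones reached, traceback frames and the final exception."""
    lines = [QUOTE.sub("", raw).strip() for raw in text.splitlines()]
    report = {"milestones": [], "frames": [], "exception": None}
    in_tb = False
    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Traceback (most recent call last)"):
            in_tb = True
        elif not in_tb:
            for key, prefix in MILESTONES:
                if line.startswith(prefix):
                    report["milestones"].append(key)
        elif FRAME.match(line):
            m = FRAME.match(line)
            func = m.group("func")
            # A wrapped frame carries its function name on the next line; a
            # frame whose name the archive dropped is recorded as "?".
            if not func and IDENT.match(nxt):
                func, i = nxt, i + 1
            report["frames"].append((m.group("path"), int(m.group("line")), func or "?"))
        elif EXC.match(line):
            m = EXC.match(line)
            msg = m.group("msg")
            # Re-join a wrapped message up to a blank line or a shell prompt.
            while nxt and not PROMPT.match(nxt):
                msg, i = msg + " " + nxt, i + 1
                nxt = lines[i + 1] if i + 1 < len(lines) else ""
            report["exception"] = (m.group("type"), msg)
            in_tb = False
        i += 1
    return report


def classify(report):
    """Map a parsed transcript to a triage category (heuristic added here)."""
    exc, frames = report["exception"], report["frames"]
    if exc is None:
        return "no-traceback"
    path, _, func = frames[-1] if frames else ("", 0, "")
    in_rpc = path.endswith("ipalib/rpc.py") and func == "create_connection"
    if exc[0].endswith("KerberosError") and in_rpc:
        # Enrollment already authenticated with the enrolling user's password,
        # so compare client and server IPA versions before suspecting the
        # network path to the KDC.
        if "enrolled" in report["milestones"]:
            return "rpc-kerberos-after-enrollment"
        return "rpc-kerberos-before-enrollment"
    return "other-traceback"


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE)
    print(classify(parsed), parsed["frames"][-1], parsed["exception"])
```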



Re: [Freeipa-users] ipa-client install error

2012-04-30 Thread Jan Zeleny
I don't see anything much more useful in the log file. The last line in the 
traceback suggests there is something wrong with connection to your KDC, does 
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD 
do you have installed?

Thanks
Jan

Steven Jones  wrote:
> encl ipa install log
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Tuesday, 1 May
> 2012 2:22 p.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] ipa-client install error
> 
> I made a slight oops, I just upgraded a long unused VM on my desktop from
> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite
> is down I can't correct this, so I tried to add the 6.3beta client to IPA on
> 6.2 and I get an error.
> 
> ==
> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> 
> 
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjones...@ods.vuw.ac.nz:
> 
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in 
> sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
> rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
> api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
> connect conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in
> create_connection raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos
> credentials/ [root@rhel664ws01 ~]#
> ===
> 
> Is this expected when trying to connect 6.3beta? i.e. it's simply not
> compatible?



Re: [Freeipa-users] ipa-client install error

2012-04-30 Thread Steven Jones
encl ipa install log

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 1 May 2012 2:22 p.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-client install error

I made a slight oops, I just upgraded a long unused VM on my desktop from
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
down I can't correct this, so I tried to add the 6.3beta client to IPA on 6.2 and
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in 
sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
create_connection
raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



ipaclient-install.log
Description: ipaclient-install.log

[Freeipa-users] ipa-client install error

2012-04-30 Thread Steven Jones
I made a slight oops, I just upgraded a long unused VM on my desktop from
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
down I can't correct this, so I tried to add the 6.3beta client to IPA on 6.2 and
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz: 

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in 
sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
create_connection
raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
credentials/
[root@rhel664ws01 ~]# 
===

Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



[Freeipa-users] ipa-client-install error during ipa-replica-install

2012-03-25 Thread Marco Pizzoli
Hi guys,
I'm still working with the beta version.
I tried the setup of another replica and this is what I'm getting:

[root@freeipa04 ~]# ipa-replica-install --setup-dns --no-forwarders
/var/lib/ipa/replica-info-freeipa04.unix.mydomain.it.gpg
Directory Manager (existing master) password:

Warning: Hostname (freeipa04.unix.mydomain.it) not found in DNS
Run connection check to master
Check connection from replica to remote master 'freeipa01.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@unix.mydomain.it password:

Execute check on remote master
ad...@freeipa01.unix.mydomain.it's password:
Check connection from master to remote replica 'freeipa04.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
  [25/30]: initializing group membership
  [26/30]: adding master entry
  [27/30]: configuring Posix uid/gid generation
  [28/30]: enabling compatibility plugin
  [29/30]: tuning directory server
  [30/30]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
Using reverse zone 146.168.192.in-addr.arpa.
Configuring named:
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
done configuring named.
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unat

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young

On 11/04/2011 07:07 PM, Dmitri Pal wrote:

On 11/04/2011 04:23 PM, Jimmy wrote:


I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I 
guess the proper fix is to use the SL packages Adam referenced?


Correct.


It looks like Scientific Linux is behind as well:  The packages on 
http://ftp.scientificlinux.org/linux/scientific/  are all 2.0.0


for example

http://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/fastbugs/ipa-client-2.0.0-23.el6_1.1.x86_64.rpm


Not sure how they are doing their naming scheme,  as they have 6/  6.1/  
6x/  and 6rolling  but they all look pretty much the same.





Jimmy


You need a newer ipa-client package. The extended operation we
used for enrollment changed. This was fixed in ipa-client-2.0-9.1
in RHEL 6.0.

rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Dmitri Pal
On 11/04/2011 04:23 PM, Jimmy wrote:
>
> I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I
> guess the proper fix is to use the SL packages Adam referenced?

Correct.

> Jimmy
>
>
> You need a newer ipa-client package. The extended operation we
> used for enrollment changed. This was fixed in ipa-client-2.0-9.1
> in RHEL 6.0.
>
> rob
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess
the proper fix is to use the SL packages Adam referenced?
Jimmy

>
> You need a newer ipa-client package. The extended operation we used for
> enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.
>
> rob
>

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Rob Crittenden

Jimmy wrote:

I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : NEEDED_PREAUTH:
ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
{18}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.102 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
ldap/csp-idm.pdh@pdh.csp



You need a newer ipa-client package. The extended operation we used for 
enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.


rob
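The version question raised in this thread (installed `ipa-client-2.0-9.el6` against the fix quoted as `ipa-client-2.0-9.1`) depends on rpm's segment-wise ordering rather than plain string comparison. The following is an added example, not part of the original messages and not FreeIPA code. It assumes the threshold string exactly as written in the reply above; if the fixed build's real release string carries a dist tag, substitute that string. Epochs and tilde/caret markers are not handled.

```python
import re

def parse_nvra(pkg):
    """Split `rpm -q` output 'name-version-release.arch' into its four parts."""
    name, version, rel_arch = pkg.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch

def vercmp(a, b):
    """Compare two version or release strings the way rpm orders them.

    Returns -1, 0 or 1. Tilde and caret markers are not handled.
    """
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as numbers
        elif x.isdigit():
            return 1                       # a numeric segment beats a letter one
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

THRESHOLD = "2.0-9.1"  # assumption: written exactly as in the reply above

def report(packages, threshold=THRESHOLD):
    """Map each `rpm -q` string to 'older', 'same' or 'newer' than threshold."""
    words = {-1: "older", 0: "same", 1: "newer"}
    out = {}
    for pkg in packages:
        _, version, release, _ = parse_nvra(pkg)
        out[pkg] = words[vr_cmp(f"{version}-{release}", threshold)]
    return out

if __name__ == "__main__":
    # Both package strings appear in this thread.
    print(report(["ipa-client-2.0-9.el6.x86_64",
                  "ipa-client-2.0.0-23.el6_1.1.x86_64"]))
```

Because a letter segment sorts below a numeric one, any release of the form `9.elN...` compares as older than `9.1`, which is why the threshold has to be written in the same form as the packages being checked.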



Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I don't know if I was clear on the issue- the FreeIPA server is running on
Fedora 15, the client is CentOS 6. If your suggestion still applies I will
look into the SL packages.
Thanks- J

On Fri, Nov 4, 2011 at 3:12 PM, Adam Young  wrote:

>  CentOS is far behind RHEL.  Many of the issues you will find have been
> fixed in released versions of IPA.  This one is due, I think, to an earlier
> issue with directory server that has since been upgraded.
>
> You might want to see if the versions shipped with Scientific Linux work
> better for you, but it is going to be quite a few packages.  Aside from
> freeipa*  it will be xmlrpc,  389-ds-base  and DNS dyndb and possibly others.
>
>
>
>
>
>
>
> On 11/04/2011 03:04 PM, Jimmy wrote:
>
> I'm running the ipa-client-install on a CentOS 6 client and get this
> error:
>
>  [root@kudzu ~]# ipa-client-install
> Discovery was successful!
> Realm: PDH.CSP
> DNS Domain: pdh.csp
> IPA Server: csp-idm.pdh.csp
> BaseDN: dc=pdh,dc=csp
>
>  Continue to configure the system with these values? [no]: yes
> Principal: admin
> Password for ad...@pdh.csp:
> Joining realm failed: Operation failed! unsupported extended operation
> child exited with 9
> Certificate subject base is: O=PDH.CSP
>
>  The only logs I see on the server are here:
>
>  Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
> {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for
> krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
> {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18
> ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
>
>
>

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young
CentOS is far behind RHEL.  Many of the issues you will find have been 
fixed in released versions of IPA.  This one is due, I think, to an 
earlier issue with directory server that has since been upgraded.


You might want to see if the versions shipped with Scientific Linux work 
better for you, but it is going to be quite a few packages.  Aside from 
freeipa*  it will be xmlrpc,  389-ds-base  and DNS dyndb and possibly others.







On 11/04/2011 03:04 PM, Jimmy wrote:
I'm running the ipa-client-install on a CentOS 6 client and get this 
error:


[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : 
NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional 
pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes 
{18}) 192.168.201.199 : ISSUE: authtime 
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.102 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
ldap/csp-idm.pdh@pdh.csp





[Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
{18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18
ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
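
The KDC log quoted above can be read mechanically to see how far enrollment got: an `ISSUE` for an `ldap/` service ticket means the Kerberos exchange completed, so the failure lies in the step that follows. The following is an added example, not part of the original post; the sample lines are constructed in the same mail-wrapped format, with placeholder host, realm and principal names.

```python
import re

# Constructed sample in the thread's mail-wrapped format; names are placeholders.
SAMPLE = """\
Nov 04 18:52:55 kdc.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18
17 16 23}) 192.0.2.199: NEEDED_PREAUTH: admin@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 04 18:53:21 kdc.example.test krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/kdc.example.test@EXAMPLE.TEST
"""
LEGACY = {16: "des3-cbc-sha1", 23: "arcfour-hmac"}  # deprecated by RFC 8429
STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
EVENT = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>[\d.]+) ?: "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)")
PARTIES = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Return one dict per AS_REQ/TGS_REQ record; other lines are skipped."""
    events = []
    for rec in unwrap(text):
        m = EVENT.search(rec)
        p = PARTIES.search(m["rest"]) if m else None
        if p:
            events.append({"req": m["req"], "status": m["status"], "ip": m["ip"],
                           "offered": [int(e) for e in m["offered"].split()],
                           "client": p["client"], "service": p["service"]})
    return events

def summarize(text):
    """Which tickets were issued, and which legacy etypes clients offered."""
    events = parse(text)
    issued = [e["service"].split("@")[0] for e in events if e["status"] == "ISSUE"]
    legacy = sorted({LEGACY[n] for e in events for n in e["offered"] if n in LEGACY})
    return {"issued": issued, "legacy_offered": legacy,
            "ldap_ticket": any(s.startswith("ldap/") for s in issued)}
```

`summarize(SAMPLE)` reports the issued `ldap/` ticket and also lists the legacy encryption types (16 and 23) that the client offered in its request, which is worth reviewing separately from the enrollment failure.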