Re: [Freeipa-users] Cannot obtain CA Certificate

2013-03-01 Thread Jan-Frode Myklebust
On Wed, Feb 27, 2013 at 11:52:42AM +0100, Petr Spacek wrote:
> On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
> >
> >I have a similar problem getting a couple of RHEL 6.4 clients working
> >with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
> >ipa-client-install I get:
> >
> > * gss_init_sec_context() failed: : Request is a replay< 
> > WWW-Authenticate: Negotiate
> This is very suspicious. Could you double check time on all servers
> and the client?

The cause of this problem was that the router ACL was dropping the
Kerberos return traffic from the IPA server. We had an opening from the
client to ipa-server port 88/udp, but not from ipa-server 88/udp back to
the client's high port.



  -jf

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Rob Crittenden

Petr Spacek wrote:

On 27.2.2013 11:34, Jan-Frode Myklebust wrote:

On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:



< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not
found in Kerberos database< WWW-Authenticate: Negotiate


I have a similar problem getting a couple of RHEL 6.4 clients working
with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
ipa-client-install I get:

* gss_init_sec_context() failed: : Request is a replay<
WWW-Authenticate: Negotiate

This is very suspicious. Could you double check time on all servers and
the client?


I have a ticket opened with RH-support for this (00796525), so I hope
to get it fixed that way soonish.. but -- one strange thing about my
problem is that I can't even get sssd working if I do a manual
enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
ipa-getkeytab on the ipa-server, transferred the keytab, but still
sssd fails to work. To get sssd working on this machine I had to
configure an LDAP backend against the ipa-servers, without
"ldap_sasl_mech=GSSAPI".

Is there a simple way to verify that the host's keytab is OK?
"klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
like to test it against the ipa-server.


You can do kinit as host principal:

$ klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 10/17/12 15:22:19 host/host.example@example.com

$ kinit -kt /etc/krb5.keytab host/host.example@example.com

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/host.example@example.com

Valid starting     Expires            Service principal
02/27/13 11:45:02  02/28/13 11:45:02  krbtgt/example@example.com



You can use kvno to see what the KDC thinks the version number should
be, to compare to what is in the keytab.


rob
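A small script that automates Rob's comparison, as an added example (not from the thread or from FreeIPA): it parses `klist -kt` and `kvno` output and reports, per principal, whether the key version the KDC currently issues is present in the keytab. The sample outputs are constructed (keytab at kvno 2, KDC already at 3, i.e. a stale keytab); the `check_live_keytab` helper assumes the MIT krb5 client tools are installed.

```python
import re
import subprocess

# Constructed sample of `klist -kt /etc/krb5.keytab` output, modelled on the
# listing in the thread (one principal, key version 2, two enctype rows).
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 10/17/12 15:22:19 host/host.example@example.com
   2 10/17/12 15:22:19 host/host.example@example.com
"""

# Constructed sample of `kvno host/host.example@example.com` output, showing the
# failure mode: the KDC already issues tickets with key version 3, so the keytab
# above is stale and kinit -kt / GSSAPI binds with it will fail.
KVNO_SAMPLE = "host/host.example@example.com: kvno = 3\n"

# klist -kt rows look like: "   2 10/17/12 15:22:19 host/host.example@example.com"
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s*$")
# kvno rows look like: "host/host.example@example.com: kvno = 2"
KVNO_ROW_RE = re.compile(r"^(?P<principal>\S+): kvno = (?P<kvno>\d+)\s*$")


def keytab_kvnos(klist_output):
    """Return {principal: set of key versions} parsed from klist -kt output.

    A keytab usually holds several rows per principal (one per enctype, and
    possibly older key versions), so all versions seen are collected.
    """
    versions = {}
    for line in klist_output.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            versions.setdefault(m.group("principal"), set()).add(int(m.group("kvno")))
    return versions


def kdc_kvnos(kvno_output):
    """Return {principal: key version} parsed from kvno output.

    kvno asks the KDC for a service ticket, so the version it prints is the
    key version the KDC currently uses for that principal.
    """
    versions = {}
    for line in kvno_output.splitlines():
        m = KVNO_ROW_RE.match(line)
        if m:
            versions[m.group("principal")] = int(m.group("kvno"))
    return versions


def compare_kvnos(klist_output, kvno_output):
    """Return {principal: (sorted keytab versions, KDC version, ok)}.

    ok is True only when the KDC's current key version is present in the keytab;
    otherwise the keytab is stale (re-run ipa-getkeytab) or never matched.
    """
    keytab = keytab_kvnos(klist_output)
    kdc = kdc_kvnos(kvno_output)
    report = {}
    for principal, kt_versions in keytab.items():
        kdc_version = kdc.get(principal)
        ok = kdc_version is not None and kdc_version in kt_versions
        report[principal] = (sorted(kt_versions), kdc_version, ok)
    return report


def check_live_keytab(keytab="/etc/krb5.keytab"):
    """Run the check against a real keytab: kinit as each principal, then kvno it.

    Assumes the MIT krb5 tools (klist, kinit, kvno) and network access to the
    KDC; not exercised by the offline sample above.
    """
    klist_out = subprocess.check_output(["klist", "-kt", keytab], text=True)
    kvno_out = ""
    for principal in keytab_kvnos(klist_out):
        # kinit -kt proves the keytab key is usable against the KDC at all.
        subprocess.check_call(["kinit", "-kt", keytab, principal])
        kvno_out += subprocess.check_output(["kvno", principal], text=True)
    return compare_kvnos(klist_out, kvno_out)


if __name__ == "__main__":
    for principal, (kt, kdc, ok) in compare_kvnos(KLIST_SAMPLE, KVNO_SAMPLE).items():
        status = "OK" if ok else "MISMATCH"
        print("%s: keytab kvno %s, KDC kvno %s -> %s" % (principal, kt, kdc, status))
```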



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Petr Spacek

On 27.2.2013 11:34, Jan-Frode Myklebust wrote:

On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:



< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found in 
Kerberos database< WWW-Authenticate: Negotiate


I have a similar problem getting a couple of RHEL 6.4 clients working
with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
ipa-client-install I get:

* gss_init_sec_context() failed: : Request is a replay< 
WWW-Authenticate: Negotiate
This is very suspicious. Could you double check time on all servers and the 
client?



I have a ticket opened with RH-support for this (00796525), so I hope
to get it fixed that way soonish.. but -- one strange thing about my
problem is that I can't even get sssd working if I do a manual
enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
ipa-getkeytab on the ipa-server, transferred the keytab, but still
sssd fails to work. To get sssd working on this machine I had to
configure an LDAP backend against the ipa-servers, without
"ldap_sasl_mech=GSSAPI".

Is there a simple way to verify that the host's keytab is OK?
"klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
like to test it against the ipa-server.


You can do kinit as host principal:

$ klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 10/17/12 15:22:19 host/host.example@example.com

$ kinit -kt /etc/krb5.keytab host/host.example@example.com

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/host.example@example.com

Valid starting     Expires            Service principal
02/27/13 11:45:02  02/28/13 11:45:02  krbtgt/example@example.com

--
Petr^2 Spacek



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Jan-Frode Myklebust
On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:
> >
> >
> >< HTTP/1.1 401 Authorization Required
> >< Date: Tue, 26 Feb 2013 16:54:21 GMT
> >< Server: Apache/2.2.15 (CentOS)
> >* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found 
> >in Kerberos database< WWW-Authenticate: Negotiate

I have a similar problem getting a couple of RHEL 6.4 clients working
with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
ipa-client-install I get:

* gss_init_sec_context() failed: : Request is a replay< 
WWW-Authenticate: Negotiate

I have a ticket opened with RH-support for this (00796525), so I hope
to get it fixed that way soonish.. but -- one strange thing about my
problem is that I can't even get sssd working if I do a manual
enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
ipa-getkeytab on the ipa-server, transferred the keytab, but still 
sssd fails to work. To get sssd working on this machine I had to 
configure an LDAP backend against the ipa-servers, without
"ldap_sasl_mech=GSSAPI".

Is there a simple way to verify that the host's keytab is OK?
"klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
like to test it against the ipa-server.



  -jf



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Petr Spacek

On 26.2.2013 17:55, John Moyer wrote:

Sorry for the late response, so I tried this, and it changed the error to the 
following:

Synchronizing time with KDC...

Joining realm failed: HTTP response code is 401, not 200
Installation failed. Rolling back changes.



Looking at debug this is what I see:

< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found in 
Kerberos database< WWW-Authenticate: Negotiate


krbtgt/c...@example.com is definitely not correct. It should look like
"krbtgt/example@example.com". I would recommend double-checking name
resolution.


Are all records in /etc/hosts correct?

Does /etc/resolv.conf point to the IPA server?

Do forward (A) and reverse (PTR) records match for client and also IPA servers?

Does dig -t TXT _kerberos.example.com return correct REALM?

Do all domain and realm names in /etc/krb5.conf point to correct IPA domain?

You can run ipa-client-install with the KRB5_TRACE environment variable set. It
could produce some useful output. E.g.:


$ KRB5_TRACE=/tmp/kerberos_trace.log ipa-client-install <.. blah blah..>

This should log actions done by Kerberos libraries to file 
/tmp/kerberos_trace.log.


Also, "tcpdump -s 65535 -w /tmp/tcpdump -i any" could provide some clue.

You can send both files to me privately if you don't want to send them to the
mailing list.


Petr^2 Spacek


< Last-Modified: Wed, 23 Jan 2013 22:16:50 GMT
< ETag: "4627-740-4d3fc0cfd7880"
< Accept-Ranges: bytes
< Content-Length: 1856
< Connection: close
< Content-Type: text/html; charset=UTF-8




On Feb 19, 2013, at 6:35 AM, Jan-Frode Myklebust  wrote:


ipa : ERROR    Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


FYI, I have this same issue when enrolling RHEL5 clients. Have been
doing this as a workaround:

wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt



  -jf

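One way to turn Petr's checklist into a quick log triage, as an added example that is not from the thread or from the FreeIPA project: it pulls the "not found in Kerberos database" principal out of the ipa-client-install log, checks that it has the krbtgt/REALM@REALM shape, and maps the other two errors seen in this thread to the causes identified here. The sample log lines are constructed from the sanitized output quoted above; the expected realm EXAMPLE.COM is an assumption.

```python
import re

# Logged by ipa-client-install (and by the GSSAPI layer under it) when the KDC
# does not know the service principal the client asked for.
NOT_FOUND_RE = re.compile(r"Server (?P<principal>\S+) not found in Kerberos database")
# service[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")

# Constructed sample, built from the sanitized log lines quoted in this thread.
SAMPLE_LOG = [
    "2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind@EXAMPLE.COM",
    "2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): "
    "generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide "
    "more information (Server krbtgt/c...@example.com not found in Kerberos database)",
    "2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate",
    "* gss_init_sec_context() failed: : Request is a replay",
]


def parse_principal(principal):
    """Split 'service/instance@REALM' into (service, instance, realm); instance may be None."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("not a Kerberos principal: %r" % principal)
    return m.group("service"), m.group("instance"), m.group("realm")


def check_tgs_principal(principal, expected_realm):
    """Return a list of problems with a krbtgt principal taken from the error.

    A ticket-granting service principal has the form krbtgt/REALM@REALM. If the
    instance part is anything else (krbtgt/c...@example.com in the thread), the
    client's Kerberos library derived the wrong realm for the server host, which
    points at name resolution (A/PTR, _kerberos TXT) or the realm mapping in
    /etc/krb5.conf rather than at the KDC itself.
    """
    service, instance, realm = parse_principal(principal)
    problems = []
    if service != "krbtgt":
        return problems  # only TGS principals are checked here
    if instance != realm:
        problems.append("krbtgt instance %r does not match realm %r; expected krbtgt/%s@%s"
                        % (instance, realm, realm, realm))
    if realm.upper() != expected_realm.upper():
        problems.append("realm %r is not the expected realm %r" % (realm, expected_realm))
    return problems


def triage(lines, expected_realm):
    """Map the error strings seen in this thread to the causes identified in it.

    Returns a list of (kind, detail) findings, in log order.
    """
    findings = []
    for line in lines:
        m = NOT_FOUND_RE.search(line)
        if m:
            for problem in check_tgs_principal(m.group("principal"), expected_realm):
                findings.append(("krbtgt-mismatch", problem))
        elif "Request is a replay" in line:
            findings.append(("replay", "check clock skew against the KDC, and that the "
                             "KDC's UDP/88 replies can reach the client's high port"))
        elif "Cannot obtain CA certificate" in line:
            findings.append(("ca-cert", "the GSSAPI LDAP bind used to fetch the CA cert "
                             "failed; an earlier Kerberos error in the log is the cause"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG, "EXAMPLE.COM"):
        print("%-16s %s" % (kind, detail))
```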



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-26 Thread John Moyer
Sorry for the late response, so I tried this, and it changed the error to the 
following: 

Synchronizing time with KDC...

Joining realm failed: HTTP response code is 401, not 200
Installation failed. Rolling back changes.



Looking at debug this is what I see: 

< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found in 
Kerberos database< WWW-Authenticate: Negotiate
< Last-Modified: Wed, 23 Jan 2013 22:16:50 GMT
< ETag: "4627-740-4d3fc0cfd7880"
< Accept-Ranges: bytes
< Content-Length: 1856
< Connection: close
< Content-Type: text/html; charset=UTF-8





Thanks, 
_
John Moyer




On Feb 19, 2013, at 6:35 AM, Jan-Frode Myklebust  wrote:

>> ipa : ERROR    Cannot obtain CA certificate
>> 'ldap://ipa1.example.com' doesn't have a certificate.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
> 
> FYI, I have this same issue when enrolling RHEL5 clients. Have been
> doing this as a workaround:
> 
>   wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
>   ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt
> 
> 
> 
>  -jf




Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-19 Thread Jan-Frode Myklebust
> ipa : ERROR    Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.

FYI, I have this same issue when enrolling RHEL5 clients. Have been
doing this as a workaround:

wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt



  -jf



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread John Dennis

On 02/18/2013 09:06 PM, John Moyer wrote:

Peter,

The client is pointing to DNS for the server.   Here is the log info
from the ipa-client-log (in /var/log/).  I haven't tried the other stuff
yet, I'll respond back when I get a chance to check out the CA cert things.


2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com


When the client installer tries to retrieve the CA cert from LDAP it
uses a GSSAPI bind, and the error you're getting is that it cannot
perform a bind with the credentials from above.


Did you provide the password for ipa-bind? Are you running the client 
install interactively?


Is the realm EXAMPLE.COM really correct?

Are you able to do a kinit for ipa-b...@example.com on the client 
successfully?


Are your kerberos ports open?




--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Steven Jones
What's AWS?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 19 February 2013 3:35 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cannot obtain CA Certificate

On 02/18/2013 09:06 PM, John Moyer wrote:
Peter,

The client is pointing to DNS for the server.   Here is the log info from the 
ipa-client-log (in /var/log/).  I haven't tried the other stuff yet, I'll 
respond back when I get a chance to check out the CA cert things.


2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com
2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-b...@example.com:

2013-02-19T02:01:37Z DEBUG stderr=
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from 
ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): 
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
more information (Server krbtgt/c...@example.com not found in Kerberos database)
2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Server 
krbtgt/c...@example.com not found in Kerberos database)', 'desc': 'Local error'}
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
2013-02-19T02:01:37Z DEBUG args=kdestroy
2013-02-19T02:01:37Z DEBUG stdout=
2013-02-19T02:01:37Z DEBUG stderr=


Can the server resolve the client in the same way as the client resolves itself?
In AWS it might be an issue because it changes system names dynamically, and 
thus your client host, when restarted, might have a different name or not be 
resolvable by the server.
The fact that AWS changes names under you makes IPA not usable in an AWS 
environment.
https://fedorahosted.org/freeipa/ticket/2715



Thanks,
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com

On Feb 18, 2013, at 8:42 PM, Peter Brown <rendhal...@gmail.com> wrote:

On 19 February 2013 11:03, John Moyer <john.mo...@digitalreasoning.com> wrote:
Peter,

Thanks for the response, I just checked out my security group settings, I did 
have some ports blocked, however, allowing them did not help.   I installed 
nmap on the client and did a port scan of the server and got the following:

PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

There are a couple of UDP ports that need to be open as well,
464 and 88 from memory.

They shouldn't affect your ability to download the ca cert.

Have you checked the ipa-client log file?
I can't remember where that gets saved right now but it should mention the 
location when you run the ipa-client command.



I tried to enroll again and got the same error as seen here:


Synchronizing time with KDC...

ipa : ERROR    Cannot obtain CA certificate



Thanks,
_
John Moyer


On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhal...@gmail.com> wrote:

Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
It turned out to be that port 80 wasn't open on the freeipa server.
I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your dns zone makes 
setting up clients a lot simpler.



On 19 February 2013 00:58, John Moyer <john.mo...@digitalreasoning.com> wrote:
Hello all,

I am having an issue using IPA 2.2.0.   I am trying to put together a proof of 
concept set of systems.  I've stood up 2 servers on AWS.   One is the server 
one is the client.   I am using CentOS 6 to do all this testing on, with the 
default IPA packages provided from CentOS.   I had a fully operational proof of 
concept finished fully scripted to be built without issues.   I shutdown and 
started these as needed to show to people to get approval for the project.   
The other day the client stopped enrolling to the IPA server, I have no idea 
why I assume a patch pushed out broke something since it is a fully scripted 
install. It does get the most recent patches each time I stand it up so it 
defini

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Peter Brown
On 19 February 2013 12:44, Peter Brown  wrote:

>
>
>
> On 19 February 2013 12:06, John Moyer wrote:
>
>> Peter,
>>
>>  The client is pointing to DNS for the server.   Here is the log info
>> from the ipa-client-log (in /var/log/).  I haven't tried the other stuff
>> yet, I'll respond back when I get a chance to check out the CA cert things.
>>
>>
>> 2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com
>> 2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-b...@example.com:
>>
>> 2013-02-19T02:01:37Z DEBUG stderr=
>> 2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from
>> ldap://ipa1.example.com
>> 2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error
>> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
>> code may provide more information (Server krbtgt/c...@example.com not
>> found in Kerberos database)
>> 2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI
>> Error: Unspecified GSS failure.  Minor code may provide more information
>> (Server krbtgt/c...@example.com not found in Kerberos database)', 'desc':
>> 'Local error'}
>> 2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
>> 'ldap://ipa1.example.com' doesn't have a certificate.
>> 2013-02-19T02:01:37Z DEBUG args=kdestroy
>> 2013-02-19T02:01:37Z DEBUG stdout=
>> 2013-02-19T02:01:37Z DEBUG stderr=
>>
>
>  I would hazard a guess you need those UDP ports open on the firewall for
> your FreeIPA server.
> The two I mentioned are Kerberos ports.
> You will likely need UDP port 389 open as well for talking to the
> directory server where it is attempting to get the cert from.
>


I just had another thought.
If you have outgoing port restrictions on your AWS instances you will need
to allow them to connect to all the ports freeipa needs.


>
>>
>> Thanks,
>> _
>> John Moyer
>> Director, IT Operations
>> *Digital Reasoning Systems, Inc.*
>> john.mo...@digitalreasoning.com 
>> Office: 703.678.2311
>> Mobile: 240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>>
>> On Feb 18, 2013, at 8:42 PM, Peter Brown  wrote:
>>
>> On 19 February 2013 11:03, John Moyer wrote:
>>
>>> Peter,
>>>
>>>  Thanks for the response, I just checked out my security group
>>> settings, I did have some ports blocked, however, allowing them did not
>>> help.   I installed nmap on the client and did a port scan of the server
>>> and got the following:
>>>
>>> PORT    STATE SERVICE
>>> 22/tcp  open  ssh
>>> 53/tcp  open  domain
>>> 80/tcp  open  http
>>> 88/tcp  open  kerberos-sec
>>> 389/tcp open  ldap
>>> 443/tcp open  https
>>> 464/tcp open  kpasswd5
>>> 636/tcp open  ldapssl
>>> 749/tcp open  kerberos-adm
>>>
>>
>> There are a couple of UDP ports that need to be open as well,
>> 464 and 88 from memory.
>>
>> They shouldn't affect your ability to download the ca cert.
>>
>> Have you checked the ipa-client log file?
>> I can't remember where that gets saved right now but it should mention
>> the location when you run the ipa-client command.
>>
>>
>>
>>> I tried to enroll again and got the same error as seen here:
>>>
>>>
>>> Synchronizing time with KDC...
>>>
>>> ipa : ERROR    Cannot obtain CA certificate
>>>
>>>
>>>
>>> Thanks,
>>> _
>>> John Moyer
>>>
>>>
>>> On Feb 18, 2013, at 7:24 PM, Peter Brown  wrote:
>>>
>>> Hi John,
>>>
>>> I ran into a similar issue with setting up a 2.2 client with a 3.1
>>> server.
>>> It turned out to be that port 80 wasn't open on the freeipa server.
>>> I would check your ports and see if the right ones are open.
>>> I also find that setting up the SRV and TXT records in your dns zone
>>> makes setting up clients a lot simpler.
>>>
>>>
>>>
>>> On 19 February 2013 00:58, John Moyer 
>>> wrote:
>>>
 Hello all,

 I am having an issue using IPA 2.2.0.   I am trying to put together a
 proof of concept set of systems.  I've stood up 2 servers on AWS.   One is
 the server one is the client.   I am using CentOS 6 to do all this testing
 on, with the default IPA packages provided from CentOS.   I had a fully
 operational proof of concept finished fully scripted to be built without
 issues.   I shutdown and started these as needed to show to people to get
 approval for the project.   The other day the client stopped enrolling to
 the IPA server, I have no idea why I assume a patch pushed out broke
 something since it is a fully scripted install. It does get the most recent
 patches each time I stand it up so it definitely would pull any new patches
 that came out.

 After investigating I am getting this error when I try to manually
 enroll the client.  I haven't been able to find any reference to this error
 anywhere on the net.  Any help would be greatly appreciated!  Let me know
 if any additional details are needed.


 PLEASE NOTE:  Everything below has been sanitized


Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Peter Brown
On 19 February 2013 12:06, John Moyer wrote:

> Peter,
>
> The client is pointing to DNS for the server.   Here is the log info from
> the ipa-client-log (in /var/log/).  I haven't tried the other stuff yet,
> I'll respond back when I get a chance to check out the CA cert things.
>
>
> 2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com
> 2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-b...@example.com:
>
> 2013-02-19T02:01:37Z DEBUG stderr=
> 2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://ipa1.example.com
> 2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error
> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
> code may provide more information (Server krbtgt/c...@example.com not
> found in Kerberos database)
> 2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure.  Minor code may provide more information
> (Server krbtgt/c...@example.com not found in Kerberos database)', 'desc':
> 'Local error'}
> 2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> 2013-02-19T02:01:37Z DEBUG args=kdestroy
> 2013-02-19T02:01:37Z DEBUG stdout=
> 2013-02-19T02:01:37Z DEBUG stderr=
>

 I would hazard a guess you need those UDP ports open on the firewall for
your FreeIPA server.
The two I mentioned are Kerberos ports.
You will likely need UDP port 389 open as well for talking to the directory
server where it is attempting to get the cert from.


>
> Thanks,
> _
> John Moyer
> Director, IT Operations
> *Digital Reasoning Systems, Inc.*
> john.mo...@digitalreasoning.com 
> Office: 703.678.2311
> Mobile: 240.460.0023
> Fax: 703.678.2312
> www.digitalreasoning.com
>
> On Feb 18, 2013, at 8:42 PM, Peter Brown  wrote:
>
> On 19 February 2013 11:03, John Moyer wrote:
>
>> Peter,
>>
>> Thanks for the response, I just checked out my security group settings, I
>> did have some ports blocked, however, allowing them did not help.   I
>> installed nmap on the client and did a port scan of the server and got the
>> following:
>>
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 53/tcp  open  domain
>> 80/tcp  open  http
>> 88/tcp  open  kerberos-sec
>> 389/tcp open  ldap
>> 443/tcp open  https
>> 464/tcp open  kpasswd5
>> 636/tcp open  ldapssl
>> 749/tcp open  kerberos-adm
>>
>
> There are a couple of UDP ports that need to be open as well,
> 464 and 88 from memory.
>
> They shouldn't affect your ability to download the ca cert.
>
> Have you checked the ipa-client log file?
> I can't remember where that gets saved right now but it should mention the
> location when you run the ipa-client command.
>
>
>
>> I tried to enroll again and got the same error as seen here:
>>
>>
>> Synchronizing time with KDC...
>>
>> ipa : ERROR    Cannot obtain CA certificate
>>
>>
>>
>> Thanks,
>> _
>> John Moyer
>>
>>
>> On Feb 18, 2013, at 7:24 PM, Peter Brown  wrote:
>>
>> Hi John,
>>
>> I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
>> It turned out to be that port 80 wasn't open on the freeipa server.
>> I would check your ports and see if the right ones are open.
>> I also find that setting up the SRV and TXT records in your dns zone
>> makes setting up clients a lot simpler.
>>
>>
>>
>> On 19 February 2013 00:58, John Moyer wrote:
>>
>>> Hello all,
>>>
>>> I am having an issue using IPA 2.2.0.   I am trying to put together a
>>> proof of concept set of systems.  I've stood up 2 servers on AWS.   One is
>>> the server one is the client.   I am using CentOS 6 to do all this testing
>>> on, with the default IPA packages provided from CentOS.   I had a fully
>>> operational proof of concept finished fully scripted to be built without
>>> issues.   I shutdown and started these as needed to show to people to get
>>> approval for the project.   The other day the client stopped enrolling to
>>> the IPA server, I have no idea why I assume a patch pushed out broke
>>> something since it is a fully scripted install. It does get the most recent
>>> patches each time I stand it up so it definitely would pull any new patches
>>> that came out.
>>>
>>> After investigating I am getting this error when I try to manually
>>> enroll the client.  I haven't been able to find any reference to this error
>>> anywhere on the net.  Any help would be greatly appreciated!  Let me know
>>> if any additional details are needed.
>>>
>>>
>>> PLEASE NOTE:  Everything below has been sanitized
>>>
>>>
>>> [root@client ~]# ipa-client-install --domain=example.com --server=
>>> ipa1.example.com --realm=EXAMPLE.COM --configure-ssh 
>>> --configure-sshd -p ipa-bind -w "blah" -U
>>> DNS domain 'example.com' is not configured for automatic KDC address
>>> lookup.
>>> KDC address will be set to fixed value.
>>>
>>> Discovery was successful!
>>> Hostn

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Dmitri Pal
On 02/18/2013 09:06 PM, John Moyer wrote:
> Peter, 
>
> The client is pointing to DNS for the server.   Here is the log info
> from the ipa-client-log (in /var/log/).  I haven't tried the other
> stuff yet, I'll respond back when I get a chance to check out the CA
> cert things. 
>
>
> 2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com
> 2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-b...@example.com:
>
> 2013-02-19T02:01:37Z DEBUG stderr=
> 2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://ipa1.example.com
> 2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error
> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>  Minor code may provide more information (Server
> krbtgt/c...@example.com  not found in
> Kerberos database)
> 2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure.  Minor code may provide more
> information (Server krbtgt/c...@example.com
>  not found in Kerberos database)',
> 'desc': 'Local error'}
> 2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
> 'ldap://ipa1.example.com'  doesn't have a
> certificate.
> 2013-02-19T02:01:37Z DEBUG args=kdestroy
> 2013-02-19T02:01:37Z DEBUG stdout=
> 2013-02-19T02:01:37Z DEBUG stderr=


Can the server resolve the client in the same way as the client resolves itself?
In AWS it might be an issue because it changes system names dynamically,
and thus your client host, when restarted, might have a different name or
not be resolvable by the server.
The fact that AWS changes names under you makes IPA not usable in an AWS
environment.
https://fedorahosted.org/freeipa/ticket/2715

>
>
> Thanks, 
> _
> John Moyer
> Director, IT Operations
> *Digital Reasoning Systems, Inc.*
> john.mo...@digitalreasoning.com 
> Office:703.678.2311
> Mobile:240.460.0023
> Fax:703.678.2312
> www.digitalreasoning.com 
>
> On Feb 18, 2013, at 8:42 PM, Peter Brown wrote:
>
>> On 19 February 2013 11:03, John Moyer wrote:
>>
>> Peter, 
>>
>> Thanks for the response, I just checked out my security group
>> settings, I did have some ports blocked, however, allowing them
>> did not help.   I installed nmap on the client and did a port
>> scan of the server and got the following:
>>
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 53/tcp  open  domain
>> 80/tcp  open  http
>> 88/tcp  open  kerberos-sec
>> 389/tcp open  ldap
>> 443/tcp open  https
>> 464/tcp open  kpasswd5
>> 636/tcp open  ldapssl
>> 749/tcp open  kerberos-adm
>>
>>
>> There are a couple of UDP ports that need to be open as well,
>> 464 and 88 from memory.
>>
>> They shouldn't affect your ability to download the ca cert.
>>
>> Have you checked the ipa-client log file?
>> I can't remember where that gets saved right now but it should
>> mention the location when you run the ipa-client command.
>>
>>
>>
>> I tried to enroll again and got the same error as seen here: 
>>
>>
>> Synchronizing time with KDC...
>>
>> ipa : ERROR    Cannot obtain CA certificate
>>
>>
>>
>> Thanks, 
>> _
>> John Moyer
>>
>>
>> On Feb 18, 2013, at 7:24 PM, Peter Brown wrote:
>>
>>> Hi John,
>>>
>>> I ran into a similar issue with setting up a 2.2 client with a
>>> 3.1 server.
>>> It turned out to be that port 80 wasn't open on the freeipa server.
>>> I would check your ports and see if the right ones are open.
>>> I also find that setting up the SRV and TXT records in your dns
>>> zone makes setting up clients a lot simpler.
>>>
>>>
>>>
>>> On 19 February 2013 00:58, John Moyer wrote:
>>>
>>> Hello all, 
>>>
>>> I am having an issue using IPA 2.2.0.   I am trying to put
>>> together a proof of concept set of systems.  I've stood up 2
>>> servers on AWS.   One is the server one is the client.   I
>>> am using CentOS 6 to do all this testing on, with the
>>> default IPA packages provided from CentOS.   I had a fully
>>> operational proof of concept finished fully scripted to be
>>> built without issues.   I shutdown and started these as
>>> needed to show to people to get approval for the project.  
>>> The other day the client stopped enrolling to the IPA
>>> server, I have no idea why I assume a patch pushed out broke
>>> something since it is a fully scripted install. It does get
>>> the most recent patches each time

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread John Moyer
Peter, 

The client is pointing to DNS for the server.   Here is the log info 
from the ipa-client-log (in /var/log/).  I haven't tried the other stuff yet, 
I'll respond back when I get a chance to check out the CA cert things. 


2013-02-19T02:01:37Z DEBUG args=kinit ipa-b...@example.com
2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-b...@example.com: 

2013-02-19T02:01:37Z DEBUG stderr=
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from 
ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): 
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
more information (Server krbtgt/c...@example.com not found in Kerberos database)
2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Server 
krbtgt/c...@example.com not found in Kerberos database)', 'desc': 'Local error'}
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
2013-02-19T02:01:37Z DEBUG args=kdestroy
2013-02-19T02:01:37Z DEBUG stdout=
2013-02-19T02:01:37Z DEBUG stderr=


Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Feb 18, 2013, at 8:42 PM, Peter Brown wrote:

> On 19 February 2013 11:03, John Moyer wrote:
> Peter, 
> 
>   Thanks for the response, I just checked out my security group settings,
> I did have some ports blocked, however, allowing them did not help.   I
> installed nmap on the client and did a port scan of the server and got the
> following:
> 
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 53/tcp  open  domain
> 80/tcp  open  http
> 88/tcp  open  kerberos-sec
> 389/tcp open  ldap
> 443/tcp open  https
> 464/tcp open  kpasswd5
> 636/tcp open  ldapssl
> 749/tcp open  kerberos-adm
> 
> There are a couple of UDP ports that need to be open as well,
> 464 and 88 from memory.
> 
> They shouldn't affect your ability to download the ca cert.
> 
> Have you checked the ipa-client log file?
> I can't remember where that gets saved right now but it should mention the 
> location when you run the ipa-client command.
> 
> 
> 
> I tried to enroll again and got the same error as seen here: 
> 
> 
> Synchronizing time with KDC...
> 
> ipa : ERROR    Cannot obtain CA certificate
> 
> 
> 
> Thanks, 
> _
> John Moyer
> 
> 
> On Feb 18, 2013, at 7:24 PM, Peter Brown wrote:
> 
>> Hi John,
>> 
>> I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
>> It turned out to be that port 80 wasn't open on the freeipa server.
>> I would check your ports and see if the right ones are open.
>> I also find that setting up the SRV and TXT records in your dns zone makes 
>> setting up clients a lot simpler.
>> 
>> 
>> 
>> On 19 February 2013 00:58, John Moyer wrote:
>> Hello all, 
>> 
>>  I am having an issue using IPA 2.2.0.   I am trying to put together a 
>> proof of concept set of systems.  I've stood up 2 servers on AWS.   One is 
>> the server one is the client.   I am using CentOS 6 to do all this testing 
>> on, with the default IPA packages provided from CentOS.   I had a fully 
>> operational proof of concept finished fully scripted to be built without 
>> issues.   I shutdown and started these as needed to show to people to get 
>> approval for the project.   The other day the client stopped enrolling to 
>> the IPA server, I have no idea why I assume a patch pushed out broke 
>> something since it is a fully scripted install. It does get the most recent 
>> patches each time I stand it up so it definitely would pull any new patches 
>> that came out. 
>> 
>>  After investigating I am getting this error when I try to manually 
>> enroll the client.  I haven't been able to find any reference to this error 
>> anywhere on the net.  Any help would be greatly appreciated!  Let me know if 
>> any additional details are needed. 
>> 
>> 
>> PLEASE NOTE:  Everything below has been sanitized 
>> 
>> 
>> [root@client ~]# ipa-client-install --domain=example.com 
>> --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh 
>> --configure-sshd -p ipa-bind -w "blah" -U
>> DNS domain 'example.com' is not configured for automatic KDC address lookup.
>> KDC address will be set to fixed value.
>> 
>> Discovery was successful!
>> Hostname: client.ec2.internal
>> Realm: EXAMPLE.COM
>> DNS Domain: digitalreasoning.com
>> IPA Server: ipa1.example.com
>> BaseDN: dc=example,dc=com
>> 
>> 
>> Synchronizing time with KDC...
>> 
>> ipa : ERROR    Cannot obtain CA certificate
>> 'ldap://ipa1.example.com' doesn't have a certificate.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on t

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Peter Brown
On 19 February 2013 11:03, John Moyer wrote:

> Peter,
>
> Thanks for the response, I just checked out my security group settings, I
> did have some ports blocked, however, allowing them did not help.   I
> installed nmap on the client and did a port scan of the server and got the
> following:
>
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 53/tcp  open  domain
> 80/tcp  open  http
> 88/tcp  open  kerberos-sec
> 389/tcp open  ldap
> 443/tcp open  https
> 464/tcp open  kpasswd5
> 636/tcp open  ldapssl
> 749/tcp open  kerberos-adm
>

There are a couple of UDP ports that need to be open as well,
464 and 88 from memory.

They shouldn't affect your ability to download the ca cert.

Have you checked the ipa-client log file?
I can't remember where that gets saved right now but it should mention the
location when you run the ipa-client command.



> I tried to enroll again and got the same error as seen here:
>
>
> Synchronizing time with KDC...
>
> ipa : ERROR    Cannot obtain CA certificate
>
>
>
> Thanks,
> _
> John Moyer
>
>
> On Feb 18, 2013, at 7:24 PM, Peter Brown wrote:
>
> Hi John,
>
> I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
> It turned out to be that port 80 wasn't open on the freeipa server.
> I would check your ports and see if the right ones are open.
> I also find that setting up the SRV and TXT records in your dns zone makes
> setting up clients a lot simpler.
>
>
>
> On 19 February 2013 00:58, John Moyer wrote:
>
>> Hello all,
>>
>> I am having an issue using IPA 2.2.0.   I am trying to put together a
>> proof of concept set of systems.  I've stood up 2 servers on AWS.   One is
>> the server one is the client.   I am using CentOS 6 to do all this testing
>> on, with the default IPA packages provided from CentOS.   I had a fully
>> operational proof of concept finished fully scripted to be built without
>> issues.   I shutdown and started these as needed to show to people to get
>> approval for the project.   The other day the client stopped enrolling to
>> the IPA server, I have no idea why I assume a patch pushed out broke
>> something since it is a fully scripted install. It does get the most recent
>> patches each time I stand it up so it definitely would pull any new patches
>> that came out.
>>
>> After investigating I am getting this error when I try to manually enroll
>> the client.  I haven't been able to find any reference to this error
>> anywhere on the net.  Any help would be greatly appreciated!  Let me know
>> if any additional details are needed.
>>
>>
>> PLEASE NOTE:  Everything below has been sanitized
>>
>>
>> [root@client ~]# ipa-client-install --domain=example.com --server=
>> ipa1.example.com --realm=EXAMPLE.COM --configure-ssh 
>> --configure-sshd -p ipa-bind -w "blah" -U
>> DNS domain 'example.com' is not configured for automatic KDC address
>> lookup.
>> KDC address will be set to fixed value.
>>
>> Discovery was successful!
>> Hostname: client.ec2.internal
>> Realm: EXAMPLE.COM 
>> DNS Domain: digitalreasoning.com
>> IPA Server: ipa1.example.com
>> BaseDN: dc=example,dc=com
>>
>>
>> Synchronizing time with KDC...
>>
>> ipa : ERROR    Cannot obtain CA certificate
>> 'ldap://ipa1.example.com' doesn't have a certificate.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>>
>> Thanks,
>> _
>> John Moyer
>>
>>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
>
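A pre-enrollment check built around the two things Peter asks about in this thread (the server ports, including the UDP ones a TCP scan never touches, and the SRV/TXT discovery records). This is an added example, not FreeIPA's own code: the required port sets and the `dig +short` resolver are assumptions, and the resolver is injectable so the DNS check can be exercised against a fake.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Assumed port sets: the TCP ports from John's nmap output that IPA itself
# needs (22 and 53 are not client requirements) plus udp/88 and udp/464,
# which a TCP-only nmap run does not test at all.
REQUIRED_TCP = {80, 88, 389, 443, 464, 636}
REQUIRED_UDP = {88, 464}
# DNS records ipa-client-install uses to discover the server and realm
# (the "SRV and TXT records" Peter recommends adding to the zone).
SRV_NAMES = ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp", "_kpasswd._udp")
TXT_NAMES = ("_kerberos",)

# Constructed copy of the scan table posted in the thread.
SAMPLE_SCAN = """PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm
"""


def parse_nmap(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> state from nmap's 'PORT STATE SERVICE' table."""
    return {(int(m.group(1)), m.group(2)): m.group(3)
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)", text, re.M)}


def port_gaps(scan_text: str) -> Dict[str, List[int]]:
    """Required ports the scan did not show open; UDP ports absent from the
    output are reported as unscanned rather than assumed open."""
    seen = parse_nmap(scan_text)
    ok_udp = ("open", "open|filtered")  # nmap often cannot tell these apart
    return {
        "tcp_closed": sorted(p for p in REQUIRED_TCP if seen.get((p, "tcp")) != "open"),
        "udp_closed": sorted(p for p in REQUIRED_UDP
                             if (p, "udp") in seen and seen[(p, "udp")] not in ok_udp),
        "udp_unscanned": sorted(p for p in REQUIRED_UDP if (p, "udp") not in seen),
    }


def dig_short(name: str, rtype: str) -> List[str]:
    """Default resolver: 'dig +short' (assumed to be installed on the client)."""
    out = subprocess.run(["dig", "+short", rtype, name],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def dns_gaps(domain: str,
             lookup: Callable[[str, str], List[str]] = dig_short) -> List[str]:
    """Discovery records that do not exist for the domain, as 'name TYPE'."""
    wanted = [(f"{n}.{domain}", "SRV") for n in SRV_NAMES]
    wanted += [(f"{n}.{domain}", "TXT") for n in TXT_NAMES]
    return [f"{name} {rtype}" for name, rtype in wanted if not lookup(name, rtype)]
```

Running `port_gaps(SAMPLE_SCAN)` on the thread's own scan shows no closed TCP ports but flags udp/88 and udp/464 as unscanned, which is exactly the blind spot of the posted output.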

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Steven Jones
Hi,

My poor 2 ideas,

You could try web browsing to the IPA server to see if the cert is there (wild 
guess).

~/ipa and see if there is a CA cert you can import.

Is the client pointing at the IPA server for its DNS?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of John Moyer [john.mo...@digitalreasoning.com]
Sent: Tuesday, 19 February 2013 2:03 p.m.
To: Peter Brown
Cc: freeipa-users
Subject: Re: [Freeipa-users] Cannot obtain CA Certificate

Peter,

Thanks for the response, I just checked out my security group settings, I did
have some ports blocked, however, allowing them did not help.   I installed
nmap on the client and did a port scan of the server and got the following:

PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

I tried to enroll again and got the same error as seen here:


Synchronizing time with KDC...

ipa : ERROR    Cannot obtain CA certificate



Thanks,
_
John Moyer


On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhal...@gmail.com> wrote:

Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
It turned out to be that port 80 wasn't open on the freeipa server.
I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your dns zone makes 
setting up clients a lot simpler.



On 19 February 2013 00:58, John Moyer <john.mo...@digitalreasoning.com> wrote:
Hello all,

I am having an issue using IPA 2.2.0.   I am trying to put together a proof of 
concept set of systems.  I've stood up 2 servers on AWS.   One is the server 
one is the client.   I am using CentOS 6 to do all this testing on, with the 
default IPA packages provided from CentOS.   I had a fully operational proof of 
concept finished fully scripted to be built without issues.   I shutdown and 
started these as needed to show to people to get approval for the project.   
The other day the client stopped enrolling to the IPA server, I have no idea 
why I assume a patch pushed out broke something since it is a fully scripted 
install. It does get the most recent patches each time I stand it up so it 
definitely would pull any new patches that came out.

After investigating I am getting this error when I try to manually enroll the 
client.  I haven't been able to find any reference to this error anywhere on 
the net.  Any help would be greatly appreciated!  Let me know if any additional 
details are needed.


PLEASE NOTE:  Everything below has been sanitized


[root@client ~]# ipa-client-install --domain=example.com
--server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p
ipa-bind -w "blah" -U
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: digitalreasoning.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com


Synchronizing time with KDC...

ipa : ERROR    Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks,
_
John Moyer






Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread John Moyer
Peter, 

Thanks for the response, I just checked out my security group settings,
I did have some ports blocked, however, allowing them did not help.   I
installed nmap on the client and did a port scan of the server and got the
following:

PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

I tried to enroll again and got the same error as seen here: 


Synchronizing time with KDC...

ipa : ERROR    Cannot obtain CA certificate



Thanks, 
_
John Moyer


On Feb 18, 2013, at 7:24 PM, Peter Brown wrote:

> Hi John,
> 
> I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
> It turned out to be that port 80 wasn't open on the freeipa server.
> I would check your ports and see if the right ones are open.
> I also find that setting up the SRV and TXT records in your dns zone makes 
> setting up clients a lot simpler.
> 
> 
> 
> On 19 February 2013 00:58, John Moyer wrote:
> Hello all, 
> 
>   I am having an issue using IPA 2.2.0.   I am trying to put together a 
> proof of concept set of systems.  I've stood up 2 servers on AWS.   One is 
> the server one is the client.   I am using CentOS 6 to do all this testing 
> on, with the default IPA packages provided from CentOS.   I had a fully 
> operational proof of concept finished fully scripted to be built without 
> issues.   I shutdown and started these as needed to show to people to get 
> approval for the project.   The other day the client stopped enrolling to the 
> IPA server, I have no idea why I assume a patch pushed out broke something 
> since it is a fully scripted install. It does get the most recent patches 
> each time I stand it up so it definitely would pull any new patches that came 
> out. 
> 
>   After investigating I am getting this error when I try to manually 
> enroll the client.  I haven't been able to find any reference to this error 
> anywhere on the net.  Any help would be greatly appreciated!  Let me know if 
> any additional details are needed. 
> 
> 
> PLEASE NOTE:  Everything below has been sanitized 
> 
> 
> [root@client ~]# ipa-client-install --domain=example.com 
> --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh 
> --configure-sshd -p ipa-bind -w "blah" -U
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> 
> Discovery was successful!
> Hostname: client.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: digitalreasoning.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
> 
> 
> Synchronizing time with KDC...
> 
> ipa : ERROR    Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
>  
> Thanks, 
> _
> John Moyer
> 
> 
> 
> 


Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread Peter Brown
Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
It turned out to be that port 80 wasn't open on the freeipa server.
I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your dns zone makes
setting up clients a lot simpler.



On 19 February 2013 00:58, John Moyer wrote:

> Hello all,
>
> I am having an issue using IPA 2.2.0.   I am trying to put together a
> proof of concept set of systems.  I've stood up 2 servers on AWS.   One is
> the server one is the client.   I am using CentOS 6 to do all this testing
> on, with the default IPA packages provided from CentOS.   I had a fully
> operational proof of concept finished fully scripted to be built without
> issues.   I shutdown and started these as needed to show to people to get
> approval for the project.   The other day the client stopped enrolling to
> the IPA server, I have no idea why I assume a patch pushed out broke
> something since it is a fully scripted install. It does get the most recent
> patches each time I stand it up so it definitely would pull any new patches
> that came out.
>
> After investigating I am getting this error when I try to manually enroll
> the client.  I haven't been able to find any reference to this error
> anywhere on the net.  Any help would be greatly appreciated!  Let me know
> if any additional details are needed.
>
>
> PLEASE NOTE:  Everything below has been sanitized
>
>
> [root@client ~]# ipa-client-install --domain=example.com --server=
> ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p
> ipa-bind -w "blah" -U
> DNS domain 'example.com' is not configured for automatic KDC address
> lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: client.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: digitalreasoning.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
>
>
> Synchronizing time with KDC...
>
> ipa : ERROR    Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Thanks,
> _
> John Moyer
>
>
>
>