Re: [Freeipa-users] Unable to enrol servers with principal
On Fri, Feb 15, 2013 at 6:56 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Charlie Derwent wrote:
>> Hi
>>
>> So there's nothing I can see in the access logs. However, I get the following message in the KDC log
>>
>> Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, u...@example.com for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>
>> and when I get a
>>
>> kinit(v5): Cannot read password while getting initial credentials
>>
>> error I see this error
>>
>> Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: u...@example.com for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
>>
>> Interestingly enough when I try a 5.6 server running ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client back to their 5.6 versions on the 5.8 server makes no difference. I guess looking at times it has worked I should be getting a TGS_REQ message in logs immediately after the AS_REQ.
>>
>> Any ideas or anything else I can check?
>>
>> Thanks
>> Charlie
>
> Are you seeing this failure only on this one 5.8 box or on others as well? The linker error is totally bizarre and I'm not sure why you'd get it infrequently.
>
> Does /var/log/ipaclient-install.log contain any additional information when things fail?
>
> rob

On a whole host of 5.8 boxes. I'm 99.9% sure the ipaclient-install.log didn't throw up anything I hadn't seen running the installer in debug mode and then mentioned in the original e-mail but I'll double check that when I'm in the office on Monday.

Dmitri, I'll triple check the date/timezone settings. I know the times match using the date command, but I haven't checked inside the localtime and clock files. All our servers should be set to UTC; someone is getting fired out of a cannon if I find one that isn't. It's worth mentioning that we don't use the ntp function of the IPA server as we're running them inside VMs. All servers get their time from elsewhere.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
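
The check discussed in this message (a TGS_REQ should follow a successful AS_REQ, and the failing kinit shows up as an AS_REQ for kadmin/changepw) can be run over a KDC log mechanically. The following Python script is an added example, not part of the original messages; its log lines are constructed in the krb5kdc format quoted above, and the principal `admin`, the HTTP service name, the 5-second window and the default year 2013 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the krb5kdc log format quoted in the thread; the
# principal "admin" and the HTTP service name are placeholders.
SAMPLE_LOG = """\
Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
Feb 15 14:39:30 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360953570, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: admin@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{.*?\}, )?(?P<client>\S+) for (?P<service>[^,\s]+)")

def parse(log, year=2013):
    """Return one dict per AS_REQ/TGS_REQ line; syslog omits the year, so pass it."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            events.append(ev)
    return events

def review(events, window=timedelta(seconds=5)):
    """Flag TGTs never used for a TGS_REQ, and requests for kadmin/changepw."""
    findings = []
    for i, ev in enumerate(events):
        if ev["req"] != "AS_REQ":
            continue
        if ev["service"].startswith("kadmin/changepw"):
            findings.append((ev["ts"], ev["client"], "changepw " + ev["status"]))
        elif ev["status"] == "ISSUE" and not any(
                e["req"] == "TGS_REQ" and e["client"] == ev["client"]
                and e["addr"] == ev["addr"]
                and timedelta(0) <= e["time"] - ev["time"] <= window
                for e in events[i + 1:]):
            findings.append((ev["ts"], ev["client"], "TGT issued, no TGS_REQ followed"))
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

On the constructed sample, the 14:05:49 login is paired with its TGS_REQ and produces no finding; the 14:39:30 and 14:39:35 requests are reported.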
Re: [Freeipa-users] Unable to enrol servers with principal
Charlie Derwent wrote:

> Hi
>
> So there's nothing I can see in the access logs. However, I get the following message in the KDC log
>
> Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, u...@example.com for krbtgt/example@example.com
>
> and when I get a
>
> kinit(v5): Cannot read password while getting initial credentials
>
> error I see this error
>
> Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: u...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
>
> Interestingly enough when I try a 5.6 server running ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client back to their 5.6 versions on the 5.8 server makes no difference. I guess looking at times it has worked I should be getting a TGS_REQ message in logs immediately after the AS_REQ.
>
> Any ideas or anything else I can check?
>
> Thanks
> Charlie

Are you seeing this failure only on this one 5.8 box or on others as well? The linker error is totally bizarre and I'm not sure why you'd get it infrequently.

Does /var/log/ipaclient-install.log contain any additional information when things fail?

rob
Re: [Freeipa-users] Unable to enrol servers with principal
On Sun, Feb 10, 2013 at 1:48 AM, Rob Crittenden rcrit...@redhat.com wrote:

> Charlie Derwent wrote:
>> Hi
>>
>> Whenever I attempt an unattended installation with a principal and password, the installation fails. I'm using the following syntax for my command
>>
>> ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM --principal=user --password=pass -U --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
>>
>> The error I get varies between (in order of frequency)
>>
>> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error: /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
>>
>> and
>
> This is the sort of thing that if you saw once, you should see every time. What version of xmlrpc-c-client is installed?

I agree I should be seeing it all the time; it's very odd that I'm not. The package is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm

>> kinit(v5): Password incorrect while getting initial credentials
>>
>> and
>>
>> Password expired. you must change it now.
>> kinit(v5): Cannot read password while getting initial credentials
>>
>> The password is 100% right as I can kinit on other servers and access the webgui with the same details. OTP's work flawlessly.
>
> The KDC log might have more information.

I'm not in the office right now so I can't check the logs but I assume the KDC log is actually on the IPA server?

Thanks
Charlie
Re: [Freeipa-users] Unable to enrol servers with principal
On 02/13/2013 04:57 PM, Charlie Derwent wrote:

> On Sun, Feb 10, 2013 at 1:48 AM, Rob Crittenden rcrit...@redhat.com wrote:
>
>> Charlie Derwent wrote:
>>> Hi
>>>
>>> Whenever I attempt an unattended installation with a principal and password, the installation fails. I'm using the following syntax for my command
>>>
>>> ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM --principal=user --password=pass -U --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
>>>
>>> The error I get varies between (in order of frequency)
>>>
>>> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error: /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
>>>
>>> and
>>
>> This is the sort of thing that if you saw once, you should see every time. What version of xmlrpc-c-client is installed?
>
> I agree I should be seeing it all the time; it's very odd that I'm not. The package is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm
>
>>> kinit(v5): Password incorrect while getting initial credentials
>>>
>>> and
>>>
>>> Password expired. you must change it now.
>>> kinit(v5): Cannot read password while getting initial credentials
>>>
>>> The password is 100% right as I can kinit on other servers and access the webgui with the same details. OTP's work flawlessly.
>>
>> The KDC log might have more information.
>
> I'm not in the office right now so I can't check the logs but I assume the KDC log is actually on the IPA server?

yes and the DS access logs too

> Thanks
> Charlie

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Unable to enrol servers with principal
Charlie Derwent wrote:

> Hi
>
> Whenever I attempt an unattended installation with a principal and password, the installation fails. I'm using the following syntax for my command
>
> ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM --principal=user --password=pass -U --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
>
> The error I get varies between (in order of frequency)
>
> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error: /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
>
> and

This is the sort of thing that if you saw once, you should see every time. What version of xmlrpc-c-client is installed?

> kinit(v5): Password incorrect while getting initial credentials
>
> and
>
> Password expired. you must change it now.
> kinit(v5): Cannot read password while getting initial credentials
>
> The password is 100% right as I can kinit on other servers and access the webgui with the same details. OTP's work flawlessly.

The KDC log might have more information.

> ipa-client = tried with 2.1.3-1.el5 and 2.1.3-5.el5_9.2 (RHEL 5.8)
> ipa-server = 2.2.0-16.el6 (RHEL 6.3)

rob
Re: [Freeipa-users] Unable to enrol servers with principal
Yes, the times on the ipa server and ipa client are in sync with our NTP source.

Thanks
Charlie

On Sat, Feb 9, 2013 at 1:07 AM, Dmitri Pal d...@redhat.com wrote:

> On 02/08/2013 07:47 PM, Charlie Derwent wrote:
>> Hi
>>
>> Whenever I attempt an unattended installation with a principal and password, the installation fails. I'm using the following syntax for my command
>>
>> ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM --principal=user --password=pass -U --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
>>
>> The error I get varies between (in order of frequency)
>>
>> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error: /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
>>
>> and
>>
>> kinit(v5): Password incorrect while getting initial credentials
>>
>> and
>>
>> Password expired. you must change it now.
>> kinit(v5): Cannot read password while getting initial credentials
>>
>> The password is 100% right as I can kinit on other servers and access the webgui with the same details. OTP's work flawlessly.
>>
>> ipa-client = tried with 2.1.3-1.el5 and 2.1.3-5.el5_9.2 (RHEL 5.8)
>> ipa-server = 2.2.0-16.el6 (RHEL 6.3)
>
> I assume this happens on the newly installed system...
> Is the time on the system correct?
>
>> Thanks,
>> Charlie
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.