Re: [Freeipa-users] Unable to enrol servers with principal

2013-02-16 Thread Charlie Derwent
On Fri, Feb 15, 2013 at 6:56 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Charlie Derwent wrote:

 Hi
 So there's nothing I can see in the access logs.
 However, I get the following message in the KDC log
 Feb 15 14:05:49 ipa.example.com
 krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
 13}) 192.168.0.1: ISSUE: authtime 1360951549,
 etypes {rep=18 tkt=18 ses=18}, u...@example.com
 for krbtgt/EXAMPLE.COM@EXAMPLE.COM

 and when I get a kinit(v5): Cannot read password while getting initial
 credentials error I see this error
 Feb 15 14:39:35 ipa.example.com
 krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
 13}) 192.168.0.1: NEEDED_PREAUTH: u...@example.com
 for kadmin/changepw@EXAMPLE.COM,
 Additional pre-authentication required

 Interestingly enough when I try a 5.6 server running
 ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it
 works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client
 back to their 5.6 versions on the 5.8 server makes no difference. I
 guess looking at times it has worked I should be getting a TGS_REQ
 message in logs immediately after the AS_REQ.
 Any ideas or anything else I can check?
 Thanks
 Charliez


 Are you seeing this failure only on this one 5.8 box or on others as well?

 The linker error is totally bizarre and I'm not sure why you'd get it
 infrequently.

 Does /var/log/ipaclient-install.log contain any additional information
 when things fail?

 rob


On a whole host of 5.8 boxes. I'm 99.9% sure the ipaclient-install.log
didn't throw up anything I hadn't seen running the installer in debug mode
and then mentioned in the original e-mail but I'll double check that when
I'm in the office on Monday.

Dmitri, I'll triple check the date/timezone settings. I know the times
match using the date command, but I haven't checked inside the localtime
and clock files. All our servers should be set to UTC; someone is getting
fired out of a cannon if I find one that isn't. It's worth mentioning that
we don't use the ntp function of the IPA server as we're running them
inside VMs. All servers get their time from elsewhere.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
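
Added example (not part of the thread or of FreeIPA): a small Python triage of krb5kdc log lines for the two patterns discussed above, a TGT issued with no TGS_REQ after it and an AS_REQ for kadmin/changepw. The log sample is constructed from the lines quoted in the thread; user@EXAMPLE.COM and the 192.168.0.2 client are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the krb5kdc lines quoted in the thread. The
# principal user@EXAMPLE.COM and the client 192.168.0.2 are placeholders.
SAMPLE_LOG = """\
Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Feb 15 14:41:02 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.2: ISSUE: authtime 1360953662, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 15 14:41:02 ipa.example.com krb5kdc[1749](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1360953662, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
"""

# Request type, client address, status, then "<client> for <service>".
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<addr>\S+?): (?P<status>[A-Z_]+): "
    r"(?:.*, )?(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def parse(log_text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def triage(events):
    """Per client address, report the two patterns discussed in the thread."""
    by_addr = defaultdict(list)
    for ev in events:
        by_addr[ev["addr"]].append(ev)
    findings = {}
    for addr, evs in by_addr.items():
        notes = []
        # Positions of the TGTs issued to this address; the last one is checked.
        tgt = [i for i, e in enumerate(evs) if e["req"] == "AS_REQ"
               and e["status"] == "ISSUE" and e["service"].startswith("krbtgt/")]
        if tgt and not any(e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
                           for e in evs[tgt[-1] + 1:]):
            notes.append("TGT issued but no TGS_REQ followed")
        # NEEDED_PREAUTH by itself is the routine first leg of pre-authentication;
        # the target service is what matters: kadmin/changepw means the client
        # is trying to change a password, as kinit does for an expired one.
        if any(e["service"].startswith("kadmin/changepw") for e in evs):
            notes.append("request for kadmin/changepw (password-change path)")
        findings[addr] = notes or ["nothing flagged"]
    return findings

if __name__ == "__main__":
    for addr, notes in triage(parse(SAMPLE_LOG)).items():
        print(addr, "->", "; ".join(notes))
```
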

Re: [Freeipa-users] Unable to enrol servers with principal

2013-02-15 Thread Rob Crittenden

Charlie Derwent wrote:

Hi
So there's nothing I can see in the access logs.
However, I get the following message in the KDC log
Feb 15 14:05:49 ipa.example.com
krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
13}) 192.168.0.1: ISSUE: authtime 1360951549,
etypes {rep=18 tkt=18 ses=18}, u...@example.com
for krbtgt/example@example.com
and when I get a kinit(v5): Cannot read password while getting initial
credentials error I see this error
Feb 15 14:39:35 ipa.example.com
krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
13}) 192.168.0.1: NEEDED_PREAUTH: u...@example.com
for kadmin/chang...@example.com, Additional pre-authentication required
Interestingly enough when I try a 5.6 server running
ipa-client-2.0.14.el5_7.2 and  xmlrpc-c-client-1.16.24-1206.1840.el5 it
works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client
back to their 5.6 versions on the 5.8 server makes no difference. I
guess looking at times it has worked I should be getting a TGS_REQ
message in logs immediately after the AS_REQ.
Any ideas or anything else I can check?
Thanks
Charliez


Are you seeing this failure only on this one 5.8 box or on others as well?

The linker error is totally bizarre and I'm not sure why you'd get it 
infrequently.


Does /var/log/ipaclient-install.log contain any additional information 
when things fail?


rob



Re: [Freeipa-users] Unable to enrol servers with principal

2013-02-13 Thread Charlie Derwent
On Sun, Feb 10, 2013 at 1:48 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Charlie Derwent wrote:

 Hi
 Whenever I attempt an unattended installation with a principal and
 password, the installation fails.
 I'm using the following syntax for my command
 ipa-client-install --domain=example.com
 --server=ipa.example.com --realm=EXAMPLE.COM
 --principal=user --password=pass -U
 --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com

 The error I get varies between (in order of frequency)
 Joining realm failed: /usr/sbin/ipa-join: symbol lookup error:
 /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
 and


 This is the sort of thing that if you saw once, you should see every time.
 What version of xmlrpc-c-client is installed?



I agree I should be seeing it all the time; it's very odd that I'm not. The
package is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm


  kinit(v5): Password incorrect while getting initial credentials
 and
 Password expired. you must change it now.
 kinit(v5): Cannot read password while getting initial credentials
 The password is 100% right as I can kinit on other servers and access
 the webgui with the same details.
 OTP's work flawlessly.


 The KDC log might have more information.

I'm not in the office right now so I can't check the logs but I assume the
KDC log is actually on the IPA server?

Thanks
Charlie




Re: [Freeipa-users] Unable to enrol servers with principal

2013-02-13 Thread Dmitri Pal
On 02/13/2013 04:57 PM, Charlie Derwent wrote:


 On Sun, Feb 10, 2013 at 1:48 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Charlie Derwent wrote:

 Hi
 Whenever I attempt an unattended installation with a principal and
 password, the installation fails.
 I'm using the following syntax for my command
 ipa-client-install --domain=example.com
 --server=ipa.example.com --realm=EXAMPLE.COM
 --principal=user --password=pass -U
 --ntp-server=123.123.123.123 --mkhomedir
 --hostname=server1.example.com

 The error I get varies between (in order of frequency)
 Joining realm failed: /usr/sbin/ipa-join: symbol lookup error:
 /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
 and


 This is the sort of thing that if you saw once, you should see
 every time. What version of xmlrpc-c-client is installed?

  

 I agree I should be seeing it all the time; it's very odd that I'm not.
 The package is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm


 kinit(v5): Password incorrect while getting initial credentials
 and
 Password expired. you must change it now.
 kinit(v5): Cannot read password while getting initial credentials
 The password is 100% right as I can kinit on other servers and
 access
 the webgui with the same details.
 OTP's work flawlessly.


 The KDC log might have more information.

 I'm not in the office right now so I can't check the logs but I assume
 the KDC log is actually on the IPA server?

yes
and the DS access logs too
  
 Thanks
 Charlie

  


  




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Unable to enrol servers with principal

2013-02-09 Thread Rob Crittenden

Charlie Derwent wrote:

Hi
Whenever I attempt an unattended installation with a principal and
password, the installation fails.
I'm using the following syntax for my command
ipa-client-install --domain=example.com
--server=ipa.example.com --realm=EXAMPLE.COM
--principal=user --password=pass -U
--ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
The error I get varies between (in order of frequency)
Joining realm failed: /usr/sbin/ipa-join: symbol lookup error:
/usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
and


This is the sort of thing that if you saw once, you should see every 
time. What version of xmlrpc-c-client is installed?



kinit(v5): Password incorrect while getting initial credentials
and
Password expired. you must change it now.
kinit(v5): Cannot read password while getting initial credentials
The password is 100% right as I can kinit on other servers and access
the webgui with the same details.
OTP's work flawlessly.


The KDC log might have more information.


ipa-client = tried with 2.1.3-1.el5 and 2.1.3-5.el5_9.2 (RHEL 5.8)
ipa-server = 2.2.0-16.el6  (RHEL 6.3)


rob



Re: [Freeipa-users] Unable to enrol servers with principal

2013-02-08 Thread Charlie Derwent
Yes the times on the ipa server and ipa client are in sync with our NTP
source

Thanks
Charlie


On Sat, Feb 9, 2013 at 1:07 AM, Dmitri Pal d...@redhat.com wrote:

  On 02/08/2013 07:47 PM, Charlie Derwent wrote:

  Hi

 Whenever I attempt an unattended installation with a principal and
 password, the installation fails.

 I'm using the following syntax for my command

 ipa-client-install --domain=example.com --server=ipa.example.com
 --realm=EXAMPLE.COM --principal=user --password=pass -U
 --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com

 The error I get varies between (in order of frequency)

 Joining realm failed: /usr/sbin/ipa-join: symbol lookup error:
 /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user

 and

  kinit(v5): Password incorrect while getting initial credentials

  and

  Password expired. you must change it now.
  kinit(v5): Cannot read password while getting initial credentials

 The password is 100% right as I can kinit on other servers and access the
 webgui with the same details.

  OTP's work flawlessly.

  ipa-client = tried with 2.1.3-1.el5 and 2.1.3-5.el5_9.2 (RHEL 5.8)

 ipa-server = 2.2.0-16.el6  (RHEL 6.3)


 I assume this happens on the newly installed system...
 Is the time on the system correct?


 Thanks,
  Charlie





 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.

