Re: [Freeipa-users] ipa-client-install error
Hi Bahan,

> Hey.
> Try to remove the cert file in /etc/ipa of this client.
> And then retry.

this was perfect :-) Thank you.

> Best regards.
> Bahan

Andy

> > Hi,
> >
> > I want to install ipa client:
> > ipa-client-install -d
> >
> > I get the following error:
> > Verifying that "MyFreeIPA Server" (realm None) is an IPA server
> > Init LDAP connection to: "MyFreeIPA Server"
> > Error checking LDAP: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
> > Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
> > Discovery result: UNKNOWN_ERROR; ...
> > Validated servers:
> > Failed to verify that "MyFreeIPA Server" is an IPA Server.
> > This may mean that the remote server is not up or is not reachable due to network or firewall settings.
> > Please make sure the following ports are opened in the firewall settings:
> > TCP: 80, 88, 389
> > UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > Also note that following ports are necessary for ipa-client working properly after enrollment:
> > TCP: 464
> > UDP: 464, 123 (if NTP enabled)
> > "MyFreeIPA Server" : Provided interactively)
> > Installation failed. Rolling back changes.
> > IPA client is not configured on this system.
> >
> > selinux on the ipa client and ipa server is permissive, iptables is empty.
> > It seems to be a problem with the SSL certificate of freeipa.
> >
> > About the client:
> > rpm -qi ipa-client
> > Name: ipa-client
> > Version : 4.1.0
> > Release : 18.el7.centos.4
> >
> > About the freeipa server:
> > rpm -qi freeipa-server
> > Name: freeipa-server
> > Version : 4.1.4
> > Release : 1.fc21
> >
> > regards,
> > Andy
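The TLS error quoted above names a precise condition: two certificates with the same issuer and serial number that are not the same certificate. The script below is an added example, not part of the original thread and not FreeIPA code; it checks two PEM files for exactly that condition with `openssl`, so the conflicting file can be identified before it is removed. The function names and the paths in the usage comment are assumptions (the thread only says "the cert file in /etc/ipa").

```shell
#!/bin/sh
# Added example (not FreeIPA code): detect the condition behind NSS error -8054,
# i.e. two certificates that share issuer and serial number but differ in content.
#
# Usage (paths are assumptions; the thread only names "the cert file in /etc/ipa"):
#   sh cert_collision.sh /etc/ipa/ca.crt /tmp/server-ca.crt

# Print selected fields of a PEM certificate.
# $1 = file, remaining arguments = "openssl x509" output options.
# Returns non-zero if the file is not a readable certificate.
cert_field() {
    cf_file=$1
    shift
    openssl x509 -in "$cf_file" -noout "$@" 2>/dev/null
}

# Compare two certificates. Return codes:
#   0  same certificate (SHA-256 fingerprints match)
#   1  same issuer and serial, different certificate (the -8054 condition)
#   2  issuer or serial differ (unrelated certificates)
#   3  one of the files could not be parsed
compare_certs() {
    cc_id_old=$(cert_field "$1" -issuer -serial) || return 3
    cc_id_new=$(cert_field "$2" -issuer -serial) || return 3
    cc_fp_old=$(cert_field "$1" -fingerprint -sha256) || return 3
    cc_fp_new=$(cert_field "$2" -fingerprint -sha256) || return 3

    [ "$cc_fp_old" = "$cc_fp_new" ] && return 0
    [ "$cc_id_old" = "$cc_id_new" ] && return 1
    return 2
}

# Print the identifying fields of both files plus a verdict, and return the
# compare_certs status so callers can act on it.
report_certs() {
    compare_certs "$1" "$2" && rc_status=0 || rc_status=$?
    for rc_file in "$1" "$2"; do
        printf '%s\n' "== $rc_file"
        cert_field "$rc_file" -issuer -serial -dates -fingerprint -sha256 \
            || printf '%s\n' "   (not a readable PEM certificate)"
    done
    case $rc_status in
        0) printf '%s\n' "Result: identical certificate, no conflict." ;;
        1) printf '%s\n' "Result: same issuer/serial, different certificate (matches error -8054)." ;;
        2) printf '%s\n' "Result: issuer or serial differ, not the -8054 condition." ;;
        *) printf '%s\n' "Result: could not parse one of the files." ;;
    esac
    return "$rc_status"
}

# Run the report only when two file arguments are given, so the functions can
# also be sourced from another script.
if [ "$#" -eq 2 ]; then
    report_certs "$1" "$2"
    exit $?
fi
```

Check the printed SHA-256 fingerprint of the server's CA certificate against a value obtained from the server administrator before re-enrolling with it.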
Re: [Freeipa-users] ipa-client install error
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way.
>
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to:
> provide a fix for the older clients to be able to connect to 2.2 via errata.
> Make sure that the 2.2 client can connect to the 2.1 server.
>
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the servers to the new version first and then upgrade the clients.

The issue here is that the new IPA clients won't be able to use ipa command to control the old server because they have a higher API version and the old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2) should be OK as we maintain backwards compatibility.

Martin
Re: [Freeipa-users] ipa-client install error
Steven Jones wrote:
> So this opens a chicken and egg?
>
> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way

No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server.

Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> Steven Jones wrote:
> > I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
> >
> > Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> >
> > ==
> > [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> > Discovery was successful!
> > Hostname: rhel664ws01.ods.vuw.ac.nz
> > Realm: ODS.VUW.AC.NZ
> > DNS Domain: ods.vuw.ac.nz
> > IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> > BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> > Continue to configure the system with these values? [no]: yes
> > User authorized to enroll computers: admjonesst1
> > Synchronizing time with KDC...
> > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > Password for admjones...@ods.vuw.ac.nz:
> > Enrolled in IPA realm ODS.VUW.AC.NZ
> > Created /etc/ipa/default.conf
> > Unable to activate the SSH service in SSSD config.
> > Please make sure you have SSSD built with SSH support installed.
> > Configure SSH support manually in /etc/sssd/sssd.conf.
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 1534, in <module>
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 1521, in main
> >     rval = install(options, env, fstore, statestore)
> >   File "/usr/sbin/ipa-client-install", line 1358, in install
> >     api.Backend.xmlclient.connect()
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >     conn = self.create_connection(*args, **kw)
> >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> >     raise errors.KerberosError(major=str(krberr), minor='')
> > ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> > [root@rhel664ws01 ~]#
> > ===
> >
> > Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
>
> The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.
>
> We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
>
> rob
Re: [Freeipa-users] ipa-client install error
Hi,

proper isn't defined as such, but yes in an ideal world

Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod... now we have to start to separate them

also will IPA server on 6.3 collide with IPA server on 6.2? It would be proper to only upgrade one IPA at a time in case the upgrade buggered IPA... otherwise I have to do all at once...and if it goes wrong I'm left with nothing..

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:28 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way.
>
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to:
> provide a fix for the older clients to be able to connect to 2.2 via errata.
> Make sure that the 2.2 client can connect to the 2.1 server.
>
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the servers to the new version first and then upgrade the clients.

The issue here is that the new IPA clients won't be able to use ipa command to control the old server because they have a higher API version and the old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2) should be OK as we maintain backwards compatibility.

Martin
Re: [Freeipa-users] ipa-client install error
What is the impact of IPA not working properly?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way
>
> No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server.
>
> Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.
>
> rob

I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread.

The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's.

Martin

> > regards
> >
> > Steven Jones
> > Technical Specialist - Linux RHCE
> > Victoria University, Wellington, NZ
> > 0064 4 463 6272
> >
> > From: Rob Crittenden [rcrit...@redhat.com]
> > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > To: Steven Jones
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > Steven Jones wrote:
> > > I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
> > >
> > > Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> > >
> > > ==
> > > [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> > > Discovery was successful!
> > > Hostname: rhel664ws01.ods.vuw.ac.nz
> > > Realm: ODS.VUW.AC.NZ
> > > DNS Domain: ods.vuw.ac.nz
> > > IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> > > BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> > > Continue to configure the system with these values? [no]: yes
> > > User authorized to enroll computers: admjonesst1
> > > Synchronizing time with KDC...
> > > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > > Password for admjones...@ods.vuw.ac.nz:
> > > Enrolled in IPA realm ODS.VUW.AC.NZ
> > > Created /etc/ipa/default.conf
> > > Unable to activate the SSH service in SSSD config.
> > > Please make sure you have SSSD built with SSH support installed.
> > > Configure SSH support manually in /etc/sssd/sssd.conf.
> > > Configured /etc/sssd/sssd.conf
> > > Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> > > Traceback (most recent call last):
> > >   File "/usr/sbin/ipa-client-install", line 1534, in <module>
> > >     sys.exit(main())
> > >   File "/usr/sbin/ipa-client-install", line 1521, in main
> > >     rval = install(options, env, fstore, statestore)
> > >   File "/usr/sbin/ipa-client-install", line 1358, in install
> > >     api.Backend.xmlclient.connect()
> > >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> > >     conn = self.create_connection(*args, **kw)
> > >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> > >     raise errors.KerberosError(major=str(krberr), minor='')
> > > ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> > > [root@rhel664ws01 ~]#
> > > ===
> > >
> > > Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
> >
> > The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.
> >
> > We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
> >
> > rob
Re: [Freeipa-users] ipa-client install error
Steven Jones wrote:
> Hi,
>
> proper isn't defined as such, but yes in an ideal world
>
> Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod... now we have to start to separate them

Right, this is why we fixed the bug.

> also will IPA server on 6.3 collide with IPA server on 6.2? It would be proper to only upgrade one IPA at a time in case the upgrade buggered IPA... otherwise I have to do all at once...and if it goes wrong I'm left with nothing..

It will be fixed to work in 6.3 GA. The client enrollment will succeed but you won't get the 6.3 features (like SSH host keys uploaded).

The ipa tool is not downward compatible, so a 6.3 ipa tool will not work with a 6.2 server but the reverse WILL work.

rob
Re: [Freeipa-users] ipa-client install error
On 05/02/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> proper isn't defined as such, but yes in an ideal world
>
> Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod... now we have to start to separate them
>
> also will IPA server on 6.3 collide with IPA server on 6.2? It would be proper to only upgrade one IPA at a time in case the upgrade buggered IPA... otherwise I have to do all at once...and if it goes wrong I'm left with nothing..

The issue affects client to server authentication not server to server replication so 6.3 and 6.2 should work fine for several days while you are migrating servers from 6.2 to 6.3.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:28 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> > On 05/01/2012 06:15 PM, Steven Jones wrote:
> > > So this opens a chicken and egg?
> > >
> > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way.
> >
> > Yes this is a serious problem. Thank you for uncovering it.
> > Current plan is to:
> > provide a fix for the older clients to be able to connect to 2.2 via errata.
> > Make sure that the 2.2 client can connect to the 2.1 server.
> >
> > Thanks
> > Dmitri
>
> I am working on a patch for ipa-client-install which should make it capable of joining an older IPA server.
>
> BTW, I always thought that the proper upgrade scenario is to upgrade the servers to the new version first and then upgrade the clients.
>
> The issue here is that the new IPA clients won't be able to use ipa command to control the old server because they have a higher API version and the old server would not support it.
>
> The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2) should be OK as we maintain backwards compatibility.
>
> Martin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-client install error
Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of properly but basically if IPA server isn't working, none of your auth or identity works.

Depending on what state sssd thinks the server is in it may fall back into offline mode in which case individual workstations will still operate but networked authentication/identity will fail.

rob
Re: [Freeipa-users] ipa-client install error
On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server.

We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> > Steven Jones wrote:
> > > So this opens a chicken and egg?
> > >
> > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way
> >
> > No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server.
> >
> > Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.
> >
> > rob
>
> I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread.
>
> The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's.
>
> Martin
>
> > > regards
> > >
> > > Steven Jones
> > > Technical Specialist - Linux RHCE
> > > Victoria University, Wellington, NZ
> > > 0064 4 463 6272
> > >
> > > From: Rob Crittenden [rcrit...@redhat.com]
> > > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > > To: Steven Jones
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] ipa-client install error
> > >
> > > Steven Jones wrote:
> > > > I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
> > > >
> > > > Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> > > >
> > > > ==
> > > > [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> > > > Discovery was successful!
> > > > Hostname: rhel664ws01.ods.vuw.ac.nz
> > > > Realm: ODS.VUW.AC.NZ
> > > > DNS Domain: ods.vuw.ac.nz
> > > > IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> > > > BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> > > > Continue to configure the system with these values? [no]: yes
> > > > User authorized to enroll computers: admjonesst1
> > > > Synchronizing time with KDC...
> > > > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > > > Password for admjones...@ods.vuw.ac.nz:
> > > > Enrolled in IPA realm ODS.VUW.AC.NZ
> > > > Created /etc/ipa/default.conf
> > > > Unable to activate the SSH service in SSSD config.
> > > > Please make sure you have SSSD built with SSH support installed.
> > > > Configure SSH support manually in /etc/sssd/sssd.conf.
> > > > Configured /etc/sssd/sssd.conf
> > > > Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> > > > Traceback (most recent call last):
> > > >   File "/usr/sbin/ipa-client-install", line 1534, in <module>
> > > >     sys.exit(main())
> > > >   File "/usr/sbin/ipa-client-install", line 1521, in main
> > > >     rval = install(options, env, fstore, statestore)
> > > >   File "/usr/sbin/ipa-client-install", line 1358, in install
> > > >     api.Backend.xmlclient.connect()
> > > >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> > > >     conn = self.create_connection(*args, **kw)
> > > >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> > > >     raise errors.KerberosError(major=str(krberr), minor='')
> > > > ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> > > > [root@rhel664ws01 ~]#
> > > > ===
> > > >
> > > > Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
> > >
> > > The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.
> > >
> > > We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
> > >
> > > rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts
Re: [Freeipa-users] ipa-client install error
Hi,

Sorry, I used IPA I should have used lower case eg,

But ipa command still won't work properly as its API is higher than the server's.

The way I read that is a client will have limited command line capability? that would be Ok over say some weeks while we upgraded.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 3 May 2012 9:40 a.m.
To: Steven Jones
Cc: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of properly but basically if IPA server isn't working, none of your auth or identity works.

Depending on what state sssd thinks the server is in it may fall back into offline mode in which case individual workstations will still operate but networked authentication/identity will fail.

rob
Re: [Freeipa-users] ipa-client install error
Hi,

BTW, is this advice in the admin guide? I would suggest it's worth stating.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 3 May 2012 9:45 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server.

We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> > Steven Jones wrote:
> > > So this opens a chicken and egg?
> > >
> > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way
> >
> > No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server.
> >
> > Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.
> >
> > rob
>
> I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread.
>
> The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's.
>
> Martin
>
> > > regards
> > >
> > > Steven Jones
> > > Technical Specialist - Linux RHCE
> > > Victoria University, Wellington, NZ
> > > 0064 4 463 6272
> > >
> > > From: Rob Crittenden [rcrit...@redhat.com]
> > > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > > To: Steven Jones
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] ipa-client install error
> > >
> > > Steven Jones wrote:
> > > > I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
> > > >
> > > > Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> > > >
> > > > ==
> > > > [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> > > > Discovery was successful!
> > > > Hostname: rhel664ws01.ods.vuw.ac.nz
> > > > Realm: ODS.VUW.AC.NZ
> > > > DNS Domain: ods.vuw.ac.nz
> > > > IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> > > > BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> > > > Continue to configure the system with these values? [no]: yes
> > > > User authorized to enroll computers: admjonesst1
> > > > Synchronizing time with KDC...
> > > > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > > > Password for admjones...@ods.vuw.ac.nz:
> > > > Enrolled in IPA realm ODS.VUW.AC.NZ
> > > > Created /etc/ipa/default.conf
> > > > Unable to activate the SSH service in SSSD config.
> > > > Please make sure you have SSSD built with SSH support installed.
> > > > Configure SSH support manually in /etc/sssd/sssd.conf.
> > > > Configured /etc/sssd/sssd.conf
> > > > Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> > > > Traceback (most recent call last):
> > > >   File "/usr/sbin/ipa-client-install", line 1534, in <module>
> > > >     sys.exit(main())
> > > >   File "/usr/sbin/ipa-client-install", line 1521, in main
> > > >     rval = install(options, env, fstore, statestore)
> > > >   File "/usr/sbin/ipa-client-install", line 1358, in install
> > > >     api.Backend.xmlclient.connect()
> > > >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> > > >     conn = self.create_connection(*args, **kw)
> > > >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> > > >     raise errors.KerberosError(major=str(krberr), minor='')
> > > > ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> > > > [root@rhel664ws01 ~]#
> > > > ===
> > > >
> > > > Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
> > >
> > > The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.
> > >
> > > We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
> > >
> > > rob
Re: [Freeipa-users] ipa-client install error
On 05/02/2012 05:54 PM, Steven Jones wrote:
> Hi,
>
> BTW, is this advice in the admin guide? I would suggest it's worth stating.

Noted.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Thursday, 3 May 2012 9:45 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On 05/02/2012 05:29 PM, Steven Jones wrote:
> > What is the impact of IPA not working properly?
>
> You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server.
>
> We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply.
>
> > regards
> >
> > Steven Jones
> > Technical Specialist - Linux RHCE
> > Victoria University, Wellington, NZ
> > 0064 4 463 6272
> >
> > From: Martin Kosek [mko...@redhat.com]
> > Sent: Thursday, 3 May 2012 1:52 a.m.
> > To: Rob Crittenden
> > Cc: Steven Jones; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> > > Steven Jones wrote:
> > > > So this opens a chicken and egg?
> > > >
> > > > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way
> > >
> > > No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server.
> > >
> > > Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.
> > >
> > > rob
> >
> > I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread.
> >
> > The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's.
> >
> > Martin
> >
> > > > regards
> > > >
> > > > Steven Jones
> > > > Technical Specialist - Linux RHCE
> > > > Victoria University, Wellington, NZ
> > > > 0064 4 463 6272
> > > >
> > > > From: Rob Crittenden [rcrit...@redhat.com]
> > > > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > > > To: Steven Jones
> > > > Cc: freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] ipa-client install error
> > > >
> > > > Steven Jones wrote:
> > > > > I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
> > > > >
> > > > > Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> > > > >
> > > > > ==
> > > > > [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> > > > > Discovery was successful!
> > > > > Hostname: rhel664ws01.ods.vuw.ac.nz
> > > > > Realm: ODS.VUW.AC.NZ
> > > > > DNS Domain: ods.vuw.ac.nz
> > > > > IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> > > > > BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> > > > > Continue to configure the system with these values? [no]: yes
> > > > > User authorized to enroll computers: admjonesst1
> > > > > Synchronizing time with KDC...
> > > > > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > > > > Password for admjones...@ods.vuw.ac.nz:
> > > > > Enrolled in IPA realm ODS.VUW.AC.NZ
> > > > > Created /etc/ipa/default.conf
> > > > > Unable to activate the SSH service in SSSD config.
> > > > > Please make sure you have SSSD built with SSH support installed.
> > > > > Configure SSH support manually in /etc/sssd/sssd.conf.
> > > > > Configured /etc/sssd/sssd.conf
> > > > > Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> > > > > Traceback (most recent call last):
> > > > >   File "/usr/sbin/ipa-client-install", line 1534, in <module>
> > > > >     sys.exit(main())
> > > > >   File "/usr/sbin/ipa-client-install", line 1521, in main
> > > > >     rval = install(options, env, fstore, statestore)
> > > > >   File "/usr/sbin/ipa-client-install", line 1358, in install
> > > > >     api.Backend.xmlclient.connect()
> > > > >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> > > > >     conn = self.create_connection(*args, **kw)
> > > > >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> > > > >     raise errors.KerberosError(major=str(krberr), minor='')
> > > > > ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> > > > > [root@rhel664ws01 ~]#
> > > > > ===
> > > > >
> > > > > Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
> > > >
> > > > The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.
> > > >
> > > > We should handle this better, I've opened a ticket to track this: https
Re: [Freeipa-users] ipa-client install error
I don't see anything much more useful in the log file. The last line in the traceback suggests there is something wrong with connection to your KDC, does the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD do you have installed?

Thanks
Jan

Steven Jones steven.jo...@vuw.ac.nz wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 2:22 p.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
>
> Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>
> ==
> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjones...@ods.vuw.ac.nz:
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root@rhel664ws01 ~]#
> ===
>
> Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
Re: [Freeipa-users] ipa-client install error
Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections... as far as I know... but the proof is this machine is a vm off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and I manage IPA from the firefox web browser on it... so physically it's the exact same cable, switches, routers, firewall and vmware hardware... so an issue makes no sense at that level unless it's an issue with the KVM networking. It's DHCPing off my cat6 cable so has the same IP address range, so that leaves out networking I believe.

However I am having issues with some logins on other clients as well now so this points to IPA itself or something common I would say. I've done sosreports under case 627913 for that...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Jan Zeleny [jzel...@redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users@redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the traceback suggests there is something wrong with connection to your KDC, does the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD do you have installed?

Thanks
Jan

Steven Jones steven.jo...@vuw.ac.nz wrote:

encl ipa install log

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 1 May 2012 2:22 p.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-client install error

I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1534, in <module>
    sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1521, in main
    rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 1358, in install
    api.Backend.xmlclient.connect()
  File /usr/lib/python2.6/site-packages/ipalib/backend.py, line 63, in connect
    conn = self.create_connection(*args, **kw)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
Re: [Freeipa-users] ipa-client install error
Error there on my part, it's 1.8 not 1.5. I have another machine that is 1.5.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 2 May 2012 8:52 a.m.
To: Jan Zeleny; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections... as far as I know... but the proof is this machine is a vm off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and I manage IPA from the firefox web browser on it... so physically it's the exact same cable, switches, routers, firewall and vmware hardware... so an issue makes no sense at that level unless it's an issue with the KVM networking. It's DHCPing off my cat6 cable so has the same IP address range, so that leaves out networking I believe.

However I am having issues with some logins on other clients as well now so this points to IPA itself or something common I would say. I've done sosreports under case 627913 for that...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Jan Zeleny [jzel...@redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users@redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the traceback suggests there is something wrong with connection to your KDC, does the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD do you have installed?

Thanks
Jan

Steven Jones steven.jo...@vuw.ac.nz wrote:

encl ipa install log

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 1 May 2012 2:22 p.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-client install error

I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1534, in <module>
    sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1521, in main
    rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 1358, in install
    api.Backend.xmlclient.connect()
  File /usr/lib/python2.6/site-packages/ipalib/backend.py, line 63, in connect
    conn = self.create_connection(*args, **kw)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? ie it's simply not compatible?
Re: [Freeipa-users] ipa-client install error
So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:

I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1534, in <module>
    sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1521, in main
    rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 1358, in install
    api.Backend.xmlclient.connect()
  File /usr/lib/python2.6/site-packages/ipalib/backend.py, line 63, in connect
    conn = self.create_connection(*args, **kw)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? ie it's simply not compatible?

The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires. We should handle this better, I've opened a ticket to track this:

https://fedorahosted.org/freeipa/ticket/2697

rob
Re: [Freeipa-users] ipa-client install error
On 05/01/2012 06:15 PM, Steven Jones wrote:

So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done... if so that is a huge and ugly looking task that is one way.

Yes this is a serious problem. Thank you for uncovering it.

Current plan is to: provide a fix for the older clients to be able to connect to 2.2 via errata. Make sure that the 2.2 client can connect to the 2.1 server.

Thanks
Dmitri

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:

I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1534, in <module>
    sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1521, in main
    rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 1358, in install
    api.Backend.xmlclient.connect()
  File /usr/lib/python2.6/site-packages/ipalib/backend.py, line 63, in connect
    conn = self.create_connection(*args, **kw)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? ie it's simply not compatible?

The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires. We should handle this better, I've opened a ticket to track this:

https://fedorahosted.org/freeipa/ticket/2697

rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] ipa-client install error
encl ipa install log

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 1 May 2012 2:22 p.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-client install error

I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:
Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1534, in <module>
    sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1521, in main
    rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 1358, in install
    api.Backend.xmlclient.connect()
  File /usr/lib/python2.6/site-packages/ipalib/backend.py, line 63, in connect
    conn = self.create_connection(*args, **kw)
  File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? ie it's simply not compatible?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

ipaclient-install.log
Description: ipaclient-install.log
Re: [Freeipa-users] ipa-client-install error
CentOS is far behind RHEL. Many of the issues you will find have been fixed in released versions of IPA. This one is due, I think, to an earlier issue with directory server that has since been upgraded.

You might want to see if the versions shipped with Scientific Linux work better for you, but it is going to be quite a few packages. Aside from freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.

On 11/04/2011 03:04 PM, Jimmy wrote:

I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp
Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102 http://192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Re: [Freeipa-users] ipa-client-install error
Jimmy wrote:

I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp
Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102 http://192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199 http://192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp

You need a newer ipa-client package. The extended operation we used for enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.

rob
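The krb5kdc lines quoted in this message all end in ISSUE after the initial NEEDED_PREAUTH, which is consistent with the failure lying in the enrollment extended operation rather than in Kerberos. The following added example (not code from the thread or from FreeIPA) shows one way to read such a log mechanically; the sample lines are constructed, with placeholder realm, principals and addresses, and omit the link text the mail client added after each address.

```python
import re
from collections import defaultdict

# Constructed sample lines in the krb5kdc format shown in the post. Realm,
# principals and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Nov 04 18:52:55 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 04 18:53:20 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 04 18:53:21 ipa.example.test krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Nov 04 18:53:21 ipa.example.test krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Nov 04 18:54:01 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 04 18:54:02 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""

# request type, client address, KDC decision, client principal, service principal
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)


def summarise(log_text):
    """Group KDC decisions by client address.

    Returns (issued, refused, pending):
      issued  - addr -> service principals for which a ticket was issued
      refused - addr -> (status, service) for every decision other than
                ISSUE or NEEDED_PREAUTH
      pending - (addr, client) pairs that were asked for pre-authentication
                and never received a ticket afterwards
    """
    issued = defaultdict(list)
    refused = defaultdict(list)
    pending = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue  # not an AS_REQ/TGS_REQ decision line
        key = (m["addr"], m["client"])
        if m["status"] == "ISSUE":
            issued[m["addr"]].append(m["service"])
            pending.discard(key)
        elif m["status"] == "NEEDED_PREAUTH":
            # Normal first leg of an AS exchange; it only matters when no
            # ISSUE follows for the same client.
            pending.add(key)
        else:
            refused[m["addr"]].append((m["status"], m["service"]))
    return dict(issued), dict(refused), pending


if __name__ == "__main__":
    issued, refused, pending = summarise(SAMPLE_LOG)
    for addr, services in issued.items():
        print(addr, "tickets issued for:", ", ".join(services))
    for addr, events in refused.items():
        print(addr, "refused:", events)
    print("pre-auth never completed:", sorted(pending))
```

A client whose address appears only under issued, as the enrolling host does in the post, authenticated successfully, so the next place to look is the service it was talking to.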
Re: [Freeipa-users] ipa-client-install error
I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess the proper fix is to use the SL packages Adam referenced?

Jimmy

You need a newer ipa-client package. The extended operation we used for enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.

rob
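The installed package and the fixed package named in this exchange share the prefix 2.0-9, so whether a client carries the fix depends on how RPM orders the release strings. The following added example (not code from the thread or from FreeIPA) implements the classic rpmvercmp segment rules, without epoch, tilde or caret handling, and takes the fixed release exactly as written in the reply; `split_nvr` and `has_fix` are names made up for the illustration.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
# Architecture suffixes recognised when a full package name is given.
_ARCHES = ("x86_64", "i686", "i386", "noarch", "src")


def rpmvercmp(a, b):
    """Compare two version or release strings with the classic RPM rules.

    Returns 1 if a is newer than b, -1 if it is older, 0 if they are equal.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x_num else -1
        # Numbers compare by value (leading zeros ignored), letters as text.
        x_key, y_key = (int(x), int(y)) if x_num else (x, y)
        if x_key != y_key:
            return 1 if x_key > y_key else -1
    # All shared segments are equal: the string with segments left is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    for arch in _ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
            break
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def has_fix(installed, fixed_in):
    """True if the installed package is at or beyond the fixed release."""
    name_i, ver_i, rel_i = split_nvr(installed)
    name_f, ver_f, rel_f = split_nvr(fixed_in)
    if name_i != name_f:
        raise ValueError("different packages: %s vs %s" % (name_i, name_f))
    order = rpmvercmp(ver_i, ver_f)
    if order == 0:
        order = rpmvercmp(rel_i, rel_f)
    return order >= 0


if __name__ == "__main__":
    installed = "ipa-client-2.0-9.el6.x86_64"  # from the message above
    fixed_in = "ipa-client-2.0-9.1"            # as written in the reply
    print(split_nvr(installed), "has fix:", has_fix(installed, fixed_in))
```

The release `9.el6` sorts below `9.1` because the alphabetic segment `el` loses to the numeric segment `1`. On a host with the rpm Python bindings, `rpm.labelCompare` gives the authoritative ordering, including epochs.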
Re: [Freeipa-users] ipa-client-install error
On 11/04/2011 07:07 PM, Dmitri Pal wrote:

On 11/04/2011 04:23 PM, Jimmy wrote:

I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess the proper fix is to use the SL packages Adam referenced?

Correct.

It looks like Scientific Linux is behind as well: The packages on http://ftp.scientificlinux.org/linux/scientific/ are all 2.0.0 for example

http://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/fastbugs/ipa-client-2.0.0-23.el6_1.1.x86_64.rpm

Not sure how they are doing their naming scheme, as they have 6/ 6.1/ 6x/ and 6rolling but they all look pretty much the same.

Jimmy

You need a newer ipa-client package. The extended operation we used for enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.

rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.