Re: [Freeipa-users] ipa-client-install error

2015-09-28 Thread ladanyi


Hi Bahan,


Hey.

Try to remove the cert file in /etc/ipa of this client.

And then retry.



this was perfect :-) Thank you.



Best regards.

Bahan


Andy



Hi,

I want to install ipa client: ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


selinux on the ipa client and ipa server is permissive, iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.


About the client:

rpm -qi ipa-client
Name: ipa-client
Version : 4.1.0
Release : 18.el7.centos.4


About the freeipa server:

rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21


regards,
Andy



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
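
The TLS error -8054 in the message above means that a cert file already present in /etc/ipa and the certificate the server presents share issuer and serial number but are not the same certificate. The following is an added example, not part of the original thread or of FreeIPA: a stdlib-only Python check that classifies two certificates that way. The sample certificates are constructed, unsigned skeletons and all function names are illustrative.

```python
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def to_der(data):
    """Accept PEM or DER bytes and return the DER of the first certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def to_pem(der):
    """Wrap DER bytes in PEM armour (used here to exercise the PEM path)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def issuer_serial_fingerprint(data):
    """Return (raw issuer Name bytes, serial number, SHA-256 of the cert)."""
    der = to_der(data)
    tag, start, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, pos, _ = _read_tlv(der, start)            # tbsCertificate ::= SEQUENCE
    tag, vstart, vend = _read_tlv(der, pos)
    if tag == 0xA0:                              # optional [0] version, skip it
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(der[vstart:vend], "big")
    _, _, alg_end = _read_tlv(der, vend)         # signature AlgorithmIdentifier
    _, _, issuer_end = _read_tlv(der, alg_end)   # issuer Name
    return der[alg_end:issuer_end], serial, hashlib.sha256(der).hexdigest()


def classify(local_cert, server_cert):
    """Compare the cert found on the client with the one the server uses."""
    l_issuer, l_serial, l_fp = issuer_serial_fingerprint(local_cert)
    s_issuer, s_serial, s_fp = issuer_serial_fingerprint(server_cert)
    if l_fp == s_fp:
        return "same-cert"
    if (l_issuer, l_serial) == (s_issuer, s_serial):
        return "reused-issuer-serial"            # the condition behind -8054
    return "unrelated"


# --- constructed sample input (unsigned skeletons, not real certificates) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def make_sample(org, serial, key_marker):
    """Build Certificate{tbs{version, serial, alg, issuer, ...}, alg, sig}."""
    def rdn(oid_hex, text):
        attr = bytes.fromhex(oid_hex) + _tlv(0x0C, text.encode())
        return _tlv(0x31, _tlv(0x30, attr))
    issuer = _tlv(0x30, rdn("060355040a", org)                 # O=
                  + rdn("0603550403", "Certificate Authority"))  # CN=
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    tbs = _tlv(0x30, version + _tlv(0x02, bytes([serial])) + alg + issuer
               + _tlv(0x04, key_marker))         # stands in for the remaining fields
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + key_marker))


OLD_CA = make_sample("EXAMPLE.TEST", 1, b"old-install-key")    # file on the client
NEW_CA = make_sample("EXAMPLE.TEST", 1, b"new-install-key")    # current server CA
OTHER_CA = make_sample("OTHER.TEST", 1, b"other-key")

if __name__ == "__main__":
    print(classify(to_pem(OLD_CA), NEW_CA))
```

To use it on a client, read the cert file in /etc/ipa and a copy of the server's CA certificate obtained over a trusted channel, and pass both byte strings to classify().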


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
 On 05/01/2012 06:15 PM, Steven Jones wrote:
  So this opens a chicken and egg?
 
  ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
  older 6.2 clients will break?  but I can't upgrade the clients until after 
  the servers are done... if so that is a huge and ugly looking task that is 
  one way.
 
 
 Yes this is a serious problem. Thank you for uncovering it.
 Current plan is to: provide a fix for the older clients to be able to
 connect to 2.2 via errata.
 Make sure that the 2.2 client can connect to the 2.1 server.
 
 Thanks
 Dmitri

I am working on a patch for ipa-client-install which should make it
capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the
servers to the new version first and then upgrade the clients. The issue
here is that the new IPA clients won't be able to use ipa command to
control the old server because they have a higher API version and the
old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
should be OK as we maintain backwards compatibility.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

So this opens a chicken and egg?

ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 
6.2 clients will break?  but I can't upgrade the clients until after the servers 
are done... if so that is a huge and ugly looking task that is one way


No, that's not the problem at all. Enrolled clients will work as 
expected. New 6.3 clients can enroll with a 6.3 server. Based on the log 
it looks like a 6.3 client can't enroll with a 6.2 server but I'm still 
investigating. We'll fix it if needed.


rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:

I made a slight oops, I just upgraded a long un-used vm on my desktop from 
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is 
down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and 
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?



The newer 2.2 client cannot connect to an older 2.1 server because it
isn't going to send the TGT that the 2.1 server requires. We should
handle this better, I've opened a ticket to track this:
https://fedorahosted.org/freeipa/ticket/2697

rob





Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

proper isn't defined as such, but yes in an ideal world... Trouble is we have 
so many servers that we patch over 2 or 3 early start mornings, until now we 
did test first, then prod... now we have to start to separate them

also will IPA server on 6.3 collide with IPA server on 6.2?  It would be 
proper to only upgrade one IPA at a time in case the upgrade buggered 
IPA... otherwise I have to do all at once... and if it goes wrong I'm left 
with nothing..

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
What is the impact of IPA not working properly?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
 Steven Jones wrote:
  So this opens a chicken and egg?
 
  ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
  older 6.2 clients will break?  but I can't upgrade the clients until after 
  the servers are done... if so that is a huge and ugly looking task that is 
  one way

 No, that's not the problem at all. Enrolled clients will work as
 expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
 it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
 investigating. We'll fix it if needed.

 rob

I just sent a patch for this issue to freeipa-devel list. The problem
was in the TGT forwarding as mentioned earlier in this thread. The
patched client can now join an older IPA server. But ipa command still
won't work properly as its API is higher than the server's.

Martin



 


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

Hi,

proper isn't defined as such, but yes in an ideal world... Trouble is we have 
so many servers that we patch over 2 or 3 early start mornings, until now we did test 
first, then prod... now we have to start to separate them


Right, this is why we fixed the bug.



also will IPA server on 6.3 collide with IPA server on 6.2?  It would be 
proper to only upgrade one IPA at a time in case the upgrade buggered 
IPA... otherwise I have to do all at once... and if it goes wrong I'm left with 
nothing..


It will be fixed to work in 6.3 GA. The client enrollment will succeed 
but you won't get the 6.3 features (like SSH host keys uploaded). The 
ipa tool is not downward compatible, so a 6.3 ipa tool will not work 
with a 6.2 server but the reverse WILL work.


rob



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:28 PM, Steven Jones wrote:
 Hi,

 proper isn't defined as such, but yes in an ideal world... Trouble is we 
 have so many servers that we patch over 2 or 3 early start mornings, until 
 now we did test first, then prod... now we have to start to separate them

 also will IPA server on 6.3 collide with IPA server on 6.2?  It would be 
 proper to only upgrade one IPA at a time in case the upgrade buggered 
 IPA... otherwise I have to do all at once... and if it goes wrong I'm left 
 with nothing..


The issue affects client to server authentication not server to server
replication so 6.3 and 6.2 should work fine for several days while you
are migrating servers from 6.2 to 6.3.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

What is the impact of IPA not working properly?


That is a bit of a loaded question. It depends on your definition of 
properly but basically if IPA server isn't working, none of your auth 
or identity works. Depending on what state sssd thinks the server is in 
it may fall back into offline mode in which case individual workstations 
will still operate but networked authentication/identity will fail.


rob



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:29 PM, Steven Jones wrote:
 What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity
lookups and authentication and administrative station where you have
ipa-admintools package installed. It is not recommended to have this
package on the client side to be higher version than on the server. We
are currently fixing the issue for the client enrollment to work even if
you try to enroll later version of the ipa client with the earlier
version of the server but for ipa-admintools the general rule: upgrade
server first and then the client ipa-admintools package should continue
to apply.





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

Sorry, I used IPA, I should have used lower case, e.g.,

But ipa command still
won't work properly as its API is higher than the server's.

The way I read that is a client will have limited command line capability? That 
would be OK over say some weeks while we upgraded.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

BTW, is this advice in the admin guide?  I would suggest it's worth stating.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:54 PM, Steven Jones wrote:
 Hi,

 BTW, is this advice in the admin guide?  I would suggest it's worth 
 stating.


Noted.


Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Jan Zeleny
I don't see anything much more useful in the log file. The last line in the 
traceback suggests there is something wrong with connection to your KDC, does 
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD 
do you have installed?

Thanks
Jan

Steven Jones steven.jo...@vuw.ac.nz wrote:
 encl ipa install log
 
 regards
 
 Steven Jones
 
 Technical Specialist - Linux RHCE
 
 Victoria University, Wellington, NZ
 
 0064 4 463 6272
 
 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
 on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Tuesday, 1 May
 2012 2:22 p.m.
 Cc: freeipa-users@redhat.com
 Subject: [Freeipa-users] ipa-client install error
 
 I made a slight oops, I just upgraded a long un-used vm on my desktop from
 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite
 is down I cant correct this so I tried to add the 6.3beta client to IPA on
 6.2 and I get an error.
 
 ==
 [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Hostname: rhel664ws01.ods.vuw.ac.nz
 Realm: ODS.VUW.AC.NZ
 DNS Domain: ods.vuw.ac.nz
 IPA Server: vuwunicoipam002.ods.vuw.ac.nz
 BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
 
 
 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admjonesst1
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Password for admjones...@ods.vuw.ac.nz:
 
 Enrolled in IPA realm ODS.VUW.AC.NZ
 Created /etc/ipa/default.conf
 Unable to activate the SSH service in SSSD config.
 Please make sure you have SSSD built with SSH support installed.
 Configure SSH support manually in /etc/sssd/sssd.conf.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1534, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1521, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1358, in install
     api.Backend.xmlclient.connect()
   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
     conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
     raise errors.KerberosError(major=str(krberr), minor='')
 ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
 [root@rhel664ws01 ~]#
 ===
 
 Is this expected when trying to connect 6.3beta? ie its simply not
 compatible?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Steven Jones
Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections...as far as I know...but the proof is this machine is a vm
off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and
I manage IPA from the firefox web browser on it...so physically it's the exact
same cable, switches, routers, firewall and vmware hardware...so an issue makes
no sense at that level unless it's an issue with the KVM networking...it's
DHCPing off my cat6 cable so has the same IP address range, so that leaves out
networking I believe.

However I am having issues with some logins on other clients as well now so 
this points to IPA itself or something common I would say.

I've done sosreports under case 627913 for that...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Jan Zeleny [jzel...@redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users@redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the
traceback suggests there is something wrong with connection to your KDC, does
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD
do you have installed?

Thanks
Jan

Steven Jones steven.jo...@vuw.ac.nz wrote:
 encl ipa install log

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
 on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Tuesday, 1 May
 2012 2:22 p.m.
 Cc: freeipa-users@redhat.com
 Subject: [Freeipa-users] ipa-client install error

 I made a slight oops, I just upgraded a long un-used vm on my desktop from
 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite
 is down I cant correct this so I tried to add the 6.3beta client to IPA on
 6.2 and I get an error.

 ==
 [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Hostname: rhel664ws01.ods.vuw.ac.nz
 Realm: ODS.VUW.AC.NZ
 DNS Domain: ods.vuw.ac.nz
 IPA Server: vuwunicoipam002.ods.vuw.ac.nz
 BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admjonesst1
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Password for admjones...@ods.vuw.ac.nz:

 Enrolled in IPA realm ODS.VUW.AC.NZ
 Created /etc/ipa/default.conf
 Unable to activate the SSH service in SSSD config.
 Please make sure you have SSSD built with SSH support installed.
 Configure SSH support manually in /etc/sssd/sssd.conf.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1534, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1521, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1358, in install
     api.Backend.xmlclient.connect()
   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
     conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
     raise errors.KerberosError(major=str(krberr), minor='')
 ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
 [root@rhel664ws01 ~]#
 ===

 Is this expected when trying to connect 6.3beta? ie its simply not
 compatible?



Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Steven Jones
Error there on my part, it's 1.8 not 1.5. I have another machine that is 1.5.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 2 May 2012 8:52 a.m.
To: Jan Zeleny; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Hi,

sssd-1.5.1-66.el6_2.3.x86_64

KDC connections...as far as I know...but the proof is this machine is a vm
off my linux rhel6.2 server/workstation which is IPA'd itself, I can login and
I manage IPA from the firefox web browser on it...so physically it's the exact
same cable, switches, routers, firewall and vmware hardware...so an issue makes
no sense at that level unless it's an issue with the KVM networking...it's
DHCPing off my cat6 cable so has the same IP address range, so that leaves out
networking I believe.

However I am having issues with some logins on other clients as well now so 
this points to IPA itself or something common I would say.

I've done sosreports under case 627913 for that...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Jan Zeleny [jzel...@redhat.com]
Sent: Tuesday, 1 May 2012 6:38 p.m.
To: freeipa-users@redhat.com
Cc: Steven Jones
Subject: Re: [Freeipa-users] ipa-client install error

I don't see anything much more useful in the log file. The last line in the
traceback suggests there is something wrong with connection to your KDC, does
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD
do you have installed?

Thanks
Jan

Steven Jones steven.jo...@vuw.ac.nz wrote:
 encl ipa install log

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
 on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Tuesday, 1 May
 2012 2:22 p.m.
 Cc: freeipa-users@redhat.com
 Subject: [Freeipa-users] ipa-client install error

 I made a slight oops, I just upgraded a long un-used vm on my desktop from
 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite
 is down I cant correct this so I tried to add the 6.3beta client to IPA on
 6.2 and I get an error.

 ==
 [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Hostname: rhel664ws01.ods.vuw.ac.nz
 Realm: ODS.VUW.AC.NZ
 DNS Domain: ods.vuw.ac.nz
 IPA Server: vuwunicoipam002.ods.vuw.ac.nz
 BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admjonesst1
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Password for admjones...@ods.vuw.ac.nz:

 Enrolled in IPA realm ODS.VUW.AC.NZ
 Created /etc/ipa/default.conf
 Unable to activate the SSH service in SSSD config.
 Please make sure you have SSSD built with SSH support installed.
 Configure SSH support manually in /etc/sssd/sssd.conf.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1534, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1521, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1358, in install
     api.Backend.xmlclient.connect()
   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
     conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
     raise errors.KerberosError(major=str(krberr), minor='')
 ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
 [root@rhel664ws01 ~]#
 ===

 Is this expected when trying to connect 6.3beta? ie its simply not
 compatible?



Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Steven Jones
So this opens a chicken and egg?

i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older
6.2 clients will break? But I can't upgrade the clients until after the servers
are done...if so that is a huge and ugly looking task that is one way.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
 I made a slight oops, I just upgraded a long un-used vm on my desktop from 
 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite is 
 down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 
 and I get an error.

 ==
 [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Hostname: rhel664ws01.ods.vuw.ac.nz
 Realm: ODS.VUW.AC.NZ
 DNS Domain: ods.vuw.ac.nz
 IPA Server: vuwunicoipam002.ods.vuw.ac.nz
 BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admjonesst1
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Password for admjones...@ods.vuw.ac.nz:

 Enrolled in IPA realm ODS.VUW.AC.NZ
 Created /etc/ipa/default.conf
 Unable to activate the SSH service in SSSD config.
 Please make sure you have SSSD built with SSH support installed.
 Configure SSH support manually in /etc/sssd/sssd.conf.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1534, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1521, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1358, in install
     api.Backend.xmlclient.connect()
   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
     conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
     raise errors.KerberosError(major=str(krberr), minor='')
 ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
 [root@rhel664ws01 ~]#
 ===

 Is this expected when trying to connect 6.3beta? ie its simply not compatible?


The newer 2.2 client cannot connect to an older 2.1 server because it
isn't going to send the TGT that the 2.1 server requires. We should
handle this better, I've opened a ticket to track this:
https://fedorahosted.org/freeipa/ticket/2697

rob




Re: [Freeipa-users] ipa-client install error

2012-05-01 Thread Dmitri Pal
On 05/01/2012 06:15 PM, Steven Jones wrote:
 So this opens a chicken and egg?

 i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
 older 6.2 clients will break? But I can't upgrade the clients until after the
 servers are done...if so that is a huge and ugly looking task that is one
 way.


Yes this is a serious problem. Thank you for uncovering it.
Current plan is to: provide a fix for the older clients to be able to
connect to 2.2 via errata.
Make sure that the 2.2 client can connect to the 2.1 server.

Thanks
Dmitri

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 
 From: Rob Crittenden [rcrit...@redhat.com]
 Sent: Wednesday, 2 May 2012 1:19 a.m.
 To: Steven Jones
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] ipa-client install error

 Steven Jones wrote:
 I made a slight oops, I just upgraded a long un-used vm on my desktop from 
 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite is 
 down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 
 and I get an error.

 ==
 [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Hostname: rhel664ws01.ods.vuw.ac.nz
 Realm: ODS.VUW.AC.NZ
 DNS Domain: ods.vuw.ac.nz
 IPA Server: vuwunicoipam002.ods.vuw.ac.nz
 BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admjonesst1
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Password for admjones...@ods.vuw.ac.nz:

 Enrolled in IPA realm ODS.VUW.AC.NZ
 Created /etc/ipa/default.conf
 Unable to activate the SSH service in SSSD config.
 Please make sure you have SSSD built with SSH support installed.
 Configure SSH support manually in /etc/sssd/sssd.conf.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
 Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1534, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1521, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1358, in install
     api.Backend.xmlclient.connect()
   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
     conn = self.create_connection(*args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
     raise errors.KerberosError(major=str(krberr), minor='')
 ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
 [root@rhel664ws01 ~]#
 ===

 Is this expected when trying to connect 6.3beta? ie its simply not 
 compatible?

 The newer 2.2 client cannot connect to an older 2.1 server because it
 isn't going to send the TGT that the 2.1 server requires. We should
 handle this better, I've opened a ticket to track this:
 https://fedorahosted.org/freeipa/ticket/2697

 rob




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] ipa-client install error

2012-04-30 Thread Steven Jones
encl ipa install log

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 1 May 2012 2:22 p.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa-client install error

I made a slight oops, I just upgraded a long unused vm on my desktop from
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite is
down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? i.e. it's simply not compatible?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



ipaclient-install.log
Description: ipaclient-install.log

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young
CentOS is far behind RHEL. Many of the issues you will find have been
fixed in released versions of IPA. This one is due, I think, to an
earlier issue with directory server that has since been upgraded.

You might want to see if the versions shipped with Scientific Linux work
better for you, but it is going to be quite a few packages. Aside from
freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.

On 11/04/2011 03:04 PM, Jimmy wrote:
I'm running the ipa-client-install on a CentOS 6 client and get this 
error:


[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
{18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp





Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Rob Crittenden

Jimmy wrote:

I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
{18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp



You need a newer ipa-client package. The extended operation we used for 
enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.


rob
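
Added example (not part of the thread, and not FreeIPA or MIT Kerberos code): a small parser for krb5kdc log records in the format quoted above, for use when triaging a failed enrollment. It treats NEEDED_PREAUTH as the routine first leg of an AS exchange rather than a failure, and reports whether the KDC went on to issue a TGT and service tickets, which tells you whether to look at Kerberos or further along in the enrollment. The sample log, host names, addresses and principals are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5kdc log format quoted in the thread. Hosts,
# addresses and principals are made up; the second record is wrapped the way
# a mail client wraps a pasted log.
SAMPLE_KDC_LOG = """\
Nov 04 18:52:55 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 04 18:53:20 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18},
admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 04 18:53:21 ipa.example.test krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Nov 04 18:53:21 ipa.example.test krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 04 18:53:21 ipa.example.test krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Nov 04 18:53:21 ipa.example.test krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Nov 04 19:02:10 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: NEEDED_PREAUTH: enroll2@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 04 19:02:14 ipa.example.test krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: enroll2@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""

SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)


def unwrap(text):
    """Rejoin records that were wrapped: a line without a syslog timestamp
    continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SYSLOG_TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(text):
    """Return one dict per AS_REQ/TGS_REQ record; other lines are skipped."""
    events = []
    for rec in unwrap(text):
        m = RECORD.search(rec)
        if m:
            ev = m.groupdict()
            ev["etypes"] = [int(x) for x in ev["etypes"].split()]
            events.append(ev)
    return events


def triage(events):
    """Summarise, per client principal, how far the Kerberos exchange got."""
    state = defaultdict(lambda: {"tgt": False, "services": set(),
                                 "addresses": set(), "failures": []})
    for ev in events:
        s = state[ev["client"]]
        s["addresses"].add(ev["addr"])
        if ev["status"] == "ISSUE":
            if ev["req"] == "AS_REQ":
                s["tgt"] = True
            elif not ev["service"].startswith("krbtgt/"):
                # A TGS_REQ for krbtgt/ re-issues a TGT (e.g. forwarded or
                # renewed); only other principals count as service tickets.
                s["services"].add(ev["service"].split("/", 1)[0])
        elif ev["status"] != "NEEDED_PREAUTH":  # routine first AS leg
            s["failures"].append(ev["status"])
    report = {}
    for client, s in state.items():
        if s["tgt"] and s["services"]:
            verdict = "kerberos-ok"      # look past the KDC for the fault
        elif s["failures"]:
            verdict = "kdc-rejected"
        elif s["tgt"]:
            verdict = "tgt-only"
        else:
            verdict = "no-tgt-issued"
        report[client] = {"verdict": verdict,
                          "services": sorted(s["services"]),
                          "addresses": sorted(s["addresses"]),
                          "failures": s["failures"]}
    return report


if __name__ == "__main__":
    for principal, summary in triage(parse(SAMPLE_KDC_LOG)).items():
        print(principal, summary)
```
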



Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess
the proper fix is to use the SL packages Adam referenced?
Jimmy


 You need a newer ipa-client package. The extended operation we used for
 enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.

 rob


Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young

On 11/04/2011 07:07 PM, Dmitri Pal wrote:

On 11/04/2011 04:23 PM, Jimmy wrote:


I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I 
guess the proper fix is to use the SL packages Adam referenced?


Correct.


It looks like Scientific Linux is behind as well: the packages on
http://ftp.scientificlinux.org/linux/scientific/ are all 2.0.0

for example

http://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/fastbugs/ipa-client-2.0.0-23.el6_1.1.x86_64.rpm

Not sure how they are doing their naming scheme, as they have 6/ 6.1/
6x/ and 6rolling but they all look pretty much the same.





Jimmy


You need a newer ipa-client package. The extended operation we
used for enrollment changed. This was fixed in ipa-client-2.0-9.1
in RHEL 6.0.

rob






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





