[Freeipa-users] still failing to get a RHEL 5 client to join, LDAP bind issue?
Eduardo Minguez
eminguez at redhat.com
Fri Jul 26 10:21:37 UTC 2013
----- Original Message -----
> From: "Dmitri Pal" <dpal at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Thursday, 25 July, 2013 11:35:32 PM
> Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to
> join, LDAP bind issue?
> On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
> > I am still having issues trying to get a RHEL 5.9 client to join a
> > RHEL 6.4 IdM domain.
>
> > All packages on both systems updated.
>
> > First problem is this:
>
> > ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> > lnxrealmtest.liberty.edu --enable-dns-updates
>
> > Which fails with:
>
> > root : ERROR Cannot obtain CA certificate
>
> > ' ldap://lnxrealmtest01.liberty.edu ' doesn't have a certificate.
>
> > Installation failed. Rolling back changes.
>
> > IPA client is not configured on this system.
>
> > All of the appropriate ports are open on the IdM server, and I
> > verified this by telnetting to all of them.
>
> > I worked around this by running this:
>
> > wget -O /etc/ipa/ca.crt
> > http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
>
> > Then ran:
>
> > ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> > --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> > --ca-cert-file=/etc/ipa/ca.crt
>
> > And I was having better results, so apparently the RHEL 5.9
> > ipa-client-install does not want to download my cert.
>
> This rings a bell. It sounds like a known issue for 5.9 openssl
> libraries.
> Rob, can you add details please?
> > On to the next problem:
>
> > User authorized to enroll computers: admin
>
> > Synchronizing time with KDC...
>
> > Password for admin at LNXREALMTEST.LIBERTY.EDU :
>
> > Joining realm failed: SASL Bind failed Local error (-2) !
>
> > child exited with 9
>
> > Installation failed. Rolling back changes.
>

Run ipa-client-install with the "-d" debug flag to get more information. I've had the same issue due to DNS reverse for the server not being correct (check the krb log on the server).

> > It is the same user that I use to log in to the web interface, and I
> > am 100% positive that I am not entering the password incorrectly. So
> > why else would the admin user not be able to bind to my IdM setup?
>
> > -Kenny
>
> > _______________________________________________
>
> > Freeipa-users mailing list Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Eduardo Mínguez Pérez
Infrastructure Consultant (RHCE, RHCSA)
Red Hat - Spain
Mobile: +34 629803049 (CET/CEST)
E-mail: eminguez at redhat.com
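
Added example, not part of the original message: a forward/reverse DNS consistency check for the IdM server, the condition the reply above names as a cause of the SASL bind failure. It assumes the client's Kerberos library canonicalizes the server name through reverse DNS; the function names and the sample records are constructed for illustration.

```python
import socket
import sys

def forward_lookup(name):
    """Addresses the local resolver returns for `name` (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def reverse_lookup(addr):
    """PTR name the local resolver returns for `addr`, or None."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_server_dns(server, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of forward/reverse DNS problems for `server` (empty = consistent)."""
    want = server.rstrip(".").lower()
    addrs = forward(server)
    if not addrs:
        return ["%s: no forward (A/AAAA) record" % server]
    problems = []
    for addr in sorted(addrs):
        ptr = reverse(addr)
        if ptr is None:
            problems.append("%s -> %s: no PTR record" % (server, addr))
        elif ptr.rstrip(".").lower() != want:
            # Assumption: the client library builds the service principal from
            # the PTR name, so the bind would ask for ldap/<ptr>, not ldap/<server>.
            problems.append("%s -> %s -> %s: PTR mismatch, principal would be ldap/%s"
                            % (server, addr, ptr, ptr.rstrip(".").lower()))
    return problems

# Constructed sample zone data (documentation names and addresses, not from the thread).
SAMPLE_A = {"ipa01.example.test": {"192.0.2.10"}, "ipa02.example.test": {"192.0.2.20"}}
SAMPLE_PTR = {"192.0.2.10": "ipa01.example.test.", "192.0.2.20": "web7.example.test."}

def check_sample(server):
    """Run the check against the constructed sample data instead of live DNS."""
    return check_server_dns(server, lambda n: SAMPLE_A.get(n, set()), SAMPLE_PTR.get)

if __name__ == "__main__":
    # With hostnames as arguments, query live DNS; with none, use the sample data.
    names = sys.argv[1:]
    for name in names or sorted(SAMPLE_A):
        found = check_server_dns(name) if names else check_sample(name)
        print("%s: %s" % (name, "; ".join(found) or "forward and reverse DNS agree"))
```

Run it on the client with the server's fully qualified name as the argument, so the answers come from the same resolver that ipa-client-install uses.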