<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>I have downloaded and compiled some versions of gnutls and this is
the result:<br>
gnutls-2.8.5: works<br>
gnutls-2.12.19: fail<br>
gnutls-3.0.19: fail<br>
<br>
This must affect distributions in which ldaps connections are
based on gnutls (I only know Debian and Ubuntu). <br>
<br>
The problem can be tested with this command:<br>
gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es<br>
<br>
If you have a problematic gnutls version, the command would end
with these lines:<br>
...<br>
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]<br>
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with
length: 151<br>
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with
length: 156<br>
|<2>| ASSERT: gnutls_buffers.c:640<br>
|<2>| ASSERT: gnutls_record.c:969<br>
|<2>| ASSERT: gnutls_handshake.c:2762<br>
*** Fatal error: A TLS packet with unexpected length was received.<br>
|<4>| REC: Sending Alert[2|22] - Record overflow<br>
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with
length: 2<br>
|<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length:
7<br>
*** Handshake has failed<br>
GnuTLS error: A TLS packet with unexpected length was received.<br>
|<4>| REC[0x9bb40d0]: Epoch #0 freed<br>
|<4>| REC[0x9bb40d0]: Epoch #1 freed<br>
pasqual@ubuntuprovesfreeipa:~/gnutls-2.12.19$ <br>
<br>
Any idea on how to make this work?<br>
</tt><br>
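<p>The gnutls-cli -d 4 trace quoted above can be triaged mechanically. The following parser is an added example, not code from the original post or from GnuTLS; it assumes the trace line shape seen above (<tt>|&lt;level&gt;| CATEGORY[handle]: message</tt>) and the <tt>*** Fatal error:</tt> / <tt>*** Handshake has failed</tt> markers gnutls-cli prints, and it reports whether the handshake failed, which alert the client sent, and the internal assertion locations.</p>

```python
# Triage a `gnutls-cli -d 4` trace: did the handshake fail, with which alert,
# and which internal ASSERTs fired? Added example; assumes the trace format above.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# |<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
TRACE_RE = re.compile(r"^\|<(?P<level>\d)>\|\s+(?P<cat>[A-Z]+)(?:\[[^\]]*\])?:\s+(?P<msg>.*)$")
ALERT_RE = re.compile(r"Sending Alert\[(\d+)\|(\d+)\]\s+-\s+(.+)")  # [level|description] - name

# Trace quoted in the thread above (wrapped lines re-joined), used as demo input.
SAMPLE_TRACE = """\
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
*** Handshake has failed
"""

@dataclass
class HandshakeReport:
    client_hello_sent: bool = False
    fatal_error: Optional[str] = None
    alert_sent: Optional[str] = None        # e.g. "Record overflow (2|22)"
    asserts: List[str] = field(default_factory=list)  # file.c:line of each ASSERT
    handshake_failed: bool = False

    def ok(self) -> bool:
        # A hello went out, no fatal error was raised and no failure marker seen.
        return self.client_hello_sent and not self.handshake_failed and self.fatal_error is None

def parse_gnutls_trace(text: str) -> HandshakeReport:
    rep = HandshakeReport()
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*** Fatal error:"):
            rep.fatal_error = line.split(":", 1)[1].strip()
        elif line == "*** Handshake has failed":
            rep.handshake_failed = True
        elif (m := TRACE_RE.match(line)):
            cat, msg = m.group("cat"), m.group("msg")
            if cat == "HSK" and msg.startswith("CLIENT HELLO was sent"):
                rep.client_hello_sent = True
            elif cat == "REC" and (a := ALERT_RE.search(msg)):
                rep.alert_sent = f"{a.group(3)} ({a.group(1)}|{a.group(2)})"
            elif cat == "ASSERT":
                rep.asserts.append(msg)
    return rep
```

<p>Running <tt>parse_gnutls_trace(SAMPLE_TRACE)</tt> yields a report with the fatal error text, the "Record overflow" alert and the three assertion sites, which is what distinguishes this failure from a plain connection refusal or certificate error.</p>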
On 11/05/12 13:16, pasqual milvaques wrote:
<blockquote cite="mid:4FACF525.4070303@gva.es" type="cite">I'm
trying to join an Ubuntu 12.04 machine to a FreeIPA domain installed
on a CentOS 6.2 machine and it seems there is some problem with
the TLS negotiation. Ubuntu 12.04 uses gnutls instead of openssl,
so the problem could be there, but I don't know how to solve it.
With the ldapsearch command I can also reproduce the failure.
<br>
<br>
I have opened this Ubuntu bug as FreeIPA now has a native client
package:
<a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990">https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990</a>
<br>
<br>
Any idea?
<br>
<br>
This is the log of the operation:
<br>
<br>
pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d
--enable-dns-updates
<br>
[sudo] password for pasqual:
<br>
root : DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': False, 'sssd': True, 'krb5_offline_passwords': True,
'hostname': None, 'permit': False, 'server': None,
'prompt_password': False, 'mkhomedir': False, 'dns_updates': True,
'preserve_sssd': False, 'debug': True, 'on_master': False,
'ntp_server': None, 'realm_name': None, 'unattended': None,
'principal': None}
<br>
root : DEBUG missing options might be asked for interactively
later
<br>
<br>
root : DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
<br>
root : DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
<br>
root : DEBUG [ipadnssearchldap(linux.gva.es)]
<br>
root : DEBUG [ipadnssearchldap(gva.es)]
<br>
root : DEBUG [ipadnssearchldap(es)]
<br>
root : DEBUG [ipadnssearchldap(linux.gva.es)]
<br>
root : DEBUG [ipadnssearchldap(gva.es)]
<br>
root : DEBUG [ipadnssearchldap(es)]
<br>
root : DEBUG Domain not found
<br>
DNS discovery failed to determine your DNS domain
<br>
Provide the domain name of your IPA server (ex: example.com):
linux.gva.es
<br>
root : DEBUG will use domain: linux.gva.es
<br>
<br>
root : DEBUG [ipadnssearchldap]
<br>
root : DEBUG IPA Server not found
<br>
DNS discovery failed to find the IPA Server
<br>
Provide your IPA server name (ex: ipa.example.com):
freeipaserver.linux.gva.es
<br>
root : DEBUG will use server: freeipaserver.linux.gva.es
<br>
<br>
root : DEBUG [ipadnssearchkrb]
<br>
root : DEBUG [ipacheckldap]
<br>
root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t
2 <a class="moz-txt-link-freetext" href="http://freeipaserver.linux.gva.es/ipa/config/ca.crt">http://freeipaserver.linux.gva.es/ipa/config/ca.crt</a>
<br>
root : DEBUG stdout=
<br>
root : DEBUG stderr=--2012-05-11 12:06:09--
<a class="moz-txt-link-freetext" href="http://freeipaserver.linux.gva.es/ipa/config/ca.crt">http://freeipaserver.linux.gva.es/ipa/config/ca.crt</a>
<br>
Resolent freeipaserver.linux.gva.es
(freeipaserver.linux.gva.es)... 192.168.222.99
<br>
S'està connectant a freeipaserver.linux.gva.es
(freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
<br>
HTTP: Petició enviada, esperant resposta... 200 OK
<br>
Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
<br>
S'està desant a: «/tmp/tmpWptXwb/ca.crt»
<br>
<br>
0K . 100% 38.4M=0s
<br>
<br>
2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat
«/tmp/tmpWptXwb/ca.crt» [1325/1325]
<br>
<br>
root : DEBUG Init ldap with: <a class="moz-txt-link-freetext" href="ldap://freeipaserver.linux.gva.es:389">ldap://freeipaserver.linux.gva.es:389</a>
<br>
root : ERROR LDAP Error: Connect error: A TLS packet with
unexpected length was received.
<br>
Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
<br>
This may mean that the remote server is not up or is not reachable
<br>
due to network or firewall settings.
<br>
Installation failed. Rolling back changes.
<br>
IPA client is not configured on this system.
<br>
pasqual@ubuntuprovesfreeipa:~$
<br>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
</body>
</html>