<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/18/2013 09:52 PM, Steven Jones wrote:
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E4071096860@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">What's AWS?<br>
</div>
</blockquote>
<br>
Amazon EC2 cloud.<br>
<br>
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E4071096860@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<div><br>
<div style="font-family: Tahoma; font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272<br>
</p>
</div>
</div>
<div style="font-family: Times New Roman; color: rgb(0, 0, 0);
font-size: 16px;">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF151995"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Dmitri Pal
[<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a>]<br>
<b>Sent:</b> Tuesday, 19 February 2013 3:35 p.m.<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Cannot obtain CA
Certificate<br>
</font><br>
</div>
<div>On 02/18/2013 09:06 PM, John Moyer wrote:
<blockquote type="cite">Peter,
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:
pre;"></span>The client is pointing to DNS for the
server. Here is the log info from the ipa-client-log
(in /var/log/). I haven't tried the other stuff yet,
I'll respond back when I get a chance to check out the
CA cert things. </div>
<div><br>
</div>
<div><br>
</div>
<div>
<pre>2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind@EXAMPLE.COM
2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-bind@EXAMPLE.COM:

2013-02-19T02:01:37Z DEBUG stderr=
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)
2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)', 'desc': 'Local error'}
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
2013-02-19T02:01:37Z DEBUG args=kdestroy
2013-02-19T02:01:37Z DEBUG stdout=
2013-02-19T02:01:37Z DEBUG stderr=</pre>
</div>
</blockquote>
<br>
<br>
Can the server resolve the client in the same way as the client
resolves itself?<br>
In AWS it might be an issue because it changes system names
dynamically, and thus your client host, when restarted, might
have a different name or not be resolvable by the server.<br>
The fact that AWS changes names under you makes IPA not
usable in an AWS environment.<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/2715"
target="_blank">https://fedorahosted.org/freeipa/ticket/2715</a><br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div><br>
</div>
<div>
<div>
<div style="color: rgb(0, 0, 0); font-family:
Helvetica; font-size: medium; font-style: normal;
font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal;
orphans: 2; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
word-wrap: break-word;">
<div style="color: rgb(0, 0, 0); font-family:
Helvetica; font-size: medium; font-style: normal;
font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal;
orphans: 2; text-indent: 0px; text-transform:
none; white-space: normal; widows: 2;
word-spacing: 0px; word-wrap: break-word;">
<div style="color: rgb(0, 0, 0); font-family:
Helvetica; font-size: medium; font-style:
normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height:
normal; orphans: 2; text-indent: 0px;
text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; word-wrap:
break-word;">
<div style="color: rgb(0, 0, 0); font-family:
Helvetica; font-size: medium; font-style:
normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height:
normal; orphans: 2; text-indent: 0px;
text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; word-wrap:
break-word;">
<div style="font-family: Helvetica; font-size:
medium; font-style: normal; font-variant:
normal; letter-spacing: normal; line-height:
normal; orphans: 2; text-indent: 0px;
text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; word-wrap:
break-word;">
<div style="font-family: Helvetica;
font-size: medium; font-style: normal;
font-variant: normal; letter-spacing:
normal; line-height: normal; orphans: 2;
text-indent: 0px; text-transform: none;
white-space: normal; widows: 2;
word-spacing: 0px; word-wrap: break-word;">
<div style="font-family: Helvetica;
font-size: medium; font-style: normal;
font-variant: normal; letter-spacing:
normal; line-height: normal; orphans: 2;
text-indent: 0px; text-transform: none;
white-space: normal; widows: 2;
word-spacing: 0px; word-wrap:
break-word;">
<div style="color: rgb(0, 0, 0);
font-weight: normal; font-family:
Calibri,sans-serif; font-size: 14px;">
Thanks, </div>
<div style="color: rgb(0, 0, 0);
font-weight: normal; font-family:
Calibri,sans-serif; font-size: 14px;">
_____________________________________________________</div>
<div style="color: rgb(0, 0, 0);
font-weight: normal; font-family:
Calibri,sans-serif; font-size: 14px;">
John Moyer<br>
Director, IT Operations</div>
<div style="color: rgb(0, 0, 0);
font-family: Calibri,sans-serif;
font-size: 14px;">
<b>Digital Reasoning Systems, Inc.</b></div>
<div style="color: rgb(0, 0, 0);
font-family: Calibri,sans-serif;
font-size: 14px;">
<a moz-do-not-send="true"
href="mailto:john.moyer@digitalreasoning.com"
target="_blank">John.Moyer@digitalreasoning.com</a></div>
<div style="color: rgb(0, 0, 0);
font-weight: normal; font-family:
Calibri,sans-serif; font-size: 14px;">
Office:<span class="Apple-tab-span"
style="white-space: pre;"> </span>703.678.2311<br>
Mobile:<span class="Apple-tab-span"
style="white-space: pre;"> </span>240.460.0023<br>
Fax:<span class="Apple-tab-span"
style="white-space: pre;"> </span>703.678.2312<br>
</div>
<div style="font-weight: normal;
font-family: Calibri,sans-serif;
font-size: 14px;">
<a moz-do-not-send="true"
href="http://www.digitalreasoning.com/"
target="_blank">www.digitalreasoning.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div>
<div>On Feb 18, 2013, at 8:42 PM, Peter Brown <<a
moz-do-not-send="true"
href="mailto:rendhalver@gmail.com" target="_blank">rendhalver@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">On 19 February 2013 11:03, John Moyer
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:john.moyer@digitalreasoning.com"
target="_blank">john.moyer@digitalreasoning.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;">Peter,
<div><br>
</div>
<div><span style="white-space: pre-wrap;"></span>Thanks
for the response. I just checked out my
security group settings; I did have some
ports blocked, however, allowing them
did not help. I installed nmap on the
client and did a port scan of the server
and got the following: </div>
<div><br>
</div>
<div>
<pre>PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm</pre>
</div>
</div>
</blockquote>
<div><br>
</div>
<div style="">There are a couple of UDP ports
that need to be open as well:</div>
<div style="">464 and 88, from memory.</div>
<div style=""><br>
</div>
<div style="">They shouldn't affect your
ability to download the ca cert.</div>
<div style=""><br>
</div>
<div style="">Have you checked the ipa-client
log file?</div>
<div style="">I can't remember where that gets
saved right now but it should mention the
location when you run the ipa-client
command.</div>
<div style=""><br>
</div>
<div style=""><br>
</div>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;">
<div><br>
</div>
<div>I tried to enroll again and got the
same error as seen here: </div>
<div class="im">
<div><br>
</div>
<div><br>
</div>
<div>
<pre>Synchronizing time with KDC...

ipa : ERROR Cannot obtain CA certificate</pre>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div>
<div style="text-indent: 0px;
letter-spacing: normal; font-variant:
normal; font-style: normal;
font-weight: normal; line-height:
normal; text-transform: none;
font-size: medium; white-space:
normal; font-family: Helvetica;
word-wrap: break-word; word-spacing:
0px;">
<div style="text-indent: 0px;
letter-spacing: normal;
font-variant: normal; font-style:
normal; font-weight: normal;
line-height: normal; text-transform:
none; font-size: medium;
white-space: normal; font-family:
Helvetica; word-wrap: break-word;
word-spacing: 0px;">
<div style="text-indent: 0px;
letter-spacing: normal;
font-variant: normal; font-style:
normal; font-weight: normal;
line-height: normal;
text-transform: none; font-size:
medium; white-space: normal;
font-family: Helvetica; word-wrap:
break-word; word-spacing: 0px;">
<div style="text-indent: 0px;
letter-spacing: normal;
font-variant: normal;
font-style: normal; font-weight:
normal; line-height: normal;
text-transform: none; font-size:
medium; white-space: normal;
font-family: Helvetica;
word-wrap: break-word;
word-spacing: 0px;">
<div style="font-family:
Helvetica; font-size: medium;
font-style: normal;
font-variant: normal;
letter-spacing: normal;
line-height: normal;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px; word-wrap:
break-word;">
<div style="font-family:
Helvetica; font-size:
medium; font-style: normal;
font-variant: normal;
letter-spacing: normal;
line-height: normal;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
word-wrap: break-word;">
<div style="font-family:
Helvetica; font-size:
medium; font-style:
normal; font-variant:
normal; letter-spacing:
normal; line-height:
normal; text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
word-wrap: break-word;">
<div style="font-size:
14px; font-family:
Calibri,sans-serif;
font-weight: normal;">
Thanks, </div>
<div style="font-size:
14px; font-family:
Calibri,sans-serif;
font-weight: normal;">
_____________________________________________________</div>
<span class="HOEnZb"><font
color="#888888">
<div style="font-size:
14px; font-family:
Calibri,sans-serif;
font-weight:
normal;">
John Moyer<br>
<br>
</div>
</font></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="h5"><br>
<div>
<div>On Feb 18, 2013, at 7:24 PM,
Peter Brown <<a
moz-do-not-send="true"
href="mailto:rendhalver@gmail.com"
target="_blank">rendhalver@gmail.com</a>>
wrote:</div>
<br>
<blockquote type="cite">
<div dir="ltr">Hi John,
<div><br>
</div>
<div>I ran into a similar issue
with setting up a 2.2 client
with a 3.1 server.</div>
<div>It turned out to be that
port 80 wasn't open on the
freeipa server.</div>
<div>I would check your ports
and see if the right ones are
open.</div>
<div>I also find that setting up
the SRV and TXT records in
your DNS zone makes setting up
clients a lot simpler.</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 19
February 2013 00:58, John
Moyer <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:john.moyer@digitalreasoning.com"
target="_blank">john.moyer@digitalreasoning.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px
solid rgb(204, 204, 204);
padding-left: 1ex;">
<div style="word-wrap:
break-word;">Hello all,
<div><br>
</div>
<div><span
style="white-space:
pre-wrap;"></span>I am
having an issue using IPA 2.2.0. I am trying
to put together a proof of concept set of
systems. I've stood up 2 servers on AWS. One
is the server, one is the client. I am using
CentOS 6 to do all this testing on, with the
default IPA packages provided by CentOS.
I had a fully operational proof of concept
finished, fully scripted to be built without
issues. I shut down and started these as
needed to show to people to get approval for
the project. The other day the client stopped
enrolling to the IPA server; I have no idea
why. I assume a patch pushed out broke
something, since it is a fully scripted
install. It does get the most recent patches
each time I stand it up, so it would
definitely pull any new patches that
came out. </div>
<div><br>
</div>
<div><span
style="white-space:
pre-wrap;"></span>After
investigating I am
getting this error when
I try to manually enroll
the client. I haven't
been able to find any
reference to this error
anywhere on the net.
Any help would be
greatly appreciated!
Let me know if any
additional details are
needed. </div>
<div><br>
</div>
<div><br>
</div>
<div>PLEASE NOTE:
Everything below has
been sanitized </div>
<div><br>
</div>
<div><br>
</div>
<div>
<pre>[root@client ~]# ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: digitalreasoning.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com


Synchronizing time with KDC...

ipa : ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.</pre>
</div>
<div><br>
</div>
<div> </div>
<div>
<div>
<div
style="text-indent:
0px; letter-spacing:
normal;
font-variant:
normal; font-style:
normal; font-weight:
normal; line-height:
normal;
text-transform:
none; font-size:
medium; white-space:
normal; font-family:
Helvetica;
word-wrap:
break-word;
word-spacing: 0px;">
<div
style="text-indent:
0px;
letter-spacing:
normal;
font-variant:
normal;
font-style:
normal;
font-weight:
normal;
line-height:
normal;
text-transform:
none; font-size:
medium;
white-space:
normal;
font-family:
Helvetica;
word-wrap:
break-word;
word-spacing:
0px;">
<div
style="text-indent:
0px;
letter-spacing:
normal;
font-variant:
normal;
font-style:
normal;
font-weight:
normal;
line-height:
normal;
text-transform:
none; font-size:
medium;
white-space:
normal;
font-family:
Helvetica;
word-wrap:
break-word;
word-spacing:
0px;">
<div
style="text-indent:
0px;
letter-spacing:
normal;
font-variant:
normal;
font-style:
normal;
font-weight:
normal;
line-height:
normal;
text-transform:
none;
font-size:
medium;
white-space:
normal;
font-family:
Helvetica;
word-wrap:
break-word;
word-spacing:
0px;">
<div
style="font-family:
Helvetica;
font-size:
medium;
font-style:
normal;
font-variant:
normal;
letter-spacing:
normal;
line-height:
normal;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
word-spacing:
0px;
word-wrap:
break-word;">
<div
style="font-family:
Helvetica;
font-size:
medium;
font-style:
normal;
font-variant:
normal;
letter-spacing:
normal;
line-height:
normal;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
word-spacing:
0px;
word-wrap:
break-word;">
<div
style="font-family:
Helvetica;
font-size:
medium;
font-style:
normal;
font-variant:
normal;
letter-spacing:
normal;
line-height:
normal;
text-indent:
0px;
text-transform:
none;
white-space:
normal;
word-spacing:
0px;
word-wrap:
break-word;">
<div
style="font-size:
14px;
font-family:
Calibri,sans-serif;
font-weight:
normal;">
Thanks, </div>
<div
style="font-size:
14px;
font-family:
Calibri,sans-serif;
font-weight:
normal;">
_____________________________________________________</div>
<span><font
color="#888888">
<div
style="font-size:
14px;
font-family:
Calibri,sans-serif;
font-weight:
normal;">
John Moyer<br>
<br>
</div>
</font></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com"
target="_blank">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
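<p>The replies above converge on three things to verify before enrolling a client: that the server can resolve the client the same way the client resolves itself (Dmitri's question, and the reason an EC2 host whose name changes on restart breaks), that the SRV and TXT discovery records exist in the DNS zone (Peter's suggestion, and what the "not configured for automatic KDC address lookup" line is about), and that the server's service ports are reachable (the nmap listing). The following preflight script is an added example written for this thread; it is not FreeIPA's code and was not posted by any participant. It assumes <code>dig</code> is installed for the default record lookup, uses a subset of the discovery records FreeIPA publishes, takes the TCP port list from the nmap output above, and ships with a constructed sample zone so it can be exercised offline by passing the zone-backed lookup functions in place of the system ones.</p>

```python
"""Preflight checks for a host before ipa-client-install (added example; not
FreeIPA code). Checks that the client name resolves consistently forward and in
reverse, that the SRV/TXT discovery records name the expected realm, and that
the server's TCP service ports answer. Lookups are injectable for offline use."""
import socket
import subprocess
from collections import namedtuple

# Subset of the discovery records FreeIPA publishes in its zone (relative names).
DISCOVERY_RECORDS = (("SRV", "_ldap._tcp"), ("SRV", "_kerberos._udp"),
                     ("TXT", "_kerberos"))
# TCP ports the nmap scan in the thread shows open on a working server; UDP 88
# and 464 matter too but cannot be probed with a plain connect().
SERVER_TCP_PORTS = (80, 88, 389, 443, 464, 636)

Finding = namedtuple("Finding", "ok message")

# Default backends: the system resolver and `dig +short` (assumed installed).
def sys_forward(name):
    return socket.gethostbyname_ex(name)[2]

def sys_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def dig_query(rtype, name):
    out = subprocess.run(["dig", "+short", rtype, name], capture_output=True,
                         text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def tcp_connect(host, port):
    try:
        with socket.create_connection((host, port), timeout=3):
            return True
    except OSError:
        return False

def check_hostname(fqdn, forward=sys_forward, reverse=sys_reverse):
    # Every address of fqdn must reverse to fqdn itself; a renamed cloud host fails here.
    if "." not in fqdn:
        return [Finding(False, f"{fqdn!r} is not a fully qualified name")]
    try:
        addrs = forward(fqdn)
    except OSError as exc:
        return [Finding(False, f"forward lookup of {fqdn} failed: {exc}")]
    findings = []
    for ip in addrs:
        try:
            back = reverse(ip)
        except OSError as exc:
            findings.append(Finding(False, f"no PTR for {ip}: {exc}"))
            continue
        same = back.rstrip(".").lower() == fqdn.rstrip(".").lower()
        findings.append(Finding(same, f"{fqdn} -> {ip} -> {back}"))
    return findings or [Finding(False, f"{fqdn} has no address record")]

def check_discovery(domain, realm, query=dig_query):
    # Each discovery record must exist; the _kerberos TXT must carry `realm`.
    findings = []
    for rtype, label in DISCOVERY_RECORDS:
        name = f"{label}.{domain}"
        answers = query(rtype, name)
        if not answers:
            findings.append(Finding(False, f"missing {rtype} record {name}"))
        elif rtype == "TXT" and answers[0].strip('"') != realm:
            findings.append(Finding(False, f"{name} names realm {answers[0]}, expected {realm}"))
        else:
            findings.append(Finding(True, f"{rtype} {name} -> {answers[0]}"))
    return findings

def check_tcp_ports(server, ports=SERVER_TCP_PORTS, connect=tcp_connect):
    return [Finding(connect(server, p), f"tcp/{p} on {server}") for p in ports]

def run_preflight(fqdn, domain, realm, server, forward=sys_forward,
                  reverse=sys_reverse, query=dig_query, connect=tcp_connect):
    # Returns (all_ok, findings) so a wrapper script can fail before enrolling.
    findings = (check_hostname(fqdn, forward, reverse)
                + check_discovery(domain, realm, query)
                + check_tcp_ports(server, connect=connect))
    return all(f.ok for f in findings), findings

# Constructed sample zone (not taken from the thread) for offline runs.
SAMPLE_ZONE = {
    ("A", "client.example.com"): ["10.0.1.20"],
    ("PTR", "10.0.1.20"): ["client.example.com"],
    ("SRV", "_ldap._tcp.example.com"): ["0 100 389 ipa1.example.com."],
    ("SRV", "_kerberos._udp.example.com"): ["0 100 88 ipa1.example.com."],
    ("TXT", "_kerberos.example.com"): ['"EXAMPLE.COM"'],
}

def zone_query(rtype, name):
    return list(SAMPLE_ZONE.get((rtype, name), []))

def zone_reverse(ip):
    answers = zone_query("PTR", ip)
    if not answers:
        raise OSError(f"no PTR record for {ip}")
    return answers[0]
```

<p>Against a real host, call <code>run_preflight("client.example.com", "example.com", "EXAMPLE.COM", "ipa1.example.com")</code> with the defaults; against the constructed zone, pass <code>lambda n: zone_query("A", n)</code>, <code>zone_reverse</code>, <code>zone_query</code> and a stub <code>connect</code>. The hostname check is the one that catches the AWS case in the thread: an instance that comes back as <code>ip-10-0-1-20.ec2.internal</code> has no A record in the zone, or reverses to a different name, and the preflight fails before <code>ipa-client-install</code> ever tries to fetch the CA certificate.</p>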
</body>
</html>