<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> </head> <body> On Fri, 2013-07-26 at 18:14 +0000, Armstrong, Kenneth Lawrence wrote: <blockquote type="CITE">On Fri, 2013-07-26 at 14:59 +0000, Armstrong, Kenneth Lawrence wrote: <blockquote type="CITE">On Fri, 2013-07-26 at 10:47 -0400, Rob Crittenden wrote: <blockquote type="CITE"> <pre> Armstrong, Kenneth Lawrence wrote: > On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote: >> Armstrong, Kenneth Lawrence wrote: >> > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote: >> > Ok, if I have time, I'll try with a RHEL 5.8 client today. >> > >> > >> > As for debug output, this is what I get: >> > >> > [root@r5-idmclient <<a href="mailto:root@r5-idmclient">mailto:root@r5-idmclient</a>> ~]# ipa-client-install >> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu >> > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d >> > root : DEBUG /usr/sbin/ipa-client-install was invoked with >> > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', >> > 'uninstall': False, 'force': False, 'sssd': True, >> > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, >> > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False, >> > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, >> > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt', >> > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': >> > None} >> > root : DEBUG missing options might be asked for interactively >> > later >> > >> > root : DEBUG Loading Index file from >> > '/var/lib/ipa-client/sysrestore/sysrestore.index' >> > root : DEBUG Loading StateFile from >> > '/var/lib/ipa-client/sysrestore/sysrestore.state' >> > root : DEBUG [ipadnssearchkrb] >> > root : DEBUG [ipacheckldap] >> > root : DEBUG Init ldap with: ldap://lnxrealmtest01.liberty.edu:389 >> > root : ERROR LDAP Error: Connect error: TLS: hostname does not >> > match CN in peer certificate >> > root : DEBUG will use domain: lnxrealmtest.liberty.edu >> > >> > root : DEBUG will use server: lnxrealmtest01.liberty.edu >> > >> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server. >> > This may mean that the remote server is not up or is not reachable >> > due to network or firewall settings. >> > Installation failed. Rolling back changes. >> > IPA client is not configured on this system. >> > >> > >> > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu >> > and lnxrealmtest.lnxrealmtest.liberty.edu. >> > >> > The part that confuses me (I'm still new to the innards of SSL) is this: >> > >> > DAP Error: Connect error: TLS: hostname does not match CN in peer >> > certificate >> > >> > When I look at the cert using: >> > >> > openssl x509 -in /etc/ipa/ca.crt -noout -text >> > >> > I see this: >> > >> > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority >> > Validity >> > Not Before: Jul 25 18:22:53 2013 GMT >> > Not After : Jul 25 18:22:53 2033 GMT >> > Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority >> > >> > >> > and ... >> > >> > OCSP - URI:<a href="http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp">http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp</a> >> >> No, you looked at the wrong certificate. >> >> To look at it use: >> >> # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert >> >> rob > > Ok, that makes sense. The CN in that cert is correct, so I corrected my > command. It's still failing on binding a user it looks like. > > I've attached the complete output. Take a look at your 389-ds error log and the KDC log. The only thing we get on the client side is LOCAL_ERROR. rob </pre> </blockquote> I see this in /var/log/krb5kdc.log: Jul 26 10:27:10 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.203.60.226: UNKNOWN_SERVER: authtime 0, <a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU">admin@LNXREALMTEST.LIBERTY.EDU</a> for krbtgt/<a href="mailto:LIBERTY.EDU@LNXREALMTEST.LIBERTY.EDU">LIBERTY.EDU@LNXREALMTEST.LIBERTY.EDU</a>, Server not found in Kerberos database Jul 26 10:49:06 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): AS_REQ (4 etypes {18 17 16 23}) 10.203.60.225: NEEDED_PREAUTH: host/<a href="mailto:lnxrealmtest01.lnxrealmtest.liberty.edu@LNXREALMTEST.LIBERTY.EDU">lnxrealmtest01.lnxrealmtest.liberty.edu@LNXREALMTEST.LIBERTY.EDU</a> for krbtgt/<a href="mailto:LNXREALMTEST.LIBERTY.EDU@LNXREALMTEST.LIBERTY.EDU">LNXREALMTEST.LIBERTY.EDU@LNXREALMTEST.LIBERTY.EDU</a>, Additional pre-authentication required This is in /var/log/dirsrv/slapd-PKI-IPA/access log: [26/Jul/2013:10:28:36 -0400] conn=241 fd=65 slot=65 connection from 10.203.60.225 to 10.203.60.225 [26/Jul/2013:10:28:36 -0400] conn=241 op=0 BIND dn="cn=Directory Manager" method=128 version=2 [26/Jul/2013:10:28:36 -0400] conn=241 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [26/Jul/2013:10:28:36 -0400] conn=241 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn" [26/Jul/2013:10:28:36 -0400] conn=241 op=1 RESULT err=32 tag=101 nentries=0 etime=0 [26/Jul/2013:10:28:36 -0400] conn=241 op=2 UNBIND [26/Jul/2013:10:28:36 -0400] conn=241 op=2 fd=65 closed - U1 <pre> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> I tried a RHEL 5.8 client, and I didn't get the issue with the certificate not downloading, so it does seem like a problem with 5.9's libs on that one. I am however getting the same binding error. I even created another user that was in the admin group, and it still fails. -Kenny <pre> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> Ok, so I was able to successfully joined a RHEL 5.8 client to the domain. I had to take out all of the nameserver entries in the /etc/resolv.conf file and replaced it with the IP of the IdM server. I tried the same exact thing on the 5.9 client, and it still fails. I can't help but think that the messed up OpenSSL libs on 5.9 are the root cause of this. -Kenny </body> </html>