<html>
<head>
<title>Switching a client from one set of IPA servers to another</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Switching a client from one set of IPA servers to another</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Bret Wortman <bret.wortman@damascusgrp.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>04/29/2014 01:18 PM</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Freeipa-users@redhat.com</td></tr></table><br>
<div class="moz-text-html" lang="x-western"><html>
<head>
<meta http-equiv="content-type" content="text/html; ">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'd like to test migrating our clients from the old IPA
infrastructure to our newer F20-based servers but am having trouble
with our first clients. Unenrolling them from the old IPA servers
went fine, but when I try to enroll them with the newer ones, the
logs report:<br>
<tt><br>
</tt><tt># ipa-client-install -U --server zsipa.foo.net --domain
foo.net --password obscured --mkhomdir --enable-dns-updates</tt><tt><br>
</tt><tt>LDAP Error: Connect error: TLS error -8172:Peer's
certificate issuer has been marked as not trusted by the user.</tt><tt><br>
</tt>
<div class="moz-signature"><tt>LDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted
by the user.</tt><tt><br>
</tt><tt>
Failed to verify that zsipa.foo.net is an IPA Server.</tt><tt><br>
</tt><tt>This may mean that the remote server is not up or is not
reachable due to network or firewall settings.</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>Installation failed. Rolling back changes.</tt><tt><br>
</tt><tt>IPA client is not configured on this system.</tt><tt><br>
</tt><tt># ps aux | grep firewalld</tt><tt> | grep -v grep</tt><tt><br>
</tt><tt># getenforce</tt><tt><br>
</tt><tt>Disabled</tt><tt><br>
</tt><tt># cat /var/log/ipaclient-install.log</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>DEBUG [LDAP server check]</tt><tt><br>
</tt><tt>DEBUG Verifying that zsipa.foo.net (realm foo.net) is an
IPA server</tt><tt><br>
</tt><tt>DEBUG Init LDAP connection with: <a class="moz-txt-link-freetext" href="ldap://zsipa.foo.net:389">ldap://zsipa.foo.net:389</a></tt><tt><br>
</tt><tt>ERROR LDAP Error: Connect error: TLS error -8173:Peer's
certificate issuer has been marked as not trusted by the user.</tt><tt><br>
</tt><tt>DEBUG Discovery result: UNKNOWN_ERROR; server=None,
domain=foo.net, kdc=zsipa.foo.net, basedn=None</tt><tt><br>
</tt><tt>DEBUG Validated servers:</tt><tt><br>
</tt><tt>DEBUG will use discovered domain: foo.net</tt><tt><br>
</tt><tt>DEBUG IPA Server not found</tt><tt><br>
</tt><tt>DEBUG [IPA Discovery] Starting IPA discovery with
domain=foo.net, servers=['zsipa.foo.net'],
hostname=jsutil.foo.net</tt><tt><br>
</tt><tt>DEBUG Server and domain forced</tt><tt><br>
</tt><tt>DEBUG [Kerberos realm search]</tt><tt><br>
</tt><tt>DEBUG Search DNS for TXT record of _kerberos.foo.net</tt><tt><br>
</tt><tt>DEBUG DNS record found:
DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}</tt><tt><br>
</tt><tt>DEBUG Search DNS for SRV record of
_kerberos._udp.foo.net.,type:33,class:1,rdata={priority:-,port:88,weight:100,server:zsipa.foo.net.}</tt><tt><br>
</tt><tt>DEBUG [LDAP server check]</tt><tt><br>
</tt><tt>DEBUG Verifying that zsipa.foo.net (realm FOO.NET)</tt><tt>
is an IPA server</tt><tt><br>
</tt><tt>DEBUG Init LDAP connection with: <a class="moz-txt-link-freetext" href="ldap://zsipa.foo.net:389">ldap://zsipa.foo.net:389</a></tt><tt><br>
</tt><tt>ERROR LDAP Error: COnnect error: TLS error -8172:Peer's
certificate issuer has been marked as not trusted by the user.</tt><tt><br>
</tt><tt>DEBUG Discovery result: UNKNOWN_ERROR; server=None,
domain=foo.net, kdc=zsipa.foo.net, basedn=None</tt><tt><br>
</tt><tt>DEBUG Validated servers:</tt><tt><br>
</tt><tt>ERROR Failed to verify that zsipa.foo.net is an IPA
Server.</tt><tt><br>
</tt><tt>ERROR This may mean that the remote server is not up or
is not reachable due to network or firewall settings.</tt><tt><br>
</tt><tt>INFO Please make sure the followign ports are opened in
the firewall settings:</tt><tt><br>
</tt><tt> TCP: 80, 88, 389</tt><tt><br>
</tt><tt> UDP: 88 (at least one of TCP/UDP ports 88 ahs to be
open)</tt><tt><br>
</tt><tt>Also note that following ports are necessary for
ipa-clietn working properly after enrollment:</tt><tt><br>
</tt><tt> TCP: 464</tt><tt><br>
</tt><tt> UDP: 464, 123 (if NTP enabled)</tt><tt><br>
</tt><tt>DEBUG (zspia.foo.net: Provided as optino)</tt><tt><br>
</tt><tt>ERROR Installation failed. Rolling back changes.</tt><tt><br>
</tt><tt>ERROR IPA client is not configured on this system.</tt><br>
<br>
I removed the timestamps for readability.<br>
<br>
<br>
-- <br>
<div><b>Bret Wortman</b></div>
<div><img src="imap://bret%2Ewortman%40damascusgrp%2Ecom@mail.messagingengine.com:993/fetch%3EUID%3E.INBOX.Drafts%3E193?format=1500w&part=1.1.2"
height="53/" width="200"><br>
</div>
<div><a href="http://damascusgrp.com/">http://damascusgrp.com/</a><br>
</div>
<div><a href="http://about.me/wortmanbret">http://about.me/wortmanbret</a><br>
<br>
</div>
</div>
</body>
</html>
</div></body>
</html>
</table></div>