[Freeipa-devel] Still failing on 5.7 with the same error........

Rob Crittenden rcritten at redhat.com
Tue Sep 20 19:19:33 UTC 2011


JR Aquino wrote:
>
> On Sep 19, 2011, at 10:16 PM, JR Aquino wrote:
>
>> We're having significant reproducible problems with RHEL 5.7 + FreeIPA master...
>> I'm not sure if it is localized to us or even which side is responsible for the error...
>>
>> Has anyone had success with RHEL 5.7's repo-included FreeIPA client joining a Fedora-based FreeIPA server?
>>
>> We are essentially dead in the water at this point.
>>
>> Sent from my iPad
>>
>> Begin forwarded message:
>>
>> From: Brett Campbell <Brett.Campbell at citrix.com>
>> Date: September 19, 2011 6:48:55 PM PDT
>> To: JR Aquino <JR.Aquino at citrix.com>
>> Cc: Jason Vagalatos <Jason.Vagalatos at citrix.com>
>> Subject: RE: Still failing on 5.7 with the same error........
>>
>> Apparently this error is printed from FreeIPA code and not an underlying library.
>> Here’s the relevant bit from ipa-getkeytab.c:
>>
>>        /* Format of response
>>        *
>>        * KeytabGetRequest ::= SEQUENCE {
>>        *     new_kvno      Int32
>>        *     SEQUENCE OF   KeyTypes
>>        * }
>>        *
>>        * * List of accepted enctypes *
>>        * KeyTypes ::= SEQUENCE {
>>        *     enctype              Int32
>>        * }
>>        */
>>
>>        rtag = ber_scanf(sctrl, "{i{",&kvno);
>>        if (rtag == LBER_ERROR) {
>>               fprintf(stderr, "ber_scanf() failed, Invalid control ?!\n");
>>               goto error_out;
>>        }
>>
>>
>> However, the call that’s failing (ber_scanf()) is one from the openldap library:
>>
>> [root at util1 Server]# strings /usr/lib/liblber-2.3.so.0 |grep ber_scanf
>> ber_scanf
>> ber_scanf fmt (%s) ber:
>> ber_scanf: unknown fmt %c
>> ber_scanf
>>
>>
>>
>> From: /O=EXPERTCITY.COM/OU=BETA.EXPERTCITY/CN=RECIPIENTS/CN=BRETT.CAMPBELL On Behalf Of Brett Campbell
>> Sent: Monday, September 19, 2011 6:29 PM
>> To: JR.Aquino at citrix.com
>> Subject: Still failing on 5.7 with the same error........
>>
>> Are you sure it’s not the server?  Can you check the logs?
>>
>>
>> [root at util1 Server]# cat /etc/issue
>> Red Hat Enterprise Linux Server release 5.7 (Tikanga)
>> Kernel \r on an \m
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]# rpm --aid -ivh /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm certmonger-0.42-1.el5.x86_64.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64.rpm sssd-client-1.5.1-37.el5.x86_64.rpm sssd-1.5.1-37.el5.x86_64.rpm xmlrpc-c-1.16.24-1206.1840.el5.x86_64.rpm libcollection-0.6.0-10.el5.x86_64.rpm libdhash-0.4.2-10.el5.x86_64.rpm libldb-0.9.10-33.el5.x86_64.rpm libtdb-1.2.1-6.el5.x86_64.rpm openssl-devel-0.9.8e-20.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm libpath_utils-0.2.1-10.el5.x86_64.rpm libini_config-0.6.1-10.el5.x86_64.rpm libref_array-0.1.1-10.el5.x86_64.rpm openldap24-libs-2.4.23-5.el5.x86_64.rpm  xmlrpc-c-client-1.16.24-1206.1840.el5.x86_64.rpm libtalloc-2.0.1-11.el5.x86_64.rpm c-ares-1.6.0-5.el5.x86_64.rpm krb5-devel-1.6.1-62.el5.x86_64.rpm zlib-devel-1.2.3-4.el5.x86_64.rpm libtevent-0.9.8-10.el5.x86_64.rpm e2fsprogs-devel-1.39-33.el5.x86_64.rpm keyutils-libs-devel-1.2-1.el5.x86_64.rpm libselinux-devel-1.33.4-5.7.el5.x86_64.rpm libsepol-devel-1.15.2-3.el5.x86_64.rpm
>> warning: /tmp/ipa-client-2.0-14.el5_7.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
>> Preparing...                ########################################### [100%]
>>    1:libtalloc              ########################################### [  4%]
>>    2:libtevent              ########################################### [  8%]
>>    3:xmlrpc-c               ########################################### [ 12%]
>>    4:xmlrpc-c-client        ########################################### [ 15%]
>>    5:libref_array           ########################################### [ 19%]
>>    6:libtdb                 ########################################### [ 23%]
>>    7:libcollection          ########################################### [ 27%]
>>    8:cyrus-sasl-gssapi      ########################################### [ 31%]
>>    9:libldb                 ########################################### [ 35%]
>>   10:certmonger             ########################################### [ 38%]
>>   11:c-ares                 ########################################### [ 42%]
>>   12:openldap24-libs        ########################################### [ 46%]
>>   13:libpath_utils          ########################################### [ 50%]
>>   14:libini_config          ########################################### [ 54%]
>>   15:libdhash               ########################################### [ 58%]
>>   16:sssd-client            ########################################### [ 62%]
>>   17:sssd                   ########################################### [ 65%]
>>   18:libsepol-devel         ########################################### [ 69%]
>>   19:libselinux-devel       ########################################### [ 73%]
>>   20:keyutils-libs-devel    ########################################### [ 77%]
>>   21:e2fsprogs-devel        ########################################### [ 81%]
>>   22:krb5-devel             ########################################### [ 85%]
>>   23:zlib-devel             ########################################### [ 88%]
>>   24:ipa-client             ########################################### [ 92%]
>>   25:openssl-devel          ########################################### [ 96%]
>>   26:libref_array           ########################################### [100%]
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp
>> Realm: EXPERTCITY.COM
>> DNS Domain: expertcity.com
>> IPA Server: authstage1.ops.expertcity.com
>> BaseDN: dc=expertcity,dc=com
>>
>>
>> Joining realm failed: ber_scanf() failed, Invalid control ?!
>> child exited with 9
>> Certificate subject base is: O=EXPERTCITY.COM
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]#
>> [root at util1 Server]# ipa-client-install --unattended --password='n7 I,6TN+!TF' --domain=expertcity.com --server=authstage1.ops.expertcity.com --hostname=$(hostname) --no-ntp
>> Realm: EXPERTCITY.COM
>> DNS Domain: expertcity.com
>> IPA Server: authstage1.ops.expertcity.com
>> BaseDN: dc=expertcity,dc=com
>>
>>
>> Joining realm failed: Host is already joined.
>> Certificate subject base is: O=EXPERTCITY.COM
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Simo recently fixed a bug in master that was preventing users' keytabs from being recognized as non-expired... Following a hunch, I updated the Stage Server with the newest master and now I get a completely new error from the RHEL 5.7 Client:
>
> Joining realm failed because of failing XML-RPC request.
>    This error may be caused by incompatible server/client major versions.

What version of ipa-client are you using?

Check ipaclient-install.log for potentially more details, and the Apache 
log on the IPA server as well.

If the Apache side is logging an error about context.principal you need 
to update your ipa-client software which should pull in updated xmlrpc-c 
and curl libraries.

rob
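
For readers following the ber_scanf() failure quoted earlier in the thread, here is an added example (not part of the original messages and not FreeIPA or liblber code) that walks the response layout from the quoted ipa-getkeytab.c comment and shows which byte sequences fit the "{i{" shape. It assumes universal BER tags (0x30 SEQUENCE, 0x02 INTEGER) and short-form lengths; the function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* One BER header at *pos (short-form length only); -1 if it does not fit. */
static int ber_hdr(const uint8_t *b, size_t n, size_t *pos, uint8_t want, size_t *len)
{
    if (n - *pos < 2 || b[*pos] != want || (b[*pos + 1] & 0x80)) return -1;
    *len = b[*pos + 1];
    *pos += 2;
    return *len > n - *pos ? -1 : 0;
}
static int ber_int(const uint8_t *b, size_t n, size_t *pos, int32_t *out)
{
    size_t len;
    if (ber_hdr(b, n, pos, 0x02, &len) || len == 0 || len > 4) return -1;
    uint32_t u = (b[*pos] & 0x80) ? 0xFFFFFFFFu : 0;    /* sign-extend */
    while (len-- > 0) u = (u << 8) | b[(*pos)++];
    *out = (int32_t)u;
    return 0;
}

/* Returns the enctype count, or -1 if the bytes do not match the layout. */
int parse_keytab_response(const uint8_t *b, size_t n, int32_t *kvno,
                          int32_t *etypes, size_t max)
{
    size_t pos = 0, len, count = 0;
    if (ber_hdr(b, n, &pos, 0x30, &len)) return -1;      /* outer "{" */
    n = pos + len;
    if (ber_int(b, n, &pos, kvno)) return -1;            /* "i": new_kvno */
    if (ber_hdr(b, n, &pos, 0x30, &len)) return -1;      /* inner "{" */
    n = pos + len;
    while (pos < n) {                                    /* one KeyTypes each */
        if (count == max || ber_hdr(b, n, &pos, 0x30, &len)) return -1;
        if (ber_int(b, pos + len, &pos, &etypes[count++])) return -1;
    }
    return (int)count;
}

/* Constructed samples, not captured traffic. */
static const uint8_t OK_MSG[] = { 0x30,0x0F, 0x02,0x01,0x02, 0x30,0x0A, /* kvno 2 */
    0x30,0x03,0x02,0x01,0x12, 0x30,0x03,0x02,0x01,0x11 };   /* enctypes 18, 17 */
static const uint8_t BAD_MSG[] = { 0x30,0x03, 0x04,0x01,0x02 }; /* 0x04 is not INTEGER */
static int32_t g_kvno, g_etypes[8];

int main(void)
{
    printf("ok=%d\n", parse_keytab_response(OK_MSG, sizeof OK_MSG, &g_kvno, g_etypes, 8));
    printf("bad=%d\n", parse_keytab_response(BAD_MSG, sizeof BAD_MSG, &g_kvno, g_etypes, 8));
    return 0;
}
```

Feeding a hex dump of the control value the server actually returned into a decoder like this shows whether the bytes have the shape the client expects or a different one.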
