[Freeipa-users] version mismatch while joining a client ?

Rob Crittenden rcritten at redhat.com
Wed Aug 3 21:38:22 UTC 2011


Steven Jones wrote:
> Hi,
>
> Hopefully these will help.

It shows that you have two clients, one of which has a working libcurl 
and another that does not.

The client 130.195.53.109 does not have a working libcurl as can be seen 
in the error log with the error "Client didn't delegate us their 
credential" and the principal error. The HTTP response is a 500.

The second client is 130.195.53.104 and does have a working libcurl. The 
authentication is not accepted though and the request rejected with a 401.

Do you have another KDC somewhere on your network? In the RHEL bits we 
had dns_lookup_kdc and dns_realm_kdc both set to True which causes the 
enrollment to use the wrong KDC even if you have things otherwise 
entered properly.

You should be able to work around this by using the --force flag in 
ipa-client-install.

rob

>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 4 August 2011 8:42 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> Client
>> ==========
>> rhel61-64cl04.unix.vuw.ac.nz
>> Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> libcurl-7.19.7-26.el6.x86_64
>> Red Hat Enterprise Linux Client release 6.1 (Santiago)
>> ==========
>>
>> Server
>> ==========
>> Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> libcurl-7.19.7-26.el6_1.1.x86_64
>> ipa-client-2.0.0-23.el6_1.1.x86_64
>> ipa-server-2.0.0-23.el6_1.1.x86_64
>> Red Hat Enterprise Linux Server release 6.1 (Santiago)
>> ==========
>>
>> install output
>> ==========
>> [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
>> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None}
>> root        : DEBUG    missing options might be asked for interactively later
>>
>> root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root        : DEBUG    [ipacheckldap]
>> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=--2011-08-03 09:01:14--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/tmp/tmpaaTaqF/ca.crt'
>>
>>        0K                                                       100%  132M=0s
>>
>> 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]
>>
>>
>> root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
>> root        : DEBUG    Search rootdse
>> root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
>> root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})]
>> root        : DEBUG    Search for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub)
>> root        : DEBUG    Found: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
>> root        : DEBUG    will use domain: unix.vuw.ac.nz
>>
>> root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz
>>
>> Discovery was successful!
>> root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ
>>
>> root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz
>>
>> Hostname: rhel61-64cl04.unix.vuw.ac.nz
>> Realm: UNIX.VUW.AC.NZ
>> DNS Domain: unix.vuw.ac.nz
>> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
>> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>>
>>
>> Continue to configure the system with these values? [no]: yes
>> Enrollment principal: admin
>> root        : DEBUG    will use principal: admin
>>
>> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=--2011-08-03 09:01:22--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
>> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
>> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 779 [application/x-x509-ca-cert]
>> Saving to: `/etc/ipa/ca.crt'
>>
>>        0K                                                       100% 96.5M=0s
>>
>> 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]
>>
>>
>> Password for admin@UNIX.VUW.AC.NZ:
>> root        : DEBUG    args=kinit admin@UNIX.VUW.AC.NZ
>> root        : DEBUG    stdout=Password for admin@UNIX.VUW.AC.NZ:
>>
>> root        : DEBUG    stderr=
>>
>> root        : DEBUG    args=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n
>> <methodCall>\r\n
>> <methodName>join</methodName>\r\n
>> <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> HTTP response code is 401, not 200
>>
>> Joining realm failed because of failing XML-RPC request.
>>     This error may be caused by incompatible server/client major versions.
>> root        : DEBUG    args=kdestroy
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=
>> [root@rhel61-64cl04 ~]#
>> ==========
>>
>> Error log
>> ==========
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>   ignored
>> [Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
>> [Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
>> [Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest authentication ...
>> [Wed Aug 03 09:04:58 2011] [notice] Digest: done
>> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
>> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
>> [Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
>> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
>> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
>> ==========
>>
>
> This appears to be a different issue. If it were the libcurl problem on
> the server side we would see something like:
>
> AttributeError: 'thread._local' object has no attribute 'principal'
>
> Because you are getting a 401 and not a 500 it means that the principal
> is not being authenticated.
>
> I suspect that this is a kerberos problem. Can you check
> /var/log/krb5kdc to see if it is getting a service ticket request from
> your client?
>
> Another thing to try is to set LogLevel debug in
> /etc/httpd/conf.d/nss.conf and restart Apache. This will provide much
> more logging information on the Negotiate request from the client.
>
> rob
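The triage Rob walks through above (500 plus a delegation error in the Apache error_log means the client's libcurl is at fault; 401 means the Negotiate authentication itself was rejected, so look at the KDC and at dns_lookup_kdc) can be scripted. The following is an added example, not FreeIPA code and not something either poster ran: it classifies an ipa-join -d transcript against the server error_log, checks whether krb5.conf lets DNS pick a KDC other than the configured one, and lists the next checks. The sample transcripts, log line and krb5.conf fragments are constructed here; the log line format for the delegation error and the "unknown" fallback are assumptions.

```python
"""Triage helper for a failed ipa-client-install / ipa-join (added example,
not FreeIPA's own code). Nothing is read from the live system; all inputs
are passed in as strings."""
import re
from typing import Dict, List

# Server-side signatures that the client's libcurl did not delegate the
# Kerberos credential (both strings are quoted in the thread).
DELEGATION_MARKERS = (
    "Client didn't delegate us their credential",
    "'thread._local' object has no attribute 'principal'",
)

_TRUTHY = {"true", "yes", "1", "on"}


def classify_join_failure(client_output: str, server_error_log: str) -> str:
    """Map ipa-join -d output plus the server error_log to a failure class."""
    m = re.search(r"HTTP response code is (\d{3}), not 200", client_output)
    if m is None:
        return "ok" if "Joining realm failed" not in client_output else "unknown"
    code = int(m.group(1))
    if code == 500 and any(s in server_error_log for s in DELEGATION_MARKERS):
        return "libcurl-delegation"   # client-side libcurl problem
    if code == 401:
        return "kerberos-auth"        # principal not authenticated by mod_auth_kerb
    return "unknown"                  # assumption: anything else needs a human


def parse_libdefaults(krb5_conf: str) -> Dict[str, str]:
    """Return the key = value pairs of the [libdefaults] section (comments stripped)."""
    section = None
    values: Dict[str, str] = {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"^\[(\w+)\]$", line)
        if head:
            section = head.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            values[key.lower()] = value
    return values


def dns_kdc_lookup_enabled(krb5_conf: str) -> bool:
    """True when DNS SRV lookups may select a KDC other than the configured one."""
    return parse_libdefaults(krb5_conf).get("dns_lookup_kdc", "false").lower() in _TRUTHY


def recommend(client_output: str, server_error_log: str, krb5_conf: str) -> List[str]:
    """Next checks to run, in the order the thread suggests them."""
    verdict = classify_join_failure(client_output, server_error_log)
    steps: List[str] = []
    if verdict == "libcurl-delegation":
        steps.append("client libcurl does not delegate the credential; update libcurl on the client")
    elif verdict == "kerberos-auth":
        steps.append("check the KDC log (/var/log/krb5kdc) for a service-ticket request from this client")
        steps.append("set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart httpd")
        if dns_kdc_lookup_enabled(krb5_conf):
            steps.append("dns_lookup_kdc is on: another KDC may be answering; pin kdc= for the "
                         "realm or retry with ipa-client-install --force")
    return steps


# --- constructed sample input (abridged from the thread, not captured live) ---
CLIENT_401 = "HTTP response code is 401, not 200\n\nJoining realm failed because of failing XML-RPC request."
CLIENT_500 = "HTTP response code is 500, not 200\n\nJoining realm failed because of failing XML-RPC request."
SERVER_LOG_CLEAN = "[error] ipa: INFO: *** PROCESS START ***"
# assumed log line shape; only the marker substring matters
SERVER_LOG_NODELEG = "[error] ipa: ERROR: Client didn't delegate us their credential"
KRB5_DNS = "[libdefaults]\n default_realm = UNIX.VUW.AC.NZ\n dns_lookup_realm = true\n dns_lookup_kdc = true\n"
KRB5_PINNED = ("[libdefaults]\n default_realm = UNIX.VUW.AC.NZ\n dns_lookup_kdc = false\n"
               "[realms]\n UNIX.VUW.AC.NZ = {\n  kdc = vuwunicoipamt01.unix.vuw.ac.nz:88\n }\n")

if __name__ == "__main__":
    for step in recommend(CLIENT_401, SERVER_LOG_CLEAN, KRB5_DNS):
        print("-", step)
```

Feed it the stderr of `ipa-join -s <server> -d` and the tail of the server's /var/log/httpd/error_log; the 401 branch is the one that matches the transcript above, and with dns_lookup_kdc = true the script adds the wrong-KDC check before suggesting --force.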



