[Freeipa-users] version mismatch while joining a client ?

Steven Jones Steven.Jones at vuw.ac.nz
Thu Aug 4 20:42:22 UTC 2011


Hi,

Yes the first is F15.

I am halting all the AD machines; I will retry without the --force first to test this. When I built IPA originally there was no AD to conflict.

However, it's plain weird because the RHEL6.1 client points to the IPA server for DNS.

I will get back to you.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Friday, 5 August 2011 1:24 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> I have also done this on a new f15 client and it also fails.
>
> But it's saying,
>
> 500 and not 401 which is the rhel6.1 failure.
>
> "HTTP response code is 401, not 200"  == RHEL61
> "HTTP response code is 500, not 200" == FED15

Assuming that the Fedora 15 client is 130.195.53.109 that I had seen in
a previous log it has a libcurl that does not do ticket delegation.

500 is an HTTP server error, we assume a principal will be there and it
isn't and things blow up (this is handled more gracefully in our dev tree).

401 is an HTTP authorization error, the user provided is not allowed to
access the server. I'm guessing this is because the client is using the
wrong Kerberos server. We have this addressed too in the dev tree, we
disable DNS lookups in krb5.conf. In the meantime --force should make it
use the info you provide.

rob


>
>
> ==============
> more fed15-install-error
> [root at fed15-64-ws02 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz'
> , 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.
> ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server'
> : None, 'mkhomedir': True, 'unattended': None, 'principal': None}
> root        : DEBUG    missing options might be asked for interactively later
>
> root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpsyC9Zx/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2011-08-03 15:18:07--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 779 [application/x-x509-ca-cert]
> Saving to: “/tmp/tmpsyC9Zx/ca.crt”
>
>       0K                                                       100%  111M=0s
>
> 2011-08-03 15:18:07 (111 MB/s) - “/tmp/tmpsyC9Zx/ca.crt” saved [779/779]
>
>
> root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
> root        : DEBUG    Search rootdse
> root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
> root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainOb
> ject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': [
> 'unix.vuw.ac.nz']})]
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub)
> root        : DEBUG    Found: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vu
> w,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hma
> c-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScop
> e': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special
> ', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal'
> , 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMax
> RenewableAge': ['604800']})]
> root        : DEBUG    will use domain: unix.vuw.ac.nz
>
> root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz
>
> Discovery was successful!
> root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ
>
> root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz
>
> Hostname: fed15-64-ws02.unix.vuw.ac.nz
> Realm: UNIX.VUW.AC.NZ
> DNS Domain: unix.vuw.ac.nz
> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> root        : DEBUG    will use principal: admin
>
> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2011-08-03 15:18:12--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 779 [application/x-x509-ca-cert]
> Saving to: “/etc/ipa/ca.crt”
>
>       0K                                                       100%  112M=0s
>
> 2011-08-03 15:18:12 (112 MB/s) - “/etc/ipa/ca.crt” saved [779/779]
>
>
> root        : DEBUG    Writing Kerberos configuration to /tmp/tmpiFqnW9:
> #File modified by ipa-client-install
>
> [libdefaults]
>    default_realm = UNIX.VUW.AC.NZ
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>
> [realms]
>    UNIX.VUW.AC.NZ = {
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
>
> [domain_realm]
>    .unix.vuw.ac.nz = UNIX.VUW.AC.NZ
>    unix.vuw.ac.nz = UNIX.VUW.AC.NZ
>
> [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>      forwardable = true
>      krb4_convert = false
>    }
>
> Password for admin at UNIX.VUW.AC.NZ:
> root        : DEBUG    args=kinit admin at UNIX.VUW.AC.NZ
> root        : DEBUG    stdout=Password for admin at UNIX.VUW.AC.NZ:
>
> root        : DEBUG    stderr=
>
> root        : DEBUG    args=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>fed15-64-ws02.unix.vuw.ac.nz</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.38.6-26.rc1.fc15.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> HTTP response code is 500, not 200
>
> Joining realm failed because of failing XML-RPC request.
>    This error may be caused by incompatible server/client major versions.
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> [root at fed15-64-ws02 ~]#
> =======================
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, 3 August 2011 9:35 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Hi,
>
> Client
> ==========
> rhel61-64cl04.unix.vuw.ac.nz
> Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> ipa-client-2.0.0-23.el6_1.1.x86_64
> libcurl-7.19.7-26.el6.x86_64
> Red Hat Enterprise Linux Client release 6.1 (Santiago)
> ==========
>
> Server
> ==========
> Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> libcurl-7.19.7-26.el6_1.1.x86_64
> ipa-client-2.0.0-23.el6_1.1.x86_64
> ipa-server-2.0.0-23.el6_1.1.x86_64
> Red Hat Enterprise Linux Server release 6.1 (Santiago)
> ==========
>
> install output
> ==========
> [root at rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None}
> root        : DEBUG    missing options might be asked for interactively later
>
> root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2011-08-03 09:01:14--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 779 [application/x-x509-ca-cert]
> Saving to: `/tmp/tmpaaTaqF/ca.crt'
>
>       0K                                                       100%  132M=0s
>
> 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]
>
>
> root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
> root        : DEBUG    Search rootdse
> root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
> root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})]
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub)
> root        : DEBUG    Found: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
> root        : DEBUG    will use domain: unix.vuw.ac.nz
>
> root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz
>
> Discovery was successful!
> root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ
>
> root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz
>
> Hostname: rhel61-64cl04.unix.vuw.ac.nz
> Realm: UNIX.VUW.AC.NZ
> DNS Domain: unix.vuw.ac.nz
> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> root        : DEBUG    will use principal: admin
>
> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2011-08-03 09:01:22--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 779 [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
>       0K                                                       100% 96.5M=0s
>
> 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]
>
>
> Password for admin at UNIX.VUW.AC.NZ:
> root        : DEBUG    args=kinit admin at UNIX.VUW.AC.NZ
> root        : DEBUG    stdout=Password for admin at UNIX.VUW.AC.NZ:
>
> root        : DEBUG    stderr=
>
> root        : DEBUG    args=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> HTTP response code is 401, not 200
>
> Joining realm failed because of failing XML-RPC request.
>    This error may be caused by incompatible server/client major versions.
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> [root at rhel61-64cl04 ~]#
> ==========
>
> Error log
> ==========
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
> [Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest authentication ...
> [Wed Aug 03 09:04:58 2011] [notice] Digest: done
> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
> [Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
> ==========
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 3 August 2011 1:48 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>>
>> Yes....enrolment now fails, previous messages I attached show that I think, it used to work.
>>
>> History, I had to remove all my working IPA clients due to a disk space problem on our SAN (we didn't have any).  So I managed to keep the working IPA server and 2 x RHEL5 64 bit servers and the one un-configured template of RHEL6.1 64bit client I had. This I used to make client side clones off previously and connected them to IPA server and they worked.
>>
>> So last week I went back and with a running ipa server, I cloned in the old client/template and got the mis-match, so I put them on the production network and patched, same mismatch problem.
>>
>> I can do a sosreport of the old template I think and the client to look at the differences if that helps.
>
> I'm having a hard time following exactly what you are doing, on what
> machine. I think we need to be more systematic.
>
> Can you choose a machine to act as the client and provide the following:
>
> - distro and architecture (e.g. RHEL 6.1 on x86_64)
> - rpm -q curl libcurl
> - rpm -q ipa-client
>
> On the IPA server:
> - rpm -q ipa-server
>
> Start with a client that is not enrolled. If it has previously been
> enrolled run: ipa-client-install --uninstall -U
>
> Now run ipa-client-install and answer the questions as appropriate for
> your install.
>
> If it fails please provide the following:
> - any stdout you get from the client install
> - attach the full /var/log/ipaclient-install.log
> - attach the last 100 lines from /var/log/httpd/error_log from the IPA
> server
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
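
The 401 diagnosis in this thread rests on the generated krb5.conf leaving KDC selection to DNS (`dns_lookup_kdc = true` with no `kdc` entry for the realm). The following Python check is an added example, not code from the thread or from FreeIPA: it audits a krb5.conf for that condition. The function names are hypothetical, the first sample is trimmed from the debug log above, and the pinned variant (including port 88) is a constructed assumption.

```python
import re

# Constructed sample: trimmed from the krb5.conf shown in the debug log above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = UNIX.VUW.AC.NZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  UNIX.VUW.AC.NZ = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

# Constructed sample (assumption): DNS lookups off and the KDC pinned to the IPA server.
PINNED_KRB5_CONF = """\
[libdefaults]
  default_realm = UNIX.VUW.AC.NZ
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  UNIX.VUW.AC.NZ = {
    kdc = vuwunicoipamt01.unix.vuw.ac.nz:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_krb5_conf(text):
    """Parse [sections], key = value relations and one level of { } subsections."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, sub = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            sub = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf

def audit_kdc_discovery(text):
    """Return findings where realm or KDC selection is left to DNS."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    # Only explicit settings are checked; an absent key falls back to the
    # library default, which this example does not model.
    enabled = lambda key: libdefaults.get(key, ["unset"])[0].lower() in TRUE_VALUES
    realm = libdefaults.get("default_realm", [None])[0]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    findings = []
    if enabled("dns_lookup_kdc") and not kdcs:
        findings.append(f"{realm}: no kdc listed, so the KDC is taken from DNS SRV records")
    if enabled("dns_lookup_realm"):
        findings.append("dns_lookup_realm is enabled: realm mapping may come from DNS TXT records")
    return findings
```

Running `audit_kdc_discovery` over the configuration a client install writes shows whether a second Kerberos realm publishing SRV records in the same DNS zone could be selected instead of the IPA server.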




