[Freeipa-users] ipa-client-install errors via kickstart
Charlie Derwent
shelltoesuperstar at gmail.com
Thu Jun 23 22:37:28 UTC 2011
On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Charlie Derwent wrote:
>
>>
>>
>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>> Charlie Derwent wrote:
>>
>> Hi
>>
>> I'm running FreeIPA server on F14 and connecting to a F14
>> client. When I
>> run ipa-client-install (via kickstart or after the client has
>> installed)
>> I'm getting the following error message.
>>
>> root : DEBUG
>> root : ERROR LDAP Error: Connect error: Start TLS request
>> accepted. Server willing to negotiate SSL
>> Failed to verify that ipa.test.net <http://ipa.test.net>
>> <http://ipa.test.net> is an IPA server
>>
>> This may mean that the remote server is not up or is not
>> reachable due
>> to network or firewall settings
>>
>>
>> What version of IPA are you running on the client and server?
>>
>> Server is running 2.0.0.rc3-0
>> F14 Client is running 2.0.0.rc3-0
>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>> All the boxes are 64-bit
>>
>
> How are you invoking ipa-client-install? The error message looks a bit odd
> and I'm not sure if it is a mail client mucking it up or something else (the
> addition of http://ipa.test.net)
>
> rob
>
> Yeah thats a mail client quirk there was only one http://ipa.test.net in
my original email.
I'm getting the same error if I run "ipa-client-install" with no switches or
"ipa-client-install --server=ipa.test.net --domain=test.net
--realm=TEST.NET<http://test.net/>etc..". there are other switches I
have in my kickstart scripts but I'm not
at the lab right now so I couldn't tell you what they are, suffice to say
I'm connecting without any issue if I rekick a rhel or centos build on the
exact same server.
The really weird thing is I have an older box I built to F14 a few weeks ago
and that's been connected for weeks with the exact same client rpm, I just
hope I don't have to rebuild it! Is there anyway to check if the
dependencies between the two builds vary?
Charlie
>
>
>
>> Can you check the 389-ds access log to see if you can see the
>> connection and any errors reported with it?
>>
>> Nothing in the access.log on the server.
>>
>>
>>
>>
>> The ipa server is definately up and running, it's still
>> authenticating
>> other servers in the network and when I rebuild the client with
>> rhel or
>> centos it can enroll (almost) without issue (see below).
>>
>> The second issue was this certmonger related bug where
>> certmonger fails
>> to start on new install
>> (https://bugzilla.redhat.com/_**_show_bug.cgi?id=636894<https://bugzilla.redhat.com/__show_bug.cgi?id=636894>
>> <https://bugzilla.redhat.com/**show_bug.cgi?id=636894<https://bugzilla.redhat.com/show_bug.cgi?id=636894>>)
>> was it
>> resolved in
>> Red Hat 5 as I think i'm expering the issue with my RH5u6 clients?
>>
>>
>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
>> restart messagebus after installing certmonger. Should be easy to do
>> in a kickstart.
>>
>>
>> yeah got the "killall -HUP dbus-daemon" in there now.
>>
>> Cheers
>> Charlie
>>
>>
>> rob
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110623/b5f77388/attachment.htm>
More information about the Freeipa-users
mailing list