[Freeipa-users] ipa-client-install errors via kickstart

Charlie Derwent shelltoesuperstar at gmail.com
Thu Jun 23 22:37:28 UTC 2011


On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Charlie Derwent wrote:
>
>>
>>
>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>    Charlie Derwent wrote:
>>
>>        Hi
>>
>>        I'm running FreeIPA server on F14 and connecting to a F14
>>        client. When I
>>        run ipa-client-install (via kickstart or after the client has
>>        installed)
>>        I'm getting the following error message.
>>
>>        root        : DEBUG
>>        root        : ERROR    LDAP Error: Connect error: Start TLS request
>>        accepted. Server willing to negotiate SSL
>>        Failed to verify that ipa.test.net <http://ipa.test.net>
>>        <http://ipa.test.net> is an IPA server
>>
>>        This may mean that the remote server is not up or is not
>>        reachable due
>>        to network or firewall settings
>>
>>
>>    What version of IPA are you running on the client and server?
>>
>> Server is running 2.0.0.rc3-0
>> F14 Client is running  2.0.0.rc3-0
>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>> All the boxes are 64-bit
>>
>
> How are you invoking ipa-client-install? The error message looks a bit odd
> and I'm not sure if it is a mail client mucking it up or something else (the
> addition of http://ipa.test.net)
>
> rob
>
Yeah, that's a mail client quirk; there was only one http://ipa.test.net in
my original email.

I'm getting the same error if I run "ipa-client-install" with no switches or
"ipa-client-install --server=ipa.test.net --domain=test.net
--realm=TEST.NET etc..". There are other switches I have in my kickstart
scripts, but I'm not at the lab right now so I couldn't tell you what they
are; suffice to say I'm connecting without any issue if I rekick a rhel or
centos build on the exact same server.

The really weird thing is I have an older box I built to F14 a few weeks ago
and that's been connected for weeks with the exact same client rpm. I just
hope I don't have to rebuild it! Is there any way to check if the
dependencies between the two builds vary?

Charlie
>
>
>
>>    Can you check the 389-ds access log to see if you can see the
>>    connection and any errors reported with it?
>>
>>  Nothing in the access.log on the server.
>>
>>
>>
>>
>>        The ipa server is definitely up and running, it's still
>>        authenticating
>>        other servers in the network and when I rebuild the client with
>>        rhel or
>>        centos it can enroll (almost) without issue (see below).
>>
>>        The second issue was this certmonger related bug where
>>        certmonger fails
>>        to start on new install
>>        (https://bugzilla.redhat.com/show_bug.cgi?id=636894)
>>        was it resolved in
>>        Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?
>>
>>
>>    Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
>>    restart messagebus after installing certmonger. Should be easy to do
>>    in a kickstart.
>>
>>
>> Yeah, got the "killall -HUP dbus-daemon" in there now.
>>
>> Cheers
>> Charlie
>>
>>
>>    rob
>>
>>
>>
>