[Freeipa-users] ipa-client-install errors via kickstart
Adam Young
ayoung at redhat.com
Mon Jun 27 16:13:28 UTC 2011
On 06/27/2011 11:01 AM, Rob Crittenden wrote:
> Charlie Derwent wrote:
>>
>>
>> On Mon, Jun 27, 2011 at 2:07 PM, Adam Young <ayoung at redhat.com> wrote:
>>
>> On 06/26/2011 08:35 AM, Charlie Derwent wrote:
>>>
>>>
>>> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>> Charlie Derwent wrote:
>>>
>>>
>>>
>>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>> Charlie Derwent wrote:
>>>
>>> Hi
>>>
>>> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
>>> run ipa-client-install (via kickstart or after the client has installed)
>>> I'm getting the following error message.
>>>
>>> root : DEBUG
>>> root : ERROR LDAP Error: Connect error:
>>> Start TLS request
>>> accepted. Server willing to negotiate SSL
>>> Failed to verify that ipa.test.net
>>> <http://ipa.test.net> <http://ipa.test.net>
>>> <http://ipa.test.net> is an IPA server
>>>
>>> This may mean that the remote server is not up or
>>> is not
>>> reachable due
>>> to network or firewall settings
>>>
>>>
>>> What version of IPA are you running on the client and
>>> server?
>>>
>>> Server is running 2.0.0.rc3-0
>>> F14 Client is running 2.0.0.rc3-0
>>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>>> All the boxes are 64-bit
>>>
>>>
>>> How are you invoking ipa-client-install? The error message
>>> looks a bit odd and I'm not sure if it is a mail client
>>> mucking it up or something else (the addition of
>>> http://ipa.test.net)
>>>
>>> rob
>>>
>>>
>>>
>>> Can you check the 389-ds access log to see if you can
>>> see the
>>> connection and any errors reported with it?
>>>
>>> Nothing in the access.log on the server.
>>>
>>>
>>>
>>>
>>> The ipa server is definitely up and running, it's still authenticating
>>> other servers in the network and when I rebuild the client with rhel or
>>> centos it can enroll (almost) without issue (see below).
>>>
>>> The second issue was this certmonger related bug where certmonger fails
>>> to start on new install
>>> (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
>>> Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?
>>>
>>>
>>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
>>> restart messagebus after installing certmonger. Should be easy to do
>>> in a kickstart.
>>>
>>>
>>> yeah got the "killall -HUP dbus-daemon" in there now.
>>>
>>> Cheers
>>> Charlie
>>>
>>>
>>> rob
>>>
>>>
>>>
>>>
>>> Figured it out! Well partly... it's a dependency issue. I
>>> installed pretty much everything onto the box and it started to
>>> work but on my cut down server no joy. Finding the missing RPM
>>> might be a little bit trickier unless someone could deduce
>>> what RPM's absence could cause that error?
>>>
>>> It's hard cause it may be a dependency for the ipa-client or a
>>> dependency of a dependency and so forth!
>>
>> If you are doing a DNS install for the server, you need
>> bind-dyndb-ldap, which is the LDAP backend for the DNS server.
>>
>>
>> This was a client side issue (apologies for saying "cut down server" I
>> meant server in a hardware sense rather than server/client model). But
>> yeah bind-dyndb-ldap is installed on my server.
>>
>
> A brute force way would be to do rpm -qa > list on both installs so we
> can compare the two and try to find some important difference.
>
> rob
Would the client install log report an error if something was missing?
/var/log/ipaclient-install.log
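
Added example, not part of the original thread: a POSIX shell script for the `rpm -qa` comparison suggested above, reduced to package names so that version or architecture differences do not hide a genuinely missing RPM. The function names, file names and package names are hypothetical, and the sample lists are constructed.

```shell
#!/bin/sh
# Compare two `rpm -qa > list` captures: one from the install where
# ipa-client-install works, one from the cut-down install where it fails.

# Reduce name-version-release[.arch] lines to bare package names.
# Version and release never contain '-', so the name is everything
# before the last two '-'-separated fields (names may contain '-').
pkg_names() {
    sed -E 's/-[^-]+-[^-]+$//' "$1" | LC_ALL=C sort -u
}

# Print packages present in the working list ($1) but absent from
# the cut-down list ($2), one name per line.
missing_pkgs() {
    tmp=$(mktemp -d) || return 1
    pkg_names "$1" > "$tmp/working"
    pkg_names "$2" > "$tmp/minimal"
    LC_ALL=C comm -23 "$tmp/working" "$tmp/minimal"
    rm -rf "$tmp"
}

# Constructed sample data (not from the thread): writes two small
# listings into directory $1 so the comparison can be tried offline.
write_sample_lists() {
    cat > "$1/working.list" <<'EOF'
example-shell-4.1-4.fc14.x86_64
example-tls-libs-1.2.3-4.fc14.x86_64
example-tools-0.9-2.fc14.noarch
EOF
    cat > "$1/minimal.list" <<'EOF'
example-shell-4.1-3.fc14.x86_64
EOF
}

# Usage: sh pkgdiff.sh working.list minimal.list
if [ "$#" -eq 2 ]; then
    missing_pkgs "$1" "$2"
fi
```

Each name printed is a candidate to install on the failing client and retest, checking /var/log/ipaclient-install.log after each attempt.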