[Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones Steven.Jones at vuw.ac.nz
Tue May 24 22:13:39 UTC 2011


FYI
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 25 May 2011 9:41 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> Logs.....

Sorry, I had you set the level in the wrong file. Can you set LogLevel
debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 8:51 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Hi,
>>
>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>
>> Is there a solution to this?
>
> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
> and try the join again?
>
> This should give more feedback why mod_auth_kerb/kerberos is rejecting
> the credentials.
>
> rob
>
>>
>>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>> To: Rob Crittenden
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> I must be going blind in my old age.....anyway here they are.
>>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>> To: Rob Crittenden
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> Hi,
>>
>> 1) Screen data of the install from using the -d option.  (attach d.out)
>>
>> 2) ipa-install log
>>
>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>
>> 4) "Did you also run kinit before manually
>> running ipa-join in your testing?"  Yes....
>>
>> 5) For DNS I added,
>>
>>    allow-query {any;};
>>
>> into /etc/named.conf; clients were then not denied DNS.
>>
>> regards
>>
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> Steven Jones wrote:
>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>
>> This is a different mismatch than you were seeing with 5.6 (and a
>> completely different error message).
>>
>> A few things to note:
>>
>> - In general, when you reference any IPA server you should always use
>> the fully-qualified name. The SSL error you had was because the name did
>> not match the certificate.
>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
>> you can always check the Apache error/access logs for diagnostic
>> information.
>> - The integrated DNS stores information in LDAP, not flat files, so
>> having no data in /var/named is not surprising.
>>
>> ipa-join needs authentication in the form of a TGT or a one-time
>> password. It definitely did one in the log you provided and you still
>> got a 401, which is strange. Did you also run kinit before manually
>> running ipa-join in your testing?
>>
>> Running ipa-join or ipa-client-install with the -d option will provide a
>> lot more debugging information.
>>
>> I think the first place to check is the Apache error log to see why the
>> join call failed.
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 550 bytes
Desc: error_log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110524/fda5931c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access_log
Type: application/octet-stream
Size: 74018 bytes
Desc: access_log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110524/fda5931c/attachment-0001.obj>

