[Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install

pasqual milvaques milvaques_pas at gva.es
Mon May 14 08:20:57 UTC 2012


The people from Ubuntu pointed me to this bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127

Enabling SSL3 on the server with these commands served as a workaround:

ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on

exit

but the client doesn't completely join the domain, because there is no 
system-wide NSS database on the system:

New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad database.

Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1292, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1279, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1124, in install
     run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
     raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255
pasqual at ubuntuprovesfreeipa:~$

I can create it with these commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb

but it asks for a password. There are some obscure references to using a 
password file called pwdfile.txt that resides on the server, but I'm not 
sure what to do now. Perhaps the password must be blank. Any idea?

thanks



On 11/05/12 16:40, pasqual milvaques wrote:
> I have downloaded and compiled some versions of gnutls and this is the 
> result:
> gnutls-2.8.5: works
> gnutls-2.12.19: fail
> gnutls-3.0.19: fail
>
> This must affect distributions in which LDAPS connections are based on 
> gnutls (I only know of Debian and Ubuntu).
>
> The problem can be tested with this command:
> gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es
>
> If you have a problematic gnutls version, the command ends with 
> these lines:
> ...
> |<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
> |<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
> |<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
> |<2>| ASSERT: gnutls_buffers.c:640
> |<2>| ASSERT: gnutls_record.c:969
> |<2>| ASSERT: gnutls_handshake.c:2762
> *** Fatal error: A TLS packet with unexpected length was received.
> |<4>| REC: Sending Alert[2|22] - Record overflow
> |<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
> |<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
> *** Handshake has failed
> GnuTLS error: A TLS packet with unexpected length was received.
> |<4>| REC[0x9bb40d0]: Epoch #0 freed
> |<4>| REC[0x9bb40d0]: Epoch #1 freed
> pasqual at ubuntuprovesfreeipa:~/gnutls-2.12.19$
>
> Any idea how to make this work?
>
> On 11/05/12 13:16, pasqual milvaques wrote:
>> I'm trying to join an Ubuntu 12.04 machine to a FreeIPA domain 
>> installed on a CentOS 6.2 machine, and it seems there is some problem 
>> with the TLS negotiation. Ubuntu 12.04 uses gnutls instead of OpenSSL, 
>> so the problem could be there, but I don't know how to solve it. With 
>> the ldapsearch command I can also reproduce the failure.
>>
>> I have opened this Ubuntu bug, as FreeIPA now has a native client 
>> package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990
>>
>> Any idea?
>>
>> This is the log of the operation:
>>
>> pasqual at ubuntuprovesfreeipa:~$ sudo ipa-client-install -d 
>> --enable-dns-updates
>> [sudo] password for pasqual:
>> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: 
>> {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': 
>> False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': 
>> None, 'permit': False, 'server': None, 'prompt_password': False, 
>> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 
>> 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': 
>> None, 'unattended': None, 'principal': None}
>> root : DEBUG missing options might be asked for interactively later
>>
>> root : DEBUG Loading Index file from 
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root : DEBUG Loading StateFile from 
>> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> root : DEBUG [ipadnssearchldap(linux.gva.es)]
>> root : DEBUG [ipadnssearchldap(gva.es)]
>> root : DEBUG [ipadnssearchldap(es)]
>> root : DEBUG [ipadnssearchldap(linux.gva.es)]
>> root : DEBUG [ipadnssearchldap(gva.es)]
>> root : DEBUG [ipadnssearchldap(es)]
>> root : DEBUG Domain not found
>> DNS discovery failed to determine your DNS domain
>> Provide the domain name of your IPA server (ex: example.com): 
>> linux.gva.es
>> root : DEBUG will use domain: linux.gva.es
>>
>> root : DEBUG [ipadnssearchldap]
>> root : DEBUG IPA Server not found
>> DNS discovery failed to find the IPA Server
>> Provide your IPA server name (ex: ipa.example.com): 
>> freeipaserver.linux.gva.es
>> root : DEBUG will use server: freeipaserver.linux.gva.es
>>
>> root : DEBUG [ipadnssearchkrb]
>> root : DEBUG [ipacheckldap]
>> root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 
>> http://freeipaserver.linux.gva.es/ipa/config/ca.crt
>> root : DEBUG stdout=
>> root : DEBUG stderr=--2012-05-11 12:06:09-- 
>> http://freeipaserver.linux.gva.es/ipa/config/ca.crt
>> Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 
>> 192.168.222.99
>> S'està connectant a freeipaserver.linux.gva.es 
>> (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
>> HTTP: Petició enviada, esperant resposta... 200 OK
>> Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
>> S'està desant a: «/tmp/tmpWptXwb/ca.crt»
>>
>>      0K . 100% 38.4M=0s
>>
>> 2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» 
>> [1325/1325]
>>
>> root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
>> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected 
>> length was received.
>> Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
>> This may mean that the remote server is not up or is not reachable
>> due to network or firewall settings.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> pasqual at ubuntuprovesfreeipa:~$
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
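The open question in the post is how to create /etc/pki/nssdb without being prompted for a password, so that the certutil -A step from the installer log succeeds. The script below is an added example, not code from the original post or from the FreeIPA project. It assumes certutil from the NSS tools is installed, that the -f option (read the database password from a file) is available, and that an empty password file yields an empty database password, which is what an unattended client needs; newer certutil builds also offer --empty-password for the same purpose. The paths, the nickname "IPA CA" and the trust flags CT,C,C are taken from the failing command in the log above.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project): create
# the system-wide NSS database that ipa-client-install expects, give it an
# empty password, import the IPA CA with the installer's trust flags, and
# verify the result. Assumes `certutil` (NSS tools) is installed.
set -u

# Create an empty, owner-only password file in DIR and print its path.
# certutil -f reads the database password from this file; an empty file
# means an empty password (assumption stated in the lead-in).
make_empty_pwfile() {
    dir=$1
    pwfile="$dir/pwdfile.txt"
    (umask 077; : > "$pwfile")
    echo "$pwfile"
}

# Initialise a new NSS database in DBDIR (created if missing) using PWFILE.
# certutil -N does not create the directory itself, hence the mkdir -p.
nss_init_db() {
    dbdir=$1; pwfile=$2
    mkdir -p "$dbdir"
    certutil -N -d "$dbdir" -f "$pwfile"
}

# Import a PEM CA certificate into DBDIR under NICK with trust flags CT,C,C
# (trusted CA for TLS clients and servers, e-mail and object signing); this
# is the same command that failed in the installer log with "bad database".
nss_import_ca() {
    dbdir=$1; certfile=$2; nick=$3
    certutil -A -d "$dbdir" -n "$nick" -t "CT,C,C" -a -i "$certfile"
}

# List the certificates in DBDIR; returns certutil's exit status, so a
# missing or corrupt database shows up as a non-zero status.
nss_list_certs() {
    certutil -L -d "$1"
}

# Succeed only if NICK exists in DBDIR and carries the CT,C,C trust flags.
nss_check_ca() {
    dbdir=$1; nick=$2
    certutil -L -d "$dbdir" -n "$nick" >/dev/null 2>&1 || return 1
    certutil -L -d "$dbdir" | grep -F "$nick" | grep -q 'CT,C,C'
}

# Usage with the paths from the post (run as root): sh nssdb-setup.sh run
if [ "${1:-}" = "run" ]; then
    pw=$(make_empty_pwfile /etc/pki)
    nss_init_db /etc/pki/nssdb "$pw"
    nss_import_ca /etc/pki/nssdb /etc/ipa/ca.crt "IPA CA"
    nss_check_ca /etc/pki/nssdb "IPA CA" \
        && echo "IPA CA imported into /etc/pki/nssdb with trust CT,C,C"
fi
```

After the database exists, re-running ipa-client-install should get past the certutil -A step; `certutil -L -d /etc/pki/nssdb` should then list "IPA CA" with CT,C,C, and the trust flags are worth checking because a CA imported with the wrong flags is silently not trusted for TLS.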