[Freeipa-users] Unable to install client
Mohan Cheema
mohan.cheema at arrkgroup.com
Mon Oct 7 13:05:37 UTC 2013
Hi,
I am trying to install the client on one of the machines and I'm getting the following
error:
--------------------------------
Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
--------------------------------
I am able to install the same on other clients.
Output of running in debug mode:
-------------------------------------
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'EXAMPLE.COM', 'force': False, 'krb5_offline_passwords': True, 'primary':
True, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server':
None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended':
None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False,
'realm_name': None, 'conf_ssh': True, 'server': ['ipa1.example.com',
'ipa2.example.com'], 'prompt_password': False, 'permit': False, 'debug':
True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=['ipa1.example.com',
'ipa2.example.com'], hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa1.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa1.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa1.example.com, domain=EXAMPLE.COM,
ipa=None, basedn=dc=example,dc=com
will use discovered domain: EXAMPLE.COM
Using servers from command line, disabling DNS discovery
will use provided server: ipa1.example.com, ipa2.example.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always
access the discovered server for all operations and will not fail over to
other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: EXAMPLE.COM
will use discovered basedn: dc=example,dc=com
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=ipa2.example.com,
hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa2.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa2.example.com, domain=EXAMPLE.COM,
ipa=None, basedn=dc=example,dc=com
Hostname: perf-fe1.example.com
Hostname source: Machine's FQDN
Realm: EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in ipa1.example.com
DNS Domain: EXAMPLE.COM
DNS Domain source: Forced
IPA Server: ipa1.example.com, ipa2.example.com
IPA Server source: Provided as option
BaseDN: dc=example,dc=com
BaseDN source: From IPA server ldap://ipa1.example.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.EXAMPLE.COM.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmpune77A:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_ipa = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
ipa = ipa1.example.com:88
master_ipa = ipa1.example.com:88
admin_server = ipa1.example.com:749
ipa = ipa2.example.com:88
master_ipa = ipa2.example.com:88
admin_server = ipa2.example.com:749
default_domain = EXAMPLE.COM
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Password for admin at EXAMPLE.COM:
args=kinit admin at EXAMPLE.COM
stdout=Password for admin at EXAMPLE.COM:
stderr=
trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
get_ca_cert_from_ldap() error: Unknown authentication method SASL(-4): no
mechanism available: No worthy mechs found
{'info': 'SASL(-4): no mechanism available: No worthy mechs found', 'desc':
'Unknown authentication method'}
Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------
Seeing the above, it seems that LDAP is not running on SSL. I have verified it with the
following command 'ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin'
and it does return the results.
Any help/info will be really helpful.
Regards,
Mohan