[Freeipa-users] Switching a client from one set of IPA servers to another

Bret Wortman bret.wortman at damascusgrp.com
Tue Apr 29 17:22:25 UTC 2014


I'd like to test migrating our clients from the old IPA infrastructure 
to our newer F20-based servers but am having trouble with our first 
clients. Unenrolling them from the old IPA servers went fine, but when I 
try to enroll them with the newer ones, the logs report:

# ipa-client-install -U --server zsipa.foo.net --domain foo.net 
--password obscured --mkhomdir --enable-dns-updates
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has 
been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has 
been marked as not trusted by the user.
Failed to verify that zsipa.foo.net is an IPA Server.
This may mean that the remote server is not up or is not reachable due 
to network or firewall settings.
:
:
Installation failed. Rolling back changes.
IPA client is not configured on this system.
# ps aux | grep firewalld| grep -v grep
# getenforce
Disabled
# cat /var/log/ipaclient-install.log
:
:
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm foo.net) is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8173:Peer's certificate 
issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, 
kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
DEBUG will use discovered domain: foo.net
DEBUG IPA Server not found
DEBUG [IPA Discovery] Starting IPA discovery with domain=foo.net, 
servers=['zsipa.foo.net'], hostname=jsutil.foo.net
DEBUG Server and domain forced
DEBUG [Kerberos realm search]
DEBUG Search DNS for TXT record of _kerberos.foo.net
DEBUG DNS record found: 
DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
DEBUG Search DNS for SRV record of 
_kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm FOO.NET)is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate 
issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, 
kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
ERROR Failed to verify that zsipa.foo.net is an IPA Server.
ERROR This may mean that the remote server is not up or is not reachable 
due to network or firewall settings.
INFO Please make sure the following ports are opened in the firewall 
settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working 
properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
DEBUG (zspia.foo.net: Provided as option)
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.

I removed the timestamps for readability.

It seems to me that something from the old version is hanging around and 
getting in the way, or that something in the setup of the new server 
isn't quite complete, which seems more likely. Where should I be 
looking for the actual cause? Is this a problem with a certificate or 
with the server not being discoverable?


-- 
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret
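A check for the certificate question the post ends on, added here as an example and not part of the original thread or of FreeIPA: it isolates whether the certificate the LDAP server presents chains to the CA file the client trusts (the file ipa-client-install keeps at /etc/ipa/ca.crt), using openssl(1) rather than the NSS library the installer itself uses for the same issuer-trust decision. Assumes openssl is installed (1.1.1 or later for "-starttls ldap"); the CA and host names are constructed test data.

```shell
# Added example, not from the original post or from FreeIPA. Assumes openssl(1)
# (1.1.1+ for "-starttls ldap"); CA and host names are constructed test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# make_ca NAME: throwaway self-signed CA at $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server_cert CA HOST: leaf certificate for HOST issued by CA
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to CAFILE CERT: succeeds only if CERT verifies against CAFILE, the same
# trust decision the client's LDAP check makes with its own CA file
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: the issuer DN, the first thing to compare on a mismatch
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# fetch_ldap_cert HOST OUT: live form of the check. Saves the certificate the
# LDAP server presents after STARTTLS on 389, to feed to chains_to together with
# the CA file the client trusts (/etc/ipa/ca.crt). Needs network; not run here.
fetch_ldap_cert() {
    openssl s_client -connect "$1:389" -starttls ldap -showcerts </dev/null \
        2>/dev/null | openssl x509 -out "$2"
}

# Offline demo: server re-issued under a new CA, checked against a stale CA file
make_ca old-ipa-ca
make_ca new-ipa-ca
make_server_cert new-ipa-ca zsipa.example
if chains_to "$WORK/old-ipa-ca.crt" "$WORK/zsipa.example.crt"; then
    echo "stale CA file still trusts the server certificate"
else
    echo "not trusted by the stale CA file: $(issuer_of "$WORK/zsipa.example.crt")"
fi
chains_to "$WORK/new-ipa-ca.crt" "$WORK/zsipa.example.crt" && echo "trusted with the current CA file"
```

On a real client, run fetch_ldap_cert against the new server and pass the saved certificate plus /etc/ipa/ca.crt to chains_to; a failure there, with issuer_of naming a CA other than the one in that file, points at the certificate rather than at discovery or the firewall.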
