[Freeipa-users] Switching a client from one set of IPA servers to another

Bret Wortman bret.wortman at damascusgrp.com
Tue Apr 29 17:40:18 UTC 2014


Crap. Thought I caught this before I sent it.

# rm -f /etc/ipa/ca.crt


On 04/29/2014 01:22 PM, Bret Wortman wrote:
> I'd like to test migrating our clients from the old IPA infrastructure 
> to our newer F20-based servers but am having trouble with our first 
> clients. Unenrolling them from the old IPA servers went fine, but when 
> I try to enroll them with the newer ones, the logs report:
>
> # ipa-client-install -U --server zsipa.foo.net --domain foo.net 
> --password obscured --mkhomdir --enable-dns-updates
> LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer 
> has been marked as not trusted by the user.
> LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer 
> has been marked as not trusted by the user.
> Failed to verify that zsipa.foo.net is an IPA Server.
> This may mean that the remote server is not up or is not reachable due 
> to network or firewall settings.
> :
> :
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> # ps aux | grep firewalld| grep -v grep
> # getenforce
> Disabled
> # cat /var/log/ipaclient-install.log
> :
> :
> DEBUG [LDAP server check]
> DEBUG Verifying that zsipa.foo.net (realm foo.net) is an IPA server
> DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
> ERROR LDAP Error: Connect error: TLS error -8173:Peer's certificate 
> issuer has been marked as not trusted by the user.
> DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, 
> kdc=zsipa.foo.net, basedn=None
> DEBUG Validated servers:
> DEBUG will use discovered domain: foo.net
> DEBUG IPA Server not found
> DEBUG [IPA Discovery] Starting IPA discovery with domain=foo.net, 
> servers=['zsipa.foo.net'], hostname=jsutil.foo.net
> DEBUG Server and domain forced
> DEBUG [Kerberos realm search]
> DEBUG Search DNS for TXT record of _kerberos.foo.net
> DEBUG DNS record found: 
> DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
> DEBUG Search DNS for SRV record of 
> _kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
> DEBUG [LDAP server check]
> DEBUG Verifying that zsipa.foo.net (realm FOO.NET)is an IPA server
> DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
> ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate 
> issuer has been marked as not trusted by the user.
> DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, 
> kdc=zsipa.foo.net, basedn=None
> DEBUG Validated servers:
> ERROR Failed to verify that zsipa.foo.net is an IPA Server.
> ERROR This may mean that the remote server is not up or is not 
> reachable due to network or firewall settings.
> INFO Please make sure the following ports are opened in the firewall 
> settings:
>     TCP: 80, 88, 389
>     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working 
> properly after enrollment:
>     TCP: 464
>     UDP: 464, 123 (if NTP enabled)
> DEBUG (zspia.foo.net: Provided as option)
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
>
> I removed the timestamps for readability.
>
> It seems to me that something from the old version is hanging around 
> and getting in the way, or that something in the setup of the new 
> server isn't quite complete -- which seems more likely, and where 
> should I be looking for the actual cause? Is this a problem with a 
> certificate or with the server not being discoverable?
>
>
> -- 
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
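The "TLS error -8172" above is NSS's SEC_ERROR_UNTRUSTED_ISSUER: the client still holds the old deployment's CA in /etc/ipa/ca.crt, so the new server's LDAP certificate fails verification. The following pre-check is an added example (not from this thread or from FreeIPA itself) that compares the fingerprint of the CA on disk with the CA the target server publishes at /ipa/config/ca.crt, so the stale trust anchor is replaced deliberately rather than discovered at install time; it assumes the new CA's fingerprint is confirmed out of band, since that HTTP download alone is unauthenticated, and uses constructed PEM stand-ins for offline testing.

```python
import hashlib
import re
import ssl
import urllib.request
from typing import Optional

# NSS codes ipa-client-install reports when the CA on disk cannot vouch for the
# issuer of the new server's LDAP certificate (-8172 is the one in the post).
NSS_TRUST_ERRORS = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
}

# Constructed stand-ins for the old /etc/ipa/ca.crt and the new server's CA (not
# real certificates); PEM_cert_to_DER_cert only strips the armour, so any base64
# body is enough to exercise the comparison offline.
OLD_CA_PEM_SAMPLE = "-----BEGIN CERTIFICATE-----\nb2xkLWlwYS1jYQ==\n-----END CERTIFICATE-----\n"
NEW_CA_PEM_SAMPLE = "-----BEGIN CERTIFICATE-----\nbmV3LWlwYS1jYQ==\n-----END CERTIFICATE-----\n"

def ca_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, colon-separated uppercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_server_ca(server: str) -> str:
    """Download the CA a FreeIPA server publishes at /ipa/config/ca.crt (plain HTTP)."""
    with urllib.request.urlopen(f"http://{server}/ipa/config/ca.crt", timeout=10) as resp:
        return resp.read().decode("ascii")

def trust_anchor_status(local_pem: str, server_pem: str,
                        expected_fp: Optional[str] = None) -> str:
    """Decide what to do with the client's ca.crt before re-enrolling.

    expected_fp is the new CA's fingerprint obtained out of band from the IPA
    admins; the plain-HTTP download by itself does not authenticate the new CA.
    """
    server_fp = ca_fingerprint(server_pem)
    if expected_fp and server_fp != expected_fp.upper():
        return "server-ca-unverified"  # keep the old ca.crt, investigate first
    if ca_fingerprint(local_pem) == server_fp:
        return "match"                 # ca.crt already trusts the new CA
    return "stale"                     # old CA on disk: replace it, then enroll

def classify_tls_error(log_line: str) -> Optional[str]:
    """Map a 'TLS error -NNNN' line from ipaclient-install.log to its NSS name."""
    m = re.search(r"TLS error (-\d+)", log_line)
    return NSS_TRUST_ERRORS.get(int(m.group(1)), "OTHER_NSS_ERROR") if m else None
```

On a real client, call `trust_anchor_status(open("/etc/ipa/ca.crt").read(), fetch_server_ca("zsipa.foo.net"), expected_fp)` and only remove or replace ca.crt when the result is "stale".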
