[Freeipa-users] Switching a client from one set of IPA servers to another

Rob Crittenden rcritten at redhat.com
Tue Apr 29 17:38:34 UTC 2014


Bret Wortman wrote:
> I'd like to test migrating our clients from the old IPA infrastructure
> to our newer F20-based servers but am having trouble with our first
> clients. Unenrolling them from the old IPA servers went fine, but when I
> try to enroll them with the newer ones, the logs report:
>
> # ipa-client-install -U --server zsipa.foo.net --domain foo.net
> --password obscured --mkhomedir --enable-dns-updates
> LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has
> been marked as not trusted by the user.
> LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has
> been marked as not trusted by the user.
> Failed to verify that zsipa.foo.net is an IPA Server.
> This may mean that the remote server is not up or is not reachable due
> to network or firewall settings.
> :
> :
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> # ps aux | grep firewalld| grep -v grep
> # getenforce
> Disabled
> # cat /var/log/ipaclient-install.log
> :
> :
> DEBUG [LDAP server check]
> DEBUG Verifying that zsipa.foo.net (realm foo.net) is an IPA server
> DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
> ERROR LDAP Error: Connect error: TLS error -8173:Peer's certificate
> issuer has been marked as not trusted by the user.
> DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net,
> kdc=zsipa.foo.net, basedn=None
> DEBUG Validated servers:
> DEBUG will use discovered domain: foo.net
> DEBUG IPA Server not found
> DEBUG [IPA Discovery] Starting IPA discovery with domain=foo.net,
> servers=['zsipa.foo.net'], hostname=jsutil.foo.net
> DEBUG Server and domain forced
> DEBUG [Kerberos realm search]
> DEBUG Search DNS for TXT record of _kerberos.foo.net
> DEBUG DNS record found:
> DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
> DEBUG Search DNS for SRV record of
> _kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
> DEBUG [LDAP server check]
> DEBUG Verifying that zsipa.foo.net (realm FOO.NET) is an IPA server
> DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
> ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate
> issuer has been marked as not trusted by the user.
> DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net,
> kdc=zsipa.foo.net, basedn=None
> DEBUG Validated servers:
> ERROR Failed to verify that zsipa.foo.net is an IPA Server.
> ERROR This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> INFO Please make sure the following ports are opened in the firewall
> settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> DEBUG (zspia.foo.net: Provided as option)
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
>
> I removed the timestamps for readability.
>
> It seems to me that something from the old version is hanging around and
> getting in the way, or that something in the setup of the new server
> isn't quite complete -- which seems more likely, and where should I be
> looking for the actual cause? Is this a problem with a certificate or
> with the server not being discoverable?

You don't say what release the clients are, but try removing 
/etc/ipa/ca.crt. This is fixed in newer releases.

rob




