[Freeipa-users] RHEL 5.11 as IPA client

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 10 10:29:44 UTC 2015


On Wed, 10 Jun 2015, Alexander Frolushkin wrote:
>Hello.
>We cannot log in to our IPA-enrolled RHEL 5.11 host using any IPA (4.1) native or AD trusted users.
>Seems like it fails on connection to server. SSSD logs attached.
>Additionally, is it ever possible now to use AD trusted users to ssh into RHEL 5 servers?
>Logs and sssd config attached.
RHEL5 uses the OpenSSL crypto library, which doesn't support TLS 1.1+,
which is required by default by IPA 4.1. Your potential fix would be to
allow TLS 1.0 use on the server side, but you need to know what this
leads to:

https://access.redhat.com/articles/1294573

You seem to have issues on RHEL5 with the TLS1.0+ configuration which is
in use by the LDAP server:
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_process_result]
(8): Trace: sh[0x15b01590], connected[1], ops[0x15b01e40],
ldap[0x15b019d0]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3):
START TLS result: Success(0), Start TLS request accepted.Server willing
to negotiate SSL.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [Start TLS request
accepted.Server willing to negotiate SSL.]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_handle_release]
(8): Trace: sh[0x15b01590], connected[1], ops[(nil)], ldap[0x15b019d0],
destructor_lock[0], release_memory[0]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]]
[remove_connection_callback] (9): Successfully removed connection
callback.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [fo_set_port_status] (4):
Marking port 389 of server 'sib-rhidm01.unix.megafon.ru' as 'not
working'
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Sending result [4][default]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Sent result [4][default]
(Wed Jun 10 17:05:22 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus
conn: 15AF0830
(Wed Jun 10 17:05:22 2015) [sssd[be[default]]] [sbus_dispatch] (9):
Dispatching.


-- 
/ Alexander Bokovoy
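
A triage helper for the failure pattern in the log excerpt above, as an added example that is not part of the original message: it flags connections where sssd logs StartTLS as accepted, then `ldap_install_tls failed`, then the LDAP port marked 'not working'. The sample log is constructed from the excerpt, `ipa.example.test` is a placeholder server name, and the function names are hypothetical.

```python
import re

# sssd debug header: "(timestamp) [sssd[be[domain]]] [function] (level): message"
TS = r"\w{3} \w{3} +\d+ [\d:]+ \d{4}"
RECORD = re.compile(
    rf"\((?P<ts>{TS})\)\s+\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    rf"\[(?P<func>\w+)\]\s+\((?P<level>\d+)\):\s+(?P<msg>.*?)"
    rf"(?=\({TS}\)\s+\[sssd\[|\Z)", re.DOTALL)
PORT_DOWN = re.compile(r"Marking port (\d+) of server '([^']+)' as 'not working'")

def parse(text):
    """Yield one dict per record; tolerates records hard-wrapped by a mail client."""
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        rec["msg"] = " ".join(rec["msg"].split())  # undo line wrapping
        yield rec

def find_starttls_failures(text):
    """Return connections where StartTLS was accepted but the TLS handshake failed."""
    findings, accepted, failed_at = [], False, None
    for rec in parse(text):
        tls_step = rec["func"] == "sdap_connect_done"
        if tls_step and "START TLS result: Success" in rec["msg"]:
            accepted, failed_at = True, None
        elif tls_step and "ldap_install_tls failed" in rec["msg"]:
            failed_at = rec["ts"] if accepted else None
        elif rec["func"] == "fo_set_port_status" and failed_at:
            m = PORT_DOWN.search(rec["msg"])
            if m:
                findings.append({"time": failed_at, "domain": rec["domain"],
                                 "port": int(m.group(1)), "server": m.group(2)})
            accepted, failed_at = False, None
    return findings

# Constructed sample: lines modelled on the excerpt above, placeholder server name.
SAMPLE = """\
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3):
START TLS result: Success(0), Start TLS request accepted.Server willing
to negotiate SSL.
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [sdap_connect_done] (3):
ldap_install_tls failed: [Connect error] [Start TLS request
accepted.Server willing to negotiate SSL.]
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [fo_set_port_status] (4):
Marking port 389 of server 'ipa.example.test' as 'not
working'
(Wed Jun 10 17:05:16 2015) [sssd[be[default]]] [be_pam_handler_callback]
(4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""

print(find_starttls_failures(SAMPLE))
```

A hit only shows that the handshake failed after the server accepted StartTLS; the protocol-version cause still has to be confirmed against the server's TLS settings.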



