[Freeipa-users] HTTP response code is 401, not 200
Jose Alvarez R.
jalvarez at cyberfuel.com
Fri Apr 29 17:00:27 UTC 2016
Hi Rob, Thanks for your response
Yes, It's with admin.
I execute the command "ipa-client-install --debug"
-------------------------------------------------------------------------
[root at ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root at ppa named]#
[root at ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Writing Kerberos configuration to /tmp/tmpqWSatK:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
Password for admin at CYBERFUEL.COM:
args=kinit admin at CYBERFUEL.COM
stdout=Password for admin at CYBERFUEL.COM:
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
Joining realm failed: XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
> POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
It's the version curl IPA server
[root at freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root at freeipa log]#
It's the version curl PPA server(IPA Client)
[root at ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The version curl is different, but the version curl PPA is the repository
Odin Plesk.
-----------------------------------------------------
[root at ppa tmp]# cat kerberos_trace.log
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810252: Getting credentials admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
[12118] 1461855578.810369: Retrieving admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found
[12118] 1461855578.810451: Retrieving admin at CYBERFUEL.COM ->
krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result:
0/Success
[12118] 1461855578.810476: Found cached TGT for service realm:
admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
[12118] 1461855578.810509: Requesting tickets for
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
[12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
[12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
[12118] 1461855578.816714: Response was from master KDC
[12118] 1461855578.816906: TGS reply is for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/BEB2
[12118] 1461855578.816977: TGS request result: 0/Success
[12118] 1461855578.817018: Received creds for desired service
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[12118] 1461855578.817066: Removing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
[12118] 1461855578.817413: Creating authenticator for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 299651167, subkey
aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[12118] 1461855578.874938: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey
aes256-cts/4B32, seqnum 706045221
[17304] 1461858424.873888: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[17304] 1461858424.874126: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874220: Getting credentials admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P
[17304] 1461858424.874413: Retrieving admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found
[17304] 1461858424.874531: Retrieving admin at CYBERFUEL.COM ->
krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result:
0/Success
[17304] 1461858424.874603: Found cached TGT for service realm:
admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
[17304] 1461858424.874631: Requesting tickets for
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
[17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
[17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
[17304] 1461858424.882531: Response was from master KDC
[17304] 1461858424.882775: TGS reply is for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/20DA
[17304] 1461858424.882850: TGS request result: 0/Success
[17304] 1461858424.882883: Received creds for desired service
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[17304] 1461858424.882918: Removing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
[17304] 1461858424.882951: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
[17304] 1461858424.883271: Creating authenticator for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 443746416, subkey
aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[17304] 1461858424.898401: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey
aes256-cts/A0F5, seqnum 906104721
[23457] 1461863053.621386: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[23457] 1461863053.621602: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.621719: Getting credentials admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3
[23457] 1461863053.621918: Retrieving admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found
[23457] 1461863053.622097: Retrieving admin at CYBERFUEL.COM ->
krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result:
0/Success
[23457] 1461863053.622144: Found cached TGT for service realm:
admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
[23457] 1461863053.622176: Requesting tickets for
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
[23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
[23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
[23457] 1461863053.628229: Response was from master KDC
[23457] 1461863053.628485: TGS reply is for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9E88
[23457] 1461863053.628560: TGS request result: 0/Success
[23457] 1461863053.628610: Received creds for desired service
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[23457] 1461863053.628655: Removing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3
[23457] 1461863053.628689: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3
[23457] 1461863053.629119: Creating authenticator for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 13046067, subkey
aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey
aes256-cts/8866, seqnum 421358565
[23749] 1461863277.525338: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525469: Getting credentials admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmprfuOsj
[23749] 1461863277.525529: Retrieving admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found
[23749] 1461863277.525572: Retrieving admin at CYBERFUEL.COM ->
krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result:
0/Success
[23749] 1461863277.525584: Found cached TGT for service realm:
admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
[23749] 1461863277.525593: Requesting tickets for
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
[23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
[23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
[23749] 1461863277.530737: Response was from master KDC
[23749] 1461863277.530881: TGS reply is for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/79C3
[23749] 1461863277.530931: TGS request result: 0/Success
[23749] 1461863277.530948: Received creds for desired service
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[23749] 1461863277.530962: Removing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj
[23749] 1461863277.530971: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj
[23749] 1461863277.531133: Creating authenticator for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 1019693263, subkey
aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey
aes256-cts/5194, seqnum 376027188
[25544] 1461864401.258277: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.258678: Getting credentials admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpbzX7EN
[25544] 1461864401.258873: Retrieving admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found
[25544] 1461864401.259040: Retrieving admin at CYBERFUEL.COM ->
krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result:
0/Success
[25544] 1461864401.259076: Found cached TGT for service realm:
admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
[25544] 1461864401.259102: Requesting tickets for
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
[25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
[25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
[25544] 1461864401.264593: Response was from master KDC
[25544] 1461864401.264893: TGS reply is for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9106
[25544] 1461864401.264966: TGS request result: 0/Success
[25544] 1461864401.264996: Received creds for desired service
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[25544] 1461864401.265029: Removing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265058: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265581: Creating authenticator for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 921501424, subkey
aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey
aes256-cts/0E9F, seqnum 871496824
[18097] 1461937028.664354: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664490: Getting credentials admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpF9x_o8
[18097] 1461937028.664549: Retrieving admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found
[18097] 1461937028.664590: Retrieving admin at CYBERFUEL.COM ->
krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result:
0/Success
[18097] 1461937028.664601: Found cached TGT for service realm:
admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
[18097] 1461937028.664611: Requesting tickets for
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
[18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
[18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
[18097] 1461937028.668984: Response was from master KDC
[18097] 1461937028.669109: TGS reply is for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9592
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.669156: Received creds for desired service
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[18097] 1461937028.669167: Removing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 940175329, subkey
aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server
principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
[18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM ->
krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey
aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: viernes 29 de abril de 2016 09:34 a.m.
To: Jose Alvarez R. <jalvarez at cyberfuel.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Jose Alvarez R. wrote:
> Hi Users
>
> You can help me?
>
> I have the problem for join a client to my FREEIPA Server. The version
> IPA Server is 3.0 and IP client is 3.0
>
> When I join my client to IPA server show these errors:
>
> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>
> 2016-04-28T17:26:41Z DEBUG stderr=
>
> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://freeipa.cyberfuel.com
>
> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
> identical
>
> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>
> 2016-04-28T17:26:41Z DEBUG stdout=
>
> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>
> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
> 401, not 200
>
> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>
> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see if
there are any more details. Look for the BIND from the client and see what
happens.
More context from the log file might be helpful. I believe if you run the
client installer with --debug then additional flags are passed to ipa-join
to include the XML-RPC conversation and that might be useful too.
What account are you using to enroll with, admin?
rob
More information about the Freeipa-users
mailing list