[Freeipa-users] HTTP response code is 401, not 200

Rob Crittenden rcritten at redhat.com
Fri Apr 29 17:14:07 UTC 2016


Jose Alvarez R. wrote:
> Hi Rob, Thanks for your response
>
> Yes, It's with admin.

I assume this is a problem with your version of xmlrpc-c. We use 
standard xmlrpc-c calls to set up authentication and IIRC that 
links against libcurl which provides the Kerberos/GSSAPI support. On EL6 
you need xmlrpc-c >= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look 
like RPM versions that seem to point to RHEL 6.

rob

>
> I execute the command "ipa-client-install --debug"
> -------------------------------------------------------------------------
>
>
> [root at ppa named]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
> 'primary': False, 'mkhomedir
> ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
> False, 'principal': None
> , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
> 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
> 'conf_sudo': True, 'conf_ssh': Tr
> ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
> False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None,
> hostname=ppa.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
> hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
> port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
> EL.COM}
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
> y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com,
> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> Validated servers: freeipa.cyberfuel.com
> will use discovered domain: cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
> Discovery) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
> port:389,weight:50,server:freeipa.cyberfuel.com.}
> DNS validated, enabling discovery
> will use discovered server: freeipa.cyberfuel.com
> Discovery was successful!
> will use discovered realm: CYBERFUEL.COM
> will use discovered basedn: dc=cyberfuel,dc=com
> Hostname: ppa.cyberfuel.com
> Hostname source: Machine's FQDN
> Realm: CYBERFUEL.COM
> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> DNS Domain: cyberfuel.com
> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
> the hostname)
> IPA Server: freeipa.cyberfuel.com
> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> BaseDN: dc=cyberfuel,dc=com
> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>
> Continue to configure the system with these values? [no]: no
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> [root at ppa named]#
> [root at ppa named]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
> True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
> None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
> False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
> True, 'force_join': False, 'ca_cert_file': None, 'server': None,
> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
> False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None,
> hostname=ppa.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
> hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
> port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
> EL.COM}
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
> y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com,
> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> Validated servers: freeipa.cyberfuel.com
> will use discovered domain: cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
> Discovery) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
> port:389,weight:50,server:freeipa.cyberfuel.com.}
> DNS validated, enabling discovery
> will use discovered server: freeipa.cyberfuel.com
> Discovery was successful!
> will use discovered realm: CYBERFUEL.COM
> will use discovered basedn: dc=cyberfuel,dc=com
> Hostname: ppa.cyberfuel.com
> Hostname source: Machine's FQDN
> Realm: CYBERFUEL.COM
> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> DNS Domain: cyberfuel.com
> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
> the hostname)
> IPA Server: freeipa.cyberfuel.com
> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> BaseDN: dc=cyberfuel,dc=com
> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>
> Continue to configure the system with these values? [no]: yes
> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
> stdout=
> stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
>
> User authorized to enroll computers: admin
> will use principal provided as option: admin
> Synchronizing time with KDC...
> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
> No DNS record found
> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> stdout=
> stderr=
> Writing Kerberos configuration to /tmp/tmpqWSatK:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>    default_realm = CYBERFUEL.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>    udp_preference_limit = 0
>
>
> [realms]
>    CYBERFUEL.COM = {
>      kdc = freeipa.cyberfuel.com:88
>      master_kdc = freeipa.cyberfuel.com:88
>      admin_server = freeipa.cyberfuel.com:749
>      default_domain = cyberfuel.com
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>
>    }
>
>
> [domain_realm]
>    .cyberfuel.com = CYBERFUEL.COM
>    cyberfuel.com = CYBERFUEL.COM
>
>
>
> Password for admin at CYBERFUEL.COM:
> args=kinit admin at CYBERFUEL.COM
> stdout=Password for admin at CYBERFUEL.COM:
>
> stderr=
> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> Existing CA cert and Retrieved CA cert are identical
> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>ppa.cyberfuel.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> *   Trying 192.168.20.90...
> * Adding handle: conn: 0x10bb2f0
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * SSL connection using AES256-SHA
> * Server certificate:
> *        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
> *        start date: 2015-09-30 17:52:11 GMT
> *        expire date: 2017-09-30 17:52:11 GMT
> *        common name: freeipa.cyberfuel.com (matched)
> *        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
> *        SSL certificate verify ok.
>> POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://freeipa.cyberfuel.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 477
>
> * upload completely sent off: 477 out of 477 bytes
> < HTTP/1.1 401 Authorization Required
> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> * Server Apache/2.2.15 (CentOS) is not blacklisted
> < Server: Apache/2.2.15 (CentOS)
> < WWW-Authenticate: Negotiate
> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> < ETag: "a0528-55a-53051ba8f7000"
> < Accept-Ranges: bytes
> < Content-Length: 1370
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
> <
> * Closing connection 0
> HTTP response code is 401, not 200
>
> Joining realm failed: XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>ppa.cyberfuel.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> *   Trying 192.168.20.90...
> * Adding handle: conn: 0x10bb2f0
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * SSL connection using AES256-SHA
> * Server certificate:
> *        subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
> *        start date: 2015-09-30 17:52:11 GMT
> *        expire date: 2017-09-30 17:52:11 GMT
> *        common name: freeipa.cyberfuel.com (matched)
> *        issuer: O=CYBERFUEL.COM; CN=Certificate Authority
> *        SSL certificate verify ok.
>> POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://freeipa.cyberfuel.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 477
>
> * upload completely sent off: 477 out of 477 bytes
> < HTTP/1.1 401 Authorization Required
> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> * Server Apache/2.2.15 (CentOS) is not blacklisted
> < Server: Apache/2.2.15 (CentOS)
> < WWW-Authenticate: Negotiate
> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> < ETag: "a0528-55a-53051ba8f7000"
> < Accept-Ranges: bytes
> < Content-Length: 1370
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
> <
> * Closing connection 0
> HTTP response code is 401, not 200
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> -------------------------------------------------
>
> It's the version curl IPA server
>
> [root at freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root at freeipa log]#
>
>
> It's the version curl PPA server(IPA Client)
>
> [root at ppa named]# rpm -qa | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
>
> The version curl is different, but the version curl PPA is the repository
> Odin Plesk.
>
> -----------------------------------------------------
>
>
> [root at ppa tmp]# cat kerberos_trace.log
>
> [12118] 1461855578.809966: ccselect module realm chose cache
> FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> [12118] 1461855578.810252: Getting credentials admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
> [12118] 1461855578.810369: Retrieving admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with
> result: -1765328243/Matching credential not found
> [12118] 1461855578.810451: Retrieving admin at CYBERFUEL.COM ->
> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result:
> 0/Success
> [12118] 1461855578.810476: Found cached TGT for service realm:
> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> [12118] 1461855578.810509: Requesting tickets for
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> [12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
> [12118] 1461855578.810679: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
> [12118] 1461855578.811466: Initiating TCP connection to stream
> 192.168.0.90:88
> [12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
> [12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
> [12118] 1461855578.816714: Response was from master KDC
> [12118] 1461855578.816906: TGS reply is for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/BEB2
> [12118] 1461855578.816977: TGS request result: 0/Success
> [12118] 1461855578.817018: Received creds for desired service
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [12118] 1461855578.817066: Removing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
> [12118] 1461855578.817107: Storing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
> [12118] 1461855578.817413: Creating authenticator for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 299651167, subkey
> aes256-cts/98D3, session key aes256-cts/BEB2
> [12118] 1461855578.874786: ccselect module realm chose cache
> FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [12118] 1461855578.874938: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey
> aes256-cts/4B32, seqnum 706045221
> [17304] 1461858424.873888: ccselect module realm chose cache
> FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [17304] 1461858424.874126: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> [17304] 1461858424.874220: Getting credentials admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P
> [17304] 1461858424.874413: Retrieving admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with
> result: -1765328243/Matching credential not found
> [17304] 1461858424.874531: Retrieving admin at CYBERFUEL.COM ->
> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result:
> 0/Success
> [17304] 1461858424.874603: Found cached TGT for service realm:
> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> [17304] 1461858424.874631: Requesting tickets for
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> [17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
> [17304] 1461858424.874788: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
> [17304] 1461858424.875805: Initiating TCP connection to stream
> 192.168.20.90:88
> [17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
> [17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
> [17304] 1461858424.882531: Response was from master KDC
> [17304] 1461858424.882775: TGS reply is for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/20DA
> [17304] 1461858424.882850: TGS request result: 0/Success
> [17304] 1461858424.882883: Received creds for desired service
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [17304] 1461858424.882918: Removing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
> [17304] 1461858424.882951: Storing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
> [17304] 1461858424.883271: Creating authenticator for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 443746416, subkey
> aes256-cts/13DE, session key aes256-cts/20DA
> [17304] 1461858424.898190: ccselect module realm chose cache
> FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [17304] 1461858424.898401: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey
> aes256-cts/A0F5, seqnum 906104721
> [23457] 1461863053.621386: ccselect module realm chose cache
> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [23457] 1461863053.621602: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> [23457] 1461863053.621719: Getting credentials admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3
> [23457] 1461863053.621918: Retrieving admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with
> result: -1765328243/Matching credential not found
> [23457] 1461863053.622097: Retrieving admin at CYBERFUEL.COM ->
> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result:
> 0/Success
> [23457] 1461863053.622144: Found cached TGT for service realm:
> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> [23457] 1461863053.622176: Requesting tickets for
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> [23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
> [23457] 1461863053.622331: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
> [23457] 1461863053.623367: Initiating TCP connection to stream
> 192.168.20.90:88
> [23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
> [23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
> [23457] 1461863053.628229: Response was from master KDC
> [23457] 1461863053.628485: TGS reply is for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9E88
> [23457] 1461863053.628560: TGS request result: 0/Success
> [23457] 1461863053.628610: Received creds for desired service
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [23457] 1461863053.628655: Removing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3
> [23457] 1461863053.628689: Storing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3
> [23457] 1461863053.629119: Creating authenticator for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 13046067, subkey
> aes256-cts/BAC3, session key aes256-cts/9E88
> [23457] 1461863053.640471: ccselect module realm chose cache
> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey
> aes256-cts/8866, seqnum 421358565
> [23749] 1461863277.525338: ccselect module realm chose cache
> FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
> [23749] 1461863277.525469: Getting credentials admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmprfuOsj
> [23749] 1461863277.525529: Retrieving admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with
> result: -1765328243/Matching credential not found
> [23749] 1461863277.525572: Retrieving admin at CYBERFUEL.COM ->
> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result:
> 0/Success
> [23749] 1461863277.525584: Found cached TGT for service realm:
> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> [23749] 1461863277.525593: Requesting tickets for
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> [23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
> [23749] 1461863277.525662: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
> [23749] 1461863277.526161: Initiating TCP connection to stream
> 192.168.20.90:88
> [23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
> [23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
> [23749] 1461863277.530737: Response was from master KDC
> [23749] 1461863277.530881: TGS reply is for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/79C3
> [23749] 1461863277.530931: TGS request result: 0/Success
> [23749] 1461863277.530948: Received creds for desired service
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj
> [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj
> [23749] 1461863277.531133: Creating authenticator for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 1019693263, subkey
> aes256-cts/B3E0, session key aes256-cts/79C3
> [23749] 1461863277.542808: ccselect module realm chose cache
> FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
> [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey
> aes256-cts/5194, seqnum 376027188
> [25544] 1461864401.258277: ccselect module realm chose cache
> FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
> [25544] 1461864401.258678: Getting credentials admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpbzX7EN
> [25544] 1461864401.258873: Retrieving admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with
> result: -1765328243/Matching credential not found
> [25544] 1461864401.259040: Retrieving admin at CYBERFUEL.COM ->
> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result:
> 0/Success
> [25544] 1461864401.259076: Found cached TGT for service realm:
> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> [25544] 1461864401.259102: Requesting tickets for
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> [25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
> [25544] 1461864401.259291: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
> [25544] 1461864401.260361: Initiating TCP connection to stream
> 192.168.20.90:88
> [25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
> [25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
> [25544] 1461864401.264593: Response was from master KDC
> [25544] 1461864401.264893: TGS reply is for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9106
> [25544] 1461864401.264966: TGS request result: 0/Success
> [25544] 1461864401.264996: Received creds for desired service
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN
> [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN
> [25544] 1461864401.265581: Creating authenticator for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 921501424, subkey
> aes256-cts/99EA, session key aes256-cts/9106
> [25544] 1461864401.275884: ccselect module realm chose cache
> FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
> [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey
> aes256-cts/0E9F, seqnum 871496824
> [18097] 1461937028.664354: ccselect module realm chose cache
> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
> [18097] 1461937028.664490: Getting credentials admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpF9x_o8
> [18097] 1461937028.664549: Retrieving admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with
> result: -1765328243/Matching credential not found
> [18097] 1461937028.664590: Retrieving admin at CYBERFUEL.COM ->
> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result:
> 0/Success
> [18097] 1461937028.664601: Found cached TGT for service realm:
> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> [18097] 1461937028.664611: Requesting tickets for
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> [18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
> [18097] 1461937028.664727: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
> [18097] 1461937028.665136: Initiating TCP connection to stream
> 192.168.20.90:88
> [18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
> [18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
> [18097] 1461937028.668984: Response was from master KDC
> [18097] 1461937028.669109: TGS reply is for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9592
> [18097] 1461937028.669136: TGS request result: 0/Success
> [18097] 1461937028.669156: Received creds for desired service
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
> [18097] 1461937028.669304: Creating authenticator for admin at CYBERFUEL.COM ->
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 940175329, subkey
> aes256-cts/53B9, session key aes256-cts/9592
> [18097] 1461937028.676414: ccselect module realm chose cache
> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server
> principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM ->
> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
> [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey
> aes256-cts/26C4, seqnum 864174069
>
> -----------------------------------
>
>
> Regards
>
> Jose Alvarez
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: viernes 29 de abril de 2016 09:34 a.m.
> To: Jose Alvarez R. <jalvarez at cyberfuel.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Users
>>
>> You can help me?
>>
>> I have the problem for join a client to my FREEIPA Server. The version
>> IPA Server is 3.0 and IP client is 3.0
>>
>> When I join my client to IPA server show these errors:
>>
>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>>
>> 2016-04-28T17:26:41Z DEBUG stderr=
>>
>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
>> ldap://freeipa.cyberfuel.com
>>
>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
>> identical
>>
>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
>> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>
>> 2016-04-28T17:26:41Z DEBUG stdout=
>>
>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>
>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
>> 401, not 200
>>
>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>
>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>
> I'd look in the 389-ds access and error logs on the IPA server to see if
> there are any more details. Look for the BIND from the client and see what
> happens.
>
> More context from the log file might be helpful. I believe if you run the
> client installer with --debug then additional flags are passed to ipa-join
> to include the XML-RPC conversation and that might be useful too.
>
> What account are you using to enroll with, admin?
>
> rob
>
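
Added example, not part of the original thread and not FreeIPA or xmlrpc-c code: a small parser for curl-style verbose traces like the one quoted above. It separates "the server offered Negotiate and the client never sent a token" (the pattern in this thread, which points at the client's libcurl/xmlrpc-c GSSAPI support) from "a token was sent and the server rejected it". The traces embedded here are constructed, with placeholder host names and tokens, and the assumption is that mail quoting has already been stripped from the input.

```python
import re

# Request line as printed in a verbose trace: "> POST /ipa/xml HTTP/1.1"
REQUEST_LINE = re.compile(r"^>\s*([A-Z]+) (\S+) HTTP/\d(?:\.\d)?$")
STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")


def parse_exchanges(trace):
    """Split a verbose HTTP trace into request/response exchanges.

    Accepts both plain `curl -v` output (every request header prefixed
    with ">") and the ipa-join style seen in this thread, where only the
    request line carries the ">" and the headers follow unprefixed.
    """
    exchanges, current = [], None
    for raw in trace.splitlines():
        line = raw.rstrip()
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "sent_negotiate": False, "status": None, "offered": []}
            exchanges.append(current)
            continue
        if current is None or line.startswith("*"):
            continue  # connection chatter, not HTTP headers
        if line.startswith("<"):
            body = line[1:].strip()
            m = STATUS_LINE.match(body)
            if m:
                current["status"] = int(m.group(1))
                continue
            name, _, value = body.partition(":")
            if name.strip().lower() == "www-authenticate":
                current["offered"].append(value.strip().split(" ")[0].lower())
        else:
            header = line[1:] if line.startswith(">") else line
            name, _, value = header.partition(":")
            # Only count a header that actually carries a GSSAPI token.
            if (name.strip().lower() == "authorization"
                    and value.strip().lower().startswith("negotiate ")):
                current["sent_negotiate"] = True
    return exchanges


def diagnose(exchanges):
    """Classify the outcome of the Negotiate handshake."""
    if not exchanges:
        return "no-http-exchange"
    last = exchanges[-1]
    if last["status"] is not None and 200 <= last["status"] < 300:
        return "authenticated"
    challenged = any(e["status"] == 401 and "negotiate" in e["offered"]
                     for e in exchanges)
    if not challenged:
        return "not-a-negotiate-failure"
    if any(e["sent_negotiate"] for e in exchanges):
        return "token-rejected-by-server"   # look at the server side
    return "client-never-sent-token"        # look at the client HTTP stack


# Constructed sample modelled on the failing trace quoted in this thread.
FAILING_TRACE = """
* Connected to ipa.example.test (192.0.2.10) port 443 (#0)
> POST /ipa/xml HTTP/1.1
Host: ipa.example.test
Accept: */*
Content-Type: text/xml
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
HTTP response code is 401, not 200
"""

# Constructed sample: challenge, then a retry that carries a token.
NEGOTIATED_TRACE = """
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Authorization: Negotiate YIIC-constructed-token
< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate oYG-constructed-reply
"""

# Constructed sample: a token was sent but the server still answered 401.
REJECTED_TRACE = """
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Authorization: Negotiate YIIC-constructed-token
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
"""

if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE),
                         ("negotiated", NEGOTIATED_TRACE),
                         ("rejected", REJECTED_TRACE)):
        print(label, "->", diagnose(parse_exchanges(trace)))
```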



