[Freeipa-users] HTTP response code is 401, not 200
Rob Crittenden
rcritten at redhat.com
Fri Apr 29 18:19:29 UTC 2016
Jose Alvarez R. wrote:
> Hi, Rob
>
> Thanks!!
>
>
> The version the xmlrpc-c of my server IPA:
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>
>
> The version the xmlrpc-c of my client IPA
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> libiqxmlrpc-0.12.4-0.parallels.i686
> xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945
The libcurl version on the client looks ok.
This is only a client-side issue so no changes on the servers should be
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.
rob
>
> The versions are the same, but the libcurl is different
>
> It's the version curl IPA server
> [root at freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root at freeipa log]#
>
>
> It's the version curl PPA server(IPA Client)
> [root at ppa named]# rpm -qa | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
> Sorry, my english is not very well
>
>
> Regards.
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: viernes 29 de abril de 2016 11:14 a.m.
> To: Jose Alvarez R. <jalvarez at cyberfuel.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Rob, Thanks for your response
>>
>> Yes, It's with admin.
>
> I assume this is a problem with your version of xmlrpc-c. We use standard
> calls xmlrpc-c calls to setup authentication and IIRC that links against
> libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c
>> = 1.16.24-1200.1840.2
>
> I'm confused about the versions. You mention PPA but include what look like
> RPM versions that seem to point to RHEL 6.
>
> rob
>
>>
>> I execute the command "ipa-client-install --debug"
>> ----------------------------------------------------------------------
>> ---
>>
>>
>> [root at ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>> None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir
>> ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
>> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
>> False, 'principal': None
>> , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
>> 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
>> 'conf_sudo': True, 'conf_ssh': Tr
>> ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
>> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
>> False, 'uninstall': False}
>> missing options might be asked for interactively later Loading Index
>> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None,
>> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>> "cyberfuel.com" (domain of the
>> hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
>> ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
>> YBERFU
>> EL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
>> riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN Check if naming context
>> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>> dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com,
>> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com Start searching for LDAP SRV
>> record in "cyberfuel.com" (Validating DNS
>> Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
>> ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com Discovery was
>> successful!
>> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>> dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in
>> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>> Discovered LDAP SRV records from cyberfuel.com (domain of the
>> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: no
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> [root at ppa named]#
>> [root at ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>> None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
>> True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
> 'nisdomain':
>> None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
>> False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
>> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
>> True, 'force_join': False, 'ca_cert_file': None, 'server': None,
>> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
>> False, 'uninstall': False}
>> missing options might be asked for interactively later Loading Index
>> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None,
>> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>> "cyberfuel.com" (domain of the
>> hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
>> ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
>> YBERFU
>> EL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
>> riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN Check if naming context
>> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>> dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com,
>> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com Start searching for LDAP SRV
>> record in "cyberfuel.com" (Validating DNS
>> Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
>> ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com Discovery was
>> successful!
>> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>> dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in
>> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>> Discovered LDAP SRV records from cyberfuel.com (domain of the
>> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: yes
>> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
>> stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
>> or directory
>>
>> User authorized to enroll computers: admin will use principal provided
>> as option: admin Synchronizing time with KDC...
>> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
>> No DNS record found
>> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
>> stderr= Writing Kerberos configuration to /tmp/tmpqWSatK:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = CYBERFUEL.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>>
>>
>> [realms]
>> CYBERFUEL.COM = {
>> kdc = freeipa.cyberfuel.com:88
>> master_kdc = freeipa.cyberfuel.com:88
>> admin_server = freeipa.cyberfuel.com:749
>> default_domain = cyberfuel.com
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>
>> }
>>
>>
>> [domain_realm]
>> .cyberfuel.com = CYBERFUEL.COM
>> cyberfuel.com = CYBERFUEL.COM
>>
>>
>>
>> Password for admin at CYBERFUEL.COM:
>> args=kinit admin at CYBERFUEL.COM
>> stdout=Password for admin at CYBERFUEL.COM:
>>
>> stderr=
>> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>> Existing CA cert and Retrieved CA cert are identical
>> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
>> dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
>> <methodName>join</methodName>\r\n <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>ppa.cyberfuel.com</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>> * Trying 192.168.20.90...
>> * Adding handle: conn: 0x10bb2f0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>> * start date: 2015-09-30 17:52:11 GMT
>> * expire date: 2017-09-30 17:52:11 GMT
>> * common name: freeipa.cyberfuel.com (matched)
>> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>> * SSL certificate verify ok.
>>> POST /ipa/xml HTTP/1.1
>> Host: freeipa.cyberfuel.com
>> Accept: */*
>> Content-Type: text/xml
>> User-Agent: ipa-join/3.0.0
>> Referer: https://freeipa.cyberfuel.com/ipa/xml
>> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>> Content-Length: 477
>>
>> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
>> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
>> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server:
>> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified:
>> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
>> < Accept-Ranges: bytes
>> < Content-Length: 1370
>> < Connection: close
>> < Content-Type: text/html; charset=UTF-8 <
>> * Closing connection 0
>> HTTP response code is 401, not 200
>>
>> Joining realm failed: XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
>> <methodName>join</methodName>\r\n <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>ppa.cyberfuel.com</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>> * Trying 192.168.20.90...
>> * Adding handle: conn: 0x10bb2f0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>> * start date: 2015-09-30 17:52:11 GMT
>> * expire date: 2017-09-30 17:52:11 GMT
>> * common name: freeipa.cyberfuel.com (matched)
>> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>> * SSL certificate verify ok.
>>> POST /ipa/xml HTTP/1.1
>> Host: freeipa.cyberfuel.com
>> Accept: */*
>> Content-Type: text/xml
>> User-Agent: ipa-join/3.0.0
>> Referer: https://freeipa.cyberfuel.com/ipa/xml
>> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>> Content-Length: 477
>>
>> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
>> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
>> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server:
>> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified:
>> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
>> < Accept-Ranges: bytes
>> < Content-Length: 1370
>> < Connection: close
>> < Content-Type: text/html; charset=UTF-8 <
>> * Closing connection 0
>> HTTP response code is 401, not 200
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> -------------------------------------------------
>>
>> It's the version curl IPA server
>>
>> [root at freeipa log]# rpm -qa | grep curl
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-46.el6.x86_64
>> libcurl-7.19.7-46.el6.x86_64
>> [root at freeipa log]#
>>
>>
>> It's the version curl PPA server(IPA Client)
>>
>> [root at ppa named]# rpm -qa | grep curl
>> curl-7.31.0-1.el6.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> libcurl-7.31.0-1.el6.x86_64
>> libcurl-7.31.0-1.el6.i686
>>
>>
>> The version curl is different, but the version curl PPA is the
>> repository Odin Plesk.
>>
>> -----------------------------------------------------
>>
>>
>> [root at ppa tmp]# cat kerberos_trace.log
>>
>> [12118] 1461855578.809966: ccselect module realm chose cache
>> FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
>> found [12118] 1461855578.810252: Getting credentials
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using
>> ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from
>> FILE:/tmp/tmptSoqDX with
>> result: -1765328243/Matching credential not found [12118]
>> 1461855578.810451: Retrieving admin at CYBERFUEL.COM ->
>> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result:
>> 0/Success
>> [12118] 1461855578.810476: Found cached TGT for service realm:
>> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [12118] 1461855578.810509: Requesting tickets for
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [12118]
>> 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
>> [12118] 1461855578.810679: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
>> 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
>> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
>> [12118] 1461855578.811466: Initiating TCP connection to stream
>> 192.168.0.90:88
>> [12118] 1461855578.811935: Sending TCP request to stream
>> 192.168.0.90:88 [12118] 1461855578.816404: Received answer from stream
>> 192.168.0.90:88 [12118] 1461855578.816714: Response was from master
>> KDC [12118] 1461855578.816906: TGS reply is for admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key
>> aes256-cts/BEB2 [12118] 1461855578.816977: TGS request result:
>> 0/Success [12118] 1461855578.817018: Received creds for desired
>> service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [12118] 1461855578.817066: Removing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
>> [12118] 1461855578.817107: Storing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
>> [12118] 1461855578.817413: Creating authenticator for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM,
>> seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
>> [12118] 1461855578.874786: ccselect module realm chose cache
>> FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [12118] 1461855578.874938: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
>> found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
>> subkey aes256-cts/4B32, seqnum 706045221 [17304] 1461858424.873888:
>> ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
>> principal admin at CYBERFUEL.COM for server principal
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [17304] 1461858424.874126: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
>> found [17304] 1461858424.874220: Getting credentials
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using
>> ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from
>> FILE:/tmp/tmpH0QF6P with
>> result: -1765328243/Matching credential not found [17304]
>> 1461858424.874531: Retrieving admin at CYBERFUEL.COM ->
>> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result:
>> 0/Success
>> [17304] 1461858424.874603: Found cached TGT for service realm:
>> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [17304] 1461858424.874631: Requesting tickets for
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [17304]
>> 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
>> [17304] 1461858424.874788: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
>> 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
>> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
>> [17304] 1461858424.875805: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [17304] 1461858424.877976: Sending TCP request to stream
>> 192.168.20.90:88 [17304] 1461858424.882385: Received answer from
>> stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
>> master KDC [17304] 1461858424.882775: TGS reply is for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with
>> session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
>> result: 0/Success [17304] 1461858424.882883: Received creds for
>> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [17304] 1461858424.882918: Removing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
>> [17304] 1461858424.882951: Storing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
>> [17304] 1461858424.883271: Creating authenticator for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM,
>> seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
>> [17304] 1461858424.898190: ccselect module realm chose cache
>> FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [17304] 1461858424.898401: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
>> found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
>> subkey aes256-cts/A0F5, seqnum 906104721 [23457] 1461863053.621386:
>> ccselect module realm chose cache
>> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [23457] 1461863053.621602: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
>> found [23457] 1461863053.621719: Getting credentials
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using
>> ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from
>> FILE:/tmp/tmp576FE3 with
>> result: -1765328243/Matching credential not found [23457]
>> 1461863053.622097: Retrieving admin at CYBERFUEL.COM ->
>> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result:
>> 0/Success
>> [23457] 1461863053.622144: Found cached TGT for service realm:
>> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [23457] 1461863053.622176: Requesting tickets for
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23457]
>> 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
>> [23457] 1461863053.622331: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
>> 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
>> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
>> [23457] 1461863053.623367: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [23457] 1461863053.623866: Sending TCP request to stream
>> 192.168.20.90:88 [23457] 1461863053.627939: Received answer from
>> stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
>> master KDC [23457] 1461863053.628485: TGS reply is for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with
>> session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
>> result: 0/Success [23457] 1461863053.628610: Received creds for
>> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [23457] 1461863053.628655: Removing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3
>> [23457] 1461863053.628689: Storing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3
>> [23457] 1461863053.629119: Creating authenticator for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM,
>> seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
>> [23457] 1461863053.640471: ccselect module realm chose cache
>> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
>> found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
>> subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338:
>> ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
>> principal admin at CYBERFUEL.COM for server principal
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
>> found [23749] 1461863277.525469: Getting credentials
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using
>> ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from
>> FILE:/tmp/tmprfuOsj with
>> result: -1765328243/Matching credential not found [23749]
>> 1461863277.525572: Retrieving admin at CYBERFUEL.COM ->
>> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result:
>> 0/Success
>> [23749] 1461863277.525584: Found cached TGT for service realm:
>> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [23749] 1461863277.525593: Requesting tickets for
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23749]
>> 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
>> [23749] 1461863277.525662: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
>> 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
>> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
>> [23749] 1461863277.526161: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [23749] 1461863277.526440: Sending TCP request to stream
>> 192.168.20.90:88 [23749] 1461863277.530652: Received answer from
>> stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
>> master KDC [23749] 1461863277.530881: TGS reply is for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with
>> session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
>> result: 0/Success [23749] 1461863277.530948: Received creds for
>> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj
>> [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj
>> [23749] 1461863277.531133: Creating authenticator for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM,
>> seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
>> [23749] 1461863277.542808: ccselect module realm chose cache
>> FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
>> found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
>> subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277:
>> ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
>> principal admin at CYBERFUEL.COM for server principal
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
>> found [25544] 1461864401.258678: Getting credentials
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using
>> ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from
>> FILE:/tmp/tmpbzX7EN with
>> result: -1765328243/Matching credential not found [25544]
>> 1461864401.259040: Retrieving admin at CYBERFUEL.COM ->
>> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result:
>> 0/Success
>> [25544] 1461864401.259076: Found cached TGT for service realm:
>> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [25544] 1461864401.259102: Requesting tickets for
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [25544]
>> 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
>> [25544] 1461864401.259291: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
>> 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
>> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
>> [25544] 1461864401.260361: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [25544] 1461864401.260980: Sending TCP request to stream
>> 192.168.20.90:88 [25544] 1461864401.264399: Received answer from
>> stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
>> master KDC [25544] 1461864401.264893: TGS reply is for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with
>> session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
>> result: 0/Success [25544] 1461864401.264996: Received creds for
>> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN
>> [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN
>> [25544] 1461864401.265581: Creating authenticator for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM,
>> seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
>> [25544] 1461864401.275884: ccselect module realm chose cache
>> FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
>> found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
>> subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354:
>> ccselect module realm chose cache
>> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
>> found [18097] 1461937028.664490: Getting credentials
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using
>> ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from
>> FILE:/tmp/tmpF9x_o8 with
>> result: -1765328243/Matching credential not found [18097]
>> 1461937028.664590: Retrieving admin at CYBERFUEL.COM ->
>> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result:
>> 0/Success
>> [18097] 1461937028.664601: Found cached TGT for service realm:
>> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [18097] 1461937028.664611: Requesting tickets for
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [18097]
>> 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
>> [18097] 1461937028.664727: etypes requested in TGS request:
>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
>> 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
>> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
>> [18097] 1461937028.665136: Initiating TCP connection to stream
>> 192.168.20.90:88
>> [18097] 1461937028.665510: Sending TCP request to stream
>> 192.168.20.90:88 [18097] 1461937028.668919: Received answer from
>> stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
>> master KDC [18097] 1461937028.669109: TGS reply is for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with
>> session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
>> result: 0/Success [18097] 1461937028.669156: Received creds for
>> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM ->
>> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669304: Creating authenticator for
>> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM,
>> seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
>> [18097] 1461937028.676414: ccselect module realm chose cache
>> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for
>> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM ->
>> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from
>> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
>> found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
>> subkey aes256-cts/26C4, seqnum 864174069
>>
>> -----------------------------------
>>
>>
>> Regards
>>
>> Jose Alvarez
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: viernes 29 de abril de 2016 09:34 a.m.
>> To: Jose Alvarez R. <jalvarez at cyberfuel.com>; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>>
>> Jose Alvarez R. wrote:
>>> Hi Users
>>>
>>> You can help me?
>>>
>>> I have the problem for join a client to my FREEIPA Server. The
>>> version IPA Server is 3.0 and IP client is 3.0
>>>
>>> When I join my client to IPA server show these errors:
>>>
>>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=
>>>
>>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
>>> ldap://freeipa.cyberfuel.com
>>>
>>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
>>> identical
>>>
>>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
>>> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>>
>>> 2016-04-28T17:26:41Z DEBUG stdout=
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>>
>>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
>>> is 401, not 200
>>>
>>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>>
>>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>>
>> I'd look in the 389-ds access and error logs on the IPA server to see
>> if there are any more details. Look for the BIND from the client and
>> see what happens.
>>
>> More context from the log file might be helpful. I believe if you run
>> the client installer with --debug then additional flags are passed to
>> ipa-join to include the XML-RPC conversation and that might be useful too.
>>
>> What account are you using to enroll with, admin?
>>
>> rob
>>
>
>
More information about the Freeipa-users
mailing list