[Freeipa-users] FreeIPA Client Install 403 error

Rob Crittenden rcritten at redhat.com
Wed Jul 20 18:33:36 UTC 2016


Rubin Binder wrote:
> Justin,
>
> Thank you very much for the prompt response.  The log output is as follows:
>
> 2016-07-20T17:02:52Z DEBUG Starting external process
> 2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s'
> 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
> 2016-07-20T17:02:52Z DEBUG Process finished, return code=17
> 2016-07-20T17:02:52Z DEBUG stdout=
> 2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200
>
> 2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is
> 403, not 200
>
> 2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes.
> 2016-07-20T17:02:52Z ERROR IPA client is not configured on this system.

Seeing the entire file is usually more helpful but in this case you did 
provide a single clue. Return code 17 from ipa-join is an XML-RPC fault. 
This may be the same 403 as reported elsewhere. I'd suggest looking in 
/var/log/httpd/error_log on the master.

rob

>
> Regards,
> Rubin
>
> ------------------------------------------------------------------------
> *From: *"Justin Stephenson" <jstephen at redhat.com>
> *To: *"Rubin Binder" <rbinder at wooplagaming.com>, freeipa-users at redhat.com
> *Sent: *Wednesday, July 20, 2016 2:49:16 PM
> *Subject: *Re: [Freeipa-users] FreeIPA Client Install 403 error
>
> Could you please share with us the /var/log/ipaclient-install.log ?
>
> Kind regards,
>
> Justin Stephenson
>
>
> On 07/20/2016 01:23 PM, Rubin Binder wrote:
>  > Hello all,
>  >
>  > I am testing Free IPA server for use under a test environment, so far
>  > smooth sailing and have it up and running, no problems.
>  >
>  > The problem is occurring during client installation. I have installed
>  > the ipa-client package on a clean CentOS 7 OS. When I execute
>  > ipa-client-install... I get the following:
>  >
>  >   Client hostname: centostest.mydomain.com
>  >   Realm: MYDOMAIN.COM
>  >   DNS Domain: mydomain.com
>  >   IPA Server: ldap.mydomain.com
>  >   BaseDN: dc=mydomain,dc=com
>  >
>  >   Continue to configure the system with these values? [no]: yes
>  >   Skipping synchronizing time with NTP server.
>  >   User authorized to enroll computers: admin
>  >   Password for admin at MYDOMAIN.COM:
>  >   Successfully retrieved CA cert
>  >   Subject: CN=Certificate Authority,O=MYDOMAIN.COM
>  >   Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
>  >   Valid From: Wed Jul 13 13:12:08 2016 UTC
>  >   Valid Until: Sun Jul 13 13:12:08 2036 UTC
>  >
>  >   Joining realm failed: HTTP response code is 403, not 200
>  >
>  >   Installation failed. Rolling back changes.
>  >   IPA client is not configured on this system.
>  >
>  > I can't make sense of why I'd be seeing a 403 error.  I've done my
>  > share of searching but have not found a similar issue.  Some have reported
>  > 401 errors in some circumstances, but not 403.
>  >
>  > Has anyone seen this before?
>  >
>  > Thanks,
>  > Rubin
>  >
>
>
>
>



