[Freeipa-users] FreeIPA Client Install 403 error

Rubin Binder rbinder at wooplagaming.com
Wed Jul 20 18:45:40 UTC 2016


Rob, 

My apologies; I only provided the tail of the log, and I should have provided more. I can see now there is much more detail in there. 

I followed your lead regarding the HTTP error log from the server and found this: 

[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client 172.16.10.12:49727] AH01630: client denied by server configuration: /usr/share/ipa/wsgi.py, referer: https://ldap.mydomain.com/ipa/xml 

So, that is most likely the next track for me to follow. 

Thank you for your assistance to this point, and in case there is interest, here is the full client log: 

2016-07-20T18:33:18Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall': False} 
2016-07-20T18:33:18Z DEBUG missing options might be asked for interactively later 
2016-07-20T18:33:18Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.17 
2016-07-20T18:33:18Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 
2016-07-20T18:33:18Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 
2016-07-20T18:33:18Z DEBUG Starting external process 
2016-07-20T18:33:18Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service' 
2016-07-20T18:33:18Z DEBUG Process finished, return code=0 
2016-07-20T18:33:18Z DEBUG stdout=enabled 

2016-07-20T18:33:18Z DEBUG stderr= 
2016-07-20T18:33:18Z WARNING Using existing certificate '/etc/ipa/ca.crt'. 
2016-07-20T18:33:18Z DEBUG [IPA Discovery] 
2016-07-20T18:33:18Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=centostest.mydomain.com 
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in "mydomain.com" (domain of the hostname) and its sub-domains 
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com 
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.com 
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in "mydomain.com" (search domain from /etc/resolv.conf) and its sub-domains 
2016-07-20T18:33:18Z DEBUG Already searched mydomain.com; skipping 
2016-07-20T18:33:18Z DEBUG No LDAP server found 
2016-07-20T18:33:18Z DEBUG No LDAP server found 
2016-07-20T18:33:18Z INFO DNS discovery failed to determine your DNS domain 
2016-07-20T18:33:20Z DEBUG will use interactively provided domain: mydomain.com 
2016-07-20T18:33:20Z DEBUG [IPA Discovery] 
2016-07-20T18:33:20Z DEBUG Starting IPA discovery with domain=mydomain.com, servers=None, hostname=centostest.mydomain.com 
2016-07-20T18:33:20Z DEBUG Search for LDAP SRV record in mydomain.com 
2016-07-20T18:33:20Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com 
2016-07-20T18:33:20Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:20Z DEBUG No LDAP server found 
2016-07-20T18:33:20Z DEBUG IPA Server not found 
2016-07-20T18:33:20Z DEBUG DNS discovery failed to find the IPA Server 
2016-07-20T18:33:23Z DEBUG will use interactively provided server: ldap.mydomain.com 
2016-07-20T18:33:23Z DEBUG [IPA Discovery] 
2016-07-20T18:33:23Z DEBUG Starting IPA discovery with domain=mydomain.com, servers=['ldap.mydomain.com'], hostname=centostest.mydomain.com 
2016-07-20T18:33:23Z DEBUG Server and domain forced 
2016-07-20T18:33:23Z DEBUG [Kerberos realm search] 
2016-07-20T18:33:23Z DEBUG Search DNS for TXT record of _kerberos.mydomain.com 
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:23Z DEBUG Search DNS for SRV record of _kerberos._udp.mydomain.com 
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:23Z DEBUG SRV record for KDC not found! Domain: mydomain.com 
2016-07-20T18:33:23Z DEBUG [LDAP server check] 
2016-07-20T18:33:23Z DEBUG Verifying that ldap.mydomain.com (realm None) is an IPA server 
2016-07-20T18:33:23Z DEBUG Init LDAP connection to: ldap.mydomain.com 
2016-07-20T18:33:24Z DEBUG Search LDAP server for IPA base DN 
2016-07-20T18:33:24Z DEBUG Check if naming context 'dc=mydomain,dc=com' is for IPA 
2016-07-20T18:33:24Z DEBUG Naming context 'dc=mydomain,dc=com' is a valid IPA context 
2016-07-20T18:33:24Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain,dc=com (sub) 
2016-07-20T18:33:24Z DEBUG Found: cn=MYDOMAION.COM,cn=kerberos,dc=mydomain,dc=com 
2016-07-20T18:33:24Z DEBUG Discovery result: Success; server=ldap.mydomain.com, domain=mydomain.com, kdc=None, basedn=dc=mydomain,dc=com 
2016-07-20T18:33:24Z DEBUG Validated servers: ldap.mydomain.com 
2016-07-20T18:33:24Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured. 
2016-07-20T18:33:24Z INFO Autodiscovery of servers for failover cannot work with this configuration. 
2016-07-20T18:33:24Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure. 
2016-07-20T18:33:26Z DEBUG will use discovered realm: MYDOMAION.COM 
2016-07-20T18:33:26Z DEBUG will use discovered basedn: dc=mydomain,dc=com 
2016-07-20T18:33:26Z INFO Client hostname: centostest.mydomain.com 
2016-07-20T18:33:26Z DEBUG Hostname source: Machine's FQDN 
2016-07-20T18:33:26Z INFO Realm: MYDOMAION.COM 
2016-07-20T18:33:26Z DEBUG Realm source: Discovered from LDAP DNS records in ldap.mydomain.com 
2016-07-20T18:33:26Z INFO DNS Domain: mydomain.com 
2016-07-20T18:33:26Z DEBUG DNS Domain source: Provided interactively 
2016-07-20T18:33:26Z INFO IPA Server: ldap.mydomain.com 
2016-07-20T18:33:26Z DEBUG IPA Server source: Provided interactively 
2016-07-20T18:33:26Z INFO BaseDN: dc=mydomain,dc=com 
2016-07-20T18:33:26Z DEBUG BaseDN source: From IPA server ldap://ldap.mydomain.com:389 
2016-07-20T18:33:32Z DEBUG Starting external process 
2016-07-20T18:33:32Z DEBUG args='/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'MYDOMAION.COM' 
2016-07-20T18:33:32Z DEBUG Process finished, return code=3 
2016-07-20T18:33:32Z DEBUG stdout= 
2016-07-20T18:33:32Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory 

2016-07-20T18:33:32Z INFO Skipping synchronizing time with NTP server. 
2016-07-20T18:33:34Z DEBUG will use principal provided as option: admin 
2016-07-20T18:33:34Z DEBUG Starting external process 
2016-07-20T18:33:34Z DEBUG args='keyctl' 'get_persistent' '@s' '0' 
2016-07-20T18:33:34Z DEBUG Process finished, return code=0 
2016-07-20T18:33:34Z DEBUG stdout=354225941 

2016-07-20T18:33:34Z DEBUG stderr= 
2016-07-20T18:33:34Z DEBUG Enabling persistent keyring CCACHE 
2016-07-20T18:33:34Z DEBUG Writing Kerberos configuration to /tmp/tmpGxQ6Xw: 
2016-07-20T18:33:34Z DEBUG #File modified by ipa-client-install 

includedir /var/lib/sss/pubconf/krb5.include.d/ 

[libdefaults] 
default_realm = MYDOMAION.COM 
dns_lookup_realm = false 
dns_lookup_kdc = false 
rdns = false 
ticket_lifetime = 24h 
forwardable = yes 
udp_preference_limit = 0 
default_ccache_name = KEYRING:persistent:%{uid} 


[realms] 
MYDOMAION.COM = { 
kdc = ldap.mydomain.com:88 
master_kdc = ldap.mydomain.com:88 
admin_server = ldap.mydomain.com:749 
default_domain = mydomain.com 
pkinit_anchors = FILE:/etc/ipa/ca.crt 

} 


[domain_realm] 
.mydomain.com = MYDOMAION.COM 
mydomain.com = MYDOMAION.COM 

2016-07-20T18:33:37Z DEBUG Initializing principal admin at MYDOMAION.COM using password 
2016-07-20T18:33:37Z DEBUG Starting external process 
2016-07-20T18:33:37Z DEBUG args='/usr/bin/kinit' 'admin at MYDOMAION.COM' '-c' '/tmp/tmpXBVcV7' 
2016-07-20T18:33:37Z DEBUG Process finished, return code=0 
2016-07-20T18:33:37Z DEBUG stdout=Password for admin at MYDOMAION.COM: 

2016-07-20T18:33:37Z DEBUG stderr= 
2016-07-20T18:33:37Z DEBUG trying to retrieve CA cert via LDAP from ldap.mydomain.com 
2016-07-20T18:33:38Z DEBUG flushing ldap://ldap.mydomain.com:389 from SchemaCache 
2016-07-20T18:33:38Z DEBUG retrieving schema for SchemaCache url=ldap://ldap.mydomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x1ed57a0> 
2016-07-20T18:33:39Z DEBUG Existing CA cert and Retrieved CA cert are identical 
2016-07-20T18:33:39Z DEBUG Starting external process 
2016-07-20T18:33:39Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com' 
2016-07-20T18:33:39Z DEBUG Process finished, return code=17 
2016-07-20T18:33:39Z DEBUG stdout= 
2016-07-20T18:33:39Z DEBUG stderr=HTTP response code is 403, not 200 

2016-07-20T18:33:39Z ERROR Joining realm failed: HTTP response code is 403, not 200 

2016-07-20T18:33:39Z ERROR Installation failed. Rolling back changes. 
2016-07-20T18:33:39Z ERROR IPA client is not configured on this system. 


----- Original Message -----

From: "Rob Crittenden" <rcritten at redhat.com> 
To: "Rubin Binder" <rbinder at wooplagaming.com>, "Justin Stephenson" <jstephen at redhat.com> 
Cc: freeipa-users at redhat.com 
Sent: Wednesday, July 20, 2016 3:33:36 PM 
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error 

Rubin Binder wrote: 
> Justin, 
> 
> Thank you very much for the prompt response. The log output is as follows: 
> 
> 2016-07-20T17:02:52Z DEBUG Starting external process 
> 2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 
> 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com' 
> 2016-07-20T17:02:52Z DEBUG Process finished, return code=17 
> 2016-07-20T17:02:52Z DEBUG stdout= 
> 2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200 
> 
> 2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is 
> 403, not 200 
> 
> 2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes. 
> 2016-07-20T17:02:52Z ERROR IPA client is not configured on this system. 

Seeing the entire file is usually more helpful but in this case you did 
provide a single clue. Return code 17 from ipa-join is an XML-RPC fault. 
This may be the same 403 as reported elsewhere. I'd suggest looking in 
/var/log/httpd/error_log on the master. 

rob 

> 
> Regards, 
> Rubin 
> 
> ------------------------------------------------------------------------ 
> *From: *"Justin Stephenson" <jstephen at redhat.com> 
> *To: *"Rubin Binder" <rbinder at wooplagaming.com>, freeipa-users at redhat.com 
> *Sent: *Wednesday, July 20, 2016 2:49:16 PM 
> *Subject: *Re: [Freeipa-users] FreeIPA Client Install 403 error 
> 
> Could you please share with us the /var/log/ipaclient-install.log ? 
> 
> Kind regards, 
> 
> Justin Stephenson 
> 
> 
> On 07/20/2016 01:23 PM, Rubin Binder wrote: 
> > Hello all, 
> > 
> > I am testing Free IPA server for use under a test environment, so far 
> smooth sailing and have it up and running, no problems. 
> > 
> > The problem is occurring during client installation. I have installed 
> the ipa-client package on a clean CentOS 7 OS. When I execute 
> ipa-client-install... I get the following: 
> > 
> > Client hostname: centostest.mydomain.com 
> > Realm: MYDOMAIN.COM 
> > DNS Domain: mydomain.com 
> > IPA Server: ldap.mydomain.com 
> > BaseDN: dc=mydomain,dc=com 
> > 
> > Continue to configure the system with these values? [no]: yes 
> > Skipping synchronizing time with NTP server. 
> > User authorized to enroll computers: admin 
> > Password for admin at MYDOMAIN.COM: 
> > Successfully retrieved CA cert 
> > Subject: CN=Certificate Authority,O=MYDOMAIN.COM 
> > Issuer: CN=Certificate Authority,O=MYDOMAIN.COM 
> > Valid From: Wed Jul 13 13:12:08 2016 UTC 
> > Valid Until: Sun Jul 13 13:12:08 2036 UTC 
> > 
> > Joining realm failed: HTTP response code is 403, not 200 
> > 
> > Installation failed. Rolling back changes. 
> > IPA client is not configured on this system. 
> > 
> > I can't make sense of why I'd be seeing a 403 error. I've done my 
> share of searching but have not found a similar issue. Some have reported 
> 401 errors in some circumstances, but not 403. 
> > 
> > Has anyone seen this before? 
> > 
> > Thanks, 
> > Rubin 
> > 
> 
> 
> 
> 
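To make the diagnosis worked out in this thread repeatable, here is an added example (my own code, not FreeIPA's) that parses constructed lines in the two log formats quoted above, reads the ipa-join return code and HTTP status from the client log, and matches them against an authz_core AH01630 denial for /usr/share/ipa/wsgi.py in the master's httpd error_log; the classification messages are my own wording.

```python
import re
# Constructed samples in the two formats quoted in the thread: the client's
# /var/log/ipaclient-install.log and the master's /var/log/httpd/error_log.
CLIENT_LOG = """\
2016-07-20T18:33:39Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T18:33:39Z DEBUG Process finished, return code=17
2016-07-20T18:33:39Z DEBUG stderr=HTTP response code is 403, not 200
2016-07-20T18:33:39Z ERROR Joining realm failed: HTTP response code is 403, not 200
"""
HTTPD_LOG = """\
[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client 172.16.10.12:49727] AH01630: client denied by server configuration: /usr/share/ipa/wsgi.py, referer: https://ldap.mydomain.com/ipa/xml
"""

APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+)\]"
    r" \[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)$")
RC_RE = re.compile(r"Process finished, return code=(\d+)")
HTTP_RE = re.compile(r"HTTP response code is (\d{3}), not 200")


def parse_apache_error(line):
    """Split one httpd error_log line into its bracketed fields, or None."""
    m = APACHE_RE.match(line.strip())
    return m.groupdict() if m else None


def join_result(client_log):
    """Return (ipa-join exit code, HTTP status it reported) for the last join attempt."""
    in_join, rc, status = False, None, None
    for line in client_log.splitlines():
        if "'/usr/sbin/ipa-join'" in line:        # the args= line opens a join attempt
            in_join, rc, status = True, None, None
        elif in_join and (m := RC_RE.search(line)):
            rc = int(m.group(1))
        elif in_join and (m := HTTP_RE.search(line)):
            status = int(m.group(1))
    return rc, status


def diagnose(client_log, httpd_log):
    """Classify a failed enrolment as the thread does; the messages are my own wording."""
    rc, status = join_result(client_log)
    if rc != 17:                                  # 17 = XML-RPC fault, per Rob's reply
        return "ipa-join rc=%s: not an XML-RPC fault, look earlier in the client log" % rc
    for line in httpd_log.splitlines():
        e = parse_apache_error(line)
        if e and e["module"] == "authz_core" and e["code"] == "AH01630" \
                and "/usr/share/ipa/wsgi.py" in e["msg"]:
            return ("HTTP %s: httpd authorization (authz_core AH01630) denied client %s access "
                    "to the IPA WSGI endpoint; fix the master's access rules, not Kerberos" % (status, e["client"]))
    return "HTTP %s XML-RPC fault with no matching httpd denial; read error_log further" % status
```

Run it against the real files by reading /var/log/ipaclient-install.log on the client and /var/log/httpd/error_log on the master and passing their contents to diagnose().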

