[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Sean Hogan schogan at us.ibm.com
Wed Nov 16 22:34:07 UTC 2016


Hi Jakub,

  I ended up re-enrolling the box and it is behaving as expected, except I
am not getting a host cert.  Robert indicated the auto host cert is no longer
available with RHEL 7, but to use the --request-cert option on enroll to get a
host cert if I wanted one.   I did so and got this in the install log:


2016-11-16T22:00:53Z DEBUG Starting external process
2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
'certmonger.service'
2016-11-16T22:00:53Z DEBUG Process finished, return code=0
2016-11-16T22:00:53Z DEBUG stdout=active

2016-11-16T22:00:53Z DEBUG stderr=
2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed


Maybe this is an issue with a RHEL 7 (4.x) client hitting a RHEL 6 (3.x) IPA
server?

As for crypto on the RHEL 6 IPA, this is what I have (if this is what you are looking for).
However, this is a modified version, as it took me a while to get this list to
pass Tenable scans by modding the dse files.
[root at ipa1 ~]#  nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-16 17:25 EST
Nmap scan report for ipa1.ipa.local
Host is up (0.000087s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
Sean Hogan
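As an added example (not part of the post above), a small Python audit that parses the ssl-enum-ciphers output shown above and labels each suite the way a vulnerability scanner would flag it. The sample scan text is a constructed, abridged copy of that list, and the classification rules are the editor's own assumptions, not Tenable's.

```python
"""Classify the cipher suites that nmap's ssl-enum-ciphers script reports.

Added example, not from the original mailing-list post.  The sample scan
output below is constructed to mirror the list in the post; the
classification rules are the editor's own, not Nessus/Tenable's.
"""
import re

# Constructed sample: an abridged copy of the scan output from the post.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
"""

CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s*$")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d(?:\.\d)?)\s*$")


def parse_ciphers(output):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers output."""
    result, proto = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            result.setdefault(proto, [])
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            result[proto].append(m.group(1))
    return result


def classify(cipher):
    """Map one suite name to a risk label (assumed scanner-style rules)."""
    if any(tag in cipher for tag in ("3DES", "RC4", "NULL", "EXPORT")):
        return "weak"      # 64-bit block (SWEET32) or broken cipher
    if not cipher.startswith(("TLS_DHE_", "TLS_ECDHE_")):
        return "no-pfs"    # static RSA key exchange: no forward secrecy
    if "_CBC_" in cipher:
        return "legacy"    # CBC mode; prefer AEAD (GCM) suites
    return "modern"


def audit(output):
    """Return {label: sorted cipher names} for every suite in the scan."""
    report = {}
    for ciphers in parse_ciphers(output).values():
        for c in ciphers:
            report.setdefault(classify(c), []).append(c)
    return {k: sorted(v) for k, v in report.items()}
```

The "weak" bucket is what a scanner would most likely complain about first; the "no-pfs" and "legacy" buckets are the suites to remove next when tightening the dse cipher list.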
From:	Jakub Hrozek <jhrozek at redhat.com>
To:	Sean Hogan/Durham/IBM at IBMUS
Cc:	Martin Babinsky <mbabinsk at redhat.com>, freeipa-users at redhat.com
Date:	11/16/2016 02:38 PM
Subject:	Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server



On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote:
> [root at server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials

OK, now there's at least the same error from kinit as sssd is
generating. Can you run this command prepended with
KRB5_TRACE=/dev/stderr and perhaps also check the KDC logs for the same
time?

But frankly I don't know offhand what enctypes are supported by the
RHEL-6 server's KDC.


