[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Rob Crittenden rcritten at redhat.com
Thu Nov 17 14:59:43 UTC 2016


Sean Hogan wrote:
> Hi Jakub,
> 
> I ended up re-enrolling the box and it is behaving as expected except I
> am not getting a host cert. Robert indicated auto host cert no longer
> avail with rhel 7 but using the --request-cert option on enroll to get
> a host cert if I wanted one. I did so and get this in the install log
> 
> 
> *2016-11-16T22:00:53Z DEBUG Starting external process*
> *2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
> 'certmonger.service'*
> *2016-11-16T22:00:53Z DEBUG Process finished, return code=0*
> *2016-11-16T22:00:53Z DEBUG stdout=active*
> 
> *2016-11-16T22:00:53Z DEBUG stderr=*
> *2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed*

Did you cut off the reason reported for the request failing?

> Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x)
> IPA server?

You could look in the server logs for details.

> As for crypto on RHEL 6 IPA I have (if this is what you looking for).
> However this is modified version as it took me a while to get this list
> to pass tenable scans by modding the dse files.
> [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

These are the TLS settings for LDAP, not the Kerberos encryption types
supported. You instead want to run:

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes

rob
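
Added example (not part of the original message, and not FreeIPA code): a Python helper that reads the LDIF output of the ldapsearch command above, lists the Kerberos enctype:salt pairs the realm advertises, and intersects them with the enctypes a client permits. The sample LDIF, the client list and the function names are constructed for illustration.

```python
import base64

ATTR = "krbsupportedencsalttypes"  # attribute queried above, compared case-insensitively

# Constructed sample of what the ldapsearch above might return (not real output).
SAMPLE_LDIF = "\n".join([
    "dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
    "krbSupportedEncSaltTypes: aes256-cts:normal",
    "krbSupportedEncSaltTypes: aes256-cts:special",
    "krbSupportedEncSaltTypes: aes128-cts:normal",
    "krbSupportedEncSaltTypes: des3-hmac-sha1:nor",
    " mal",  # LDIF folded line: a leading space continues the previous line
    "krbSupportedEncSaltTypes: arcfour-hmac:normal",
])

def unfold(ldif_text):
    """Join LDIF continuation lines back onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def enc_salt_types(ldif_text):
    """Return [(enctype, salttype), ...] in the order the server lists them."""
    pairs = []
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != ATTR:
            continue  # comments, dn and other attributes
        if rest.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        enctype, _, salt = value.partition(":")
        pairs.append((enctype, salt))
    return pairs

def common_enctypes(pairs, client_enctypes):
    """Realm enctypes the client also permits (literal names, aliases not resolved)."""
    allowed = {e.lower() for e in client_enctypes}
    out = []
    for enctype, _ in pairs:
        if enctype.lower() in allowed and enctype not in out:
            out.append(enctype)
    return out

if __name__ == "__main__":
    realm = enc_salt_types(SAMPLE_LDIF)
    print(realm)
    print(common_enctypes(realm, ["aes256-cts", "aes128-cts"]))  # assumed client list
```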
