<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <tt>the people frrm ubuntu pointed me to this bug. </tt> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127</a> <tt>enabling ssl3 in the server with this orders served as a workaround: </tt> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono', monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); ">ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono', monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); ">dn: cn=encryption,cn=config changetype: modify replace: nsSSL3 nsSSL3: on <p style="margin: 0px 0px 0.8em; padding: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono',monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; background-color: rgb(255, 255, 255);">exit <p style="margin: 0px 0px 0.8em; padding: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono',monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; background-color: rgb(255, 255, 255);">but the client doesn't join completly the domain because in the system there is no system wide nss database: <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono', monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); ">New SSSD config will be created. root : INFO New SSSD config will be created Configured /etc/sssd/sssd.conf root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt root : DEBUG stdout= root : DEBUG stderr=certutil: function failed: security library: bad database. <p style="margin: 0px 0px 0.8em; padding: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono',monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; background-color: rgb(255, 255, 255);">Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 1292, in <module> sys.exit(main()) File "/usr/sbin/ipa-client-install", line 1279, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 1124, in install run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"]) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run raise CalledProcessError(p.returncode, args) subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255 pasqual@ubuntuprovesfreeipa:~$ <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono', monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); ">It can create it with this commands: mkdir -p /etc/pki/nssdb certutil -N -d /etc/pki/nssdb <p style="margin: 0px 0px 0.8em; padding: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono',monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; background-color: rgb(255, 255, 255);">but asks for a password. there are some obscure references about using a password file called pwdfile.txt that resides in the server but I'm not sure with what to do now. perhaps the password must be blank. any idea? <p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.8em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: 'Ubuntu Mono', monospace; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); ">thanks Al 11/05/12 16:40, En/na pasqual milvaques ha escrit: <blockquote cite="mid:4FAD24EC.6090501@gva.es" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <tt>I'have download and compiled some versions of gnutls and this is the result: gnutls-2.8.5: works gnutls-2.12.19: fail gnutls-3.0.19: fail this must affect distributions in which ldaps connections are based in gnutls (I only know debian and ubuntu). the problem can be tested with this command: gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es in you have a problematic gnutls version the command would end with these lines: ... |<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes] |<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151 |<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156 |<2>| ASSERT: gnutls_buffers.c:640 |<2>| ASSERT: gnutls_record.c:969 |<2>| ASSERT: gnutls_handshake.c:2762 *** Fatal error: A TLS packet with unexpected length was received. |<4>| REC: Sending Alert[2|22] - Record overflow |<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2 |<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7 *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received. |<4>| REC[0x9bb40d0]: Epoch #0 freed |<4>| REC[0x9bb40d0]: Epoch #1 freed <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:pasqual@ubuntuprovesfreeipa:%7E/gnutls-2.12.19$">pasqual@ubuntuprovesfreeipa:~/gnutls-2.12.19$</a> any idea in how to make this work? </tt> Al 11/05/12 13:16, En/na pasqual milvaques ha escrit: <blockquote cite="mid:4FACF525.4070303@gva.es" type="cite">I'm trying to join an ubuntu 12.04 machine to freeipa domain installed in a centos 6.2 machine and it seems there is some problem with the tls negotiacion. ubuntu 12.04 uses gnutls instead of openssl so the problem could be there but I don't know how to solve it. with the ldapsearch command I can also reproduce the fail I have opened this ubuntu bug as freeipa now has a native client package: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990">https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990</a> any idea? this is the log of the operation: pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates [sudo] password for pasqual: root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None} root : DEBUG missing options might be asked for interactively later root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' root : DEBUG [ipadnssearchldap(linux.gva.es)] root : DEBUG [ipadnssearchldap(gva.es)] root : DEBUG [ipadnssearchldap(es)] root : DEBUG [ipadnssearchldap(linux.gva.es)] root : DEBUG [ipadnssearchldap(gva.es)] root : DEBUG [ipadnssearchldap(es)] root : DEBUG Domain not found DNS discovery failed to determine your DNS domain Provide the domain name of your IPA server (ex: example.com): linux.gva.es root : DEBUG will use domain: linux.gva.es root : DEBUG [ipadnssearchldap] root : DEBUG IPA Server not found DNS discovery failed to find the IPA Server Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es root : DEBUG will use server: freeipaserver.linux.gva.es root : DEBUG [ipadnssearchkrb] root : DEBUG [ipacheckldap] root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://freeipaserver.linux.gva.es/ipa/config/ca.crt">http://freeipaserver.linux.gva.es/ipa/config/ca.crt</a> root : DEBUG stdout= root : DEBUG stderr=--2012-05-11 12:06:09-- <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://freeipaserver.linux.gva.es/ipa/config/ca.crt">http://freeipaserver.linux.gva.es/ipa/config/ca.crt</a> Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99 S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat. HTTP: Petició enviada, esperant resposta... 200 OK Longitud: 1325 (1.3K) [application/x-x509-ca-cert] S'està desant a: «/tmp/tmpWptXwb/ca.crt» 0K . 100% 38.4M=0s 2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325] root : DEBUG Init ldap with: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="ldap://freeipaserver.linux.gva.es:389">ldap://freeipaserver.linux.gva.es:389</a> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received. Failed to verify that freeipaserver.linux.gva.es is an IPA Server. This may mean that the remote server is not up or is not reachable due to network or firewall settings. Installation failed. Rolling back changes. IPA client is not configured on this system. pasqual@ubuntuprovesfreeipa:~$ <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> </body> </html>