<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/18/2013 09:06 PM, John Moyer wrote:
<blockquote
cite="mid:973C2234-AB82-4C7A-8DB3-F43F61A95D53@digitalreasoning.com"
type="cite">
Peter,
<div><br>
</div>
<div>The client is pointing to DNS for the server. Here is the log info
from the ipa-client-log (in /var/log/). I haven't tried the
other stuff yet; I'll respond back when I get a chance to check
out the CA cert things. </div>
<div><br>
</div>
<div><br>
</div>
<pre>2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind@EXAMPLE.COM
2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-bind@EXAMPLE.COM: 

2013-02-19T02:01:37Z DEBUG stderr=
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)
2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)', 'desc': 'Local error'}
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
2013-02-19T02:01:37Z DEBUG args=kdestroy
2013-02-19T02:01:37Z DEBUG stdout=
2013-02-19T02:01:37Z DEBUG stderr=</pre>
</blockquote>
<br>
<br>
Can the server resolve the client in the same way as the client resolves
itself?<br>
In AWS it might be an issue because it changes system names
dynamically, and thus your client host, when restarted, might have a
different name or not be resolvable by the server.<br>
The fact that AWS changes names under you makes IPA not usable in an
AWS environment.<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/2715">https://fedorahosted.org/freeipa/ticket/2715</a><br>
<br>
<blockquote
cite="mid:973C2234-AB82-4C7A-8DB3-F43F61A95D53@digitalreasoning.com"
type="cite">
<div><br>
</div>
<div><br>
</div>
<div>
<div>
<div>Thanks, </div>
<div>_____________________________________________________</div>
<div>John Moyer<br>
Director, IT Operations</div>
<div><b>Digital Reasoning Systems, Inc.</b></div>
<div><a href="mailto:john.moyer@digitalreasoning.com">John.Moyer@digitalreasoning.com</a></div>
<div>Office: 703.678.2311<br>
Mobile: 240.460.0023<br>
Fax: 703.678.2312<br>
</div>
<div><a href="http://www.digitalreasoning.com/">www.digitalreasoning.com</a></div>
</div>
<br>
<div>
<div>On Feb 18, 2013, at 8:42 PM, Peter Brown <<a
moz-do-not-send="true" href="mailto:rendhalver@gmail.com">rendhalver@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">On 19 February 2013 11:03, John Moyer <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:john.moyer@digitalreasoning.com"
target="_blank">john.moyer@digitalreasoning.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Peter,
<div><br>
</div>
<div>Thanks for the response. I just checked out my security
group settings; I did have some ports blocked,
however, allowing them did not help. I
installed nmap on the client and did a port scan
of the server and got the following: </div>
<div><br>
</div>
<pre>PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm</pre>
</div>
</blockquote>
<div><br>
</div>
<div style="">There are a couple of UDP ports that need
to be open as well:</div>
<div style="">
464 and 88, from memory.</div>
<div style=""><br>
</div>
<div style="">They shouldn't affect your ability to
download the ca cert.</div>
<div style=""><br>
</div>
<div style="">Have you checked the ipa-client log
file?</div>
<div style="">I can't remember where that gets saved
right now but it should mention the location when
you run the ipa-client command.</div>
<div style=""><br>
</div>
<div style=""><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div><br>
</div>
<div>I tried to enroll again and got the same
error as seen here: </div>
<div class="im">
<div><br>
</div>
<div><br>
</div>
<div>
<div>Synchronizing time with KDC...</div>
<div><br>
</div>
<div>ipa : ERROR Cannot obtain CA
certificate</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div>
<div>Thanks, </div>
<div>_____________________________________________________</div>
<div><font color="#888888">John Moyer<br>
<br>
</font></div>
</div>
<div>
<div class="h5">
<br>
<div>
<div>On Feb 18, 2013, at 7:24 PM, Peter
Brown <<a moz-do-not-send="true"
href="mailto:rendhalver@gmail.com"
target="_blank">rendhalver@gmail.com</a>>
wrote:</div>
<br>
<blockquote type="cite">
<div dir="ltr">Hi John,
<div><br>
</div>
<div>I ran into a similar issue with
setting up a 2.2 client with a 3.1
server.</div>
<div>It turned out to be that port 80
wasn't open on the freeipa server.</div>
<div>
I would check your ports and see if
the right ones are open.</div>
<div>I also find that setting up the SRV
and TXT records in your DNS zone makes
setting up clients a lot simpler.</div>
<div><br>
</div>
</div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On 19 February
2013 00:58, John Moyer <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:john.moyer@digitalreasoning.com"
target="_blank">john.moyer@digitalreasoning.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div style="word-wrap:break-word">Hello
all,
<div><br>
</div>
<div>I am having an issue
using IPA 2.2.0. I am trying
to put together a proof-of-concept
set of systems. I've
stood up 2 servers on AWS: one
is the server, one is the client.
I am using CentOS 6 to do all
this testing on, with the
default IPA packages provided
by CentOS. I had a fully
operational proof of concept
finished, fully scripted to be
built without issues. I
shut down and started these as
needed to show to people to get
approval for the project. The
other day the client stopped
enrolling to the IPA server; I
have no idea why. I assume a
patch that was pushed out broke something,
since it is a fully scripted
install. It does get the most
recent patches each time I stand
it up, so it definitely would
pull any new patches that came
out. </div>
<div><br>
</div>
<div>After investigating I am
getting this error when I try to
manually enroll the client. I
haven't been able to find any
reference to this error anywhere
on the net. Any help would be
greatly appreciated! Let me
know if any additional details
are needed. </div>
<div><br>
</div>
<div><br>
</div>
<div>PLEASE NOTE: Everything
below has been sanitized </div>
<div><br>
</div>
<div><br>
</div>
<pre>[root@client ~]# ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: digitalreasoning.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com


Synchronizing time with KDC...

ipa : ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.</pre>
<div><br>
</div>
<div> </div>
<div>
<div>
<div>Thanks, </div>
<div>_____________________________________________________</div>
<div><font color="#888888">John Moyer<br>
<br>
</font></div>
</div>
<br>
</div>
</div>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com"
target="_blank">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
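As an added diagnostic, not from the thread and not part of FreeIPA, the following Python reads the discovery summary and debug log lines John posted and flags the two conditions the replies turn on: the "krbtgt/COM@EXAMPLE.COM not found" error, which shows the client resolved the IPA server's name to the wrong Kerberos realm before the CA cert fetch, and a client hostname that sits outside the IPA DNS domain, which is the resolution problem Dmitri asks about. SAMPLE is constructed from the quoted lines, with the sanitized domain normalised to example.com.<br>

```python
import re

# Constructed sample: the discovery summary and the /var/log debug lines quoted in
# the thread (sanitized values as they appear there, domain normalised to example.com).
SAMPLE = """\
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa1.example.com
2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind@EXAMPLE.COM
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
"""

FIELD_RE = re.compile(r"^(Hostname|Realm|DNS Domain|IPA Server):\s*(\S+)$")
KRBTGT_RE = re.compile(r"Server krbtgt/([^@\s]+)@([^\s)]+) not found in Kerberos database")


def diagnose(text):
    """Return {check_name: explanation} for the two failure conditions discussed
    in the thread; an empty dict means neither was seen in the text."""
    fields, krbtgt = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
        m = KRBTGT_RE.search(line)
        if m:
            krbtgt = (m.group(1), m.group(2))  # (realm requested, realm that answered)

    findings = {}
    # Check 1: a client that believes a service host lives in realm X asks its own
    # KDC for the cross-realm principal krbtgt/X@REALM. When X != REALM the error
    # therefore means the client mapped the IPA server's name to the wrong realm.
    if krbtgt and krbtgt[0] != krbtgt[1]:
        wanted, issuer = krbtgt
        server = fields.get("IPA Server", "the IPA server")
        hint = ("the wrong realm is just the last label of the server name, so the "
                "host-to-realm lookup truncated the domain"
                if wanted == server.upper().rsplit(".", 1)[-1]
                else "the wrong realm does not even derive from the server name")
        findings["realm_mapping"] = (
            f"client asked {issuer} for a cross-realm ticket to {wanted} while contacting "
            f"{server}; {hint}. Check [domain_realm] in krb5.conf and the _kerberos TXT "
            f"record for the domain.")
    # Check 2: the client's own name is outside the IPA DNS domain, as happens when a
    # cloud instance boots with a generated name; the server may then not resolve it.
    host, domain = fields.get("Hostname", ""), fields.get("DNS Domain", "")
    if host and domain and not host.lower().endswith("." + domain.lower()):
        findings["hostname_domain"] = (
            f"client hostname {host} is not under the IPA DNS domain {domain}; confirm the "
            f"server resolves it forward and reverse and that the name survives reboots.")
    return findings


if __name__ == "__main__":
    for check, why in diagnose(SAMPLE).items():
        print(f"{check}: {why}")
```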
</body>
</html>