<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 19 February 2013 12:44, Peter Brown <span dir="ltr"><<a href="mailto:rendhalver@gmail.com" target="_blank">rendhalver@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On 19 February 2013 12:06, John Moyer <span dir="ltr"><<a href="mailto:john.moyer@digitalreasoning.com" target="_blank">john.moyer@digitalreasoning.com</a>></span> wrote:<br>

</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word">Peter, <div><br></div>
<div class="im"><div>
<span style="white-space:pre-wrap">     </span>The client is pointing to DNS for the server. Here is the log info from the ipa-client-log (in /var/log/). I haven't tried the other stuff yet; I'll respond back when I get a chance to check out the CA cert things. </div>

<div><br></div><div><br></div><div><div>2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind@EXAMPLE.COM</div><div>2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-bind@EXAMPLE.COM: </div>

<div><br></div><div>2013-02-19T02:01:37Z DEBUG stderr=</div><div>2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com</div><div>2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)</div>

<div>2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)', 'desc': 'Local error'}</div>

<div>2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate</div><div><div>'ldap://ipa1.example.com' doesn't have a certificate.</div></div><div>2013-02-19T02:01:37Z DEBUG args=kdestroy</div>
<div>2013-02-19T02:01:37Z DEBUG stdout=</div><div>2013-02-19T02:01:37Z DEBUG stderr=</div></div></div></div></div></blockquote><div><br></div><div class="im"><div>I would hazard a guess you need those UDP ports open on the firewall for your FreeIPA server.</div>

<div>The two I mentioned are Kerberos ports.</div><div>You will likely need UDP port 389 open as well for talking to the directory server where it is attempting to get the cert from.</div></div></div></div></div></blockquote>
<div><br></div><div><br></div><div>I just had another thought.</div><div>If you have outgoing port restrictions on your AWS instances, you will need to allow them to connect to all the ports FreeIPA needs.</div>
<div style><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="im"><div><br></div></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><br></div><div><br></div><div><div class="h5"><div><div>
<div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">Thanks, </div><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">_____________________________________________________</div>
<span><font color="#888888"><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">John Moyer<br>Director, IT Operations</div><div style="font-size:14px;font-family:Calibri,sans-serif"><b>Digital Reasoning Systems, Inc.</b></div>
<div style="font-size:14px;font-family:Calibri,sans-serif"><a href="mailto:john.moyer@digitalreasoning.com" target="_blank">John.Moyer@digitalreasoning.com</a></div><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">
Office:<span style="white-space:pre-wrap">      </span>703.678.2311<br>Mobile:<span style="white-space:pre-wrap">   </span>240.460.0023<br>Fax:<span style="white-space:pre-wrap">              </span>703.678.2312<br></div><div style="font-weight:normal;font-family:Calibri,sans-serif;font-size:14px">
<a href="http://www.digitalreasoning.com/" target="_blank">www.digitalreasoning.com</a></div></font></span>
</div><div><div>
<br><div><div>On Feb 18, 2013, at 8:42 PM, Peter Brown <<a href="mailto:rendhalver@gmail.com" target="_blank">rendhalver@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">On 19 February 2013 11:03, John Moyer <span dir="ltr"><<a href="mailto:john.moyer@digitalreasoning.com" target="_blank">john.moyer@digitalreasoning.com</a>></span> wrote:<br>

<div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word">Peter, <div><br></div><div>

<span style="white-space:pre-wrap">     </span>Thanks for the response. I just checked out my security group settings; I did have some ports blocked, however, allowing them did not help. I installed nmap on the client and did a port scan of the server and got the following: </div>


<div><br></div><div><div>PORT    STATE SERVICE</div><div>22/tcp  open  ssh</div><div>53/tcp  open  domain</div><div>80/tcp  open  http</div><div>88/tcp  open  kerberos-sec</div><div>389/tcp open  ldap</div><div>443/tcp open  https</div>


<div>464/tcp open  kpasswd5</div><div>636/tcp open  ldapssl</div><div>749/tcp open  kerberos-adm</div></div></div></blockquote><div><br></div><div>There are a couple of UDP ports that need to be open as well:</div><div>
464 and 88, from memory.</div><div><br></div><div>They shouldn't affect your ability to download the CA cert.</div><div><br></div><div>Have you checked the ipa-client log file?</div><div>I can't remember where that gets saved right now, but it should mention the location when you run the ipa-client command.</div>


<div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word">

<div><br></div><div>I tried to enroll again and got the same error as seen here: </div>
<div><div><br></div><div><br></div><div><div>Synchronizing time with KDC...</div><div><br></div><div>ipa         : ERROR    Cannot obtain CA certificate</div></div><div><br></div><div><br></div><div><br></div></div>
<div>
<div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">Thanks, </div><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">_____________________________________________________</div>
<span><font color="#888888"><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">John Moyer<br><br></div></font></span>
</div><div><div>
<br><div><div>On Feb 18, 2013, at 7:24 PM, Peter Brown <<a href="mailto:rendhalver@gmail.com" target="_blank">rendhalver@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">Hi John,<div><br></div>


<div>I ran into a similar issue with setting up a 2.2 client with a 3.1 server.</div><div>It turned out to be that port 80 wasn't open on the FreeIPA server.</div><div>
I would check your ports and see if the right ones are open.</div><div>I also find that setting up the SRV and TXT records in your DNS zone makes setting up clients a lot simpler.</div><div><br></div></div><div class="gmail_extra">



<br><br><div class="gmail_quote">On 19 February 2013 00:58, John Moyer <span dir="ltr"><<a href="mailto:john.moyer@digitalreasoning.com" target="_blank">john.moyer@digitalreasoning.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">



<div style="word-wrap:break-word">Hello all, <div><br></div><div><span style="white-space:pre-wrap">    </span>I am having an issue using IPA 2.2.0. I am trying to put together a proof of concept set of systems. I've stood up 2 servers on AWS: one is the server, one is the client. I am using CentOS 6 to do all this testing on, with the default IPA packages provided from CentOS. I had a fully operational proof of concept finished, fully scripted to be built without issues. I shut down and started these as needed to show to people to get approval for the project. The other day the client stopped enrolling to the IPA server. I have no idea why; I assume a patch pushed out broke something, since it is a fully scripted install. It does get the most recent patches each time I stand it up, so it definitely would pull any new patches that came out. </div>



<div><br></div><div><span style="white-space:pre-wrap"> </span>After investigating, I am getting this error when I try to manually enroll the client. I haven't been able to find any reference to this error anywhere on the net. Any help would be greatly appreciated! Let me know if any additional details are needed. </div>



<div><br></div><div><br></div><div>PLEASE NOTE:  Everything below has been sanitized </div><div><br></div><div><br></div><div><div>[root@client ~]# ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U</div>

<div>DNS domain 'example.com' is not configured for automatic KDC address lookup.</div><div>KDC address will be set to fixed value.</div><div><br></div><div>Discovery was successful!</div>

<div>Hostname: client.ec2.internal</div><div>Realm: EXAMPLE.COM</div><div>DNS Domain: digitalreasoning.com</div>

<div>IPA Server: ipa1.example.com</div><div>BaseDN: dc=example,dc=com</div><div><br></div><div><br></div><div>Synchronizing time with KDC...</div><div><br></div><div>ipa         : ERROR    Cannot obtain CA certificate</div>

<div>'ldap://ipa1.example.com' doesn't have a certificate.</div><div>Installation failed. Rolling back changes.</div><div>IPA client is not configured on this system.</div></div><div><br></div><div> </div>



<div><div>
<div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">Thanks, </div><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">_____________________________________________________</div>
<span><font color="#888888"><div style="font-size:14px;font-family:Calibri,sans-serif;font-weight:normal">John Moyer<br><br></div></font></span>
</div>
<br></div></div><br>_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div>
</blockquote></div><br></div></div></div></blockquote></div><br></div></div>
</blockquote></div><br></div></div></div></div></div></div></blockquote></div><br></div></div>
</blockquote></div><br></div></div>
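<p>Added diagnostic example, not from the thread and not FreeIPA tooling: it checks the nmap scan and the ipa-client-install log excerpts quoted above against the ports the thread names, and pulls out the principal the KDC said it does not know. The port sets, the sample text and the function names are mine, constructed from the messages on this page.</p>

```python
import re

# Ports the thread names: TCP from John's nmap scan (22 and 53 are not FreeIPA
# ports), UDP 88 and 464 from Peter's reply.  Assumption: not an exhaustive list.
REQUIRED_TCP = {80, 88, 389, 443, 464, 636, 749}
REQUIRED_UDP = {88, 464}

# Constructed from the scan and log excerpts quoted in the thread.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm
"""
CLIENT_LOG = """\
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.M)
KRB_NOT_FOUND = re.compile(
    r"Server (?P<princ>\S+?)@(?P<realm>[A-Z0-9.-]+) not found in Kerberos database")

def open_ports(nmap_text):
    """Ports nmap reported open, keyed by protocol."""
    found = {"tcp": set(), "udp": set()}
    for m in PORT_LINE.finditer(nmap_text):
        found[m.group(2)].add(int(m.group(1)))
    return found

def missing_ports(nmap_text):
    """Required ports the scan did not show open.  A TCP-only scan, as in the
    thread, says nothing about UDP, so those are reported as unverified."""
    found = open_ports(nmap_text)
    return {"tcp": sorted(REQUIRED_TCP - found["tcp"]),
            "udp_unverified": sorted(REQUIRED_UDP - found["udp"])}

def kerberos_lookup_failures(log_text):
    """Principals a KDC said it does not know.  krbtgt/X@REALM asks REALM's KDC
    for a cross-realm ticket into realm X, so krbtgt/COM means the client mapped
    ipa1.example.com to realm COM, not EXAMPLE.COM (my reading, not the thread's)."""
    out = []
    for m in KRB_NOT_FOUND.finditer(log_text):
        princ = m.group("princ")
        target = princ.split("/", 1)[1] if princ.startswith("krbtgt/") else None
        out.append({"principal": princ + "@" + m.group("realm"), "cross_realm_target": target})
    return out
```

Run against a real scan and /var/log/ipaclient-install.log from the failing client; an empty "tcp" list with a krbtgt/COM entry points at realm mapping rather than the firewall.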