<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> </head> <body> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote: <blockquote type="CITE"> <hr align="center"> <blockquote>From: "Dmitri Pal" <dpal@redhat.com> To: freeipa-users@redhat.com Sent: Thursday, 25 July, 2013 11:35:32 PM Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to join, LDAP bind issue? On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote: <blockquote>I am still having issues trying to get a RHEL 5.9 client to join a RHEL 6.4 IdM domain. All packages on both systems updated. First problem is this: ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates Which fails with: root : ERROR Cannot obtain CA certificate 'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate. Installation failed. Rolling back changes. IPA client is not configured on this system. All of the appropriate ports are open on the IdM server, and I verified this by telnetting to all of them. I worked around this by running this: wget -O /etc/ipa/ca.crt <a href="http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt"> http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt</a> Then ran: ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt And I was having better results, so apparently the RHEL 5.9 ipa-client-install does not want to download my cert. </blockquote> This rings the bell. It sounds like a known issue for 5.9 openssl libraries. Rob can you add details please? <blockquote> On to the next problem: User authorized to enroll computers: admin Synchronizing time with KDC... Password for <a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU"> admin@LNXREALMTEST.LIBERTY.EDU</a>: Joining realm failed: SASL Bind failed Local error (-2) ! child exited with 9 Installation failed. Rolling back changes. </blockquote> </blockquote> Run ipa-client-install with "-d" debug flag to get more information. I've had the same issue due to DNS reverse for the server not being correct (check the krb log in the server) <blockquote> <blockquote> It is the same user that I use to login to the web interface, and I am 100% positive that I am not entering the password incorrectly. So why else would the admin user not be able to bind to my IdM setup? -Kenny <pre> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> <pre> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users </blockquote> -- </blockquote> <blockquote type="CITE">Eduardo Mínguez Pérez Infrastructure Consultant (RHCE, RHCSA) Red Hat - Spain Mobile: +34 629803049 (CET/CEST) E-mail: eminguez@redhat.com </blockquote> <blockquote type="CITE"> <pre> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> Ok, if I have time, I'll try with a RHEL 5.8 client today. As for debug output, this is what I get: [<a href="mailto:root@r5-idmclient">root@r5-idmclient</a> ~]# ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt', 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': None} root : DEBUG missing options might be asked for interactively later root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' root : DEBUG [ipadnssearchkrb] root : DEBUG [ipacheckldap] root : DEBUG Init ldap with: ldap://lnxrealmtest01.liberty.edu:389 root : ERROR LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate root : DEBUG will use domain: lnxrealmtest.liberty.edu root : DEBUG will use server: lnxrealmtest01.liberty.edu Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server. This may mean that the remote server is not up or is not reachable due to network or firewall settings. Installation failed. Rolling back changes. IPA client is not configured on this system. I do have an A record and PTR record for both lnxrealmtest01.liberty.edu and lnxrealmtest.lnxrealmtest.liberty.edu. The part that confuses me (I'm still new to the innards of SSL) is this: DAP Error: Connect error: TLS: hostname does not match CN in peer certificate When I look at the cert using: openssl x509 -in /etc/ipa/ca.crt -noout -text I see this: Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority Validity Not Before: Jul 25 18:22:53 2013 GMT Not After : Jul 25 18:22:53 2033 GMT Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority and ... OCSP - URI:<a href="http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp">http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp</a> So is it trying to use CN=Certificate Authority when it's expecting the host name of the IPA server? -Kenny </body> </html>