[Freeipa-users] HTTP response code is 401, not 200
Jose Alvarez R.
2016-04-29 13:17:27 UTC
Hi Users

Can you help me?

I have a problem joining a client to my FreeIPA server. The IPA server
version is 3.0 and the IPA client is 3.0.

When I join my client to the IPA server, it shows these errors:

[***@ppa ~]# tail -f /var/log/ipaclient-install.log

2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200

2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200

2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

My client has PPA (http://www.odin.com/es/products/plesk-automation/)
installed and the curl version is:

curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

The curl version on my FreeIPA server is:

python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64

Can you help me?

Thanks, regards

Jose Alvarez R.
Rob Crittenden
2016-04-29 15:34:22 UTC
Post by Jose Alvarez R.
> Hi Users
> Can you help me?
> I have a problem joining a client to my FreeIPA server. The IPA server
> version is 3.0 and the IPA client is 3.0.
> 2016-04-28T17:26:41Z DEBUG stderr=
> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://freeipa.cyberfuel.com
> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
> identical
> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
> 2016-04-28T17:26:41Z DEBUG stdout=
> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
> 401, not 200
> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

I'd look in the 389-ds access and error logs on the IPA server to see if
there are any more details. Look for the BIND from the client and see
what happens.

More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful too.

What account are you using to enroll with, admin?

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jose Alvarez R.
2016-04-29 17:00:27 UTC
Hi Rob, thanks for your response.

Yes, it's with admin.

I executed the command "ipa-client-install --debug":
-------------------------------------------------------------------------


[***@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[***@ppa named]#
[***@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Writing Kerberos configuration to /tmp/tmpqWSatK:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0


[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

}


[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM



Password for ***@CYBERFUEL.COM:
args=kinit ***@CYBERFUEL.COM
stdout=Password for ***@CYBERFUEL.COM:

stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477

* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

-------------------------------------------------

This is the curl version on the IPA server:

[***@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[***@freeipa log]#


This is the curl version on the PPA server (IPA client):

[***@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686


The curl version is different, but the curl version on PPA is from the
Odin Plesk repository.

-----------------------------------------------------


[***@ppa tmp]# cat kerberos_trace.log

[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[12118] 1461855578.810171: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810252: Getting credentials ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
[12118] 1461855578.810369: Retrieving ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found
[12118] 1461855578.810451: Retrieving ***@CYBERFUEL.COM ->
krbtgt/***@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result:
0/Success
[12118] 1461855578.810476: Found cached TGT for service realm:
***@CYBERFUEL.COM -> krbtgt/***@CYBERFUEL.COM
[12118] 1461855578.810509: Requesting tickets for
ldap/***@CYBERFUEL.COM, referrals on
[12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
[12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
[12118] 1461855578.816714: Response was from master KDC
[12118] 1461855578.816906: TGS reply is for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM with session key aes256-cts/BEB2
[12118] 1461855578.816977: TGS request result: 0/Success
[12118] 1461855578.817018: Received creds for desired service
ldap/***@CYBERFUEL.COM
[12118] 1461855578.817066: Removing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: Storing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
[12118] 1461855578.817413: Creating authenticator for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM, seqnum 299651167, subkey
aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[12118] 1461855578.874938: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey
aes256-cts/4B32, seqnum 706045221
[17304] 1461858424.873888: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[17304] 1461858424.874126: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874220: Getting credentials ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P
[17304] 1461858424.874413: Retrieving ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found
[17304] 1461858424.874531: Retrieving ***@CYBERFUEL.COM ->
krbtgt/***@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result:
0/Success
[17304] 1461858424.874603: Found cached TGT for service realm:
***@CYBERFUEL.COM -> krbtgt/***@CYBERFUEL.COM
[17304] 1461858424.874631: Requesting tickets for
ldap/***@CYBERFUEL.COM, referrals on
[17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
[17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
[17304] 1461858424.882531: Response was from master KDC
[17304] 1461858424.882775: TGS reply is for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM with session key aes256-cts/20DA
[17304] 1461858424.882850: TGS request result: 0/Success
[17304] 1461858424.882883: Received creds for desired service
ldap/***@CYBERFUEL.COM
[17304] 1461858424.882918: Removing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
[17304] 1461858424.882951: Storing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
[17304] 1461858424.883271: Creating authenticator for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM, seqnum 443746416, subkey
aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[17304] 1461858424.898401: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey
aes256-cts/A0F5, seqnum 906104721
[23457] 1461863053.621386: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[23457] 1461863053.621602: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.621719: Getting credentials ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3
[23457] 1461863053.621918: Retrieving ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found
[23457] 1461863053.622097: Retrieving ***@CYBERFUEL.COM ->
krbtgt/***@CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result:
0/Success
[23457] 1461863053.622144: Found cached TGT for service realm:
***@CYBERFUEL.COM -> krbtgt/***@CYBERFUEL.COM
[23457] 1461863053.622176: Requesting tickets for
ldap/***@CYBERFUEL.COM, referrals on
[23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
[23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
[23457] 1461863053.628229: Response was from master KDC
[23457] 1461863053.628485: TGS reply is for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM with session key aes256-cts/9E88
[23457] 1461863053.628560: TGS request result: 0/Success
[23457] 1461863053.628610: Received creds for desired service
ldap/***@CYBERFUEL.COM
[23457] 1461863053.628655: Removing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmp576FE3
[23457] 1461863053.628689: Storing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM in FILE:/tmp/tmp576FE3
[23457] 1461863053.629119: Creating authenticator for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM, seqnum 13046067, subkey
aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[23457] 1461863053.640721: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey
aes256-cts/8866, seqnum 421358565
[23749] 1461863277.525338: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[23749] 1461863277.525435: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525469: Getting credentials ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM using ccache FILE:/tmp/tmprfuOsj
[23749] 1461863277.525529: Retrieving ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found
[23749] 1461863277.525572: Retrieving ***@CYBERFUEL.COM ->
krbtgt/***@CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result:
0/Success
[23749] 1461863277.525584: Found cached TGT for service realm:
***@CYBERFUEL.COM -> krbtgt/***@CYBERFUEL.COM
[23749] 1461863277.525593: Requesting tickets for
ldap/***@CYBERFUEL.COM, referrals on
[23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
[23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
[23749] 1461863277.530737: Response was from master KDC
[23749] 1461863277.530881: TGS reply is for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM with session key aes256-cts/79C3
[23749] 1461863277.530931: TGS request result: 0/Success
[23749] 1461863277.530948: Received creds for desired service
ldap/***@CYBERFUEL.COM
[23749] 1461863277.530962: Removing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmprfuOsj
[23749] 1461863277.530971: Storing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM in FILE:/tmp/tmprfuOsj
[23749] 1461863277.531133: Creating authenticator for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM, seqnum 1019693263, subkey
aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[23749] 1461863277.542889: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey
aes256-cts/5194, seqnum 376027188
[25544] 1461864401.258277: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[25544] 1461864401.258584: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.258678: Getting credentials ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM using ccache FILE:/tmp/tmpbzX7EN
[25544] 1461864401.258873: Retrieving ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found
[25544] 1461864401.259040: Retrieving ***@CYBERFUEL.COM ->
krbtgt/***@CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result:
0/Success
[25544] 1461864401.259076: Found cached TGT for service realm:
***@CYBERFUEL.COM -> krbtgt/***@CYBERFUEL.COM
[25544] 1461864401.259102: Requesting tickets for
ldap/***@CYBERFUEL.COM, referrals on
[25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
[25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
[25544] 1461864401.264593: Response was from master KDC
[25544] 1461864401.264893: TGS reply is for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM with session key aes256-cts/9106
[25544] 1461864401.264966: TGS request result: 0/Success
[25544] 1461864401.264996: Received creds for desired service
ldap/***@CYBERFUEL.COM
[25544] 1461864401.265029: Removing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265058: Storing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265581: Creating authenticator for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM, seqnum 921501424, subkey
aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[25544] 1461864401.276059: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey
aes256-cts/0E9F, seqnum 871496824
[18097] 1461937028.664354: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[18097] 1461937028.664456: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664490: Getting credentials ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM using ccache FILE:/tmp/tmpF9x_o8
[18097] 1461937028.664549: Retrieving ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found
[18097] 1461937028.664590: Retrieving ***@CYBERFUEL.COM ->
krbtgt/***@CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result:
0/Success
[18097] 1461937028.664601: Found cached TGT for service realm:
***@CYBERFUEL.COM -> krbtgt/***@CYBERFUEL.COM
[18097] 1461937028.664611: Requesting tickets for
ldap/***@CYBERFUEL.COM, referrals on
[18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
[18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
[18097] 1461937028.668984: Response was from master KDC
[18097] 1461937028.669109: TGS reply is for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM with session key aes256-cts/9592
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.669156: Received creds for desired service
ldap/***@CYBERFUEL.COM
[18097] 1461937028.669167: Removing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for ***@CYBERFUEL.COM ->
ldap/***@CYBERFUEL.COM, seqnum 940175329, subkey
aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with client principal ***@CYBERFUEL.COM for server
principal ldap/***@CYBERFUEL.COM
[18097] 1461937028.676470: Retrieving ***@CYBERFUEL.COM ->
krb5_ccache_conf_data/***@X-CACHECONF: from
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey
aes256-cts/26C4, seqnum 864174069

-----------------------------------


Regards

Jose Alvarez


-----Original Message-----
From: Rob Crittenden [mailto:***@redhat.com]
Sent: Friday, April 29, 2016 09:34 a.m.
To: Jose Alvarez R. <***@cyberfuel.com>; freeipa-***@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
Can you help me?
I have a problem joining a client to my FREEIPA Server. The IPA Server
version is 3.0 and the IPA client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see if
there are any more details. Look for the BIND from the client and see what
happens.

More context from the log file might be helpful. I believe if you run the
client installer with --debug then additional flags are passed to ipa-join
to include the XML-RPC conversation and that might be useful too.

What account are you using to enroll with, admin?

rob
Rob Crittenden
2016-04-29 17:14:07 UTC
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use
standard xmlrpc-c calls to set up authentication and IIRC that
links against libcurl, which provides the Kerberos/GSSAPI support. On EL6
you need xmlrpc-c >= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look
like RPM versions that seem to point to RHEL 6.

rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
-------------------------------------------------------------------------
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
This is the curl version on the IPA server
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client)
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The curl version is different, but the curl version on the PPA is from the
Odin Plesk repository.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
result: -1765328243/Matching credential not found
0/Success
[12118] 1461855578.810509: Requesting tickets for
[12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
[12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
[12118] 1461855578.816714: Response was from master KDC
[12118] 1461855578.816977: TGS request result: 0/Success
[12118] 1461855578.817018: Received creds for desired service
aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey
aes256-cts/4B32, seqnum 706045221
[17304] 1461858424.873888: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
result: -1765328243/Matching credential not found
0/Success
[17304] 1461858424.874631: Requesting tickets for
[17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
[17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
[17304] 1461858424.882531: Response was from master KDC
[17304] 1461858424.882850: TGS request result: 0/Success
[17304] 1461858424.882883: Received creds for desired service
aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey
aes256-cts/A0F5, seqnum 906104721
[23457] 1461863053.621386: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
result: -1765328243/Matching credential not found
0/Success
[23457] 1461863053.622176: Requesting tickets for
[23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
[23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
[23457] 1461863053.628229: Response was from master KDC
[23457] 1461863053.628560: TGS request result: 0/Success
[23457] 1461863053.628610: Received creds for desired service
aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey
aes256-cts/8866, seqnum 421358565
[23749] 1461863277.525338: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
result: -1765328243/Matching credential not found
0/Success
[23749] 1461863277.525593: Requesting tickets for
[23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
[23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
[23749] 1461863277.530737: Response was from master KDC
[23749] 1461863277.530931: TGS request result: 0/Success
[23749] 1461863277.530948: Received creds for desired service
aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey
aes256-cts/5194, seqnum 376027188
[25544] 1461864401.258277: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
result: -1765328243/Matching credential not found
0/Success
[25544] 1461864401.259102: Requesting tickets for
[25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
[25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
[25544] 1461864401.264593: Response was from master KDC
[25544] 1461864401.264966: TGS request result: 0/Success
[25544] 1461864401.264996: Received creds for desired service
aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey
aes256-cts/0E9F, seqnum 871496824
[18097] 1461937028.664354: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
result: -1765328243/Matching credential not found
0/Success
[18097] 1461937028.664611: Requesting tickets for
[18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
[18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
[18097] 1461937028.668984: Response was from master KDC
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.669156: Received creds for desired service
aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey
aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: Friday, April 29, 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
Can you help me?
I have a problem joining a client to my FREEIPA Server. The IPA Server
version is 3.0 and the IPA client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see if
there are any more details. Look for the BIND from the client and see what
happens.
More context from the log file might be helpful. I believe if you run the
client installer with --debug then additional flags are passed to ipa-join
to include the XML-RPC conversation and that might be useful too.
What account are you using to enroll with, admin?
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
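The trace quoted in the post above shows a `POST /ipa/xml` with no `Authorization` header, a `401` carrying `WWW-Authenticate: Negotiate`, and then the connection closing. The following is an added example (not from the thread or from FreeIPA; the function names, verdict labels and the second trace are constructed for illustration) that parses such a curl verbose trace and separates "the client never sent a Negotiate token" from "the server rejected the token it was sent".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


@dataclass
class Exchange:
    """One HTTP request and the response that answered it."""
    request_line: str
    request_headers: Dict[str, List[str]] = field(default_factory=dict)
    status: Optional[int] = None
    response_headers: Dict[str, List[str]] = field(default_factory=dict)

    def sent_negotiate(self) -> bool:
        return any(v.lower().startswith("negotiate ")
                   for v in self.request_headers.get("authorization", []))

    def challenged_negotiate(self) -> bool:
        return self.status == 401 and any(
            v.lower().startswith("negotiate")
            for v in self.response_headers.get("www-authenticate", []))


def parse_trace(text: str) -> List[Exchange]:
    """Split a curl verbose trace into request/response exchanges.

    Request lines are accepted with or without curl's "> " prefix, because
    mail archives often strip a leading ">" as a quote marker.
    """
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("*"):                      # curl informational line
            continue
        if line == "<" or line.startswith("< "):      # response side
            if current is None:
                continue
            body = line[2:]
            status = STATUS_LINE.match(body)
            if status:
                current.status = int(status.group(1))
                continue
            header = HEADER_LINE.match(body)
            if header:
                current.response_headers.setdefault(
                    header.group(1).lower(), []).append(header.group(2))
            continue
        if line.startswith("> "):
            line = line[2:]
        if REQUEST_LINE.match(line):
            current = Exchange(request_line=line)
            exchanges.append(current)
            continue
        # Header lines only count while the request is still open; this
        # keeps XML-RPC body text and stray log lines out of the headers.
        if current is not None and current.status is None:
            header = HEADER_LINE.match(line)
            if header:
                current.request_headers.setdefault(
                    header.group(1).lower(), []).append(header.group(2))
    return exchanges


def diagnose(text: str) -> str:
    """Return a verdict label for the last exchange in the trace."""
    exchanges = parse_trace(text)
    if not exchanges or exchanges[-1].status is None:
        return "incomplete"
    last = exchanges[-1]
    if 200 <= last.status < 300:
        return "ok"
    if last.status != 401:
        return "http-%d" % last.status
    if last.sent_negotiate():
        return "token-rejected"       # look at the server side of the exchange
    if any(e.challenged_negotiate() for e in exchanges):
        return "no-token-sent"        # look at the client's HTTP/GSSAPI stack
    return "no-negotiate-challenge"


# Abridged from the trace quoted in the thread.
FAILED_TRACE = """
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
User-Agent: ipa-join/3.0.0
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
"""

# Constructed sample: host and token are placeholders, not real values.
HEALTHY_TRACE = """
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
<
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Authorization: Negotiate Y29uc3RydWN0ZWQ=
< HTTP/1.1 200 OK
<
"""

if __name__ == "__main__":
    print("thread trace :", diagnose(FAILED_TRACE))
    print("healthy trace:", diagnose(HEALTHY_TRACE))
```

A `no-token-sent` verdict is consistent with the reply's suspicion of the xmlrpc-c/libcurl layer on the client; whether that libcurl build advertises a GSS/Negotiate feature can be read from the `Features:` line of `curl -V`.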
Jose Alvarez R.
2016-04-29 18:05:48 UTC
Hi, Rob

Thanks!!


The version of xmlrpc-c on my IPA server:
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64


The version of xmlrpc-c on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

The versions are the same, but libcurl is different

This is the curl version on the IPA server
[***@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[***@freeipa log]#


This is the curl version on the PPA server (IPA client)
[***@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

Sorry, my English is not very good


Regards.



-----Original Message-----
From: Rob Crittenden [mailto:***@redhat.com]
Sent: Friday, April 29, 2016 11:14 a.m.
To: Jose Alvarez R. <***@cyberfuel.com>; freeipa-***@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use standard
xmlrpc-c calls to set up authentication and IIRC that links against
libcurl, which provides the Kerberos/GSSAPI support. On EL6 you need
xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look like
RPM versions that seem to point to RHEL 6.

rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
-------------------------------------------------------------------------
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP SRV
record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP SRV
record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
or directory
User authorized to enroll computers: admin will use principal provided
as option: admin Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client):
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The curl version is different, but the curl version on PPA is from the
Odin Plesk repository.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
0/Success
[12118] 1461855578.810509: Requesting tickets for
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
0/Success [12118] 1461855578.817018: Received creds for desired
[12118] 1461855578.817413: Creating authenticator for
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
0/Success
[17304] 1461858424.874631: Requesting tickets for
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
[17304] 1461858424.883271: Creating authenticator for
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
0/Success
[23457] 1461863053.622176: Requesting tickets for
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
[23457] 1461863053.629119: Creating authenticator for
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
0/Success
[23749] 1461863277.525593: Requesting tickets for
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
[23749] 1461863277.531133: Creating authenticator for
seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
0/Success
[25544] 1461864401.259102: Requesting tickets for
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
[25544] 1461864401.265581: Creating authenticator for
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
0/Success
[18097] 1461937028.664611: Requesting tickets for
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
[18097] 1461937028.669304: Creating authenticator for
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: Friday, April 29, 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
Can you help me?
I have a problem joining a client to my FreeIPA server. The
IPA server version is 3.0 and the IPA client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.
More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful too.
What account are you using to enroll with, admin?
rob
Rob Crittenden
2016-04-29 18:19:29 UTC
Post by Jose Alvarez R.
Hi, Rob
Thanks!!
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
The version of xmlrpc-c on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945

The libcurl version on the client looks ok.

This is only a client-side issue so no changes on the servers should be
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.

rob
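An added example, not part of the original post and not FreeIPA code: a small triage of a `curl -v` style trace like the ipa-join one in this thread, separating "the client never sent a Negotiate token" from "the server rejected the token". The function names and the three sample traces are constructed for illustration, in the standard `curl -v` layout ("> " request, "< " response).

```python
import re

STATUS_RE = re.compile(r"HTTP/\d(?:\.\d)?\s+(\d{3})")

# Constructed traces, modelled on the ipa-join exchange quoted in this thread.
TRACE_NO_TOKEN = """\
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> User-Agent: ipa-join/3.0.0
> Content-Length: 477
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
"""

# Same request, but the client did present a (placeholder) token and was refused.
TRACE_TOKEN_REJECTED = TRACE_NO_TOKEN.replace(
    "> Content-Length: 477",
    "> Authorization: Negotiate Q09OU1RSVUNURUQ=\n> Content-Length: 477",
)

# Unauthenticated probe answered with 401, then a retry carrying the token.
TRACE_RETRY_OK = TRACE_NO_TOKEN + """\
> POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> Authorization: Negotiate Q09OU1RSVUNURUQ=
>
< HTTP/1.1 200 OK
< Content-Type: text/xml
<
"""


def parse_exchanges(trace):
    """Split a curl -v trace into request/response exchanges."""
    exchanges, cur = [], None
    for raw in trace.splitlines():
        line = raw.rstrip("\r")
        if line.startswith(">"):
            # A request line after a completed response starts a new exchange.
            if cur is None or cur["status"] is not None:
                cur = {"request": None, "req_headers": {},
                       "status": None, "resp_headers": {}}
                exchanges.append(cur)
            body = line[1:].strip()
            if not body:
                continue
            if cur["request"] is None:
                cur["request"] = body
            else:
                name, _, value = body.partition(":")
                cur["req_headers"][name.strip().lower()] = value.strip()
        elif line.startswith("<") and cur is not None:
            body = line[1:].strip()
            if not body:
                continue
            match = STATUS_RE.match(body)
            if match:
                cur["status"] = int(match.group(1))
            elif cur["status"] is not None:
                name, _, value = body.partition(":")
                cur["resp_headers"].setdefault(
                    name.strip().lower(), []).append(value.strip())
    return exchanges


def triage(trace):
    """Classify the outcome of an HTTP Negotiate (Kerberos) attempt."""
    exchanges = parse_exchanges(trace)
    if not exchanges or exchanges[-1]["status"] is None:
        return "incomplete-trace"
    final = exchanges[-1]["status"]
    if final != 401:
        return "ok" if final == 200 else "http-%d" % final
    sent_token = any(
        e["req_headers"].get("authorization", "").lower().startswith("negotiate ")
        for e in exchanges)
    offered = any(
        v.lower().startswith("negotiate")
        for e in exchanges
        for v in e["resp_headers"].get("www-authenticate", []))
    if sent_token:
        return "token-rejected"        # look at the server-side logs
    if offered:
        return "client-sent-no-token"  # look at the client's GSSAPI stack
    return "server-did-not-offer-negotiate"


if __name__ == "__main__":
    for name, trace in (("no token", TRACE_NO_TOKEN),
                        ("rejected", TRACE_TOKEN_REJECTED),
                        ("retry ok", TRACE_RETRY_OK)):
        print(name, "->", triage(trace))
```
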
Post by Jose Alvarez R.
The versions are the same, but the libcurl is different
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client):
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
Sorry, my English is not very good
Regards.
-----Original Message-----
Sent: Friday, April 29, 2016 11:14 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use standard
xmlrpc-c calls to set up authentication and IIRC that links against
libcurl which provides the Kerberos/GSSAPI support. On EL6 you need
xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look like
RPM versions that seem to point to RHEL 6.
rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
----------------------------------------------------------------------
---
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP SRV
record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP SRV
record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
or directory
User authorized to enroll computers: admin will use principal provided
as option: admin Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client):
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The curl version is different, but the curl version on PPA is from the
Odin Plesk repository.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
0/Success
[12118] 1461855578.810509: Requesting tickets for
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
0/Success [12118] 1461855578.817018: Received creds for desired
[12118] 1461855578.817413: Creating authenticator for
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
0/Success
[17304] 1461858424.874631: Requesting tickets for
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
[17304] 1461858424.883271: Creating authenticator for
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
0/Success
[23457] 1461863053.622176: Requesting tickets for
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
[23457] 1461863053.629119: Creating authenticator for
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
0/Success
[23749] 1461863277.525593: Requesting tickets for
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
[23749] 1461863277.531133: Creating authenticator for
seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
0/Success
[25544] 1461864401.259102: Requesting tickets for
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
[25544] 1461864401.265581: Creating authenticator for
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
0/Success
[18097] 1461937028.664611: Requesting tickets for
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
[18097] 1461937028.669304: Creating authenticator for
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: Friday, April 29, 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
Can you help me?
I have a problem joining a client to my FreeIPA server. The
IPA server version is 3.0 and the IPA client version is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.
More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful too.
What account are you using to enroll with, admin?
rob
Jose Alvarez R.
2016-04-29 20:53:16 UTC
Hi, Rob

Thanks for your response

I do not have access to the link
https://bugzilla.redhat.com/show_bug.cgi?id=719945.

I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the PPA
server (IPA client), but it still shows the same error.

A moment ago I added another client server with the same xmlrpc version
and it installed correctly.

Thanks Regards.




[***@bk1 ~]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,
'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname':
None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,
'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=bk1.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: bk1.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmp5msIum:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0


[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

}


[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM



Password for ***@CYBERFUEL.COM:
args=kinit ***@CYBERFUEL.COM
stdout=Password for ***@CYBERFUEL.COM:

stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CYBERFUEL.COM
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Valid From: Wed Sep 30 17:46:50 2015 UTC
Valid Until: Sun Sep 30 17:46:50 2035 UTC

args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>bk1.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.12.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478

< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
* Issue another request to this URL:
'https://freeipa.cyberfuel.com:443/ipa/xml'
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
* Server auth using GSS-Negotiate with user ''
POST /ipa/xml HTTP/1.1
Authorization: Negotiate
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478

< HTTP/1.1 200 Success
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
* Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain
freeipa.cyberfuel.com, path /ipa, expire 1461963745
< Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25
GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
<
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=CYBERFUEL.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>e1a08eb8-0e4a-11e6-8c5b-005056b027f1</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/***@CYBERFUEL.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n

Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=CYBERFUEL.COM

Enrolled in IPA realm CYBERFUEL.COM
args=kdestroy
stdout=
stderr=
Attempting to get host TGT...
args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/***@CYBERFUEL.COM
stdout=
stderr=
Attempt 1/5 succeeded.
Backing up system configuration file '/etc/ipa/default.conf'
-> Not backing up - '/etc/ipa/default.conf' doesn't exist
Created /etc/ipa/default.conf
importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3

stderr=
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Backing up system configuration file '/etc/sssd/sssd.conf'
-> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
New SSSD config will be created
Backing up system configuration file '/etc/nsswitch.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
/etc/ipa/ca.crt
stdout=
stderr=
Backing up system configuration file '/etc/krb5.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Writing Kerberos configuration to /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0


[realms]
CYBERFUEL.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt

}


[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM



Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM
args=keyctl search @s user
ipa_session_cookie:host/***@CYBERFUEL.COM
stdout=
stderr=keyctl_search: Required key not available

args=keyctl search @s user
ipa_session_cookie:host/***@CYBERFUEL.COM
stdout=
stderr=keyctl_search: Required key not available

failed to find session_cookie in persistent storage for principal
'host/***@CYBERFUEL.COM'
trying https://freeipa.cyberfuel.com/ipa/xml
Created connection context.xmlclient
raw: env(None, server=True)
env(None, server=True, all=True)
Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Validity:
Not Before: Wed Sep 30 17:52:11 2015 UTC
Not After: Sat Sep 30 17:52:11 2017 UTC
Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent:
65537 (0x10001)
Signed Extensions: (5 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8:
d1:87:fa:ff
Serial Number: None
General Names: [0 total]

Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp

Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment

Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate

Name: Certificate Subject Key ID
Critical: False
Data:
73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1:
89:b9:1e:70

Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (MD5):
09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48
Fingerprint (SHA1):
c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79:
ca:4d:09:98
approved_usage = SSL Server intended_usage = SSL Server
cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly' for prin
args=keyctl search @s user
ipa_session_cookie:host/***@CYBERFUEL.COM
stdout=
stderr=keyctl_search: Required key not available

args=keyctl search @s user
ipa_session_cookie:host/***@CYBERFUEL.COM
stdout=
stderr=keyctl_search: Required key not available

args=keyctl padd user
ipa_session_cookie:host/***@CYBERFUEL.COM @s
stdout=640092261

stderr=
Hostname (bk1.cyberfuel.com) not found in DNS
Writing nsupdate commands to /etc/ipa/.dns_update.txt:

zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN A
send
update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13
send

args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
DNS/***@CYBERFUEL.COM no

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Failed to update DNS records.
args=/sbin/service messagebus start
stdout=Starting system message bus: [ OK ]

stderr=
args=/sbin/service messagebus status
stdout=messagebus (pid 41820) is running...

stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]

stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41859) is running...

stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]

stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41927) is running...

stderr=
args=/sbin/chkconfig certmonger on
stdout=
stderr=
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K
host/***@CYBERFUEL.CO
stdout=New signing request "20160429204235" added.

stderr=
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa'], updatedns=False)
host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa'), rights=False, updatedns=False, all=False, raw=False,
no_members=False)
Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly' for prin
args=keyctl search @s user
ipa_session_cookie:host/***@CYBERFUEL.COM
stdout=640092261

stderr=
args=keyctl search @s user
ipa_session_cookie:host/***@CYBERFUEL.COM
stdout=640092261

stderr=
args=keyctl pupdate 640092261
stdout=
stderr=
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN SSHFP
send
update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1
B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1
30D2331BC69452EFE65445B5C990773EA41A2FE8
send

args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
DNS/***@CYBERFUEL.COM no

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Could not update DNS SSHFP records.
args=/sbin/service nscd status
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
stdout=
stderr=
SSSD enabled
Configuring cyberfuel.com as NIS domain
args=/bin/nisdomainname
stdout=(none)

stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
stdout=
stderr=
args=/bin/nisdomainname cyberfuel.com
stdout=
stderr=
args=/sbin/service sssd restart
stdout=Stopping sssd: [FAILED]
Starting sssd: [ OK ]

stderr=cat: /var/run/sssd.pid: No such file or directory

args=/sbin/service sssd status
stdout=sssd (pid 42071) is running...

stderr=
args=/sbin/chkconfig sssd on
stdout=
stderr=
Backing up system configuration file '/etc/openldap/ldap.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/openldap/ldap.conf
args=getent passwd admin
stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash

stderr=
Backing up system configuration file '/etc/ntp/step-tickers'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Backing up system configuration file '/etc/ntp.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/ntpd'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd on
stdout=
stderr=
args=/sbin/service ntpd restart
stdout=Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]

stderr=
args=/sbin/service ntpd status
stdout=ntpd (pid 42133) is running...

stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status
stdout=openssh-daemon (pid 46497) is running...

stderr=
args=/sbin/service sshd restart
stdout=Stopping sshd: [ OK ]
Starting sshd: [ OK ]

stderr=
args=/sbin/service sshd status
stdout=openssh-daemon (pid 42190) is running...

stderr=
Client configuration complete.





-----Original Message-----
From: Rob Crittenden [mailto:***@redhat.com]
Sent: viernes 29 de abril de 2016 12:19 p.m.
To: Jose Alvarez R. <***@cyberfuel.com>; freeipa-***@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks!!
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
The version the xmlrpc-c of my client IPA
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945

The libcurl version on the client looks ok.

This is only a client-side issue so no changes on the servers should be
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.

rob
The versions are the same, but the libcurl is different
It's the version curl IPA server
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
| grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
Sorry, my English is not very good
Regards.
-----Original Message-----
Sent: viernes 29 de abril de 2016 11:14 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use
standard xmlrpc-c calls to set up authentication and IIRC that
links against libcurl which provides the Kerberos/GSSAPI support. On
EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look
like RPM versions that seem to point to RHEL 6.
rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
-------------------------------------------------------------------------
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None,
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP
SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP
SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
or directory
User authorized to enroll computers: admin will use principal
provided as option: admin Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\
n <member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8 <
* Closing connection 0
HTTP response code is 401, not 200
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\
n <member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8 <
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
It's the version curl IPA server
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
It's the version curl PPA server(IPA Client)
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The version curl is different, but the version curl PPA is the
repository Odin Plesk.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
0/Success
[12118] 1461855578.810509: Requesting tickets for
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
0/Success [12118] 1461855578.817018: Received creds for desired
[12118] 1461855578.817413: Creating authenticator for
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
0/Success
[17304] 1461858424.874631: Requesting tickets for
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
[17304] 1461858424.883271: Creating authenticator for
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
0/Success
[23457] 1461863053.622176: Requesting tickets for
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
[23457] 1461863053.629119: Creating authenticator for
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
0/Success
[23749] 1461863277.525593: Requesting tickets for
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
[23749] 1461863277.531133: Creating authenticator for
seqnum 1019693263, subkey aes256-cts/B3E0, session key
aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm
chose cache FILE:/tmp/tmprfuOsj with client principal
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
0/Success
[25544] 1461864401.259102: Requesting tickets for
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
[25544] 1461864401.265581: Creating authenticator for
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
0/Success
[18097] 1461937028.664611: Requesting tickets for
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
[18097] 1461937028.669304: Creating authenticator for
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: viernes 29 de abril de 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
You can help me?
I have the problem for join a client to my FREEIPA Server. The
version IPA Server is 3.0 and IP client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert
are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.
More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful too.
What account are you using to enroll with, admin?
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
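The curl traces posted in this thread differ in one respect: the failing ipa-join run stops at the 401, while a successful enrolment answers the 401 with a second POST carrying `Authorization: Negotiate`. As an added example (not part of the original posts and not FreeIPA code), the Python below classifies a curl verbose trace on that basis; the sample traces are constructed, abbreviated from the output in the thread, and the token is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Mail clients strip or re-wrap curl's "> " / "< " markers, so request lines
# are accepted with or without "> " and response markers may appear mid-line.
REQUEST = re.compile(r"^(?:>\s*)?(?:POST|GET|PUT|HEAD) \S+ HTTP/\d\.\d\s*$")
STATUS = re.compile(r"<\s*HTTP/\d\.\d\s+(\d{3})")
CHALLENGE = re.compile(r"<\s*WWW-Authenticate:\s*Negotiate", re.I)
TOKEN = re.compile(r"^(?:>\s*)?Authorization:\s*Negotiate\b", re.I)


@dataclass
class Exchange:
    sent_token: bool = False       # request carried Authorization: Negotiate
    status: Optional[int] = None   # HTTP status of the response
    challenged: bool = False       # response carried WWW-Authenticate: Negotiate


def parse_trace(text: str) -> List[Exchange]:
    """Split a curl verbose trace into request/response exchanges."""
    exchanges: List[Exchange] = []
    for raw in text.splitlines():
        line = raw.strip()
        if REQUEST.match(line):
            exchanges.append(Exchange())
            continue
        if not exchanges:
            continue
        cur = exchanges[-1]
        # A token only counts if it appears before the response status.
        if cur.status is None and TOKEN.match(line):
            cur.sent_token = True
        m = STATUS.search(line)
        if m and cur.status is None:
            cur.status = int(m.group(1))
        if CHALLENGE.search(line):
            cur.challenged = True
    return exchanges


def classify(text: str) -> str:
    """Return ok, token-rejected, no-token-sent or inconclusive."""
    answered = [e for e in parse_trace(text) if e.status is not None]
    if not answered:
        return "inconclusive"
    if any(e.sent_token and 200 <= e.status < 300 for e in answered):
        return "ok"
    if any(e.sent_token and e.status == 401 for e in answered):
        return "token-rejected"   # client sent a token, server refused it
    if any(e.status == 401 for e in answered):
        # Client stopped at the 401 without sending a token: the pattern in
        # the failing ipa-join trace, which points at the client-side stack.
        return "no-token-sent"
    return "inconclusive"


# Constructed sample: failing run, markers mangled as in the mailed trace.
FAILING_TRACE = """\
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
User-Agent: ipa-join/3.0.0
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
< Connection: close
* Closing connection 0
HTTP response code is 401, not 200
"""

# Constructed sample: successful run; PLACEHOLDER_TOKEN stands in for the
# base64 SPNEGO token.
WORKING_TRACE = """\
> POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
* Issue another request to this URL: 'https://freeipa.cyberfuel.com:443/ipa/xml'
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
> Authorization: Negotiate PLACEHOLDER_TOKEN
> Host: freeipa.cyberfuel.com
< HTTP/1.1 200 Success
< Connection: close
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, "->", classify(trace))
```

A `no-token-sent` verdict says only that the client never attempted GSSAPI authentication; a `token-rejected` verdict moves the investigation to the server side instead.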
Jose Alvarez R.
2016-05-02 18:05:09 UTC
Permalink
Hi, Rob



I did what you indicated to me, but it still gives the same problem.



Can you help me ?



Thanks, Regards



Jose Alvarez







-----Original Message-----
From: freeipa-users-***@redhat.com
[mailto:freeipa-users-***@redhat.com] On Behalf Of Jose Alvarez R.
Sent: viernes 29 de abril de 2016 02:53 p.m.
To: 'Rob Crittenden' <***@redhat.com>
Cc: freeipa-***@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200



Hi, Rob



Thanks for your response



I do not have access to the link
https://bugzilla.redhat.com/show_bug.cgi?id=719945.

I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the PPA server (IPA client), but it still shows the same error.

A moment ago I added another client server with the same xmlrpc version and it installed correctly.



Thanks Regards.









[***@bk1 ~]# ipa-client-install --debug

/usr/sbin/ipa-client-install was invoked with options: {'domain': None,

'force': False, 'realm_name': None, 'krb5_offline_passwords': True,

'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,

'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname':

None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,

'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,

'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':

missing options might be asked for interactively later

Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'

Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'

[IPA Discovery]

Starting IPA discovery with domain=None, servers=None,

hostname=bk1.cyberfuel.com

Start searching for LDAP SRV record in "cyberfuel.com" (domain of the

hostname) and its sub-domains

Search DNS for SRV record of _ldap._tcp.cyberfuel.com.

DNS record found:

DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,

port:389,weight:50,server:freeipa.cyberfuel.com.}

[Kerberos realm search]

Search DNS for TXT record of _kerberos.cyberfuel.com.

DNS record found:

DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU

EL.COM}

Search DNS for SRV record of _kerberos._udp.cyberfuel.com.

DNS record found:

DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit

y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}

[LDAP server check]

Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server

Init LDAP connection with: ldap://freeipa.cyberfuel.com:389

Search LDAP server for IPA base DN

Check if naming context 'dc=cyberfuel,dc=com' is for IPA

Naming context 'dc=cyberfuel,dc=com' is a valid IPA context

Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)

Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com

Discovery result: Success; server=freeipa.cyberfuel.com,

domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com

Validated servers: freeipa.cyberfuel.com

will use discovered domain: cyberfuel.com

Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS

Discovery) and its sub-domains

Search DNS for SRV record of _ldap._tcp.cyberfuel.com.

DNS record found:

DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,

port:389,weight:50,server:freeipa.cyberfuel.com.}

DNS validated, enabling discovery

will use discovered server: freeipa.cyberfuel.com

Discovery was successful!

will use discovered realm: CYBERFUEL.COM

will use discovered basedn: dc=cyberfuel,dc=com

Hostname: bk1.cyberfuel.com

Hostname source: Machine's FQDN

Realm: CYBERFUEL.COM

Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com

DNS Domain: cyberfuel.com

DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of

the hostname)

IPA Server: freeipa.cyberfuel.com

IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com

BaseDN: dc=cyberfuel,dc=com

BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389



Continue to configure the system with these values? [no]: yes

args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM

stdout=

stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory



User authorized to enroll computers: admin

will use principal provided as option: admin

Synchronizing time with KDC...

Search DNS for SRV record of _ntp._udp.cyberfuel.com.

No DNS record found

args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com

stdout=

stderr=

args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com

stdout=

stderr=

args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com

stdout=

stderr=

Unable to sync time with IPA NTP server, assuming the time is in sync.

Please check that 123 UDP port is opened.

Writing Kerberos configuration to /tmp/tmp5msIum:

#File modified by ipa-client-install



includedir /var/lib/sss/pubconf/krb5.include.d/



[libdefaults]

default_realm = CYBERFUEL.COM

dns_lookup_realm = false

dns_lookup_kdc = false

rdns = false

ticket_lifetime = 24h

forwardable = yes

udp_preference_limit = 0





[realms]

CYBERFUEL.COM = {

kdc = freeipa.cyberfuel.com:88

master_kdc = freeipa.cyberfuel.com:88

admin_server = freeipa.cyberfuel.com:749

default_domain = cyberfuel.com

pkinit_anchors = FILE:/etc/ipa/ca.crt



}





[domain_realm]

.cyberfuel.com = CYBERFUEL.COM

cyberfuel.com = CYBERFUEL.COM







Password for ***@CYBERFUEL.COM:

args=kinit ***@CYBERFUEL.COM

stdout=Password for ***@CYBERFUEL.COM:



stderr=

trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=CYBERFUEL.COM

Issuer: CN=Certificate Authority,O=CYBERFUEL.COM

Valid From: Wed Sep 30 17:46:50 2015 UTC

Valid Until: Sun Sep 30 17:46:50 2035 UTC



args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d

stdout=

stderr=XML-RPC CALL:



<?xml version="1.0" encoding="UTF-8"?>\r\n

<methodCall>\r\n

<methodName>join</methodName>\r\n

<params>\r\n

<param><value><array><data>\r\n

<value><string>bk1.cyberfuel.com</string></value>\r\n

</data></array></value></param>\r\n

<param><value><struct>\r\n

<member><name>nsosversion</name>\r\n

<value><string>2.6.32-573.12.1.el6.x86_64</string></value></member>\r\n

<member><name>nshardwareplatform</name>\r\n

<value><string>x86_64</string></value></member>\r\n

</struct></value></param>\r\n

</params>\r\n

</methodCall>\r\n



* About to connect() to freeipa.cyberfuel.com port 443 (#0)

* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com

(192.168.20.90) port 443 (#0)

* Initializing NSS with certpath: sql:/etc/pki/nssdb

* CAfile: /etc/ipa/ca.crt

CApath: none

* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA

* Server certificate:

* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM

* start date: Sep 30 17:52:11 2015 GMT

* expire date: Sep 30 17:52:11 2017 GMT

* common name: freeipa.cyberfuel.com

* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com

Accept: */*

Content-Type: text/xml

User-Agent: ipa-join/3.0.0

Referer: https://freeipa.cyberfuel.com/ipa/xml

X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1

Content-Length: 478



< HTTP/1.1 401 Authorization Required

< Date: Fri, 29 Apr 2016 20:42:25 GMT

< Server: Apache/2.2.15 (CentOS)

< WWW-Authenticate: Negotiate

< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT

< ETag: "a0528-55a-53051ba8f7000"

< Accept-Ranges: bytes

< Content-Length: 1370

< Connection: close

< Content-Type: text/html; charset=UTF-8

<

* Closing connection #0

* Issue another request to this URL:

'https://freeipa.cyberfuel.com:443/ipa/xml'

* About to connect() to freeipa.cyberfuel.com port 443 (#0)

* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com

(192.168.20.90) port 443 (#0)

* CAfile: /etc/ipa/ca.crt

CApath: none

* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA

* Server certificate:

* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM

* start date: Sep 30 17:52:11 2015 GMT

* expire date: Sep 30 17:52:11 2017 GMT

* common name: freeipa.cyberfuel.com

* issuer: CN=Certificate Authority,O=CYBERFUEL.COM

* Server auth using GSS-Negotiate with user ''
POST /ipa/xml HTTP/1.1
Authorization: Negotiate

Host: freeipa.cyberfuel.com

Accept: */*

Content-Type: text/xml

User-Agent: ipa-join/3.0.0

Referer: https://freeipa.cyberfuel.com/ipa/xml

X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1

Content-Length: 478



< HTTP/1.1 200 Success

< Date: Fri, 29 Apr 2016 20:42:25 GMT

< Server: Apache/2.2.15 (CentOS)

* Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain

freeipa.cyberfuel.com, path /ipa, expire 1461963745

< Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;

Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25

GMT; Secure; HttpOnly

< Connection: close

< Transfer-Encoding: chunked

< Content-Type: text/xml; charset=utf-8

<

* Expire cleared

* Closing connection #0

XML-RPC RESPONSE:



<?xml version='1.0' encoding='UTF-8'?>\n

<methodResponse>\n

<params>\n

<param>\n

<value><array><data>\n

<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,

dc=com</string></value>\n

<value><struct>\n

<member>\n

<name>dn</name>\n

<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,

dc=com</string></value>\n

</member>\n

<member>\n

<name>ipacertificatesubjectbase</name>\n

<value><array><data>\n

<value><string>O=CYBERFUEL.COM</string></value>\n

</data></array></value>\n

</member>\n

<member>\n

<name>has_keytab</name>\n

<value><boolean>0</boolean></value>\n

</member>\n

<member>\n

<name>objectclass</name>\n

<value><array><data>\n

<value><string>ipaobject</string></value>\n

<value><string>nshost</string></value>\n

<value><string>ipahost</string></value>\n

<value><string>pkiuser</string></value>\n

<value><string>ipaservice</string></value>\n

<value><string>krbprincipalaux</string></value>\n

<value><string>krbprincipal</string></value>\n

<value><string>ieee802device</string></value>\n

<value><string>ipasshhost</string></value>\n

<value><string>top</string></value>\n

<value><string>ipaSshGroupOfPubKeys</string></value>\n

</data></array></value>\n

</member>\n

<member>\n

<name>fqdn</name>\n

<value><array><data>\n

<value><string>bk1.cyberfuel.com</string></value>\n

</data></array></value>\n

</member>\n

<member>\n

<name>has_password</name>\n

<value><boolean>0</boolean></value>\n

</member>\n

<member>\n

<name>ipauniqueid</name>\n

<value><array><data>\n

<value><string>e1a08eb8-0e4a-11e6-8c5b-005056b027f1</string></value>\n

</data></array></value>\n

</member>\n

<member>\n

<name>krbprincipalname</name>\n

<value><array><data>\n

<value><string>host/***@CYBERFUEL.COM</string></value>\n

</data></array></value>\n

</member>\n

<member>\n

<name>managedby_host</name>\n

<value><array><data>\n

<value><string>bk1.cyberfuel.com</string></value>\n

</data></array></value>\n

</member>\n

</struct></value>\n

</data></array></value>\n

</param>\n

</params>\n

</methodResponse>\n



Keytab successfully retrieved and stored in: /etc/krb5.keytab

Certificate subject base is: O=CYBERFUEL.COM



Enrolled in IPA realm CYBERFUEL.COM

args=kdestroy

stdout=

stderr=

Attempting to get host TGT...

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/***@CYBERFUEL.COM

stdout=

stderr=

Attempt 1/5 succeeded.

Backing up system configuration file '/etc/ipa/default.conf'

-> Not backing up - '/etc/ipa/default.conf' doesn't exist

Created /etc/ipa/default.conf

importing all plugin modules in

'/usr/lib/python2.6/site-packages/ipalib/plugins'...

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'

args=klist -V

stdout=Kerberos 5 version 1.10.3



stderr=

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'

importing plugin module

'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'

Backing up system configuration file '/etc/sssd/sssd.conf'

-> Not backing up - '/etc/sssd/sssd.conf' doesn't exist

New SSSD config will be created

Backing up system configuration file '/etc/nsswitch.conf'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

Configured sudoers in /etc/nsswitch.conf

Configured /etc/sssd/sssd.conf

args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i

/etc/ipa/ca.crt

stdout=

stderr=

Backing up system configuration file '/etc/krb5.conf'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

Writing Kerberos configuration to /etc/krb5.conf:

#File modified by ipa-client-install



includedir /var/lib/sss/pubconf/krb5.include.d/



[libdefaults]

default_realm = CYBERFUEL.COM

dns_lookup_realm = true

dns_lookup_kdc = true

rdns = false

ticket_lifetime = 24h

forwardable = yes

udp_preference_limit = 0





[realms]

CYBERFUEL.COM = {

pkinit_anchors = FILE:/etc/ipa/ca.crt



}





[domain_realm]

.cyberfuel.com = CYBERFUEL.COM

cyberfuel.com = CYBERFUEL.COM







Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM

args=keyctl search @s user

ipa_session_cookie:host/***@CYBERFUEL.COM

stdout=

stderr=keyctl_search: Required key not available



args=keyctl search @s user

ipa_session_cookie:host/***@CYBERFUEL.COM

stdout=

stderr=keyctl_search: Required key not available



failed to find session_cookie in persistent storage for principal

'host/***@CYBERFUEL.COM'

trying https://freeipa.cyberfuel.com/ipa/xml

Created connection context.xmlclient

raw: env(None, server=True)

env(None, server=True, all=True)

Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'

NSSConnection init freeipa.cyberfuel.com

Connecting: 192.168.20.90:0

auth_certificate_callback: check_sig=True is_server=False

Data:

Version: 3 (0x2)

Serial Number: 10 (0xa)

Signature Algorithm:

Algorithm: PKCS #1 SHA-256 With RSA Encryption

Issuer: CN=Certificate Authority,O=CYBERFUEL.COM

Validity:

Not Before: Wed Sep 30 17:52:11 2015 UTC

Not After: Sat Sep 30 17:52:11 2017 UTC

Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM

Subject Public Key Info:

Public Key Algorithm:

Algorithm: PKCS #1 RSA Encryption

RSA Public Key:

Modulus:

Exponent:

65537 (0x10001)

Signed Extensions: (5 total)

Name: Certificate Authority Key Identifier

Critical: False

Key ID:

31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8:

d1:87:fa:ff

Serial Number: None

General Names: [0 total]



Name: Authority Information Access

Critical: False

Authority Information Access: [1 total]

Info [1]:

Method: PKIX Online Certificate Status Protocol

Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp



Name: Certificate Key Usage

Critical: True

Usages:

Digital Signature

Non-Repudiation

Key Encipherment

Data Encipherment



Name: Extended Key Usage

Critical: False

Usages:

TLS Web Server Authentication Certificate

TLS Web Client Authentication Certificate



Name: Certificate Subject Key ID

Critical: False

Data:

73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1:

89:b9:1e:70



Signature:

Signature Algorithm:

Algorithm: PKCS #1 SHA-256 With RSA Encryption

Signature:

Fingerprint (MD5):

09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48

Fingerprint (SHA1):

c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79:

ca:4d:09:98

approved_usage = SSL Server intended_usage = SSL Server

cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"

handshake complete, peer = 192.168.20.90:443

Protocol: TLS1.2

Cipher: TLS_RSA_WITH_AES_256_CBC_SHA

received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;

Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30

GMT; Secure; HttpOnly'

storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;

Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30

GMT; Secure; HttpOnly' for prin

args=keyctl search @s user

ipa_session_cookie:host/***@CYBERFUEL.COM

stdout=

stderr=keyctl_search: Required key not available



args=keyctl search @s user

ipa_session_cookie:host/***@CYBERFUEL.COM

stdout=

stderr=keyctl_search: Required key not available



args=keyctl padd user

ipa_session_cookie:host/***@CYBERFUEL.COM @s

stdout=640092261



stderr=

Hostname (bk1.cyberfuel.com) not found in DNS

Writing nsupdate commands to /etc/ipa/.dns_update.txt:



zone cyberfuel.com.

update delete bk1.cyberfuel.com. IN A

send

update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13

send



args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt

stdout=

stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/***@CYBERFUEL.COM no



nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'

returned non-zero exit status 1

Failed to update DNS records.

args=/sbin/service messagebus start

stdout=Starting system message bus: [ OK ]



stderr=

args=/sbin/service messagebus status

stdout=messagebus (pid 41820) is running...



stderr=

args=/sbin/service certmonger restart

stdout=Stopping certmonger: [FAILED]

Starting certmonger: [ OK ]



stderr=

args=/sbin/service certmonger status

stdout=certmonger (pid 41859) is running...



stderr=

args=/sbin/service certmonger restart

stdout=Stopping certmonger: [ OK ]

Starting certmonger: [ OK ]



stderr=

args=/sbin/service certmonger status

stdout=certmonger (pid 41927) is running...



stderr=

args=/sbin/chkconfig certmonger on

stdout=

stderr=

args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K host/***@CYBERFUEL.CO

stdout=New signing request "20160429204235" added.



stderr=

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub

raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa

wfpc='], updatedns=False)

host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa

wfpc='), rights=False, updatedns=False, all=False, raw=False,

no_members=False)

Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'

NSSConnection init freeipa.cyberfuel.com

Connecting: 192.168.20.90:0

handshake complete, peer = 192.168.20.90:443

Protocol: TLS1.2

Cipher: TLS_RSA_WITH_AES_256_CBC_SHA

received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;

Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35

GMT; Secure; HttpOnly'

storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;

Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35

GMT; Secure; HttpOnly' for prin

args=keyctl search @s user

ipa_session_cookie:host/***@CYBERFUEL.COM

stdout=640092261



stderr=

args=keyctl search @s user

ipa_session_cookie:host/***@CYBERFUEL.COM

stdout=640092261



stderr=

args=keyctl pupdate 640092261

stdout=

stderr=

Writing nsupdate commands to /etc/ipa/.dns_update.txt:

zone cyberfuel.com.

update delete bk1.cyberfuel.com. IN SSHFP

send

update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1

B40F0F3FF14223B021F206C3E3276AC48F6EEAF0

update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1

30D2331BC69452EFE65445B5C990773EA41A2FE8

send



args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt

stdout=

stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/***@CYBERFUEL.COM no



nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'

returned non-zero exit status 1

Could not update DNS SSHFP records.

args=/sbin/service nscd status

stdout=

stderr=nscd: unrecognized service



Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd

stdout=

stderr=

SSSD enabled

Configuring cyberfuel.com as NIS domain

args=/bin/nisdomainname

stdout=(none)



stderr=

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com

stdout=

stderr=

args=/bin/nisdomainname cyberfuel.com

stdout=

stderr=

args=/sbin/service sssd restart

stdout=Stopping sssd: [FAILED]

Starting sssd: [ OK ]



stderr=cat: /var/run/sssd.pid: No such file or directory



args=/sbin/service sssd status

stdout=sssd (pid 42071) is running...



stderr=

args=/sbin/chkconfig sssd on

stdout=

stderr=

Backing up system configuration file '/etc/openldap/ldap.conf'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

Configured /etc/openldap/ldap.conf

args=getent passwd admin

stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash



stderr=

Backing up system configuration file '/etc/ntp/step-tickers'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

args=/usr/sbin/selinuxenabled

stdout=

stderr=

args=/sbin/chkconfig ntpd

stdout=

stderr=

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

Backing up system configuration file '/etc/ntp.conf'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

args=/usr/sbin/selinuxenabled

stdout=

stderr=

Backing up system configuration file '/etc/sysconfig/ntpd'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

args=/usr/sbin/selinuxenabled

stdout=

stderr=

args=/sbin/chkconfig ntpd on

stdout=

stderr=

args=/sbin/service ntpd restart

stdout=Shutting down ntpd: [ OK ]

Starting ntpd: [ OK ]



stderr=

args=/sbin/service ntpd status

stdout=ntpd (pid 42133) is running...



stderr=

NTP enabled

Backing up system configuration file '/etc/ssh/ssh_config'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

Configured /etc/ssh/ssh_config

Backing up system configuration file '/etc/ssh/sshd_config'

Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'

args=sshd -t -f /dev/null -o AuthorizedKeysCommand=

stdout=

stderr=

Configured /etc/ssh/sshd_config

args=/sbin/service sshd status

stdout=openssh-daemon (pid 46497) is running...



stderr=

args=/sbin/service sshd restart

stdout=Stopping sshd: [ OK ]

Starting sshd: [ OK ]



stderr=

args=/sbin/service sshd status

stdout=openssh-daemon (pid 42190) is running...



stderr=

Client configuration complete.











-----Original Message-----

From: Rob Crittenden [mailto:***@redhat.com]

Sent: Friday, April 29, 2016 12:19 p.m.

To: Jose Alvarez R. <***@cyberfuel.com>; freeipa-***@redhat.com

Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks!!
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
The version of xmlrpc-c on my IPA client
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed

https://bugzilla.redhat.com/show_bug.cgi?id=719945



The libcurl version on the client looks ok.



This is only a client-side issue so no changes on the servers should be

necessary IIRC. This appears to be EL 6.1 which at this point is quite old.



rob
The versions are the same, but the libcurl is different
It's the curl version on the IPA server
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
| grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
Sorry, my English is not very good
Regards.
-----Original Message-----
Sent: Friday, April 29, 2016 11:14 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use
standard xmlrpc-c calls to set up authentication and IIRC that
links against libcurl which provides the Kerberos/GSSAPI support. On
EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look
like RPM versions that seem to point to RHEL 6.
rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
---------------------------------------------------------------------
-
---
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None,
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP
SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
None, 'no_nisdomain': False, 'principal': None, 'hostname': None,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP
SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
or directory
User authorized to enroll computers: admin will use principal
provided as option: admin Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8 <
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client):
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The curl version is different, but the curl version on PPA is from the
Odin Plesk repository.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
0/Success
[12118] 1461855578.810509: Requesting tickets for
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from
stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
KDC [12118] 1461855578.816906: TGS reply is for
0/Success [12118] 1461855578.817018: Received creds for desired
[12118] 1461855578.817413: Creating authenticator for
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
0/Success
[17304] 1461858424.874631: Requesting tickets for
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
[17304] 1461858424.883271: Creating authenticator for
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
0/Success
[23457] 1461863053.622176: Requesting tickets for
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
[23457] 1461863053.629119: Creating authenticator for
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
0/Success
[23749] 1461863277.525593: Requesting tickets for
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
[23749] 1461863277.531133: Creating authenticator for
seqnum 1019693263, subkey aes256-cts/B3E0, session key
aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm
chose cache FILE:/tmp/tmprfuOsj with client principal
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
0/Success
[25544] 1461864401.259102: Requesting tickets for
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
[25544] 1461864401.265581: Creating authenticator for
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
0/Success
[18097] 1461937028.664611: Requesting tickets for
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
[18097] 1461937028.669304: Creating authenticator for
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: Friday, April 29, 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
You can help me?
I have the problem for join a client to my FREEIPA Server. The
version IPA Server is 3.0 and IP client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert
are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.
More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful
too.
Post by Jose Alvarez R.
What account are you using to enroll with, admin?
rob
--
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users

Go to http://freeipa.org for more info on the project
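An added example, not part of the thread and not FreeIPA code: a small Python checker that reads a curl verbose trace like the ipa-join debug output posted above and reports whether a 401 offering `WWW-Authenticate: Negotiate` was ever answered with an `Authorization: Negotiate` request. The sample traces, the host `ipa.example.test`, the token placeholder and the verdict names are constructed for illustration; the `token-rejected` verdict goes beyond the case seen in this thread.

```python
import re

# Request lines appear with curl's "> " prefix, or without it when a mail
# archive has stripped the prefix as quoting (as in the traces in this thread).
REQUEST_LINE = re.compile(r"^(?:>\s*)?(GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^<\s*HTTP/\d\.\d (\d{3})\b")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

# Constructed sample: client stops after the challenge (prefix-stripped form).
FAILING_TRACE = """\
* Connected to ipa.example.test (192.0.2.10) port 443 (#0)
POST /ipa/xml HTTP/1.1
Host: ipa.example.test
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
HTTP response code is 401, not 200
"""

# Constructed sample: client retries with a (placeholder) SPNEGO token.
WORKING_TRACE = """\
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Content-Length: 478
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection #0
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
> Authorization: Negotiate CONSTRUCTED-TOKEN-PLACEHOLDER
> Host: ipa.example.test
> Content-Length: 478
>
< HTTP/1.1 200 Success
< Set-Cookie: ipa_session=constructed; Path=/ipa; Secure; HttpOnly
<
"""


def parse_exchanges(trace):
    """Split a curl -v style trace into request/response exchanges."""
    exchanges, current, section = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        match = REQUEST_LINE.match(line)
        if match:
            current = {"method": match.group(1), "path": match.group(2),
                       "request_headers": {}, "status": None,
                       "response_headers": {}}
            exchanges.append(current)
            section = "request"
            continue
        if current is None:
            continue
        match = STATUS_LINE.match(line)
        if match:
            current["status"] = int(match.group(1))
            section = "response"
            continue
        if line.startswith("*"):          # curl informational line
            continue
        if line.startswith("<"):          # response header (or body) line
            header = HEADER.match(line[1:].strip())
            if section == "response" and header:
                current["response_headers"].setdefault(
                    header.group(1).lower(), []).append(header.group(2))
            continue
        if section == "request":          # request header, prefix optional
            header = HEADER.match(line.lstrip(">").strip())
            if header:
                current["request_headers"][header.group(1).lower()] = header.group(2)
    return exchanges


def negotiate_verdict(trace):
    """Classify how the client handled an HTTP Negotiate challenge."""
    challenged = answered = False
    for ex in parse_exchanges(trace):
        auth = ex["request_headers"].get("authorization", "")
        if auth.lower().startswith("negotiate"):
            answered = True
            if ex["status"] is not None and 200 <= ex["status"] < 300:
                return "authenticated"
            if ex["status"] == 401:
                return "token-rejected"      # server refused the token
        elif ex["status"] == 401 and any(
                v.lower().startswith("negotiate")
                for v in ex["response_headers"].get("www-authenticate", [])):
            challenged = True
    if answered:
        return "incomplete"                  # token sent, no status captured
    return "challenge-unanswered" if challenged else "no-challenge"


if __name__ == "__main__":
    print("failing:", negotiate_verdict(FAILING_TRACE))
    print("working:", negotiate_verdict(WORKING_TRACE))
```

A `challenge-unanswered` verdict means the trace ends at the 401 with no second request, so the next place to look is the client's HTTP stack and credential cache rather than the server.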
Rob Crittenden
2016-05-02 19:14:31 UTC
*Hi, Rob*
*I did what you indicated to me, but still gives the same problem.*
*Can you help me?*
The problem is client side, not server side, so you need to install the
updated bits on the client. I don't know what the reference to PPA is.

If that doesn't fix things then it's hard to say. There are only a
couple of moving parts and you just ruled out the server since another
client can enroll ok.

The non-working log shows the server sending WWW-Authenticate: Negotiate
and the client just gives up. In the working version the client
correctly responds with an Authorization header and things proceed so I
think the problem is in either libcurl or xmlrpc-c.

rob
*Thanks, Regards*
*Jose Alvarez*
-----Original Message-----
Sent: Friday, April 29, 2016 02:53 p.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks for your response.
I do not have access to the link https://bugzilla.redhat.com/show_bug.cgi?id=719945
I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the PPA
server (IPA client), but it still shows the same error.
A moment ago I added another client server with the same xmlrpc version and
it installed correctly.
Thanks, Regards.
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,
None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,
'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=bk1.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: bk1.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CYBERFUEL.COM
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Valid From: Wed Sep 30 17:46:50 2015 UTC
Valid Until: Sun Sep 30 17:46:50 2035 UTC
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>bk1.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.12.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
'https://freeipa.cyberfuel.com:443/ipa/xml'
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
* Server auth using GSS-Negotiate with user ''
POST /ipa/xml HTTP/1.1
Authorization: Negotiate
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478
< HTTP/1.1 200 Success
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
* Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain
freeipa.cyberfuel.com, path /ipa, expire 1461963745
< Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25
GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
<
* Expire cleared
* Closing connection #0
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=CYBERFUEL.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>e1a08eb8-0e4a-11e6-8c5b-005056b027f1</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=CYBERFUEL.COM
Enrolled in IPA realm CYBERFUEL.COM
args=kdestroy
stdout=
stderr=
Attempting to get host TGT...
args=/usr/bin/kinit -k -t /etc/krb5.keytab
stdout=
stderr=
Attempt 1/5 succeeded.
Backing up system configuration file '/etc/ipa/default.conf'
-> Not backing up - '/etc/ipa/default.conf' doesn't exist
Created /etc/ipa/default.conf
importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3
stderr=
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Backing up system configuration file '/etc/sssd/sssd.conf'
-> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
New SSSD config will be created
Backing up system configuration file '/etc/nsswitch.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
/etc/ipa/ca.crt
stdout=
stderr=
Backing up system configuration file '/etc/krb5.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM
stdout=
stderr=keyctl_search: Required key not available
stdout=
stderr=keyctl_search: Required key not available
failed to find session_cookie in persistent storage for principal
trying https://freeipa.cyberfuel.com/ipa/xml
Created connection context.xmlclient
raw: env(None, server=True)
env(None, server=True, all=True)
Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
auth_certificate_callback: check_sig=True is_server=False
Version: 3 (0x2)
Serial Number: 10 (0xa)
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Not Before: Wed Sep 30 17:52:11 2015 UTC
Not After: Sat Sep 30 17:52:11 2017 UTC
Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
Algorithm: PKCS #1 RSA Encryption
96:9c:db:c3:e5:3f:e5:bc:f4:ff:55:55:18:a8:3e:5d
65537 (0x10001)
Signed Extensions: (5 total)
Name: Certificate Authority Key Identifier
Critical: False
d1:87:fa:ff
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Method: PKIX Online Certificate Status Protocol
Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp
Name: Certificate Key Usage
Critical: True
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Subject Key ID
Critical: False
89:b9:1e:70
Algorithm: PKCS #1 SHA-256 With RSA Encryption
a2:a1:ff:41:6e:80:df:a7:bd:5d:96:2c:ba:e0:d2:56
09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48
ca:4d:09:98
approved_usage = SSL Server intended_usage = SSL Server
cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly' for prin
stdout=
stderr=keyctl_search: Required key not available
stdout=
stderr=keyctl_search: Required key not available
args=keyctl padd user
stdout=640092261
stderr=
Hostname (bk1.cyberfuel.com) not found in DNS
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN A
send
update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Failed to update DNS records.
args=/sbin/service messagebus start
stdout=Starting system message bus: [ OK ]
stderr=
args=/sbin/service messagebus status
stdout=messagebus (pid 41820) is running...
stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]
stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41859) is running...
stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41927) is running...
stderr=
args=/sbin/chkconfig certmonger on
stdout=
stderr=
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K
stdout=New signing request "20160429204235" added.
stderr=
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa ...'], updatedns=False)
host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa ...'), rights=False, updatedns=False, all=False, raw=False,
no_members=False)
Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly' for prin
stdout=640092261
stderr=
stdout=640092261
stderr=
args=keyctl pupdate 640092261
stdout=
stderr=
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN SSHFP
send
update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1
B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1
30D2331BC69452EFE65445B5C990773EA41A2FE8
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Could not update DNS SSHFP records.
args=/sbin/service nscd status
stdout=
stderr=nscd: unrecognized service
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
stdout=
stderr=
SSSD enabled
Configuring cyberfuel.com as NIS domain
args=/bin/nisdomainname
stdout=(none)
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
stdout=
stderr=
args=/bin/nisdomainname cyberfuel.com
stdout=
stderr=
args=/sbin/service sssd restart
stdout=Stopping sssd: [FAILED]
Starting sssd: [ OK ]
stderr=cat: /var/run/sssd.pid: No such file or directory
args=/sbin/service sssd status
stdout=sssd (pid 42071) is running...
stderr=
args=/sbin/chkconfig sssd on
stdout=
stderr=
Backing up system configuration file '/etc/openldap/ldap.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/openldap/ldap.conf
args=getent passwd admin
stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash
stderr=
Backing up system configuration file '/etc/ntp/step-tickers'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Backing up system configuration file '/etc/ntp.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/ntpd'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd on
stdout=
stderr=
args=/sbin/service ntpd restart
stdout=Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
stderr=
args=/sbin/service ntpd status
stdout=ntpd (pid 42133) is running...
stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status
stdout=openssh-daemon (pid 46497) is running...
stderr=
args=/sbin/service sshd restart
stdout=Stopping sshd: [ OK ]
Starting sshd: [ OK ]
stderr=
args=/sbin/service sshd status
stdout=openssh-daemon (pid 42190) is running...
stderr=
Client configuration complete.
-----Original Message-----
Sent: viernes 29 de abril de 2016 12:19 p.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks!!
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
The xmlrpc-c version on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945
The libcurl version on the client looks ok.
This is only a client-side issue so no changes on the servers should be
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.
rob
The versions are the same, but libcurl is different.
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
| grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
Sorry, my English is not very good.
Regards.
-----Original Message-----
Sent: viernes 29 de abril de 2016 11:14 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use
standard xmlrpc-c calls to set up authentication and IIRC that
links against libcurl which provides the Kerberos/GSSAPI support. On
EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look
like RPM versions that seem to point to RHEL 6.
rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
---------------------------------------------------------------------
-
---
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None,
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP
SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
None, 'no_nisdomain': False, 'principal': None, 'hostname': None,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP
SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file
or directory
User authorized to enroll computers: admin will use principal
provided as option: admin Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\
n <member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer:https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8 <
* Closing connection 0
HTTP response code is 401, not 200
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\
n <member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer:https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8 <
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client):
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The curl version is different, but the curl version on the PPA is from the
Odin Plesk repository.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
0/Success
[12118] 1461855578.810509: Requesting tickets for
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from
stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
0/Success [12118] 1461855578.817018: Received creds for desired
[12118] 1461855578.817413: Creating authenticator for
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
0/Success
[17304] 1461858424.874631: Requesting tickets for
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
[17304] 1461858424.883271: Creating authenticator for
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
0/Success
[23457] 1461863053.622176: Requesting tickets for
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
[23457] 1461863053.629119: Creating authenticator for
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
0/Success
[23749] 1461863277.525593: Requesting tickets for
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
[23749] 1461863277.531133: Creating authenticator for
seqnum 1019693263, subkey aes256-cts/B3E0, session key
aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm
chose cache FILE:/tmp/tmprfuOsj with client principal
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
0/Success
[25544] 1461864401.259102: Requesting tickets for
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
[25544] 1461864401.265581: Creating authenticator for
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
0/Success
[18097] 1461937028.664611: Requesting tickets for
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
[18097] 1461937028.669304: Creating authenticator for
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: viernes 29 de abril de 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
You can help me?
I have the problem for join a client to my FREEIPA Server. The
version IPA Server is 3.0 and IP client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert
are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.
More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful
too.
Post by Jose Alvarez R.
What account are you using to enroll with, admin?
rob
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
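The failing ipa-join trace in the message above ends in a 401 and its request carries no Authorization header. As an added example (not part of the thread and not FreeIPA code), this Python script classifies a curl verbose trace by how far the HTTP Negotiate exchange got, accepting request lines with or without the leading ">" marker; the sample traces, the host name ipa.example.test and the verdict labels are constructed for illustration.

```python
import re

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Constructed traces in curl verbose format; not taken from the thread.
FAILING_TRACE = """\
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Content-Type: text/xml
> Content-Length: 477
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
"""

WORKING_TRACE = """\
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
>
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
<
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Authorization: Negotiate Q09OU1RSVUNURUQ=
>
< HTTP/1.1 200 OK
< Content-Type: text/xml
<
"""

REJECTED_TRACE = """\
POST /ipa/xml HTTP/1.1
Host: ipa.example.test
Authorization: Negotiate Q09OU1RSVUNURUQ=
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
"""


def parse_trace(text):
    """Split a trace into exchanges: request headers, status, response headers."""
    exchanges, current, target = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # curl informational line
            continue
        if line.startswith((">", "<")):   # direction marker, may be missing
            line = line[1:].strip()
        if not line:
            continue
        if REQUEST_LINE.match(line):
            current = {"request": {}, "status": None, "response": {}}
            exchanges.append(current)
            target = current["request"]
            continue
        status = STATUS_LINE.match(line)
        if status and current is not None:
            current["status"] = int(status.group(1))
            target = current["response"]
            continue
        header = HEADER.match(line)
        if header and target is not None:
            target.setdefault(header.group(1).lower(), []).append(header.group(2))
    return exchanges


def offered_negotiate(exchange):
    """True if the server challenged with WWW-Authenticate: Negotiate."""
    values = exchange["response"].get("www-authenticate", [])
    return any(v.lower().split()[:1] == ["negotiate"] for v in values)


def sent_negotiate(exchange):
    """True if the client sent an Authorization: Negotiate token."""
    values = exchange["request"].get("authorization", [])
    return any(v.lower().startswith("negotiate ") for v in values)


def diagnose(trace):
    """Return a verdict label for the last exchange in the trace."""
    exchanges = parse_trace(trace)
    if not exchanges or exchanges[-1]["status"] is None:
        return "incomplete-trace"
    last = exchanges[-1]
    if last["status"] == 200:
        return "ok"
    if last["status"] != 401:
        return "http-%d" % last["status"]
    if sent_negotiate(last):
        return "token-rejected"          # client answered, server refused
    if any(offered_negotiate(e) for e in exchanges):
        return "client-never-answered"   # challenge seen, no token sent
    return "negotiate-not-offered"


if __name__ == "__main__":
    for name in ("FAILING_TRACE", "WORKING_TRACE", "REJECTED_TRACE"):
        print(name, "->", diagnose(globals()[name]))
```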
Jose Alvarez R.
2016-05-02 20:27:43 UTC
Hi Rob

Thanks for your response.

The PPA is the hosting control panel of the company
Odin (https://www.plesk.com/?_ga=1.159107642.1001081217.1436214087).
Several packages were installed by this software, because they use their own
repositories.

Regards

Jose Alvarez



-----Original Message-----
From: Rob Crittenden [mailto:***@redhat.com]
Sent: lunes 2 de mayo de 2016 01:15 p.m.
To: Jose Alvarez R. <***@cyberfuel.com>
Cc: freeipa-***@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
I did what you indicated to me, but it still gives the same problem.
Can you help me?
The problem is client side, not server side, so you need to install the
updated bits on the client. I don't know what the reference to PPA is.

If that doesn't fix things then it's hard to say. There are only a
couple of moving parts and you just ruled out the server since another
client can enroll ok.

The non-working log shows the server sending WWW-Authenticate: Negotiate
and the client just gives up. In the working version the client
correctly responds with an Authorization header and things proceed so I
think the problem is in either libcurl or xmlrpc-c.

rob
Thanks, Regards
Jose Alvarez
-----Original Message-----
Sent: viernes 29 de abril de 2016 02:53 p.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks for your response
I do not have access to the link
https://bugzilla.redhat.com/show_bug.cgi?id=719945.
I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the PPA
server (IPA client), but it still shows the same error.
A moment ago I added another client server with the same xmlrpc version and
it installed correctly.
Thanks Regards.
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,
None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,
'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=bk1.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: bk1.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in
freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CYBERFUEL.COM
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Valid From: Wed Sep 30 17:46:50 2015 UTC
Valid Until: Sun Sep 30 17:46:50 2035 UTC
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>bk1.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.12.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
'https://freeipa.cyberfuel.com:443/ipa/xml'
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
(192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
* start date: Sep 30 17:52:11 2015 GMT
* expire date: Sep 30 17:52:11 2017 GMT
* common name: freeipa.cyberfuel.com
* issuer: CN=Certificate Authority,O=CYBERFUEL.COM
* Server auth using GSS-Negotiate with user ''
POST /ipa/xml HTTP/1.1
Authorization: Negotiate
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478
< HTTP/1.1 200 Success
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
* Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain
freeipa.cyberfuel.com, path /ipa, expire 1461963745
< Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25
GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
<
* Expire cleared
* Closing connection #0
<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
dc=com</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=CYBERFUEL.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_keytab</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>ieee802device</string></value>\n
<value><string>ipasshhost</string></value>\n
<value><string>top</string></value>\n
<value><string>ipaSshGroupOfPubKeys</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>has_password</name>\n
<value><boolean>0</boolean></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>e1a08eb8-0e4a-11e6-8c5b-005056b027f1</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>bk1.cyberfuel.com</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=CYBERFUEL.COM
Enrolled in IPA realm CYBERFUEL.COM
args=kdestroy
stdout=
stderr=
Attempting to get host TGT...
args=/usr/bin/kinit -k -t /etc/krb5.keytab
stdout=
stderr=
Attempt 1/5 succeeded.
Backing up system configuration file '/etc/ipa/default.conf'
-> Not backing up - '/etc/ipa/default.conf' doesn't exist
Created /etc/ipa/default.conf
importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3
stderr=
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Backing up system configuration file '/etc/sssd/sssd.conf'
-> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
New SSSD config will be created
Backing up system configuration file '/etc/nsswitch.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
/etc/ipa/ca.crt
stdout=
stderr=
Backing up system configuration file '/etc/krb5.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM
stdout=
stderr=keyctl_search: Required key not available
stdout=
stderr=keyctl_search: Required key not available
failed to find session_cookie in persistent storage for principal
trying https://freeipa.cyberfuel.com/ipa/xml
Created connection context.xmlclient
raw: env(None, server=True)
env(None, server=True, all=True)
Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
auth_certificate_callback: check_sig=True is_server=False
Version: 3 (0x2)
Serial Number: 10 (0xa)
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
Not Before: Wed Sep 30 17:52:11 2015 UTC
Not After: Sat Sep 30 17:52:11 2017 UTC
Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
Algorithm: PKCS #1 RSA Encryption
96:9c:db:c3:e5:3f:e5:bc:f4:ff:55:55:18:a8:3e:5d
65537 (0x10001)
Signed Extensions: (5 total)
Name: Certificate Authority Key Identifier
Critical: False
d1:87:fa:ff
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Method: PKIX Online Certificate Status Protocol
Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp
Name: Certificate Key Usage
Critical: True
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Subject Key ID
Critical: False
89:b9:1e:70
Algorithm: PKCS #1 SHA-256 With RSA Encryption
a2:a1:ff:41:6e:80:df:a7:bd:5d:96:2c:ba:e0:d2:56
09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48
ca:4d:09:98
approved_usage = SSL Server intended_usage = SSL Server
cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
GMT; Secure; HttpOnly' for prin
stdout=
stderr=keyctl_search: Required key not available
stdout=
stderr=keyctl_search: Required key not available
args=keyctl padd user
stdout=640092261
stderr=
Hostname (bk1.cyberfuel.com) not found in DNS
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN A
send
update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Failed to update DNS records.
args=/sbin/service messagebus start
stdout=Starting system message bus: [ OK ]
stderr=
args=/sbin/service messagebus status
stdout=messagebus (pid 41820) is running...
stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]
stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41859) is running...
stderr=
args=/sbin/service certmonger restart
stdout=Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
stderr=
args=/sbin/service certmonger status
stdout=certmonger (pid 41927) is running...
stderr=
args=/sbin/chkconfig certmonger on
stdout=
stderr=
args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate -
bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K
stdout=New signing request "20160429204235" added.
stderr=
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa ...'], updatedns=False)
host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa ...'), rights=False, updatedns=False, all=False, raw=False,
no_members=False)
Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
NSSConnection init freeipa.cyberfuel.com
Connecting: 192.168.20.90:0
handshake complete, peer = 192.168.20.90:443
Protocol: TLS1.2
Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly'
storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0;
Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35
GMT; Secure; HttpOnly' for prin
stdout=640092261
stderr=
stdout=640092261
stderr=
args=keyctl pupdate 640092261
stdout=
stderr=
zone cyberfuel.com.
update delete bk1.cyberfuel.com. IN SSHFP
send
update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1
B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1
30D2331BC69452EFE65445B5C990773EA41A2FE8
send
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
returned non-zero exit status 1
Could not update DNS SSHFP records.
args=/sbin/service nscd status
stdout=
stderr=nscd: unrecognized service
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
stdout=
stderr=
SSSD enabled
Configuring cyberfuel.com as NIS domain
args=/bin/nisdomainname
stdout=(none)
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
stdout=
stderr=
args=/bin/nisdomainname cyberfuel.com
stdout=
stderr=
args=/sbin/service sssd restart
stdout=Stopping sssd: [FAILED]
Starting sssd: [ OK ]
stderr=cat: /var/run/sssd.pid: No such file or directory
args=/sbin/service sssd status
stdout=sssd (pid 42071) is running...
stderr=
args=/sbin/chkconfig sssd on
stdout=
stderr=
Backing up system configuration file '/etc/openldap/ldap.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/openldap/ldap.conf
args=getent passwd admin
stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash
stderr=
Backing up system configuration file '/etc/ntp/step-tickers'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd
stdout=
stderr=
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Backing up system configuration file '/etc/ntp.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
Backing up system configuration file '/etc/sysconfig/ntpd'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=/usr/sbin/selinuxenabled
stdout=
stderr=
args=/sbin/chkconfig ntpd on
stdout=
stderr=
args=/sbin/service ntpd restart
stdout=Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
stderr=
args=/sbin/service ntpd status
stdout=ntpd (pid 42133) is running...
stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status
stdout=openssh-daemon (pid 46497) is running...
stderr=
args=/sbin/service sshd restart
stdout=Stopping sshd: [ OK ]
Starting sshd: [ OK ]
stderr=
args=/sbin/service sshd status
stdout=openssh-daemon (pid 42190) is running...
stderr=
Client configuration complete.
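The two `ipa-join` traces in this thread differ in one place: the successful join answers the server's `401` / `WWW-Authenticate: Negotiate` challenge with a second POST carrying `Authorization: Negotiate`, while the failing one stops at the 401. The Python example below is added here and is not part of the original post or of FreeIPA; it classifies a curl verbose trace by that handshake, and the sample traces, the host name `ipa.example.test` and the result labels are constructed for illustration.

```python
import re

# Request line as curl -v prints it ("> POST ..."). The archived traces in the
# thread lost the "> " prefix, so the prefix is optional here.
REQUEST_LINE = re.compile(r"^(?:> ?)?(GET|POST|PUT|HEAD) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^< HTTP/\d\.\d (\d{3})\b")


def parse_exchanges(trace):
    """Split a curl verbose trace into request/response records.

    Only the presence of a Negotiate token is recorded, never the token
    itself, so the result is safe to paste into a ticket or mailing list.
    """
    exchanges, current, in_request = [], None, False
    for raw in trace.splitlines():
        line = raw.rstrip()
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "sent_negotiate": False, "status": None,
                       "challenge": False}
            exchanges.append(current)
            in_request = True
            continue
        if current is None:
            continue  # connection/TLS chatter before the first request
        m = STATUS_LINE.match(line)
        if m:
            current["status"] = int(m.group(1))
            in_request = False
            continue
        if in_request:
            header = line[2:] if line.startswith("> ") else line
            if header.lower().startswith("authorization: negotiate"):
                current["sent_negotiate"] = True
        elif line.startswith("< "):
            if line[2:].lower().startswith("www-authenticate: negotiate"):
                current["challenge"] = True
    return exchanges


def classify(exchanges):
    """Return a label describing how far the SPNEGO handshake got."""
    with_token = [e for e in exchanges if e["sent_negotiate"]]
    if any(e["status"] is not None and 200 <= e["status"] < 300
           for e in with_token):
        return "negotiated"            # challenge answered, token accepted
    if any(e["status"] == 401 for e in with_token):
        return "token_rejected"        # token sent, server still said 401
    if any(e["status"] == 401 and e["challenge"] for e in exchanges):
        return "challenge_unanswered"  # client never sent a token
    if any(e["status"] == 401 for e in exchanges):
        return "no_negotiate_offer"    # 401 without a Negotiate challenge
    return "no_auth_failure"


# Constructed sample: same shape as the successful join in the thread.
TRACE_OK = """\
* Connected to ipa.example.test (192.0.2.10) port 443 (#0)
> POST /ipa/xml HTTP/1.1
> Host: ipa.example.test
> Content-Type: text/xml
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection #0
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
> Authorization: Negotiate CONSTRUCTED-PLACEHOLDER-TOKEN
> Host: ipa.example.test
< HTTP/1.1 200 Success
< Content-Type: text/xml; charset=utf-8
<
"""

# Constructed sample: same shape as the failing join (unprefixed request
# lines, as the archive shows them); the client stops after the 401.
TRACE_FAIL = """\
* Connected to ipa.example.test (192.0.2.10) port 443 (#0)
POST /ipa/xml HTTP/1.1
Host: ipa.example.test
Content-Type: text/xml
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Connection: close
<
* Closing connection 0
HTTP response code is 401, not 200
"""

if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("fail", TRACE_FAIL)):
        print(name, classify(parse_exchanges(trace)))
```

A `challenge_unanswered` result means the server offered Negotiate and the client never produced a token, which matches the client-side diagnosis (xmlrpc-c and libcurl GSSAPI support) given in the reply quoted below.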
-----Original Message-----
Sent: viernes 29 de abril de 2016 12:19 p.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi, Rob
Thanks!!
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
The xmlrpc-c version on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945
The libcurl version on the client looks ok.
This is only a client-side issue so no changes on the servers should be
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.
rob
The versions are the same, but the libcurl is different
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
| grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
Sorry, my English is not very good
Regards.
-----Original Message-----
Sent: viernes 29 de abril de 2016 11:14 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Post by Jose Alvarez R.
Hi Rob, Thanks for your response
Yes, It's with admin.
I assume this is a problem with your version of xmlrpc-c. We use
standard xmlrpc-c calls to set up authentication and IIRC that
links against libcurl which provides the Kerberos/GSSAPI support. On
EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
I'm confused about the versions. You mention PPA but include what look
like RPM versions that seem to point to RHEL 6.
rob
Post by Jose Alvarez R.
I execute the command "ipa-client-install --debug"
-------------------------------------------------------------------------
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None,
False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None,
None, 'no_nisdomain': False, 'principal': None, 'hostname': None,
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True,
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in
Discovered LDAP SRV records from cyberfuel.com (domain of the
Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = CYBERFUEL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.cyberfuel.com = CYBERFUEL.COM
cyberfuel.com = CYBERFUEL.COM
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer:https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
<?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n
<methodName>join</methodName>\r\n <params>\r\n
<param><value><array><data>\r\n
<value><string>ppa.cyberfuel.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.8.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
* Trying 192.168.20.90...
* Adding handle: conn: 0x10bb2f0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
* start date: 2015-09-30 17:52:11 GMT
* expire date: 2017-09-30 17:52:11 GMT
* common name: freeipa.cyberfuel.com (matched)
* issuer: O=CYBERFUEL.COM; CN=Certificate Authority
* SSL certificate verify ok.
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer:https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes
< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 16:16:32 GMT
Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
-------------------------------------------------
This is the curl version on the IPA server:
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
This is the curl version on the PPA server (IPA client):
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686
The curl versions are different, but the curl version on the PPA comes from the
Odin Plesk repository.
-----------------------------------------------------
[12118] 1461855578.809966: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.810252: Getting credentials
ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving
FILE:/tmp/tmptSoqDX with
result: -1765328243/Matching credential not found [12118]
0/Success
[12118] 1461855578.810509: Requesting tickets for
1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118]
1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream
192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream
192.168.0.90:88 [12118] 1461855578.816404: Received answer from
stream
192.168.0.90:88 [12118] 1461855578.816714: Response was from master
0/Success [12118] 1461855578.817018: Received creds for desired
[12118] 1461855578.817413: Creating authenticator for
seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache
FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not
found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442,
ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.874220: Getting credentials
ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving
FILE:/tmp/tmpH0QF6P with
result: -1765328243/Matching credential not found [17304]
0/Success
[17304] 1461858424.874631: Requesting tickets for
1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304]
1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream
192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream
192.168.20.90:88 [17304] 1461858424.882385: Received answer from
stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from
master KDC [17304] 1461858424.882775: TGS reply is for
session key aes256-cts/20DA [17304] 1461858424.882850: TGS request
result: 0/Success [17304] 1461858424.882883: Received creds for
[17304] 1461858424.883271: Creating authenticator for
seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache
FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not
found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334,
ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.621719: Getting credentials
ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving
FILE:/tmp/tmp576FE3 with
result: -1765328243/Matching credential not found [23457]
0/Success
[23457] 1461863053.622176: Requesting tickets for
1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457]
1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream
192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream
192.168.20.90:88 [23457] 1461863053.627939: Received answer from
stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from
master KDC [23457] 1461863053.628485: TGS reply is for
session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request
result: 0/Success [23457] 1461863053.628610: Received creds for
[23457] 1461863053.629119: Creating authenticator for
seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache
FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not
found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208,
ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.525469: Getting credentials
ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving
FILE:/tmp/tmprfuOsj with
result: -1765328243/Matching credential not found [23749]
0/Success
[23749] 1461863277.525593: Requesting tickets for
1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749]
1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream
192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream
192.168.20.90:88 [23749] 1461863277.530652: Received answer from
stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from
master KDC [23749] 1461863277.530881: TGS reply is for
session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request
result: 0/Success [23749] 1461863277.530948: Received creds for
[23749] 1461863277.531133: Creating authenticator for
seqnum 1019693263, subkey aes256-cts/B3E0, session key
aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm
chose cache FILE:/tmp/tmprfuOsj with client principal
FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not
found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150,
ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.258678: Getting credentials
ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving
FILE:/tmp/tmpbzX7EN with
result: -1765328243/Matching credential not found [25544]
0/Success
[25544] 1461864401.259102: Requesting tickets for
1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544]
1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream
192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream
192.168.20.90:88 [25544] 1461864401.264399: Received answer from
stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from
master KDC [25544] 1461864401.264893: TGS reply is for
session key aes256-cts/9106 [25544] 1461864401.264966: TGS request
result: 0/Success [25544] 1461864401.264996: Received creds for
[25544] 1461864401.265581: Creating authenticator for
seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache
FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627,
ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.664490: Getting credentials
ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving
FILE:/tmp/tmpF9x_o8 with
result: -1765328243/Matching credential not found [18097]
0/Success
[18097] 1461937028.664611: Requesting tickets for
1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097]
1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream
192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream
192.168.20.90:88 [18097] 1461937028.668919: Received answer from
stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from
master KDC [18097] 1461937028.669109: TGS reply is for
session key aes256-cts/9592 [18097] 1461937028.669136: TGS request
result: 0/Success [18097] 1461937028.669156: Received creds for
[18097] 1461937028.669304: Creating authenticator for
seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache
FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not
found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328,
subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------
Regards
Jose Alvarez
-----Original Message-----
Sent: Friday, April 29, 2016 09:34 a.m.
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
Hi Users
Can you help me?
I have a problem joining a client to my FREEIPA Server. The
IPA Server version is 3.0 and the IPA client is 3.0
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert
are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code
is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
I'd look in the 389-ds access and error logs on the IPA server to see
if there are any more details. Look for the BIND from the client and
see what happens.
More context from the log file might be helpful. I believe if you run
the client installer with --debug then additional flags are passed to
ipa-join to include the XML-RPC conversation and that might be useful
too.
What account are you using to enroll with, admin?
rob
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
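Added example, not part of the original thread or of FreeIPA's own code: a small Python triage of the curl trace that ipa-join prints when the installer is run with --debug, reporting the HTTP status and whether the request carried an Authorization: Negotiate header. The function names and the sample excerpt are this example's own; an archived copy of a trace may have lost lines, so run it against the full output on the client.

```python
import re

# Excerpt of the curl trace from the post, kept in the mail-wrapped form
# such traces often arrive in (direction markers run onto the previous line).
POSTED_TRACE = """\
POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Content-Length: 477
* upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401
Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT
< Connection: close
< Content-Type: text/html; charset=UTF-8 <
* Closing connection 0
"""

HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

def triage(trace):
    """Return status code, request/response headers and a Negotiate flag."""
    # Undo mail wrapping: a " <" or " >" direction marker starts a new line.
    text = re.sub(r"[ \t]+([<>])(?=\s|$)", r"\n\1", trace)
    req, resp, status, in_request = {}, {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"^(> )?(POST|GET) \S+ HTTP/", line):
            in_request = True            # request line: headers follow
        elif line.startswith("*"):
            in_request = False           # curl info line ends the request
        elif line.startswith("<"):
            in_request = False
            m = re.match(r"^< HTTP/\d\.\d (\d{3})", line)
            h = HEADER.match(line[1:].strip())
            if m:
                status = int(m.group(1))
            elif h:
                resp[h.group(1).lower()] = h.group(2)
        elif in_request:
            h = HEADER.match(line.lstrip("> "))
            if h:
                req[h.group(1).lower()] = h.group(2)
    sent = req.get("authorization", "").lower().startswith("negotiate")
    return {"status": status, "request": req, "response": resp,
            "sent_negotiate": sent}

def verdict(trace):
    r = triage(trace)
    if r["status"] == 401 and not r["sent_negotiate"]:
        return "401: no Negotiate token in the request shown"
    if r["status"] == 401:
        return "401: token sent and rejected, check the server-side logs"
    return "status %s" % r["status"]
```

The second verdict is the case where the 389-ds access and error logs mentioned in the reply are the next place to look.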