[Freeipa-users] version mismatch while joining a client ?

Steven Jones Steven.Jones at vuw.ac.nz
Wed Aug 3 21:20:40 UTC 2011


Hi,

Hopefully these will help.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 4 August 2011 8:42 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> Client
> ==========
> rhel61-64cl04.unix.vuw.ac.nz
> Linux rhel61-64cl04.unix.vuw.ac.nz 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> ipa-client-2.0.0-23.el6_1.1.x86_64
> libcurl-7.19.7-26.el6.x86_64
> Red Hat Enterprise Linux Client release 6.1 (Santiago)
> ==========
>
> Server
> ==========
> Linux vuwunicoipamt01 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> libcurl-7.19.7-26.el6_1.1.x86_64
> ipa-client-2.0.0-23.el6_1.1.x86_64
> ipa-server-2.0.0-23.el6_1.1.x86_64
> Red Hat Enterprise Linux Server release 6.1 (Santiago)
> ==========
>
> install output
> ==========
> [root@rhel61-64cl04 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'unix.vuw.ac.nz', 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': 'vuwunicoipamt01.unix.vuw.ac.nz', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': None, 'principal': None}
> root        : DEBUG    missing options might be asked for interactively later
>
> root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpaaTaqF/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2011-08-03 09:01:14--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 779 [application/x-x509-ca-cert]
> Saving to: `/tmp/tmpaaTaqF/ca.crt'
>
>       0K                                                       100%  132M=0s
>
> 2011-08-03 09:01:14 (132 MB/s) - `/tmp/tmpaaTaqF/ca.crt' saved [779/779]
>
>
> root        : DEBUG    Init ldap with: ldap://vuwunicoipamt01.unix.vuw.ac.nz:389
> root        : DEBUG    Search rootdse
> root        : DEBUG    Search for (info=*) in dc=unix,dc=vuw,dc=ac,dc=nz(base)
> root        : DEBUG    Found: [('dc=unix,dc=vuw,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['unix.vuw.ac.nz'], 'dc': ['unix'], 'nisDomain': ['unix.vuw.ac.nz']})]
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in dc=unix,dc=vuw,dc=ac,dc=nz(sub)
> root        : DEBUG    Found: [('cn=UNIX.VUW.AC.NZ,cn=kerberos,dc=unix,dc=vuw,dc=ac,dc=nz', {'krbSubTrees': ['dc=unix,dc=vuw,dc=ac,dc=nz'], 'cn': ['UNIX.VUW.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
> root        : DEBUG    will use domain: unix.vuw.ac.nz
>
> root        : DEBUG    will use server: vuwunicoipamt01.unix.vuw.ac.nz
>
> Discovery was successful!
> root        : DEBUG    will use cli_realm: UNIX.VUW.AC.NZ
>
> root        : DEBUG    will use cli_basedn: dc=unix,dc=vuw,dc=ac,dc=nz
>
> Hostname: rhel61-64cl04.unix.vuw.ac.nz
> Realm: UNIX.VUW.AC.NZ
> DNS Domain: unix.vuw.ac.nz
> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> root        : DEBUG    will use principal: admin
>
> root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=--2011-08-03 09:01:22--  http://vuwunicoipamt01.unix.vuw.ac.nz/ipa/config/ca.crt
> Resolving vuwunicoipamt01.unix.vuw.ac.nz... 130.195.87.236
> Connecting to vuwunicoipamt01.unix.vuw.ac.nz|130.195.87.236|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 779 [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
>       0K                                                       100% 96.5M=0s
>
> 2011-08-03 09:01:22 (96.5 MB/s) - `/etc/ipa/ca.crt' saved [779/779]
>
>
> Password for admin@UNIX.VUW.AC.NZ:
> root        : DEBUG    args=kinit admin@UNIX.VUW.AC.NZ
> root        : DEBUG    stdout=Password for admin@UNIX.VUW.AC.NZ:
>
> root        : DEBUG    stderr=
>
> root        : DEBUG    args=/usr/sbin/ipa-join -s vuwunicoipamt01.unix.vuw.ac.nz -d
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>rhel61-64cl04.unix.vuw.ac.nz</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-131.6.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> HTTP response code is 401, not 200
>
> Joining realm failed because of failing XML-RPC request.
>    This error may be caused by incompatible server/client major versions.
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> [root@rhel61-64cl04 ~]#
> ==========
>
> Error log
> ==========
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [error] Exception KeyError: KeyError(140510308317152,) in<module 'threading' from '/usr/lib64/python2.6/threading.pyc'>  ignored
> [Wed Aug 03 09:04:57 2011] [notice] caught SIGTERM, shutting down
> [Wed Aug 03 09:04:58 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Wed Aug 03 09:04:58 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Wed Aug 03 09:04:58 2011] [notice] Digest: generating secret for digest authentication ...
> [Wed Aug 03 09:04:58 2011] [notice] Digest: done
> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Compiled for Python/2.6.2.
> [Wed Aug 03 09:04:58 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
> [Wed Aug 03 09:04:59 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
> [Wed Aug 03 09:05:01 2011] [error] ipa: INFO: *** PROCESS START ***
> ==========
>

This appears to be a different issue. If it were the libcurl problem on
the server side we would see something like:

AttributeError: 'thread._local' object has no attribute 'principal'

Because you are getting a 401 and not a 500 it means that the principal
is not being authenticated.

I suspect that this is a Kerberos problem. Can you check
/var/log/krb5kdc to see if it is getting a service ticket request from
your client?

Another thing to try is to set LogLevel debug in
/etc/httpd/conf.d/nss.conf and restart Apache. This will provide much
more logging information on the Negotiate request from the client.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access_log
Type: application/octet-stream
Size: 11700 bytes
Desc: access_log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110803/8c402ba3/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 15166 bytes
Desc: error_log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110803/8c402ba3/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f15-ipaclient-install.log
Type: application/octet-stream
Size: 5419 bytes
Desc: f15-ipaclient-install.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110803/8c402ba3/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rhel61cl-ipaclient-install.log
Type: application/octet-stream
Size: 4822 bytes
Desc: rhel61cl-ipaclient-install.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110803/8c402ba3/attachment-0003.obj>
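Added example, not part of either message: a small Python triage for the check Rob suggests, reading the status from ipa-join's output and then looking in the KDC log for a service ticket request (TGS_REQ) from the client. The log lines, the 192.0.2.x addresses, the host `other.unix.vuw.ac.nz` and the `HTTP/` service principal name are constructed assumptions, not values from the thread.

```python
import re

# Constructed krb5kdc log lines in the usual KDC request format; not from the
# thread. 192.0.2.44 stands in for the client, 192.0.2.50 for an unrelated host.
REALM = "UNIX.VUW.AC.NZ"
SERVICE = "HTTP/vuwunicoipamt01.unix.vuw.ac.nz@" + REALM  # assumed service principal
SAMPLE_KDC_LOG = (
    "Aug 03 09:01:25 vuwunicoipamt01 krb5kdc[1801](info): AS_REQ (4 etypes {18 17 16 23}) "
    "192.0.2.44: ISSUE: authtime 1312318885, etypes {rep=18 tkt=18 ses=18}, "
    f"admin@{REALM} for krbtgt/{REALM}@{REALM}\n"
    "Aug 03 09:01:31 vuwunicoipamt01 krb5kdc[1801](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "192.0.2.50: ISSUE: authtime 1312318801, etypes {rep=18 tkt=18 ses=18}, "
    f"host/other.unix.vuw.ac.nz@{REALM} for {SERVICE}\n"
)

KDC_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<addr>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def join_http_status(join_stderr):
    """Pull the status out of ipa-join's 'HTTP response code is N, not 200' line."""
    m = re.search(r"HTTP response code is (\d+)", join_stderr)
    return int(m.group(1)) if m else None

def tgs_requests(kdc_log, client_addr, service=SERVICE):
    """(status, principal) for every TGS_REQ from client_addr for the service."""
    out = []
    for line in kdc_log.splitlines():
        m = KDC_REQ.search(line)
        if m and m["kind"] == "TGS_REQ" and m["addr"] == client_addr and m["service"] == service:
            out.append((m["status"], m["client"]))
    return out

def triage(join_stderr, kdc_log, client_addr):
    if join_http_status(join_stderr) != 401:
        return "not-an-auth-failure"  # e.g. 500: look for a server-side traceback
    reqs = tgs_requests(kdc_log, client_addr)
    if not reqs:
        return "no-tgs-req"           # client never asked the KDC for the HTTP ticket
    if any(status == "ISSUE" for status, _ in reqs):
        return "tgs-issued"           # ticket granted; go on to Apache debug logging
    return "tgs-refused:" + reqs[-1][0]

if __name__ == "__main__":
    print(triage("HTTP response code is 401, not 200", SAMPLE_KDC_LOG, "192.0.2.44"))
```

In the constructed log the client obtains a TGT (AS_REQ) but the only TGS_REQ for the HTTP service comes from another address, so the result points at the client side rather than at Apache.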

