[Freeipa-users] version mismatch while joining a client ?

Rob Crittenden rcritten at redhat.com
Tue Jul 26 14:03:28 UTC 2011


Robert M. Albrecht wrote:
> Hi,
>
> I tried to join my first client (another fully patched F15, like the
> ipa-server).
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.

I think this is the problem caused by a recent libcurl change. libcurl 
recently dropped support for GSSAPI ticket delegation which is needed 
for the enrollment. If you look in the Apache error log on the IPA 
server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until 
then your options are limited. The change was made because it was 
considered a security issue: whenever forwarding was allowed the ticket 
was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should 
evaluate the CVE to decide the course of action: 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob
>
>
>
> [root at chessur ~]# ipa-client-install --debug --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None,
> 'prompt_password': False, 'realm_name': None, 'dns_updates': True,
> 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir':
> False, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>
> ^C^C^C^C^C^C^C^C^C[root at chessur ~]# ipa-client-install --debug
> --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None,
> 'prompt_password': False, 'realm_name': None, 'dns_updates': True,
> 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir':
> False, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG [ipadnssearchldap(vorlon.lan)]
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmpLob8Sc/ca.crt
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2011-07-26 15:34:18--
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> Auflösen des Hostnamen »zerberus.vorlon.lan«.... 192.168.0.230
> Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
> HTTP Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 767 [application/x-x509-ca-cert]
> In »»/tmp/tmpLob8Sc/ca.crt«« speichern.
>
> 0K 100% 96,8M=0s
>
> 2011-07-26 15:34:18 (96,8 MB/s) - »»/tmp/tmpLob8Sc/ca.crt«« gespeichert
> [767/767]
>
>
> root : DEBUG Init ldap with: ldap://zerberus.vorlon.lan:389
> root : DEBUG Search rootdse
> root : DEBUG Search for (info=*) in dc=vorlon,dc=lan(base)
> root : DEBUG Found: [('dc=vorlon,dc=lan', {'objectClass':
> ['top', 'domain', 'pilotObject', 'nisDomainObject',
> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> ['vorlon.lan'], 'dc': ['vorlon'], 'nisDomain': ['vorlon.lan']})]
> root : DEBUG Search for (objectClass=krbRealmContainer) in
> dc=vorlon,dc=lan(sub)
> root : DEBUG Found:
> [('cn=VORLON.LAN,cn=kerberos,dc=vorlon,dc=lan', {'krbSubTrees':
> ['dc=vorlon,dc=lan'], 'cn': ['VORLON.LAN'], 'krbDefaultEncSaltTypes':
> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
> 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> 'krbMaxRenewableAge': ['604800']})]
> root : DEBUG will use domain: vorlon.lan
>
> root : DEBUG will use server: zerberus.vorlon.lan
>
> Discovery was successful!
> root : DEBUG will use cli_realm: VORLON.LAN
>
> root : DEBUG will use cli_basedn: dc=vorlon,dc=lan
>
> Hostname: chessur.vorlon.lan
> Realm: VORLON.LAN
> DNS Domain: vorlon.lan
> IPA Server: zerberus.vorlon.lan
> BaseDN: dc=vorlon,dc=lan
>
>
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> root : DEBUG will use principal: admin
>
> root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2011-07-26 15:34:28--
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> Auflösen des Hostnamen »zerberus.vorlon.lan«.... 192.168.0.230
> Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
> HTTP Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 767 [application/x-x509-ca-cert]
> In »»/etc/ipa/ca.crt«« speichern.
>
> 0K 100% 64,6M=0s
>
> 2011-07-26 15:34:28 (64,6 MB/s) - »»/etc/ipa/ca.crt«« gespeichert [767/767]
>
>
> root : DEBUG Writing Kerberos configuration to /tmp/tmphXdPGl:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = VORLON.LAN
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> VORLON.LAN = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .vorlon.lan = VORLON.LAN
> vorlon.lan = VORLON.LAN
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> Password for admin at VORLON.LAN:
> root : DEBUG args=kinit admin at VORLON.LAN
> root : DEBUG stdout=Password for admin at VORLON.LAN:
>
> root : DEBUG stderr=
>
> root : DEBUG args=/usr/sbin/ipa-join -s zerberus.vorlon.lan -d
> root : DEBUG stdout=
> root : DEBUG stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>chessur.vorlon.lan</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.38.8-35.fc15.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> HTTP response code is 500, not 200
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.
> root : DEBUG args=kdestroy
> root : DEBUG stdout=
> root : DEBUG stderr=
> [root at chessur ~]#
>
>
> cu romal
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

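The diagnosis Rob gives above comes down to three checks a practitioner can script: is the client's libcurl one of the builds that still delegates the Kerberos ticket to every SPNEGO server (the behaviour CVE-2011-2192 removed, and the behaviour ipa-join relied on), does the client actually hold a forwardable ticket for the IPA server's HTTP service, and does the Apache error log on the server complain about a principal. The POSIX shell helpers below are an added example for this thread, not FreeIPA project code. The version boundaries are an assumption taken from the curl advisory for CVE-2011-2192 (libcurl 7.10.6 up to and including 7.21.6 always delegated; 7.21.7 stopped; 7.22.0 later added CURLOPT_GSSAPI_DELEGATION so a caller can request it), and the klist listing and log lines are constructed samples, not output from the poster's machines.

```shell
#!/bin/sh
# Added diagnostic helpers for the enrollment failure discussed in the thread.
# Not FreeIPA project code. Assumption, stated as such: the version range is
# taken from the curl advisory for CVE-2011-2192 (libcurl 7.10.6 up to and
# including 7.21.6 delegated the Kerberos ticket unconditionally; 7.21.7
# stopped doing so; 7.22.0 added CURLOPT_GSSAPI_DELEGATION for opt-in).
# The klist listing and error-log lines further down are constructed samples.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B over dotted version strings.
vercmp() {
    i=1
    while :; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
}

# Returns 0 when libcurl version $1 forwards the TGT to every SPNEGO-authenticated
# HTTP server whether or not it asked (CVE-2011-2192). That same unconditional
# delegation is what the ipa-join XML-RPC call depended on.
libcurl_always_delegates() {
    [ "$(vercmp "$1" 7.10.6)" -ge 0 ] && [ "$(vercmp "$1" 7.21.6)" -le 0 ]
}

# Returns 0 when 'klist -f' output on stdin shows a forwardable (F) ticket for
# service principal $1. Without one there is nothing to delegate, whatever
# libcurl does; the krb5.conf written by ipa-client-install sets forwardable = yes.
ticket_forwardable_for() {
    awk -v p="$1" '
        index($0, p)            { found = 1; next }
        found && $1 == "Flags:" { ok = (index($2, "F") > 0); found = 0 }
        END { exit !ok }'
}

# Prints Apache error-log lines (stdin) that mention a principal, which is where
# Rob suggests looking on the IPA server; returns 0 when at least one is found.
apache_principal_errors() {
    grep -i 'principal'
}

# Constructed sample of 'klist -f' on an enrolling client (not real output).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@VORLON.LAN

Valid starting     Expires            Service principal
07/26/11 15:34:28  07/27/11 15:34:28  krbtgt/VORLON.LAN@VORLON.LAN
    Flags: FIA
07/26/11 15:34:30  07/27/11 15:34:28  HTTP/zerberus.vorlon.lan@VORLON.LAN
    Flags: FA'

# Constructed sample of two Apache error-log lines (not real output).
SAMPLE_ERRLOG='[Tue Jul 26 15:34:30 2011] [error] (constructed sample) no delegated credentials for principal admin@VORLON.LAN
[Tue Jul 26 15:34:30 2011] [error] (constructed sample) unrelated line'

# Demonstration on the constructed samples. For a live check use, on the client:
#   libcurl_always_delegates "$(curl-config --version | sed 's/^libcurl //')"
#   klist -f | ticket_forwardable_for HTTP/zerberus.vorlon.lan
# and on the IPA server:
#   apache_principal_errors < /var/log/httpd/error_log
for v in 7.21.3 7.21.7; do
    if libcurl_always_delegates "$v"; then
        echo "libcurl $v: forwards the TGT unconditionally (CVE-2011-2192); enrollment works, but the ticket goes to every SPNEGO server"
    else
        echo "libcurl $v: no unconditional forwarding; ipa-join gets HTTP 500 until curl and ipa-join regain a way to forward the ticket"
    fi
done
if printf '%s\n' "$SAMPLE_KLIST" | ticket_forwardable_for HTTP/zerberus.vorlon.lan; then
    echo "client ticket for HTTP/zerberus.vorlon.lan is forwardable"
else
    echo "client ticket is not forwardable: check forwardable in krb5.conf before blaming libcurl"
fi
printf '%s\n' "$SAMPLE_ERRLOG" | apache_principal_errors || echo "no principal errors in sample log"
```

The libcurl version check tells you which of Rob's two options you are looking at: a build inside the range joins but hands the TGT to any server that negotiates SPNEGO, a build outside it keeps the ticket on the client and the join fails with the HTTP 500 seen in the log above. The forwardable-flag check rules out the other common cause of the same symptom before anyone downgrades a library.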