[Freeipa-users] ipa-client-install errors via kickstart
Rob Crittenden
rcritten at redhat.com
Mon Jun 27 15:01:44 UTC 2011
Charlie Derwent wrote:
>
>
> On Mon, Jun 27, 2011 at 2:07 PM, Adam Young <ayoung at redhat.com> wrote:
>
> On 06/26/2011 08:35 AM, Charlie Derwent wrote:
>>
>>
>> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Charlie Derwent wrote:
>>
>>
>>
>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Charlie Derwent wrote:
>>
>> Hi
>>
>> I'm running FreeIPA server on F14 and connecting to
>> a F14
>> client. When I
>> run ipa-client-install (via kickstart or after the
>> client has
>> installed)
>> I'm getting the following error message.
>>
>> root : DEBUG
>> root : ERROR LDAP Error: Connect error:
>> Start TLS request
>> accepted. Server willing to negotiate SSL
>> Failed to verify that ipa.test.net
>> <http://ipa.test.net> <http://ipa.test.net>
>> <http://ipa.test.net> is an IPA server
>>
>> This may mean that the remote server is not up or
>> is not
>> reachable due
>> to network or firewall settings
>>
>>
>> What version of IPA are you running on the client and
>> server?
>>
>> Server is running 2.0.0.rc3-0
>> F14 Client is running 2.0.0.rc3-0
>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>> All the boxes are 64-bit
>>
>>
>> How are you invoking ipa-client-install? The error message
>> looks a bit odd and I'm not sure if it is a mail client
>> mucking it up or something else (the addition of
>> http://ipa.test.net)
>>
>> rob
>>
>>
>>
>> Can you check the 389-ds access log to see if you can
>> see the
>> connection and any errors reported with it?
>>
>> Nothing in the access.log on the server.
>>
>>
>>
>>
>> The ipa server is definitely up and running, it's still
>> authenticating other servers in the network and when I rebuild the
>> client with rhel or centos it can enroll (almost) without issue (see
>> below).
>>
>> The second issue was this certmonger related bug where
>> certmonger fails to start on new install
>> (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it
>> resolved in Red Hat 5 as I think I'm experiencing the issue with my
>> RH5u6 clients?
>>
>>
>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple
>> fix is to
>> restart messagebus after installing certmonger. Should
>> be easy to do
>> in a kickstart.
>>
>>
>> yeah got the "killall -HUP dbus-daemon" in there now.
>>
>> Cheers
>> Charlie
>>
>>
>> rob
>>
>>
>>
>>
>> Figured it out! Well partly... it's a dependency issue. I
>> installed pretty much everything onto the box and it started to
>> work but on my cut down server no joy. Finding the missing RPM
>> might be a little bit trickier unless someone could deduce
>> what RPM's absence could cause that error?
>>
>> It's hard cause it may be a dependency for the ipa-client or a
>> dependency of a dependency and so forth!
>
> If you are doing a DNS install for the server, you need
> bind-dyndb-ldap, which is the LDAP backend for the DNS server.
>
>
> This was a client side issue (apologies for saying "cut down server" I
> meant server in a hardware sense rather than server/client model). But
> yeah bind-dyndb-ldap is installed on my server.
>
A brute force way would be to do rpm -qa > list on both installs so we
can compare the two and try to find some important difference.
rob
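
The comparison suggested above, as an added example that is not part of the original thread: it reduces two `rpm -qa > list` outputs to package names so that version differences do not drown out the packages that are actually absent. The file names and every package line in the sample are constructed.

```shell
#!/bin/sh
# Added example. On each client the list is produced with:  rpm -qa > list
# File names and all package lines below are constructed for illustration.

# Reduce "name-version-release[.arch]" lines to sorted, unique package names.
# Version and release never contain "-", so the last two fields can be cut.
pkg_names() {
    sed -E 's/-[^-]+-[^-]+$//' "$1" | LC_ALL=C sort -u
}

# Print packages installed on the working client but absent from the failing one.
missing_on_failing() {
    tmp_w=$(mktemp) || return 1
    tmp_f=$(mktemp) || { rm -f "$tmp_w"; return 1; }
    pkg_names "$1" > "$tmp_w"
    pkg_names "$2" > "$tmp_f"
    LC_ALL=C comm -23 "$tmp_w" "$tmp_f"
    rm -f "$tmp_w" "$tmp_f"
}

# Constructed sample lists (not taken from the thread).
demo_dir=$(mktemp -d)
cat > "$demo_dir/full.list" <<'EOF'
bash-4.1.7-4.fc14.x86_64
glibc-2.13-1.x86_64
glibc-2.13-1.i686
ipa-client-2.0.0-1.fc14.x86_64
example-helper-lib-1.2-3.fc14.x86_64
EOF
cat > "$demo_dir/minimal.list" <<'EOF'
bash-4.1.7-3.fc14.x86_64
glibc-2.13-1.x86_64
ipa-client-2.0.0-1.fc14.x86_64
EOF

# Version drift in bash is ignored; only the absent package name is printed.
missing_on_failing "$demo_dir/full.list" "$demo_dir/minimal.list"
rm -rf "$demo_dir"
```

Architecture is collapsed along with the version, so a missing 32-bit copy of a multilib package will not show up; generating the lists with `rpm -qa --qf '%{NAME}.%{ARCH}\n'` and comparing them directly covers that case.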