[Freeipa-users] Server - client mismatch has now progressed to 6.1

Rob Crittenden rcritten at redhat.com
Tue May 24 02:24:30 UTC 2011


Steven Jones wrote:
> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a 
completely different error message).

A few things to note:

- In general, when you reference any IPA server you should always use 
the fully-qualified name. The SSL error you had was because the name did 
not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so 
you can always check the Apache error/access logs for diagnostic 
information.
- The integrated DNS stores information in LDAP, not flat files, so 
having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time 
password. It definitely did one in the log you provided and you still 
got a 401, which is strange. Did you also run kinit before manually 
running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a 
lot more debugging information.

I think the first place to check is the Apache error log to see why the 
join call failed.

rob



