[Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install

pasqual milvaques milvaques_pas at gva.es
Fri May 11 14:40:44 UTC 2012


I have downloaded and compiled some versions of gnutls and this is the result:
gnutls-2.8.5: works
gnutls-2.12.19: fail
gnutls-3.0.19: fail

this must affect distributions in which ldaps connections are based on 
gnutls (I only know debian and ubuntu).

the problem can be tested with this command:
gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es

if you have a problematic gnutls version the command would end with 
these lines:
...
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9bb40d0]: Epoch #0 freed
|<4>| REC[0x9bb40d0]: Epoch #1 freed
pasqual at ubuntuprovesfreeipa:~/gnutls-2.12.19$

any idea how to make this work?

On 11/05/12 13:16, pasqual milvaques wrote:
> I'm trying to join an ubuntu 12.04 machine to a freeipa domain installed 
> on a centos 6.2 machine and it seems there is some problem with the 
> tls negotiation. ubuntu 12.04 uses gnutls instead of openssl so the 
> problem could be there but I don't know how to solve it. with the 
> ldapsearch command I can also reproduce the failure
>
> I have opened this ubuntu bug as freeipa now has a native client 
> package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990
>
> any idea?
>
> this is the log of the operation:
>
> pasqual at ubuntuprovesfreeipa:~$ sudo ipa-client-install -d 
> --enable-dns-updates
> [sudo] password for pasqual:
> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: 
> {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 
> 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 
> 'permit': False, 'server': None, 'prompt_password': False, 
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 
> 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': 
> None, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively later
>
> root : DEBUG Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from 
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [ipadnssearchldap(linux.gva.es)]
> root : DEBUG [ipadnssearchldap(gva.es)]
> root : DEBUG [ipadnssearchldap(es)]
> root : DEBUG [ipadnssearchldap(linux.gva.es)]
> root : DEBUG [ipadnssearchldap(gva.es)]
> root : DEBUG [ipadnssearchldap(es)]
> root : DEBUG Domain not found
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): 
> linux.gva.es
> root : DEBUG will use domain: linux.gva.es
>
> root : DEBUG [ipadnssearchldap]
> root : DEBUG IPA Server not found
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com): 
> freeipaserver.linux.gva.es
> root : DEBUG will use server: freeipaserver.linux.gva.es
>
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 
> http://freeipaserver.linux.gva.es/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2012-05-11 12:06:09-- 
> http://freeipaserver.linux.gva.es/ipa/config/ca.crt
> Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 
> 192.168.222.99
> S'està connectant a freeipaserver.linux.gva.es 
> (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
> HTTP: Petició enviada, esperant resposta... 200 OK
> Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
> S'està desant a: «/tmp/tmpWptXwb/ca.crt»
>
>      0K . 100% 38.4M=0s
>
> 2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» 
> [1325/1325]
>
> root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
> root : ERROR LDAP Error: Connect error: A TLS packet with unexpected 
> length was received.
> Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> pasqual at ubuntuprovesfreeipa:~$
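The gnutls-cli test described in the message above can be triaged automatically across several clients. The following is an added example, not part of the original post: the function names are hypothetical, and the sample input is the failing output quoted in the message.

```python
import re

# Failing tail of `gnutls-cli -d 4` output, copied from the post above.
SAMPLE = """\
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
*** Handshake has failed
"""

ALERT_RE = re.compile(r"Sending Alert\[(\d+)\|(\d+)\] - (.+)")
ASSERT_RE = re.compile(r"ASSERT: (\S+):(\d+)")
FATAL_PREFIX = "*** Fatal error:"


def triage(output):
    """Summarise a gnutls-cli debug transcript (hypothetical helper)."""
    report = {"client_hello_sent": False, "asserts": [],
              "alert": None, "fatal": None, "failed": False}
    for line in (raw.strip() for raw in output.splitlines()):
        if "CLIENT HELLO was sent" in line:
            report["client_hello_sent"] = True
        elif line.startswith(FATAL_PREFIX):
            report["fatal"] = line[len(FATAL_PREFIX):].strip()
        elif line.startswith("*** Handshake has failed"):
            report["failed"] = True
        elif (m := ALERT_RE.search(line)):
            # Alert[level|description]: both are the numeric TLS alert fields.
            report["alert"] = (int(m.group(1)), int(m.group(2)), m.group(3))
        elif (m := ASSERT_RE.search(line)):
            # Source locations inside gnutls where the error was raised.
            report["asserts"].append((m.group(1), int(m.group(2))))
    return report


def is_record_overflow_failure(report):
    """True when the transcript matches the failure shown in the post."""
    # TLS alert level 2 is fatal; description 22 is record_overflow, sent
    # by the client because it rejected the length of a received record.
    alert = report["alert"]
    return (report["client_hello_sent"] and report["failed"]
            and alert is not None and alert[:2] == (2, 22))


if __name__ == "__main__":
    print(is_record_overflow_failure(triage(SAMPLE)))
```
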