Hi,

So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
Is there a solution to this?

regards

________________________________________
From: [email protected] [[email protected]] on behalf of Steven Jones [[email protected]]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

I must be going blind in my old age.....anyway here they are.

regards

________________________________________
From: [email protected] [[email protected]] on behalf of Steven Jones [[email protected]]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
5) For DNS I added, allow query {any;}; into /etc/named.conf clients were then not denied DNS.

regards

________________________________________
From: Rob Crittenden [[email protected]]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:
> ran the ipa-join manually and krb5.conf was not configured, scp'd that over
> from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a completely different error message).

A few things to note:

- In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
- The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.

I think the first place to check is the Apache error log to see why the join call failed.

rob
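
The access-log check suggested in the reply above, sketched as an added example (not code from the thread or from the FreeIPA project): it groups 3xx/4xx responses by client and request path and shows whether Apache recorded an authenticated user. It assumes the Apache "combined" log format; the sample lines, addresses and paths are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (addresses, paths and agents are made up for illustration).
SAMPLE_LOG = """\
192.0.2.21 - - [24/May/2011:14:01:07 +1200] "POST /ipa/xml HTTP/1.1" 401 1408 "-" "ipa-join"
192.0.2.21 - - [24/May/2011:14:03:55 +1200] "POST /ipa/xml HTTP/1.1" 401 1408 "-" "ipa-join"
192.0.2.30 - admin@EXAMPLE.COM [24/May/2011:14:05:12 +1200] "POST /ipa/xml HTTP/1.1" 200 512 "-" "client"
192.0.2.44 - - [24/May/2011:14:06:40 +1200] "GET /ipa/ui HTTP/1.1" 301 240 "-" "browser"
this line is truncated and does not parse
"""

def failed_requests(log_text):
    """Return (counts, unparsed); counts maps (host, path, status, user) to hits for 3xx/4xx."""
    counts, unparsed = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep odd lines visible instead of silently dropping them
            continue
        status = int(m["status"])
        if 300 <= status < 500:
            counts[(m["host"], m["path"], status, m["user"])] += 1
    return counts, unparsed

def report(counts):
    """Format one line per failing client/path, most frequent first."""
    rows = []
    for (host, path, status, user), n in counts.most_common():
        # "-" in the user field means Apache did not record an authenticated user
        who = "no authenticated user" if user == "-" else user
        rows.append(f"{n:3d}x {status} {host} {path} ({who})")
    return rows

if __name__ == "__main__":
    counts, unparsed = failed_requests(SAMPLE_LOG)
    print("\n".join(report(counts)))
    print(f"{len(unparsed)} unparsed line(s)")
```

The timestamps of the failing entries can then be matched against the Apache error log to see why the join call was rejected.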
