On 19 February 2013 12:44, Peter Brown <[email protected]> wrote:
>
>
> On 19 February 2013 12:06, John Moyer <[email protected]> wrote:
>
>> Peter,
>>
>> The client is pointing to DNS for the server. Here is the log info
>> from the ipa-client log (in /var/log/). I haven't tried the other stuff
>> yet; I'll respond back when I get a chance to check out the CA cert things.
>>
>> 2013-02-19T02:01:37Z DEBUG args=kinit [email protected]
>> 2013-02-19T02:01:37Z DEBUG stdout=Password for [email protected]:
>>
>> 2013-02-19T02:01:37Z DEBUG stderr=
>> 2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
>> 2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/[email protected] not found in Kerberos database)
>> 2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/[email protected] not found in Kerberos database)', 'desc': 'Local error'}
>> 2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
>> 'ldap://ipa1.example.com' doesn't have a certificate.
>> 2013-02-19T02:01:37Z DEBUG args=kdestroy
>> 2013-02-19T02:01:37Z DEBUG stdout=
>> 2013-02-19T02:01:37Z DEBUG stderr=
>>
>
> I would hazard a guess you need those UDP ports open on the firewall for
> your freeipa server.
> The two I mentioned are Kerberos ports.
> You will likely need UDP port 389 open as well for talking to the
> directory server where it is attempting to get the cert from.
>

I just had another thought. If you have outgoing port restrictions on your AWS instances you will need to allow them to connect to all the ports freeipa needs.

>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> *Digital Reasoning Systems, Inc.*
>> [email protected]
>> Office: 703.678.2311
>> Mobile: 240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>>
>> On Feb 18, 2013, at 8:42 PM, Peter Brown <[email protected]> wrote:
>>
>> On 19 February 2013 11:03, John Moyer <[email protected]> wrote:
>>
>>> Peter,
>>>
>>> Thanks for the response. I just checked out my security group
>>> settings; I did have some ports blocked, however, allowing them did not
>>> help. I installed nmap on the client and did a port scan of the server
>>> and got the following:
>>>
>>> PORT    STATE SERVICE
>>> 22/tcp  open  ssh
>>> 53/tcp  open  domain
>>> 80/tcp  open  http
>>> 88/tcp  open  kerberos-sec
>>> 389/tcp open  ldap
>>> 443/tcp open  https
>>> 464/tcp open  kpasswd5
>>> 636/tcp open  ldapssl
>>> 749/tcp open  kerberos-adm
>>>
>>
>> There are a couple of UDP ports that need to be open as well,
>> 464 and 88 from memory.
>>
>> They shouldn't affect your ability to download the CA cert.
>>
>> Have you checked the ipa-client log file?
>> I can't remember where that gets saved right now, but it should mention
>> the location when you run the ipa-client command.
>>
>>
>>
>>> I tried to enroll again and got the same error as seen here:
>>>
>>> Synchronizing time with KDC...
>>>
>>> ipa         : ERROR    Cannot obtain CA certificate
>>>
>>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>>
>>>
>>> On Feb 18, 2013, at 7:24 PM, Peter Brown <[email protected]> wrote:
>>>
>>> Hi John,
>>>
>>> I ran into a similar issue with setting up a 2.2 client with a 3.1
>>> server.
>>> It turned out to be that port 80 wasn't open on the freeipa server.
>>> I would check your ports and see if the right ones are open.
>>> I also find that setting up the SRV and TXT records in your DNS zone
>>> makes setting up clients a lot simpler.
>>>
>>>
>>>
>>> On 19 February 2013 00:58, John Moyer <[email protected]> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I am having an issue using IPA 2.2.0. I am trying to put together a
>>>> proof of concept set of systems. I've stood up 2 servers on AWS. One is
>>>> the server, one is the client. I am using CentOS 6 to do all this testing
>>>> on, with the default IPA packages provided from CentOS. I had a fully
>>>> operational proof of concept finished, fully scripted to be built without
>>>> issues. I shut down and started these as needed to show to people to get
>>>> approval for the project. The other day the client stopped enrolling to
>>>> the IPA server. I have no idea why; I assume a patch pushed out broke
>>>> something, since it is a fully scripted install. It does get the most recent
>>>> patches each time I stand it up, so it definitely would pull any new patches
>>>> that came out.
>>>>
>>>> After investigating, I am getting this error when I try to manually
>>>> enroll the client. I haven't been able to find any reference to this error
>>>> anywhere on the net. Any help would be greatly appreciated! Let me know
>>>> if any additional details are needed.
>>>>
>>>>
>>>> PLEASE NOTE: Everything below has been sanitized
>>>>
>>>>
>>>> [root@client ~]# ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U
>>>> DNS domain 'example.com' is not configured for automatic KDC address lookup.
>>>> KDC address will be set to fixed value.
>>>>
>>>> Discovery was successful!
>>>> Hostname: client.ec2.internal
>>>> Realm: EXAMPLE.COM
>>>> DNS Domain: digitalreasoning.com
>>>> IPA Server: ipa1.example.com
>>>> BaseDN: dc=example,dc=com
>>>>
>>>>
>>>> Synchronizing time with KDC...
>>>>
>>>> ipa         : ERROR    Cannot obtain CA certificate
>>>> 'ldap://ipa1.example.com' doesn't have a certificate.
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>>>
>>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>>
>>
>>
>
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
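The thread turns on two checks John does by hand: comparing an nmap scan of the server against the ports the client needs, and noticing that a TCP-only scan says nothing about the UDP Kerberos ports Peter mentions. The script below is an added example written for this page, not code from the thread or from the FreeIPA project. It parses nmap's normal output (the sample is John's scan, reproduced as a constructed string), reports required endpoints that are shown closed separately from ones the scan never covered, and can optionally TCP-connect to a host from the client side. The required-port table is compiled from the ports named in the thread (TCP 80, 88, 389, 443, 464, 636 and UDP 88, 464, 389) and is an assumption, not FreeIPA's official firewall list; the `connect` parameter is injectable so the logic can be exercised without a network.

```python
"""Audit a FreeIPA server's reachability from an enrolling client.

Added example, not code from the thread. REQUIRED_PORTS is an assumption
compiled from the ports mentioned in the thread, not FreeIPA's official list.
"""
import re
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]  # (protocol, port)

REQUIRED_PORTS: Dict[Endpoint, str] = {
    ("tcp", 80): "http (CA certificate download)",
    ("tcp", 88): "kerberos",
    ("tcp", 389): "ldap",
    ("tcp", 443): "https",
    ("tcp", 464): "kpasswd",
    ("tcp", 636): "ldaps",
    ("udp", 88): "kerberos",
    ("udp", 464): "kpasswd",
    ("udp", 389): "ldap (suggested in the thread)",
}

# Constructed sample: the nmap output John posted, reproduced as a string.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm
"""

_SCAN_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)")


def parse_nmap(text: str) -> Dict[Endpoint, str]:
    """Map (proto, port) -> state for every port line in nmap's normal output."""
    found: Dict[Endpoint, str] = {}
    for line in text.splitlines():
        m = _SCAN_LINE.match(line)
        if m:
            found[(m.group(2), int(m.group(1)))] = m.group(3)
    return found


def audit(scan: Dict[Endpoint, str],
          required: Dict[Endpoint, str] = REQUIRED_PORTS) -> Tuple[List[Endpoint], List[Endpoint]]:
    """Split the required endpoints into those the scan shows as not open and
    those the scan never covered (e.g. UDP ports after a TCP-only scan).
    An endpoint absent from the scan is reported as unverified, not closed,
    because its absence proves nothing."""
    missing = sorted(ep for ep in required if ep in scan and scan[ep] != "open")
    unverified = sorted(ep for ep in required if ep not in scan)
    return missing, unverified


def probe_tcp(host: str, ports: Iterable[int],
              connect: Callable = socket.create_connection,
              timeout: float = 2.0) -> Dict[int, bool]:
    """Attempt a TCP connect to each port from this client; True means the
    connection succeeded. Only TCP is probed: a UDP port cannot be confirmed
    open this way, which is exactly why audit() lists it as unverified."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            conn = connect((host, port), timeout)
            conn.close()
            results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    missing, unverified = audit(parse_nmap(SAMPLE_SCAN))
    print("shown not open:", missing or "none")
    print("not verified by this scan:", unverified)
    if len(sys.argv) > 1:  # e.g. python audit.py ipa1.example.com
        host = sys.argv[1]
        tcp_ports = sorted(p for proto, p in REQUIRED_PORTS if proto == "tcp")
        for port, ok in probe_tcp(host, tcp_ports).items():
            print(f"{host}:{port}/tcp {'reachable' if ok else 'NOT reachable'}")
```

Run against the sample scan it reports nothing closed but lists the three UDP endpoints as unverified, which is the gap Peter points at; run with a hostname it also attempts the TCP connects from the client, so an AWS security group blocking outbound traffic shows up as "NOT reachable" even when a scan from elsewhere looks clean.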
