On 26.2.2013 17:55, John Moyer wrote:
Sorry for the late response, so I tried this, and it changed the error to the
following:
Synchronizing time with KDC...
Joining realm failed: HTTP response code is 401, not 200
Installation failed. Rolling back changes.
Looking at debug this is what I see:
< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/[email protected] not found in Kerberos database
< WWW-Authenticate: Negotiate
krbtgt/[email protected] is definitely not correct. It should look like
"krbtgt/[email protected]". I would recommend double-checking name
resolution.
Are all records in /etc/hosts correct?
Does /etc/resolv.conf point to the IPA server?
Do forward (A) and reverse (PTR) records match for client and also IPA servers?
Does dig -t TXT _kerberos.example.com return the correct REALM?
Do all domain and realm names in /etc/krb5.conf point to the correct IPA domain?
You can run ipa-client-install with the KRB5_TRACE environment variable set. It
could produce some useful output. E.g.:
$ KRB5_TRACE=/tmp/kerberos_trace.log ipa-client-install <.. blah blah..>
This should log actions done by the Kerberos libraries to the file
/tmp/kerberos_trace.log.
Also, "tcpdump -s 65535 -w /tmp/tcpdump -i any" could provide some clue.
You can send both files to me privately if you don't want to send them to
the mailing list.
Petr^2 Spacek
< Last-Modified: Wed, 23 Jan 2013 22:16:50 GMT
< ETag: "4627-740-4d3fc0cfd7880"
< Accept-Ranges: bytes
< Content-Length: 1856
< Connection: close
< Content-Type: text/html; charset=UTF-8
On Feb 19, 2013, at 6:35 AM, Jan-Frode Myklebust <[email protected]> wrote:
ipa : ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
FYI, I have this same issue when enrolling RHEL5 clients. Have been
doing this as a workaround:
wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt
-jf
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
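
The /etc/krb5.conf and _kerberos TXT items from the checklist in the reply above, as an added example (not part of the original mail and not FreeIPA code). It assumes a simplified model of the MIT krb5 [domain_realm] lookup order; the sample config, host names and function names are constructed for illustration.

```python
import re

# Constructed sample: a stale per-host entry in [domain_realm] (assumption).
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = ipa1.example.com:88
  }
[domain_realm]
  .example.com = EXAMPLE.COM
  ipa1.example.com = LAB.EXAMPLE.COM
"""

def parse_krb5(text):
    """Return (default_realm, {domain_realm key: realm}) from krb5.conf text."""
    section, default, mapping = None, None, {}
    for line in (l.strip() for l in text.splitlines()):
        head = re.fullmatch(r"\[(\w+)\]", line)
        key, _, value = (p.strip() for p in line.partition("="))
        if head:
            section = head.group(1)
        elif section == "libdefaults" and key == "default_realm":
            default = value
        elif section == "domain_realm" and value and line[0] not in "#;":
            mapping[key.lower()] = value
    return default, mapping

def host_realm(host, mapping):
    """Assumed lookup order: a.b.c, .b.c, b.c, .c, c; None if unmapped."""
    name = host.lower()
    while name:
        if name in mapping:
            return mapping[name]
        cut = 1 if name[0] == "." else name.find(".")
        name = name[cut:] if cut >= 0 else ""
    return None

def check(text, hosts, txt_realm=None):
    default, mapping = parse_krb5(text)
    findings = []
    if txt_realm is not None and txt_realm != default:
        findings.append(f"_kerberos TXT {txt_realm} != default_realm {default}")
    for host in hosts:
        realm = host_realm(host, mapping)
        if realm not in (None, default):  # client would ask for a cross-realm TGT
            findings.append(f"{host}: TGS request for krbtgt/{realm}@{default}")
    return findings
```

Pass the realm returned by the dig TXT query from the mail as txt_realm; a finding of the krbtgt/OTHER@REALM form matches the shape of the "not found in Kerberos database" error quoted above.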