Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
> Ok, if I have time, I'll try with a RHEL 5.8 client today.
>
>
> As for debug output, this is what I get:
>
> [root@r5-idmclient ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
> 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
> 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
> 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
> None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
> root : ERROR LDAP Error: Connect error: TLS: hostname does not
> match CN in peer certificate
> root : DEBUG will use domain: lnxrealmtest.liberty.edu
>
> root : DEBUG will use server: lnxrealmtest01.liberty.edu
>
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
> and lnxrealmtest.lnxrealmtest.liberty.edu.
>
> The part that confuses me (I'm still new to the innards of SSL) is this:
>
> LDAP Error: Connect error: TLS: hostname does not match CN in peer
> certificate
>
> When I look at the cert using:
>
> openssl x509 -in /etc/ipa/ca.crt -noout -text
>
> I see this:
>
> Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
> Validity
> Not Before: Jul 25 18:22:53 2013 GMT
> Not After : Jul 25 18:22:53 2033 GMT
> Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>
>
> and ...
>
> OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp
No, you looked at the wrong certificate.
To look at it use:
# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
rob
Ok, that makes sense. The CN in that cert is correct, so I corrected my
command. It's still failing on binding a user it looks like.
I've attached the complete output.
Take a look at your 389-ds error log and the KDC log. The only thing we
get on the client side is LOCAL_ERROR.
rob
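The error the thread turns on ("TLS: hostname does not match CN in peer certificate") is the client comparing the name it connected to against the names in the server's certificate, which is why inspecting the CA certificate tells you nothing. The following is an added illustration of that rule, not code from this thread, from ipa-client-install or from the FreeIPA project: it reimplements the RFC 6125 style comparison (case-insensitive, SAN dNSName entries preferred, CN consulted only when no SAN is present, a wildcard only as the whole left-most label) over certificate dicts laid out the way Python's `ssl.SSLSocket.getpeercert()` returns them. The CA certificate subject is copied from the poster's `openssl x509 -text` output; every server certificate in the block is an assumption constructed to show the outcomes.

```python
"""How a TLS client decides that "hostname does not match CN in peer certificate".

Added illustration for this thread; it is not code from the freeipa-users
list, ipa-client-install, 389-ds or the FreeIPA project. The certificate
dicts are constructed in the layout Python's ssl.SSLSocket.getpeercert()
returns. Subject fields for the CA certificate are copied from the thread;
every server certificate below is an assumption used to show the rule.
"""
from typing import Dict, List, Tuple


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one certificate name with the hostname.

    Case-insensitive; a trailing dot is ignored; a wildcard is accepted only
    as the entire left-most label and matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (dNSName entries from subjectAltName, commonName values from subject)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    return san, cns


def match_hostname(cert: Dict, hostname: str) -> bool:
    """True if the client should accept `cert` for `hostname`.

    When the certificate carries any dNSName SAN entries, only those are
    consulted; the CN is used solely as a fallback for SAN-less certificates,
    which is why a "correct" CN can still fail once a SAN is present.
    """
    san, cns = certificate_names(cert)
    candidates = san if san else cns
    return any(_name_matches(name, hostname) for name in candidates)


def explain_check(cert: Dict, hostname: str) -> str:
    """One-line diagnostic saying which names were compared and the verdict."""
    san, cns = certificate_names(cert)
    source = "subjectAltName dNSName" if san else "subject CN"
    names = ", ".join(san or cns) or "<none>"
    verdict = "match" if match_hostname(cert, hostname) else "MISMATCH"
    return f"{hostname}: compared against {source} [{names}] -> {verdict}"


# Constructed from the subject the poster printed with `openssl x509 -text`:
# this is the CA certificate, whose CN names the issuer, not any host.
CA_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "Certificate Authority"),)),
}

# Assumed server certificates (not the real Server-Cert from the thread).
SERVER_CERT_CN_ONLY = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "lnxrealmtest01.liberty.edu"),)),
}
SERVER_CERT_WITH_SAN = {
    "subject": ((("commonName", "lnxrealmtest01.liberty.edu"),),),
    "subjectAltName": (("DNS", "lnxrealmtest01.lnxrealmtest.liberty.edu"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.lnxrealmtest.liberty.edu"),),),
}


if __name__ == "__main__":
    host = "lnxrealmtest01.liberty.edu"
    for label, cert in (("CA cert", CA_CERT),
                        ("server cert, CN only", SERVER_CERT_CN_ONLY),
                        ("server cert with SAN", SERVER_CERT_WITH_SAN),
                        ("wildcard cert", WILDCARD_CERT)):
        print(f"{label:22s} {explain_check(cert, host)}")
```

Running it shows the CA certificate failing for any hostname (its CN is "Certificate Authority"), the CN-only server certificate matching only the exact FQDN it was issued for, and the SAN-bearing certificate rejecting the short name even though its CN matches, because a SAN, once present, replaces the CN in the check. That last case is the one to keep in mind when a server certificate "looks right" in `certutil -L` but clients still report a hostname mismatch: compare the name you pass to `--server` with the SAN entries, not only with the CN.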
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users