Hi Jakub, I ended up re-enrolling the box and it is behaving as expected except I am not getting a host cert. Robert indicated auto host cert is no longer avail with RHEL 7 but to use the --request-cert option on enroll to get a host cert if I wanted one. I did so and got this in the install log:
2016-11-16T22:00:53Z DEBUG Starting external process
2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
2016-11-16T22:00:53Z DEBUG Process finished, return code=0
2016-11-16T22:00:53Z DEBUG stdout=active
2016-11-16T22:00:53Z DEBUG stderr=
2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed

Maybe this is an issue with a RHEL 7 (4.x) client hitting a RHEL 6 (3.x) IPA server?

As for crypto on the RHEL 6 IPA, I have the following (if this is what you are looking for). However, this is a modified version, as it took me a while to get this list to pass Tenable scans by modding the dse files.

[root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-16 17:25 EST
Nmap scan report for ipa1.ipa.local
Host is up (0.000087s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed

Sean Hogan

From: Jakub Hrozek <[email protected]>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: Martin Babinsky <[email protected]>, [email protected]
Date: 11/16/2016 02:38 PM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote:
> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials

OK, now there's at least the same error from kinit as sssd is generating.
Can you run this command prepended with KRB5_TRACE=/dev/stderr and perhaps also check the KDC logs for the same time? But frankly I don't know offhand what enctypes are supported by the RHEL-6 server's KDC..
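As an added example (not code from the thread or from the FreeIPA project), the following Python script parses the nmap 5.51 ssl-enum-ciphers output quoted above and grades each suite the way a vulnerability scanner would, so that a cipher list like the one on the 389 Directory Server can be checked before the next Tenable run. Nmap 5.51 prints no per-suite grade, so the grading rules, the function names and the report keys are all my own assumptions; the scan text is embedded inline as a constructed sample copied from the thread.

```python
"""Parse nmap ssl-enum-ciphers output and flag suites a scanner would complain about."""
import re
from collections import defaultdict

# Constructed sample: the LDAPS (636/tcp) scan output quoted in the thread.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
"""

# A protocol header line looks like "|   TLSv1.2"; a suite line like "|       TLS_..."
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+)\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s*$")

# Protocol versions we consider acceptable; anything else is reported as old.
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_nmap_ciphers(text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers script output."""
    suites = defaultdict(list)
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and proto is not None:
            suites[proto].append(m.group(1))
    return dict(suites)


def grade_cipher(name):
    """Return the list of findings for one IANA suite name (empty list = fine).

    Rules are assumptions modelled on common scanner checks: 3DES/RC4/NULL/export
    ciphers are weak; static-RSA key exchange gives no forward secrecy; CBC with a
    SHA-1 MAC is legacy. A suite can collect more than one finding.
    """
    findings = []
    if any(tag in name for tag in ("3DES", "_RC4_", "_NULL_", "EXPORT")):
        findings.append("weak cipher")
    if not (name.startswith("TLS_DHE_") or name.startswith("TLS_ECDHE_")):
        findings.append("no forward secrecy")
    if "_CBC_" in name and name.endswith("_SHA"):
        findings.append("legacy CBC/SHA-1")
    return findings


def report(text):
    """Summarise a scan: protocols offered, flagged suites, and whether PFS is available."""
    by_proto = parse_nmap_ciphers(text)
    all_suites = [s for suites in by_proto.values() for s in suites]
    findings = {s: grade_cipher(s) for s in all_suites}
    return {
        "protocols": sorted(by_proto),
        "old_protocols": sorted(p for p in by_proto if p not in MODERN_PROTOCOLS),
        "cipher_count": len(all_suites),
        "weak": [s for s, f in findings.items() if "weak cipher" in f],
        "no_pfs": [s for s, f in findings.items() if "no forward secrecy" in f],
        "legacy_cbc": [s for s, f in findings.items() if "legacy CBC/SHA-1" in f],
        "pfs_offered": any("no forward secrecy" not in f for f in findings.values()),
    }


if __name__ == "__main__":
    for key, value in report(NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports only TLSv1.2, 14 suites, one weak suite (the 3DES one, which is what scanners typically cite under Sweet32), five static-RSA suites without forward secrecy and seven CBC/SHA-1 suites; it also confirms that forward-secret suites are offered, so the weak and non-PFS ones can be dropped from the directory server's allowed list without losing connectivity for modern clients. The regexes match only the nmap script's own indentation, so feed it the raw scan output rather than a reflowed copy.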
