Bug 984526
Summary: | Cannot verify domain server | |
---|---|---|---
Product: | Fedora | Reporter: | Stef Walter <stefw>
Component: | freeipa | Assignee: | Rob Crittenden <rcritten>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 19 | CC: | abokovoy, mkosek, rcritten, ssorce, stefw
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-07-15 15:36:19 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Stef Walter
2013-07-15 12:44:59 UTC
Domain information for reproducing available here: https://fedoraproject.org/wiki/Test_Day:2013-05-09_Red_Hat_Test_Bed#FreeIPA:ipa.baseos.qe

> Init LDAP connection to: server.ipa.baseos.qe
> Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
> Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe,
Stef, it looks like your client machine has some specific setup in /etc/pki/nssdb that doesn't trust the IPA master certificate. Since before install there should be no IPA master certificate there, you haven't seen the problem before. Perhaps this machine had previously been used for setting up an IPA client and then the server was re-installed, causing re-issue of the certificate.
I'm inclined to see this as misconfiguration.
I have not configured /etc/pki/nssdb to distrust the IPA master certificate. And it seems I should not need to configure explicit trust in advance of joining an IPA domain. Am I misunderstanding? As a double check, I've removed my /etc/pki/nssdb and still get the same failure:

```
[stef@stef ~]$ sudo mv /etc/pki/nssdb/ /etc/pki/nssdb.bak
[sudo] password for stef:
[stef@stef ~]$ sudo /usr/sbin/ipa-client-install --debug --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
/usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.baseos.qe', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'IPA.BASEOS.QE', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': None, 'prompt_password': True, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=ipa.baseos.qe, servers=None, hostname=stef.thewalter.lan
Search for LDAP SRV record in ipa.baseos.qe
Search DNS for SRV record of _ldap._tcp.ipa.baseos.qe
DNS record found: 0 100 389 server.ipa.baseos.qe.
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.baseos.qe
DNS record found: "IPA.BASEOS.QE"
Search DNS for SRV record of _kerberos._udp.ipa.baseos.qe
DNS record found: 0 100 88 server.ipa.baseos.qe.
[LDAP server check]
Verifying that server.ipa.baseos.qe (realm IPA.BASEOS.QE) is an IPA server
Init LDAP connection to: server.ipa.baseos.qe
Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, kdc=server.ipa.baseos.qe, basedn=None
Validated servers:
will use discovered domain: ipa.baseos.qe
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.
```

Is this coming from realmd?
> Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

To me this looks like you are configuring the LDAP client to reject any non-verified certificates; is that how your realmd code is doing it? For sure you wouldn't have a certificate until ipa-client-install fetched it.
Although I initially discovered this problem when running ipa-client-install from within realmd, ... As you can see from the output, I'm now running it directly from a command line prompt. I've also tried moving my ~/.ldaprc and /etc/ldap.conf files away, to make sure they're not affecting behavior.

```
[stef@stef ~]$ cat /etc/ldap.conf
cat: /etc/ldap.conf: No such file or directory
[stef@stef ~]$ cat ~/.ldaprc
cat: ~/.ldaprc: No such file or directory
```

All of this and we still get the error:

```
[LDAP server check]
Verifying that server.ipa.baseos.qe (realm IPA.BASEOS.QE) is an IPA server
Init LDAP connection to: server.ipa.baseos.qe
Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, kdc=server.ipa.baseos.qe, basedn=None
```

It seems odd that it's trying to connect via TLS to the server, rather than just straight up LDAP.

In the LDAP discovery phase, we connect via plain LDAP when there is no /etc/ipa/ca.crt file, which is added during ipa-client-install (after the discovery phase). Stef, can you please check whether the file exists on your machine, for example from some previous testing of IPA? If yes, does ipa-client-install work when you remove it? This file is already being removed during the uninstall procedure of the IPA client (since 3.2, see https://fedorahosted.org/freeipa/ticket/3537) to avoid this kind of issue.

The file /etc/ipa/ca.crt is present. I guess I last left an IPA domain before the above upstream bug was fixed. It looks like the previous ipa-client-uninstall --unattended failed for some reason.

Thanks for the help.
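Added example, not from the bug or from FreeIPA: a small Python triage helper that reads `ipa-client-install --debug` output like the excerpt quoted above and, given whether /etc/ipa/ca.crt already exists on the client, flags the stale-CA condition the thread arrives at (discovery only uses TLS when that file is present). The sample log lines, `diagnose`, and `Diagnosis` are constructed for this example; NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER.

```python
import re
from dataclasses import dataclass, field

# Patterns match the ipa-client-install --debug lines quoted in this bug.
TLS_ERR = re.compile(r"Error checking LDAP: Connect error: TLS error (-\d+):(.*)")
SKIPPED = re.compile(r"Skip (\S+): cannot verify if this is an IPA server")
RESULT = re.compile(r"Discovery result: (\w+);")
SEC_ERROR_UNTRUSTED_ISSUER = -8172  # NSS error code seen in the log

@dataclass
class Diagnosis:
    result: str = "NOT_FOUND"          # value of "Discovery result:" if logged
    skipped: list = field(default_factory=list)     # servers discovery gave up on
    tls_errors: list = field(default_factory=list)  # (nss_code, message) pairs
    stale_ca_suspected: bool = False
    advice: str = ""

def diagnose(log_lines, ca_crt_present):
    """Triage a discovery run. ca_crt_present says whether /etc/ipa/ca.crt
    already exists on the not-yet-enrolled client (the caller checks the file)."""
    d = Diagnosis()
    for line in log_lines:
        if m := TLS_ERR.search(line):
            d.tls_errors.append((int(m.group(1)), m.group(2).strip()))
        if m := SKIPPED.search(line):
            d.skipped.append(m.group(1))
        if m := RESULT.search(line):
            d.result = m.group(1)
    untrusted = any(code == SEC_ERROR_UNTRUSTED_ISSUER for code, _ in d.tls_errors)
    if untrusted and ca_crt_present:
        # Discovery speaks TLS only because /etc/ipa/ca.crt exists; a CA left over
        # from an earlier enrollment makes a re-issued server cert look untrusted.
        d.stale_ca_suspected = True
        d.advice = "Stale /etc/ipa/ca.crt from a previous enrollment; remove it and rerun ipa-client-install."
    elif untrusted:
        d.advice = "Untrusted issuer without /etc/ipa/ca.crt; inspect /etc/pki/nssdb trust settings."
    return d

# Constructed sample: the discovery excerpt quoted in this bug.
SAMPLE_LOG = [
    "[LDAP server check]",
    "Verifying that server.ipa.baseos.qe (realm IPA.BASEOS.QE) is an IPA server",
    "Init LDAP connection to: server.ipa.baseos.qe",
    "Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.",
    "Skip server.ipa.baseos.qe: cannot verify if this is an IPA server",
    "Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, kdc=server.ipa.baseos.qe, basedn=None",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, ca_crt_present=True))
```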