Bug 736787 - ipa-client-install fails to join ipa server.
Summary: ipa-client-install fails to join ipa server.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 719945
Blocks: 743047
Reported: 2011-09-08 17:32 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:51 UTC

Fixed In Version: ipa-2.1.1-2.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Environment:
Last Closed: 2011-12-06 18:31:00 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-09-08 17:32:25 UTC
Description of problem:


Version-Release number of selected component (if applicable):
Server:
# rpm -q ipa-server curl xmlrpc-c
ipa-server-2.1.1-1.el6.x86_64
curl-7.19.7-26.el6_1.2.x86_64
xmlrpc-c-1.16.24-1200.1840.el6.x86_64

Client:
# rpm -q ipa-client curl xmlrpc-c
ipa-client-2.1.1-1.el6.i686
curl-7.19.7-26.el6_1.2.i686
xmlrpc-c-1.16.24-1200.1840.el6.i686


How reproducible:
Always

Steps to Reproduce:
ipa-client-install  --domain=lab.eng.pnq.redhat.com --server=bumblebee.lab.eng.pnq.redhat.com --no-ntp --password=Secret123 --principal=admin --mkhomedir --unattended

  
Actual results:
# ipa-client-install  --domain=lab.eng.pnq.redhat.com --server=bumblebee.lab.eng.pnq.redhat.com --no-ntp --password=Secret123 --principal=admin --mkhomedir --unattended
DNS domain 'lab.eng.pnq.redhat.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: mudflap.lab.eng.pnq.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: bumblebee.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com



Joining realm failed: RPC failed at server.  did not receive Kerberos credentials
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Expected results:
Should join successfully.

Additional info:
# ipa-client-install -d --domain=lab.eng.pnq.redhat.com --server=bumblebee.lab.eng.pnq.redhat.com --no-ntp --password=Secret123 --principal=admin --mkhomedir --unattended
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': False, 'domain': 'lab.eng.pnq.redhat.com', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': 'bumblebee.lab.eng.pnq.redhat.com', 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': True, 'unattended': True, 'principal': 'admin'}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmphU6DZv/ca.crt http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-09-08 13:29:28--  http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
Resolving bumblebee.lab.eng.pnq.redhat.com... 10.65.201.64
Connecting to bumblebee.lab.eng.pnq.redhat.com|10.65.201.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: “/tmp/tmphU6DZv/ca.crt”

     0K .                                                     100%  190M=0s

2011-09-08 13:29:28 (190 MB/s) - “/tmp/tmphU6DZv/ca.crt” saved [1361/1361]


root        : DEBUG    Init ldap with: ldap://bumblebee.lab.eng.pnq.redhat.com:389
root        : DEBUG    Search rootdse
root        : DEBUG    Search for (info=*) in dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com(base)
root        : DEBUG    Found: [('dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['lab.eng.pnq.redhat.com'], 'dc': ['lab'], 'nisDomain': ['lab.eng.pnq.redhat.com']})]
root        : DEBUG    Search for (objectClass=krbRealmContainer) in dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com(sub)
root        : DEBUG    Found: [('cn=LAB.ENG.PNQ.REDHAT.COM,cn=kerberos,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com', {'krbSubTrees': ['dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com'], 'cn': ['LAB.ENG.PNQ.REDHAT.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
root        : DEBUG    will use domain: lab.eng.pnq.redhat.com

root        : DEBUG    will use server: bumblebee.lab.eng.pnq.redhat.com

DNS domain 'lab.eng.pnq.redhat.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
root        : DEBUG    will use cli_realm: LAB.ENG.PNQ.REDHAT.COM

root        : DEBUG    will use cli_basedn: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

Hostname: mudflap.lab.eng.pnq.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: bumblebee.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com


root        : DEBUG    args=/usr/bin/wget -O /etc/ipa/ca.crt http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-09-08 13:29:28--  http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
Resolving bumblebee.lab.eng.pnq.redhat.com... 10.65.201.64
Connecting to bumblebee.lab.eng.pnq.redhat.com|10.65.201.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: “/etc/ipa/ca.crt”

     0K .                                                     100%  197M=0s

2011-09-08 13:29:28 (197 MB/s) - “/etc/ipa/ca.crt” saved [1361/1361]


root        : DEBUG    Writing Kerberos configuration to /tmp/tmpGrTYGE:
#File modified by ipa-client-install

[libdefaults]
  default_realm = LAB.ENG.PNQ.REDHAT.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  LAB.ENG.PNQ.REDHAT.COM = {
    kdc = bumblebee.lab.eng.pnq.redhat.com:88
    admin_server = bumblebee.lab.eng.pnq.redhat.com:749
    default_domain = lab.eng.pnq.redhat.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .lab.eng.pnq.redhat.com = LAB.ENG.PNQ.REDHAT.COM
  lab.eng.pnq.redhat.com = LAB.ENG.PNQ.REDHAT.COM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }

root        : DEBUG    args=kinit admin@LAB.ENG.PNQ.REDHAT.COM
root        : DEBUG    stdout=Password for admin@LAB.ENG.PNQ.REDHAT.COM: 

root        : DEBUG    stderr=

root        : DEBUG    args=/usr/sbin/ipa-join -s bumblebee.lab.eng.pnq.redhat.com -d
root        : DEBUG    stdout=
root        : DEBUG    stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>mudflap.lab.eng.pnq.redhat.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-193.el6.i686</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>i686</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<fault>\n
<value><struct>\n
<member>\n
<name>faultCode</name>\n
<value><int>1101</int></value>\n
</member>\n
<member>\n
<name>faultString</name>\n
<value><string>did not receive Kerberos credentials</string></value>\n
</member>\n
</struct></value>\n
</fault>\n
</methodResponse>\n

RPC failed at server.  did not receive Kerberos credentials

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>mudflap.lab.eng.pnq.redhat.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-193.el6.i686</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>i686</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<fault>\n
<value><struct>\n
<member>\n
<name>faultCode</name>\n
<value><int>1101</int></value>\n
</member>\n
<member>\n
<name>faultString</name>\n
<value><string>did not receive Kerberos credentials</string></value>\n
</member>\n
</struct></value>\n
</fault>\n
</methodResponse>\n

RPC failed at server.  did not receive Kerberos credentials
root        : DEBUG    args=kdestroy
root        : DEBUG    stdout=
root        : DEBUG    stderr=
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Comment 2 Rob Crittenden 2011-09-08 17:43:06 UTC
The ipa spec does not have the right minimum version of xmlrpc-c set. You need 1.16.24-1200.1840.el6_1.2 or higher.
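
The version comparison behind Comment 2, as an added example that is not part of the original report or of the ipa packaging: a simplified reimplementation of rpm's segment-by-segment ordering (no `~` or `^` handling), applied to the xmlrpc-c package strings quoted in this bug. The function names are illustrative assumptions.

```python
def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm orders them
    (simplified: no '~' or '^' handling). Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything non-alphanumeric) only delimit segments.
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-letter segment, typed by the left side.
        numeric = a[i].isdigit()
        same_type = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and same_type(a[i]):
            i += 1
        while j < len(b) and same_type(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                      # digit vs letter: the numeric one is newer
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1         # the side with segments left over is newer


def meets_minimum(nvra: str, min_version: str, min_release: str) -> bool:
    """True if an 'rpm -q' line (name-version-release.arch) is >= the minimum."""
    nvr, _arch = nvra.rsplit(".", 1)
    _name, version, release = nvr.rsplit("-", 2)
    order = rpmvercmp(version, min_version) or rpmvercmp(release, min_release)
    return order >= 0


# Minimum from Comment 2; the package strings are the ones quoted in this report.
MIN_VERSION, MIN_RELEASE = "1.16.24", "1200.1840.el6_1.2"
if __name__ == "__main__":
    for pkg in ("xmlrpc-c-1.16.24-1200.1840.el6.i686",
                "xmlrpc-c-1.16.24-1200.1840.el6_1.4.x86_64"):
        print(pkg, "OK" if meets_minimum(pkg, MIN_VERSION, MIN_RELEASE) else "TOO OLD")
```

The release `1200.1840.el6` from the failing client sorts below `1200.1840.el6_1.2` because it runs out of segments first, while the `el6_1.4` build from the verification run sorts above it.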

Comment 8 Jenny Severance 2011-09-21 15:42:20 UTC
verified:

ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123 -U --server=ipaqavme.testrelm
Discovery was successful!
Hostname: hp-dl380g6-01.testrelm
Realm: TESTRELM
DNS Domain: testrelm
IPA Server: ipaqavme.testrelm
BaseDN: dc=testrelm



Enrolled in IPA realm TESTRELM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM
Warning: Hostname (hp-dl380g6-01.testrelm) not found in DNS
DNS server record set to: hp-dl380g6-01.testrelm -> 10.16.65.39
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
[root@hp-dl380g6-01 ~]# kinit admin
Password for admin@TESTRELM: 
[root@hp-dl380g6-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM


versions:

curl-7.19.7-26.el6_1.2.x86_64
xmlrpc-c-1.16.24-1200.1840.el6_1.4.x86_64
certmonger-0.46-1.el6.x86_64
ipa-client-2.1.1-3.el6.x86_64

Comment 10 Martin Kosek 2011-11-01 12:23:28 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 11 errata-xmlrpc 2011-12-06 18:31:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

