Bug 984526 - Cannot verify domain server
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 19
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-15 08:44 EDT by Stef Walter
Modified: 2013-07-15 11:36 EDT
Last Closed: 2013-07-15 11:36:19 EDT
Type: Bug
Doc Type: Bug Fix

Description Stef Walter 2013-07-15 08:44:59 EDT
Cannot join IPA domain from Fedora 19 client: Unable to find IPA Server to join:

[stef@stef ~]$ sudo /usr/sbin/ipa-client-install --debug --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
[sudo] password for stef: 
/usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.baseos.qe', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'IPA.BASEOS.QE', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': None, 'prompt_password': True, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=ipa.baseos.qe, servers=None, hostname=stef.thewalter.lan
Search for LDAP SRV record in ipa.baseos.qe
Search DNS for SRV record of _ldap._tcp.ipa.baseos.qe
DNS record found: 0 100 389 server.ipa.baseos.qe.
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.baseos.qe
DNS record found: "IPA.BASEOS.QE"
Search DNS for SRV record of _kerberos._udp.ipa.baseos.qe
DNS record found: 0 100 88 server.ipa.baseos.qe.
[LDAP server check]
Verifying that server.ipa.baseos.qe (realm IPA.BASEOS.QE) is an IPA server
Init LDAP connection to: server.ipa.baseos.qe
Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, kdc=server.ipa.baseos.qe, basedn=None
Validated servers: 
will use discovered domain: ipa.baseos.qe
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[stef@stef ~]$ cat /etc/ldap.conf
SASL_NOCANON on
uri ldap://dc.ipa.thewalter.lan
[stef@stef ~]$ cat ~/.ldaprc 
TLS_CACERT /media/truecrypt1/keys/system-ca-bundle.pem
TLS_CERT /media/truecrypt1/keys/operator-nate.crt
TLS_KEY /media/truecrypt1/keys/operator-nate.key
# SASL_MECH EXTERNAL
# URI ldap://ca.familymembers.com
TLS_REQCERT never

[stef@stef ~]$ yum info freeipa-client
Loaded plugins: auto-update-debuginfo, langpacks, refresh-packagekit
Installed Packages
Name        : freeipa-client
Arch        : x86_64
Version     : 3.2.1
Release     : 1.fc19
Comment 1 Stef Walter 2013-07-15 09:14:38 EDT
Domain information for reproducing available here: https://fedoraproject.org/wiki/Test_Day:2013-05-09_Red_Hat_Test_Bed#FreeIPA:ipa.baseos.qe
Comment 2 Alexander Bokovoy 2013-07-15 09:24:26 EDT
> Init LDAP connection to: server.ipa.baseos.qe
> Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
> Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, 

Stef, it looks like your client machine has some specific setup in /etc/pki/nssdb that doesn't trust the IPA master certificate. Since before install there should be no IPA master certificate there, you haven't seen the problem before. Perhaps this machine had previously been used for setting up an IPA client and then the server was re-installed, causing re-issue of the certificate.

I'm inclined to see this as a misconfiguration.
Comment 3 Stef Walter 2013-07-15 09:44:13 EDT
I have not configured /etc/pki/nssdb to distrust the IPA master certificate. And it seems I should not need to configure explicit trust in advance of joining an IPA domain.

Am I misunderstanding? 

As a double check, I've removed my /etc/pki/nssdb and still get the same failure:

[stef@stef ~]$ sudo mv /etc/pki/nssdb/ /etc/pki/nssdb.bak
[sudo] password for stef: 
[stef@stef ~]$ sudo /usr/sbin/ipa-client-install --debug --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
/usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.baseos.qe', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'IPA.BASEOS.QE', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': None, 'prompt_password': True, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=ipa.baseos.qe, servers=None, hostname=stef.thewalter.lan
Search for LDAP SRV record in ipa.baseos.qe
Search DNS for SRV record of _ldap._tcp.ipa.baseos.qe
DNS record found: 0 100 389 server.ipa.baseos.qe.
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.baseos.qe
DNS record found: "IPA.BASEOS.QE"
Search DNS for SRV record of _kerberos._udp.ipa.baseos.qe
DNS record found: 0 100 88 server.ipa.baseos.qe.
[LDAP server check]
Verifying that server.ipa.baseos.qe (realm IPA.BASEOS.QE) is an IPA server
Init LDAP connection to: server.ipa.baseos.qe
Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, kdc=server.ipa.baseos.qe, basedn=None
Validated servers: 
will use discovered domain: ipa.baseos.qe
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Comment 4 Alexander Bokovoy 2013-07-15 09:51:10 EDT
Is this coming from realmd?

> Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

To me this looks like you are configuring the LDAP client to reject any non-verified certificates; is that how your realmd code is doing it? For sure you wouldn't have a certificate until ipa-client-install fetched it.
Comment 5 Stef Walter 2013-07-15 10:04:42 EDT
Although I initially discovered this problem when running ipa-client-install from within realmd, ... As you can see from the output, I'm now running it directly from a command line prompt.

I've also tried moving my ~/.ldaprc and /etc/ldap.conf files away, to make sure they're not affecting behavior.

[stef@stef ~]$ cat /etc/ldap.conf
cat: /etc/ldap.conf: No such file or directory
[stef@stef ~]$ cat ~/.ldaprc
cat: ~/.ldaprc: No such file or directory

All of this and we still get the error:

[LDAP server check]
Verifying that server.ipa.baseos.qe (realm IPA.BASEOS.QE) is an IPA server
Init LDAP connection to: server.ipa.baseos.qe
Error checking LDAP: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Skip server.ipa.baseos.qe: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.baseos.qe, kdc=server.ipa.baseos.qe, basedn=None

It seems odd that it's trying to connect via TLS to the server, rather than just straight-up LDAP.
Comment 6 Martin Kosek 2013-07-15 11:11:32 EDT
In the LDAP discovery phase, we connect via plain LDAP when there is no /etc/ipa/ca.crt file, which is added during ipa-client-install (after the discovery phase).

Stef, can you please check whether the file exists on your machine, for example from some previous testing of IPA? If so, does ipa-client-install work when you remove it?

This file is already being removed during the uninstall procedure of the IPA client (since 3.2, see https://fedorahosted.org/freeipa/ticket/3537) to avoid this kind of issue.
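The behaviour Martin describes, together with the /etc/pki/nssdb trust hypothesis from Comment 2, suggests a pre-enrolment check a practitioner can run before `ipa-client-install`. The script below is an added example, not code from the bug report or from the FreeIPA project: it reports a leftover /etc/ipa/ca.crt (which flips discovery from plain LDAP to verified TLS), lists the trust flags in the NSS database, and, when a server name is given, verifies the certificate the server presents against the stored CA with OpenSSL. The function names, the use of port 636 (LDAPS) for the live check, and the `--run` switch are my assumptions; the paths /etc/ipa/ca.crt and /etc/pki/nssdb are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report or the FreeIPA project).
# Pre-enrolment check for the failure mode in this bug: ipa-client-install's
# discovery step uses plain LDAP when /etc/ipa/ca.crt is absent, but switches to
# TLS and verifies the server against that file when it exists.  A ca.crt left
# behind by a failed uninstall therefore makes a re-installed server (new CA, new
# certificate) look untrusted (NSS error -8172) and discovery skips it.
#
# Assumptions (mine, not the page's): function names, the --run switch, and
# port 636 (LDAPS) for the live issuer check.

# Report leftover client state under $1 (defaults to /etc/ipa).
# Returns 0 when clean, 1 when a stale CA file is present.
ipa_stale_state() {
    dir="${1:-/etc/ipa}"
    rc=0
    if [ -f "$dir/ca.crt" ]; then
        echo "stale $dir/ca.crt: discovery will use TLS and verify the server against it"
        # Show which CA the stale file trusts; ignore files that are not PEM certs.
        subj=$(openssl x509 -in "$dir/ca.crt" -noout -subject 2>/dev/null) \
            && echo "  trusted CA: $subj"
        rc=1
    fi
    return $rc
}

# List CA trust flags in the NSS database (Comment 2's hypothesis).
# certutil trust flags: C/T = trusted CA, c = valid CA, p = explicitly distrusted.
ipa_list_nssdb() {
    db="${1:-/etc/pki/nssdb}"
    if [ ! -d "$db" ]; then
        echo "no NSS database at $db"
        return 0
    fi
    certutil -d "$db" -L
}

# Verify the certificate $1 presents on LDAPS against CA file $2.
# -verify_return_error makes s_client fail (non-zero) on a verification error.
ipa_check_server_ca() {
    host="$1"; ca="$2"
    if openssl s_client -connect "$host:636" -CAfile "$ca" -verify_return_error \
            </dev/null >/dev/null 2>&1; then
        echo "$host chains to $ca"
        return 0
    fi
    echo "$host does NOT chain to $ca (server re-installed with a new CA, or wrong file)"
    return 1
}

main() {
    ipa_stale_state /etc/ipa \
        || echo "hint: remove it (ipa-client-install --uninstall, or rm) and re-run the join"
    ipa_list_nssdb /etc/pki/nssdb
    if [ -n "${1:-}" ] && [ -f /etc/ipa/ca.crt ]; then
        ipa_check_server_ca "$1" /etc/ipa/ca.crt
    fi
}

# Usage: sh ipa-preflight.sh --run [server.example.test]
if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
fi
```

Run it as root before joining; a non-zero return from `ipa_stale_state` is exactly the situation Comment 7 confirms, and the live check distinguishes "stale CA from a re-installed server" from "correct CA, other TLS problem".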
Comment 7 Stef Walter 2013-07-15 11:36:19 EDT
The file /etc/ipa/ca.crt is present. I guess I last left an IPA domain before the above upstream bug was fixed. 

It looks like the previous ipa-client-uninstall --unattended failed for some reason.
Comment 8 Stef Walter 2013-07-15 11:36:37 EDT
The file /etc/ipa/ca.crt is present. I guess I last left an IPA domain before the above upstream bug was fixed. Thanks for the help.