Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 920716
Description of problem:
Cannot obtain CA certificate 'ldap://ipa.hunter.org' doesn't have a certificate.

Version-Release number of selected component (if applicable):
Installed Packages
freeipa-client.x86_64 3.1.2-1.fc18 @updates
freeipa-python.x86_64 3.1.2-1.fc18 @updates

How reproducible:
Consistent

Steps to Reproduce:
1. Build a new virtual machine with dynamic IP address assignment
2. yum install --assumeyes freeipa-client
3. ipa-client-install

Actual results:
[root@fedora18 ~]# ipa-client-install \
> --domain=hunter.org \
> --enable-dns-updates \
> --force-ntp \
> --password=adminpassword \
> --principal=admin \
> --realm=HUNTER.ORG \
> --ssh-trust-dns \
> --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org
Synchronizing time with KDC...
Cannot obtain CA certificate 'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@fedora18 ~]#

Expected results:
I expected successful completion of the IPA client.

Additional info:
/var/log/ipaclient-install.log

2013-03-12T14:16:01Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True, 'dns_updates': True, 'mkhomedir': False, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-03-12T14:16:01Z DEBUG missing options might be asked for interactively later
2013-03-12T14:16:01Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-03-12T14:16:01Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-03-12T14:16:01Z DEBUG [IPA Discovery]
2013-03-12T14:16:01Z DEBUG Starting IPA discovery with domain=hunter.org, server=None, hostname=fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Search for LDAP SRV record in hunter.org
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [Kerberos realm search]
2013-03-12T14:16:01Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: "HUNTER.ORG"
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _kerberos._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [LDAP server check]
2013-03-12T14:16:01Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is an IPA server
2013-03-12T14:16:01Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Search LDAP server for IPA base DN
2013-03-12T14:16:01Z DEBUG Check if naming context 'dc=hunter,dc=org' is for IPA
2013-03-12T14:16:01Z DEBUG Naming context 'dc=hunter,dc=org' is a valid IPA context
2013-03-12T14:16:01Z DEBUG Search for (objectClass=krbRealmContainer) in dc=hunter,dc=org (sub)
2013-03-12T14:16:01Z DEBUG Found: cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG Discovery result: Success; server=ipa.hunter.org, domain=hunter.org, kdc=ipa.hunter.org, basedn=dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG will use discovered domain: hunter.org
2013-03-12T14:16:01Z DEBUG Start searching for LDAP SRV record in "hunter.org" (Validating DNS Discovery) and its sub-domains
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG DNS validated, enabling discovery
2013-03-12T14:16:01Z DEBUG will use discovered server: ipa.hunter.org
2013-03-12T14:16:01Z INFO Discovery was successful!
2013-03-12T14:16:01Z DEBUG will use discovered realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG will use discovered basedn: dc=hunter,dc=org
2013-03-12T14:16:01Z INFO Hostname: fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Hostname source: Machine's FQDN
2013-03-12T14:16:01Z INFO Realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.hunter.org
2013-03-12T14:16:01Z INFO DNS Domain: hunter.org
2013-03-12T14:16:01Z DEBUG DNS Domain source: Discovered LDAP SRV records from hunter.org
2013-03-12T14:16:01Z INFO IPA Server: ipa.hunter.org
2013-03-12T14:16:01Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipa.hunter.org
2013-03-12T14:16:01Z INFO BaseDN: dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG BaseDN source: From IPA server ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Process finished, return code=3
2013-03-12T14:16:01Z DEBUG stdout=
2013-03-12T14:16:01Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2013-03-12T14:16:01Z INFO Synchronizing time with KDC...
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ntp._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 123 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-03-12T14:16:08Z DEBUG Process finished, return code=0
2013-03-12T14:16:08Z DEBUG stdout=
2013-03-12T14:16:08Z DEBUG stderr=
2013-03-12T14:16:08Z DEBUG Writing Kerberos configuration to /tmp/tmpGow23H:
2013-03-12T14:16:08Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HUNTER.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  HUNTER.ORG = {
    kdc = ipa.hunter.org:88
    master_kdc = ipa.hunter.org:88
    admin_server = ipa.hunter.org:749
    default_domain = hunter.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .hunter.org = HUNTER.ORG
  hunter.org = HUNTER.ORG

2013-03-12T14:16:08Z DEBUG Starting external process
2013-03-12T14:16:08Z DEBUG args=kinit admin@HUNTER.ORG
2013-03-12T14:16:09Z DEBUG Process finished, return code=0
2013-03-12T14:16:09Z DEBUG stdout=Password for admin@HUNTER.ORG:
2013-03-12T14:16:09Z DEBUG stderr=
2013-03-12T14:16:09Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.hunter.org
2013-03-12T14:16:09Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)
2013-03-12T14:16:09Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)", 'desc': 'Local error'}
2013-03-12T14:16:09Z ERROR Cannot obtain CA certificate 'ldap://ipa.hunter.org' doesn't have a certificate.
2013-03-12T14:16:09Z ERROR Installation failed. Rolling back changes.
2013-03-12T14:16:09Z ERROR IPA client is not configured on this system.
The fix will be needed in ipa-3-1/Fedora 18 to avoid client install issues.
ipa-3-1
attachment freeipa-mkosek-389-improve-client-install-ldap-cert-retrieval-fallback.patch
Patch freeipa-mkosek-389-improve-client-install-ldap-cert-retrieval-fallback.patch sent for review
attachment freeipa-mkosek-388-use-temporary-ccache-in-ipa-client-install.patch
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=924004
master:
1336b39 Improve client install LDAP cert retrieval fallback
6540eff Use temporary CCACHE in ipa-client-install

ipa-3-1:
fdfcd2c Improve client install LDAP cert retrieval fallback
07755e8 Use temporary CCACHE in ipa-client-install
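The log above shows the root of the failure: the kinit child returned 0, yet the installer's own GSSAPI bind to LDAP looked for a credentials cache under /run/user/0/ that did not exist, so the CA certificate could never be fetched. The second commit's subject names the remedy, a temporary credential cache owned by the installer. The Python below is an added illustration of that pattern, not FreeIPA's patch: it exports KRB5CCNAME as a FILE: cache in a private temporary directory before spawning kinit, so libgssapi loaded in the same process resolves the cache kinit populated, and it recognises the "Credentials cache file ... not found" text from the log as the signal for the retrieval fallback rather than as a server-side error. TempCcache, kinit and is_ccache_mismatch are names chosen here.

```python
import os
import re
import shutil
import subprocess
import tempfile

# GSSAPI minor-status text from the ticket's log: the LDAP SASL bind looked in
# a different credential cache than the one the kinit child had populated.
_CCACHE_MISSING = re.compile(r"Credentials cache file '([^']+)' not found")

def is_ccache_mismatch(error_text):
    """Return the missing ccache path when error_text shows the mismatch from
    the ticket (the signal to fall back rather than blame the LDAP server)."""
    m = _CCACHE_MISSING.search(error_text or "")
    return m.group(1) if m else None

class TempCcache:
    """Private FILE: credential cache exported through KRB5CCNAME for the
    lifetime of the with-block and deleted, TGT included, on exit."""

    def __enter__(self):
        self.dir = tempfile.mkdtemp(prefix="ipa-client-install-")  # mode 0700
        self.path = os.path.join(self.dir, "ccache")
        self._saved = os.environ.get("KRB5CCNAME")
        # Set in os.environ, not only in a child's env: libgssapi loaded by
        # python-ldap in *this* process must resolve the same cache as kinit.
        os.environ["KRB5CCNAME"] = "FILE:" + self.path
        return self

    def __exit__(self, *exc):
        if self._saved is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = self._saved
        shutil.rmtree(self.dir, ignore_errors=True)
        return False

    def active(self):
        return os.environ.get("KRB5CCNAME") == "FILE:" + self.path

    def removed(self):
        return not os.path.isdir(self.dir)

def kinit(principal, password):
    """Obtain a TGT into the cache named by KRB5CCNAME (inherited by the
    child); returns (returncode, stderr) the way ipa-client-install logs it."""
    proc = subprocess.run(["kinit", principal], input=password + "\n",
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr
```

Wrap the kinit call and the subsequent LDAP bind in one `with TempCcache():` block so both see the same cache and nothing is left behind under /run/user or /tmp when the installer exits.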
Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/03