#3512 ipa-client-install cannot obtain CA certificate
Closed: Fixed. Opened 11 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 920716

Description of problem:

Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.


Version-Release number of selected component (if applicable):

Installed Packages
freeipa-client.x86_64                   3.1.2-1.fc18
@updates
freeipa-python.x86_64                   3.1.2-1.fc18
@updates


How reproducible: Consistent


Steps to Reproduce:

1. Build a new virtual machine with dynamic IP address assignment

2. yum install --assumeyes freeipa-client

3. ipa-client-install


Actual results:

[root@fedora18 ~]#   ipa-client-install \
>     --domain=hunter.org \
>     --enable-dns-updates \
>     --force-ntp \
>     --password=adminpassword \
>     --principal=admin \
>     --realm=HUNTER.ORG \
>     --ssh-trust-dns \
>     --unattended
Discovery was successful!
Hostname: fedora18.hunter.org
Realm: HUNTER.ORG
DNS Domain: hunter.org
IPA Server: ipa.hunter.org
BaseDN: dc=hunter,dc=org

Synchronizing time with KDC...
Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@fedora18 ~]#

Expected results:

I expected successful completion of the IPA client.


Additional info: /var/log/ipaclient-install.log

2013-03-12T14:16:01Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': 'hunter.org', 'force': False, 'krb5_offline_passwords':
True, 'primary': False, 'realm_name': 'HUNTER.ORG', 'force_ntpd': True,
'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True,
'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname':
None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True,
'dns_updates': True, 'mkhomedir': False, 'conf_ssh': True, 'server': None,
'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd':
False, 'uninstall': False}
2013-03-12T14:16:01Z DEBUG missing options might be asked for interactively
later
2013-03-12T14:16:01Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-03-12T14:16:01Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-03-12T14:16:01Z DEBUG [IPA Discovery]
2013-03-12T14:16:01Z DEBUG Starting IPA discovery with domain=hunter.org,
server=None, hostname=fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Search for LDAP SRV record in hunter.org
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [Kerberos realm search]
2013-03-12T14:16:01Z DEBUG Search DNS for TXT record of _kerberos.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: "HUNTER.ORG"
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of
_kerberos._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 88 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG [LDAP server check]
2013-03-12T14:16:01Z DEBUG Verifying that ipa.hunter.org (realm HUNTER.ORG) is
an IPA server
2013-03-12T14:16:01Z DEBUG Init LDAP connection with: ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Search LDAP server for IPA base DN
2013-03-12T14:16:01Z DEBUG Check if naming context 'dc=hunter,dc=org' is for
IPA
2013-03-12T14:16:01Z DEBUG Naming context 'dc=hunter,dc=org' is a valid IPA
context
2013-03-12T14:16:01Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=hunter,dc=org (sub)
2013-03-12T14:16:01Z DEBUG Found: cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG Discovery result: Success; server=ipa.hunter.org,
domain=hunter.org, kdc=ipa.hunter.org, basedn=dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG will use discovered domain: hunter.org
2013-03-12T14:16:01Z DEBUG Start searching for LDAP SRV record in "hunter.org"
(Validating DNS Discovery) and its sub-domains
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ldap._tcp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 389 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG DNS validated, enabling discovery
2013-03-12T14:16:01Z DEBUG will use discovered server: ipa.hunter.org
2013-03-12T14:16:01Z INFO Discovery was successful!
2013-03-12T14:16:01Z DEBUG will use discovered realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG will use discovered basedn: dc=hunter,dc=org
2013-03-12T14:16:01Z INFO Hostname: fedora18.hunter.org
2013-03-12T14:16:01Z DEBUG Hostname source: Machine's FQDN
2013-03-12T14:16:01Z INFO Realm: HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Realm source: Discovered from LDAP DNS records in
ipa.hunter.org
2013-03-12T14:16:01Z INFO DNS Domain: hunter.org
2013-03-12T14:16:01Z DEBUG DNS Domain source: Discovered LDAP SRV records from
hunter.org
2013-03-12T14:16:01Z INFO IPA Server: ipa.hunter.org
2013-03-12T14:16:01Z DEBUG IPA Server source: Discovered from LDAP DNS records
in ipa.hunter.org
2013-03-12T14:16:01Z INFO BaseDN: dc=hunter,dc=org
2013-03-12T14:16:01Z DEBUG BaseDN source: From IPA server
ldap://ipa.hunter.org:389
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r
HUNTER.ORG
2013-03-12T14:16:01Z DEBUG Process finished, return code=3
2013-03-12T14:16:01Z DEBUG stdout=
2013-03-12T14:16:01Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No
such file or directory

2013-03-12T14:16:01Z INFO Synchronizing time with KDC...
2013-03-12T14:16:01Z DEBUG Search DNS for SRV record of _ntp._udp.hunter.org
2013-03-12T14:16:01Z DEBUG DNS record found: 0 100 123 ipa.hunter.org.
2013-03-12T14:16:01Z DEBUG Starting external process
2013-03-12T14:16:01Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v
ipa.hunter.org
2013-03-12T14:16:08Z DEBUG Process finished, return code=0
2013-03-12T14:16:08Z DEBUG stdout=
2013-03-12T14:16:08Z DEBUG stderr=
2013-03-12T14:16:08Z DEBUG Writing Kerberos configuration to /tmp/tmpGow23H:
2013-03-12T14:16:08Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = HUNTER.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  HUNTER.ORG = {
    kdc = ipa.hunter.org:88
    master_kdc = ipa.hunter.org:88
    admin_server = ipa.hunter.org:749
    default_domain = hunter.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .hunter.org = HUNTER.ORG
  hunter.org = HUNTER.ORG

2013-03-12T14:16:08Z DEBUG Starting external process
2013-03-12T14:16:08Z DEBUG args=kinit admin@HUNTER.ORG
2013-03-12T14:16:09Z DEBUG Process finished, return code=0
2013-03-12T14:16:09Z DEBUG stdout=Password for admin@HUNTER.ORG:

2013-03-12T14:16:09Z DEBUG stderr=
2013-03-12T14:16:09Z DEBUG trying to retrieve CA cert via LDAP from
ldap://ipa.hunter.org
2013-03-12T14:16:09Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
more information (Credentials cache file
'/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)
2013-03-12T14:16:09Z DEBUG {'info': "SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Credentials
cache file '/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not
found)", 'desc': 'Local error'}
2013-03-12T14:16:09Z ERROR Cannot obtain CA certificate
'ldap://ipa.hunter.org' doesn't have a certificate.
2013-03-12T14:16:09Z ERROR Installation failed. Rolling back changes.
2013-03-12T14:16:09Z ERROR IPA client is not configured on this system.

The fix will be needed in ipa-3-1/Fedora 18 to avoid client install issues.

Patch freeipa-mkosek-389-improve-client-install-ldap-cert-retrieval-fallback.patch sent for review

master:
1336b39 Improve client install LDAP cert retrieval fallback
6540eff Use temporary CCACHE in ipa-client-install

ipa-3-1:
fdfcd2c Improve client install LDAP cert retrieval fallback
07755e8 Use temporary CCACHE in ipa-client-install
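The log above shows the mechanism behind the failure: kinit succeeded, but the GSSAPI bind used for the LDAP CA-cert retrieval resolved a different credentials cache (the per-user '/run/user/0/krb5cc_.../tkt' path) and found nothing there. The following is an added example, not FreeIPA's code or the patch listed above: it recognises that specific error in the dict python-ldap raised, and it shows the "temporary CCACHE" approach of pinning KRB5CCNAME to one private FILE: cache for kinit and the bind alike. The CA-cert entry location cn=CAcert,cn=ipa,cn=etc,<basedn> and the use of ldapsearch are assumptions not taken from the page.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample: the python-ldap error dict as recorded in the log above.
SAMPLE_LDAP_ERROR = {
    "info": "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  "
            "Minor code may provide more information (Credentials cache file "
            "'/run/user/0/krb5cc_c7425795554d90f87ddd1bf2513f37ab/tkt' not found)",
    "desc": "Local error",
}

CCACHE_MISSING_RE = re.compile(r"Credentials cache file '([^']+)' not found")


def missing_ccache(ldap_error):
    """Return the ccache path a failed SASL/GSSAPI bind looked for, or None.

    A match means the bind never reached the server: the tickets kinit obtained
    went into a different cache than the one the LDAP library resolved, which is
    the failure in this ticket. Any other error (server down, no such entry,
    access denied) returns None and should be handled on its own terms.
    """
    m = CCACHE_MISSING_RE.search(ldap_error.get("info", ""))
    return m.group(1) if m else None


def private_ccache_env(base_env=None):
    """Build an environment that pins KRB5CCNAME to a fresh FILE: ccache.

    Every process started with this env (kinit, ldapsearch, a GSSAPI bind in
    the installer itself) resolves the same cache, so the mismatch cannot occur.
    mkstemp creates the file mode 0600, owned by the caller, so the tickets are
    not readable by other users while the install runs.
    """
    fd, path = tempfile.mkstemp(prefix="krb5cc_ipa_client_")
    os.close(fd)
    env = dict(base_env if base_env is not None else os.environ)
    env["KRB5CCNAME"] = "FILE:" + path
    return env, path


def kinit_and_fetch_ca(principal, password, server, basedn, env):
    """kinit into the private ccache, then bind with GSSAPI using the same env.

    Assumed (not from the page): the CA cert lives in cn=CAcert,cn=ipa,cn=etc.
    kinit reads the password from stdin, as ipa-client-install does in the log.
    """
    subprocess.run(["kinit", principal], input=password + "\n", text=True,
                   env=env, check=True)
    return subprocess.run(
        ["ldapsearch", "-Y", "GSSAPI", "-H", "ldap://" + server, "-b",
         "cn=CAcert,cn=ipa,cn=etc," + basedn, "cACertificate;binary"],
        env=env, capture_output=True, text=True, check=True).stdout
```

Delete the temporary cache file once the install finishes or rolls back, so the admin ticket does not outlive the run.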

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/03

7 years ago
