Hundreds of clients have been joined earlier, never such an issue. What could have happened? Please advise.
Client debug - nothing suspicious until:
2018-02-02T10:07:47Z DEBUG args=/usr/sbin/ipa-join -s <arguments>
2018-02-02T10:07:50Z DEBUG Process finished, return code=17
2018-02-02T10:07:50Z DEBUG stdout=
2018-02-02T10:07:50Z DEBUG stderr=No permission to join this host to the IPA domain.
Server debug, not sure if related to the above error:
[Fri Feb 02 02:07:48.515408 2018] [auth_gssapi:error] [pid 28668] [client <ip>:52140] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.host/ipa/xml
SELinux is disabled on the client side. Server version 4.5.0.
I'm using -p admin to join clients. Therefore permissions are full.
Any ideas please.
Maybe a firewall on the client host? I would look at the allowed ports and the traffic exchange.
Checked TCP 80, 443, 389, 88, 636, 464: all open except tcp/7389, which is not used, I suppose. As I understand, it is unable to download https://ipahost/ipa/xml. Any way to check manually?
I think you should launch tcpdump on all specified ports and simultaneously run ipa-client enroll.
It looks like the issue is on the server side; tested from a VM in the same subnet without a firewall. Tried different enroll users.
Check the 389-ds access logs. IIRC this happens when the user does not have permission to add or modify hosts (which obviously shouldn't happen with admin but you'd need to look at the user to know what it can do).
rob
Created a user with the maximum possible permissions, still 'No permission to join this host to the IPA domain'. Need more ideas, the problem doesn't fix itself :(
This isn't enough information to be helpful. I need to know exactly what permissions the user has.
And seeing the 389-ds access logs around the enrollment time would be handy as well.
rob
Thank you for reply, Rob.
I'm afraid it doesn't even get to the 389-ds layer; at least there are no log entries at the moment of failure, neither access nor error. The only error I'm getting on the server side is
[Tue Feb 06 02:35:30.637409 2018] [auth_gssapi:error] [pid 24222] [client 10.23.2.84:48966] NO AUTH DATA Client did not send any authentication headers, referer: https://ipaserver/ipa/xml
during the ipa-join attempt from client side.
However, I've got some hint: I've managed to join this client by running ipa-join locally on the IPA server after kinit admin (same user used for ipa-client-install). Does it mean anything? Like some relevant entry missing from LDAP which is responsible for remote hosts' rights to join?
This is also a manual ipa-join attempt from the client (kinit admin was done as well):
XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
 <methodName>join</methodName>
 <params>
  <param><value><array><data>
   <value><string>client fqdn</string></value>
  </data></array></value></param>
  <param><value><struct>
   <member><name>nsosversion</name>
    <value><string>3.10.0-693.17.1.el7.x86_64</string></value></member>
   <member><name>nshardwareplatform</name>
    <value><string>x86_64</string></value></member>
  </struct></value></param>
 </params>
</methodCall>
XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>
<methodResponse>
 <fault>
  <value><struct>
   <member>
    <name>faultCode</name>
    <value><int>2100</int></value>
   </member>
   <member>
    <name>faultString</name>
    <value><string>Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)</string></value>
   </member>
  </struct></value>
 </fault>
</methodResponse>
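Added triage helper, not from the thread or from FreeIPA itself: it correlates the three artefacts posted above (the ipa-client-install debug lines, the httpd auth_gssapi error line and the XML-RPC fault) into a short list of findings. Hostnames and IPs in the sample inputs are constructed placeholders; the decoding of the fault relies only on the standard library's xmlrpc.client, which raises Fault for a <fault> response.

```python
import re
import xmlrpc.client

# Constructed sample inputs modelled on the thread (hostnames/IPs are placeholders).
CLIENT_DEBUG = """2018-02-02T10:07:47Z DEBUG args=/usr/sbin/ipa-join -s ipa.example.test
2018-02-02T10:07:50Z DEBUG Process finished, return code=17
2018-02-02T10:07:50Z DEBUG stdout=
2018-02-02T10:07:50Z DEBUG stderr=No permission to join this host to the IPA domain."""
HTTPD_ERROR = ("[Fri Feb 02 02:07:48.515408 2018] [auth_gssapi:error] [pid 28668] "
               "[client 10.0.0.5:52140] NO AUTH DATA Client did not send any "
               "authentication headers, referer: https://ipa.example.test/ipa/xml")
XMLRPC_FAULT = """<?xml version='1.0' encoding='UTF-8'?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>2100</int></value></member>
<member><name>faultString</name><value><string>Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)</string></value></member>
</struct></value></fault></methodResponse>"""

def parse_client_debug(text):
    """Pull ipa-join's return code and stderr out of the client debug lines."""
    rc = re.search(r"Process finished, return code=(\d+)", text)
    err = re.search(r"DEBUG stderr=(.*)", text)
    return {"return_code": int(rc.group(1)) if rc else None,
            "stderr": err.group(1).strip() if err else ""}

def parse_fault(xml_text):
    """Decode an XML-RPC fault; returns (None, None) for a non-fault response."""
    try:
        xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault as f:
        return f.faultCode, f.faultString
    return None, None

def triage(client_debug, httpd_error, fault_xml):
    """Correlate the three artefacts into a list of findings."""
    findings = []
    join = parse_client_debug(client_debug)
    code, msg = parse_fault(fault_xml)
    if join["return_code"] == 17 and "No permission to join" in join["stderr"]:
        findings.append("client: ipa-join rc=17, the server refused the join as a permission error")
    if code == 2100:
        findings.append("server: faultCode 2100 ('Insufficient access') returned by the join method")
    if msg and "Credential cache is empty" in msg:
        # The GSSAPI error is raised on the LDAP client side of the join handler's SASL bind,
        # so no bind reaches 389-ds; this matches the empty access/error logs reported above.
        findings.append("server: SASL/GSSAPI bind for 'join' had no credential cache; "
                        "check the IPA server's own ccache/keytab, not the enrolling user's ACIs")
    if "NO AUTH DATA" in httpd_error:
        findings.append("httpd: a request arrived without an Authorization header; "
                        "by itself this line does not identify the cause")
    return findings
```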