freeipa team mailing list archive: Message #00075
[Bug 997990] Re: fail joining to a freeipa server with ipa-client-install
The problem could also be reproduced with the gnutls-cli command. It seems that it's launching the handshake in a manner incompatible with the server.
The same command from a CentOS box works (version 2.8.5 of gnutls-cli). On the Ubuntu box the version is 2.12.14.
root@ubuntuprovesfreeipa:/etc/ldap# gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es
Resolving 'freeipaserver.linux.gva.es'...
Connecting to '192.168.222.99:636'...
|<4>| REC[0x9b5bf68]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x9b5bf68]: Allocating epoch #1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x9b5bf68]: Sending extension SERVER NAME (31 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x9b5bf68]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x9b5bf68]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9b5bf68]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9b5bf68]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9b5bf68]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9b5bf68]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9b5bf68]: Epoch #0 freed
|<4>| REC[0x9b5bf68]: Epoch #1 freed
root@ubuntuprovesfreeipa:/etc/ldap#
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/997990
Title:
fail joining to a freeipa server with ipa-client-install
Status in “freeipa” package in Ubuntu:
New
Bug description:
I try to join a FreeIPA domain and it seems there is some problem with the TLS negotiation. This is the log:
pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
[sudo] password for pasqual:
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): linux.gva.es
root : DEBUG will use domain: linux.gva.es
root : DEBUG [ipadnssearchldap]
root : DEBUG IPA Server not found
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
root : DEBUG will use server: freeipaserver.linux.gva.es
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2012-05-11 12:06:09-- http://freeipaserver.linux.gva.es/ipa/config/ca.crt
Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99
S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
HTTP: Petició enviada, esperant resposta... 200 OK
Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
S'està desant a: «/tmp/tmpWptXwb/ca.crt»
0K . 100%
38.4M=0s
2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt»
[1325/1325]
root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
pasqual@ubuntuprovesfreeipa:~$
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: freeipa-client 2.1.4-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic-pae 3.2.14
Uname: Linux 3.2.0-24-generic-pae i686
ApportVersion: 2.0.1-0ubuntu7
Architecture: i386
Date: Fri May 11 12:07:16 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990/+subscriptions
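Added example (not part of the original bug report, and not GnuTLS or FreeIPA code): a small Python parser for `gnutls-cli -d 4` debug output in the format shown in the message above, summarizing what the client offered and where the handshake stopped. The sample log is a constructed, shortened excerpt, and the function name `summarize` is hypothetical.

```python
import re

# Constructed sample: shortened excerpt in the format of the gnutls-cli -d 4 log.
SAMPLE_LOG = """\
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x9b5bf68]: Sending extension SERVER NAME (31 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x9b5bf68]: CLIENT HELLO was sent [151 bytes]
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
*** Handshake has failed
"""

SUITE = re.compile(r"Keeping ciphersuite: (\S+)")
EXT = re.compile(r"Sending extension (.+?) \((\d+) bytes\)")
HELLO = re.compile(r"CLIENT HELLO was sent \[(\d+) bytes\]")
ASSERT = re.compile(r"ASSERT: (\S+):(\d+)")
FATAL = re.compile(r"\*\*\* Fatal error: (.+)")
ALERT = re.compile(r"Sending Alert\[(\d+)\|(\d+)\] - (.+)")

def summarize(log_text):
    """Return what the client offered and where the handshake stopped."""
    s = {"suites": [], "extensions": {}, "client_hello_bytes": None,
         "last_assert": None, "fatal": None, "alert": None,
         "failed_after_client_hello": False}
    for line in log_text.splitlines():
        if m := SUITE.search(line):
            s["suites"].append(m.group(1))
        elif m := EXT.search(line):
            s["extensions"][m.group(1)] = int(m.group(2))
        elif m := HELLO.search(line):
            s["client_hello_bytes"] = int(m.group(1))
        elif (m := ASSERT.search(line)) and s["fatal"] is None:
            s["last_assert"] = (m.group(1), int(m.group(2)))  # source file, line
        elif (m := FATAL.search(line)) and s["fatal"] is None:
            s["fatal"] = m.group(1).strip()
            # True when the first fatal error follows a logged ClientHello
            s["failed_after_client_hello"] = s["client_hello_bytes"] is not None
        elif m := ALERT.search(line):
            s["alert"] = {"level": int(m.group(1)), "code": int(m.group(2)),
                          "name": m.group(3).strip()}
    return s

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running the same function over the logs captured on a working and a failing client gives two summaries that can be compared field by field.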