freeipa team mailing list archive

Thread
Date
[Bug 997990] Re: fail joining to a freeipa server with ipa-client-install

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: pasqual milvaques <pasqual.milvaques@xxxxxxxxx>
Date: Fri, 11 May 2012 13:01:46 -0000
Reply-to: Bug 997990 <997990@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
the problem could be also reproduced with the gnutls-cli command. it seeems that's launching the handshake in an incompatible manner with the server.
the same comman from a centos box works (2.8.5 version of gnutls-cli). in the ubuntu box is version 2.12.14

root@ubuntuprovesfreeipa:/etc/ldap# gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es
Resolving 'freeipaserver.linux.gva.es'...
Connecting to '192.168.222.99:636'...
|<4>| REC[0x9b5bf68]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x9b5bf68]: Allocating epoch #1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x9b5bf68]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x9b5bf68]: Sending extension SERVER NAME (31 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x9b5bf68]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x9b5bf68]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x9b5bf68]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9b5bf68]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9b5bf68]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9b5bf68]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9b5bf68]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9b5bf68]: Epoch #0 freed
|<4>| REC[0x9b5bf68]: Epoch #1 freed
root@ubuntuprovesfreeipa:/etc/ldap#

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/997990

Title:
  fail joining to a freeipa server with ipa-client-install

Status in “freeipa” package in Ubuntu:
  New

Bug description:
  I try to join a freeipa domain and it seems there is some problem with the tls negotiacion. this is the log:
  pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
  [sudo] password for pasqual: 
  root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
  root        : DEBUG    missing options might be asked for interactively later

  root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
  root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  root        : DEBUG    [ipadnssearchldap(linux.gva.es)]
  root        : DEBUG    [ipadnssearchldap(gva.es)]
  root        : DEBUG    [ipadnssearchldap(es)]
  root        : DEBUG    [ipadnssearchldap(linux.gva.es)]
  root        : DEBUG    [ipadnssearchldap(gva.es)]
  root        : DEBUG    [ipadnssearchldap(es)]
  root        : DEBUG    Domain not found
  DNS discovery failed to determine your DNS domain
  Provide the domain name of your IPA server (ex: example.com): linux.gva.es
  root        : DEBUG    will use domain: linux.gva.es

  root        : DEBUG    [ipadnssearchldap]
  root        : DEBUG    IPA Server not found
  DNS discovery failed to find the IPA Server
  Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
  root        : DEBUG    will use server: freeipaserver.linux.gva.es

  root        : DEBUG    [ipadnssearchkrb]
  root        : DEBUG    [ipacheckldap]
  root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
  root        : DEBUG    stdout=
  root        : DEBUG    stderr=--2012-05-11 12:06:09--  http://freeipaserver.linux.gva.es/ipa/config/ca.crt
  Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99
  S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
  HTTP: Petició enviada, esperant resposta... 200 OK
  Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
  S'està desant a: «/tmp/tmpWptXwb/ca.crt»

       0K .                                                     100%
  38.4M=0s

  2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt»
  [1325/1325]

  
  root        : DEBUG    Init ldap with: ldap://freeipaserver.linux.gva.es:389
  root        : ERROR    LDAP Error: Connect error: A TLS packet with unexpected length was received.
  Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
  This may mean that the remote server is not up or is not reachable
  due to network or firewall settings.
  Installation failed. Rolling back changes.
  IPA client is not configured on this system.
  pasqual@ubuntuprovesfreeipa:~$

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: freeipa-client 2.1.4-0ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-24.37-generic-pae 3.2.14
  Uname: Linux 3.2.0-24-generic-pae i686
  ApportVersion: 2.0.1-0ubuntu7
  Architecture: i386
  Date: Fri May 11 12:07:16 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990/+subscriptions
References

[Bug 997990] [NEW] fail joining to a freeipa server with ipa-client-install
From: pasqual milvaques, 2012-05-11