#9116 "No valid Negotiate header in server response" error when registering client to IPA
Closed: wontfix 2 years ago by abbra. Opened 2 years ago by tehaml7a.

Issue

We have 3 IPA servers that are fully synced up. When registering a client via the command 'ipa-client-install -N --mkhomedir', it fails on one IPA server but works on the other 2. The error message we're getting is: "No valid Negotiate header in server response The ipa-client-install command failed."

Steps to Reproduce

  1. On the client, run 'ipa-client-install -N --mkhomedir'
  2. Fill in the details at the prompt, i.e. domain, IPA server, IPA user and password

Actual behavior

Client fails to register

Expected behavior

Client will successfully register

Version/Release/Distribution

ipa-server-4.6.8-5.el7.centos.10.x86_64
ipa-client-4.6.8-5.el7.centos.10.x86_64
389-ds-base-1.3.10.2-14.el7_9.x86_64
pki-ca-10.5.18-19.el7_9.noarch
krb5-server-1.15.1-51.el7_9.x86_64

Additional info:

Registration seems to be working when we use ipa-client-command with additional parameters:
ipa-client-install --hostname=hostname -f --mkhomedir --domain <domain> --no-ntp -v


The FreeIPA issue tracker is not a support service. Please use the freeipa-users@ mailing list for community support. The issue tracker is used to track defects that need fixes in upstream code. Since upstream no longer supports the FreeIPA 4.6 version directly, it makes no sense to open tickets related to possible misconfiguration here.

I would recommend you to read through this thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/PVRGGNYXLSQGSS7XQQFO7MBEFQETZA6D/

While the specific configuration there reflects RHEL8, the only difference is the use of a ccache sweeper and a particular mod_auth_gssapi configuration setting that I mention there in my response. If you have an error message with 'No valid Negotiate header in server response', it is most likely related to the issues with access controls of the backing files/directories as explained in the thread.

Metadata Update from @abbra:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

2 years ago
