Bug 1108230

Summary: Should not display ports to open when password is incorrect during ipa-client-install.
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: rcritten, xdong
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:12:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Kosek 2014-06-11 14:58:19 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3573

{{{
[root@dhcp201-120 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: dhcp201-120.englab.pnq.redhat.com
Realm: ENGLAB.PNQ.REDHAT.COM
DNS Domain: englab.pnq.redhat.com
IPA Server: dhcp201-146.englab.pnq.redhat.com
BaseDN: dc=englab,dc=pnq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.REDHAT.COM: 
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@dhcp201-120 ~]# 
}}}

Should not display the ports to open when the installation failure is because of kerberos password incorrect.
Comment 1 Martin Kosek 2014-06-11 15:23:22 UTC 
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Comment 3 Xiyang Dong 2015-01-05 18:37:12 UTC 
Still reproducible on ipa-client-4.1.0-13.el7.x86_64:

[root@qe-blade-05 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl380pgen8-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin: 
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.



Looking at the upstream patch https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=f67268db6855738350481491119b9be29ba1f22d
Still see print_port_conf_info() when returncode != 0.
Comment 4 Martin Kosek 2015-01-06 13:13:34 UTC 
This is the right patch. But the fix agreed to upstream was to avoid parsing error message to decide on whether to print the actual kerberos error message -*after* the port information to make it clearer to the user.

Details here:
https://fedorahosted.org/freeipa/ticket/3573#comment:7

I see in Comment 3 that the message was properly moved, so I am moving the bug back to ON_QA.
Comment 5 Xiyang Dong 2015-01-06 14:41:11 UTC 
Sorry I had an misunderstanding. 

Verified on ipa-client-4.1.0-13.el7.x86_64:

[root@qe-blade-05 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl380pgen8-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin: 
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.
Comment 7 errata-xmlrpc 2015-03-05 10:12:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html