Bug 1132261
| Field | Value |
|---|---|
| Summary | ipa-client-install failing produces a traceback instead of useful error message |
| Product | Red Hat Enterprise Linux 6 |
| Component | ipa |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 6.5 |
| Target Milestone | rc |
| Target Release | 6.7 |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | ipa-3.0.0-43.el6 |
| Doc Type | Bug Fix |
| Type | Bug |
| Reporter | hgraham |
| Assignee | Martin Kosek <mkosek> |
| QA Contact | Namita Soman <nsoman> |
| CC | hgraham, mkosek, pvoborni, rcritten, xdong |
| Last Closed | 2015-07-22 07:38:43 UTC |
| Doc Text | If an Active Directory (AD) server was specified or discovered automatically when running the ipa-client-install utility, the utility produced a traceback instead of informing the user that an IdM server is expected in this situation. Now, ipa-client-install detects the AD server and fails with an explanatory message. |

Description
hgraham
2014-08-21 02:37:12 UTC
This happens in RHELs older than 7.0 when ipa-client-install hits an AD which uses "namingContexts" instead of "namingcontext". You would be able to tell by either looking on ipaclient-install.log or by using --debug function and checking on which server it tries to autodiscover. It should be possible to prevent it by --domain and --server option pointing directly to the IPA server.

Would you like to propose this bug for RHEL-6.7 - do customers keep hitting it regularly to justify this update?

For reproduction, see Comment 1. It should be sufficient to point ipa-client-install to some AD (e.g. by using --domain and/or --server options or just by having it in AD domain and run autodiscovery).

Verified on ipa-client-3.0.0-45.el6.x86_64:

AD host name:ipaqa-w2012r2-1.adtest2.qe
AD host ip:10.16.98.175

```
[root@idm-qe-03 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.8.0.86 idm-qe-03.testrelm.test idm-qe-03
10.16.98.175 ipaqa-w2012r2-1.adtest2.qe ipaqa-w2012r2-1
[root@idm-qe-03 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search adtest2.qe testrelm.test
nameserver 10.16.98.175
nameserver 10.8.0.86
[root@idm-qe-03 ~]# ipa-client-install --server ipaqa-w2012r2-1.adtest2.qe --domain adtest2.qe
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Failed to verify that ipaqa-w2012r2-1.adtest2.qe is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1462.html
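
An added sketch (not FreeIPA's code and not the shipped fix) of the behaviour the Doc Text describes: read the server's rootDSE with case-insensitive attribute names, and turn an AD response into an explanatory failure rather than a traceback. The function names, the choice of AD marker attributes, the host `ipa.testrelm.test` and the sample entries are assumptions made for this example.

```python
# Added illustration; not FreeIPA's code. All names here are hypothetical.

# rootDSE attributes that Active Directory publishes (assumed AD signal).
AD_ROOTDSE_ATTRS = {"rootdomainnamingcontext", "forestfunctionality",
                    "domaincontrollerfunctionality"}


class NotAnIPAServer(Exception):
    """Carries a user-facing message instead of letting a KeyError escape."""


def fold_keys(entry):
    # LDAP attribute descriptions are case-insensitive (RFC 4512), so fold
    # the keys once and never index the raw server response directly.
    return {name.lower(): values for name, values in entry.items()}


def naming_contexts(root_dse, host):
    attrs = fold_keys(root_dse)
    if AD_ROOTDSE_ATTRS & attrs.keys():
        raise NotAnIPAServer(
            "%s is an Active Directory server; an IdM server is expected" % host)
    contexts = attrs.get("namingcontexts")
    if not contexts:
        raise NotAnIPAServer("%s returned no naming contexts" % host)
    return list(contexts)


def check_server(root_dse, host):
    """Return (ok, detail) so the caller can print a message and exit cleanly."""
    try:
        return True, naming_contexts(root_dse, host)
    except NotAnIPAServer as err:
        return False, str(err)


# Constructed sample rootDSE entries (not captured from real servers).
IPA_DSE = {"namingContexts": ["dc=testrelm,dc=test"]}  # mixed-case key
AD_DSE = {"namingContexts": ["DC=adtest2,DC=qe"],
          "rootDomainNamingContext": ["DC=adtest2,DC=qe"],
          "forestFunctionality": ["6"]}

if __name__ == "__main__":
    for host, dse in (("ipa.testrelm.test", IPA_DSE),
                      ("ipaqa-w2012r2-1.adtest2.qe", AD_DSE)):
        print(host, check_server(dse, host))
```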