Bug 1132261

Summary: ipa-client-install failing produces a traceback instead of useful error message
Product: Red Hat Enterprise Linux 6
Reporter: hgraham
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Priority: medium
Version: 6.5
CC: hgraham, mkosek, pvoborni, rcritten, xdong
Target Milestone: rc
Target Release: 6.7
Hardware: x86_64
OS: Linux
Fixed In Version: ipa-3.0.0-43.el6
Doc Type: Bug Fix
Doc Text:
If an Active Directory (AD) server was specified or discovered automatically when running the ipa-client-install utility, the utility produced a traceback instead of informing the user that an IdM server is expected in this situation. Now, ipa-client-install detects the AD server and fails with an explanatory message.
Last Closed: 2015-07-22 07:38:43 UTC
Type: Bug

Description hgraham 2014-08-21 02:37:12 UTC
Description of problem:
When the install command fails it produces python code traceback instead of a useful error message.

# ipa-client-install
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1724, in install
    ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 242, in search
    ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 339, in ipacheckldap
    basedn = get_ipa_basedn(lh)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
    contexts = entries[0][1]['namingcontexts']
KeyError: 'namingcontexts'

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-37.el6.x86_64

How reproducible:
Most likely a problem with DNS, the client wasn't pointed at the IPA DNS server.


Actual results:
code traceback from failed ipa-client-install command

Expected results:
The command should fail but produce an error that can help the customer 

Additional info:
Passing server and domain info fixes the problem so it was likely DNS related

ipa-client-install --server [server] --domain [domain]

Also documented the same issue and resolution in RHEL7
https://access.redhat.com/solutions/1160163

Comment 1 Martin Kosek 2014-08-21 11:04:25 UTC
This happens in RHELs older than 7.0 when ipa-client-install hits an AD which uses "namingContexts" instead of "namingcontext". You would be able to tell by either looking on ipaclient-install.log or by using --debug function and checking on which server it tries to autodiscover.

It should be possible to prevent it by --domain and --server option pointing directly to the IPA server.

Would you like to propose this bug for RHEL-6.7 - do customers keep hitting it regularly to justify this update?
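The failure mode described above, as an added example that is not IPA's own code: the original lookup indexed the rootDSE dict with a fixed-case key, so an AD server returning `namingContexts` produced a bare KeyError. The helper below resolves LDAP attribute names case-insensitively (as the protocol defines them) and, before reading naming contexts, checks for rootDSE attributes that AD domain controllers publish (`forestFunctionality` and friends, a heuristic chosen for this example) so that the client can fail with an explanatory message instead of a traceback. The rootDSE results and the `NotIPAServerError` name are constructed for the example.

```python
# Added example (not IPA's own code): case-insensitive handling of the rootDSE
# 'namingContexts' attribute plus an explanatory failure when the discovered LDAP
# server looks like Active Directory. Entries use the python-ldap result shape:
# [(dn, {attribute_name: [values]}), ...].

class NotIPAServerError(Exception):
    """Raised with a user-facing message instead of leaking a KeyError."""


def get_attr_ci(attrs, name):
    """Return an attribute's values regardless of the case the server used.

    LDAP attribute names are case-insensitive, but Python dict keys are not:
    AD answers with 'namingContexts' while the original code asked for
    'namingcontexts'.
    """
    wanted = name.lower()
    for key, values in attrs.items():
        if key.lower() == wanted:
            return values
    return []


def looks_like_ad(attrs):
    """Heuristic for this example: these rootDSE attributes are published by AD
    domain controllers and are not part of an IPA (389-ds) rootDSE."""
    markers = ("forestFunctionality", "domainFunctionality",
               "domainControllerFunctionality")
    return any(get_attr_ci(attrs, m) for m in markers)


def get_naming_contexts(entries):
    """Extract naming contexts from a rootDSE search, failing with a clear message."""
    if not entries:
        raise NotIPAServerError("rootDSE search returned no entry")
    _dn, attrs = entries[0]
    if looks_like_ad(attrs):
        raise NotIPAServerError(
            "The discovered LDAP server looks like an Active Directory domain "
            "controller, not an IPA server. Use --server/--domain to point at the "
            "IPA server, or fix DNS so autodiscovery finds it.")
    contexts = get_attr_ci(attrs, "namingContexts")
    if not contexts:
        raise NotIPAServerError("rootDSE has no namingContexts attribute")
    return [c.decode() if isinstance(c, bytes) else c for c in contexts]


# Constructed sample rootDSE results (not captured from any real server).
IPA_ROOTDSE = [("", {"namingcontexts": [b"dc=testrelm,dc=test"]})]
AD_ROOTDSE = [("", {"namingContexts": [b"DC=adtest2,DC=qe",
                                       b"CN=Configuration,DC=adtest2,DC=qe"],
                    "forestFunctionality": [b"6"]})]
```

Running `get_naming_contexts(AD_ROOTDSE)` raises `NotIPAServerError` with the explanatory text, while the IPA-style result yields `["dc=testrelm,dc=test"]`.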

Comment 9 Martin Kosek 2015-03-31 06:45:28 UTC
For reproduction, see Comment 1. It should be sufficient to point ipa-client-install to some AD (e.g. by using --domain and/or --server options or just by having it in AD domain and run autodiscovery).

Comment 10 Xiyang Dong 2015-03-31 17:40:20 UTC
Verified on ipa-client-3.0.0-45.el6.x86_64:
AD host name:ipaqa-w2012r2-1.adtest2.qe
AD host ip:10.16.98.175

[root@idm-qe-03 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.8.0.86 idm-qe-03.testrelm.test idm-qe-03
10.16.98.175 ipaqa-w2012r2-1.adtest2.qe ipaqa-w2012r2-1

[root@idm-qe-03 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search adtest2.qe testrelm.test
nameserver 10.16.98.175
nameserver 10.8.0.86

[root@idm-qe-03 ~]# ipa-client-install --server ipaqa-w2012r2-1.adtest2.qe --domain adtest2.qe
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Failed to verify that ipaqa-w2012r2-1.adtest2.qe is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Comment 12 errata-xmlrpc 2015-07-22 07:38:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1462.html