Bug 733009

Summary: ipa-client-install says system configured after an unsuccessful run
Product: Red Hat Enterprise Linux 6
Reporter: Marko Myllynen <myllynen>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 6.2
CC: benl, dpal, jgalipea, mkosek, nsoman
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text: Do not document
Last Closed: 2011-12-06 18:30:25 UTC

Description Marko Myllynen 2011-08-24 13:03:11 UTC
Description of problem:
If ipa-client-install fails with IPA 2.0 (e.g., due to ipa-join failing, ref: bug 732468) then when running ipa-client-install again it will try to configure the system as expected.

However, with IPA 2.1 in the same situation, when running ipa-client-install for the second time it says "IPA client is already configured on this system."

In both cases essential configuration files like krb5.conf and sssd.conf have not been updated so the system is clearly unconfigured.

Version-Release number of selected component (if applicable):
IPA 2.1

Comment 1 Rob Crittenden 2011-08-24 13:09:22 UTC
Can you provide details on where the client installer failed?

Can you attach /var/lib/ipa-client/sysrestore/sysrestore.index

Comment 3 Marko Myllynen 2011-08-24 13:23:05 UTC
> Can you provide details on where the client installer failed?

After entering the admin password this is printed:

"Joining realm failed: HTTP response code is 500, not 200"

This was caused by the known issue with A/PTR mismatch as discussed in bug 732468.

> Can you attach /var/lib/ipa-client/sysrestore/sysrestore.index

It only has:

[files]
63b72c9e823af994-network = 33188,0,0,/etc/sysconfig/network

Thanks.

Comment 4 Rob Crittenden 2011-08-24 14:27:45 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1704

Comment 5 Dmitri Pal 2011-08-24 16:37:45 UTC
Would it be sufficient to fix by adding more text to the message:

"IPA client is already configured on this system. If you want to repair a broken installation run 'ipa-client-install --uninstall --U' to uninstall client software and then try again."

Comment 6 Rob Crittenden 2011-08-24 16:48:52 UTC
The problem is that /etc/sysconfig/network gets set before we attempt to enroll. This isn't getting rolled-back on unsuccessful enrollment attempts.

So we need to either set network after enrollment or roll back that change when installation fails.
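
The failure mode described in Comment 6, modelled as an added example (not FreeIPA's code and not part of the original thread): a file is backed up and changed before enrollment, enrollment fails, and the leftover backup record makes the next run report "already configured" unless the change is rolled back. Assumptions: `FileStore`, `install`, `two_runs` and the `example.test` hostnames are hypothetical, and the "already configured" check is assumed to be "the backup index has entries".

```python
import configparser, shutil, tempfile
from pathlib import Path

class FileStore:  # toy backup index shaped like sysrestore.index, not FreeIPA's code
    def __init__(self, root):
        self.root, self.index = Path(root), Path(root) / "sysrestore.index"
    def _load(self):
        cp = configparser.RawConfigParser()
        cp.read_dict({"files": {}})        # section exists even with no index yet
        cp.read(self.index)                # a missing index file is ignored
        return cp
    def has_files(self):                   # assumed "already configured" test
        return bool(self._load().options("files"))
    def backup(self, path):
        cp = self._load()
        key = "%d-%s" % (len(cp.options("files")), Path(path).name)
        shutil.copy2(path, self.root / key)
        cp.set("files", key, str(path))
        with open(self.index, "w") as f:
            cp.write(f)
    def restore_all(self):
        for key, path in self._load().items("files"):
            shutil.move(str(self.root / key), path)
        self.index.unlink(missing_ok=True) # nothing recorded any more

def install(store, network_file, hostname, join, rollback):
    if store.has_files():
        return "already configured"
    store.backup(network_file)             # change recorded BEFORE enrollment
    Path(network_file).write_text("NETWORKING=yes\nHOSTNAME=%s\n" % hostname)
    try:
        join()
    except RuntimeError:
        if rollback:                       # the fix: undo recorded changes
            store.restore_all()
        return "join failed"
    return "configured"

def failing_join():                        # constructed failure, text from the report
    raise RuntimeError("HTTP response code is 500, not 200")

def two_runs(rollback):
    with tempfile.TemporaryDirectory() as tmp:
        net = Path(tmp) / "network"        # stands in for /etc/sysconfig/network
        net.write_text("NETWORKING=yes\nHOSTNAME=old.example.test\n")
        runs = [install(FileStore(tmp), net, "new.example.test", failing_join, rollback)
                for _ in range(2)]
        return runs, net.read_text()
```

`two_runs(False)` reproduces the reported behaviour (second run refuses, hostname left changed); `two_runs(True)` matches the verified behaviour in Comment 10 (both runs attempt enrollment, file restored).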

Comment 7 Rob Crittenden 2011-08-30 14:28:11 UTC
Fixed upstream.

master: ad717bff3c8c176f2c3c983d1a743eac00af426e

ipa-2-1: 4cd65a1d6e432945ae3c86a49ebc236d845d9cbd

Comment 10 Namita Soman 2011-10-10 13:52:34 UTC
Tested using ipa-server-2.1.2-2.el6.x86_64


Steps taken:
1. the client doesn't have a host entry for the server in /etc/hosts.
2. install client, and the installation is unsuccessful
3. check /etc/sysconfig/network, and verify it is restored.
4. reinstall, and see same behaviour as above, and not the reported error that when running ipa-client-install for the second time it says "IPA client is already configured on this system."

test result outputs:

# ipa-client-install --hostname namita.testrelm
Discovery was successful!
Hostname: namita.testrelm
Realm: TESTRELM
DNS Domain: testrelm
IPA Server: rhel62-server1.testrelm
BaseDN: dc=testrelm


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@TESTRELM: 

Joining realm failed: HTTP response code is 500, not 200
Installation failed. Rolling back changes.


# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=rhel62-server2.testrelm


# ipa-client-install --hostname namita.testrelm
Discovery was successful!
Hostname: namita.testrelm
Realm: TESTRELM
DNS Domain: testrelm
IPA Server: rhel62-server1.testrelm
BaseDN: dc=testrelm


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@TESTRELM: 

Joining realm failed: HTTP response code is 500, not 200
Installation failed. Rolling back changes.

Comment 11 Rob Crittenden 2011-10-10 14:06:53 UTC
A 500 error means that something bad happened on the server side. Can you see if a backtrace is in /var/log/httpd/error_log on the IPA server and include it here?

Comment 12 Namita Soman 2011-10-17 18:19:04 UTC
Not getting the 500 error since then...but it was very timely to see the error to help verify this bug. Verified that when this error was thrown, client was uninstalled, and all files were restored successfully. 
Tested with ipa-server-2.1.2-2.el6.x86_64

Comment 14 Martin Kosek 2011-11-01 13:42:16 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 15 errata-xmlrpc 2011-12-06 18:30:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html