Bug 910245

Summary: [abrt] freeipa-client-3.1.2-1.fc18: ipautil.py:838:get_ipa_basedn:KeyError: 'namingcontexts'
Product: [Fedora] Fedora Reporter: Ted Henscheid <thenscheid>
Component: freeipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: abokovoy, jboero, mkosek, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:f33a05535eac74f974299f5085dd66894292857e
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-11 10:05:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: core_backtrace
none
File: environ
none
File: smolt_data none

Description Ted Henscheid 2013-02-12 06:46:16 UTC 
Version-Release number of selected component:
freeipa-client-3.1.2-1.fc18

Additional info:
cmdline:        /usr/bin/python -E /usr/sbin/ipa-client-install --noac --principal=Adminstrator -W
dso_list:       freeipa-python-3.1.2-1.fc18.x86_64
executable:     /usr/sbin/ipa-client-install
kernel:         3.7.4-204.fc18.x86_64
uid:            0

Truncated backtrace:
ipautil.py:838:get_ipa_basedn:KeyError: 'namingcontexts'

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2360, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2346, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1708, in install
    ret = ds.search(domain=options.domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.7/site-packages/ipaclient/ipadiscovery.py", line 231, in search
    ldapret = self.ipacheckldap(self.server, self.realm, ca_cert_path=ca_cert_path)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipadiscovery.py", line 299, in ipacheckldap
    basedn = get_ipa_basedn(lh)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 838, in get_ipa_basedn
    contexts = entries[0][1]['namingcontexts']
KeyError: 'namingcontexts'

Local variables in innermost frame:
conn: <ldap.ldapobject.SimpleLDAPObject instance at 0x19bccf8>
entries: [('', {'namingContexts': ['DC=henscheid,DC=com', 'CN=Configuration,DC=henscheid,DC=com', 'CN=Schema,CN=Configuration,DC=henscheid,DC=com', 'DC=DomainDnsZones,DC=henscheid,DC=com', 'DC=ForestDnsZones,DC=henscheid,DC=com'], 'defaultNamingContext': ['DC=henscheid,DC=com']})]
Comment 1 Ted Henscheid 2013-02-12 06:46:19 UTC 
Created attachment 696374 [details]
File: backtrace
Comment 2 Ted Henscheid 2013-02-12 06:46:21 UTC 
Created attachment 696375 [details]
File: core_backtrace
Comment 3 Ted Henscheid 2013-02-12 06:46:22 UTC 
Created attachment 696376 [details]
File: environ
Comment 4 Ted Henscheid 2013-02-12 06:46:24 UTC 
Created attachment 696377 [details]
File: smolt_data
Comment 5 Rob Crittenden 2013-02-12 18:30:31 UTC 
Can you provide /var/log/ipaclient-install.log?

Can you confirm that the server that it connected to is an IPA server?
Comment 6 Martin Kosek 2013-02-21 09:40:32 UTC 
By checking the Local variables, it is clear, that server returned attribute named NamingContext (CamelCase) while we expected it to be lowercase.

I investigated this issue and found out that while 389-ds returns lowercase attributes, OpenLDAP does not:

>>> import ldap  
>>> ldap_url = "ldap://localhost:5389"              
>>> lh = ldap.initialize(ldap_url)
>>> lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>>> lh.simple_bind_s("","")
(97, [], 1, [])
>>> lh.search_ext_s('', scope=ldap.SCOPE_BASE, attrlist=['defaultnamingcontext', 'namingcontexts'])[('', {'namingContexts': ['dc=external,dc=test']})]

We need to use our LDAP handling classes in the client discovery, otherwise the client autodiscovery may crash when it tests OpenLDAP server discovered via SRV records.
Comment 7 Martin Kosek 2013-02-21 09:56:07 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3446
Comment 8 Martin Kosek 2013-03-13 11:42:03 UTC 
Fixed upstream:

master:
63407ed477035765dda38fbead1353d4f47ac26a Don't download the schema in ipadiscovery
cf4b52111d384e8baa250aefe57f21ebda4dad7e Remove unneeded python-ldap imports
664248d5b846321f61e0776b646cca82c5a17884 Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
a0242334feb3da01430f517806768965dabe92c2 Use IPAdmin rather than raw python-ldap in ipa-client-install
91a63cce6203cb8d0cf956d9e30842db365500da Remove ipaserver/ipaldap.py
4e6a2a916d99c4eb9f5e6f5d622517e1b3fe323e Move ipaldap to ipapython
Comment 9 Martin Kosek 2013-03-14 15:43:15 UTC 
I also pushed a fix for ipa-3-1 branch so that it also gets to Fedora 18.

49577a4c66fe4260946f9bf132ad12bdcc213662 Fix client discovery crash
Comment 10 Fedora Update System 2013-03-26 16:08:11 UTC 
freeipa-3.1.3-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/freeipa-3.1.3-1.fc18
Comment 11 Fedora Update System 2013-03-27 00:47:22 UTC 
Package freeipa-3.1.3-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-1.fc18
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2013-03-29 01:34:20 UTC 
Package freeipa-3.1.3-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-2.fc18
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2013-04-03 04:46:18 UTC 
Package freeipa-3.1.3-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.1.3-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4460/freeipa-3.1.3-4.fc18
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2013-04-11 10:05:43 UTC 
freeipa-3.1.3-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 John Boero 2013-10-08 15:18:33 UTC 
Just a 2ndary note on this:
I was getting this error installing clients in an environment with existing DNS.  Maybe it should be a little more obvious, but specifying 

ipa-client-install --server [server] --domain [domain]

manually was my duh workaround.  Just in case anybody else encounters this running ipa-client-install with hopes DNS is already set up correctly.

Thanks!
JohnnyB