Bug 979197
| Field | Value |
|---|---|
| Summary | ipa-client-install : ambiguity in option --force |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Yi Zhang <yzhang> |
| Component | ipa |
| Assignee | Martin Kosek <mkosek> |
| Status | CLOSED NOTABUG |
| QA Contact | Namita Soman <nsoman> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.4 |
| CC | abokovoy, jgalipea, rcritten, yzhang |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-07-01 13:06:54 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Yi Zhang
2013-06-27 22:07:16 UTC

I do not think this has anything to do with the --force option. I rather think that after your first test, /etc/ipa/ca.crt was created on the system, thus the second test with the rhel6.4 ipa server succeeded - it did not need to download the cert, it already had it in /etc/ipa/ca.crt. Yi, can you please confirm that this is the case? If yes, please close the bug as NOTABUG.

Martin: I still insist on my finding. I redid the above test by removing the /etc/ipa/ca.crt file first, and I get the same result.

==== test one: against rhel6.4 ipa master ====

```
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Domain yzhang.redhat.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
```

==== test two: against rhel6.3 ipa master on the same ipa client host ====

```
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com
Synchronizing time with KDC...
root : ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root : ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.
```

This is because the 2.2 server does not store the certificate in LDAP and the 3.x server does. Retrieving the CA over HTTP is insecure, hence the --force requirement. 3.0 specifically introduced storage in LDAP for the certificate to be able to fetch it securely. I think at most we may mention that difference in the documentation.

Already sent email to the doc writer about this issue.
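The thread settles on three ways an unattended client run can get the IPA CA certificate: it is already in /etc/ipa/ca.crt, it is handed over with --ca-cert-file, or it is downloaded over HTTP, which the installer only does with --force because nothing verifies that download. The following is an added example, not code from this bug report or from FreeIPA, of a small wrapper that encodes that preference order on the client side and pins a --ca-cert-file copy to a SHA-256 fingerprint obtained out of band (the same value `openssl x509 -noout -fingerprint -sha256` prints). It generalizes beyond the two servers in the tests: the server names, the /tmp/ca.pem path, the SAMPLE_PEM body (base64 of "abc", not a real certificate) and the fingerprint are constructed placeholders, and credentials (-p/-w or an OTP) are deliberately left out of the argument list.

```python
"""Added example (not from the bug report or FreeIPA): pick a CA source for an
unattended ipa-client-install run, preferring a local or pinned copy over the
unverified HTTP download that the installer guards behind --force."""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: the body is base64("abc"), NOT a real certificate.
# It only exercises the PEM parsing and the fingerprint comparison below.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 over the DER encoding; this is the
    value `openssl x509 -noout -fingerprint -sha256` prints for a certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text, expected):
    """Compare ignoring case and colons, so a value copied from an admin's
    openssl output or from an internal wiki page both work."""
    def norm(s):
        return s.replace(":", "").strip().upper()
    return norm(sha256_fingerprint(pem_to_der(pem_text))) == norm(expected)


def build_enroll_args(server, domain, realm, have_local_ca_crt=False,
                      ca_cert_file=None, expected_fp=None, ca_cert_pem=None,
                      allow_http_force=False):
    """Return the ipa-client-install argv for an unattended (-U) run.

    Preference order: an existing /etc/ipa/ca.crt (no download happens),
    then a --ca-cert-file pinned to expected_fp, then --force only if the
    caller explicitly accepts the unverified HTTP download. Credentials are
    left to the caller so they never appear in this list or in shell history.
    ca_cert_pem lets a caller pass the file contents (e.g. for testing);
    otherwise ca_cert_file is read from disk."""
    args = ["ipa-client-install", "--server=" + server, "--domain=" + domain,
            "--realm=" + realm, "-U"]
    if have_local_ca_crt:
        return args
    if ca_cert_file is not None:
        if expected_fp is None:
            raise ValueError("--ca-cert-file must be pinned to a known fingerprint")
        if ca_cert_pem is None:
            with open(ca_cert_file) as fh:
                ca_cert_pem = fh.read()
        if not fingerprint_matches(ca_cert_pem, expected_fp):
            raise ValueError("CA certificate fingerprint mismatch for %s" % ca_cert_file)
        args.append("--ca-cert-file=" + ca_cert_file)
        return args
    if allow_http_force:
        # The insecure path the thread describes: CA fetched over plain HTTP.
        args.append("--force")
        return args
    raise RuntimeError("no trusted CA source; refusing HTTP download (--force)")


if __name__ == "__main__":
    # Placeholder server/path values; the fingerprint is derived from SAMPLE_PEM.
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print(" ".join(build_enroll_args("eggfruit.example.test", "example.test",
                                     "EXAMPLE.TEST", ca_cert_file="/tmp/ca.pem",
                                     expected_fp=fp, ca_cert_pem=SAMPLE_PEM)))
```

In practice the expected fingerprint comes from the server administrator over a channel other than the HTTP endpoint being distrusted (for example, read off the master with openssl and sent with the enrollment instructions); if a 2.2 master is in use and no such copy is available, the wrapper fails closed rather than silently adding --force.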