Bug 1132261 - ipa-client-install failing produces a traceback instead of useful error message
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 6.7
Assigned To: Martin Kosek
QA Contact: Namita Soman
Reported: 2014-08-20 22:37 EDT by hgraham
Modified: 2015-07-22 03:38 EDT (History)
Fixed In Version: ipa-3.0.0-43.el6
Doc Type: Bug Fix
Doc Text:
If an Active Directory (AD) server was specified or discovered automatically when running the ipa-client-install utility, the utility produced a traceback instead of informing the user that an IdM server is expected in this situation. Now, ipa-client-install detects the AD server and fails with an explanatory message.
Last Closed: 2015-07-22 03:38:43 EDT
Type: Bug
External Trackers:
Red Hat Product Errata RHSA-2015:1462 (Priority: normal, Status: SHIPPED_LIVE), Summary: "Moderate: ipa security and bug fix update", Last Updated: 2015-07-21 10:14:52 EDT

Description hgraham 2014-08-20 22:37:12 EDT
Description of problem:
When the install command fails, it produces a Python code traceback instead of a useful error message.

# ipa-client-install
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1724, in install
    ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 242, in search
    ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 339, in ipacheckldap
    basedn = get_ipa_basedn(lh)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
    contexts = entries[0][1]['namingcontexts']
KeyError: 'namingcontexts'

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-37.el6.x86_64

How reproducible:
Most likely a problem with DNS, the client wasn't pointed at the IPA DNS server.

Steps to Reproduce:
1.
2.
3.

Actual results:
code traceback from failed ipa-client-install command

Expected results:
The command should fail but produce an error that can help the customer 

Additional info:
Passing server and domain info fixes the problem so it was likely DNS related

ipa-client-install --server [server] --domain [domain]

Also documented the same issue and resolution in RHEL7
https://access.redhat.com/solutions/1160163
Comment 1 Martin Kosek 2014-08-21 07:04:25 EDT
This happens in RHELs older than 7.0 when ipa-client-install hits an AD which uses "namingContexts" instead of "namingcontext". You would be able to tell by either looking at ipaclient-install.log or by using the --debug function and checking which server it tries to autodiscover.

It should be possible to prevent it by --domain and --server option pointing directly to the IPA server.

Would you like to propose this bug for RHEL-6.7 - do customers keep hitting it regularly to justify this update?
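
The failure in the traceback and the behaviour the fix note describes, as an added example that is not part of the bug report or the IPA code base. The helper names, the sample rootDSE entries and the use of forestFunctionality/domainControllerFunctionality as Active Directory markers are assumptions of this example.

```python
# Added example: constructed data and hypothetical helper names.
class NotAnIPAServer(Exception):
    """Carries a message meant for the user instead of a traceback."""

# rootDSE attributes Active Directory publishes (heuristic chosen for this example).
AD_ROOTDSE_MARKERS = ("forestfunctionality", "domaincontrollerfunctionality")

def old_lookup(entries):
    """The lookup from the traceback: exact-case key access."""
    return entries[0][1]["namingcontexts"]

def naming_contexts(entries, server):
    """Return the rootDSE naming contexts, matching attribute names case-insensitively."""
    if not entries:
        raise NotAnIPAServer("%s returned no rootDSE entry" % server)
    _dn, attrs = entries[0]
    lowered = dict((name.lower(), values) for name, values in attrs.items())
    if any(marker in lowered for marker in AD_ROOTDSE_MARKERS):
        raise NotAnIPAServer(
            "%s looks like an Active Directory server; an IdM server is expected" % server)
    if "namingcontexts" not in lowered:
        raise NotAnIPAServer("%s does not publish namingContexts" % server)
    return lowered["namingcontexts"]

def check_server(entries, server):
    """Return (exit_code, message) the way an installer would report the result."""
    try:
        contexts = naming_contexts(entries, server)
    except NotAnIPAServer as err:
        return 1, "Failed to verify that %s is an IPA Server: %s" % (server, err)
    return 0, "naming contexts: %s" % ", ".join(contexts)

# Constructed rootDSE results in the (dn, attrs) shape python-ldap returns.
IPA_LIKE = [("", {"namingcontexts": ["dc=testrelm,dc=test"]})]
AD_LIKE = [("", {"namingContexts": ["DC=adtest2,DC=qe"],
                 "forestFunctionality": ["6"]})]

if __name__ == "__main__":
    for label, entries in (("ipa", IPA_LIKE), ("ad", AD_LIKE)):
        print(label, check_server(entries, label + ".example.test"))
```
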
Comment 9 Martin Kosek 2015-03-31 02:45:28 EDT
For reproduction, see Comment 1. It should be sufficient to point ipa-client-install to some AD (e.g. by using --domain and/or --server options or just by having it in an AD domain and running autodiscovery).
Comment 10 Xiyang Dong 2015-03-31 13:40:20 EDT
Verified on ipa-client-3.0.0-45.el6.x86_64:
AD host name: ipaqa-w2012r2-1.adtest2.qe
AD host ip: 10.16.98.175

[root@idm-qe-03 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.8.0.86 idm-qe-03.testrelm.test idm-qe-03
10.16.98.175 ipaqa-w2012r2-1.adtest2.qe ipaqa-w2012r2-1

[root@idm-qe-03 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search adtest2.qe testrelm.test
nameserver 10.16.98.175
nameserver 10.8.0.86

[root@idm-qe-03 ~]# ipa-client-install --server ipaqa-w2012r2-1.adtest2.qe --domain adtest2.qe
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Failed to verify that ipaqa-w2012r2-1.adtest2.qe is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Comment 12 errata-xmlrpc 2015-07-22 03:38:43 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1462.html
