Bug 1132261 - ipa-client-install failing produces a traceback instead of useful error message
Summary: ipa-client-install failing produces a traceback instead of useful error message
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: x86_64
OS: Linux
Target Milestone: rc
Target Release: 6.7
Assignee: Martin Kosek
QA Contact: Namita Soman
Depends On:
Reported: 2014-08-21 02:37 UTC by hgraham
Modified: 2018-12-06 17:50 UTC

Fixed In Version: ipa-3.0.0-43.el6
Doc Type: Bug Fix
Doc Text:
If an Active Directory (AD) server was specified or discovered automatically when running the ipa-client-install utility, the utility produced a traceback instead of informing the user that an IdM server is expected in this situation. Now, ipa-client-install detects the AD server and fails with an explanatory message.
Clone Of:
Last Closed: 2015-07-22 07:38:43 UTC


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1462 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2015-07-21 14:14:52 UTC

Description hgraham 2014-08-21 02:37:12 UTC
Description of problem:
When the install command fails it produces python code traceback instead of a useful error message.

# ipa-client-install
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1724, in install
    ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 242, in search
    ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 339, in ipacheckldap
    basedn = get_ipa_basedn(lh)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
    contexts = entries[0][1]['namingcontexts']
KeyError: 'namingcontexts'

Version-Release number of selected component (if applicable):

How reproducible:
Most likely a problem with DNS, the client wasn't pointed at the IPA DNS server.

Steps to Reproduce:

Actual results:
code traceback from failed ipa-client-install command

Expected results:
The command should fail but produce an error that can help the customer 

Additional info:
Passing server and domain info fixes the problem so it was likely DNS related

ipa-client-install --server [server] --domain [domain]

Also documented the same issue and resolution in RHEL7

Comment 1 Martin Kosek 2014-08-21 11:04:25 UTC
This happens in RHELs older than 7.0 when ipa-client-install hits an AD which uses "namingContexts" instead of "namingcontext". You would be able to tell by either looking at ipaclient-install.log or by using the --debug function and checking which server it tries to autodiscover.

It should be possible to prevent it by --domain and --server option pointing directly to the IPA server.

Would you like to propose this bug for RHEL-6.7 - do customers keep hitting it regularly to justify this update?
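The root cause described in Comment 1 is a case-sensitive dict lookup of an LDAP attribute name that the server is free to return in any case. As an added example (not IPA project code), the following looks the rootDSE attribute up case-insensitively and reports a non-IPA server with a clear error instead of a KeyError; the python-ldap result shape `[(dn, {attr: [values]})]` is real, while the per-suffix `suffix_info` mapping and the "IPA V2.0" marker are assumptions for this example.

```python
class NotIPAServerError(Exception):
    """Raised when the queried LDAP server does not look like an IPA server."""


def get_attr_ci(attrs, name):
    """Look up LDAP attribute `name` ignoring case.

    Attribute names are case-insensitive in LDAP (RFC 4512), but the client
    library hands them back as dict keys in whatever case the server used:
    AD sends 'namingContexts', 389-ds sends 'namingcontexts'.
    """
    wanted = name.lower()
    for key, values in attrs.items():
        if key.lower() == wanted:
            return values
    return None


def get_ipa_basedn(rootdse_entries, suffix_info):
    """Return the IPA base DN, or raise NotIPAServerError with a reason.

    `rootdse_entries` is the rootDSE search result; `suffix_info` maps each
    naming context to its 'info' values (assumption: stands in for a base
    search of each suffix; the 'IPA V2.0' marker is also assumed here).
    """
    if not rootdse_entries:
        raise NotIPAServerError("server returned an empty rootDSE")
    _dn, attrs = rootdse_entries[0]
    contexts = get_attr_ci(attrs, "namingContexts")
    if not contexts:
        raise NotIPAServerError("rootDSE has no namingContexts attribute")
    for context in contexts:
        if any(v.lower().startswith("ipa v2") for v in suffix_info.get(context, [])):
            return context
    raise NotIPAServerError(
        "none of the naming contexts %s is an IPA suffix "
        "(is this an Active Directory server?)" % ", ".join(contexts))


# Constructed sample rootDSE responses in python-ldap shape: (dn, attrs).
IPA_ROOTDSE = [("", {"namingcontexts": ["dc=testrelm,dc=test"]})]
IPA_SUFFIX_INFO = {"dc=testrelm,dc=test": ["IPA V2.0"]}
AD_ROOTDSE = [("", {"namingContexts": ["DC=adtest2,DC=qe",
                                       "CN=Configuration,DC=adtest2,DC=qe"]})]


def classify(rootdse, suffix_info):
    """Return ('ipa', basedn) or ('not-ipa', reason) for a server response."""
    try:
        return ("ipa", get_ipa_basedn(rootdse, suffix_info))
    except NotIPAServerError as exc:
        return ("not-ipa", str(exc))
```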

Comment 9 Martin Kosek 2015-03-31 06:45:28 UTC
For reproduction, see Comment 1. It should be sufficient to point ipa-client-install to some AD (e.g. by using --domain and/or --server options or just by having it in AD domain and run autodiscovery).

Comment 10 Xiyang Dong 2015-03-31 17:40:20 UTC
Verified on ipa-client-3.0.0-45.el6.x86_64:
AD host name: ipaqa-w2012r2-1.adtest2.qe
AD host ip:

[root@idm-qe-03 ~]# cat /etc/hosts
            localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 idm-qe-03.testrelm.test idm-qe-03 ipaqa-w2012r2-1.adtest2.qe ipaqa-w2012r2-1

[root@idm-qe-03 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search adtest2.qe testrelm.test

[root@idm-qe-03 ~]# ipa-client-install --server ipaqa-w2012r2-1.adtest2.qe --domain adtest2.qe
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Failed to verify that ipaqa-w2012r2-1.adtest2.qe is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Comment 12 errata-xmlrpc 2015-07-22 07:38:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
