Description of problem: When I want to set up an external auth using IPA, it does not work Version-Release number of selected component (if applicable): 5.4.0.0.19 How reproducible: always Steps to Reproduce: # appliance_console_cli --ipaserver server.domain.com --iparealm DOMAIN.COM --ipaprincipal admin --ipapassword password Configuring IPA (may take a minute) ... Configuring the IPA Client ... Usage: ipa-client-install [options] ipa-client-install: error: --server cannot be used without providing --domain Failed to Configure External Authentication - /usr/sbin/ipa-client-install exit code: 2 I tried to provide a domain, but voila: # appliance_console_cli --help Usage: appliance_console_cli [options] -H, --host=<s> /etc/hosts name -r, --region=<i> Region Number -i, --internal Internal Database -h, --hostname=<s> Database Hostname -U, --username=<s> Database Username (default: root) -p, --password=<s> Database Password -d, --dbname=<s> Database Name (default: vmdb_production) -k, --key Create encryption key -K, --fetch-key=<s> SSH host with encryption key -f, --force-key Forcefully create encryption key -s, --sshlogin=<s> SSH login (default: root) -a, --sshpassword=<s> SSH password -v, --verbose Verbose -b, --dbdisk=<s> Database Disk Path -t, --tmpdisk=<s> Temp storage Disk Path -u, --uninstall-ipa Uninstall IPA Client -e, --ipaserver=<s> IPA Server FQDN -n, --ipaprincipal=<s> IPA Server principal (default: admin) -w, --ipapassword=<s> IPA Server password -l, --iparealm=<s> IPA Server realm (optional) -c, --ca=<s> CA name used for certmonger (default: ipa) -o, --postgres-client-cert install certs for postgres client -g, --postgres-server-cert install certs for postgres server --api-cert install certs for regional api --help Show this message No domain to specify, seems like the console script should pass something new to the ipa setup script, because I remember this worked before.
I've never seen it before that I recall but, I have confirmed it from a quick test on RHEL6.7: [root@rhel6-3 ~]# ipa-client-install --server master.testrelm.test --realm TESTRELM.TEST -p admin -w Secret123 Usage: ipa-client-install [options] ipa-client-install: error: --server cannot be used without providing --domain What version of ipa-client is installed there?
I also went back to RHEL6.4 and tested and see the same thing: [root@client2 ~]# ipa-client-install --server master.testrelm.test --realm TESTRELM.TEST -p admin -w Secret123 Usage: ipa-client-install [options] ipa-client-install: error: --server cannot be used without providing --domain
Pete, can you clarify how you tested this a few weeks back? We are trying to confirm what works and what does not so it will be interesting to hear your path to success. Thanks,
Another data point of interest is the FQDN hostname of the appliance this is being run on. Thanks.
Meanwhile I bumped the appliance to .22 but the error persists. # rpm -qa | grep ipa-client ipa-client-3.0.0-42.el6.x86_64 I don't know what is the FQDN hostname of this appliance because it runs on one of our RHOSes and I did not see any of that both in UI and CLI.
Hi Milan, In the appliance console UI, when you display summary information (16) what does it show for first Hostname: field ? Thanks, Alberto
host-192-168-100-57 (so nothing publicly accessible I suppose)
FYI, This is the RHEL6.4 version that shows the same behavior: ipa-client-3.0.0-25.el6.x86_64
Both appliance and ipa server need to be FQDN defined and reachable as such. Can you update the appliance hostname to be FQDN and test again ? Thanks.
Yes, it works now. Seems one of our providers does not have IP->hostname resolution available. So notabug then?
IMHO, I'd keep this as a bug to request a new --ipadomain option be added to appliance_console_cli. That could prove useful also in the case where the domain does not match the client's domain from FQDN (if that's where it's coming from).
https://github.com/ManageIQ/manageiq/pull/2778
New commit detected on manageiq/master: https://github.com/ManageIQ/manageiq/commit/da4df402404d8d694d984cef29cea5c243584343 commit da4df402404d8d694d984cef29cea5c243584343 Author: Alberto Bellotti <abellott> AuthorDate: Tue Apr 28 13:04:36 2015 -0400 Commit: Alberto Bellotti <abellott> CommitDate: Tue Apr 28 13:18:49 2015 -0400 Enhancement to support optional --ipadomain In environments where the IPA Domain cannot be derived from the client's FQDN, we need to provide the --ipadomain option to the appliance console CLI. This capability was provided in the appliance console UI but not from the CLI. https://bugzilla.redhat.com/show_bug.cgi?id=1213378 lib/appliance_console/cli.rb | 2 ++ lib/spec/appliance_console/cli_spec.rb | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1100.html