
Bug 1232843

Summary: ipa-client-install errors out if client and server time are not in sync or unreachable
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.7
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Kaushik Banerjee <kbanerje>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Namita Soman <nsoman>
CC: akasurde, kbanerje, ksiddiqu, mkosek, pvoborni, rcritten
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-50.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-05-11 00:08:01 UTC

Description Kaushik Banerjee 2015-06-17 15:48:50 UTC
Description of problem:
A traceback appears while joining a client to a server if the client and server time are not in sync.

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-47.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Join ipa-client(RHEL6.7) to ipa-server(RHEL7.1)
2. Make sure client and server time are out of sync

Actual results:

# ipa-client-install --domain=testrelm.test --server=dhcp207-70.testrelm.test --realm=TESTRELM.TEST --force-join -p admin -w Secret123
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: dhcp207-169.lab.eng.pnq.redhat.com
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: dhcp207-70.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.TEST
Attempting to get host TGT...
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://dhcp207-70.testrelm.test/ipa/xml
Forwarding 'env' to server u'https://dhcp207-70.testrelm.test/ipa/xml'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2567, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2553, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2346, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in forward
    raise error(message=e.faultString)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid) 

Expected result:
No traceback

Additional info:
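
Added example, not part of the original report and not code from ipa-client-install: the "Ticket not yet valid" failure above depends on how far the client clock is from the KDC, so this Python code computes that offset from an SNTP reply and compares it with the 300-second clock-skew tolerance that MIT Kerberos uses by default. The function names, the sample packet and the timestamps are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
KRB5_CLOCKSKEW = 300          # MIT Kerberos default clock-skew tolerance, seconds


def _ntp_ts(raw, pos):
    """Decode a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    secs, frac = struct.unpack_from("!II", raw, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2.0**32


def sntp_offset(reply, t_sent, t_received):
    """Return server-minus-client clock offset from a 48-byte SNTP reply.

    t_sent and t_received are client clock readings (Unix seconds) taken
    when the request left and when the reply arrived.
    """
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if (reply[0] & 0x07) != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply")  # wrong mode or kiss-of-death
    t_rx = _ntp_ts(reply, 32)  # server receive timestamp
    t_tx = _ntp_ts(reply, 40)  # server transmit timestamp
    return ((t_rx - t_sent) + (t_tx - t_received)) / 2.0


def skew_verdict(offset, tolerance=KRB5_CLOCKSKEW):
    """Classify an offset against the Kerberos clock-skew tolerance."""
    if abs(offset) <= tolerance:
        return "within-tolerance"
    return "client-behind" if offset > 0 else "client-ahead"


def constructed_reply(server_time):
    """Constructed sample packet: mode 4 (server), stratum 2, zeroed extras."""
    ts = struct.pack("!II", int(server_time) + NTP_EPOCH_DELTA, 0)
    header = bytes([0x24, 2, 0, 0]) + bytes(12)  # LI=0 VN=4 mode=4, stratum 2
    return header + bytes(16) + ts + ts  # reference, origin, receive, transmit


if __name__ == "__main__":
    now = 1455527769.0  # constructed client clock reading
    # Constructed case: client clock one year ahead of the server.
    reply = constructed_reply(now - 365 * 86400)
    offset = sntp_offset(reply, now, now)
    print(offset, skew_verdict(offset))
```

Running a check like this before enrollment separates a clock problem from a genuine permission failure, which the ACIError wrapper in the traceback obscures.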

Comment 2 Petr Vobornik 2015-06-23 08:24:10 UTC
Kaushik, do you know if this bug is present only on RHEL 6.x or also on later versions (7.x, upstream)?

Comment 3 Kaushik Banerjee 2015-06-23 08:29:49 UTC
(In reply to Petr Vobornik from comment #2)
> Kaushik, do you know if this bug is present only on RHEL 6.x or also on
> later versions (7.x, upstream)?

I had only used a rhel6.7 client and seen this issue. Not sure if this exists on rhel7.
If you want, I can try connecting a rhel7.1 client to an ipa-server and see if I can reproduce this issue.

Comment 4 Petr Vobornik 2015-06-23 08:40:45 UTC
That would be very helpful.

Comment 6 Kaushik Banerjee 2015-06-24 09:05:07 UTC
I cannot reproduce this issue on rhel7.1 (ipa-client-4.1.0-18.el7.x86_64)

Comment 7 Martin Kosek 2015-10-07 13:08:24 UTC
This should be fixed, if reproduced. I would also like to backport the related NTP fixes from FreeIPA 4.1.x:

https://fedorahosted.org/freeipa/ticket/4842

Comment 8 Petr Vobornik 2016-01-04 16:49:10 UTC
The linked upstream ticket is fixed, therefore moving to POST.

Comment 10 Abhijeet Kasurde 2016-02-15 09:23:08 UTC
Verified using ipa-client version ipa-client-3.0.0-50.el6.x86_64


Console log for verification steps ::

# rpm -qa |grep ipa-client
ipa-client-3.0.0-50.el6.x86_64
# date 
Mon Feb 15 14:46:09 IST 2016
# date -s "Mon Feb 15 14:46:09 IST 2017" 
Wed Feb 15 14:46:09 IST 2017
# date
Wed Feb 15 14:46:10 IST 2017
# ipa-client-install --server=dhcp201-151.testrelm.test --domain=testrelm.test --realm=TESTRELM.TEST
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: dhcp201-214.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: dhcp201-151.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Enrolled in IPA realm TESTRELM.TEST
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://dhcp201-151.testrelm.test/ipa/xml
Forwarding 'env' to server u'https://dhcp201-151.testrelm.test/ipa/xml'
Hostname (dhcp201-214.testrelm.test) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dhcp201-151.testrelm.test/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring testrelm.test as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
# echo $?
0
# date
Mon Feb 15 14:47:30 IST 2016

Comment 12 errata-xmlrpc 2016-05-11 00:08:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0874.html