Bug 1300561 - ipa-client-install does not accept provided realm
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Severity: unspecified
Assigned To: IPA Maintainers
Namita Soman
Reported: 2016-01-21 02:18 EST by Martin Kosek
Modified: 2016-01-29 08:03 EST (History)
Doc Type: Bug Fix
Last Closed: 2016-01-29 08:03:26 EST
Type: Bug
Description Martin Kosek 2016-01-21 02:18:27 EST
Description of problem:
As reported on freeipa-users in
when anonymous access is disabled, the DNS Kerberos TXT record is not configured, and the realm does not match the domain, ipa-client-install tries to assume a realm from the domain and then fails because it differs from the provided one:

2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=<MYDOMAIN>,
servers=['<FQDN IPA SERVER>'], hostname=<FQDN IPA CLIENT>
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that <FQDN IPA SERVER> (realm None) is
an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://<FQDN IPA
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
server=None, domain=<MYDOMAIN>, kdc=None, basedn=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Validated servers: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
2016-01-20T14:55:48Z DEBUG will use provided server: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered realm: <MYDOMAIN>
2016-01-20T14:55:48Z ERROR The provided realm name [<MYREALM>] does not
match discovered one [<MYDOMAIN>]
2016-01-20T14:55:48Z DEBUG (<MYDOMAIN>: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
In such a case, instead of assuming the realm, the client should rather accept the one passed via the option.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure FreeIPA server without DNS, with domain different than realm, with anonymous access disabled
2. Install client with --server, --domain, --realm options

Actual results:
Installation fails

Expected results:
Installation succeeds

Additional info:
Comment 1 Martin Kosek 2016-01-21 09:38:08 EST
Before trying to fix it otherwise, I would recommend testing if
does not fix the problem.
Comment 2 Petr Vobornik 2016-01-29 08:03:26 EST
This bug is fixed in RHEL 7 and FreeIPA 4.x upstream releases.

It is present only under a specific situation. The suggestion is to break the situation, e.g. by creating a DNS Kerberos TXT record for the IPA domain and providing the domain using the --domain option.

Therefore this bug doesn't qualify for a fix in RHEL 6.

Feel free to reopen with appropriate justification.
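To make the discovery order visible in the log above and the workaround from comment 2 concrete, here is an added Python model of the realm-selection fallback. It is not FreeIPA's code: the Environment class, the domain and realm values and the in-memory DNS map are constructed assumptions, and honor_provided switches between the behaviour reported here and the behaviour the reporter asks for.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Environment:
    """Constructed inputs to client discovery (hypothetical, not FreeIPA's API)."""
    domain: str                     # --domain value
    provided_realm: Optional[str]   # --realm value, or None if not given
    dns_txt: dict                   # simulated DNS: TXT record name -> realm value
    anonymous_ldap: bool            # whether anonymous LDAP bind to the server is allowed
    ldap_realm: str = ""            # realm the server would return over LDAP

def realm_to_basedn(realm: str) -> str:
    """The log's 'Generated basedn from realm' step: CORP.TEST -> dc=corp,dc=test."""
    return ",".join("dc=" + part.lower() for part in realm.split("."))

def discover_realm(env: Environment, honor_provided: bool) -> str:
    """Discovery order from the log: DNS TXT record, then LDAP, then a fallback.
    honor_provided=False reproduces the reported bug (realm assumed from the domain);
    honor_provided=True lets the provided --realm win over that assumption."""
    txt = env.dns_txt.get("_kerberos." + env.domain)
    if txt:
        return txt
    if env.anonymous_ldap and env.ldap_realm:
        return env.ldap_realm
    if honor_provided and env.provided_realm:
        return env.provided_realm
    return env.domain.upper()          # "Assuming realm is the same as domain"

def client_install(env: Environment, honor_provided: bool) -> Tuple[str, str]:
    """Return (realm, basedn) the client would configure, or fail like ipa-client-install."""
    discovered = discover_realm(env, honor_provided)
    if env.provided_realm and env.provided_realm != discovered:
        raise ValueError(f"The provided realm name [{env.provided_realm}] "
                         f"does not match discovered one [{discovered}]")
    return discovered, realm_to_basedn(discovered)

# Constructed scenario from the report: realm differs from domain, no TXT record, anonymous LDAP denied.
BROKEN = Environment(domain="lab.example.test", provided_realm="CORP.TEST",
                     dns_txt={}, anonymous_ldap=False)
# Workaround from comment 2: publish the _kerberos TXT record for the IPA domain.
WITH_TXT = Environment(domain="lab.example.test", provided_realm="CORP.TEST",
                       dns_txt={"_kerberos.lab.example.test": "CORP.TEST"}, anonymous_ldap=False)

if __name__ == "__main__":
    for name, env in (("broken", BROKEN), ("with TXT record", WITH_TXT)):
        for fixed in (False, True):
            try:
                print(name, "fixed" if fixed else "buggy", client_install(env, fixed))
            except ValueError as err:
                print(name, "fixed" if fixed else "buggy", "ERROR:", err)
```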
