Description of problem:
As reported on freeipa-users in https://www.redhat.com/archives/freeipa-users/2016-January/msg00341.html, when anonymous access is disabled, the DNS Kerberos TXT record is not configured and the realm does not match the domain, ipa-client-install tries to assume a realm from the domain and then fails as it is different from the provided one:

2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=<MYDOMAIN>, servers=['<FQDN IPA SERVER>'], hostname=<FQDN IPA CLIENT>
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of _kerberos.<MYDOMAIN>.
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that <FQDN IPA SERVER> (realm None) is an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://<FQDN IPA SERVER>:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Generated basedn from realm: dc=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=<MYDOMAIN>, kdc=None, basedn=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Validated servers: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS discovery
2016-01-20T14:55:48Z DEBUG will use provided server: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered realm: <MYDOMAIN>
2016-01-20T14:55:48Z ERROR The provided realm name [<MYREALM>] does not match discovered one [<MYDOMAIN>]
2016-01-20T14:55:48Z DEBUG (<MYDOMAIN>: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.

Version-Release number of selected component (if applicable):
In such a case, instead of assuming the realm, the client should rather accept the one passed via option.

How reproducible:
Always

Steps to Reproduce:
1. Configure FreeIPA server without DNS, with domain different than realm, with anonymous access disabled
2. Install client with --server, --domain, --realm options
3.

Actual results:
Installation fails

Expected results:
Installation succeeds

Additional info:
Before trying to fix it otherwise, I would recommend testing if https://fedorahosted.org/freeipa/ticket/4444 does not fix the problem.
This bug is fixed in RHEL 7 and FreeIPA 4.x upstream releases. It is present only under a specific situation. The suggestion is to break the situation, e.g. by creating a DNS Kerberos TXT record for the IPA domain and providing the domain using the --domain option. Therefore this bug doesn't qualify for a fix in RHEL 6. Feel free to reopen with appropriate justification.
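The discovery fallback described in the report (TXT record, then anonymous LDAP, then "assume realm = domain") and the two ways out of it (accepting the --realm option when the discovered realm was only assumed, or publishing the _kerberos TXT record as the last comment suggests) can be modelled as follows. This is an added illustration, not FreeIPA's own code; the function names, the `realm_source` field and the upper-casing of the domain are assumptions for the model.

```python
"""Model of ipa-client-install realm discovery and the provided-realm check.

Hypothetical illustration of the behaviour seen in the bug report; the
names and structure here are assumptions, not FreeIPA's implementation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SUCCESS = "SUCCESS"
NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"


@dataclass
class DiscoveryResult:
    status: str
    realm: Optional[str]
    realm_source: str  # "dns", "ldap" or "assumed" (assumed field, for the model)


def discover_realm(domain: str, dns_txt_realm: Optional[str],
                   ldap_anonymous_allowed: bool,
                   ldap_realm: Optional[str] = None) -> DiscoveryResult:
    """Mirror the log: TXT lookup, then anonymous LDAP check, then fallback."""
    # [Kerberos realm search]: _kerberos.<domain> TXT record, if published.
    if dns_txt_realm:
        return DiscoveryResult(SUCCESS, dns_txt_realm, "dns")
    # [LDAP server check]: needs an anonymous bind to read the realm.
    if ldap_anonymous_allowed and ldap_realm:
        return DiscoveryResult(SUCCESS, ldap_realm, "ldap")
    # "LDAP Error: Anonymous access not allowed" -> realm is only a guess
    # derived from the domain (upper-cased here; an assumption of the model).
    return DiscoveryResult(NO_ACCESS_TO_LDAP, domain.upper(), "assumed")


def resolve_realm(provided_realm: Optional[str], result: DiscoveryResult,
                  accept_provided_when_assumed: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (realm, error). With the flag off, any mismatch is fatal (the
    reported bug); with it on, a merely assumed realm yields to --realm."""
    if provided_realm is None:
        return result.realm, None
    if result.realm != provided_realm:
        if accept_provided_when_assumed and result.realm_source == "assumed":
            return provided_realm, None
        return None, (f"The provided realm name [{provided_realm}] does not "
                      f"match discovered one [{result.realm}]")
    return provided_realm, None
```

A realm learned from DNS or LDAP is still checked against --realm in both modes; only the guessed value is overridden.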