Description of problem:
As reported on freeipa-users in
https://www.redhat.com/archives/freeipa-users/2016-January/msg00341.html
when anonymous LDAP access is disabled, the _kerberos DNS TXT record is not configured and the realm does not match the domain, ipa-client-install derives a realm from the domain and then fails because it differs from the realm passed on the command line:
2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=<MYDOMAIN>, servers=['<FQDN IPA SERVER>'], hostname=<FQDN IPA CLIENT>
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of _kerberos.<MYDOMAIN>.
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that <FQDN IPA SERVER> (realm None) is an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://<FQDN IPA SERVER>:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Generated basedn from realm: dc=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=<MYDOMAIN>, kdc=None, basedn=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Validated servers: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS discovery
2016-01-20T14:55:48Z DEBUG will use provided server: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered realm: <MYDOMAIN>
2016-01-20T14:55:48Z ERROR The provided realm name [<MYREALM>] does not match discovered one [<MYDOMAIN>]
2016-01-20T14:55:48Z DEBUG (<MYDOMAIN>: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
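To make the discovery order in the log above concrete, here is an added Python model of it; this is example code written for this page, not FreeIPA's own ipa-client-install code. It walks the same three stages (Kerberos TXT lookup, anonymous LDAP check, "assume realm is the same as domain"), reproduces the mismatch error, and contrasts it with the behaviour the report asks for, where the realm given with --realm is kept when discovery cannot determine one. The domain, realm, lookup callables and record values are constructed so the model runs offline.

```python
"""Model of ipa-client-install's realm discovery for the case in this bug.

Added example, not FreeIPA's own code. It reproduces the decision order
shown in the log (Kerberos TXT record, then anonymous LDAP, then "assume
realm == domain") and contrasts it with the behaviour the report asks for:
keep the realm given with --realm when discovery cannot determine one.
Lookups are injected as callables so the model runs offline on constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"
SUCCESS = "SUCCESS"


@dataclass
class Discovery:
    status: str
    realm: Optional[str]
    realm_source: str      # "dns_txt", "ldap", "command_line" or "assumed"
    basedn: Optional[str]


def basedn_from_realm(realm: str) -> str:
    """'IPA.EXAMPLE.TEST' -> 'dc=ipa,dc=example,dc=test' (the log's basedn step)."""
    return ",".join("dc=" + label.lower() for label in realm.split("."))


def discover(domain: str, provided_realm: Optional[str],
             txt_lookup: Callable[[str], Optional[str]],
             ldap_realm_lookup: Callable[[], Optional[str]],
             prefer_provided_realm: bool) -> Discovery:
    """Walk the same stages as the log. prefer_provided_realm=False models the
    behaviour this bug describes; True models the behaviour the report requests."""
    # [Kerberos realm search]: the _kerberos TXT record carries the realm name.
    txt = txt_lookup(f"_kerberos.{domain}.")
    if txt:
        realm = txt.strip('"')
        return Discovery(SUCCESS, realm, "dns_txt", basedn_from_realm(realm))

    # [LDAP server check]: anonymous bind to read the realm; None models
    # "LDAP Error: Anonymous access not allowed".
    realm = ldap_realm_lookup()
    if realm:
        return Discovery(SUCCESS, realm, "ldap", basedn_from_realm(realm))

    # Neither source answered. The reported code assumes realm == domain;
    # the requested behaviour keeps the operator-supplied --realm instead.
    if prefer_provided_realm and provided_realm:
        return Discovery(NO_ACCESS_TO_LDAP, provided_realm, "command_line",
                         basedn_from_realm(provided_realm))
    assumed = domain.upper()  # upper-casing is modelled; the log's placeholders hide the case
    return Discovery(NO_ACCESS_TO_LDAP, assumed, "assumed", basedn_from_realm(assumed))


def check_realm(disc: Discovery, provided_realm: str) -> Optional[str]:
    """Return the error the client logs, or None when installation can continue."""
    if disc.realm != provided_realm:
        return (f"The provided realm name [{provided_realm}] does not match "
                f"discovered one [{disc.realm}]")
    return None


# Constructed scenario matching the bug: domain and realm differ, no TXT
# record is published and anonymous LDAP access is disabled on the server.
DOMAIN = "example.test"
REALM = "IPA.EXAMPLE.TEST"


def no_txt(_name: str) -> Optional[str]:
    return None                        # "No DNS record found"


def ldap_denied() -> Optional[str]:
    return None                        # "Anonymous access not allowed"


def txt_published(name: str) -> Optional[str]:
    # The workaround from the closing comment: publish the realm in DNS.
    return f'"{REALM}"' if name == f"_kerberos.{DOMAIN}." else None


def run_scenario(txt_lookup: Callable[[str], Optional[str]],
                 prefer_provided_realm: bool) -> Optional[str]:
    """Run discovery with the constructed inputs and return the resulting error, if any."""
    disc = discover(DOMAIN, REALM, txt_lookup, ldap_denied, prefer_provided_realm)
    return check_realm(disc, REALM)


if __name__ == "__main__":
    print("reported behaviour:  ", run_scenario(no_txt, False))
    print("requested behaviour: ", run_scenario(no_txt, True))
    print("with TXT workaround: ", run_scenario(txt_published, False))
```

Running the block prints the mismatch error for the reported behaviour, None once the provided realm is preferred, and None again when the _kerberos TXT record is published even with the original decision order, which is why the closing comment's workaround clears the failure.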
In such a case, instead of assuming the realm, the client should accept the one passed via the --realm option.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Configure a FreeIPA server without DNS, with a domain different from the realm and with anonymous LDAP access disabled
2. Install the client with the --server, --domain and --realm options
Actual results:
Installation fails
Expected results:
Installation succeeds
Additional info:
This bug is fixed in RHEL 7 and FreeIPA 4.x upstream releases.
It is present only under a specific situation. The suggestion is to break the situation, e.g. by creating a DNS Kerberos TXT record for the IPA domain and providing the domain using the --domain option.
Therefore this bug doesn't qualify for a fix in RHEL 6.
Feel free to reopen with appropriate justification.