Created attachment 1669833 [details] Screenshot Description of problem: When enrolling against an Active Directory domain controller, the enrollment completes, but the modal dialog is not dismissed and displays an alert (!) notification. When clicking on "More", the alert is cleared but the dialog now appears to be back to the state from before "Join" was clicked. Version-Release number of selected component (if applicable): cockpit-213-1.fc32 realmd-0.16.3-22.fc32 How reproducible: Every time Steps to Reproduce: 1. Install Fedora 32 Beta from RC 1.2. 2. Connect to the cockpit web interface and sign in as a privileged user. 3. On the Overview page, click "Join Domain" 4. Provide the necessary information for the modal dialog to enroll with a real Active Directory server. Actual results: See screenshot. The dialog gives the impression that it has failed. Clicking "Join" a second time will report that the machine is already enrolled in a domain. Expected results: The modal dialog should indicate success properly to avoid user confusion. Additional info:
Hello Stephen, thanks for the report! Does that joining actually succeed? I. e. does "realm list -v" show that you joined the domain, and does reloading the cockpit UI show it on the front page? I. e. was this a bogus error message, or there was an error that cockpit didn't display properly? Do you still have the journal around the time when you joined? Could you please copy&paste it here? We only test Cockpit against FreeIPA, as we don't have access to an AD server, so that's difficult for us to reproduce.
(In reply to Martin Pitt from comment #1) > Hello Stephen, thanks for the report! > > Does that joining actually succeed? I. e. does "realm list -v" show that you > joined the domain, and does reloading the cockpit UI show it on the front > page? I. e. was this a bogus error message, or there was an error that > cockpit didn't display properly? > Yes, the join actually succeeds. You can even make it out in the background behind the modal dialog. > Do you still have the journal around the time when you joined? Could you > please copy&paste it here? > I do not, but I can get you access to an AD server against which to test. > We only test Cockpit against FreeIPA, as we don't have access to an AD > server, so that's difficult for us to reproduce.
Looking at the code, the Alert bar is supposed to show the exception from the org.freedesktop.realmd.Kerberos.Join() D-Bus method. Apparently we are getting an empty exception there. We also log the error to the console, so if you try this while having it open (Ctrl+Shift+J), you should see something like "Failed to join domain: " + realm.Name + ": " + ex but supposedly "ex" is also empty. Still worth a try though, in case it's just a HTML formatting issue. The "More" bit comes from realmd's "org.freedesktop.realmd.Service.Diagnostics" signal. What happens if you try "realm -v join" on the command line? For me it just locks up after "Password for Administrator:", which is presumably bug 1817869 all over again. Maybe for you it gets further and shows some error message/diagnostics even though joining the domain succeeds?
bug 1817869 made some progress, and there's a simple workaround. So I was able to try that myself. On the CLI, there is no error. On the cockpit UI it looks a bit different than for you, though. The JS console says Failed to join domain: windows.sgallagh.rht: IPA client is not configured on this system IPA client is not configured on this system and that's also what I see in the dialog: "IPA client is not configured on this system IPA client is not configured on this system More". Not sure why realm's error message contains the same string twice.. Clicking on "More" doesn't show anything (that's certainly a bug), then the machine apepars joined, at least "realm list" says it's part of the WINDOWS.SGALLAGH.RHT domain. So I can reproduce enough of that bug to get working (figure out the broken "More" and why it complains about IPA client), I just can't reproduce the empty error message that you see.
I sent https://github.com/cockpit-project/cockpit/pull/13802 to fix the bug with clicking "More.." hiding the verbose install log. This also happens with FreeIPA, so I covered that in a test case now. However, the verbose install look looks pretty well exactly like the "realm join" output, and there is no error message or anything about "ipa". This comes from install_ws_credentials() which does some FreeIPA specific operations after joining. Indeed we need to fix that to only run if we are actually joining an IPA domain, not an AD one.
I fixed the actual join error in https://github.com/cockpit-project/cockpit/pull/13803 . This should complete this bug report. Thanks again Stephen for letting me access your AD server! I only joined and left a few times, I didn't actually do anything there.
This was fixed in version 215, which is in Fedora 31/32/rawhide.