Ticket #53 (new defect)
Opened 3 months ago
Last modified 1 week ago

ipa-client-install query about domain names when DNS is not available to autofill data is insufficiently precise

Reported by: Suzanne Hillman <shillman>
Assigned to: simo
Priority: major
Milestone:
Component: ipa-client
Version:
Keywords:
Cc:

Description

ipa-client-install query about domain names when DNS is not available to autofill data is insufficiently precise, such that it is not possible to tell if the domain name information desired is that of the client or the server (if they are not in the same domain).

e.g.:

[root@dhcp83-110 ~]# ipa-client-install
Failed to determine your DNS domain (DNS misconfigured?)
Please provide your domain name (ex: example.com):

Change History

2008-01-15 11:58:56 changed by rcritten

It is the domain of the master but even more so, it is the domain used when IPA was configured as far as I can tell.

The domain is used to set up LDAP search queries for identifying users, etc. for pam. That goes into /etc/ldap.conf.

So for example you could have your IPA server on ipa.corp.example.com but have the realm in IPA as example.com.

If you enter the wrong thing it does seem that there is plenty of warning that the client install tool can't figure out what the heck is going on.

2008-01-15 12:55:31 changed by rcritten

The warnings are pretty harsh and could lead someone to believe their DNS is misconfigured when it isn't.

For example, if discovery doesn't work you'll see:

Failed to determine your DNS domain (DNS misconfigured?)
Please provide your domain name (ex: example.com):

This doesn't mean that DNS is misconfigured, just that it lacks the auto-discovery entries.

If you get past that you'll get:

Failed to find the IPA Server (DNS misconfigured?)
Please provide your server name (ex: ipa.example.com):

Again, DNS could be perfectly fine.

Is it a safe assumption that if the DNS domain name can't be auto-discovered that the IPA server will fail as well?
2008-01-15 13:18:27 changed by simo

In theory we request admins to correctly set up their DNS to provide the SRV records we need. Not doing so IMO can be marked as a DNS misconfiguration.

The Domain name may not be discoverable because our host domain name is not a child of the IPA domain.

e.g.:
domain = corp.example.com
our name = client1.cli.example.com

If the SRV records are on corp.redhat.com then the domain discovery may fail but once that is solved the SRV records for ldap and kerberos should be found. If not, then, it means you have no SRV records at all anywhere.
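The two-stage discovery described in the comment above, as an added example that is not part of the ticket and is not ipa-client-install's own code. It assumes the client walks up the parent domains of its own host name looking for `_ldap._tcp` and `_kerberos._udp` SRV records; the zone data is constructed from the host names in the comment and no real DNS query is made.

```python
# Added illustration with constructed data; not code from ipa-client-install.
SRV_NAMES = ("_ldap._tcp", "_kerberos._udp")  # assumed service labels

# Constructed zone: SRV records are published only under the IPA domain.
# Each record is (priority, weight, port, target).
CONSTRUCTED_SRV = {
    "_ldap._tcp.corp.example.com": [(0, 100, 389, "ipa.corp.example.com")],
    "_kerberos._udp.corp.example.com": [(0, 100, 88, "ipa.corp.example.com")],
}

def candidate_domains(fqdn):
    """Parent domains of a host name, most specific first, stopping before the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def lookup_srv(name, zone=CONSTRUCTED_SRV):
    """Stand-in for a DNS SRV query against the constructed zone."""
    return zone.get(name, [])

def discover_domain(fqdn, zone=CONSTRUCTED_SRV):
    """Stage 1 (assumed): first parent domain that publishes an LDAP SRV record."""
    for domain in candidate_domains(fqdn):
        if lookup_srv(f"_ldap._tcp.{domain}", zone):
            return domain
    return None  # the installer would now prompt for the IPA server's domain

def discover_servers(domain, zone=CONSTRUCTED_SRV):
    """Stage 2: SRV targets for LDAP and Kerberos once the domain is known."""
    found = {}
    for service in SRV_NAMES:
        records = sorted(lookup_srv(f"{service}.{domain}", zone))
        found[service] = [(target, port) for _prio, _weight, port, target in records]
    return found

if __name__ == "__main__":
    host = "client1.cli.example.com"
    print("searched:", candidate_domains(host))
    print("discovered domain:", discover_domain(host))
    # After the admin supplies the IPA domain by hand, stage 2 succeeds.
    print("servers:", discover_servers("corp.example.com"))
    # A domain with no SRV records at all leaves both lists empty.
    print("servers:", discover_servers("example.com"))
```

With this data a client in cli.example.com never queries corp.example.com, so the first prompt appears even though the zone itself is correctly populated.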
Not entirely sure why this claims to be needinfo me...
To get a suggestion for a better error message.
Well, rather than 'your domain name' when asking for it to be provided, how about 'the IPA server's domain name'? Or 'the domain name used when setting up your IPA server'?
I've been through this and I don't have any control over any of the error messages, doc, or whatever. I think Suzanne was just suggesting a more informative/useful message be popped up during the client install if service discovery isn't working. Sending back to Rob...
David, we were looking for some word-smithing from you :-)
Created attachment 307227 [details] try to clear up the request for input
master: e935287f6ea8b9b6ae8c33a074ecada156e058c9 ipa-1-0: f1233427262cc0bb6db20ab211524a0dd0da9a0d
I had a look at the revised text in the patch and it looks fine, except we use "e.g." and not "ex." for "for example".
QA Verified on June 9, 2008 (Yi)
Build used: June 9, 2008 (64bit RHEL 5.2)

The revised text looks fine to me; here is the complete test and message output.

ipaclient[06/10/08 03:17]~> ipa-client-install
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): ipaqa.com
DNS discovery failed to find the IPA Server
Please provide your IPA server name (ex: ipa.example.com): ipaserver.ipaqa.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure.
Do you want to proceed and configure the system with fixed values with no DNS discovery? [y/N]: y
Realm: IPAQA.COM
DNS Domain: ipaqa.com
IPA Server: ipaserver.ipaqa.com
BaseDN: dc=ipaqa,dc=com
Continue to configure the system with these values? [y/N]: y
Created /etc/ipa/ipa.conf
Configured /etc/ldap.conf
Configured /etc/krb5.conf for IPA realm IPAQA.COM
LDAP enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
ipaclient[06/10/08 12:28]~> kinit admin
Password for admin:
ipaclient[06/10/08 12:28]~> ipa-finduser u101
Full Name: user 101
Home Directory: /home/u101
Login Shell: /bin/bash
Login: u101