Bug 430001 - ipa-client-install query about domain names when DNS is not available to autofill data is insufficiently precise
Product: freeIPA
Classification: Community
Component: ipa-client
All Linux
medium Severity medium
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: freeipa10 429034
Reported: 2008-01-24 01:30 EST by Chandrasekar Kannan
Modified: 2012-03-27 03:15 EDT
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 03:15:10 EDT

Attachments:
try to clear up the request for input (1.86 KB, patch)
2008-05-30 14:45 EDT, Rob Crittenden
Description Chandrasekar Kannan 2008-01-24 01:30:18 EST
Ticket #53 (new defect)

Opened 3 months ago

Last modified 1 week ago
ipa-client-install query about domain names when DNS is not available to autofill data is insufficiently precise
Reported by: Suzanne Hillman <shillman@redhat.com>
Assigned to: simo
Priority: major
Component: ipa-client
Description

ipa-client-install query about domain names when DNS is not available to autofill data is insufficiently precise, such that it is not possible to tell if the domain name information desired is that of the client or the server (if they are not in the same domain).

e.g.:

[root@dhcp83-110 ~]# ipa-client-install
Failed to determine your DNS domain (DNS misconfigured?)
Please provide your domain name (ex: example.com):
Change History
2008-01-15 11:58:56 changed by rcritten

It is the domain of the master but even more so, it is the domain used when IPA was configured as far as I can tell.

The domain is used to set up LDAP search queries for identifying users, etc. for pam. That goes into /etc/ldap.conf

So for example you could have your IPA server on ipa.corp.example.com but have the realm in IPA as example.com.

If you enter the wrong thing it does seem that there is plenty of warning that the client install tool can't figure out what the heck is going on.
2008-01-15 12:55:31 changed by rcritten

The warnings are pretty harsh and could lead someone to believe their DNS is misconfigured when it isn't.

For example, if discovery doesn't work you'll see:

Failed to determine your DNS domain (DNS misconfigured?)
Please provide your domain name (ex: example.com):

This doesn't mean that DNS is misconfigured, just that it lacks the auto-discovery entries.

If you get past that you'll get:

Failed to find the IPA Server (DNS misconfigured?)
Please provide your server name (ex: ipa.example.com):

Again, DNS could be perfectly fine.

Is it a safe assumption that if the DNS domain name can't be auto-discovered that the IPA server will fail as well?
2008-01-15 13:18:27 changed by simo

In theory we request admins to correctly set up their DNS to provide the SRV records we need. Not doing so IMO can be marked as a DNS misconfiguration. The Domain name may not be discoverable because our host domain name is not a child of the IPA domain. e.g.: domain = corp.example.com our name = client1.cli.example.com

If the SRV records are on corp.redhat.com then the domain discovery may fail but once that is solved the SRV records for ldap and kerberos should be found. If not, then, it means you have no SRV records at all anywhere.
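
A simplified model of the discovery behaviour described in the change history above, added here as an illustration and not taken from ipa-client-install: the zone data, the function names and the parent-domain walk are assumptions. It shows why a host in cli.example.com finds no SRV records published under corp.example.com until the IPA server's domain is supplied, and how the BaseDN and realm shown in the install summary follow from that domain.

```python
# Simplified model of SRV-based discovery; not ipa-client-install's own code.
# Constructed sample zone: SRV records exist only under corp.example.com.
SRV_RECORDS = {
    "_ldap._tcp.corp.example.com": ["ipa.corp.example.com"],
    "_kerberos._udp.corp.example.com": ["ipa.corp.example.com"],
}


def lookup_srv(name):
    """Stand-in for a DNS SRV query, answered from the constructed zone."""
    return SRV_RECORDS.get(name.lower().rstrip("."), [])


def candidate_domains(hostname):
    """Parent domains of the host, most specific first, stopping before the TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def discover(hostname, domain=None):
    """Return (domain, servers, autodiscovered); servers is empty on failure."""
    if domain is not None:
        # The admin answered the prompt with the IPA server's domain.
        return domain, lookup_srv("_ldap._tcp." + domain), False
    for cand in candidate_domains(hostname):
        servers = lookup_srv("_ldap._tcp." + cand)
        if servers:
            return cand, servers, True
    return None, [], False


def derived_settings(domain):
    """BaseDN and Kerberos realm implied by the domain, as in the install summary."""
    base_dn = ",".join("dc=" + label for label in domain.lower().split("."))
    return base_dn, domain.upper()


if __name__ == "__main__":
    # Host outside the IPA domain: no parent domain carries the SRV records.
    print(discover("client1.cli.example.com"))
    # Same host once the IPA server's domain is entered at the prompt.
    print(discover("client1.cli.example.com", "corp.example.com"))
    # Host inside the IPA domain: discovery succeeds unaided.
    print(discover("client2.corp.example.com"))
    print(derived_settings("ipaqa.com"))
```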
Comment 3 Suzanne Hillman 2008-04-01 14:50:14 EDT
Not entirely sure why this claims to be needinfo me...
Comment 4 Rob Crittenden 2008-04-01 14:53:13 EDT
To get a suggestion for a better error message.
Comment 5 Suzanne Hillman 2008-04-01 16:22:49 EDT
Well, rather than 'your domain name' when asking for it to be provided, how
about 'the IPA server's domain name'? Or 'the domain name used when setting up
your IPA server'?
Comment 6 David O'Brien 2008-05-28 01:02:07 EDT
I've been through this and I don't have any control over any of the error
messages, doc, or whatever.

I think Suzanne was just suggesting a more informative/useful message be popped
up during the client install if service discovery isn't working.

Sending back to Rob...
Comment 7 Rob Crittenden 2008-05-28 09:30:26 EDT
David, we were looking for some word-smithing from you :-)
Comment 8 Rob Crittenden 2008-05-30 14:45:20 EDT
Created attachment 307227 [details]
try to clear up the request for input
Comment 9 Rob Crittenden 2008-05-30 15:48:52 EDT
master: e935287f6ea8b9b6ae8c33a074ecada156e058c9
ipa-1-0: f1233427262cc0bb6db20ab211524a0dd0da9a0d
Comment 10 David O'Brien 2008-05-31 15:08:08 EDT
I had a look at the revised text in the patch and it looks fine, except we use
"e.g." and not "ex." for "for example".
Comment 11 Yi Zhang 2008-06-10 18:18:29 EDT
QA Verified on June 9, 2008 (Yi)
Build used: June 9, 2008 (64bit RHEL 5.2)

The revised text looks fine to me; here is the complete test and message output.

ipaclient[06/10/08 03:17]~> ipa-client-install 
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): ipaqa.com
DNS discovery failed to find the IPA Server
Please provide your IPA server name (ex: ipa.example.com): ipaserver.ipaqa.com

The failure to use DNS to find your IPA server indicates that your
resolv.conf file is not properly configured.

Autodiscovery of servers for failover cannot work with this configuration.

If you proceed with the installation, services will be configured to always
access the discovered server for all operation and will not fail over to
other servers in case of failure.

Do you want to proceed and configure the system with fixed values with no DNS
discovery? [y/N]: y

DNS Domain: ipaqa.com
IPA Server: ipaserver.ipaqa.com
BaseDN: dc=ipaqa,dc=com

Continue to configure the system with these values? [y/N]: y

Created /etc/ipa/ipa.conf
Configured /etc/ldap.conf
Configured /etc/krb5.conf for IPA realm IPAQA.COM
LDAP enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
ipaclient[06/10/08 12:28]~> kinit admin
Password for admin@IPAQA.COM: 
ipaclient[06/10/08 12:28]~> ipa-finduser u101
Full Name: user 101
Home Directory: /home/u101
Login Shell: /bin/bash
Login: u101
