Description of problem: You can install ipa-admintools onto any random client and they may simply fail to work with very strange GSSAPI results, particularly if you aren't using DNS discovery.
Expected results: We need to see what is being returned to the tools in this case. It may be an empty set which we can catch and display. The default /etc/ipa/ipa.conf has bogus entries for server and realm. We probably need to NULL those out.
One way to make sure the machine is properly configured could be to have a non-default option in ipa.conf. When running tools we check for that and direct users to use ipa-client-install or to proper documentation on what needs to be configured (I mean we do both). Would that suffice?
I think just putting blank entries into /etc/ipa/ipa.conf by default will do the trick. rpcclient.py will need to be updated to handle this case as well. If it gets no servers to try it should say so in a helpful way. Currently an unconfigured client tries to connect to realm.foo.bar, which is why we get the GSSAPI error.
Created attachment 298288: Play nice on unconfigured systems
Committed in changeset 720
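The behaviour discussed in the comments above (blank server/realm entries, and a clear message when there is no server to try) can be sketched as follows; this is an added example, not the attached patch or the project's rpcclient.py. The `[defaults]` section layout, the lookup order, the whitespace-separated server list and the injected `dns_lookup` callable are assumptions made for illustration.

```python
import configparser

NO_SERVER_MSG = ("IPA server not found in DNS, in the config file "
                 "(/etc/ipa/ipa.conf) or on the command line.")


class NoServerError(Exception):
    """Raised when no candidate IPA server is available."""


def config_servers(conf_text):
    """Return server names from ipa.conf text; blank or missing means none.

    Assumed layout: a [defaults] section whose 'server' key holds zero
    or more whitespace-separated host names.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get("defaults", "server", fallback="").split()


def resolve_servers(cli_server=None, conf_text="", dns_lookup=lambda: []):
    """Pick servers in this (assumed) order: command line, config, DNS.

    dns_lookup is a hypothetical callable returning host names; it is
    injected so the example runs offline.
    """
    if cli_server and cli_server.strip():
        return [cli_server.strip()]
    servers = config_servers(conf_text)
    if not servers:
        servers = list(dns_lookup())
    if not servers:
        # Fail before any connection or GSSAPI negotiation is attempted.
        raise NoServerError(NO_SERVER_MSG)
    return servers


# Constructed sample configs, not the shipped /etc/ipa/ipa.conf.
BLANK_CONF = "[defaults]\nserver =\nrealm =\n"
SET_CONF = ("[defaults]\nserver = ipa1.example.com ipa2.example.com\n"
            "realm = EXAMPLE.COM\n")
```
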
I ran all the ipa-admintools on an unconfigured system. The system has RHEL 5.1 and then I installed ipa-admintools on top of it. That's it. All tools behave the same except ipa-pwpolicy. Don't know why.

/usr/sbin/ipa-adddelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-addgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-addservice
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-adduser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-deldelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-delgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-delservice
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-deluser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-findgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-findservice
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-finduser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-listdelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-lockuser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-moddelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-modgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-moduser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-passwd
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the command line.
/usr/sbin/ipa-pwpolicy
No module named validate

Re-opening for dev to look at it... In any case, not a beta blocker. I'll lower the priority down...
I can't reproduce this. The validate module is installed in RHEL 5 in python-configobj as a dependency on TurboGears. Did you run this on a client after installing just ipa-client and ipa-admintools? We may need a new dependency on ipa-admintools.
QA Verified on May 29, 2008 (Yi)
Build used: May 29, 2008 (i386)

What I see from current implementation is below:

[root@ipaclient ~]# /usr/sbin/ipa-addgroup
Group name: uio
Description: hkiluoiuoi
Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/No credentials cache found

And it makes sense since there is no way to do kinit if client hasn't initialized.

Bug closed