Bug 705800 - Improve debug logging in ipa-client-install
Summary: Improve debug logging in ipa-client-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-18 14:08 UTC by Rob Crittenden
Modified: 2015-01-04 23:48 UTC (History)
6 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: If installing an IPA client fails it is not always clear why. Consequence: Debugging some installation failures can be very difficult. Fix: Add more debugging to the IPA client installation log, /var/log/ipaclient-install.log, so that problems can be more easily debugged. Result: Reasons for failure are more apparent.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:22:25 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Rob Crittenden 2011-05-18 14:08:15 UTC
Description of problem:

For enrollment using Kerberos credentials we create a temporary krb5.conf. The contents of this should be logged at debug log level for debugging purposes. We also attempt to update DNS and create a nsupdate file, this should be logged as well.

It is not easy/possible to discern the contents of these using other information from the current logs.

Comment 2 Rob Crittenden 2011-05-18 14:47:15 UTC
Once the patches are applied, to verify the bug:

Look in /var/log/ipaclient-install.log for:

Writing Kerberos configuration to /tmp/XXXXXXXX

You should see a copy of the temporary krb5.conf used during enrollment.

and

Writing nsupdate commands to /tmp/XXXXXXXXX

It should contain the nsupdate sent to the IPA server. It will look something
like:

zone example.com.
update delete lion.example.com. IN A
send
update add lion.example.com. 1200 IN A 192.168.166.32
send

Comment 4 Rob Crittenden 2011-05-27 16:23:15 UTC
master: 8472dc26b7e261090b73e0dba488df23917830fa

ipa-2-0: d615e45a8f99af25086aef03ae8b724be630d48a 

and

master: 8472dc26b7e261090b73e0dba488df23917830fa

ipa-2-0: d615e45a8f99af25086aef03ae8b724be630d48a

Comment 10 Jenny Severance 2011-09-21 18:22:38 UTC
partially verified:

<snip_of_install_log>
2011-09-21 13:49:52,547 DEBUG Writing Kerberos configuration to /tmp/tmplwFeOn:
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }
</snip>

However, I do not see any debug output for nsupdate

Comment 11 Rob Crittenden 2011-09-21 18:40:45 UTC
To see the nsupdate output you need to either add the command-line option --enable-dns-updates or have the client configured to use the IPA DNS but not have the client hostname in DNS.

Comment 12 Namita Soman 2011-09-22 15:51:09 UTC
Will test with above options

Comment 13 Namita Soman 2011-09-22 17:32:46 UTC
Verified using ipa-client-2.1.1-3.el6.x86_64

Installed using cmd:
ipa-client-install --enable-dns-updates


In addition to the debug section for kerberos in the log, also saw:
<snip_of_install_log>
2011-09-22 13:27:39,096 DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:

zone testrelm.
update delete ipaqavmh.testrelm. IN A
send
update add ipaqavmh.testrelm. 1200 IN A 10.16.98.193
send
</snip>

Comment 14 Rob Crittenden 2011-10-31 18:36:48 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: If installing an IPA client fails it is not always clear why.
Consequence: Debugging some installation failures can be very difficult.
Fix: Add more debugging to the IPA client installation log, /var/log/ipaclient-install.log, so that problems can be more easily debugged.
Result: Reasons for failure are more apparent.

Comment 15 errata-xmlrpc 2011-12-06 18:22:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.