705800 – Improve debug logging in ipa-client-install

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 705800 - Improve debug logging in ipa-client-install

Summary: Improve debug logging in ipa-client-install

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-05-18 14:08 UTC by Rob Crittenden
Modified:	2015-01-04 23:48 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-2.1.0-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: If installing an IPA client fails it is not always clear why. Consequence: Debugging some installation failures can be very difficult. Fix: Add more debugging to the IPA client installation log, /var/log/ipaclient-install.log, so that problems can be more easily debugged. Result: Reasons for failure are more apparent.
Clone Of:
Environment:
Last Closed:	2011-12-06 18:22:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Rob Crittenden 2011-05-18 14:08:15 UTC

Description of problem:

For enrollment using Kerberos credentials we create a temporary krb5.conf. The contents of this should be logged at debug log level for debugging purposes. We also attempt to update DNS and create a nsupdate file, this should be logged as well.

It is not easy/possible to discern the contents of these using other information from the current logs.

Comment 2 Rob Crittenden 2011-05-18 14:47:15 UTC

Once the patches are applied, to verify the bug:

Look in /var/log/ipaclient-install.log for:

Writing Kerberos configuration to /tmp/XXXXXXXX

You should see a copy of the temporary krb5.conf used during enrollment.

and

Writing nsupdate commands to /tmp/XXXXXXXXX

It should contain the nsupdate sent to the IPA server. It will look something
like:

zone example.com.
update delete lion.example.com. IN A
send
update add lion.example.com. 1200 IN A 192.168.166.32
send

Comment 3 Dmitri Pal 2011-05-18 18:21:13 UTC

https://fedorahosted.org/freeipa/ticket/1093
https://fedorahosted.org/freeipa/ticket/1094

Comment 4 Rob Crittenden 2011-05-27 16:23:15 UTC

master: 8472dc26b7e261090b73e0dba488df23917830fa

ipa-2-0: d615e45a8f99af25086aef03ae8b724be630d48a 

and

master: 8472dc26b7e261090b73e0dba488df23917830fa

ipa-2-0: d615e45a8f99af25086aef03ae8b724be630d48a

Comment 10 Jenny Severance 2011-09-21 18:22:38 UTC

partially verified:

<snip_of_install_log>
2011-09-21 13:49:52,547 DEBUG Writing Kerberos configuration to /tmp/tmplwFeOn:
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }
</snip>

However, I do not see any debug output for nsupdate

Comment 11 Rob Crittenden 2011-09-21 18:40:45 UTC

To see the nsupdate output you need to either add the command-line option --enable-dns-updates or have the client configured to use the IPA DNS but not have the client hostname in DNS.

Comment 12 Namita Soman 2011-09-22 15:51:09 UTC

Will test with above options

Comment 13 Namita Soman 2011-09-22 17:32:46 UTC

Verified using ipa-client-2.1.1-3.el6.x86_64

Installed using cmd:
ipa-client-install --enable-dns-updates


In addition to the debug section for kerberos in the log, also saw:
<snip_of_install_log>
2011-09-22 13:27:39,096 DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:

zone testrelm.
update delete ipaqavmh.testrelm. IN A
send
update add ipaqavmh.testrelm. 1200 IN A 10.16.98.193
send
</snip>

Comment 14 Rob Crittenden 2011-10-31 18:36:48 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: If installing an IPA client fails it is not always clear why.
Consequence: Debugging some installation failures can be very difficult.
Fix: Add more debugging to the IPA client installation log, /var/log/ipaclient-install.log, so that problems can be more easily debugged.
Result: Reasons for failure are more apparent.

Comment 15 errata-xmlrpc 2011-12-06 18:22:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.