Red Hat Bugzilla – Bug 733009
ipa-client-install says system configured after an unsuccessful run
Last modified: 2015-01-04 18:50:44 EST
Description of problem:

If ipa-client-install fails with IPA 2.0 (e.g., due to ipa-join failing, ref: bug 732468) then when running ipa-client-install again it will try to configure the system as expected. However, with IPA 2.1 in the same situation when running ipa-client-install for the second time it says "IPA client is already configured on this system." In both cases essential configuration files like krb5.conf and sssd.conf have not been updated so the system is clearly unconfigured.

Version-Release number of selected component (if applicable):

IPA 2.1
Can you provide details on where the client installer failed? Can you attach /var/lib/ipa-client/sysrestore/sysrestore.index?
> Can you provide details on where the client installer failed?

After entering the admin password this is printed:

"Joining realm failed: HTTP response code is 500, not 200"

This was caused by the known issue with A/PTR mismatch as discussed in bug 732468.

> Can you attach /var/lib/ipa-client/sysrestore/sysrestore.index

It only has:

    [files]
    63b72c9e823af994-network = 33188,0,0,/etc/sysconfig/network

Thanks.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1704
Would it be sufficient to fix by adding more text to the message: "IPA client is already configured on this system. If you want to repair a broken installation run 'ipa-client-install --uninstall --U' to uninstall client software and then try again."
The problem is that /etc/sysconfig/network gets set before we attempt to enroll. This isn't getting rolled-back on unsuccessful enrollment attempts. So we need to either set network after enrollment or roll back that change when installation fails.
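An added example (not part of the original report and not FreeIPA's own code): the leftover state described in the comment above can be spotted by parsing sysrestore.index, whose entry format is the one quoted earlier in this report. The field meanings (mode, uid, gid, path), the full paths used for krb5.conf and sssd.conf, and the three status labels are assumptions made for illustration.

```python
import configparser
import stat

# Constructed sample: the index content quoted earlier in this report.
SAMPLE_INDEX = """[files]
63b72c9e823af994-network = 33188,0,0,/etc/sysconfig/network
"""

# The report names krb5.conf and sssd.conf as essential client config.
# Full paths are assumed here (standard locations), not taken from the page.
ESSENTIAL = {"/etc/krb5.conf", "/etc/sssd/sssd.conf"}


def parse_index(text):
    """Parse sysrestore.index text into a list of backed-up file records."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep backup names exactly as written
    cp.read_string(text)
    entries = []
    if cp.has_section("files"):
        for backup_name, value in cp.items("files"):
            # Assumed field order: st_mode, uid, gid, original path.
            mode, uid, gid, path = value.split(",", 3)
            entries.append({
                "backup": backup_name,
                "mode": stat.filemode(int(mode)),
                "uid": int(uid),
                "gid": int(gid),
                "path": path,
            })
    return entries


def assess(text):
    """Heuristic (assumption): classify what the saved state implies."""
    paths = {entry["path"] for entry in parse_index(text)}
    if not paths:
        return "unconfigured"
    if ESSENTIAL <= paths:
        return "configured"
    # Backups exist, but the essential files were never touched: the
    # half-finished state that triggers "already configured" in this bug.
    return "stale-partial"


if __name__ == "__main__":
    for entry in parse_index(SAMPLE_INDEX):
        print(entry["mode"], entry["uid"], entry["gid"], entry["path"])
    print("state:", assess(SAMPLE_INDEX))
```
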
Fixed upstream.

master: ad717bff3c8c176f2c3c983d1a743eac00af426e

ipa-2-1: 4cd65a1d6e432945ae3c86a49ebc236d845d9cbd
Tested using ipa-server-2.1.2-2.el6.x86_64

Steps taken:

1. the client doesn't have a host entry for the server in /etc/hosts.
2. install client, and the installation is unsuccessful
3. check /etc/sysconfig/network, and verify it is restored.
4. reinstall, and see same behaviour as above, and not the reported error that "when running ipa-client-install for the second time it says "IPA client is already configured on this system."

test result outputs:

    # ipa-client-install --hostname namita.testrelm
    Discovery was successful!
    Hostname: namita.testrelm
    Realm: TESTRELM
    DNS Domain: testrelm
    IPA Server: rhel62-server1.testrelm
    BaseDN: dc=testrelm
    Continue to configure the system with these values? [no]: y
    User authorized to enroll computers: admin
    Synchronizing time with KDC...
    Password for admin@TESTRELM:
    Joining realm failed: HTTP response code is 500, not 200
    Installation failed. Rolling back changes.

    # cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=rhel62-server2.testrelm

    # ipa-client-install --hostname namita.testrelm
    Discovery was successful!
    Hostname: namita.testrelm
    Realm: TESTRELM
    DNS Domain: testrelm
    IPA Server: rhel62-server1.testrelm
    BaseDN: dc=testrelm
    Continue to configure the system with these values? [no]: y
    User authorized to enroll computers: admin
    Synchronizing time with KDC...
    Password for admin@TESTRELM:
    Joining realm failed: HTTP response code is 500, not 200
    Installation failed. Rolling back changes.
A 500 error means that something bad happened on the server side. Can you see if a backtrace is in /var/log/httpd/error_log on the IPA server and include it here?
Not getting the 500 error since then...but it was very timely to see the error to help verify this bug. Verified that when this error was thrown, client was uninstalled, and all files were restored successfully. Tested with ipa-server-2.1.2-2.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html