Description of problem:
When ipa-client-install is run, it autodiscovers for existing LDAP servers and checks if it is a valid IPA server. During the process, it tries to download ca.crt. If the discovered target is unresponsive, ipa-client-install hangs and does not let the user override the autodiscovered server/domain.

Version-Release number of selected component (if applicable):
ipa-client-2.1.1-101.20111004T0103zgita013597.el6.x86_64

How reproducible:
Have an LDAP server with proper _ldap._tcp DNS SRV records in client domain and which would not return ca.crt (in my test it was ldap.corp.redhat.com) and run ipa-client-install.

Steps to Reproduce:
1. Have the LDAP server with DNS SRV records as described
2. Run ipa-client-install without --server or --domain options

Actual results:
ipa-client-install hangs:

# ipa-client-install -d
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(idm.lab.bos.redhat.com)]
root : DEBUG [ipadnssearchldap(lab.bos.redhat.com)]
root : DEBUG [ipadnssearchldap(bos.redhat.com)]
root : DEBUG [ipadnssearchldap(redhat.com)]
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]

Expected results:
ipa-client-install should time out, inform the user that the autodiscovery has failed and let the user enter his IPA server (which obviously does not have proper DNS SRV records)
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1960
Fixed upstream
master: 17f247d6c2aef177c40a690f886b0773a88a6dfa
ipa-2-1: 7227ffe86485bcfc9d97ce302120cfae56541a03
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When ipa-client-install tries to autodiscover IPA server in its domain, it does not use any timeout when a server is found and is being checked
Consequence: If the found server is unresponsive during the autodiscovery, the whole ipa-client-install gets stuck
Fix: A 30 second timeout is added to ipa-client-install autodiscovery server check
Result: ipa-client-install reports autodiscovery failure when the tested checked server is unresponsive and lets user set IPA server address manually
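
The cause and fix in the technical note above, as an added Python example that is not FreeIPA's own code: a CA-certificate check that is bounded by a timeout, run against a listener that accepts TCP connections but never answers. The names `fetch_ca_cert`, `discover_server` and `start_stalled_server` are hypothetical, the local listener is constructed for the demonstration, and only the 30 second value and the `/ipa/config/ca.crt` path come from this report.

```python
import http.client
import socket
import time
import urllib.request

CHECK_TIMEOUT = 30  # seconds, the bound named in the technical note
# Assumption of this example: bypass proxy environment variables.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_ca_cert(host, port=80, timeout=CHECK_TIMEOUT):
    """Return the bytes of /ipa/config/ca.crt, or None if the host fails or stalls."""
    url = "http://%s:%d/ipa/config/ca.crt" % (host, port)
    try:
        # timeout bounds each blocking socket call; it is not an overall deadline.
        with _opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except (OSError, http.client.HTTPException):
        return None


def discover_server(candidates, timeout=CHECK_TIMEOUT):
    """Return the first (host, port) that serves a CA cert, or None so the
    caller can report the failure and ask for the server manually."""
    for host, port in candidates:
        if fetch_ca_cert(host, port, timeout) is not None:
            return host, port
    return None


def start_stalled_server():
    """Constructed stand-in for an unresponsive host: the kernel completes
    the TCP handshake, but nothing ever accepts or answers the request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo(timeout=1.0):
    """Run discovery against the stalled listener; return (result, seconds)."""
    srv, port = start_stalled_server()
    try:
        start = time.monotonic()
        found = discover_server([("127.0.0.1", port)], timeout=timeout)
        return found, time.monotonic() - start
    finally:
        srv.close()
```

Calling `demo()` returns `None` for the server after roughly the timeout; passing `timeout=None` to `fetch_ca_cert` against the same listener reproduces the hang from the original report.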
testing
Verified using ipa-client-2.1.3-8.el6.x86_64

# ipa-client-install -d
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'preserve_sssd': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(testrelm)]
root : DEBUG [ipadnssearchldap(bos.redhat.com)]
root : DEBUG [ipadnssearchldap(redhat.com)]
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmp0INq5Z/ca.crt -T 15 -t 2 http://ldap.corp.redhat.com/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2011-11-04 10:43:23-- http://ldap.corp.redhat.com/ipa/config/ca.crt
Resolving ldap.corp.redhat.com... failed: Name or service not known.
wget: unable to resolve host address “ldap.corp.redhat.com”
root : DEBUG Retrieving CA from ldap.corp.redhat.com failed.
Command '/usr/bin/wget -O /tmp/tmp0INq5Z/ca.crt -T 15 -t 2 http://ldap.corp.redhat.com/ipa/config/ca.crt' returned non-zero exit status 4
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com):
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html