Description of problem:
ipa-client-install fails with the following error:

Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 1789, in <module>
    sys.exit(main())
  File "/sbin/ipa-client-install", line 1775, in main
    rval = install(options, env, fstore, statestore)
  File "/sbin/ipa-client-install", line 1531, in install
    configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server)
  File "/sbin/ipa-client-install", line 503, in configure_ipa_conf
    ipaconf.newConf(target_fname, opts)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py", line 450, in newConf
    output = self.dump(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py", line 156, in dump
    output += self.dump(o['value'], level+1)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py", line 164, in dump
    output += self.indent[level]+o['name']+self.dassign+o['value']+self.deol
TypeError: cannot concatenate 'str' and 'DN' objects

Version-Release number of selected component (if applicable):
freeipa-client-3.0.0-0.5.fc18.x86_64
This is running against a RHEL 6.3 IPA server

How reproducible:
run ipa-client-install, accept auto discovered defaults, wait for failure

Actual results:
The host entry is created on the IPA server, however the client is not configured properly.

Let me know what other information you may need.

Additional info:

Could you please attach a log from the failed IPA client install? I just tried several client installs on Fedora 18 against a RHEL 6.3 IPA server but I never hit this traceback:

# rpm -q freeipa-client
freeipa-client-3.0.0-0.5.fc18.x86_64
# ipa-client-install
Discovery was successful!
Hostname: vm-021.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.BOS.REDHAT.COM:
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Domain idm.lab.bos.redhat.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
trying https://vm-086.idm.lab.bos.redhat.com/ipa/session/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server 'http://vm-086.idm.lab.bos.redhat.com/ipa/session/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Created attachment 613699 [details] Install Log
If I had to guess, I would say it is because of one of these two settings being set on the IPA server:

nsslapd-minssf: 56
nsslapd-allow-anonymous-access: off

Now it is supposed to work with those settings, and indeed it used to.

Anyway, here is the log.

-Erinn

The error is a data conversion error, trying to concatenate incompatible data types. In this case something that is a DN with a string.

There is nothing in the logs or the traceback to tell us which option is the wrong type and I've been unable to duplicate this on my F-18 install.

The easiest way to find it would be to instrument your /usr/sbin/ipa-client-install. Can you add this before line 503?

    root_logger.debug('opts: %s' % opts)

It should look something like:

    target_fname = '/etc/ipa/default.conf'
    fstore.backup_file(target_fname)
    root_logger.debug('opts: %s' % opts)
    ipaconf.newConf(target_fname, opts)

Run ipa-client-install --uninstall, then re-configure the client like you had before. It will fail again but the log will have the options in it and one value should be ipapython.dn.DN(). That will quickly narrow down what the problem is.

Created attachment 613794 [details]
Install log with added debug

Ok here you go.

Perfect. The problem is the basedn itself:

{'type': 'option', 'name': 'basedn', 'value': ipapython.dn.DN('dc=foo,dc=com')}

Now why, I'm not sure yet, but you've narrowed things down a lot.

Thanks Erinn for the info. I will continue to try to find the reproduction on our VMs, but we can at least fix the symptom so that we don't crash and convert the DN object to str properly before constructing the /etc/ipa/default.conf file. I will open an upstream ticket for that.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3088
By the way, the reproduction scenario is now clear. As Erinn already pointed out, the key is in the forbidden anonymous access to the IPA server LDAP server:

1. On IPA server, set nsslapd-allow-anonymous-access to "off":

dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

2. On client, run ipa-client-install

This is the resulting log:

# ipa-client-install
Anonymous access to the LDAP server is disabled.
Proceeding without strict verification.
Note: This is not an error if anonymous access has been explicitly restricted.
Discovery was successful!
Hostname: vm-021.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.BOS.REDHAT.COM:
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 1833, in <module>
    sys.exit(main())
  File "/sbin/ipa-client-install", line 1819, in main
    rval = install(options, env, fstore, statestore)
  File "/sbin/ipa-client-install", line 1563, in install
    configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server)
  File "/sbin/ipa-client-install", line 505, in configure_ipa_conf
    ipaconf.newConf(target_fname, opts)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py", line 450, in newConf
    output = self.dump(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py", line 156, in dump
    output += self.dump(o['value'], level+1)
  File "/usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py", line 164, in dump
    output += self.indent[level]+o['name']+self.dassign+o['value']+self.deol
TypeError: cannot concatenate 'str' and 'DN' objects

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/79b89f41962985cf0ab96238b21409b5874f67f8
ipa-3-0: https://fedorahosted.org/freeipa/changeset/54bb2505656c13bc7cae1d66618c12d5d4859978

Inserting this change worked for me, ipa-client-install ran cleanly.

A couple of requests:

I assume you are going to put out a new package, but just a request to do so for Fedora 18.

Would you folks consider configuring an IPA server with one or the other, or both of these directives?

nsslapd-minssf: 56
nsslapd-allow-anonymous-access: off

The majority of issues I run across stem from one of these two directives being in place on my IPA servers. These are documented configuration options in the IPA guide, and well, since they are, I reckon they ought to be tested against.

Thanks,
-Erinn

Fixed in Fedora 18 and rawhide. Our unit tests have been updated to specifically test installation with these options.
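
The type check and the str conversion discussed in the comments above, as an added example that is not code from this bug report or from FreeIPA. It assumes a stand-in DN class, a simplified writer in place of ipachangeconf's dump(), and a constructed opts list shaped like the entry quoted in the thread; it generalises the one-line debug statement to report every non-string option by path.

```python
class DN(object):
    """Hypothetical stand-in for ipapython.dn.DN: DN-like, but not a str."""
    def __init__(self, value):
        self.value = value

    def __str__(self):
        return self.value


def find_non_string_values(opts, path=""):
    """Return (path, type name) for every option whose value is not a str."""
    found = []
    for o in opts:
        here = path + "/" + o.get("name", o["type"])
        if o["type"] == "section":
            found.extend(find_non_string_values(o["value"], here))
        elif o["type"] == "option" and not isinstance(o["value"], str):
            found.append((here, type(o["value"]).__name__))
    return found


def dump(opts, coerce=False):
    """Simplified writer (assumed format); coerce=True applies str() first."""
    out = ""
    for o in opts:
        if o["type"] == "section":
            out += "[" + o["name"] + "]\n" + dump(o["value"], coerce)
        elif o["type"] == "option":
            value = str(o["value"]) if coerce else o["value"]
            out += o["name"] + " = " + value + "\n"  # TypeError on a raw DN
    return out


def raises_type_error(opts):
    """True if the uncoerced writer fails the way the traceback shows."""
    try:
        dump(opts)
    except TypeError:
        return True
    return False


# Constructed sample input, modelled on the opts entry quoted in the thread.
SAMPLE_OPTS = [
    {"type": "section", "name": "global", "value": [
        {"type": "option", "name": "basedn", "value": DN("dc=foo,dc=com")},
        {"type": "option", "name": "realm", "value": "FOO.COM"},
    ]},
]

if __name__ == "__main__":
    print(find_non_string_values(SAMPLE_OPTS))
    print(dump(SAMPLE_OPTS, coerce=True))
```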