Bug 922843 - unattended ipa-client installation fails when anonymous access to LDAP is disabled on IPA servers
Summary: unattended ipa-client installation fails when anonymous access to LDAP is dis...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 924100 952741 952745
Reported: 2013-03-18 16:28 UTC by pgustafs
Modified: 2013-11-21 20:51 UTC (History)

Fixed In Version: ipa-3.0.0-29.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 20:51:51 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2013:1651 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2013-11-21 00:39:40 UTC

Description pgustafs 2013-03-18 16:28:06 UTC
Description of problem:
unattended ipa-client-install fails when anonymous access to LDAP is disabled on IPA servers:

/usr/sbin/ipa-client-install -p admin -w somepass --mkhomedir -dd -U
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=31075-01.example.com
Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.example.com.
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa2.example.com.}
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa1.example.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.example.com.
DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:TESTSITE.ATG.SE}
Search DNS for SRV record of _kerberos._udp.example.com.
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
[LDAP server check]
Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
Validated servers: ipa2.example.com
will use discovered domain: example.com
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Version-Release number of selected component (if applicable):
ipa-client-3.0.0-26.el6_4.2.x86_64


How reproducible:
Always


Steps to Reproduce:
1. disable anonymous access to ldap on IPA server
# ldapmodify -x -D "cn=Directory Manager" -w <secret> -h localhost -p 389
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

2. install ipa-client-3.0.0-26.el6_4.2.x86_64 on ipa client machine
3. Execute unattended ipa-client installation on ipa client machine
# /usr/sbin/ipa-client-install -p admin -w somepass --mkhomedir -dd -U
  
Actual results:
ipa-client-install fails with:
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=31075-01.example.com
Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.example.com.
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa2.example.com.}
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa1.example.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.example.com.
DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:TESTSITE.ATG.SE}
Search DNS for SRV record of _kerberos._udp.example.com.
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
[LDAP server check]
Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
Validated servers: ipa2.example.com
will use discovered domain: example.com
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.



Expected results:
ipa-client-install should finish without prompting for information 

Additional info:

Comment 1 Martin Kosek 2013-03-18 16:50:41 UTC
Note: client discovery now only works if nsslapd-allow-anonymous-access is set to on or off. When set to rootdse, it breaks.
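
An added triage helper, not part of this bug's attachments or of ipa-client-install itself, that reads the discovery section of an ipa-client-install -dd log like the one in the Description and separates the case this bug describes (a server was validated, but the anonymous krbRealmContainer search was refused) from a genuinely missing server. The sample log below is constructed from the lines in the Description.

```python
import re

# Constructed sample: the discovery part of an 'ipa-client-install -dd' run,
# abbreviated from the shape of the output shown in this bug report.
SAMPLE_LOG = """\
[LDAP server check]
Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
Validated servers: ipa2.example.com
IPA Server not found
"""

RESULT_RE = re.compile(r"^Discovery result: (\w+); (.*)$")

def parse_discovery(log):
    """Extract the discovery result code, its key=value fields, the servers the
    client managed to validate, and whether an anonymous search was refused."""
    info = {"result": None, "fields": {}, "validated": [], "anon_denied": False}
    for line in log.splitlines():
        m = RESULT_RE.match(line)
        if m:
            info["result"] = m.group(1)
            for kv in m.group(2).split(", "):
                key, _, value = kv.partition("=")
                # kdc is a comma-separated list; basedn legitimately contains '='
                info["fields"][key] = value.split(",") if key == "kdc" else value
        elif line.startswith("Validated servers:"):
            names = line.split(":", 1)[1].split(",")
            info["validated"] = [n.strip() for n in names if n.strip()]
        elif line.startswith("LDAP Error: Anonymous access not allowed"):
            info["anon_denied"] = True
    return info

def triage(log):
    """Return (verdict, validated_servers). 'anonymous-access-blocked' is the case
    in this bug: servers exist and were validated, but anonymous LDAP access is
    restricted on them (Comment 1: nsslapd-allow-anonymous-access = rootdse)."""
    info = parse_discovery(log)
    if info["result"] is None:
        return ("no-discovery-result", [])
    if info["result"] == "NO_ACCESS_TO_LDAP" and info["anon_denied"] and info["validated"]:
        return ("anonymous-access-blocked", info["validated"])
    if info["result"] == "NO_ACCESS_TO_LDAP":
        return ("no-ldap-access", info["validated"])
    return ("other:" + info["result"], info["validated"])
```

When the verdict is 'anonymous-access-blocked', the servers named are the ones whose nsslapd-allow-anonymous-access setting to inspect; the client-side fix shipped in ipa-3.0.0-29.el6 per this bug.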

Comment 2 Rob Crittenden 2013-03-18 18:20:04 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3519

Comment 7 Martin Kosek 2013-03-20 08:34:44 UTC
Fixed upstream:

master:
be54d1deb5e40945e4ead5b34d9acde88c1e8264 ipa-client discovery with anonymous access off

ipa-3-1:
dda3cd1b1c94c764d774110789dff8899ff873c8 ipa-client discovery with anonymous access off

Comment 13 Namita Soman 2013-09-05 18:27:49 UTC
Verified using ipa-client-3.0.0-33.el6.x86_64

:: [   PASS   ] :: Running 'yum install -y openldap-clients' (Expected 0, got 0)
:: [   PASS   ] :: Create a resolv.conf file pointing to IPA DNS (Expected 0, got 0)
search testrelm.com
nameserver 10.16.98.183
modifying entry "cn=config"

:: [   PASS   ] :: Setting nsslapd-allow-anonymous-access to rootdse on ipaqa64vmb.testrelm.com (Expected 0, got 0)
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'force_join': False, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
....
<snip>
....

Client configuration complete.

:: [   PASS   ] :: Running 'ipa-client-install -p admin -w Secret123 --mkhomedir -dd -U' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/ipaclient-install.log' should contain 'Client configuration complete.' 
'042ce99f-0ffa-4874-bb47-3cb0823f7e20'
unattended-ipa-client-installation-fails-when-anonymous-access-to-LDAP-is-disabled-on-IPA-servers-bz952741 result: PASS

Comment 15 errata-xmlrpc 2013-11-21 20:51:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html

