Description of problem:
ipa-client-install is not able to fail over to a functional server and the installation fails.

Version-Release number of selected component (if applicable):
ipa-client-2.1.3-5.el5_9.2

How reproducible:
100% if ipa-client picks the dead server first from the list

Steps to Reproduce:
1. Install at least 2 IPA replicas
2. Make sure that DNS SRV records point to both replicas
3. Shut down one replica
4. Run ipa-client-install with the IPA domain as a parameter

Actual results:
Installation fails if the client tries the dead replica first.

Expected results:
ipa-client-install fails over to the functional replica.

Additional info:
I intentionally use IPA domain 'r.test.' and the client machine is in domain 'example.com.', but it doesn't matter. The detection logic is okay; the problem seems to be in the failover logic.

Output from console (replica vm-035 is up and running, vm-070 is down):

# dig -t SRV _ldap._tcp.r.test.

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> -t SRV _ldap._tcp.r.test.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1885
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.r.test.             IN      SRV

;; ANSWER SECTION:
_ldap._tcp.r.test.      86400   IN      SRV     0 100 389 vm-035.example.com.
_ldap._tcp.r.test.      86400   IN      SRV     0 100 389 vm-070.example.com.

;; AUTHORITY SECTION:
r.test.                 86400   IN      NS      vm-035.example.com.

;; ADDITIONAL SECTION:
vm-035.example.com.     86400   IN      A       10.34.47.35

;; Query time: 2 msec
;; SERVER: 10.34.47.35#53(10.34.47.35)
;; WHEN: Mon Apr  8 18:26:46 2013
;; MSG SIZE  rcvd: 171

[root@vm-054 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): r.test.
root        : ERROR    LDAP Error: Can't contact LDAP server: Failed to verify that vm-070.example.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
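The failover the reporter expects, as an added example that is not FreeIPA's discovery code and not part of the report: the two SRV answers above are parsed, ordered per RFC 2782 (priority ascending, weighted-random within a priority), and each target is probed in turn, so a dead first target is skipped rather than aborting the run. Assumptions: a plain TCP connect (tcp_probe) stands in for the real "verify that host is an IPA server" LDAP check, the sample answer lines are constructed to match the dig output above, and fake_probe is a test double that marks vm-070 as down so the example runs offline.

```python
"""Failover across DNS SRV targets in RFC 2782 order.

Added example; this is not FreeIPA's discovery code. A TCP connect stands in
for "verify that <host> is an IPA server" (assumption: the real check is an
LDAP query against port 389). The test double `fake_probe` lets the dead
replica from the report be simulated offline.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answers(lines: Iterable[str]) -> List[SrvRecord]:
    """Parse ANSWER SECTION lines as printed by `dig -t SRV`, e.g.
    '_ldap._tcp.r.test. 86400 IN SRV 0 100 389 vm-035.example.com.'"""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # comment, blank or non-SRV line
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".")))
    return records


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; within one priority a
    weighted-random draw, so equal-priority replicas share the load and the
    same client does not always start with the same server."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Reachability check only. Real discovery must also confirm the
    responder is an IPA LDAP server, or a stray listener would be enrolled."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover(records: List[SrvRecord],
             probe: Callable[[str, int], bool] = tcp_probe,
             rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Return the first SRV target that passes `probe`. A dead target is
    skipped and the next one tried; None means *every* target failed, which
    is the only case in which installation should abort."""
    for rec in order_srv(records, rng or random.Random()):
        if probe(rec.target, rec.port):
            return rec
    return None


# Constructed sample copying the ANSWER SECTION shape from the report above.
DIG_ANSWER = [
    "_ldap._tcp.r.test. 86400 IN SRV 0 100 389 vm-035.example.com.",
    "_ldap._tcp.r.test. 86400 IN SRV 0 100 389 vm-070.example.com.",
]


def fake_probe(down: set) -> Callable[[str, int], bool]:
    """Test double: hosts listed in `down` are unreachable, all others up."""
    return lambda host, port: host not in down


if __name__ == "__main__":
    records = parse_srv_answers(DIG_ANSWER)
    # vm-070 is down as in the report; whichever SRV target is drawn first,
    # discovery must end up on vm-035 instead of failing.
    for seed in range(5):
        chosen = discover(records, fake_probe({"vm-070.example.com"}),
                          random.Random(seed))
        print(f"seed {seed}: {chosen.target if chosen else 'no server'}")
```

Swapping fake_probe for tcp_probe turns this into a live check against the replicas; the point to keep is that discover only returns None after every SRV target has been tried, which is exactly the step the reported client build skips.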
Can you attach /var/log/ipaclient-install.log?
Created attachment 733035
ipaclient-install.log from failed attempt
Created attachment 733040
ipaclient-install.log from successful attempt

Sure, sorry.
Created attachment 733045
733040: ipaclient-install.log from successful attempt - dead replica has A record in DNS

I repeated the installation with a proper A record for both replicas. The dead replica didn't have an A record in DNS in the previous successful attempt. The log files from the unsuccessful attempts are exactly the same in both cases.
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3388

Related RHEL-6.5 Bugzilla:
Bug 905626

This bug would require backporting the RHEL-6.4/RHEL 6.5 bug fix (Bug 905626) also for RHEL-6.5. Let us decide on triage if we want to backport or not.
(In reply to comment #5)
> This bug would require backporting RHEL-6.4/RHEL 6.5 bug fix (Bug 905626)
> also for RHEL-6.5.
...

Sorry for the typo, I meant backporting for *RHEL 5.10*.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Upstream commits:

master: cbb262dc07ea0615068a630e6c7136e3200d5a06
ipa-3-1: a5f10e25b27fb860be0f06506d603197c2e5a955

Regression fix:

master: be54d1deb5e40945e4ead5b34d9acde88c1e8264
  ipa-client discovery with anonymous access off
ipa-3-1: dda3cd1b1c94c764d774110789dff8899ff873c8
  ipa-client discovery with anonymous access off
Verified using ipa-client-2.1.3-7.el5; ipa-server-3.0.0-26.el6_4.4.x86_64

Steps taken:

1> Installed master (storm.testrelm.com)

2> Installed replica (qe-blade-01.testrelm.com)

3> On Client (mgmt7.testrelm.com)

# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
10.16.120.17    mgmt7.testrelm.com mgmt7
10.16.76.32     qe-blade-01.testrelm.com qe-blade-01
10.16.96.68     storm.testrelm.com storm

# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search testrelm.com
nameserver 10.16.96.68
nameserver 10.16.76.32

4> Stopped server on master

5> On replica:

[root@qe-blade-01 ~]# dig -t SRV _ldap._tcp.testrelm.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t SRV _ldap._tcp.testrelm.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 421
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.testrelm.com.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.testrelm.com. 86400  IN      SRV     0 100 389 storm.testrelm.com.
_ldap._tcp.testrelm.com. 86400  IN      SRV     0 100 389 qe-blade-01.testrelm.com.

;; AUTHORITY SECTION:
testrelm.com.           86400   IN      NS      storm.testrelm.com.
testrelm.com.           86400   IN      NS      qe-blade-01.testrelm.com.

;; ADDITIONAL SECTION:
storm.testrelm.com.     1200    IN      A       10.16.96.68
qe-blade-01.testrelm.com. 1200  IN      A       10.16.76.32

;; Query time: 1 msec
;; SERVER: 10.16.76.32#53(10.16.76.32)
;; WHEN: Mon Aug  5 13:27:30 2013
;; MSG SIZE  rcvd: 183

6> Installed client:

# ipa-client-install --domain=testrelm.com
Discovery was successful!
Hostname: mgmt7.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: qe-blade-01.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin:

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Hostname (mgmt7.testrelm.com) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status -6)
SSSD enabled
NTP enabled
Client configuration complete.

7> On client tried:

# kinit one
Password for one:
Password expired. You must change it now.
Enter new password:
Enter it again:
# ssh storm.testrelm.com

Automated test: ipaclientinstall_withmasterdown()
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1334.html