https://bugzilla.redhat.com/show_bug.cgi?id=905626 (Red Hat Enterprise Linux 6)
Description of problem:
When IPA Master is down, ipa-client-install failed:

[root@rhel6-3 install-client-cli]# rlRun "ipa-client-install --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW --unattended "
LDAP Error: Can't contact LDAP server:
Failed to verify that rhel6-1.testrelm.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
:: [ FAIL ] :: Running 'ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 --unattended ' (Expected 0, got 1)

Looking at log:

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-24.el6.x86_64

How reproducible:
Very. Seen it in automation and have reproduced it manually with little effort.

Steps to Reproduce:
1. Install RHEL6.4 IPA Server
2. Install RHEL6.4 IPA Replica
3. On Server: ipactl stop
4. On Client: make sure resolv.conf points to Server first and Replica second
5. On Client: ipa-client-install --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW --unattended

Actual results:
fails

Expected results:
installs using replica

Additional info:
/var/log/ipaclient-install.log:

2013-01-29T17:07:27Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'testrelm.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': 'TESTRELM.COM', 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-01-29T17:07:27Z DEBUG missing options might be asked for interactively later
2013-01-29T17:07:27Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-01-29T17:07:27Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-01-29T17:07:27Z DEBUG [IPA Discovery]
2013-01-29T17:07:27Z DEBUG Starting IPA discovery with domain=testrelm.com, server=None, hostname=rhel6-3.testrelm.com
2013-01-29T17:07:27Z DEBUG Search for LDAP SRV record in testrelm.com
2013-01-29T17:07:27Z DEBUG Search DNS for SRV record of _ldap._tcp.testrelm.com.
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.testrelm.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:rhel6-1.testrelm.com.}
2013-01-29T17:07:27Z DEBUG [Kerberos realm search]
2013-01-29T17:07:27Z DEBUG Search DNS for TXT record of _kerberos.testrelm.com.
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_kerberos.testrelm.com.,type:16,class:1,rdata={data:TESTRELM.COM}
2013-01-29T17:07:27Z DEBUG Search DNS for SRV record of _kerberos._udp.testrelm.com.
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.testrelm.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:rhel6-1.testrelm.com.}
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.testrelm.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:rhel6-2.testrelm.com.}
2013-01-29T17:07:27Z DEBUG [LDAP server check]
2013-01-29T17:07:27Z DEBUG Verifying that rhel6-1.testrelm.com (realm TESTRELM.COM) is an IPA server
2013-01-29T17:07:27Z DEBUG Init LDAP connection with: ldap://rhel6-1.testrelm.com:389
2013-01-29T17:07:27Z ERROR LDAP Error: Can't contact LDAP server:
2013-01-29T17:07:27Z DEBUG Discovery result: UNKNOWN_ERROR; server=rhel6-1.testrelm.com, domain=testrelm.com, kdc=rhel6-1.testrelm.com,rhel6-2.testrelm.com, basedn=None
2013-01-29T17:07:27Z DEBUG will use discovered domain: testrelm.com
2013-01-29T17:07:27Z DEBUG Start searching for LDAP SRV record in "testrelm.com" (Validating DNS Discovery) and its sub-domains
2013-01-29T17:07:27Z DEBUG Search DNS for SRV record of _ldap._tcp.testrelm.com.
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.testrelm.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:rhel6-2.testrelm.com.}
2013-01-29T17:07:27Z DEBUG DNS validated, enabling discovery
2013-01-29T17:07:27Z DEBUG will use discovered server: rhel6-1.testrelm.com
2013-01-29T17:07:27Z ERROR Failed to verify that rhel6-1.testrelm.com is an IPA Server.
2013-01-29T17:07:27Z ERROR This may mean that the remote server is not up or is not reachable due to network or firewall settings.
2013-01-29T17:07:27Z INFO Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
2013-01-29T17:07:27Z DEBUG (rhel6-1.testrelm.com: Discovered LDAP SRV records from testrelm.com)
2013-01-29T17:07:27Z ERROR Installation failed. Rolling back changes.
2013-01-29T17:07:27Z ERROR IPA client is not configured on this system.
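A triage helper for logs like the one in the report above, added here as an example (it is not FreeIPA code and not the attached patch): it lists the `_ldap._tcp` SRV targets the installer discovered, the hosts it actually opened an LDAP connection to, and the discovered hosts it never tried, then walks the candidates with a fallback loop. The `probe` callable is a hypothetical stand-in for whatever check verifies that a host is an IPA server.

```python
import re

# Excerpt of the _ldap._tcp discovery and LDAP check lines from the log in the report.
SAMPLE_LOG = """\
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.testrelm.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:rhel6-1.testrelm.com.}
2013-01-29T17:07:27Z DEBUG Init LDAP connection with: ldap://rhel6-1.testrelm.com:389
2013-01-29T17:07:27Z ERROR LDAP Error: Can't contact LDAP server:
2013-01-29T17:07:27Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.testrelm.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:rhel6-2.testrelm.com.}
"""

# type:33 is the SRV record type; the trailing dot of the target is dropped.
SRV_RE = re.compile(
    r"DNSResult::name:(?P<name>[^,]+),type:33,.*?"
    r"priority:(?P<prio>\d+),port:(?P<port>\d+),weight:(?P<weight>\d+),"
    r"server:(?P<server>[^}\s]+?)\.?\}")
LDAP_RE = re.compile(r"Init LDAP connection with: ldap://([^:/\s]+)")

def triage(log_text):
    """Return (discovered, attempted, untried) LDAP hosts, in log order."""
    discovered, attempted = [], []
    for line in log_text.splitlines():
        m = SRV_RE.search(line)
        if m and m.group("name").startswith("_ldap._tcp."):
            if m.group("server") not in discovered:
                discovered.append(m.group("server"))
        m = LDAP_RE.search(line)
        if m and m.group(1) not in attempted:
            attempted.append(m.group(1))
    untried = [h for h in discovered if h not in attempted]
    return discovered, attempted, untried

def first_verified(candidates, probe):
    """Return the first candidate for which probe(host) succeeds, else None."""
    for host in candidates:
        try:
            if probe(host):
                return host
        except OSError:  # unreachable host: move on to the next SRV target
            continue
    return None

if __name__ == "__main__":
    found, tried, untried = triage(SAMPLE_LOG)
    print("LDAP SRV targets:", found)
    print("LDAP connections attempted:", tried)
    print("Discovered but never tried:", untried)
```

A non-empty "never tried" list alongside a "Can't contact LDAP server" error indicates that discovery stopped at the first SRV target rather than that every server was unreachable.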
attachment freeipa-mkosek-362-add-ldap-server-fallback-to-client-installer.patch
Patch freeipa-mkosek-362-add-ldap-server-fallback-to-client-installer.patch sent for review
master: cbb262d
ipa-3-1: a5f10e2
Metadata Update from @dpal: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.2 - 2013/02