#3519 unattended ipa-client installation fails when anonymous access to LDAP is disabled on IPA servers
Closed: Fixed. Opened 11 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 922843

Description of problem:
unattended ipa-client-install fails when anonymous access to LDAP is disabled
on IPA servers:

/usr/sbin/ipa-client-install -p admin -w somepass --mkhomedir -dd -U
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp':
True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin',
'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True,
'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh':
True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=31075-01.example.com
Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.example.com.
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa2.example.com.}
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa1.example.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.example.com.
DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:TESTSITE.ATG.SE}
Search DNS for SRV record of _kerberos._udp.example.com.
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
[LDAP server check]
Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
Validated servers: ipa2.example.com
will use discovered domain: example.com
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Version-Release number of selected component (if applicable):
ipa-client-3.0.0-26.el6_4.2.x86_64


How reproducible:
Always


Steps to Reproduce:
1. disable anonymous access to ldap on IPA server
# ldapmodify -x -D "cn=Directory Manager" -w <secret> -h localhost -p 389
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

2. install ipa-client-3.0.0-26.el6_4.2.x86_64 on ipa client machine
3. Execute unattended ipa-client installation on ipa client machine
# /usr/sbin/ipa-client-install -p admin -w somepass --mkhomedir -dd -U

Actual results:
ipa-client-install fails with the same output shown in the description above.



Expected results:
ipa-client-install should finish without prompting for information
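A small parser for the -dd discovery output quoted above, added here as an example (it is not part of the ticket or of FreeIPA's own code): it pulls the discovery summary out of the log, separates the anonymous-bind refusal from a genuinely absent server, and pick_server models the behaviour the expected result asks for, keeping a server whose IPA base DN was already validated through the rootDSE when the realm is known from DNS. The rule in pick_server is a simplified assumption for illustration, not FreeIPA's ipadiscovery logic.

```python
import re

# Constructed sample: the relevant -dd lines from the ticket, with the wrapped
# "Discovery result" line joined back onto one line.
SAMPLE_LOG = """\
Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
Validated servers: ipa2.example.com
"""

RESULT_RE = re.compile(r"^Discovery result: (?P<code>\w+); server=(?P<server>\S+), "
                       r"domain=(?P<domain>\S+), kdc=(?P<kdc>\S+), basedn=(?P<basedn>.+)$")
VERIFY_RE = re.compile(r"^Verifying that \S+ \(realm (?P<realm>\S+)\) is an IPA server$")


def parse_discovery(log):
    """Extract the discovery summary, realm, LDAP error and validated servers."""
    info = {"result": None, "server": None, "realm": None, "basedn": None,
            "ldap_error": None, "validated": []}
    for line in log.splitlines():
        if (m := RESULT_RE.match(line)):
            info["result"] = m.group("code")
            info["server"] = None if m.group("server") == "None" else m.group("server")
            info["domain"], info["basedn"] = m.group("domain"), m.group("basedn")
            info["kdc"] = m.group("kdc").split(",")       # KDCs found via DNS SRV records
        elif (m := VERIFY_RE.match(line)):
            info["realm"] = m.group("realm")              # realm taken from the DNS TXT record
        elif line.startswith("LDAP Error: "):
            info["ldap_error"] = line[len("LDAP Error: "):]
        elif line.startswith("Validated servers: "):
            info["validated"] = line[len("Validated servers: "):].split(",")
    return info


def diagnose(info):
    """Separate 'server refuses anonymous binds' from 'no IPA server was found at all'."""
    if info["result"] == "NO_ACCESS_TO_LDAP" and info["validated"] and info["server"] is None:
        return "anonymous_access_disabled"   # base DN validated, realm-container search refused
    if info["result"] and info["server"] is None:
        return "server_not_found"
    return "ok"


def pick_server(info):
    """Assumed rule (not FreeIPA's code): keep an already validated server when the realm
    and base DN are known, instead of reporting 'IPA Server not found'."""
    if diagnose(info) == "anonymous_access_disabled" and info["realm"] and info["basedn"]:
        return info["validated"][0]
    return info["server"]
```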

Additional info:

Patch freeipa-mkosek-390-ipa-client-discovery-with-anonymous-access-off.patch sent for review

master:
be54d1d ipa-client discovery with anonymous access off

ipa-3-1:
dda3cd1 ipa-client discovery with anonymous access off

Metadata Update from @rcritten (7 years ago):
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/03
