Ticket #3573 (closed defect: fixed)

Opened 23 months ago

Last modified 9 months ago

Should not display ports to open when password is incorrect during ipa-client-install.

Reported by: shanks
Owned by: someone
Priority: minor
Milestone: FreeIPA 4.0 - 2014/02
Component: Client
Affects Documentation: no
Patch posted for review: yes
Red Hat Bugzilla: 1108230

Description

[root@dhcp201-120 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: dhcp201-120.englab.pnq.redhat.com
Realm: ENGLAB.PNQ.REDHAT.COM
DNS Domain: englab.pnq.redhat.com
IPA Server: dhcp201-146.englab.pnq.redhat.com
BaseDN: dc=englab,dc=pnq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@ENGLAB.PNQ.REDHAT.COM: 
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@dhcp201-120 ~]# 

Should not display the ports to open when the installation failure is due to an incorrect Kerberos password.

Change History

comment:1 Changed 23 months ago by akrivoka

  • Status changed from new to assigned
  • Owner changed from someone to akrivoka
  • Cc akrivoka@… added

comment:2 Changed 23 months ago by akrivoka

  • Patch posted for review set

comment:3 Changed 23 months ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to Pilsner barrel

comment:4 Changed 23 months ago by dpal

  • Red Hat Bugzilla set to todo

comment:5 Changed 21 months ago by mkosek

  • Component changed from ipa-client to Client

Rename component.

comment:6 follow-up: ↓ 7 Changed 21 months ago by adelton

Is there a way to reliably distinguish the situation when it was the password which was wrong in kinit (which assumes the ports are probably right and the message would not be needed) from when it was a different error? I'm afraid the kinit exit status will not help, and parsing stderr output will break unless it also accounts for localized variants of those messages ...

comment:7 in reply to: ↑ 6 Changed 21 months ago by akrivoka

Replying to adelton:

Is there a way to reliably distinguish the situation when it was the password which was wrong in kinit (which assumes the ports are probably right and the message would not be needed) from when it was a different error? I'm afraid the kinit exit status will not help, and parsing stderr output will break unless it also accounts for localized variants of those messages ...

You are right on both counts - see the discussion in this thread on freeipa-devel: https://www.redhat.com/archives/freeipa-devel/2013-April/msg00324.html
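
One way to handle the localization concern raised in comments 6 and 7, shown as an added example that is not part of the ticket or FreeIPA's own code: run kinit with `LC_ALL=C` so its messages are untranslated, then classify stderr. All function names are hypothetical, and every message string except "Password incorrect" (taken from the transcript above) is an assumption about MIT krb5 wording.

```python
import os
import subprocess

# "Password incorrect" comes from the ticket's transcript; the other
# substrings are assumptions about MIT krb5's C-locale messages.
BAD_PASSWORD = ("Password incorrect", "Preauthentication failed")
UNREACHABLE = ("Cannot contact any KDC", "Cannot resolve")

# Constructed sample stderr lines (not captured from a real system).
SAMPLES = {
    "wrong_pw": "kinit: Password incorrect while getting initial credentials\n",
    "no_kdc": "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' "
              "while getting initial credentials\n",
    "localized": "kinit: Passwort falsch bei Anfängliche Anmeldedaten werden geholt.\n",
}

def c_locale_env(base=None):
    """Copy of the environment with message translation switched off."""
    env = dict(os.environ if base is None else base)
    env["LC_ALL"] = "C"  # overrides LANG and every LC_* category
    return env

def classify_kinit_failure(returncode, stderr):
    """Return 'ok', 'bad_password', 'unreachable' or 'unknown'."""
    if returncode == 0:
        return "ok"
    if any(marker in stderr for marker in BAD_PASSWORD):
        return "bad_password"
    if any(marker in stderr for marker in UNREACHABLE):
        return "unreachable"
    return "unknown"

def should_print_port_hint(returncode, stderr):
    # Drop the firewall hint only when the KDC demonstrably answered.
    # Unrecognised errors keep the hint so diagnostics are never lost.
    return classify_kinit_failure(returncode, stderr) in ("unreachable", "unknown")

def run_kinit(principal, password):
    """Run kinit with untranslated messages; returns (returncode, stderr)."""
    proc = subprocess.run(["kinit", principal], input=password + "\n",
                          env=c_locale_env(), capture_output=True, text=True)
    return proc.returncode, proc.stderr
```

The `localized` sample shows why the locale must be forced: a translated message matches no marker, falls into `unknown`, and the port hint is printed even though the password was the problem.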

comment:8 Changed 21 months ago by dpal

  • Type changed from enhancement to defect

comment:9 Changed 13 months ago by mkosek

  • Feature set to someone

Moving the tickets back to free-to-take pool.

comment:10 Changed 13 months ago by mkosek

  • Feature someone deleted
  • Owner changed from akrivoka to someone

comment:11 Changed 13 months ago by mkosek

  • Milestone changed from Future Releases to FreeIPA 3.4 - 2014/02
  • Status changed from assigned to closed
  • Resolution set to fixed

master:

comment:12 Changed 13 months ago by akrivoka

  • Cc akrivoka@… removed

comment:13 Changed 9 months ago by mkosek

  • Red Hat Bugzilla changed from todo to 1108230

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1108230
