Ticket #3573 (closed defect: fixed)

Opened 12 months ago

Last modified 2 months ago

Should not display ports to open when password is incorrect during ipa-client-install.

Reported by: shanks Owned by: someone
Priority: minor Milestone: FreeIPA 4.0 - 2014/02
Component: Client Version:
Keywords: Cc:
Blocked By: Blocking:
Affects Documentation: no Patch posted for review: yes
Red Hat Bugzilla: todo Patch review by:
External tracker: Design link:
Needs UI design: Fedora test page:
Feature: Source:
Expertise:
Release Notes:

Description

[root@dhcp201-120 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: dhcp201-120.englab.pnq.redhat.com
Realm: ENGLAB.PNQ.REDHAT.COM
DNS Domain: englab.pnq.redhat.com
IPA Server: dhcp201-146.englab.pnq.redhat.com
BaseDN: dc=englab,dc=pnq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@ENGLAB.PNQ.REDHAT.COM: 
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@dhcp201-120 ~]# 

Should not display the ports to open when the installation failure is because of kerberos password incorrect.

Change History

comment:1 Changed 12 months ago by akrivoka

  • Status changed from new to assigned
  • Owner changed from someone to akrivoka
  • Cc akrivoka@… added

comment:2 Changed 12 months ago by akrivoka

  • Patch posted for review set

comment:3 Changed 12 months ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to Pilsner barrel

comment:4 Changed 12 months ago by dpal

  • Red Hat Bugzilla set to todo

comment:5 Changed 11 months ago by mkosek

  • Component changed from ipa-client to Client

Rename component.

comment:6 follow-up: ↓ 7 Changed 11 months ago by adelton

Is there a way to reliably distinguish situation when it was password which was wrong in kinit (which assumes the ports are probably right and the message would not be needed) and when it was a different error? I'm afraid the kinit exit status will not help and parsing stderr output will break unless it also accounts for localized variants of those messages ...

comment:7 in reply to: ↑ 6 Changed 11 months ago by akrivoka

Replying to adelton:

Is there a way to reliably distinguish situation when it was password which was wrong in kinit (which assumes the ports are probably right and the message would not be needed) and when it was a different error? I'm afraid the kinit exit status will not help and parsing stderr output will break unless it also accounts for localized variants of those messages ...

You are right on both accounts - see the discussion in this thread on freeipa-devel: https://www.redhat.com/archives/freeipa-devel/2013-April/msg00324.html

comment:8 Changed 10 months ago by dpal

  • Type changed from enhancement to defect

comment:9 Changed 3 months ago by mkosek

  • Feature set to someone

Moving the tickets back to free-to-take pool.

comment:10 Changed 3 months ago by mkosek

  • Owner changed from akrivoka to someone
  • Feature someone deleted

comment:11 Changed 2 months ago by mkosek

  • Milestone changed from Future Releases to FreeIPA 3.4 - 2014/02
  • Resolution set to fixed
  • Status changed from assigned to closed

master:

comment:12 Changed 2 months ago by akrivoka

  • Cc akrivoka@… removed
Note: See TracTickets for help on using tickets.