[Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
Rob Crittenden
rcritten at redhat.com
Thu Jan 31 16:20:40 UTC 2013
Lynn Root wrote:
> On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:
>> On 11/30/2012 10:35 PM, Rob Crittenden wrote:
>>> Lynn Root wrote:
>>>> Returns a clearer hint when user is running ipa-client-automount with
>>>> possible firewall up and blocking need ports.
>>>>
>>>> Not sure if this patch is worded correctly in order to address the
>>>> potential firewall block when running ipa-client-automount. Perhaps a
>>>> different error should be thrown, rather than NOT_IPA_SERVER.
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>>>
>>> Tomas made a similar change recently in ipa-client-install which
>>> includes more information on the ports we need. You may want to take
>>> a look at that. It was for ticket
>>> https://fedorahosted.org/freeipa/ticket/2816
>>>
>>> rob
>> Thank you Rob - I adapted the same approach in this updated patch. Let
>> me know if it addresses the blocked port issue better.
>>
>> Thanks!
>
> Just bumping this thread - I think this might have fallen on the
> way-side; certainly lost track of it myself after returning home/holidays.
>
> However I noticed that this ticket
> (https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag -
> don't _believe_ that was there when I started working on it in late
> November. I believe the whole design doc conversation was going on
> around then. I assume I'll need to start one for this?
>
> Thanks!
>
I think this is still not quite right, and I think could be improved in
ipa-client-install as well.
ipacheckldap() only tries to connect to port 389 (optionally with
StartTLS). It returns a number of different possible errors, I think we
should have some way to report more specific error messages based on
those (can't connect to server Y on port 389, Unable to find Kerberos
container, etc) in addition to "Unable to confirm that X is an IPA
server". We probably want to do something about the v2 part as well.
I think a table in ipadiscovery to translate the possible return vals
from ipacheckldap() into a string that can logged is the way to go.
rob
More information about the Freeipa-devel
mailing list