<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 07.12.2015 08:21, Jan Cholasta
wrote:<br>
</div>
<blockquote cite="mid:56653386.5020703@redhat.com" type="cite">On
2.12.2015 16:23, Jan Cholasta wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
the attached patch fixes
<a class="moz-txt-link-rfc2396E" href="https://fedorahosted.org/freeipa/ticket/5498">&lt;https://fedorahosted.org/freeipa/ticket/5498&gt;</a>.
<br>
<br>
Note that you still have to provide admin password in
<br>
ipa-replica-install, either using --admin-password or
interactively,
<br>
because:
<br>
<br>
a) Admin password is required for replica promotion. This will
be fixed
<br>
with <a class="moz-txt-link-rfc2396E" href="https://fedorahosted.org/freeipa/ticket/5401">&lt;https://fedorahosted.org/freeipa/ticket/5401&gt;</a>.
<br>
<br>
Patches are on the list:
<br>
<a class="moz-txt-link-rfc2396E" href="https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html">&lt;https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html&gt;</a>.
<br>
</blockquote>
<br>
Pushed.
<br>
<br>
<blockquote type="cite">
<br>
<br>
b) Admin password is required for connection check. This will be
fixed
<br>
with <a class="moz-txt-link-rfc2396E" href="https://fedorahosted.org/freeipa/ticket/5497">&lt;https://fedorahosted.org/freeipa/ticket/5497&gt;</a>.
<br>
</blockquote>
<br>
Martin Basti pointed out that admin password should not be asked
interactively during OTP replica promotion. Fixed.
<br>
<br>
Updated and rebased patch attached.
<br>
<br>
<br>
<br>
</blockquote>
<br>
1)<br>
[root@vm-058-138 ~]# ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca<br>
Configuring client side components<br>
Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM">admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</a>: <br>
<br>
IMO password should be asked first, before any installation begins
(IMO this is for conncheck)<br>
<br>
2)<br>
When host is not in ipaservers hostgroup. Also I would expect
different error message<br>
ipa-replica-install --server
vm-058-137.abc.idm.lab.eng.brq.redhat.com --domain
abc.idm.lab.eng.brq.redhat.com --password=bubak --setup-ca
--skip-conncheck<br>
<br>
....<br>
step()<br>
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 352, in &lt;lambda&gt;<br>
step = lambda: next(self.__gen)<br>
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from<br>
six.reraise(*exc_info)<br>
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from<br>
value = gen.send(prev_value)<br>
File
"/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
63, in _install<br>
for nothing in self._installer(self.parent):<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1507, in main<br>
promote_check(self)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 374, in decorated<br>
func(installer)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1002, in promote_check<br>
conn.connect(ccache=installer._ccache)<br>
File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line
66, in connect<br>
conn = self.create_connection(*args, **kw)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
199, in create_connection<br>
principal = krb_utils.get_principal(ccache_name=ccache)<br>
File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line
184, in get_principal<br>
raise errors.CCacheError(message=unicode(e))<br>
<br>
2015-12-07T16:23:40Z DEBUG The ipa-replica-install command failed,
exception: CCacheError: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (2529639053): No
Kerberos credentials available<br>
2015-12-07T16:23:40Z ERROR Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (2529639053): No
Kerberos credentials available<br>
<br>
<br>
3)<br>
This case is not handled very well:<br>
a) install client with OTP password<br>
b) install replica with the same OTP password (when host is not in
ipaservers group, if host is in ipaservers group it works)<br>
<br>
ipa.ipapython.install.cli.install_tool(Replica): ERROR Major
(851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529639053): No Kerberos credentials available<br>
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information<br>
<br>
4)<br>
This is not user friendly<br>
I used wrong OTP password, can we somehow propagate the actual error
from client install to stderr?<br>
<br>
ipa.ipapython.install.cli.install_tool(Replica): ERROR
Configuration of client side components failed!<br>
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--unattended' '--domain' 'abc.idm.lab.eng.brq.redhat.com'
'--server' 'vm-058-137.abc.idm.lab.eng.brq.redhat.com' '--password'
'buba'' returned non-zero exit status 1<br>
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information<br>
<br>
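The request in point 4, as an added example that is not part of the original message and is not FreeIPA code: a wrapper that relays a failed child installer's own stderr to the caller's stderr instead of only reporting the exit status.<br>
The names run_child, mask_secrets and FAKE_CHILD are hypothetical, the child process is a constructed stand-in, and masking the value after --password / --admin-password is an assumption added here because the quoted error echoes the full command line.<br>

```python
import subprocess
import sys

# Flags whose values should never be echoed back in an error message.
SECRET_FLAGS = {"--password", "--admin-password"}


def mask_secrets(argv):
    """Return a copy of argv with the value of each secret flag masked."""
    masked, hide_next = [], False
    for arg in argv:
        if hide_next:
            masked.append("********")
            hide_next = False
            continue
        flag, sep, _ = arg.partition("=")
        if flag in SECRET_FLAGS and sep:
            masked.append(flag + "=********")   # --password=value form
        else:
            masked.append(arg)
            hide_next = arg in SECRET_FLAGS     # --password value form
    return masked


def run_child(argv, err=sys.stderr):
    """Run a child command; on failure relay its stderr lines to err.

    Returns (exit_status, relayed_lines).
    """
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, text=True)
    if proc.returncode == 0:
        return 0, []
    lines = [ln for ln in proc.stderr.splitlines() if ln.strip()]
    print("Command failed with exit status %d: %s"
          % (proc.returncode, " ".join(mask_secrets(argv))), file=err)
    for ln in lines:
        print("  child: " + ln, file=err)       # the actual error text
    return proc.returncode, lines


# Constructed stand-in for a failing client installer (not real tool output).
FAKE_CHILD = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('enrollment failed: bad one-time "
    "password\\n'); sys.exit(1)",
    "--unattended", "--password", "example-otp",
]

if __name__ == "__main__":
    sys.exit(run_child(FAKE_CHILD)[0])
```
<br>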
</body>
</html>