<div dir="ltr">Hi Flo,<div><br></div><div>Thanks for the great hint! I reran the ipa-client-install on the RHEL6 box (ipadev6), and monitored the access log file you mentioned on the replica:</div><div><br></div><div><div># ipa-client-install --domain=<a href="http://ipa.example.com">ipa.example.com</a> --server=<a href="http://ipaprd2.example.com">ipaprd2.example.com</a>  --hostname=<a href="http://ipadev6.example.com">ipadev6.example.com</a> -d</div><div><br></div><div>( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )</div><div><br></div><div>After about 3 seconds, I saw these on the replica ipaprd2:</div><div>[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2></div><div>[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"</div><div>[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0</div><div>[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND</div><div>[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1</div><div>[14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2></div><div>[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"</div><div>[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0</div><div>[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND</div><div>[14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1</div><div>[14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND</div><div>[14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1</div></div><div><br></div><div>So I did see the err=2 and oid="1.3.6.1.4.1.1466.20037". I checked the OID and got:</div><div><br></div><div>1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)<br></div><div><br></div><div>It looks to be related to TLS... 
Please advise. Thanks!</div><div><br></div><div><br></div><div><br></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 12/14/2016 01:08 PM, beeth beeth wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
Thanks David. I installed both the master and replica IPA servers with<br>
third-party certificates (Verisign), but I doubt that could be the issue,<br>
because I had no problem running the same ipa-client-install command on a<br>
RHEL7 machine (of course, the --hostname used a different hostname for that<br>
server). And I had no problem running the ipa-client-install command with<br>
--server=<master> on such a RHEL6 machine. So what could cause the LDAP<br>
communication to fail during the client enrollment with the replica? Is<br>
there a way I can troubleshoot this by running some commands? So far I<br>
did telnet to check the open ports, as well as running ldapsearch<br>
against the replica. Thanks again!<br>
<br>
<br>
On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a><br></span><span class="gmail-">
<mailto:<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>> wrote:<br>
<br>
    On 13/12/16 05:44, beeth beeth wrote:<br>
<br>
        I have two IPA servers <a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">ipaprd1.example.com</a><br></span>
        <<a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">http://ipaprd1.example.com</a>> and <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>, running<span class="gmail-"><br>
        ipa 4.4 on RHEL7. When I tried to install/configure the client<br>
        on a RHEL6<br>
        system (called ipadev6), I had an issue when I tried to enroll it<br>
        with the<br>
        replica (ipaprd2), while there was no issue with the primary (ipaprd1):<br>
<br>
        # ipa-client-install --domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>> --server=<a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">ipaprd1.example.com</a><br>
        <<a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">http://ipaprd1.example.com</a>><br>
        --server=<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
        --hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><span class="gmail-"><br>
        LDAP Error: Protocol error: unsupported extended operation<br>
        Autodiscovery of servers for failover cannot work with this<br>
        configuration.<br>
        If you proceed with the installation, services will be<br>
        configured to always<br>
        access the discovered server for all operations and will not<br>
        fail over to<br>
        other servers in case of failure.<br>
        Proceed with fixed values and no DNS discovery? [no]<br>
<br>
        Then I tried to run ipa-client-install to enroll with the<br>
        replica (ipaprd2)<br>
        in debug mode, and I got this:<br>
<br>
        # ipa-client-install --domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>> --server=<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
         --hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.<wbr>com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>> -d<span class="gmail-"><br>
        /usr/sbin/ipa-client-install was invoked with options: {'domain': '<br></span>
        <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>', 'force': False,<span class="gmail-"><br>
        'realm_name': None,<br>
        'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':<br>
        False,<br>
        'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,<br>
        'on_master':<br>
        False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,<br>
        'principal': None, 'hostname': '<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a><br></span>
        <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>>', 'no_ac': False,<span class="gmail-"><br>
        'unattended': None, 'sssd': True, 'trust_sshfp': False,<br>
        'kinit_attempts':<br>
        5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,<br>
        'force_join':<br>
        False, 'ca_cert_file': None, 'server': ['<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br></span>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<span class="gmail-"><br>
        'prompt_password': False, 'permit': False, 'debug': True,<br>
        'preserve_sssd':<br>
        False, 'uninstall': False}<br>
        missing options might be asked for interactively later<br>
        Loading Index file from<br>
        '/var/lib/ipa-client/sysrestor<wbr>e/sysrestore.index'<br>
        Loading StateFile from<br>
        '/var/lib/ipa-client/sysrestor<wbr>e/sysrestore.state'<br>
        [IPA Discovery]<br>
        Starting IPA discovery with domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>, servers=['<br>
        <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<br>
        hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><span class="gmail-"><br>
        Server and domain forced<br>
        [Kerberos realm search]<br>
        Search DNS for TXT record of _<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">kerberos.ipa.example.com</a><br></span>
        <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>>.<span class="gmail-"><br>
        No DNS record found<br>
        Search DNS for SRV record of _kerberos._<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">udp.ipa.example.com</a><br></span>
        <<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>>.<span class="gmail-"><br>
        No DNS record found<br>
        SRV record for KDC not found! Domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
        [LDAP server check]<br>
        Verifying that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><span class="gmail-"><br>
        (realm None) is an IPA server<br>
        Init LDAP connection with: ldap://<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">ipaprd2.example.com:389</a><br></span>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>><span class="gmail-"><br>
        LDAP Error: Protocol error: unsupported extended operation<br>
        Discovery result: UNKNOWN_ERROR; server=None,<br></span>
        domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>,<br>
        kdc=None, basedn=None<br>
        Validated servers:<br>
        will use discovered domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><span class="gmail-"><br>
        IPA Server not found<br>
        [IPA Discovery]<br>
        Starting IPA discovery with domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>, servers=['<br>
        <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<br>
        hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><span class="gmail-"><br>
        Server and domain forced<br>
        [Kerberos realm search]<br>
        Search DNS for TXT record of _<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">kerberos.ipa.example.com</a><br></span>
        <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>>.<span class="gmail-"><br>
        No DNS record found<br>
        Search DNS for SRV record of _kerberos._<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">udp.ipa.example.com</a><br></span>
        <<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>>.<span class="gmail-"><br>
        No DNS record found<br>
        SRV record for KDC not found! Domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
        [LDAP server check]<br>
        Verifying that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><span class="gmail-"><br>
        (realm None) is an IPA server<br>
        Init LDAP connection with: ldap://<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">ipaprd2.example.com:389</a><br></span>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>><span class="gmail-"><br>
        LDAP Error: Protocol error: unsupported extended operation<br>
        Discovery result: UNKNOWN_ERROR; server=None,<br></span>
        domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>,<span class="gmail-"><br>
        kdc=None, basedn=None<br>
        Validated servers:<br>
        Failed to verify that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br></span>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>> is an IPA Server.<span class="gmail-"><br>
        This may mean that the remote server is not up or is not<br>
        reachable due to<br>
        network or firewall settings.<br>
        Please make sure the following ports are opened in the firewall<br>
        settings:<br>
             TCP: 80, 88, 389<br>
             UDP: 88 (at least one of TCP/UDP ports 88 has to be open)<br>
        Also note that following ports are necessary for ipa-client working<br>
        properly after enrollment:<br>
             TCP: 464<br>
             UDP: 464, 123 (if NTP enabled)<br></span>
        (<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>: Provided as<span class="gmail-"><br>
        option)<br>
        Installation failed. Rolling back changes.<br>
        IPA client is not configured on this system.<br>
<br>
<br>
        I double checked the services running on the replica, and all looked<br>
        well:<br>
        ports are listening, and I could telnet to the ports from the<br>
        client (ipadev6).<br>
        I could run the "ldapsearch" command to talk to the replica (ipaprd2)<br>
        from this<br>
        client (ipadev6), and pull out all the LDAP records.<br>
<br>
        Also, I have another test box running RHEL7, and there is no issue at all<br>
        running the<br>
        exact same ipa-client-install command on that RHEL7 box. So<br>
        could there be<br>
        a bug in the ipa-client software on RHEL6 when talking to an IPA server<br>
        running on<br>
        RHEL7? Please advise. Thank you!<br>
<br>
</span></blockquote>
Hi Beeth,<br>
<br>
You may want to check the access and errors logs of the Directory Server in /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the access log with the tag "EXT oid=...", but a failing operation related to an unsupported extended operation will probably log a "RESULT err=2".<br>
<br>
So I would first check access log and look for such a failure. With the OID we will be able to understand which operation is failing and which part could be misconfigured.<br>
<br>
HTH,<br>
Flo.<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
        Best regards,<br>
        Beeth<br>
<br>
<br>
<br>
    Hello Beeth,<br>
    I've tried to reproduce the problem you described with 7.3<br>
    (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client<br>
    3.0.0-51) on client and it worked for me as expected.<br>
    I've done these steps:<br>
    [master] # ipa-server-install -a Secret123 -p Secret123 --domain<br>
    example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U<br>
    [replica] # ipa-client-install -p admin -w Secret123 --domain<br>
    example.test --server master.example.test -U<br>
    [replica] # ipa-replica-install<br>
    [client] # ipa-client-install -p admin -w Secret123 --domain<br>
    example.test --server replica.example.test -U<br>
    [client] # id admin<br>
<br>
    Is there anything you've done differently?<br>
<br>
    --<br>
    David Kupka<br>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div></div></div>
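The log correlation Flo describes above (an "EXT oid=..." request followed by a "RESULT err=2" on the same conn/op), as an added Python example that is not part of this thread. The sample access-log lines are constructed after the ones Beeth quoted, with placeholder IPs in place of the redacted ones, and the OID table covers only a few well-known extended operations; err=2 is protocolError in RFC 4511, which is what the client reports as "unsupported extended operation".

```python
import re

# Constructed sample, modelled on the 389-ds access-log lines quoted in the thread
# (placeholder IPs stand in for the redacted client and replica addresses).
SAMPLE_ACCESS_LOG = """\
[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from 10.0.0.6 to 10.0.0.2
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND
"""

# A few well-known extended-operation OIDs (StartTLS per RFC 4511, the others per their RFCs).
KNOWN_EXTOPS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS Request (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I? (RFC 4532)",
}

# LDAP resultCode values relevant here (RFC 4511 section 4.1.9).
RESULT_CODES = {0: "success", 2: "protocolError"}

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)")
EXT_RE = re.compile(r'conn=(\d+) op=(\d+) EXT oid="([\d.]+)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def find_failed_extops(log_text):
    """Pair each EXT request with the RESULT line carrying the same conn/op and
    return the ones that did not succeed, tagged with the client address."""
    clients = {}   # conn id -> client address from the "connection from" line
    pending = {}   # (conn, op) -> OID of an EXT request still awaiting its RESULT
    failures = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = EXT_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            oid = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if err != 0:
                failures.append({"conn": m.group(1), "client": clients.get(m.group(1), "?"),
                                 "oid": oid, "extop": KNOWN_EXTOPS.get(oid, "unknown extended operation"),
                                 "err": err, "result": RESULT_CODES.get(err, "other")})
    return failures


if __name__ == "__main__":
    for f in find_failed_extops(SAMPLE_ACCESS_LOG):
        print(f"conn={f['conn']} from {f['client']}: {f['extop']} -> err={f['err']} ({f['result']})")
```

Run against the real /var/log/dirsrv/slapd-DOMAIN/access file to list every client whose StartTLS (or other) extended request the server rejected.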