<div dir="ltr">Hi Flo,<div><br></div><div>Thanks for the great hint! I reran the ipa-client-install on the rhel6 box(ipadev6), and monitored the access log file you mentioned on the replica:</div><div><br></div><div><div># ipa-client-install --domain=<a href="http://ipa.example.com">ipa.example.com</a> --server=<a href="http://ipaprd2.example.com">ipaprd2.example.com</a> --hostname=<a href="http://ipadev6.example.com">ipadev6.example.com</a> -d</div><div><br></div><div>( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )</div><div><br></div><div>AFTER about 3 seconds, I saw these on the replica ipaprd2:</div><div>[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2></div><div>[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"</div><div>[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0</div><div>[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND</div><div>[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1</div><div>[14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2></div><div>[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"</div><div>[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0</div><div>[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND</div><div>[14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1</div><div>[14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND</div><div>[14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1</div></div><div><br></div><div>So I did see the err=2, and oid="1.3.6.1.4.1.1466.20037", I checked the oid and got:</div><div><br></div><div>1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)<br></div><div><br></div><div>It looked to be related with TLS... pease advise. Thanks!</div><div><br></div><div><br></div><div><br></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 12/14/2016 01:08 PM, beeth beeth wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
Thanks David. I installed both the master and replica IPA servers with<br>
third-party certificates(Verisign), but I doubt that could be the issue,<br>
because I had no problem to run the same ipa-client-install command on a<br>
RHEL7 machine(of course, the --hostname used a different hostname of the<br>
server). And I had no problem to run the ipa-client-install command with<br>
--server=<master> on such RHEL6 machine. So what could cause the LDAP<br>
communication failed during the client enrollment with the replica? Is<br>
there a way I can troubleshoot this by running some commands? So far I<br>
did telnet to check the open ports, as well as run the ldapsearch<br>
towards the replica. Thanks again!<br>
<br>
<br>
On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a><br></span><span class="gmail-">
<mailto:<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>> wrote:<br>
<br>
On 13/12/16 05:44, beeth beeth wrote:<br>
<br>
I have two IPA servers <a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">ipaprd1.example.com</a><br></span>
<<a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">http://ipaprd1.example.com</a>> and <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
<<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>, running<span class="gmail-"><br>
ipa 4.4 on RHEL7. When I tried to install/configure the client<br>
on a RHEL6<br>
system(called ipadev6), I had issue when I tried to enroll it<br>
with the<br>
replica(ipaprd2), while no issue with the primary(ipaprd1):<br>
<br>
# ipa-client-install --domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
<<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>> --server=<a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">ipaprd1.example.com</a><br>
<<a href="http://ipaprd1.example.com" rel="noreferrer" target="_blank">http://ipaprd1.example.com</a>><br>
--server=<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
--hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><span class="gmail-"><br>
LDAP Error: Protocol error: unsupported extended operation<br>
Autodiscovery of servers for failover cannot work with this<br>
configuration.<br>
If you proceed with the installation, services will be<br>
configured to always<br>
access the discovered server for all operations and will not<br>
fail over to<br>
other servers in case of failure.<br>
Proceed with fixed values and no DNS discovery? [no]<br>
<br>
Then I tried to run ipa-client-install to enroll with the<br>
replica(ipaprd2),<br>
with debug mode, I got this:<br>
<br>
# ipa-client-install --domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
<<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>> --server=<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
<<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
--hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.<wbr>com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>> -d<span class="gmail-"><br>
/usr/sbin/ipa-client-install was invoked with options: {'domain': '<br></span>
<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>', 'force': False,<span class="gmail-"><br>
'realm_name': None,<br>
'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':<br>
False,<br>
'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,<br>
'on_master':<br>
False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,<br>
'principal': None, 'hostname': '<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a><br></span>
<<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>>', 'no_ac': False,<span class="gmail-"><br>
'unattended': None, 'sssd': True, 'trust_sshfp': False,<br>
'kinit_attempts':<br>
5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,<br>
'force_join':<br>
False, 'ca_cert_file': None, 'server': ['<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br></span>
<<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<span class="gmail-"><br>
'prompt_password': False, 'permit': False, 'debug': True,<br>
'preserve_sssd':<br>
False, 'uninstall': False}<br>
missing options might be asked for interactively later<br>
Loading Index file from<br>
'/var/lib/ipa-client/sysrestor<wbr>e/sysrestore.index'<br>
Loading StateFile from<br>
'/var/lib/ipa-client/sysrestor<wbr>e/sysrestore.state'<br>
[IPA Discovery]<br>
Starting IPA discovery with domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
<<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>, servers=['<br>
<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<br>
hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><span class="gmail-"><br>
Server and domain forced<br>
[Kerberos realm search]<br>
Search DNS for TXT record of _<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">kerberos.ipa.example.com</a><br></span>
<<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>>.<span class="gmail-"><br>
No DNS record found<br>
Search DNS for SRV record of _kerberos._<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">udp.ipa.example.com</a><br></span>
<<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>>.<span class="gmail-"><br>
No DNS record found<br>
SRV record for KDC not found! Domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
<<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
[LDAP server check]<br>
Verifying that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><span class="gmail-"><br>
(realm None) is an IPA server<br>
Init LDAP connection with: ldap://<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">ipaprd2.example.com:389</a><br></span>
<<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>><span class="gmail-"><br>
LDAP Error: Protocol error: unsupported extended operation<br>
Discovery result: UNKNOWN_ERROR; server=None,<br></span>
domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>,<br>
kdc=None, basedn=None<br>
Validated servers:<br>
will use discovered domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><span class="gmail-"><br>
IPA Server not found<br>
[IPA Discovery]<br>
Starting IPA discovery with domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
<<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>, servers=['<br>
<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<br>
hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><span class="gmail-"><br>
Server and domain forced<br>
[Kerberos realm search]<br>
Search DNS for TXT record of _<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">kerberos.ipa.example.com</a><br></span>
<<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>>.<span class="gmail-"><br>
No DNS record found<br>
Search DNS for SRV record of _kerberos._<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">udp.ipa.example.com</a><br></span>
<<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>>.<span class="gmail-"><br>
No DNS record found<br>
SRV record for KDC not found! Domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br></span>
<<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
[LDAP server check]<br>
Verifying that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><span class="gmail-"><br>
(realm None) is an IPA server<br>
Init LDAP connection with: ldap://<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">ipaprd2.example.com:389</a><br></span>
<<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>><span class="gmail-"><br>
LDAP Error: Protocol error: unsupported extended operation<br>
Discovery result: UNKNOWN_ERROR; server=None,<br></span>
domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>,<span class="gmail-"><br>
kdc=None, basedn=None<br>
Validated servers:<br>
Failed to verify that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br></span>
<<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>> is an IPA Server.<span class="gmail-"><br>
This may mean that the remote server is not up or is not<br>
reachable due to<br>
network or firewall settings.<br>
Please make sure the following ports are opened in the firewall<br>
settings:<br>
TCP: 80, 88, 389<br>
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)<br>
Also note that following ports are necessary for ipa-client working<br>
properly after enrollment:<br>
TCP: 464<br>
UDP: 464, 123 (if NTP enabled)<br></span>
(<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>: Provided as<span class="gmail-"><br>
option)<br>
Installation failed. Rolling back changes.<br>
IPA client is not configured on this system.<br>
<br>
<br>
I double checked the services running on the replica, all looked<br>
well:<br>
ports are listening, and I could telnet the ports from the<br>
client(ipadev6).<br>
I could run "ldapserach" command to talk to the replica(ipaprd2)<br>
from this<br>
client(ipadev6), with pulling out all the LDAP records.<br>
<br>
Also, I have another test box running RHEL7, and no issue at all<br>
to run the<br>
exact same ipa-client-install command on that RHEL7 box. So<br>
could there be<br>
a bug on the ipa-client software on RHEL6, to talk to IPA sever<br>
running on<br>
RHEL7? Please advise. Thank you!<br>
<br>
</span></blockquote>
Hi Beeth,<br>
<br>
you may want to check the access and errors log of the Directory Server in /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the access log with the tag "EXT oid=...", but a failing operation related to unsupported extended operation will probably log a "RESULT err=2".<br>
<br>
So I would first check access log and look for such a failure. With the OID we will be able to understand which operation is failing and which part could be misconfigured.<br>
<br>
HTH,<br>
Flo.<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Best regards,<br>
Beeth<br>
<br>
<br>
<br>
Hello Beeth,<br>
I've tried to reproduce the problem you described with 7.3<br>
(ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client<br>
3.0.0-51) on client and it worked for me as expected.<br>
I've done these steps:<br>
[master] # ipa-server-install -a Secret123 -p Secret123 --domain<br>
example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U<br>
[replica] # ipa-client-install -p admin -w Secret123 --domain<br>
example.test --server master.example.test -U<br>
[replica] # ipa-replica-install<br>
[client] # ipa-client-install -p admin -w Secret123 --domain<br>
example.test --server replica.example.test -U<br>
[client] # id admin<br>
<br>
Is there anything you've done differently?<br>
<br>
--<br>
David Kupka<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div></div></div>