[Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

Petr Viktorin pviktori at redhat.com
Tue Apr 30 14:33:54 UTC 2013


On 04/30/2013 04:03 PM, Ana Krivokapic wrote:
> On 04/30/2013 10:42 AM, Petr Viktorin wrote:
>> On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
>>> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>>>> Ana Krivokapic wrote:
>>>>> Do not display ports to open when password is incorrect during
>>>>> ipa-client-install
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3573
>>>>>
>>>>
>>>> What happens if port 88 is not open so it can't connect to the KDC?
>>>> I'm not sure how the best way to determine one vs the other, I don't
>>>> think there are distinct return values.
>>>>
>>>> We could use the fact that Kerberos isn't translated to look for
>>>> specific strings maybe, but that is hackish and could break.
>>>>
>>>> rob
>>>
>>> The return value from kinit is always 1 in case of failure. So the only
>>> way to determine the reason for failure would be to look into the
>>> message string. I agree this is hackish as Rob pointed out. Personally,
>>> I am for leaving everything as it is now. In the case of incorrect
>>> password, the user _does_ get the message that the password was
>>> incorrect (kinit: Password incorrect while getting initial credentials).
>>> So I don't think that displaying the message about ports, in addition to
>>> this message, is confusing/misleading.
>>
>> I think displaying the error messages after the port information would
>> make it clearer that this is the reason for failed installation.
>>
>
> I think this is a good compromise. Updated patch attached.

So now we have, with bad password:

$ sudo ipa-client-install -p admin -w bad-password
Discovery was successful!
Hostname: vm-050.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-109.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Please make sure the following ports are opened in the firewall settings:
      TCP: 80, 88, 389
      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working 
properly after enrollment:
      TCP: 464
      UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.



and with no connection:

$ sudo ipa-client-install -p admin -w good-password
Discovery was successful!
Hostname: vm-050.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-109.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Please make sure the following ports are opened in the firewall settings:
      TCP: 80, 88, 389
      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working 
properly after enrollment:
      TCP: 464
      UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM' 
while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Rob, is the behavior OK?

ACK for the implementation.

-- 
Petr³