[Freeipa-users] Auto discover of the IPA server failing with LDAP anonymous binds off

Sigbjorn Lie sigbjorn at nixtra.com
Sat Apr 6 17:38:14 UTC 2013


Hi,

I am trying to install the IPA client on a CentOS 6.4 host, however the 
auto discovery of the IPA server is failing, which seems to be caused 
by my IPA servers having anonymous binds switched off.

Is this expected behaviour?


# rpm -qa|grep ^ipa|sort
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64


# ipa-client-install -U --domain=unix.nuexample.com 
--password='somepassword' --enable-dns-updates -d
/usr/sbin/ipa-client-install was invoked with options: {'domain': 
'unix.nuexample.com', 'force': False, 'krb5_offline_passwords': True, 
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': 
True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 
'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 
'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': 
True, 'realm_name': None, 'conf_ssh': True, 'server': None, 
'prompt_password': False, 'permit': False, 'debug': True, 
'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=unix.nuexample.com, servers=None, 
hostname=clienthost.unix.nuexample.com
Search for LDAP SRV record in unix.nuexample.com
Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
DNS record found: 
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
DNS record found: 
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found: 
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.unix.nuexample.com.
DNS record found: 
DNSResult::name:_kerberos.unix.nuexample.com.,type:16,class:1,rdata={data:UNIX.NUEXAMPLE.COM}
Search DNS for SRV record of _kerberos._udp.unix.nuexample.com.
DNS record found: 
DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found: 
DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:88,weight:100,server:ipa03.unix.nuexample.com.}
DNS record found: 
DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa01.unix.nuexample.com.}
[LDAP server check]
Verifying that ipa01.unix.nuexample.com (realm UNIX.NUEXAMPLE.COM) is an 
IPA server
Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=unix,dc=nuexample,dc=com' is for IPA
Naming context 'dc=unix,dc=nuexample,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in 
dc=unix,dc=nuexample,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, 
domain=unix.nuexample.com, 
kdc=ipa02.unix.nuexample.com,ipa03.unix.nuexample.com,ipa01.unix.nuexample.com, 
basedn=dc=unix,dc=nuexample,dc=com
Validated servers: ipa01.unix.nuexample.com
will use discovered domain: unix.nuexample.com
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.




Regards,
Siggi
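To make the failure mode in the debug log explicit, here is an added example (not FreeIPA's own code) that replays the logged discovery steps against in-memory DNS and LDAP stubs so it runs offline. The SRV/TXT answers are constructed to mirror the log, `FakeLdap` and `discover` are hypothetical names, and weight-based SRV selection is simplified to a priority sort.

```python
from collections import namedtuple

SUCCESS, NO_ACCESS_TO_LDAP, NOT_IPA_SERVER = "SUCCESS", "NO_ACCESS_TO_LDAP", "NOT_IPA_SERVER"
Srv = namedtuple("Srv", "priority weight port target")

# Constructed DNS answers mirroring the log; ipa03 carries the lower preference (priority 5).
SRV = {
    "_ldap._tcp.unix.nuexample.com.": [Srv(0, 100, 389, "ipa01.unix.nuexample.com"),
                                       Srv(0, 100, 389, "ipa02.unix.nuexample.com"),
                                       Srv(5, 100, 389, "ipa03.unix.nuexample.com")],
    "_kerberos._udp.unix.nuexample.com.": [Srv(0, 100, 88, "ipa02.unix.nuexample.com"),
                                           Srv(5, 100, 88, "ipa03.unix.nuexample.com"),
                                           Srv(0, 100, 88, "ipa01.unix.nuexample.com")],
}
TXT = {"_kerberos.unix.nuexample.com.": "UNIX.NUEXAMPLE.COM"}


class FakeLdap:
    """Hypothetical in-memory directory: one naming context, anonymous search on or off."""
    def __init__(self, anonymous_allowed):
        self.anonymous_allowed = anonymous_allowed
        self.naming_contexts = ["dc=unix,dc=nuexample,dc=com"]  # readable from the rootDSE

    def search(self, base, filt, bound=False):
        if not bound and not self.anonymous_allowed:
            raise PermissionError("Anonymous access not allowed")  # the error seen in the log
        if base in self.naming_contexts and filt == "(objectClass=krbRealmContainer)":
            return [{"cn": "UNIX.NUEXAMPLE.COM"}]
        return []


def discover(domain, ldap_by_host):
    """Replay the logged steps: LDAP SRV -> realm TXT -> KDC SRV -> anonymous realm search."""
    result = {"server": None, "domain": domain, "basedn": None, "result": NOT_IPA_SERVER,
              "realm": TXT.get(f"_kerberos.{domain}."),
              "kdc": [s.target for s in SRV[f"_kerberos._udp.{domain}."]]}
    # Simplification: order by SRV priority only; real resolvers also weight within a priority.
    candidates = sorted(SRV[f"_ldap._tcp.{domain}."], key=lambda s: s.priority)
    for host in (s.target for s in candidates):
        ldap = ldap_by_host[host]
        result["basedn"] = ldap.naming_contexts[0]
        try:
            if ldap.search(result["basedn"], "(objectClass=krbRealmContainer)"):
                result.update(server=host, result=SUCCESS)
                break
        except PermissionError:
            # No anonymous search means the client cannot prove this is an IPA server,
            # so it stops rather than trusting an unverified host.
            result["result"] = NO_ACCESS_TO_LDAP
            break
    return result
```

Running `discover("unix.nuexample.com", ...)` with anonymous access off reproduces the log's outcome (realm, KDC list and base DN found, result NO_ACCESS_TO_LDAP, server None); with it on, ipa01 is validated.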



