[Freeipa-users] stupid question

Mike Calautti Mike.Calautti at genesyslab.com
Tue Oct 15 20:24:47 UTC 2013


You're awesome!!!!

Interesting..
Well, for one it's claiming it can't contact the LDAP server...
But it's calling a machine in our domain that I didn't know existed and, furthermore, was never mentioned in the IPA setup..
So I see it was searching the network...

Also.. when doing research on installing, I saw that someone said to paste the entries from the example DNS file into your existing DNS db file.
I didn't do that because I am just testing..
Would that affect it?

DNS is correct for both IPA master/replica.

Here is the log.

cat /var/log/ipaclient-install.log 
2013-10-15T20:18:11Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-10-15T20:18:11Z DEBUG missing options might be asked for interactively later
2013-10-15T20:18:11Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-10-15T20:18:11Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-10-15T20:18:11Z DEBUG [IPA Discovery]
2013-10-15T20:18:11Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=freeiptest01.dev.com
2013-10-15T20:18:11Z DEBUG Start searching for LDAP SRV record in "dev.com" (domain of the hostname) and its sub-domains
2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
2013-10-15T20:18:11Z DEBUG No DNS record found
2013-10-15T20:18:11Z DEBUG Search DNS for SRV record of _ldap._tcp.dev.com.
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc02.dev.com.}
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:hqdc.dev.com.}
2013-10-15T20:18:11Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.dev.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:drdc01.dev.com.}
2013-10-15T20:18:11Z DEBUG [Kerberos realm search]
2013-10-15T20:18:11Z DEBUG Search DNS for TXT record of _kerberos.dev.com.
2013-10-15T20:18:11Z DEBUG No DNS record found
2013-10-15T20:18:11Z DEBUG [LDAP server check]
2013-10-15T20:18:11Z DEBUG Verifying that hqdc02.dev.com (realm None) is an IPA server
2013-10-15T20:18:11Z DEBUG Init LDAP connection with: ldap://hqdc02.dev.com:389
2013-10-15T20:18:11Z DEBUG Search LDAP server for IPA base DN

If I specify --server=rdsdev01 --domain=dev.com

I get 

Failed to verify that rdsdev01 is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

However, there is no FW. iptables is not running.. and I can telnet to each of those ports.



-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Tuesday, October 15, 2013 4:11 PM
To: Mike Calautti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stupid question

Mike Calautti wrote:
> I installed ipa-client..
>
> I get this now.
>
> ipa-client-install
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-client-install", line 2323, in <module>
>      sys.exit(main())
>    File "/usr/sbin/ipa-client-install", line 2309, in main
>      rval = install(options, env, fstore, statestore)
>    File "/usr/sbin/ipa-client-install", line 1684, in install
>      ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
>    File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 242, in search
>      ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
>    File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 339, in ipacheckldap
>      basedn = get_ipa_basedn(lh)
>    File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
>      contexts = entries[0][1]['namingcontexts']
>
> cat /etc/redhat-release
> CentOS release 6.4 (Final)

Hmm. I'd take a look at /var/log/ipaclient-install.log to see what host it is trying to enroll against. I have the feeling it is finding another host.

We fixed a bug post-6.4 related to case insensitivity and namingcontexts. I have the feeling the LDAP server you're connecting to isn't returning it all in lower case as we expect.

rob
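The two problems in this thread, modelled as an added example (not FreeIPA's code): discovery follows the _ldap._tcp.dev.com SRV records from the log to hqdc02 rather than the IPA server rdsdev01, and the rootDSE lookup dies with a KeyError when the attribute is not spelled in lower case. Server contents, the `IPA V2.0` suffix marker and the rdsdev01 rootDSE are assumptions constructed for the model.

```python
# Added example, not FreeIPA's own code. ipa-client-install follows the
# _ldap._tcp SRV record, reads 'namingcontexts' from that host's rootDSE and
# looks for an IPA-marked suffix. The traceback is a KeyError because the
# answering host spells it 'namingContexts' (Active Directory does); LDAP
# attribute names are case-insensitive (RFC 4512), so the lookup must be too.
# All data below is constructed in-line so the example runs offline.

# SRV answers as logged above (all priority 0, weight 100).
SRV_RECORDS = [
    {"priority": 0, "weight": 100, "port": 389, "server": "hqdc02.dev.com."},
    {"priority": 0, "weight": 100, "port": 389, "server": "hqdc.dev.com."},
    {"priority": 0, "weight": 100, "port": 389, "server": "drdc01.dev.com."},
]

# Constructed rootDSE attribute maps plus the 'info' attribute of each suffix.
# 'IPA V2.0' as the IPA suffix marker is an assumption made for this model.
SERVERS = {
    "hqdc02.dev.com.": ({"namingContexts": ["DC=dev,DC=com"]}, {"dc=dev,dc=com": []}),
    "rdsdev01.dev.com.": ({"namingcontexts": ["dc=dev,dc=com", "cn=changelog"]},
                          {"dc=dev,dc=com": ["IPA V2.0"]}),
}

def get_attr_ci(entry, name):
    """Case-insensitive attribute lookup on an LDAP entry dict."""
    want = name.lower()
    for key, values in entry.items():
        if key.lower() == want:
            return values
    return []

def naming_contexts_buggy(entry):
    # The failing form from the traceback: exact-case key access.
    return entry["namingcontexts"]

def find_ipa_basedn(rootdse, info_at_base):
    """Return the first naming context whose 'info' marks it as IPA, else None."""
    for ctx in get_attr_ci(rootdse, "namingContexts"):
        if "IPA V2.0" in info_at_base.get(ctx.lower(), []):
            return ctx
    return None

def pick_srv_target(records):
    """Lowest priority, then highest weight (RFC 2782); ties keep DNS order."""
    return min(records, key=lambda r: (r["priority"], -r["weight"]))["server"]

def discover(records, servers):
    """Model the client: follow SRV, then verify the host serves an IPA suffix."""
    target = pick_srv_target(records)
    rootdse, info = servers[target]
    return target, find_ipa_basedn(rootdse, info)
```

With these inputs `discover` lands on hqdc02 and finds no IPA suffix, which is why the client never reaches rdsdev01 unless `--server`/`--domain` point at it or an SRV record does.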
