[Freeipa-users] Failed ipa-client-install with IPA Replica

beeth beeth beeth2006 at gmail.com
Tue Dec 13 04:44:45 UTC 2016


I have two IPA servers ipaprd1.example.com and ipaprd2.example.com, running
ipa 4.4 on RHEL7. When I tried to install/configure the client on a RHEL6
system (called ipadev6), I had an issue when I tried to enroll it with the
replica (ipaprd2), while there was no issue with the primary (ipaprd1):

# ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
LDAP Error: Protocol error: unsupported extended operation
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always
access the discovered server for all operations and will not fail over to
other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]

Then I tried to run ipa-client-install to enroll with the replica (ipaprd2)
in debug mode, and I got this:

# ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'ipa.example.com', 'force': False, 'realm_name': None,
'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False,
'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master':
False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,
'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts':
5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join':
False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'],
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=ipa.example.com,
servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.example.com.
No DNS record found
Search DNS for SRV record of _kerberos._udp.ipa.example.com.
No DNS record found
SRV record for KDC not found! Domain: ipa.example.com
[LDAP server check]
Verifying that ipaprd2.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipaprd2.example.com:389
LDAP Error: Protocol error: unsupported extended operation
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com,
kdc=None, basedn=None
Validated servers:
will use discovered domain: ipa.example.com
IPA Server not found
[IPA Discovery]
Starting IPA discovery with domain=ipa.example.com,
servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.example.com.
No DNS record found
Search DNS for SRV record of _kerberos._udp.ipa.example.com.
No DNS record found
SRV record for KDC not found! Domain: ipa.example.com
[LDAP server check]
Verifying that ipaprd2.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipaprd2.example.com:389
LDAP Error: Protocol error: unsupported extended operation
Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com,
kdc=None, basedn=None
Validated servers:
Failed to verify that ipaprd2.example.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
(ipaprd2.example.com: Provided as option)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


I double checked the services running on the replica, and all looked well:
the ports are listening, and I could telnet to the ports from the client
(ipadev6). I could run the "ldapsearch" command to talk to the replica
(ipaprd2) from this client (ipadev6) and pull out all the LDAP records.

Also, I have another test box running RHEL7, and there is no issue at all
running the exact same ipa-client-install command on that RHEL7 box. So could
there be a bug in the ipa-client software on RHEL6 when talking to an IPA
server running on RHEL7? Please advise. Thank you!

Best regards,
Beeth
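One way to narrow down an "unsupported extended operation" error is to compare which extended operations each server advertises in its root DSE, since that error is what an LDAP server returns when a client requests an extended operation it does not offer. The script below is an added example and is not part of the original post or of FreeIPA's own tooling. The host names come from the post; the sample root DSE output is constructed here so the parsing can be exercised offline, and the three OIDs in it (StartTLS, password modify, WhoAmI) are an assumption about what a given server advertises, not something the post reports.

```shell
#!/bin/sh
# Added example (not from the original post): list and compare the extended
# operations two IPA servers advertise, to see whether the replica is missing
# one the client asks for.

# Constructed sample of `ldapsearch -x -LLL -s base -b "" supportedExtension`
# output against an IPA server. The OIDs are assumed, not taken from the post:
#   1.3.6.1.4.1.1466.20037  StartTLS
#   1.3.6.1.4.1.4203.1.11.1 password modify
#   1.3.6.1.4.1.4203.1.11.3 WhoAmI
SAMPLE_ROOTDSE='dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3'

# Constructed sample of a server that does not advertise WhoAmI (assumption,
# used only to show what a difference between two servers looks like).
SAMPLE_ROOTDSE_NO_WHOAMI='dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

# extops_from_rootdse: read root DSE LDIF on stdin, print one OID per line.
extops_from_rootdse() {
    sed -n 's/^supportedExtension: *//p' | sort -u
}

# has_extop OID: succeed if the LDIF on stdin advertises exactly that OID.
has_extop() {
    extops_from_rootdse | grep -qxF "$1"
}

# extops_diff LDIF_A LDIF_B: print OIDs that only one of the two servers
# advertises (symmetric difference; each side is already unique, so an OID
# present on both appears twice and uniq -u drops it).
extops_diff() {
    {
        printf '%s\n' "$1" | extops_from_rootdse
        printf '%s\n' "$2" | extops_from_rootdse
    } | sort | uniq -u
}

# fetch_rootdse HOST: query a live server anonymously on the plain LDAP port
# (needs network access and the ldapsearch client; not run by default).
fetch_rootdse() {
    ldapsearch -x -LLL -H "ldap://$1:389" -s base -b "" supportedExtension
}

# compare_servers HOST1 HOST2: live comparison of two servers' root DSEs.
# Example (not run here): compare_servers ipaprd1.example.com ipaprd2.example.com
compare_servers() {
    extops_diff "$(fetch_rootdse "$1")" "$(fetch_rootdse "$2")"
}
```

Run `compare_servers ipaprd1.example.com ipaprd2.example.com` from the failing client; an empty result means both servers advertise the same extended operations and the difference lies elsewhere (for example in what the RHEL6 client library sends), while any OID printed is the first thing to check against the operation the client is attempting.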