[Freeipa-users] Failed ipa-client-install with IPA Replica

Florence Blanc-Renaud flo at redhat.com
Wed Dec 14 12:57:57 UTC 2016


On 12/14/2016 01:08 PM, beeth beeth wrote:
> Thanks David. I installed both the master and replica IPA servers with
> third-party certificates (Verisign), but I doubt that could be the issue,
> because I had no problem running the same ipa-client-install command on a
> RHEL7 machine (of course, the --hostname used a different hostname of the
> server). And I had no problem running the ipa-client-install command with
> --server=<master> on such a RHEL6 machine. So what could cause the LDAP
> communication to fail during the client enrollment with the replica? Is
> there a way I can troubleshoot this by running some commands? So far I
> did telnet to check the open ports, as well as run the ldapsearch
> towards the replica. Thanks again!
>
>
> On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <dkupka at redhat.com> wrote:
>
>     On 13/12/16 05:44, beeth beeth wrote:
>
>         I have two IPA servers ipaprd1.example.com and ipaprd2.example.com,
>         running ipa 4.4 on RHEL7. When I tried to install/configure the client
>         on a RHEL6 system (called ipadev6), I had an issue when I tried to
>         enroll it with the replica (ipaprd2), while there was no issue with
>         the primary (ipaprd1):
>
>         # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
>         LDAP Error: Protocol error: unsupported extended operation
>         Autodiscovery of servers for failover cannot work with this configuration.
>         If you proceed with the installation, services will be configured to always
>         access the discovered server for all operations and will not fail over to
>         other servers in case of failure.
>         Proceed with fixed values and no DNS discovery? [no]
>
>         Then I tried to run ipa-client-install to enroll with the replica
>         (ipaprd2) in debug mode, and I got this:
>
>         # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>         /usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.example.com', 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>         missing options might be asked for interactively later
>         Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>         Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>         [IPA Discovery]
>         Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>         Server and domain forced
>         [Kerberos realm search]
>         Search DNS for TXT record of _kerberos.ipa.example.com.
>         No DNS record found
>         Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>         No DNS record found
>         SRV record for KDC not found! Domain: ipa.example.com
>         [LDAP server check]
>         Verifying that ipaprd2.example.com (realm None) is an IPA server
>         Init LDAP connection with: ldap://ipaprd2.example.com:389
>         LDAP Error: Protocol error: unsupported extended operation
>         Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>         Validated servers:
>         will use discovered domain: ipa.example.com
>         IPA Server not found
>         [IPA Discovery]
>         Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>         Server and domain forced
>         [Kerberos realm search]
>         Search DNS for TXT record of _kerberos.ipa.example.com.
>         No DNS record found
>         Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>         No DNS record found
>         SRV record for KDC not found! Domain: ipa.example.com
>         [LDAP server check]
>         Verifying that ipaprd2.example.com (realm None) is an IPA server
>         Init LDAP connection with: ldap://ipaprd2.example.com:389
>         LDAP Error: Protocol error: unsupported extended operation
>         Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>         Validated servers:
>         Failed to verify that ipaprd2.example.com is an IPA Server.
>         This may mean that the remote server is not up or is not reachable due to
>         network or firewall settings.
>         Please make sure the following ports are opened in the firewall settings:
>              TCP: 80, 88, 389
>              UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>         Also note that following ports are necessary for ipa-client working
>         properly after enrollment:
>              TCP: 464
>              UDP: 464, 123 (if NTP enabled)
>         (ipaprd2.example.com: Provided as option)
>         Installation failed. Rolling back changes.
>         IPA client is not configured on this system.
>
>
>         I double checked the services running on the replica, and all looked
>         well: ports are listening, and I could telnet to the ports from the
>         client (ipadev6). I could run the "ldapsearch" command to talk to the
>         replica (ipaprd2) from this client (ipadev6), pulling out all the
>         LDAP records.
>
>         Also, I have another test box running RHEL7, and there is no issue at
>         all running the exact same ipa-client-install command on that RHEL7
>         box. So could there be a bug in the ipa-client software on RHEL6 when
>         talking to an IPA server running on RHEL7? Please advise. Thank you!
>
Hi Beeth,

you may want to check the access and errors logs of the Directory Server 
in /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in 
the access log with the tag "EXT oid=...", but a failing operation 
related to an unsupported extended operation will probably log a "RESULT 
err=2".

So I would first check the access log and look for such a failure. With the 
OID we will be able to understand which operation is failing and which 
part could be misconfigured.

HTH,
Flo.
>         Best regards,
>         Beeth
>
>
>
>     Hello Beeth,
>     I've tried to reproduce the problem you described with 7.3
>     (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client
>     3.0.0-51) on client and it worked for me as expected.
>     I've done these steps:
>     [master] # ipa-server-install -a Secret123 -p Secret123 --domain
>     example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U
>     [replica] # ipa-client-install -p admin -w Secret123 --domain
>     example.test --server master.example.test -U
>     [replica] # ipa-replica-install
>     [client] # ipa-client-install -p admin -w Secret123 --domain
>     example.test --server replica.example.test -U
>     [client] # id admin
>
>     Is there anything you've done differently?
>
>     --
>     David Kupka
>
>
>
>
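As an added illustration of Flo's suggestion above (this is not code from the thread or from FreeIPA), the following script pairs each "EXT oid=..." request in a 389 Directory Server access log with the "RESULT err=..." line carrying the same conn/op identifiers, so the OID of an extended operation that failed with err=2 (LDAP protocolError, the code behind "unsupported extended operation") can be read off directly. The sample log lines are constructed; the failing OID 1.2.3.4.5.6.7 is a placeholder, and the script would normally be fed the replica's /var/log/dirsrv/slapd-DOMAIN/access file.

```python
import re

# Common prefix of a 389-ds access log line: timestamp, connection id, operation id, remainder.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"(?: name="(?P<name>[^"]*)")?')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

LDAP_PROTOCOL_ERROR = 2  # LDAP resultCode protocolError


def failed_extended_ops(lines, err=LDAP_PROTOCOL_ERROR):
    """Return the EXT requests whose RESULT (same conn/op) carried the given err code."""
    pending = {}    # (conn, op) -> (timestamp, oid, plugin name) awaiting its RESULT line
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # not an operation line (e.g. "fd=... slot=... connection from ...")
        key = (m.group('conn'), m.group('op'))
        rest = m.group('rest')
        ext = EXT_RE.match(rest)
        if ext:
            pending[key] = (m.group('ts'), ext.group('oid'), ext.group('name') or '')
            continue
        res = RESULT_RE.match(rest)
        if res and key in pending:
            ts, oid, name = pending.pop(key)
            if int(res.group('err')) == err:
                failures.append({'time': ts, 'conn': key[0], 'op': key[1], 'oid': oid, 'name': name})
    return failures


# Constructed sample: one extended op that succeeds (whoami, a real OID) and one
# unsupported op (placeholder OID) answered with err=2 on a different connection.
SAMPLE_LOG = """\
[14/Dec/2016:12:30:01.000000000 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Dec/2016:12:30:01.001000000 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Dec/2016:12:30:01.002000000 +0000] conn=12 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami"
[14/Dec/2016:12:30:01.003000000 +0000] conn=12 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[14/Dec/2016:12:30:02.000000000 +0000] conn=13 op=0 EXT oid="1.2.3.4.5.6.7" name=""
[14/Dec/2016:12:30:02.001000000 +0000] conn=13 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:12:30:02.002000000 +0000] conn=13 op=1 UNBIND
"""

if __name__ == '__main__':
    for f in failed_extended_ops(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} conn={f['conn']} op={f['op']} failed: oid={f['oid']} name={f['name']!r}")
```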
