[Freeipa-users] Failed ipa-client-install with IPA Replica

beeth beeth beeth2006 at gmail.com
Wed Dec 14 18:49:04 UTC 2016


Hi Flo,

Thanks for the great hint! I reran the ipa-client-install on the rhel6
box(ipadev6), and monitored the access log file you mentioned on the
replica:

# ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d

( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )

AFTER about 3 seconds, I saw these on the replica ipaprd2:
[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
[14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND
[14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1

So I did see the err=2 with oid="1.3.6.1.4.1.1466.20037"; I checked the OID
and got:

1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)

It looks to be related to TLS... please advise. Thanks!




On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> On 12/14/2016 01:08 PM, beeth beeth wrote:
>
>> Thanks David. I installed both the master and replica IPA servers with
>> third-party certificates(Verisign), but I doubt that could be the issue,
>> because I had no problem to run the same ipa-client-install command on a
>> RHEL7 machine(of course, the --hostname used a different hostname of the
>> server). And I had no problem to run the ipa-client-install command with
>> --server=<master> on such RHEL6 machine. So what could cause the LDAP
>> communication failed during the client enrollment with the replica? Is
>> there a way I can troubleshoot this by running some commands? So far I
>> did telnet to check the open ports, as well as run the ldapsearch
>> towards the replica. Thanks again!
>>
>>
>> On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <dkupka at redhat.com> wrote:
>>
>>     On 13/12/16 05:44, beeth beeth wrote:
>>
>>         I have two IPA servers ipaprd1.example.com and ipaprd2.example.com,
>>         running ipa 4.4 on RHEL7. When I tried to install/configure the client
>>         on a RHEL6 system (called ipadev6), I had an issue when I tried to
>>         enroll it with the replica (ipaprd2), while no issue with the
>>         primary (ipaprd1):
>>
>>         # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
>>         LDAP Error: Protocol error: unsupported extended operation
>>         Autodiscovery of servers for failover cannot work with this configuration.
>>         If you proceed with the installation, services will be configured to always
>>         access the discovered server for all operations and will not fail over to
>>         other servers in case of failure.
>>         Proceed with fixed values and no DNS discovery? [no]
>>
>>         Then I tried to run ipa-client-install to enroll with the replica(ipaprd2),
>>         with debug mode, I got this:
>>
>>         # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>>         /usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.example.com', 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>>         missing options might be asked for interactively later
>>         Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>         Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>         [IPA Discovery]
>>         Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>>         Server and domain forced
>>         [Kerberos realm search]
>>         Search DNS for TXT record of _kerberos.ipa.example.com.
>>         No DNS record found
>>         Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>>         No DNS record found
>>         SRV record for KDC not found! Domain: ipa.example.com
>>         [LDAP server check]
>>         Verifying that ipaprd2.example.com (realm None) is an IPA server
>>         Init LDAP connection with: ldap://ipaprd2.example.com:389
>>         LDAP Error: Protocol error: unsupported extended operation
>>         Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>>         Validated servers:
>>         will use discovered domain: ipa.example.com
>>         IPA Server not found
>>         [IPA Discovery]
>>         Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>>         Server and domain forced
>>         [Kerberos realm search]
>>         Search DNS for TXT record of _kerberos.ipa.example.com.
>>         No DNS record found
>>         Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>>         No DNS record found
>>         SRV record for KDC not found! Domain: ipa.example.com
>>         [LDAP server check]
>>         Verifying that ipaprd2.example.com (realm None) is an IPA server
>>         Init LDAP connection with: ldap://ipaprd2.example.com:389
>>         LDAP Error: Protocol error: unsupported extended operation
>>         Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>>         Validated servers:
>>         Failed to verify that ipaprd2.example.com is an IPA Server.
>>         This may mean that the remote server is not up or is not reachable due to
>>         network or firewall settings.
>>         Please make sure the following ports are opened in the firewall settings:
>>              TCP: 80, 88, 389
>>              UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>         Also note that following ports are necessary for ipa-client working
>>         properly after enrollment:
>>              TCP: 464
>>              UDP: 464, 123 (if NTP enabled)
>>         (ipaprd2.example.com: Provided as option)
>>         Installation failed. Rolling back changes.
>>         IPA client is not configured on this system.
>>
>>
>>         I double checked the services running on the replica, all looked well:
>>         ports are listening, and I could telnet the ports from the client (ipadev6).
>>         I could run the "ldapsearch" command to talk to the replica (ipaprd2) from
>>         this client (ipadev6), pulling out all the LDAP records.
>>
>>         Also, I have another test box running RHEL7, and no issue at all to run the
>>         exact same ipa-client-install command on that RHEL7 box. So could there be
>>         a bug in the ipa-client software on RHEL6, talking to an IPA server running
>>         on RHEL7? Please advise. Thank you!
>>
>
> Hi Beeth,
>
> you may want to check the access and errors log of the Directory Server in
> /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the
> access log with the tag "EXT oid=...", but a failing operation related to
> unsupported extended operation will probably log a "RESULT err=2".
>
> So I would first check access log and look for such a failure. With the
> OID we will be able to understand which operation is failing and which part
> could be misconfigured.
>
> HTH,
> Flo.
>
>>         Best regards,
>>         Beeth
>>
>>
>>
>>     Hello Beeth,
>>     I've tried to reproduce the problem you described with 7.3
>>     (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client
>>     3.0.0-51) on client and it worked for me as expected.
>>     I've done these steps:
>>     [master] # ipa-server-install -a Secret123 -p Secret123 --domain
>>     example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U
>>     [replica] # ipa-client-install -p admin -w Secret123 --domain
>>     example.test --server master.example.test -U
>>     [replica] # ipa-replica-install
>>     [client] # ipa-client-install -p admin -w Secret123 --domain
>>     example.test --server replica.example.test -U
>>     [client] # id admin
>>
>>     Is there anything you've done differently?
>>
>>     --
>>     David Kupka
>>
>>
>>
>>
>>
>
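The access-log check Flo suggests, and the EXT/RESULT pairing beeth found, can be automated so that every extended operation whose RESULT carries a non-zero err is reported together with the connection and client that sent it. The script below is an added example, not part of the thread and not FreeIPA or 389-ds code. It assumes the 389-ds access-log line shapes visible above (a "connection from" line, then "op=N EXT oid=..." followed by "op=N RESULT err=..." on the same conn); the sample log is constructed for the example with documentation addresses, and the OID name and LDAP result-code names come from RFC 4511.

```python
"""Correlate extended operations (EXT) with their RESULT lines in a 389-ds
access log, so a failing StartTLS (or any other extended op) can be spotted
per connection and attributed to the client that sent it.

Added example: assumes the 389-ds access-log format shown in the thread."""
import re

# Extended-operation OIDs we want to name; StartTLS is the one from the thread.
# The OID-to-name mapping is RFC 4511 knowledge, not something the server logs.
KNOWN_EXT_OIDS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS Request (RFC 4511)",
}

# LDAP result codes (RFC 4511) relevant to this check.
RESULT_CODES = {0: "success", 2: "protocolError"}

# Constructed sample modelled on the 389-ds access-log format; the 192.0.2.x
# addresses are documentation placeholders, not real hosts.
SAMPLE_ACCESS_LOG = """\
[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from 192.0.2.10 to 192.0.2.20
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:50.000000000 -0500] conn=1042 fd=74 slot=74 connection from 192.0.2.11 to 192.0.2.20
[14/Dec/2016:13:11:50.000100000 -0500] conn=1042 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:50.000200000 -0500] conn=1042 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:50.000300000 -0500] conn=1042 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=nobody)" attrs=ALL
[14/Dec/2016:13:11:50.000400000 -0500] conn=1042 op=2 RESULT err=32 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)")
EXT_RE = re.compile(r'^op=(?P<op>\d+) EXT oid="(?P<oid>[0-9.]+)"')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)")


def failed_extended_ops(log_text):
    """Return one dict per extended operation whose RESULT carried err != 0.

    EXT and RESULT are separate lines joined only by (conn, op), so each EXT
    is held as pending until the RESULT with the same key arrives. RESULTs
    of non-extended operations (BIND, SRCH, ...) are ignored."""
    peer = {}       # conn id -> client address from the "connection from" line
    pending = {}    # (conn, op) -> oid of an EXT still waiting for its RESULT
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        cm = CONN_RE.match(rest)
        if cm:
            peer[conn] = cm.group("src")
            continue
        em = EXT_RE.match(rest)
        if em:
            pending[(conn, em.group("op"))] = em.group("oid")
            continue
        rm = RESULT_RE.match(rest)
        if rm:
            oid = pending.pop((conn, rm.group("op")), None)
            err = int(rm.group("err"))
            if oid is not None and err != 0:
                failures.append({
                    "timestamp": m.group("ts"),
                    "conn": conn,
                    "op": rm.group("op"),
                    "client": peer.get(conn, "unknown"),
                    "oid": oid,
                    "oid_name": KNOWN_EXT_OIDS.get(oid, "unknown extended op"),
                    "err": err,
                    "err_name": RESULT_CODES.get(err, "see RFC 4511"),
                })
    return failures


def summarize(failures):
    """Collapse repeated retries into a count per (client, oid)."""
    counts = {}
    for f in failures:
        key = (f["client"], f["oid"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Against a live server this would read /var/log/dirsrv/slapd-DOMAIN/access.
    found = failed_extended_ops(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f"{f['timestamp']} conn={f['conn']} op={f['op']} client={f['client']} "
              f"{f['oid']} ({f['oid_name']}) -> err={f['err']} ({f['err_name']})")
    for (client, oid), n in summarize(found).items():
        print(f"{client} {oid}: {n} failure(s)")
```

In the constructed sample only conn=1040 is reported: its StartTLS request ended in err=2 (protocolError, the "unsupported extended operation" the client printed), whereas conn=1042 completed StartTLS with err=0 and its later err=32 belongs to a search, not an extended operation, so it is filtered out. Grouping by client address is what lets one tell a single misbehaving enrolling host apart from a server-side TLS problem that would hit every client.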