[Freeipa-users] Failed ipa-client-install with IPA Replica
beeth beeth
beeth2006 at gmail.com
Wed Dec 21 18:52:39 UTC 2016
Hi Flo,
First of all, thanks a lot for taking your time to reproduce the issue
from your end, you have been very helpful and you are the best!
Here's what I observed after some more tests:
1. In this case I used Entrust (www.entrust.com) certificate service, and
they provided root-G2-L1K certificate chain. In the /etc/ipa/ca.crt file on
the primary IPA server ipaprd1, I saw 3 certificates (root, G2 and L1K) as
the root chain. When I checked the ca.crt file on the RHEL6 IPA
client (called ipadev6), I only saw one certificate, the L1K one, which
didn't look right. So I followed your advice to remove it, then the
ipa-client-install could finish without the LDAP error. But after the
installation, I found the ca.crt file on such RHEL6 box still had only one
certificate (L1K). Meanwhile, when I checked the RHEL7 IPA client (called
ipadev7, which I mentioned before that it was always working), the
/etc/ipa/ca.crt file has 3 certificates, the complete root chain. I have no
clue why the IPA client installation on RHEL7 box is so smooth but not the
RHEL6 box, while they both enrolled with the exact same primary & replica
IPA server. The bug document you mentioned doesn't explain this.
2. During the client installation on ipadev6 (RHEL6 box), with ca.crt file
manually removed, I saw the following message:
A RA is not configured on the server. Not requesting host certificate.
The installation stuck there for about 3~4 minutes before it continued to
the next step, then it finished eventually with "Client configuration
complete". Any idea about such message?
Thanks!!
On Tue, Dec 20, 2016 at 9:43 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:
> On 12/16/2016 03:54 PM, Florence Blanc-Renaud wrote:
>
>> On 12/15/2016 08:01 PM, beeth beeth wrote:
>>
>>> Hi Flo,
>>>
>>> That's a good point! I checked the dirsrv certificate and confirmed
>>> valid(good until later next year).
>>> Since I had no problem to enroll another new IPA client(RHEL7 box
>>> instead of RHEL6) to such replica server, I thought it might not be a
>>> server end issue. However, when I tried to restart the DIRSRV service on
>>> the replica server, I found these messages in the log
>>> file /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors:
>>>
>>> [15/Dec/2016:13:38:15.891301246 -0500] 389-Directory/1.3.5.10 B2016.257.1817 starting up
>>> [15/Dec/2016:13:38:15.911777373 -0500] default_mr_indexer_create:
>>> warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
>>> [15/Dec/2016:13:38:15.926320306 -0500] WARNING: changelog: entry cache
>>> size 2097152 B is less than db size 5488640 B; We recommend to increase
>>> the entry cache size nsslapd-cachememsize.
>>> [15/Dec/2016:13:38:16.132155534 -0500] schema-compat-plugin - scheduled
>>> schema-compat-plugin tree scan in about 5 seconds after the server
>>> startup!
>>> [15/Dec/2016:13:38:16.167896279 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.173317345 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.178354342 -0500] NSACLPlugin - The ACL target
>>> cn=keys,cn=sec,cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.183579322 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.188786976 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.193275650 -0500] NSACLPlugin - The ACL target
>>> cn=groups,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.197580407 -0500] NSACLPlugin - The ACL target
>>> cn=computers,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.201863256 -0500] NSACLPlugin - The ACL target
>>> cn=ng,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.206318629 -0500] NSACLPlugin - The ACL target
>>> ou=sudoers,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.211559100 -0500] NSACLPlugin - The ACL target
>>> cn=users,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.216146819 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.220786596 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.225594942 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.229986749 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.234518367 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.238763121 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.243031116 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.247507984 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.252327210 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.259046910 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.263856581 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.269301704 -0500] NSACLPlugin - The ACL target
>>> cn=ad,cn=etc,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.283511408 -0500] NSACLPlugin - The ACL target
>>> cn=casigningcert
>>> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does
>>> not exist
>>> [15/Dec/2016:13:38:16.287853825 -0500] NSACLPlugin - The ACL target
>>> cn=casigningcert
>>> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does
>>> not exist
>>> [15/Dec/2016:13:38:16.395872649 -0500] NSACLPlugin - The ACL target
>>> cn=automember rebuild membership,cn=tasks,cn=config does not exist
>>> [15/Dec/2016:13:38:16.405404114 -0500] Skipping CoS Definition
>>> cn=Password Policy,cn=accounts,dc=ipa,dc=example,dc=com--no CoS
>>> Templates found, which should be added before the CoS Definition.
>>> [15/Dec/2016:13:38:16.463117873 -0500] set_krb5_creds - Could not get
>>> initial credentials for principal [ldap/ipaprd2.example.com at IPA.EXAMPLE.COM]
>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>>> [15/Dec/2016:13:38:16.471256279 -0500] schema-compat-plugin -
>>> schema-compat-plugin tree scan will start in about 5 seconds!
>>> [15/Dec/2016:13:38:16.479213976 -0500] slapd started. Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [15/Dec/2016:13:38:16.483683353 -0500] Listening on
>>> /var/run/slapd-IPA-EXAMPLE-COM.socket for LDAPI requests
>>> [15/Dec/2016:13:38:21.634319974 -0500] schema-compat-plugin - warning:
>>> no entries set up under ou=sudoers,dc=ipa,dc=example,dc=com
>>> [15/Dec/2016:13:38:21.639855161 -0500] schema-compat-plugin - warning:
>>> no entries set up under cn=ng, cn=compat,dc=ipa,dc=example,dc=com
>>> [15/Dec/2016:13:38:21.653406463 -0500] schema-compat-plugin - no RDN for
>>> cn=cdm_users,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com, unsetting
>>> domain/map/id
>>> "cn=compat,dc=ipa,dc=example,dc=com"/"cn=groups"/("cn=cdm_users,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com")
>>>
>>> [15/Dec/2016:13:38:21.714897614 -0500] schema-compat-plugin - warning:
>>> no entries set up under cn=computers, cn=compat,dc=ipa,dc=example,dc=com
>>> [15/Dec/2016:13:38:21.719933118 -0500] schema-compat-plugin - Finished
>>> plugin initialization.
>>> [15/Dec/2016:13:38:36.591969481 -0500] ipa-topology-plugin -
>>> ipa_topo_util_get_replica_conf: server configuration missing
>>> [15/Dec/2016:13:38:36.598683009 -0500] ipa-topology-plugin -
>>> ipa_topo_util_get_replica_conf: cannot create replica
>>>
>>> Any idea?
>>> BTW, everything ran well on IPA 4.2(server installation and client
>>> installation), as you once assisted me couple months ago, until we set
>>> up a new IPA environment with RHEL7.3 instead of RHEL7.2, then the IPA
>>> version changed from 4.2 to 4.4. Last time you guided me about the
>>> change since IPA 4.3, for the newly introduced domain level concept, and
>>> the way how the replica should be installed was changed too... Thanks
>>> again!
>>>
>>
>> Hi Beeth,
>>
>> I managed to reproduce your issue with IPA master installed without dns
>> and without integrated CA.
>>
>> Can you check on your RHEL 6 client if there is a file /etc/ipa/ca.crt?
>> If yes, check its content with
>> $ sudo openssl x509 -noout -text -in /etc/ipa/ca.crt
>> and compare with the CA certificate stored on the master or the replica
>> (at the same location /etc/ipa/ca.crt). The certificate should be the
>> one for the CA that signed your HTTPd and LDAP server certs (i.e. Verisign).
>>
>> If the certificate is different, it is probably a left-over CA
>> certificate corresponding to a previous installation. You can just
>> delete the file on the client and re-run ipa-client-install.
>>
>> Flo.
>>
>>
> To follow-up on this issue: it happens only in CA-less environment and
> when the client has an old /etc/ipa/ca.crt file.
>
> If the /etc/ipa/ca.crt file is present, the client installer connects to
> the IPA LDAP server using startTLS to perform basic checks (instead of
> using a simple ldap conn otherwise). But there is a bug in
> ipa-replica-install which does not set up startTLS on the LDAP replica (see
> ticket 6226 [1]).
>
> This explains why the issue does not happen if you specify only the master
> during ipa-client-install, or if your client does not have any
> /etc/ipa/ca.crt.
>
> Hope this clarifies,
> Flo
>
>
> [1] https://fedorahosted.org/freeipa/ticket/6226
>
>
>>> On Thu, Dec 15, 2016 at 10:52 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>>>
>>> On 12/14/2016 07:49 PM, beeth beeth wrote:
>>>
>>> Hi Flo,
>>>
>>> Thanks for the great hint! I reran the ipa-client-install on the
>>> rhel6
>>> box(ipadev6), and monitored the access log file you mentioned
>>> on the
>>> replica:
>>>
>>> # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>>>
>>> ( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )
>>>
>>> AFTER about 3 seconds, I saw these on the replica ipaprd2:
>>> [14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
>>> [14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
>>> [14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
>>> [14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
>>> [14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
>>> [14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
>>> [14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
>>> [14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
>>> [14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
>>> [14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1
>>> [14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND
>>> [14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1
>>>
>>> So I did see the err=2, and oid="1.3.6.1.4.1.1466.20037", I checked the
>>> oid and got:
>>>
>>> 1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)
>>>
>>> It looked to be related with TLS... please advise. Thanks!
>>>
>>>
>>> Hi,
>>>
>>> when the replica got installed, the installer must have configured
>>> the directory server for SSL and start TLS. I tend to suspect an
>>> expired certificate issue rather than a misconfiguration. Could you
>>> please check that dirsrv certificate is still valid?
>>>
>>> $ certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM/ -n Server-Cert
>>> |grep Not
>>> Not Before: Wed Dec 14 16:56:02 2016
>>> Not After : Sat Dec 15 16:56:02 2018
>>>
>>> If the certificate is still valid, you may want to read 389-ds
>>> How-To to make sure that SSL is properly setup:
>>>
>>> http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#deploy-the-settings
>>>
>>>
>>> Flo.
>>>
>>>
>>> On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>>>
>>> On 12/14/2016 01:08 PM, beeth beeth wrote:
>>>
>>> Thanks David. I installed both the master and replica IPA servers with
>>> third-party certificates (Verisign), but I doubt that could be the issue,
>>> because I had no problem running the same ipa-client-install command on a
>>> RHEL7 machine (of course, the --hostname used a different hostname of the
>>> server). And I had no problem running the ipa-client-install command with
>>> --server=<master> on such RHEL6 machine. So what could cause the LDAP
>>> communication to fail during the client enrollment with the replica? Is
>>> there a way I can troubleshoot this by running some commands? So far I
>>> did telnet to check the open ports, as well as run the ldapsearch
>>> towards the replica. Thanks again!
>>>
>>>
>>> On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <dkupka at redhat.com> wrote:
>>>
>>> On 13/12/16 05:44, beeth beeth wrote:
>>>
>>> I have two IPA servers ipaprd1.example.com and ipaprd2.example.com, running
>>> ipa 4.4 on RHEL7. When I tried to install/configure the client on a RHEL6
>>> system (called ipadev6), I had an issue when I tried to enroll it with the
>>> replica (ipaprd2), while no issue with the primary (ipaprd1):
>>>
>>> # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
>>> LDAP Error: Protocol error: unsupported extended operation
>>> Autodiscovery of servers for failover cannot work with this configuration.
>>> If you proceed with the installation, services will be configured to always
>>> access the discovered server for all operations and will not fail over to
>>> other servers in case of failure.
>>> Proceed with fixed values and no DNS discovery? [no]
>>>
>>> Then I tried to run ipa-client-install to enroll with the replica (ipaprd2),
>>> with debug mode, I got this:
>>>
>>> # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>>>
>>> /usr/sbin/ipa-client-install was invoked with options:
>>> {'domain': 'ipa.example.com', 'force': False, 'realm_name': None,
>>> 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False,
>>> 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master':
>>> False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,
>>> 'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False,
>>> 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts':
>>> 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join':
>>> False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'],
>>> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
>>> False, 'uninstall': False}
>>> missing options might be asked for interactively later
>>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>> [IPA Discovery]
>>> Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>>> Server and domain forced
>>> [Kerberos realm search]
>>> Search DNS for TXT record of _kerberos.ipa.example.com.
>>> No DNS record found
>>> Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>>> No DNS record found
>>> SRV record for KDC not found! Domain: ipa.example.com
>>> [LDAP server check]
>>> Verifying that ipaprd2.example.com (realm None) is an IPA server
>>> Init LDAP connection with: ldap://ipaprd2.example.com:389
>>> LDAP Error: Protocol error: unsupported extended operation
>>> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>>> Validated servers:
>>> will use discovered domain: ipa.example.com
>>> IPA Server not found
>>> [IPA Discovery]
>>> Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>>> Server and domain forced
>>> [Kerberos realm search]
>>> Search DNS for TXT record of _kerberos.ipa.example.com.
>>> No DNS record found
>>> Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>>> No DNS record found
>>> SRV record for KDC not found! Domain: ipa.example.com
>>> [LDAP server check]
>>> Verifying that ipaprd2.example.com (realm None) is an IPA server
>>> Init LDAP connection with: ldap://ipaprd2.example.com:389
>>> LDAP Error: Protocol error: unsupported extended operation
>>> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>>> Validated servers:
>>> Failed to verify that ipaprd2.example.com is an IPA Server.
>>> This may mean that the remote server is not up or is not reachable due to
>>> network or firewall settings.
>>> Please make sure the following ports are opened in the firewall settings:
>>> TCP: 80, 88, 389
>>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>> Also note that following ports are necessary for ipa-client working
>>> properly after enrollment:
>>> TCP: 464
>>> UDP: 464, 123 (if NTP enabled)
>>> (ipaprd2.example.com: Provided as option)
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>>
>>> I double checked the services running on the replica, all looked well:
>>> ports are listening, and I could telnet the ports from the
>>> client (ipadev6). I could run "ldapsearch" command to talk to the
>>> replica (ipaprd2) from this client (ipadev6), pulling out all the LDAP
>>> records.
>>>
>>> Also, I have another test box running RHEL7, and no issue at all to run the
>>> exact same ipa-client-install command on that RHEL7 box. So could there be
>>> a bug on the ipa-client software on RHEL6, to talk to IPA server running
>>> on RHEL7? Please advise. Thank you!
>>>
>>> Hi Beeth,
>>>
>>> you may want to check the access and errors log of the Directory Server in
>>> /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the
>>> access log with the tag "EXT oid=...", but a failing operation related to
>>> unsupported extended operation will probably log a "RESULT err=2".
>>>
>>> So I would first check access log and look for such a failure. With the OID
>>> we will be able to understand which operation is failing and which part
>>> could be misconfigured.
>>>
>>> HTH,
>>> Flo.
>>>
>>> Best regards,
>>> Beeth
>>>
>>>
>>>
>>> Hello Beeth,
>>> I've tried to reproduce the problem you described
>>> with 7.3
>>> (ipa-server 4.4.0-12) on master and replica and 6.9
>>> (ipa-client
>>> 3.0.0-51) on client and it worked for me as expected.
>>> I've done these steps:
>>> [master] # ipa-server-install -a Secret123 -p
>>> Secret123 --domain
>>> example.test --realm EXAMPLE.TEST --setup-dns
>>> --auto-forwarders -U
>>> [replica] # ipa-client-install -p admin -w Secret123
>>> --domain
>>> example.test --server master.example.test -U
>>> [replica] # ipa-replica-install
>>> [client] # ipa-client-install -p admin -w Secret123
>>> --domain
>>> example.test --server replica.example.test -U
>>> [client] # id admin
>>>
>>> Is there anything you've done differently?
>>>
>>> --
>>> David Kupka
>>>
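Two checks fall out of the thread: Flo's explanation that, when /etc/ipa/ca.crt exists, the client installer opens a StartTLS connection to the LDAP server (which the replica had not been set up for, per ticket 6226), and Beeth's access-log excerpt where the StartTLS request (EXT oid="1.3.6.1.4.1.1466.20037") is answered with RESULT err=2, LDAP protocolError, which the client prints as "Protocol error: unsupported extended operation". The script below is an added example, not code from this thread or from FreeIPA. It correlates EXT and RESULT lines by conn= and op= so that unrelated err=2 results and successful StartTLS handshakes are not reported, and it counts the certificates in a PEM bundle so the client's ca.crt can be compared with the master's. SAMPLE_LOG and SAMPLE_BUNDLE are constructed inputs in the shape of the thread's output; the bundle's base64 bodies are placeholders, so only the count is meaningful for it. The two live helpers (pem_cert_chain, ldap_starttls_ok) need openssl, ldapsearch and a real server and are not run on the samples.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): offline checks for
# the two symptoms discussed above. SAMPLE_LOG and SAMPLE_BUNDLE are constructed.

# Print the conn= id of every 389-ds access-log connection whose StartTLS
# extended request (OID 1.3.6.1.4.1.1466.20037) got RESULT err=2 (protocolError).
# Reads the access log on stdin. EXT and RESULT lines are matched by conn= and
# op=, so an err=2 on some other operation, or a StartTLS that succeeded
# (err=0), is not reported.
starttls_failures() {
    awk '
        function field(prefix,   i) {
            for (i = 1; i <= NF; i++) if (index($i, prefix) == 1) return $i
            return ""
        }
        / EXT oid="1\.3\.6\.1\.4\.1\.1466\.20037"/ {
            pending[field("conn=") " " field("op=")] = 1
        }
        / RESULT err=2 / {
            key = field("conn=") " " field("op=")
            if (key in pending) print substr(field("conn="), 6)
        }
    '
}

# Count the certificates in a PEM bundle such as /etc/ipa/ca.crt (stdin).
# Run it on the client and on the master: a client whose file holds fewer
# entries than the master's is carrying a stale or partial bundle.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# Subject/issuer of every certificate in a real PEM bundle (needs openssl).
pem_cert_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Live check that an LDAP server accepts StartTLS. -ZZ makes ldapsearch fail
# instead of silently continuing in clear text when the server refuses it.
# The issuer of the server cert must be trusted via TLS_CACERT in
# /etc/openldap/ldap.conf for the handshake to complete.
ldap_starttls_ok() {
    ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base 1.1 >/dev/null 2>&1
}

# Constructed sample: two failed StartTLS (1040, 1041), one successful (1042),
# and an err=2 on a search (1043) that must not be reported.
SAMPLE_LOG='[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:42.000000000 -0500] conn=1042 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:42.000100000 -0500] conn=1042 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:43.000000000 -0500] conn=1043 op=0 SRCH base="dc=ipa,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[14/Dec/2016:13:11:43.000100000 -0500] conn=1043 op=0 RESULT err=2 tag=101 nentries=0 etime=0'

# Constructed three-entry bundle (placeholder bodies, structure only).
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderG2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderL1K
-----END CERTIFICATE-----'

# Stand-alone run: prints 1040 and 1041, then 3.
printf '%s\n' "$SAMPLE_LOG" | starttls_failures
printf '%s\n' "$SAMPLE_BUNDLE" | pem_cert_count
```

Against a real deployment, feed the replica's /var/log/dirsrv/slapd-REALM/access to starttls_failures, and run pem_cert_count on /etc/ipa/ca.crt on both the client and the master; a mismatch is the situation Flo describes, and ldap_starttls_ok against the replica tells you whether StartTLS itself is the part that is missing.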