[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

bahan w bahanw042014 at gmail.com
Wed Jan 20 15:03:58 UTC 2016


Re Martin.

Here is the ipaclient-install.log:

###
2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': '<MYDOMAIN>', 'force': False, 'realm_name':
'<MYREALM>', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': 'admin', 'hostname': '<FQDN IPA CLIENT>', 'no_ac':
False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
False, 'force_join': False, 'ca_cert_file': None, 'server': ['<FQDN IPA
SERVER>'], 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
later
2016-01-20T14:55:48Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-01-20T14:55:48Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=<MYDOMAIN>,
servers=['<FQDN IPA SERVER>'], hostname=<FQDN IPA CLIENT>
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
_kerberos.<MYDOMAIN>.
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that <FQDN IPA SERVER> (realm None) is
an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://<FQDN IPA
SERVER>:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
dc=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
server=None, domain=<MYDOMAIN>, kdc=None, basedn=<domainoftheservers>
2016-01-20T14:55:48Z DEBUG Validated servers: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
discovery
2016-01-20T14:55:48Z DEBUG will use provided server: <FQDN IPA SERVER>
2016-01-20T14:55:48Z DEBUG will use discovered realm: <MYDOMAIN>
2016-01-20T14:55:48Z ERROR The provided realm name [<MYREALM>] does not
match discovered one [<MYDOMAIN>]
2016-01-20T14:55:48Z DEBUG (<MYDOMAIN>: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
###

Best regards.

Bahan

On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek <mkosek at redhat.com> wrote:

> Adding freeipa-users back, so that others can benefit from the answer.
>
> Can you please attach a full ipaclient-install.log DEBUG log somewhere so that
> we can get the full context of the bug? You may also want to open a RHEL-6
> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maintained
> in RHEL-6.x.
>
> Thanks,
> Martin
>
> On 01/20/2016 01:39 PM, bahan w wrote:
> > Hello Martin !
> >
> > Thanks for your answer, Martin !
> >
> > I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately I
> > still have the same error message.
> >
> > # rpm -qa | grep ipa-client
> > ipa-client-3.0.0-47.el6.x86_64
> >
> > And in ipa-client-install.log :
> > ###
> > 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> > 2016-01-20T12:38:14Z DEBUG Verifying that <fqdn ipa server> (realm None) is
> > an IPA server
> > 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap://<fqdn ipa
> > server>:389
> > 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> > ###
> >
> > Best regards.
> >
> > Bahan
> >
> >
> > On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek <mkosek at redhat.com> wrote:
> >
> >> On 01/20/2016 12:08 PM, bahan w wrote:
> >>> Hello !
> >>>
> >>> I send you this mail because of the following topic.
> >>>
> >>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> >>> access for security reasons.
> >>>
> >>> But now, I have a problem when I try to enroll a new host.
> >>>
> >>> Here is the command I try :
> >>> ###
> >>> ipa-client-install --domain=<mydomain> --realm=<myrealm> --server=<fqdn
> >>> ipaserver> --principal=admin --password=<PASSWORD FOR IPA ADMIN>
> >>> --mkhomedir  --hostname=<fqdn server> --no-ntp --no-ssh --no-sshd
> >>> --unattended
> >>> ###
> >>>
> >>> And here is the error message :
> >>> ###
> >>> 2016-01-20T11:06:44Z DEBUG Verifying that <fqdn ipaserver> (realm None) is
> >>> an IPA server
> >>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://<fqdn ipa
> >>> server>:389
> >>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> >>> ###
> >>>
> >>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
> >>> disabled ?
> >>>
> >>> Best regards.
> >>>
> >>> Bahan
> >>
> >> Hello,
> >>
> >> This looks like
> >> https://bugzilla.redhat.com/show_bug.cgi?id=922843
> >>
> >> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
> >> later).
> >>
> >> HTH,
> >> Martin
> >>
> >>
> >
>
>
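
The failure chain visible in the log above (anonymous bind rejected, realm then assumed from the domain, provided realm rejected as a mismatch) can be extracted from an ipaclient-install.log mechanically. This is an added example, not part of the original thread or of FreeIPA; the function names are hypothetical and the sample lines are constructed from the messages quoted in this post.

```python
import re

# Constructed sample: messages copied from the log quoted in this post,
# including the mail-client wrapping that splits one record over two lines.
SAMPLE_LOG = """\
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: <MYDOMAIN>
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
server=None, domain=<MYDOMAIN>, kdc=None, basedn=<domainoftheservers>
2016-01-20T14:55:48Z ERROR The provided realm name [<MYREALM>] does not
match discovered one [<MYDOMAIN>]
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
"""

RECORD_START = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR) (.*)$")


def parse_records(text):
    """Return (timestamp, level, message) tuples, re-joining wrapped lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][2] += " " + line.strip()  # continuation of previous record
    return [tuple(r) for r in records]


def triage(text):
    """Summarise why discovery failed, using only messages seen in the log."""
    finding = {"anonymous_bind_rejected": False, "discovery_result": None,
               "realm_assumed": False, "realm_mismatch": None, "failed": False}
    for _ts, level, msg in parse_records(text):
        if msg == "LDAP Error: Anonymous access not allowed":
            finding["anonymous_bind_rejected"] = True
        elif msg.startswith("Discovery result: "):
            finding["discovery_result"] = msg[len("Discovery result: "):].split(";")[0]
        elif msg.startswith("Assuming realm is the same as domain"):
            finding["realm_assumed"] = True
        elif level == "ERROR" and msg.startswith("The provided realm name"):
            finding["realm_mismatch"] = tuple(re.findall(r"\[([^\]]*)\]", msg))
        elif level == "ERROR" and msg.startswith("Installation failed"):
            finding["failed"] = True
    return finding


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When `anonymous_bind_rejected` and `realm_assumed` are both set, the realm in `realm_mismatch` was guessed from the domain name rather than read from the server, which is the situation this thread describes.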