[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

Martin Kosek mkosek at redhat.com
Wed Jan 20 15:26:16 UTC 2016


On 01/20/2016 04:03 PM, bahan w wrote:
> Re Martin.
> 
> Here we are for the ipaclient-install.log :
> 
> ###
> 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': '<MYDOMAIN>', 'force': False, 'realm_name':
> '<MYREALM>', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
> True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
> False, 'principal': 'admin', 'hostname': '<FQDN IPA CLIENT>', 'no_ac':
> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
> False, 'force_join': False, 'ca_cert_file': None, 'server': ['<FQDN IPA
> SERVER>'], 'prompt_password': False, 'permit': False, 'debug': True,
> 'preserve_sssd': False, 'uninstall': False}
> 2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
> later
> 2016-01-20T14:55:48Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2016-01-20T14:55:48Z DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2016-01-20T14:55:48Z DEBUG [IPA Discovery]
> 2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=<MYDOMAIN>,
> servers=['<FQDN IPA SERVER>'], hostname=<FQDN IPA CLIENT>
> 2016-01-20T14:55:48Z DEBUG Server and domain forced
> 2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
> 2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
> _kerberos.<MYDOMAIN>.
> 2016-01-20T14:55:48Z DEBUG No DNS record found
> 2016-01-20T14:55:48Z DEBUG [LDAP server check]
> 2016-01-20T14:55:48Z DEBUG Verifying that <FQDN IPA SERVER> (realm None) is
> an IPA server
> 2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://<FQDN IPA
> SERVER>:389
> 2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
> 2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: <MYDOMAIN>
> 2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
> dc=<domainoftheservers>
> 2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
> server=None, domain=<MYDOMAIN>, kdc=None, basedn=<domainoftheservers>
> 2016-01-20T14:55:48Z DEBUG Validated servers: <FQDN IPA SERVER>
> 2016-01-20T14:55:48Z DEBUG will use discovered domain: <MYDOMAIN>
> 2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
> discovery
> 2016-01-20T14:55:48Z DEBUG will use provided server: <FQDN IPA SERVER>
> 2016-01-20T14:55:48Z DEBUG will use discovered realm: <MYDOMAIN>
> 2016-01-20T14:55:48Z ERROR The provided realm name [<MYREALM>] does not
> match discovered one [<MYDOMAIN>]

Well, I think the line above is the key to the problem. The realm you provided
and the one discovered do not match.

> 2016-01-20T14:55:48Z DEBUG (<MYDOMAIN>: Assumed same as domain)
> 2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
> 2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
> ###
> 
> Best regards.
> 
> Bahan
> 
> On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> Adding freeipa-users back, so that others can benefit from the answer.
>>
>> Can you please attach a full ipaclient-install.log DEBUG log somewhere so that
>> we can get the full context of the bug? You may also want to open a RHEL-6
>> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maintained
>> in RHEL-6.x.
>>
>> Thanks,
>> Martin
>>
>> On 01/20/2016 01:39 PM, bahan w wrote:
>>> Hello Martin !
>>>
>>> Thanks for your answer, Martin !
>>>
>>> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately I
>>> still have the same error message.
>>>
>>> # rpm -qa | grep ipa-client
>>> ipa-client-3.0.0-47.el6.x86_64
>>>
>>> And in ipa-client-install.log :
>>> ###
>>> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
>>> 2016-01-20T12:38:14Z DEBUG Verifying that <fqdn ipa server> (realm None) is
>>> an IPA server
>>> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap://<fqdn ipa
>>> server>:389
>>> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>>> On 01/20/2016 12:08 PM, bahan w wrote:
>>>>> Hello !
>>>>>
>>>>> I send you this mail because of the following topic.
>>>>>
>>>>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
>>>>> access for security reasons.
>>>>>
>>>>> But now, I have a problem when I try to enroll a new host.
>>>>>
>>>>> Here is the command I try :
>>>>> ###
>>>>> ipa-client-install --domain=<mydomain> --realm=<myrealm> --server=<fqdn
>>>>> ipaserver> --principal=admin --password=<PASSWORD FOR IPA ADMIN>
>>>>> --mkhomedir  --hostname=<fqdn server> --no-ntp --no-ssh --no-sshd
>>>>> --unattended
>>>>> ###
>>>>>
>>>>> And here is the error message :
>>>>> ###
>>>>> 2016-01-20T11:06:44Z DEBUG Verifying that <fqdn ipaserver> (realm None) is
>>>>> an IPA server
>>>>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://<fqdn ipa
>>>>> server>:389
>>>>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
>>>>> ###
>>>>>
>>>>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
>>>>> disabled ?
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>
>>>> Hello,
>>>>
>>>> This looks like
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=922843
>>>>
>>>> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
>>>> later).
>>>>
>>>> HTH,
>>>> Martin
>>>>
>>>>
>>>
>>
>>
> 
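
An added example, not part of the original thread and not FreeIPA code: a triage of an ipaclient-install.log like the one quoted above, reporting whether the "discovered" realm in the mismatch error was read from LDAP or only assumed from the domain after the anonymous bind was refused. The sample log and the names example.test and CORP.EXAMPLE.TEST are constructed placeholders.

```python
import re

# Constructed sample modelled on the log quoted in the thread: placeholder
# names, with records hard-wrapped and mail-quoted as they appear in the archive.
SAMPLE_LOG = """\
> 2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
> 2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: example.test
> 2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
> server=None, domain=example.test, kdc=None, basedn=dc=example,dc=test
> 2016-01-20T14:55:48Z ERROR The provided realm name [CORP.EXAMPLE.TEST] does not
> match discovered one [example.test]
"""

RECORD = re.compile(r"^\S+Z (?:DEBUG|INFO|WARNING|ERROR) (.*)$")
PATTERNS = {
    "anonymous_denied": re.compile(r"LDAP Error: Anonymous access not allowed"),
    "assumed_realm": re.compile(r"Assuming realm is the same as domain: (\S+)"),
    "discovery": re.compile(r"Discovery result: (\w+);"),
    "mismatch": re.compile(r"provided realm name \[(.+?)\] does not match discovered one \[(.+?)\]"),
}

def records(text):
    """Strip mail quote markers and rejoin hard-wrapped continuation lines."""
    out = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = RECORD.match(line)
        if m:
            out.append(m.group(1))
        elif line and not line.startswith("#") and out:
            out[-1] += " " + line  # continuation of the previous record
    return out

def triage(text):
    """Collect the discovery facts; realm_was_assumed is True when the
    'discovered' realm is the domain-name fallback, not an LDAP answer."""
    found = {}
    for msg in records(text):
        for key, rx in PATTERNS.items():
            m = rx.search(msg)
            if m and key not in found:
                found[key] = m.groups() or True
    provided, discovered = found.get("mismatch", (None, None))
    assumed = found.get("assumed_realm", (None,))[0]
    return {
        "anonymous_denied": bool(found.get("anonymous_denied")),
        "discovery": found.get("discovery", (None,))[0],
        "provided_realm": provided,
        "discovered_realm": discovered,
        "realm_was_assumed": assumed is not None and assumed == discovered,
    }
```

Calling `triage(open("/var/log/ipaclient-install.log").read())` on a client gives the same summary for a real log; the path is the usual location and is an assumption here.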



