[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

Martin Kosek mkosek at redhat.com
Thu Jan 21 07:21:19 UTC 2016


On 01/20/2016 05:55 PM, bahan w wrote:
> Ah sorry, for security reasons I didn't want to put the original name and I
> made a mistake.
> 
> Here we are, for the confusing lines:
> ###
> Assuming realm is the same as domain: <MYDOMAIN>
> Generated basedn from realm: dc=<mydomain>
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=<mydomain>,
> kdc=None, basedn=dc=<mydomain>
> Validated servers: <fqdn ipa server>
> will use discovered domain: <mydomain>
> Using servers from command line, disabling DNS discovery
> will use provided server: <fqdn ipa server>
> will use discovered realm: <MYDOMAIN>
> The provided realm name [<MYREALM>] does not match discovered one
> [<MYDOMAIN>]
> (<MYDOMAIN>: Assumed same as domain)
> Installation failed. Rolling back changes
> IPA client is not configured on this system.
> ###
> 
> Is it more clear? Sorry again for the confusion.
> 
> I use a realm which is different than the domain.

Ah, I see. I think you just found a bug. The problem is that given the server
is not reachable, the realm is calculated based on the domain and then rejected
as it is different from the option. In this case, ipa-client-install should
just accept the realm passed to the script. It is a very specific condition, but
we should be able to fix that easily.

I filed a bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1300561

We will need to think if there is a workaround for you until the fix is delivered.



