[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

Martin Kosek mkosek at redhat.com
Thu Jan 21 14:37:33 UTC 2016


On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
> 
> Thank you for your answer.

Adding freeipa-users list back, so that others can follow the thread.

> Excuse me for my ignorance, but may you tell me how the bug and resolution
> work for FreeIPA ?

This is probably not something that would require its own upstream release; it
is too old a version, no longer developed upstream. It may rather be fixed
downstream, in RHEL (I cannot promise anything though).

I wonder, do RHEL-7.x clients work in your environment? RHEL-7.1+ should have
https://fedorahosted.org/freeipa/ticket/4444
applied which may fix the issue.

> Will there be a new release concerning IPA 3.0.0, or a patch to apply ?

There may be RHEL-6.x fix. If you have RHEL subscription, I would recommend
pointing your Support Representative to Bug 1300561 below, to get higher
priority for the bug.

> Best regards.
> 
> Bahan
> 
> 
> On Thu, Jan 21, 2016 at 8:21 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 01/20/2016 05:55 PM, bahan w wrote:
>>> Ah sorry, for security reasons I didn't want to put the original name and I
>>> made a mistake.
>>>
>>> Here we are, for the confusing lines :
>>> ###
>>> Assuming realm is the same as domain: <MYDOMAIN>
>>> Generated basedn from realm: dc=<mydomain>
>>> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=<mydomain>,
>>> kdc=None, basedn=dc=<mydomain>
>>> Validated servers: <fqdn ipa server>
>>> will use discovered domain: <mydomain>
>>> Using servers from command line, disabling DNS discovery
>>> will use provided server: <fqdn ipa server>
>>> will use discovered realm: <MYDOMAIN>
>>> The provided realm name [<MYREALM>] does not match discovered one
>>> [<MYDOMAIN>]
>>> (<MYDOMAIN>: Assumed same as domain)
>>> Installation failed. Rolling back changes
>>> IPA client is not configured on this system.
>>> ###
>>>
>>> Is it more clear ? Sorry again for the confusion.
>>>
>>> I use a realm which is different than the domain.
>>
>> Ah, I see. I think you just found a bug. The problem is that given the server
>> is not reachable, the realm is calculated based on the domain and then rejected
>> as it is different from the option. In this case, ipa-client-install should
>> just accept the realm passed to the script. It is a very specific condition, but
>> we should be able to fix that easily.
>>
>> I filed a bug:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1300561
>>
>> We will need to think if there is a workaround for you until the fix is
>> delivered.
>>
> 
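
Added example, not part of the original message and not FreeIPA code: a simplified Python model of the realm check discussed in the thread, showing the reported behaviour next to the behaviour the reply proposes. All function and class names are hypothetical, the domain and realm values in any call are constructed, and keeping a mismatch against a server-verified realm fatal is an assumption.

```python
# Simplified model of the realm check; not FreeIPA source, all names hypothetical.
from dataclasses import dataclass
from typing import Optional

NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"  # discovery result string seen in the log
VERIFIED = "VERIFIED"                    # assumed label for a realm read from the server


@dataclass
class Discovery:
    status: str
    realm: str

    @property
    def realm_is_guess(self) -> bool:
        return self.status == NO_ACCESS_TO_LDAP


def discover(domain: str, realm_from_server: Optional[str]) -> Discovery:
    """realm_from_server is None when the client could not read LDAP."""
    if realm_from_server is None:
        # "Assuming realm is the same as domain"
        return Discovery(NO_ACCESS_TO_LDAP, domain.upper())
    return Discovery(VERIFIED, realm_from_server)


def mismatch(provided: str, d: Discovery) -> ValueError:
    return ValueError(
        f"The provided realm name [{provided}] does not match "
        f"discovered one [{d.realm}]"
    )


def realm_as_reported(d: Discovery, provided: Optional[str]) -> str:
    """Behaviour in the log: any mismatch is fatal, even against a guess."""
    if provided and provided != d.realm:
        raise mismatch(provided, d)
    return d.realm


def realm_as_proposed(d: Discovery, provided: Optional[str]) -> str:
    """Behaviour proposed in the reply: a guessed realm never overrides --realm."""
    if provided and provided != d.realm:
        if d.realm_is_guess:
            return provided
        raise mismatch(provided, d)  # assumption: verified mismatch stays fatal
    return d.realm
```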