<div dir="ltr">Hi Flo,<div><br></div><div>First of all, thanks a lot for taking the time to reproduce the issue on your end; you have been very helpful and you are the best!</div><div><br></div><div>Here's what I observed after some more tests:</div><div><br></div><div>1. In this case I used the Entrust (<a href="http://www.entrust.com">www.entrust.com</a>) certificate service, and they provided a root-G2-L1K certificate chain. In the /etc/ipa/ca.crt file on the primary IPA server ipaprd1, I saw 3 certificates (root, G2 and L1K) as the root chain. When I checked the ca.crt file on the RHEL6 IPA client (called ipadev6), I only saw one certificate, the L1K one, which didn't look right. So I followed your advice to remove it, and then ipa-client-install could finish without the LDAP error. But after the installation, I found the ca.crt file on that RHEL6 box still had only one certificate (L1K). Meanwhile, when I checked the RHEL7 IPA client (called ipadev7, which I mentioned before was always working), the /etc/ipa/ca.crt file has 3 certificates, the complete root chain. I have no clue why the IPA client installation on the RHEL7 box is so smooth but not on the RHEL6 box, while they both enrolled with the exact same primary &amp; replica IPA servers. The bug document you mentioned doesn't explain this.</div><div><br></div><div>2. During the client installation on ipadev6 (RHEL6 box), with the ca.crt file manually removed, I saw the following message:</div><div><br></div><div>A RA is not configured on the server. Not requesting host certificate.<br></div><div><br></div><div>The installation was stuck there for about 3~4 minutes before it continued to the next step, then it finished eventually with "Client configuration complete". 
Any idea about such message?</div><div><br></div><div>Thanks!!</div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 20, 2016 at 9:43 AM, Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5">On 12/16/2016 03:54 PM, Florence Blanc-Renaud wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
On 12/15/2016 08:01 PM, beeth beeth wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi Flo,<br>
<br>
That's a good point! I checked the dirsrv certificate and confirmed it is<br>
valid (good until later next year).<br>
Since I had no problem enrolling another new IPA client (RHEL7 box<br>
instead of RHEL6) to such replica server, I thought it might not be a<br>
server end issue. However, when I tried to restart the DIRSRV service on<br>
the replica server, I found these messages in the log<br>
file /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors:<br>
<br>
[15/Dec/2016:13:38:15.891301246 -0500] 389-Directory/1.3.5.10 B2016.257.1817 starting up<br>
[15/Dec/2016:13:38:15.911777373 -0500] default_mr_indexer_create:<br>
warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match<br>
[15/Dec/2016:13:38:15.926320306 -0500] WARNING: changelog: entry cache<br>
size 2097152 B is less than db size 5488640 B; We recommend to increase<br>
the entry cache size nsslapd-cachememsize.<br>
[15/Dec/2016:13:38:16.132155534 -0500] schema-compat-plugin - scheduled<br>
schema-compat-plugin tree scan in about 5 seconds after the server<br>
startup!<br>
[15/Dec/2016:13:38:16.167896279 -0500] NSACLPlugin - The ACL target<br>
cn=dns,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.173317345 -0500] NSACLPlugin - The ACL target<br>
cn=dns,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.178354342 -0500] NSACLPlugin - The ACL target<br>
cn=keys,cn=sec,cn=dns,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.183579322 -0500] NSACLPlugin - The ACL target<br>
cn=dns,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.188786976 -0500] NSACLPlugin - The ACL target<br>
cn=dns,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.193275650 -0500] NSACLPlugin - The ACL target<br>
cn=groups,cn=compat,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.197580407 -0500] NSACLPlugin - The ACL target<br>
cn=computers,cn=compat,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.201863256 -0500] NSACLPlugin - The ACL target<br>
cn=ng,cn=compat,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.206318629 -0500] NSACLPlugin - The ACL target<br>
ou=sudoers,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.211559100 -0500] NSACLPlugin - The ACL target<br>
cn=users,cn=compat,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.216146819 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.220786596 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.225594942 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.229986749 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.234518367 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.238763121 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.243031116 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.247507984 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.252327210 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.259046910 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.263856581 -0500] NSACLPlugin - The ACL target<br>
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.269301704 -0500] NSACLPlugin - The ACL target<br>
cn=ad,cn=etc,dc=ipa,dc=example,dc=com does not exist<br>
[15/Dec/2016:13:38:16.283511408 -0500] NSACLPlugin - The ACL target<br>
cn=casigningcert<br>
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does<br>
not exist<br>
[15/Dec/2016:13:38:16.287853825 -0500] NSACLPlugin - The ACL target<br>
cn=casigningcert<br>
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does<br>
not exist<br>
[15/Dec/2016:13:38:16.395872649 -0500] NSACLPlugin - The ACL target<br>
cn=automember rebuild membership,cn=tasks,cn=config does not exist<br>
[15/Dec/2016:13:38:16.405404114 -0500] Skipping CoS Definition<br>
cn=Password Policy,cn=accounts,dc=ipa,dc=example,dc=com--no CoS<br>
Templates found, which should be added before the CoS Definition.<br>
[15/Dec/2016:13:38:16.463117873 -0500] set_krb5_creds - Could not get<br>
initial credentials for principal<br>
[ldap/ipaprd2.example.com@IPA.EXAMPLE.COM] in keytab<br>
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))<br>
[15/Dec/2016:13:38:16.471256279 -0500] schema-compat-plugin -<br>
schema-compat-plugin tree scan will start in about 5 seconds!<br>
[15/Dec/2016:13:38:16.479213976 -0500] slapd started.  Listening on All<br>
Interfaces port 389 for LDAP requests<br>
[15/Dec/2016:13:38:16.483683353 -0500] Listening on<br>
/var/run/slapd-IPA-EXAMPLE-COM.socket for LDAPI requests<br>
[15/Dec/2016:13:38:21.634319974 -0500] schema-compat-plugin - warning:<br>
no entries set up under ou=sudoers,dc=ipa,dc=example,dc=com<br>
[15/Dec/2016:13:38:21.639855161 -0500] schema-compat-plugin - warning:<br>
no entries set up under cn=ng, cn=compat,dc=ipa,dc=example,dc=com<br>
[15/Dec/2016:13:38:21.653406463 -0500] schema-compat-plugin - no RDN for<br>
cn=cdm_users,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com, unsetting<br>
domain/map/id<br>
"cn=compat,dc=ipa,dc=example,dc=com"/"cn=groups"/("cn=cdm_users,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com")<br>
<br>
[15/Dec/2016:13:38:21.714897614 -0500] schema-compat-plugin - warning:<br>
no entries set up under cn=computers, cn=compat,dc=ipa,dc=example,dc=com<br>
[15/Dec/2016:13:38:21.719933118 -0500] schema-compat-plugin - Finished<br>
plugin initialization.<br>
[15/Dec/2016:13:38:36.591969481 -0500] ipa-topology-plugin -<br>
ipa_topo_util_get_replica_conf: server configuration missing<br>
[15/Dec/2016:13:38:36.598683009 -0500] ipa-topology-plugin -<br>
ipa_topo_util_get_replica_conf: cannot create replica<br>
<br>
Any idea?<br>
BTW, everything ran well on IPA 4.2 (server installation and client<br>
installation), as you once assisted me a couple of months ago, until we set<br>
up a new IPA environment with RHEL7.3 instead of RHEL7.2, and then the IPA<br>
version changed from 4.2 to 4.4. Last time you guided me about the<br>
change since IPA 4.3, for the newly introduced domain level concept, and<br>
the way the replica should be installed was changed too... Thanks<br>
again!<br>
<br>
</blockquote>
Hi Beeth,<br>
<br>
I managed to reproduce your issue with IPA master installed without dns<br>
and without integrated CA.<br>
<br>
Can you check on your RHEL 6 client if there is a file /etc/ipa/ca.crt?<br>
If yes, check its content with<br>
$ sudo openssl x509 -noout -text -in /etc/ipa/ca.crt<br>
and compare with the CA certificate stored on the master or the replica<br>
(at the same location /etc/ipa/ca.crt). The certificate should be the<br>
one for the CA that signed your HTTPd and LDAP server certs (i.e. Verisign).<br>
<br>
If the certificate is different, it is probably a left-over CA<br>
certificate corresponding to a previous installation. You can just<br>
delete the file on the client and re-run ipa-client-install.<br>
<br>
Flo.<br>
<br>
</blockquote>
<br></div></div>
To follow up on this issue: it happens only in a CA-less environment and when the client has an old /etc/ipa/ca.crt file.<br>
<br>
If the /etc/ipa/ca.crt file is present, the client installer connects to the IPA LDAP server using startTLS to perform basic checks (instead of using a simple ldap conn otherwise). But there is a bug in ipa-replica-install which does not set up startTLS on the LDAP replica (see ticket 6226 [1]).<br>
<br>
This explains why the issue does not happen if you specify only the master during ipa-client-install, or if your client does not have any /etc/ipa/ca.crt.<br>
<br>
Hope this clarifies,<br>
Flo<br>
<br>
<br>
[1] <a href="https://fedorahosted.org/freeipa/ticket/6226" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/6226</a><div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
    On Thu, Dec 15, 2016 at 10:52 AM, Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>> wrote:<br>
<br>
    On 12/14/2016 07:49 PM, beeth beeth wrote:<br>
<br>
        Hi Flo,<br>
<br>
        Thanks for the great hint! I reran the ipa-client-install on the<br>
        RHEL6 box (ipadev6), and monitored the access log file you mentioned<br>
        on the replica:<br>
<br>
        # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d<br>
<br>
        ( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on<br>
        RHEL6 )<br>
<br>
        AFTER about 3 seconds, I saw these on the replica ipaprd2:<br>
        [14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73<br>
        connection from <IP of ipadev6> to <IP of ipaprd2><br>
        [14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT<br>
        oid="1.3.6.1.4.1.1466.20037"<br>
        [14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2<br>
        tag=120 nentries=0 etime=0<br>
        [14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND<br>
        [14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73<br>
        closed - U1<br>
        [14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73<br>
        connection from <IP of ipadev6> to <IP of ipaprd2><br>
        [14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT<br>
        oid="1.3.6.1.4.1.1466.20037"<br>
        [14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2<br>
        tag=120 nentries=0 etime=0<br>
        [14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND<br>
        [14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73<br>
        closed - U1<br>
        [14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND<br>
        [14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66<br>
        closed - U1<br>
<br>
        So I did see the err=2, and oid="1.3.6.1.4.1.1466.20037". I checked the<br>
        oid and got:<br>
<br>
        1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)<br>
<br>
        It looked to be related with TLS... please advise. Thanks!<br>
<br>
<br>
    Hi,<br>
<br>
    when the replica got installed, the installer must have configured<br>
    the directory server for SSL and start TLS. I tend to suspect an<br>
    expired certificate issue rather than a misconfiguration. Could you<br>
    please check that dirsrv certificate is still valid?<br>
<br>
    $ certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM/ -n Server-Cert | grep Not<br>
                Not Before: Wed Dec 14 16:56:02 2016<br>
                Not After : Sat Dec 15 16:56:02 2018<br>
<br>
    If the certificate is still valid, you may want to read 389-ds<br>
    How-To to make sure that SSL is properly setup:<br>
<br>
<a href="http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#deploy-the-settings" rel="noreferrer" target="_blank">http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#deploy-the-settings</a><br>
<br>
<br>
    Flo.<br>
<br>
<br>
        On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud<br>
        <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>> wrote:<br>
<br>
            On 12/14/2016 01:08 PM, beeth beeth wrote:<br>
<br>
                Thanks David. I installed both the master and replica IPA<br>
                servers with third-party certificates (Verisign), but I doubt<br>
                that could be the issue, because I had no problem running the<br>
                same ipa-client-install command on a RHEL7 machine (of course,<br>
                the --hostname used a different hostname of the server). And I<br>
                had no problem running the ipa-client-install command with<br>
                --server=<master> on such RHEL6 machine. So what could cause<br>
                the LDAP communication to fail during the client enrollment<br>
                with the replica? Is there a way I can troubleshoot this by<br>
                running some commands? So far I did telnet to check the open<br>
                ports, as well as run the ldapsearch towards the replica.<br>
                Thanks again!<br>
<br>
<br>
                On Tue, Dec 13, 2016 at 8:46 AM, David Kupka<br>
                <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>> wrote:<br>
<br>
                    On 13/12/16 05:44, beeth beeth wrote:<br>
<br>
                        I have two IPA servers ipaprd1.example.com and<br>
                        ipaprd2.example.com, running ipa 4.4 on RHEL7. When I<br>
                        tried to install/configure the client on a RHEL6<br>
                        system (called ipadev6), I had an issue when I tried to<br>
                        enroll it with the replica (ipaprd2), while no issue<br>
                        with the primary (ipaprd1):<br>
<br>
                        # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com<br>
                        LDAP Error: Protocol error: unsupported extended operation<br>
                        Autodiscovery of servers for failover cannot work with this configuration.<br>
                        If you proceed with the installation, services will be configured to always<br>
                        access the discovered server for all operations and will not fail over to<br>
                        other servers in case of failure.<br>
                        Proceed with fixed values and no DNS discovery? [no]<br>
<br>
                        Then I tried to run ipa-client-install to enroll with the<br>
                        replica (ipaprd2), with debug mode, and I got this:<br>
<br>
                        # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d<br>
<br>
                        /usr/sbin/ipa-client-install was invoked with options:<br>
                        {'domain': 'ipa.example.com', 'force': False, 'realm_name': None,<br>
                        'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False,<br>
                        'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master':<br>
                        False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False,<br>
                        'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False,<br>
                        'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts':<br>
                        5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join':<br>
                        False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'],<br>
                        'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':<br>
                        False, 'uninstall': False}<br>
                        missing options might be asked for interactively later<br>
                        Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'<br>
                        Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'<br>
                        [IPA Discovery]<br>
                        Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com<br>
                        Server and domain forced<br>
                        [Kerberos realm search]<br>
                        Search DNS for TXT record of _kerberos.ipa.example.com.<br>
                        No DNS record found<br>
                        Search DNS for SRV record of _kerberos._udp.ipa.example.com.<br>
                        No DNS record found<br>
                        SRV record for KDC not found! Domain: ipa.example.com<br>
                        [LDAP server check]<br>
                        Verifying that ipaprd2.example.com (realm None) is an IPA server<br>
                        Init LDAP connection with: ldap://ipaprd2.example.com:389<br>
                        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a><br>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>><br>
                <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a><br>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>>>><br>
                        LDAP Error: Protocol error: unsupported extended<br>
        operation<br>
                        Discovery result: UNKNOWN_ERROR; server=None,<br>
                        domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>,<br>
                        kdc=None, basedn=None<br>
                        Validated servers:<br>
                        will use discovered domain: <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a><br>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                        IPA Server not found<br>
                        [IPA Discovery]<br>
                        Starting IPA discovery with<br>
        domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>, servers=['<br>
                        <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
                <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>']<wbr>,<br>
                        hostname=<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">ipadev6.example.com</a><br>
        <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><br>
                <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>> <<a href="http://ipadev6.example.com" rel="noreferrer" target="_blank">http://ipadev6.example.com</a>><br>
                        Server and domain forced<br>
                        [Kerberos realm search]<br>
                        Search DNS for TXT record of<br>
        _<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">kerberos.ipa.example.com</a> <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>><br>
                <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a><br>
        <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>>><br>
                        <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a><br>
        <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>><br>
                <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a><br>
        <<a href="http://kerberos.ipa.example.com" rel="noreferrer" target="_blank">http://kerberos.ipa.example.c<wbr>om</a>>>>.<br>
                        No DNS record found<br>
                        Search DNS for SRV record of<br>
                _kerberos._<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">udp.ipa.example.com</a><br>
        <<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>> <<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>><br>
                        <<a href="http://udp.ipa.example.com" rel="noreferrer" target="_blank">http://udp.ipa.example.com</a>>.<br>
                        No DNS record found<br>
                        SRV record for KDC not found! Domain:<br>
        <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                        [LDAP server check]<br>
                        Verifying that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
                <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
                        (realm None) is an IPA server<br>
                        Init LDAP connection with:<br>
                ldap://<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">ipaprd2.example.com:389</a><br>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>> <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a><br>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>>><br>
                        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a><br>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>><br>
                <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a><br>
        <<a href="http://ipaprd2.example.com:389" rel="noreferrer" target="_blank">http://ipaprd2.example.com:38<wbr>9</a>>>><br>
                        LDAP Error: Protocol error: unsupported extended<br>
        operation<br>
                        Discovery result: UNKNOWN_ERROR; server=None,<br>
                        domain=<a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
        <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>><br>
                <<a href="http://ipa.example.com" rel="noreferrer" target="_blank">http://ipa.example.com</a>>,<br>
                        kdc=None, basedn=None<br>
                        Validated servers:<br>
                        Failed to verify that <a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
                <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
                        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>> is an IPA Server.<br>
                        This may mean that the remote server is not up<br>
        or is not<br>
                        reachable due to<br>
                        network or firewall settings.<br>
                        Please make sure the following ports are opened<br>
        in the<br>
                firewall<br>
                        settings:<br>
                             TCP: 80, 88, 389<br>
                             UDP: 88 (at least one of TCP/UDP ports 88<br>
        has to be<br>
                open)<br>
                        Also note that following ports are necessary for<br>
                ipa-client working<br>
                        properly after enrollment:<br>
                             TCP: 464<br>
                             UDP: 464, 123 (if NTP enabled)<br>
                        (<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">ipaprd2.example.com</a><br>
        <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>> <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>><br>
                <<a href="http://ipaprd2.example.com" rel="noreferrer" target="_blank">http://ipaprd2.example.com</a>>: Provided as<br>
                        option)<br>
                        Installation failed. Rolling back changes.<br>
                        IPA client is not configured on this system.<br>
<br>
<br>
I double checked the services running on the replica, all looked well: ports are listening, and I could telnet to the ports from the client (ipadev6). I could run the "ldapsearch" command to talk to the replica (ipaprd2) from this client (ipadev6), and it pulled out all the LDAP records.<br>
<br>
Also, I have another test box running RHEL7, and there is no issue at all running the exact same ipa-client-install command on that RHEL7 box. So could there be a bug in the ipa-client software on RHEL6 when talking to an IPA server running on RHEL7? Please advise. Thank you!<br>
<br>
Hi Beeth,<br>
<br>
you may want to check the access and errors logs of the Directory Server in /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the access log with the tag "EXT oid=...", but a failing operation related to an unsupported extended operation will probably log a "RESULT err=2".<br>
<br>
So I would first check the access log and look for such a failure. With the OID we will be able to understand which operation is failing and which part could be misconfigured.<br>
<br>
HTH,<br>
Flo.<br>
<br>
                        Best regards,<br>
                        Beeth<br>
<br>
<br>
<br>
Hello Beeth,<br>
I've tried to reproduce the problem you described with 7.3 (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client 3.0.0-51) on client and it worked for me as expected.<br>
I've done these steps:<br>
[master] # ipa-server-install -a Secret123 -p Secret123 --domain example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U<br>
[replica] # ipa-client-install -p admin -w Secret123 --domain example.test --server master.example.test -U<br>
[replica] # ipa-replica-install<br>
[client] # ipa-client-install -p admin -w Secret123 --domain example.test --server replica.example.test -U<br>
[client] # id admin<br>
<br>
Is there anything you've done differently?<br>
<br>
--<br>
David Kupka<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div></div></div>
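Flo's suggestion in the thread is to find the failing extended operation in the Directory Server access log by pairing the "EXT oid=..." line with the "RESULT err=2" line of the same operation. The script below is an added example that does that pairing automatically; it is not code from the FreeIPA project or from anyone in the thread. It assumes the 389-ds access-log layout (a "conn=N fd=... connection from A to B" line per connection, then "conn=N op=M EXT oid=..." and "conn=N op=M RESULT err=E ..." lines), which is what Directory Server writes under /var/log/dirsrv/slapd-DOMAIN/access. The embedded log lines are constructed sample data; the OIDs and addresses in them are illustrative and are not the OID that actually failed in the thread, which the thread does not identify.

```python
"""Pair EXT and RESULT lines in a 389-ds access log to report which
extended operation failed, with its OID and the client that sent it.

Added example, not FreeIPA project code. Assumes the 389-ds access-log
format; run against a real log with:  python3 ext_failures.py /var/log/dirsrv/slapd-DOMAIN/access
"""
import re
import sys

# Constructed sample log (not from the thread): conn=12 has an extended
# operation rejected with err=2 (protocolError); conn=13 has one succeed.
SAMPLE_ACCESS_LOG = """\
[20/Dec/2016:10:15:30 +0100] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 198.51.100.5
[20/Dec/2016:10:15:30 +0100] conn=12 op=0 BIND dn="" method=128 version=3
[20/Dec/2016:10:15:30 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[20/Dec/2016:10:15:30 +0100] conn=12 op=1 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[20/Dec/2016:10:15:30 +0100] conn=12 op=1 RESULT err=2 tag=120 nentries=0 etime=0
[20/Dec/2016:10:15:30 +0100] conn=12 op=2 UNBIND
[20/Dec/2016:10:15:30 +0100] conn=12 op=2 fd=64 closed - U1
[20/Dec/2016:10:15:31 +0100] conn=13 fd=65 slot=65 connection from 192.0.2.11 to 198.51.100.5
[20/Dec/2016:10:15:31 +0100] conn=13 op=0 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
[20/Dec/2016:10:15:31 +0100] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""

# Connection open line: records which peer address owns a conn number.
CONN_RE = re.compile(
    r'conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<peer>\S+) to')
# Extended-operation request line, tagged EXT with the requested OID.
EXT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) EXT oid="(?P<oid>[^"]+)"(?: name="(?P<name>[^"]*)")?')
# Result line for any operation; conn/op pairs it with the request.
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

LDAP_PROTOCOL_ERROR = 2  # LDAP resultCode protocolError, logged as err=2


def failed_extended_ops(log_text, err_codes=(LDAP_PROTOCOL_ERROR,)):
    """Return one dict per extended operation whose RESULT err is in err_codes.

    Each dict carries conn, op, oid, name, peer (None if the connection
    line is not in the scanned text, e.g. after log rotation) and err.
    """
    peers = {}     # conn -> peer address
    pending = {}   # (conn, op) -> (oid, name) awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            peers[m.group('conn')] = m.group('peer')
            continue
        m = EXT_RE.search(line)
        if m:
            pending[(m.group('conn'), m.group('op'))] = (m.group('oid'), m.group('name') or '')
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group('conn'), m.group('op'))
            if key not in pending:
                continue  # RESULT of a non-EXT operation (bind, search, ...)
            oid, name = pending.pop(key)
            err = int(m.group('err'))
            if err in err_codes:
                findings.append({
                    'conn': int(key[0]), 'op': int(key[1]), 'oid': oid,
                    'name': name, 'peer': peers.get(key[0]), 'err': err,
                })
    return findings


def format_report(findings):
    """Render findings as one line each, suitable for pasting into a reply."""
    if not findings:
        return 'no failing extended operations found'
    return '\n'.join(
        'conn=%(conn)d op=%(op)d err=%(err)d oid=%(oid)s name=%(name)s peer=%(peer)s' % f
        for f in findings)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        text = SAMPLE_ACCESS_LOG
    print(format_report(failed_extended_ops(text)))
```

Pass `err_codes=(2, 53)` to also catch unwillingToPerform, or `(0,)` to list the extended operations that succeeded, which tells you whether the server advertises the operation at all. The peer address lets you confirm that the err=2 entry really came from the RHEL6 client rather than from some other host talking to the replica.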