On 10/02/2012 08:48 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 09/26/2012 09:32 PM, Rob Crittenden wrote:
Tomas Babej wrote:
Hi,

Connection error message in ipa-client-install now warns the user
about the need of opening 389 port for directory server.

https://fedorahosted.org/freeipa/ticket/2816

I think this can be pushed as a one-liner.

I think we should list all ports that are required for client enrollment.

From my calculations we need at a minimum tcp ports 80 and 389, either
or both udp/tcp for port 88 and if NTP is enabled 123 udp for
enrollment alone. The NTP failure won't cause enrollment to fail
though, so we may be able to skip that.

Similarly 464 should be enabled but we don't use it during enrollment.

rob
I improved the error message. Please check if there are any issues.

Thanks

Tomas

This only works if port 389 is blocked, not 88 or 80.

rob
I tested and added the port configuration info message at the appropriate
places for TCP 80, 88, 389 ports. I also added the info message at the end
of installation output. Please consider if you agree with this approach.

Tomas
From 2601be3b4373d7449daedefbcad82f034efb266d Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 26 Sep 2012 08:52:50 -0400
Subject: [PATCH] Adds port to connection error message in ipa-client-install

Connection error message in ipa-client-install now warns the user
about the need of opening 389 port for directory server.

https://fedorahosted.org/freeipa/ticket/2816
---
 ipa-client/ipa-install/ipa-client-install | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ee8e5831866e1f5d960cbbca290606a944b0f357..e32c4979b0fd5decaf7bcb7022dc890782b33e3c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1248,6 +1248,17 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
         if not do_nsupdate(update_txt):
             root_logger.warning("Could not update DNS SSHFP records.")
 
+def print_port_conf_info():
+    root_logger.info(
+        "Please make sure the following ports are opened "
+        "in the firewall settings:\n"
+        "     TCP: 80, 88, 389\n"
+        "     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n"
+        "Also note that following ports are necessary for ipa-client "
+        "working properly after enrollment:\n"
+        "     TCP: 464\n"
+        "     UDP: 464, 123 (if NTP enabled)")
+
 def install(options, env, fstore, statestore):
     dnsok = False
 
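Review bot: The message in print_port_conf_info() does not say on which host the ports must be open. "opened in the firewall settings" can be read as an instruction to open inbound ports on the machine being enrolled; if the intent is ports on the IPA server that the client must be able to reach, say so explicitly. The TCP line also lists 88 as unconditionally required while the parenthetical on the UDP line says either transport is enough; a separate "TCP or UDP: 88" line would remove the contradiction. The helper has no docstring, and the commit message still mentions only port 389.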
@@ -1377,6 +1388,7 @@ def install(options, env, fstore, statestore):
 
     if ret == ipadiscovery.NOT_IPA_SERVER:
         root_logger.error("%s is not an IPA v2 Server.", cli_server[0])
+        print_port_conf_info()
         root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
         return CLIENT_INSTALL_ERROR
 
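Review bot: print_port_conf_info() logs through root_logger.info(), while the failure it explains, on the line above the call, is logged with root_logger.error(). Any handler that drops messages below warning level shows the failure without the hint. Consider giving the helper a level argument, or logging the hint at error level on failure paths such as this one.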
@@ -1390,8 +1402,9 @@ def install(options, env, fstore, statestore):
     if ret != 0:
         root_logger.error("Failed to verify that %s is an IPA Server.",
             cli_server[0])
-        root_logger.error("This may mean that the remote server is not up " +
+        root_logger.error("This may mean that the remote server is not up "
             "or is not reachable due to network or firewall settings.")
+        print_port_conf_info()
         root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
         return CLIENT_INSTALL_ERROR
 
@@ -1440,6 +1453,7 @@ def install(options, env, fstore, statestore):
             ret = ds.search(domain=cli_domain, server=server, hostname=hostname)
             if ret == ipadiscovery.NOT_IPA_SERVER:
                 root_logger.error("%s is not an IPA v2 Server.", server)
+                print_port_conf_info()
                 root_logger.debug("(%s: %s)", server, cli_server_source)
                 return CLIENT_INSTALL_ERROR
 
@@ -1519,7 +1533,8 @@ def install(options, env, fstore, statestore):
                 synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
             if not synced_ntp:
                 root_logger.warning("Unable to sync time with IPA NTP " +
-                    "server, assuming the time is in sync.")
+                    "server, assuming the time is in sync. Please check " +
+                    "that 123 UDP port is opened.")
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(
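Review bot: The two added lines keep the explicit " +" string concatenation that the hunk at line 1390 removes from the neighbouring message; use implicit concatenation here as well so the file stays consistent. "123 UDP port is opened" would read better as "UDP port 123 is open", and it repeats the NTP entry already present in print_port_conf_info().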
@@ -1573,6 +1588,7 @@ def install(options, env, fstore, statestore):
                 if returncode != 0:
                     root_logger.error("Kerberos authentication failed")
                     root_logger.info("%s", stdout)
+                    print_port_conf_info()
                     return CLIENT_INSTALL_ERROR
             elif options.password:
                 nolog = (options.password,)
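Review bot: The print_port_conf_info() call under "Kerberos authentication failed" runs for every non-zero returncode, whatever the cause. The stdout logged just above it may report a problem unrelated to connectivity, and the full port list then points the user at the firewall. Word the hint conditionally here ("if the server could not be contacted, ...") or restrict it to the Kerberos port 88.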
@@ -1869,6 +1885,10 @@ def install(options, env, fstore, statestore):
 
     root_logger.info('Client configuration complete.')
 
+    root_logger.info('='*30)
+    print_port_conf_info()
+    root_logger.info('='*30)
+
     return 0
 
 def main():
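Review bot: Calling print_port_conf_info() after 'Client configuration complete.' repeats "Please make sure the following ports are opened" for TCP 80, 88, 389 on the path that returns 0, so it appears on every successful run. A user following that text may open ports that did not need opening. On success, print only the second half of the message (464, and 123 if NTP is enabled), which means splitting the helper in two. The separator lines should also be written '=' * 30, with spaces around the operator.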
-- 
1.7.11.4
