On 04/06/2013 07:38 PM, Sigbjorn Lie wrote:
> Hi,
>
> I am trying to install the IPA client on a CentOS 6.4 host, however the auto
> discovery of the IPA server is failing, from what seems to be caused by my IPA
> servers having anonymous binds switched off.
>
> Is this expected behaviour?
>
>
> # rpm -qa|grep ^ipa|sort
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
>
>
> # ipa-client-install -U --domain=unix.nuexample.com --password='somepassword' --enable-dns-updates -d
> /usr/sbin/ipa-client-install was invoked with options: {'domain':
> 'unix.nuexample.com', 'force': False, 'krb5_offline_passwords': True,
> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
> 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None,
> 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': True,
> 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'realm_name': None,
> 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False,
> 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=unix.nuexample.com, servers=None,
> hostname=clienthost.unix.nuexample.com
> Search for LDAP SRV record in unix.nuexample.com
> Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
>
> DNS record found:
> DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
>
> DNS record found:
> DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
>
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.unix.nuexample.com.
> DNS record found:
> DNSResult::name:_kerberos.unix.nuexample.com.,type:16,class:1,rdata={data:UNIX.NUEXAMPLE.COM}
>
> Search DNS for SRV record of _kerberos._udp.unix.nuexample.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa02.unix.nuexample.com.}
>
> DNS record found:
> DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:88,weight:100,server:ipa03.unix.nuexample.com.}
>
> DNS record found:
> DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa01.unix.nuexample.com.}
>
> [LDAP server check]
> Verifying that ipa01.unix.nuexample.com (realm UNIX.NUEXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=unix,dc=nuexample,dc=com' is for IPA
> Naming context 'dc=unix,dc=nuexample,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=unix,dc=nuexample,dc=com (sub)
> LDAP Error: Anonymous access not allowed
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=unix.nuexample.com,
> kdc=ipa02.unix.nuexample.com,ipa03.unix.nuexample.com,ipa01.unix.nuexample.com,
> basedn=dc=unix,dc=nuexample,dc=com
> Validated servers: ipa01.unix.nuexample.com
> will use discovered domain: unix.nuexample.com
> IPA Server not found
> Unable to find IPA Server to join
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
>
>
> Regards,
> Siggi
>
Hello Sigbjorn,

This is caused by an unfortunate regression in the RHEL-6.4 client which emerges
when cn=config's nsslapd-allow-anonymous-access is set to "rootdse". This was
already fixed upstream (ticket 3519) and there is a bugzilla filed for RHEL-6.5:

https://bugzilla.redhat.com/show_bug.cgi?id=922843

If this is not satisfactory, you can contact your customer service and we will
look for alternative solutions for you.

Thanks,
Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
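One way to triage a discovery failure of this kind, as an added example that is not part of the thread or of FreeIPA itself: it parses the DNSResult:: SRV lines and the "Discovery result:" line from the -d output (the excerpt below is constructed, modelled on the log quoted above) and flags the anonymous-bind refusal so it is not mistaken for a DNS problem.

```python
import re

# Constructed excerpt modelled on the ipa-client-install -d output quoted in the thread.
SAMPLE_LOG = """\
Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
DNS record found:
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
DNS record found:
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found:
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
[LDAP server check]
Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=unix.nuexample.com,
"""

# type:33 is the DNS SRV record type; rdata is a brace-wrapped list of key:value pairs.
SRV_RE = re.compile(r"DNSResult::name:(?P<name>[^,]+),type:33,class:1,rdata=\{(?P<rdata>[^}]*)\}")
RESULT_RE = re.compile(r"^Discovery result: (?P<code>[A-Z_]+);", re.M)
ANON_DENIED = "LDAP Error: Anonymous access not allowed"


def parse_srv_records(log):
    """SRV answers in client try order: lowest priority, then highest weight, then hostname."""
    records = []
    for m in SRV_RE.finditer(log):
        f = dict(kv.split(":", 1) for kv in m.group("rdata").split(","))
        records.append({"name": m.group("name"), "server": f["server"].rstrip("."),
                        "port": int(f["port"]), "priority": int(f["priority"]),
                        "weight": int(f["weight"])})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"], r["server"]))


def triage(log):
    """Classify a failed run: DNS succeeded but the anonymous LDAP search was refused."""
    m = RESULT_RE.search(log)
    code = m.group("code") if m else "UNKNOWN"
    srv = parse_srv_records(log)
    anon_denied = ANON_DENIED in log
    if code == "NO_ACCESS_TO_LDAP" and anon_denied:
        hint = ("DNS discovery worked but the server refuses anonymous LDAP search; check "
                "nsslapd-allow-anonymous-access on cn=config ('rootdse' trips the el6_4 "
                "client regression, upstream ticket 3519 / bz 922843).")
    elif not srv:
        hint = "No _ldap._tcp SRV records found; fix DNS or pass --server explicitly."
    else:
        hint = "Discovery failed for another reason; inspect the [LDAP server check] step."
    return {"result": code, "ldap_servers": [r["server"] for r in srv],
            "anonymous_bind_denied": anon_denied, "hint": hint}
```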