Hi Flo,

First of all, thanks a lot for taking the time to reproduce the issue on your end. You have been very helpful and you are the best!

Here's what I observed after some more tests:

1. In this case I used the Entrust (www.entrust.com) certificate service, and they provided a root-G2-L1K certificate chain. In the /etc/ipa/ca.crt file on the primary IPA server ipaprd1, I saw 3 certificates (root, G2 and L1K) as the root chain. When I checked the ca.crt file on the RHEL6 IPA client (called ipadev6), I only saw one certificate, the L1K one, which didn't look right. So I followed your advice to remove it, and then ipa-client-install could finish without the LDAP error. But after the installation, I found the ca.crt file on that RHEL6 box still had only one certificate (L1K). Meanwhile, when I checked the RHEL7 IPA client (called ipadev7, which I mentioned before was always working), the /etc/ipa/ca.crt file has 3 certificates, the complete root chain. I have no clue why the IPA client installation on the RHEL7 box is so smooth but not on the RHEL6 box, while they both enrolled with the exact same primary & replica IPA servers. The bug document you mentioned doesn't explain this.

2. During the client installation on ipadev6 (the RHEL6 box), with the ca.crt file manually removed, I saw the following message:

A RA is not configured on the server. Not requesting host certificate.

The installation was stuck there for about 3~4 minutes before it continued to the next step, then it finished eventually with "Client configuration complete". Any idea about such a message?

Thanks!!

On Tue, Dec 20, 2016 at 9:43 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 12/16/2016 03:54 PM, Florence Blanc-Renaud wrote:
>> On 12/15/2016 08:01 PM, beeth beeth wrote:
>>> Hi Flo,
>>>
>>> That's a good point! I checked the dirsrv certificate and confirmed it is valid (good until later next year).
>>> Since I had no problem enrolling another new IPA client (a RHEL7 box instead of RHEL6) with that replica server, I thought it might not be a server-end issue.
>>> However, when I tried to restart the DIRSRV service on the replica server, I found these messages in the log file /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors:
>>>
>>> [15/Dec/2016:13:38:15.891301246 -0500] 389-Directory/1.3.5.10 B2016.257.1817 starting up
>>> [15/Dec/2016:13:38:15.911777373 -0500] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
>>> [15/Dec/2016:13:38:15.926320306 -0500] WARNING: changelog: entry cache size 2097152 B is less than db size 5488640 B; We recommend to increase the entry cache size nsslapd-cachememsize.
>>> [15/Dec/2016:13:38:16.132155534 -0500] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
>>> [15/Dec/2016:13:38:16.167896279 -0500] NSACLPlugin - The ACL target cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.173317345 -0500] NSACLPlugin - The ACL target cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.178354342 -0500] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.183579322 -0500] NSACLPlugin - The ACL target cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.188786976 -0500] NSACLPlugin - The ACL target cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.193275650 -0500] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.197580407 -0500] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.201863256 -0500] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.206318629 -0500] NSACLPlugin - The ACL target ou=sudoers,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.211559100 -0500] NSACLPlugin - The ACL target cn=users,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.216146819 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.220786596 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.225594942 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.229986749 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.234518367 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.238763121 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.243031116 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.247507984 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.252327210 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.259046910 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.263856581 -0500] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.269301704 -0500] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.283511408 -0500] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.287853825 -0500] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.395872649 -0500] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
>>> [15/Dec/2016:13:38:16.405404114 -0500] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>>> [15/Dec/2016:13:38:16.463117873 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/ipaprd2.example....@ipa.example.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>>> [15/Dec/2016:13:38:16.471256279 -0500] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>> [15/Dec/2016:13:38:16.479213976 -0500] slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [15/Dec/2016:13:38:16.483683353 -0500] Listening on /var/run/slapd-IPA-EXAMPLE-COM.socket for LDAPI requests
>>> [15/Dec/2016:13:38:21.634319974 -0500] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ipa,dc=example,dc=com
>>> [15/Dec/2016:13:38:21.639855161 -0500] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ipa,dc=example,dc=com
>>> [15/Dec/2016:13:38:21.653406463 -0500] schema-compat-plugin - no RDN for cn=cdm_users,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com, unsetting domain/map/id "cn=compat,dc=ipa,dc=example,dc=com"/"cn=groups"/("cn=cdm_users,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com")
>>> [15/Dec/2016:13:38:21.714897614 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=example,dc=com
>>> [15/Dec/2016:13:38:21.719933118 -0500] schema-compat-plugin - Finished plugin initialization.
>>> [15/Dec/2016:13:38:36.591969481 -0500] ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
>>> [15/Dec/2016:13:38:36.598683009 -0500] ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
>>>
>>> Any idea?
>>> BTW, everything ran well on IPA 4.2 (server installation and client installation), as you once assisted me a couple of months ago, until we set up a new IPA environment with RHEL7.3 instead of RHEL7.2, and then the IPA version changed from 4.2 to 4.4. Last time you guided me about the change since IPA 4.3, for the newly introduced domain level concept, and the way the replica should be installed was changed too... Thanks again!
>>>
>> Hi Beeth,
>>
>> I managed to reproduce your issue with IPA master installed without dns and without integrated CA.
>>
>> Can you check on your RHEL 6 client if there is a file /etc/ipa/ca.crt?
>> If yes, check its content with
>> $ sudo openssl x509 -noout -text -in /etc/ipa/ca.crt
>> and compare with the CA certificate stored on the master or the replica (at the same location /etc/ipa/ca.crt). The certificate should be the one for the CA that signed your HTTPd and LDAP server certs (ie Verisign).
>>
>> If the certificate is different, it is probably a left-over CA certificate corresponding to a previous installation. You can just delete the file on the client and re-run ipa-client-install.
>>
>> Flo.
>>
>
> To follow-up on this issue: it happens only in CA-less environment and when the client has an old /etc/ipa/ca.crt file.
>
> If the /etc/ipa/ca.crt file is present, the client installer connects to the IPA LDAP server using startTLS to perform basic checks (instead of using a simple ldap conn otherwise). But there is a bug in ipa-replica-install which does not set up startTLS on the LDAP replica (see ticket 6226 [1]).
>
> This explains why the issue does not happen if you specify only the master during ipa-client-install, or if your client does not have any /etc/ipa/ca.crt.
>
> Hope this clarifies,
> Flo
>
> [1] https://fedorahosted.org/freeipa/ticket/6226
>
>>> On Thu, Dec 15, 2016 at 10:52 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>
>>> On 12/14/2016 07:49 PM, beeth beeth wrote:
>>>
>>> Hi Flo,
>>>
>>> Thanks for the great hint! I reran the ipa-client-install on the rhel6 box (ipadev6), and monitored the access log file you mentioned on the replica:
>>>
>>> # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>>>
>>> ( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )
>>>
>>> AFTER about 3 seconds, I saw these on the replica ipaprd2:
>>> [14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
>>> [14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
>>> [14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
>>> [14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
>>> [14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
>>> [14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
>>> [14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
>>> [14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
>>> [14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
>>> [14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1
>>> [14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND
>>> [14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1
>>>
>>> So I did see the err=2, and oid="1.3.6.1.4.1.1466.20037". I checked the oid and got:
>>>
>>> 1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)
>>>
>>> It looked to be related to TLS... please advise. Thanks!
>>>
>>> Hi,
>>>
>>> when the replica got installed, the installer must have configured the directory server for SSL and start TLS. I tend to suspect an expired certificate issue rather than a misconfiguration. Could you please check that dirsrv certificate is still valid?
>>>
>>> $ certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM/ -n Server-Cert |grep Not
>>> Not Before: Wed Dec 14 16:56:02 2016
>>> Not After : Sat Dec 15 16:56:02 2018
>>>
>>> If the certificate is still valid, you may want to read 389-ds How-To to make sure that SSL is properly setup:
>>> http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#deploy-the-settings
>>>
>>> Flo.
>>>
>>> On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>
>>> On 12/14/2016 01:08 PM, beeth beeth wrote:
>>>
>>> Thanks David. I installed both the master and replica IPA servers with third-party certificates (Verisign), but I doubt that could be the issue, because I had no problem running the same ipa-client-install command on a RHEL7 machine (of course, the --hostname used a different hostname of the server). And I had no problem running the ipa-client-install command with --server=<master> on that RHEL6 machine. So what could cause the LDAP communication to fail during the client enrollment with the replica? Is there a way I can troubleshoot this by running some commands? So far I did telnet to check the open ports, as well as run ldapsearch towards the replica. Thanks again!
>>>
>>> On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <dku...@redhat.com> wrote:
>>>
>>> On 13/12/16 05:44, beeth beeth wrote:
>>>
>>> I have two IPA servers ipaprd1.example.com and ipaprd2.example.com, running ipa 4.4 on RHEL7. When I tried to install/configure the client on a RHEL6 system (called ipadev6), I had an issue when I tried to enroll it with the replica (ipaprd2), while no issue with the primary (ipaprd1):
>>>
>>> # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
>>> LDAP Error: Protocol error: unsupported extended operation
>>> Autodiscovery of servers for failover cannot work with this configuration.
>>> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>>> Proceed with fixed values and no DNS discovery? [no]
>>>
>>> Then I tried to run ipa-client-install to enroll with the replica (ipaprd2) in debug mode, and I got this:
>>>
>>> # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>>>
>>> /usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.example.com', 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>>> missing options might be asked for interactively later
>>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>> [IPA Discovery]
>>> Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>>> Server and domain forced
>>> [Kerberos realm search]
>>> Search DNS for TXT record of _kerberos.ipa.example.com.
>>> No DNS record found
>>> Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>>> No DNS record found
>>> SRV record for KDC not found! Domain: ipa.example.com
>>> [LDAP server check]
>>> Verifying that ipaprd2.example.com (realm None) is an IPA server
>>> Init LDAP connection with: ldap://ipaprd2.example.com:389
>>> LDAP Error: Protocol error: unsupported extended operation
>>> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>>> Validated servers:
>>> will use discovered domain: ipa.example.com
>>> IPA Server not found
>>> [IPA Discovery]
>>> Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>>> Server and domain forced
>>> [Kerberos realm search]
>>> Search DNS for TXT record of _kerberos.ipa.example.com.
>>> No DNS record found
>>> Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>>> No DNS record found
>>> SRV record for KDC not found! Domain: ipa.example.com
>>> [LDAP server check]
>>> Verifying that ipaprd2.example.com (realm None) is an IPA server
>>> Init LDAP connection with: ldap://ipaprd2.example.com:389
>>> LDAP Error: Protocol error: unsupported extended operation
>>> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>>> Validated servers:
>>> Failed to verify that ipaprd2.example.com is an IPA Server.
>>> This may mean that the remote server is not up or is not reachable due to network or firewall settings.
>>> Please make sure the following ports are opened in the firewall settings:
>>>     TCP: 80, 88, 389
>>>     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>>>     TCP: 464
>>>     UDP: 464, 123 (if NTP enabled)
>>> (ipaprd2.example.com: Provided as option)
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> I double checked the services running on the replica, and all looked well: ports are listening, and I could telnet to the ports from the client (ipadev6). I could run the "ldapsearch" command to talk to the replica (ipaprd2) from this client (ipadev6), pulling out all the LDAP records.
>>>
>>> Also, I have another test box running RHEL7, and there was no issue at all running the exact same ipa-client-install command on that RHEL7 box. So could there be a bug in the ipa-client software on RHEL6 when talking to an IPA server running on RHEL7? Please advise. Thank you!
>>>
>>> Hi Beeth,
>>>
>>> you may want to check the access and errors log of the Directory Server in /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the access log with the tag "EXT oid=...", but a failing operation related to unsupported extended operation will probably log a "RESULT err=2".
>>>
>>> So I would first check the access log and look for such a failure. With the OID we will be able to understand which operation is failing and which part could be misconfigured.
>>>
>>> HTH,
>>> Flo.
>>>
>>> Best regards,
>>> Beeth
>>>
>>> Hello Beeth,
>>> I've tried to reproduce the problem you described with 7.3 (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client 3.0.0-51) on client and it worked for me as expected.
>>> I've done these steps:
>>> [master] # ipa-server-install -a Secret123 -p Secret123 --domain example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U
>>> [replica] # ipa-client-install -p admin -w Secret123 --domain example.test --server master.example.test -U
>>> [replica] # ipa-replica-install
>>> [client] # ipa-client-install -p admin -w Secret123 --domain example.test --server replica.example.test -U
>>> [client] # id admin
>>>
>>> Is there anything you've done differently?
>>>
>>> --
>>> David Kupka
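The access-log check Flo suggests in the thread above (look for "EXT oid=..." followed by "RESULT err=2" on the same conn/op) can be scripted so it is not missed in a busy log. The following Python is an added example written for this page; it is not code from the thread or from the FreeIPA project. It pairs every extended-operation request with its result by (conn, op), names the OID and result code from the RFC tables, and reports the ones that did not return err=0. The log lines embedded in it are constructed to match the 389-ds access-log format quoted above (TEST-NET addresses stand in for the real hosts, and the conn=1042 exchange with err=0 is invented to show what a working StartTLS looks like next to the failing ones).

```python
import re
from collections import Counter

# Extended-operation OIDs this check knows by name. StartTLS is the one the
# thread is about; the others are listed so unrelated EXT failures get named too.
EXTOP_NAMES = {
    "1.3.6.1.4.1.1466.20037": "StartTLS",          # RFC 4511 section 4.14
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify",  # RFC 3062
    "1.3.6.1.4.1.4203.1.11.3": "Who am I?",        # RFC 4532
}

# LDAP resultCode values (RFC 4511 section 4.1.9). err=2 (protocolError) is
# what the quoted access log shows for the StartTLS request, and what the
# client printed as "Protocol error: unsupported extended operation".
RESULT_NAMES = {0: "success", 2: "protocolError", 52: "unavailable",
                53: "unwillingToPerform"}

_TS = r"^\[(?P<ts>[^\]]+)\] "
CONN_RE = re.compile(_TS + r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
                     r"connection from (?P<src>.+?) to (?P<dst>.+)$")
EXT_RE = re.compile(_TS + r"conn=(?P<conn>\d+) op=(?P<op>\d+) "
                    r"EXT oid=\"(?P<oid>[\d.]+)\"")
RESULT_RE = re.compile(_TS + r"conn=(?P<conn>\d+) op=(?P<op>\d+) "
                       r"RESULT err=(?P<err>\d+)")


def find_failed_extops(lines):
    """Return one record per extended operation whose RESULT was not err=0.

    The access log interleaves connections, so requests are remembered by
    (conn, op) until the matching RESULT line shows up; the connection's
    source address is kept so the report says which client was affected."""
    sources = {}   # conn -> source address
    pending = {}   # (conn, op) -> oid of an EXT request awaiting its RESULT
    failures = []
    for line in lines:
        line = line.rstrip("\n")
        m = CONN_RE.match(line)
        if m:
            sources[m["conn"]] = m["src"]
            continue
        m = EXT_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m["oid"]
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            oid = pending.pop((m["conn"], m["op"]))
            err = int(m["err"])
            if err == 0:
                continue
            failures.append({
                "ts": m["ts"], "conn": m["conn"], "op": m["op"],
                "src": sources.get(m["conn"], "?"),
                "oid": oid, "name": EXTOP_NAMES.get(oid, "unknown"),
                "err": err, "err_name": RESULT_NAMES.get(err, "unknown"),
            })
    return failures


def summarize(failures):
    """Count failures per (operation, result code, client address)."""
    return Counter((f["name"], f["err_name"], f["src"]) for f in failures)


# Constructed sample in 389-ds access-log format (not a real capture).
SAMPLE_ACCESS_LOG = """\
[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from 192.0.2.10 to 192.0.2.20
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from 192.0.2.10 to 192.0.2.20
[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
[14/Dec/2016:13:11:42.000000000 -0500] conn=1042 fd=74 slot=74 connection from 192.0.2.11 to 192.0.2.20
[14/Dec/2016:13:11:42.000100000 -0500] conn=1042 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:42.000200000 -0500] conn=1042 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:42.000300000 -0500] conn=1042 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
"""

if __name__ == "__main__":
    import sys
    # Usage: python extop_check.py /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/access
    # (assumed invocation; with no argument the constructed sample is used)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG.splitlines()
    found = find_failed_extops(lines)
    for f in found:
        print(f"{f['ts']} conn={f['conn']} from {f['src']}: "
              f"{f['name']} ({f['oid']}) -> err={f['err']} {f['err_name']}")
    for (name, err_name, src), n in summarize(found).items():
        print(f"{n} x {name} {err_name} from {src}")
```

Run against the replica's access log this prints the two failed StartTLS requests from the RHEL6 client and nothing for a client whose StartTLS succeeded, which is the distinction Flo's follow-up draws between a replica that has StartTLS set up and one that does not.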
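Point 1 of the message at the top (three certificates in /etc/ipa/ca.crt on the server, only one on the RHEL6 client) is easy to miss with the `openssl x509 -noout -text` check suggested in the thread, because `openssl x509` reads only the first certificate in a PEM file. The following Python is an added example for this page, not code from the thread or from FreeIPA: it fingerprints every certificate in a bundle with SHA-256 over the decoded DER and reports which ones the client copy lacks. The two bundles embedded in it are placeholders (base64 of short labels, not real certificates) constructed to reproduce the 3-versus-1 situation; on real hosts you would feed it the /etc/ipa/ca.crt files copied from the server and the client.

```python
import base64
import hashlib
import re
import textwrap

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def pem_fingerprints(bundle_text):
    """SHA-256 fingerprint (hex) of each certificate in a PEM bundle, in file
    order. The digest is taken over the decoded DER bytes, so re-wrapping the
    base64 text or changing line endings does not change the result."""
    fingerprints = []
    for body in PEM_CERT_RE.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def diff_bundles(server_pem, client_pem):
    """Compare the CA bundle on the IPA server with the copy on a client."""
    server = pem_fingerprints(server_pem)
    client = pem_fingerprints(client_pem)
    return {
        "server_count": len(server),
        "client_count": len(client),
        "missing_on_client": [fp for fp in server if fp not in client],
        "unexpected_on_client": [fp for fp in client if fp not in server],
    }


def _placeholder_cert(label, width=64):
    """Constructed PEM block whose body is base64 of a short label.
    It is NOT a real certificate; only the block structure matters here."""
    b64 = base64.b64encode(("placeholder:" + label).encode()).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, width))
            + "\n-----END CERTIFICATE-----\n")


# Assumed contents mirroring the message above: root, G2 and L1K on the
# server; only L1K on the RHEL6 client. The client copy is re-wrapped at a
# narrower width so a textual diff of the files would mislead while the
# DER fingerprint still matches.
SAMPLE_SERVER_CA_CRT = (_placeholder_cert("Entrust Root")
                        + _placeholder_cert("Entrust G2")
                        + _placeholder_cert("Entrust L1K"))
SAMPLE_CLIENT_CA_CRT = _placeholder_cert("Entrust L1K", width=16)


def report(server_pem, client_pem):
    """Human-readable summary of diff_bundles(), returned as lines."""
    r = diff_bundles(server_pem, client_pem)
    lines = [f"server bundle: {r['server_count']} cert(s), "
             f"client bundle: {r['client_count']} cert(s)"]
    lines += [f"missing on client: {fp}" for fp in r["missing_on_client"]]
    lines += [f"unexpected on client: {fp}" for fp in r["unexpected_on_client"]]
    if not r["missing_on_client"] and not r["unexpected_on_client"]:
        lines.append("bundles match")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python ca_bundle_diff.py server-ca.crt client-ca.crt
    # (assumed invocation; with no arguments the constructed samples are used)
    if len(sys.argv) == 3:
        server_pem = open(sys.argv[1]).read()
        client_pem = open(sys.argv[2]).read()
    else:
        server_pem, client_pem = SAMPLE_SERVER_CA_CRT, SAMPLE_CLIENT_CA_CRT
    print("\n".join(report(server_pem, client_pem)))
```

For a single certificate, `openssl x509 -noout -fingerprint -sha256 -in one-cert.pem` prints the same digest (colon-separated) as `pem_fingerprints()`, so the two can be cross-checked; to split a bundle into single certificates first, `csplit` on the BEGIN line or the regex above both work. Whether the missing intermediates matter depends on what the LDAP server sends in its handshake, so a client that shows the same one-certificate file after a successful re-enrollment, as in point 1 above, is worth comparing against the replica's NSS database listing (`certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM/`) as well.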
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project