Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
>
> Thank you for your answer.

Adding freeipa-users list back, so that others can follow the thread.

> Excuse me for my ignorance, but may you tell me how the bug and resolution
> work for FreeIPA ?

This is probably not something that would require own upstream release, it is too old version no longer developed upstream. It may be rather fixed downstream, in RHEL (I cannot promise anything though).

I wonder, do RHEL-7.x clients work in your environment? RHEL-7.1+ should have
https://fedorahosted.org/freeipa/ticket/
applied which may fix the issue.

> Will there be a new release concerning IPA 3.0.0, or a patch to apply ?

There may be RHEL-6.x fix. If you have RHEL subscription, I would recommend pointing your Support Representative to Bug 1300561 below, to get higher priority for the bug.

> Best regards.
>
> Bahan
>
>
> On Thu, Jan 21, 2016 at 8:21 AM, Martin Kosek wrote:
>
>> On 01/20/2016 05:55 PM, bahan w wrote:
>>> Ah sorry, for security reasons I didn't want to put the original name
>> and I
>>> made a mistake.
>>>
>>> Here we are, for the confusing lines :
>>> ###
>>> Assuming realm is the same as domain:
>>> Generated basedn from realm: dc=
>>> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
>>> kdc=None, basedn=dc=
>>> Validated servers:
>>> will use discovered domain:
>>> Using servers from command line, disabling DNS discovery
>>> will use provided server:
>>> will use discovered realm:
>>> The provided realm name [] does not match discovered one
>>> []
>>> (: Assumed same as domain)
>>> Installation failed. Rolling back changes
>>> IPA client is not configured on this system.
>>> ###
>>>
>>> Is it more clear ? Sorry again for the confusion.
>>>
>>> I use a realm which is different than the domain.
>>
>> Ah, I see. I think you just found a bug. The problem is that given the
>> server
>> is not reachable, the realm is calculated based on the domain and then
>> rejected
>> as it is different from the option. In this case, ipa-client-install should
>> just accept the realm passed to the script. It is very specific condition,
>> but
>> we should be able to fix that easily
>>
>> I filed a bug:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1300561
>>
>> We will need to think if there is a workaround for you until the fix is
>> delivered.
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
On 01/20/2016 05:55 PM, bahan w wrote:
> Ah sorry, for security reasons I didn't want to put the original name and I
> made a mistake.
>
> Here we are, for the confusing lines :
> ###
> Assuming realm is the same as domain:
> Generated basedn from realm: dc=
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
> kdc=None, basedn=dc=
> Validated servers:
> will use discovered domain:
> Using servers from command line, disabling DNS discovery
> will use provided server:
> will use discovered realm:
> The provided realm name [] does not match discovered one
> []
> (: Assumed same as domain)
> Installation failed. Rolling back changes
> IPA client is not configured on this system.
> ###
>
> Is it more clear ? Sorry again for the confusion.
>
> I use a realm which is different than the domain.

Ah, I see. I think you just found a bug. The problem is that given the server is not reachable, the realm is calculated based on the domain and then rejected as it is different from the option. In this case, ipa-client-install should just accept the realm passed to the script. It is very specific condition, but we should be able to fix that easily

I filed a bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1300561

We will need to think if there is a workaround for you until the fix is delivered.
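The condition described in the reply above, as an added illustration (it is not code from ipa-client-install or from anyone in this thread): a small model of a realm that is only guessed from the domain being compared against --realm, next to the behaviour the reply proposes. All function and class names are hypothetical, the upper-casing of the domain and the case-insensitive comparison are assumptions, and the domain and realm values are constructed.

```python
from dataclasses import dataclass

# NO_ACCESS_TO_LDAP is the result name shown in the thread's log;
# SUCCESS is a placeholder for "the server answered the anonymous query".
SUCCESS = "SUCCESS"
NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"


@dataclass
class Discovery:
    result: str
    realm: str
    realm_assumed: bool  # True when the realm is a guess derived from the domain


class RealmMismatch(Exception):
    """Raised where the installer logs 'does not match discovered one'."""


def discover(domain, server_realm, anonymous_bind_allowed):
    """Hypothetical model of the '[LDAP server check]' step in the log."""
    if anonymous_bind_allowed:
        # Realm read from the directory: authoritative.
        return Discovery(SUCCESS, server_realm, realm_assumed=False)
    # "LDAP Error: Anonymous access not allowed", then
    # "Assuming realm is the same as domain" (upper-casing is an assumption).
    return Discovery(NO_ACCESS_TO_LDAP, domain.upper(), realm_assumed=True)


def choose_realm_reported(provided, found):
    """Behaviour reported in the thread: any difference from --realm is fatal."""
    if provided and provided.lower() != found.realm.lower():
        raise RealmMismatch(f"[{provided}] does not match [{found.realm}]")
    return found.realm


def choose_realm_proposed(provided, found):
    """Behaviour proposed in the reply: a guessed realm never overrides --realm."""
    if provided and found.realm_assumed:
        return provided
    return choose_realm_reported(provided, found)


def outcome(chooser, provided, found):
    """Return the realm the installer would use, or 'REJECTED'."""
    try:
        return chooser(provided, found)
    except RealmMismatch:
        return "REJECTED"


if __name__ == "__main__":
    # Constructed sample values: the realm differs from the DNS domain.
    domain, realm = "example.test", "CORP.EXAMPLE.TEST"
    for anon in (True, False):
        found = discover(domain, realm, anon)
        print(anon, found.result,
              outcome(choose_realm_reported, realm, found),
              outcome(choose_realm_proposed, realm, found))
```

With anonymous binds allowed both variants agree; with them disabled only the reported variant rejects the enrollment, and a realm that genuinely differs from what the server returns is still rejected by both.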
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
Re Martin.

Here we are for the ipaclient-install.log :

###
2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': '', 'force': False, 'realm_name': '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': 'admin', 'hostname': '', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': False, 'force_join': False, 'ca_cert_file': None, 'server': [''], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively later
2016-01-20T14:55:48Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-01-20T14:55:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=, servers=[''], hostname=
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of _kerberos..
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that (realm None) is an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain:
2016-01-20T14:55:48Z DEBUG Generated basedn from realm: dc=
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=, kdc=None, basedn=
2016-01-20T14:55:48Z DEBUG Validated servers:
2016-01-20T14:55:48Z DEBUG will use discovered domain:
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS discovery
2016-01-20T14:55:48Z DEBUG will use provided server:
2016-01-20T14:55:48Z DEBUG will use discovered realm:
2016-01-20T14:55:48Z ERROR The provided realm name [] does not match discovered one []
2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
###

Best regards.

Bahan

On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek wrote:

> Adding freeipa-users back, so that others can benefit from the answer.
>
> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
> that
> we can get the full context of the bug? You may also want to open a RHEL-6
> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
> maintained
> in RHEL-6.x.
>
> Thanks,
> Martin
>
> On 01/20/2016 01:39 PM, bahan w wrote:
> > Hello Martin !
> >
> > Thanks for your answer, Martin !
> >
> > I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
> I
> > still have the same error message.
> >
> > # rpm -qa | grep ipa-client
> > ipa-client-3.0.0-47.el6.x86_64
> >
> > And in ipa-client-install.log :
> > ###
> > 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> > 2016-01-20T12:38:14Z DEBUG Verifying that (realm None)
> is
> > an IPA server
> > 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap://
> > server>:389
> > 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> > ###
> >
> > Best regards.
> >
> > Bahan
> >
> >
> > On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek wrote:
> >
> >> On 01/20/2016 12:08 PM, bahan w wrote:
> >>> Hello !
> >>>
> >>> I send you this mail because of the following topic.
> >>>
> >>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> >>> access for security reasons.
> >>>
> >>> But now, I have a problem when I try to enroll a new host.
> >>>
> >>> Here is the command I try :
> >>> ###
> >>> ipa-client-install --domain= --realm= --server=
> >>> ipaserver> --principal=admin --password=
> >>> --mkhomedir --hostname= --no-ntp --no-ssh --no-sshd
> >>> --unattended
> >>> ###
> >>>
> >>> And here is the error message :
> >>> ###
> >>> 2016-01-20T11:06:44Z DEBUG Verifying that (realm None)
> >> is
> >>> an IPA server
> >>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://
> >>> server>:389
> >>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> >>> ###
> >>>
> >>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous
> access
> >>> disabled ?
> >>>
> >>> Best regards.
> >>>
> >>> Bahan
> >>
> >> Hello,
> >>
> >> This looks like
> >> https://bugzilla.redhat.com/show_bug.cgi?id=922843
> >>
> >> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
> >> later).
> >>
> >> HTH,
> >> Martin
> >>
> >>
> >
>
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
On 01/20/2016 04:03 PM, bahan w wrote:
> Re Martin.
>
> Here we are for the ipaclient-install.log :
>
> ###
> 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': '', 'force': False, 'realm_name':
> '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
> True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
> False, 'principal': 'admin', 'hostname': '', 'no_ac':
> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
> False, 'force_join': False, 'ca_cert_file': None, 'server': [' SERVER>'], 'prompt_password': False, 'permit': False, 'debug': True,
> 'preserve_sssd': False, 'uninstall': False}
> 2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
> later
> 2016-01-20T14:55:48Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2016-01-20T14:55:48Z DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2016-01-20T14:55:48Z DEBUG [IPA Discovery]
> 2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=,
> servers=[''], hostname=
> 2016-01-20T14:55:48Z DEBUG Server and domain forced
> 2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
> 2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
> _kerberos..
> 2016-01-20T14:55:48Z DEBUG No DNS record found
> 2016-01-20T14:55:48Z DEBUG [LDAP server check]
> 2016-01-20T14:55:48Z DEBUG Verifying that (realm None) is
> an IPA server
> 2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap:// SERVER>:389
> 2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
> 2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain:
> 2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
> dc=
> 2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
> server=None, domain=, kdc=None, basedn=
> 2016-01-20T14:55:48Z DEBUG Validated servers:
> 2016-01-20T14:55:48Z DEBUG will use discovered domain:
> 2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
> discovery
> 2016-01-20T14:55:48Z DEBUG will use provided server:
> 2016-01-20T14:55:48Z DEBUG will use discovered realm:
> 2016-01-20T14:55:48Z ERROR The provided realm name [] does not
> match discovered one []

Well, I think the line above is the key to the problem. The realm you provided and the one discovered do not match.

> 2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
> 2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
> 2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
> ###
>
> Best regards.
>
> Bahan
>
> On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek wrote:
>
>> Adding freeipa-users back, so that others can benefit from the answer.
>>
>> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
>> that
>> we can get the full context of the bug? You may also want to open a RHEL-6
>> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
>> maintained
>> in RHEL-6.x.
>>
>> Thanks,
>> Martin
>>
>> On 01/20/2016 01:39 PM, bahan w wrote:
>>> Hello Martin !
>>>
>>> Thanks for your answer, Martin !
>>>
>>> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
>> I
>>> still have the same error message.
>>>
>>> # rpm -qa | grep ipa-client
>>> ipa-client-3.0.0-47.el6.x86_64
>>>
>>> And in ipa-client-install.log :
>>> ###
>>> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
>>> 2016-01-20T12:38:14Z DEBUG Verifying that (realm None)
>> is
>>> an IPA server
>>> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap://
>>> server>:389
>>> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek wrote:
>>> On 01/20/2016 12:08 PM, bahan w wrote:
> Hello !
>
> I send you this mail because of the following topic.
>
> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> access for security reasons.
>
> But now, I have a problem when I try to enroll a new host.
>
> Here is the command I try :
> ###
> ipa-client-install --domain= --realm= --server= ipaserver> --principal=admin --password=
> --mkhomedir --hostname= --no-ntp --no-ssh --no-sshd
> --unattended
> ###
>
> And here is the error message :
> ###
> 2016-01-20T11:06:44Z DEBUG Verifying that (realm None) is
> an IPA server
> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> ###
>
> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous
>> access
> disabled ?
>
> Best regards.
>
> Bahan
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
Ah sorry, for security reasons I didn't want to put the original name and I made a mistake.

Here we are, for the confusing lines :
###
Assuming realm is the same as domain:
Generated basedn from realm: dc=
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=, kdc=None, basedn=dc=
Validated servers:
will use discovered domain:
Using servers from command line, disabling DNS discovery
will use provided server:
will use discovered realm:
The provided realm name [] does not match discovered one []
(: Assumed same as domain)
Installation failed. Rolling back changes
IPA client is not configured on this system.
###

Is it more clear ? Sorry again for the confusion.

I use a realm which is different than the domain.

Best regards.

Bahan
[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
Hello !

I send you this mail because of the following topic.

I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous access for security reasons.

But now, I have a problem when I try to enroll a new host.

Here is the command I try :
###
ipa-client-install --domain= --realm= --server= --principal=admin --password= --mkhomedir --hostname= --no-ntp --no-ssh --no-sshd --unattended
###

And here is the error message :
###
2016-01-20T11:06:44Z DEBUG Verifying that (realm None) is an IPA server
2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
###

Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access disabled ?

Best regards.

Bahan
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
On 01/20/2016 12:08 PM, bahan w wrote:
> Hello !
>
> I send you this mail because of the following topic.
>
> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> access for security reasons.
>
> But now, I have a problem when I try to enroll a new host.
>
> Here is the command I try :
> ###
> ipa-client-install --domain= --realm= --server= ipaserver> --principal=admin --password=
> --mkhomedir --hostname= --no-ntp --no-ssh --no-sshd
> --unattended
> ###
>
> And here is the error message :
> ###
> 2016-01-20T11:06:44Z DEBUG Verifying that (realm None) is
> an IPA server
> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> ###
>
> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
> disabled ?
>
> Best regards.
>
> Bahan

Hello,

This looks like
https://bugzilla.redhat.com/show_bug.cgi?id=922843

It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and later).

HTH,
Martin
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off
Adding freeipa-users back, so that others can benefit from the answer.

Can you please attach a full ipaclient-install.log DEBUG log somewhere so that we can get the full context of the bug? You may also want to open a RHEL-6 Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maintained in RHEL-6.x.

Thanks,
Martin

On 01/20/2016 01:39 PM, bahan w wrote:
> Hello Martin !
>
> Thanks for your answer, Martin !
>
> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately I
> still have the same error message.
>
> # rpm -qa | grep ipa-client
> ipa-client-3.0.0-47.el6.x86_64
>
> And in ipa-client-install.log :
> ###
> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> 2016-01-20T12:38:14Z DEBUG Verifying that (realm None) is
> an IPA server
> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> ###
>
> Best regards.
>
> Bahan
>
>
> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek wrote:
>
>> On 01/20/2016 12:08 PM, bahan w wrote:
>>> Hello !
>>>
>>> I send you this mail because of the following topic.
>>>
>>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
>>> access for security reasons.
>>>
>>> But now, I have a problem when I try to enroll a new host.
>>>
>>> Here is the command I try :
>>> ###
>>> ipa-client-install --domain= --realm= --server=
>>> ipaserver> --principal=admin --password=
>>> --mkhomedir --hostname= --no-ntp --no-ssh --no-sshd
>>> --unattended
>>> ###
>>>
>>> And here is the error message :
>>> ###
>>> 2016-01-20T11:06:44Z DEBUG Verifying that (realm None)
>> is
>>> an IPA server
>>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://
>>> server>:389
>>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
>>> disabled ?
>>>
>>> Best regards.
>>>
>>> Bahan
>>
>> Hello,
>>
>> This looks like
>> https://bugzilla.redhat.com/show_bug.cgi?id=922843
>>
>> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
>> later).
>>
>> HTH,
>> Martin
>>
>>
>