Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-21 Thread Martin Kosek
On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
> 
> Thank you for your answer.

Adding freeipa-users list back, so that others can follow the thread.

> Excuse me for my ignorance, but could you tell me how the bug and its
> resolution work for FreeIPA?

This is probably not something that would require its own upstream release; it
is too old a version, no longer developed upstream. It may rather be fixed
downstream, in RHEL (I cannot promise anything, though).

I wonder, do RHEL-7.x clients work in your environment? RHEL-7.1+ should have
https://fedorahosted.org/freeipa/ticket/
applied, which may fix the issue.

> Will there be a new release concerning IPA 3.0.0, or a patch to apply ?

There may be a RHEL-6.x fix. If you have a RHEL subscription, I would recommend
pointing your Support Representative to Bug 1300561 below, to get higher
priority for the bug.

> Best regards.
> 
> Bahan
> 
> 
> On Thu, Jan 21, 2016 at 8:21 AM, Martin Kosek  wrote:
> 
>> On 01/20/2016 05:55 PM, bahan w wrote:
>>> Ah sorry, for security reasons I didn't want to put the original name
>> and I
>>> made a mistake.
>>>
>>> Here we are, for the confusing lines :
>>> ###
>>> Assuming realm is the same as domain: 
>>> Generated basedn from realm: dc=
>>> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
>>> kdc=None, basedn=dc=
>>> Validated servers: 
>>> will use discovered domain: 
>>> Using servers from command line, disabling DNS discovery
>>> will use provided server: 
>>> will use discovered realm: 
>>> The provided realm name [] does not match discovered one
>>> []
>>> (: Assumed same as domain)
>>> Installation failed. Rolling back changes
>>> IPA client is not configured on this system.
>>> ###
>>>
>>> Is it clearer? Sorry again for the confusion.
>>>
>>> I use a realm which is different from the domain.
>>
>> Ah, I see. I think you just found a bug. The problem is that given the
>> server is not reachable, the realm is calculated based on the domain and
>> then rejected as it is different from the option. In this case,
>> ipa-client-install should just accept the realm passed to the script. It is
>> a very specific condition, but we should be able to fix that easily.
>>
>> I filed a bug:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1300561
>>
>> We will need to think if there is a workaround for you until the fix is
>> delivered.
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 05:55 PM, bahan w wrote:
> Ah sorry, for security reasons I didn't want to put the original name and I
> made a mistake.
> 
> Here we are, for the confusing lines :
> ###
> Assuming realm is the same as domain: 
> Generated basedn from realm: dc=
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
> kdc=None, basedn=dc=
> Validated servers: 
> will use discovered domain: 
> Using servers from command line, disabling DNS discovery
> will use provided server: 
> will use discovered realm: 
> The provided realm name [] does not match discovered one
> []
> (: Assumed same as domain)
> Installation failed. Rolling back changes
> IPA client is not configured on this system.
> ###
> 
> Is it clearer? Sorry again for the confusion.
> 
> I use a realm which is different from the domain.

Ah, I see. I think you just found a bug. The problem is that given the server
is not reachable, the realm is calculated based on the domain and then rejected
as it is different from the option. In this case, ipa-client-install should
just accept the realm passed to the script. It is a very specific condition, but
we should be able to fix that easily.

I filed a bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1300561

We will need to think if there is a workaround for you until the fix is 
delivered.
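To make the failure mode described in this reply concrete, here is a small Python model added for this page (it is not FreeIPA's code; the function and field names are invented): when anonymous binds are refused, discovery cannot read the realm and guesses it from the domain, and the pre-fix check then rejects a --realm option that differs from that guess, while the corrected check lets an explicitly provided realm override a merely assumed one.

```python
"""Toy model of the ipa-client-install realm check from the thread.

Hypothetical simplification, not FreeIPA code. With
nsslapd-allow-anonymous-access: off, the LDAP server check fails, discovery
reports NO_ACCESS_TO_LDAP and assumes realm = domain.upper(). The pre-fix
validation compares that guess with --realm as if it were verified.
"""
from dataclasses import dataclass
from typing import Callable, Optional

NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"  # status string seen in the posted log
SUCCESS = "SUCCESS"


@dataclass
class DiscoveryResult:
    status: str
    domain: str
    realm: str
    realm_verified: bool  # True only if the realm was actually read via LDAP


def discover(domain: str, ldap_realm: Optional[str]) -> DiscoveryResult:
    """ldap_realm is the realm an anonymous LDAP query returned, or None when
    the server refused the bind ("LDAP Error: Anonymous access not allowed")."""
    if ldap_realm is None:
        # Mirrors "Assuming realm is the same as domain: ..." in the log
        return DiscoveryResult(NO_ACCESS_TO_LDAP, domain, domain.upper(), False)
    return DiscoveryResult(SUCCESS, domain, ldap_realm, True)


def _mismatch(provided: str, discovered: str) -> ValueError:
    return ValueError(f"The provided realm name [{provided}] does not match "
                      f"discovered one [{discovered}]")


def resolve_realm_buggy(provided: Optional[str], res: DiscoveryResult) -> str:
    """Pre-fix behaviour: a guessed realm is compared like a verified one."""
    if provided and provided != res.realm:
        raise _mismatch(provided, res.realm)
    return res.realm


def resolve_realm_fixed(provided: Optional[str], res: DiscoveryResult) -> str:
    """Corrected behaviour: only a realm read from LDAP may contradict --realm;
    an assumed realm yields to the value the administrator passed."""
    if provided and not res.realm_verified:
        return provided
    if provided and provided != res.realm:
        raise _mismatch(provided, res.realm)
    return res.realm


def outcome(fn: Callable, provided: Optional[str], res: DiscoveryResult) -> str:
    """Return the realm a resolver picks, or the error message it raises."""
    try:
        return fn(provided, res)
    except ValueError as exc:
        return "ERROR: " + str(exc)


if __name__ == "__main__":
    # Constructed input: realm deliberately differs from the DNS domain
    refused = discover("lab.example", None)
    print(outcome(resolve_realm_buggy, "CORP.EXAMPLE", refused))
    print(outcome(resolve_realm_fixed, "CORP.EXAMPLE", refused))
```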



Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Re Martin.

Here we are for the ipaclient-install.log :

###
2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': '', 'force': False, 'realm_name':
'', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': 'admin', 'hostname': '', 'no_ac':
False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
False, 'force_join': False, 'ca_cert_file': None, 'server': [''], 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
later
2016-01-20T14:55:48Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-01-20T14:55:48Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=,
servers=[''], hostname=
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
_kerberos..
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that  (realm None) is
an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: 
2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
dc=
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
server=None, domain=, kdc=None, basedn=
2016-01-20T14:55:48Z DEBUG Validated servers: 
2016-01-20T14:55:48Z DEBUG will use discovered domain: 
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
discovery
2016-01-20T14:55:48Z DEBUG will use provided server: 
2016-01-20T14:55:48Z DEBUG will use discovered realm: 
2016-01-20T14:55:48Z ERROR The provided realm name [] does not
match discovered one []
2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
###

Best regards.

Bahan

On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek  wrote:

> Adding freeipa-users back, so that others can benefit from the answer.
>
> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
> that
> we can get the full context of the bug? You may also want to open a RHEL-6
> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
> maintained
> in RHEL-6.x.
>
> Thanks,
> Martin
>
> On 01/20/2016 01:39 PM, bahan w wrote:
> > Hello Martin !
> >
> > Thanks for your answer, Martin !
> >
> > I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
> I
> > still have the same error message.
> >
> > # rpm -qa | grep ipa-client
> > ipa-client-3.0.0-47.el6.x86_64
> >
> > And in ipa-client-install.log :
> > ###
> > 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> > 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None)
> is
> > an IPA server
> > 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap:// > server>:389
> > 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> > ###
> >
> > Best regards.
> >
> > Bahan
> >
> >
> > On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek  wrote:
> >
> >> On 01/20/2016 12:08 PM, bahan w wrote:
> >>> Hello !
> >>>
> >>> I send you this mail because of the following topic.
> >>>
> >>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> >>> access for security reasons.
> >>>
> >>> But now, I have a problem when I try to enroll a new host.
> >>>
> >>> Here is the command I try :
> >>> ###
> >>> ipa-client-install --domain= --realm= --server= >>> ipaserver> --principal=admin --password=
> >>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
> >>> --unattended
> >>> ###
> >>>
> >>> And here is the error message :
> >>> ###
> >>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None)
> >> is
> >>> an IPA server
> >>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// >>> server>:389
> >>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> >>> ###
> >>>
> >>> Is there a way with IPA 3.0.0.25 to enroll a host with the anonymous
> >>> access disabled?
> >>>
> >>> Best regards.
> >>>
> >>> Bahan
> >>
> >> Hello,
> >>
> >> This looks like
> >> https://bugzilla.redhat.com/show_bug.cgi?id=922843
> >>
> >> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
> >> later).
> >>
> >> HTH,
> >> Martin
> >>
> >>
> >
>
>

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 04:03 PM, bahan w wrote:
> Re Martin.
> 
> Here we are for the ipaclient-install.log :
> 
> ###
> 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': '', 'force': False, 'realm_name':
> '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
> True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
> False, 'principal': 'admin', 'hostname': '', 'no_ac':
> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
> False, 'force_join': False, 'ca_cert_file': None, 'server': [' SERVER>'], 'prompt_password': False, 'permit': False, 'debug': True,
> 'preserve_sssd': False, 'uninstall': False}
> 2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
> later
> 2016-01-20T14:55:48Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2016-01-20T14:55:48Z DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2016-01-20T14:55:48Z DEBUG [IPA Discovery]
> 2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=,
> servers=[''], hostname=
> 2016-01-20T14:55:48Z DEBUG Server and domain forced
> 2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
> 2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
> _kerberos..
> 2016-01-20T14:55:48Z DEBUG No DNS record found
> 2016-01-20T14:55:48Z DEBUG [LDAP server check]
> 2016-01-20T14:55:48Z DEBUG Verifying that  (realm None) is
> an IPA server
> 2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap:// SERVER>:389
> 2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
> 2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: 
> 2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
> dc=
> 2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
> server=None, domain=, kdc=None, basedn=
> 2016-01-20T14:55:48Z DEBUG Validated servers: 
> 2016-01-20T14:55:48Z DEBUG will use discovered domain: 
> 2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
> discovery
> 2016-01-20T14:55:48Z DEBUG will use provided server: 
> 2016-01-20T14:55:48Z DEBUG will use discovered realm: 
> 2016-01-20T14:55:48Z ERROR The provided realm name [] does not
> match discovered one []

Well, I think the line above is the key to the problem. The realm you provided
and the one discovered do not match.

> 2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
> 2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
> 2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
> ###
> 
> Best regards.
> 
> Bahan
> 
> On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek  wrote:
> 
>> Adding freeipa-users back, so that others can benefit from the answer.
>>
>> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
>> that
>> we can get the full context of the bug? You may also want to open a RHEL-6
>> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
>> maintained
>> in RHEL-6.x.
>>
>> Thanks,
>> Martin
>>
>> On 01/20/2016 01:39 PM, bahan w wrote:
>>> Hello Martin !
>>>
>>> Thanks for your answer, Martin !
>>>
>>> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
>> I
>>> still have the same error message.
>>>
>>> # rpm -qa | grep ipa-client
>>> ipa-client-3.0.0-47.el6.x86_64
>>>
>>> And in ipa-client-install.log :
>>> ###
>>> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
>>> 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None)
>> is
>>> an IPA server
>>> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap://>> server>:389
>>> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek  wrote:
>>>
>>>> On 01/20/2016 12:08 PM, bahan w wrote:
>>>>> Hello !
>>>>>
>>>>> I send you this mail because of the following topic.
>>>>>
>>>>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
>>>>> access for security reasons.
>>>>>
>>>>> But now, I have a problem when I try to enroll a new host.
>>>>>
>>>>> Here is the command I try :
>>>>> ###
>>>>> ipa-client-install --domain= --realm= --server= ipaserver> --principal=admin --password=
>>>>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
>>>>> --unattended
>>>>> ###
>>>>>
>>>>> And here is the error message :
>>>>> ###
>>>>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
>>>>> an IPA server
>>>>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// server>:389
>>>>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
>>>>> ###
>>>>>
>>>>> Is there a way with IPA 3.0.0.25 to enroll a host with the anonymous
>>>>> access disabled?
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan


Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I
made a mistake.

Here we are, for the confusing lines :
###
Assuming realm is the same as domain: 
Generated basedn from realm: dc=
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
kdc=None, basedn=dc=
Validated servers: 
will use discovered domain: 
Using servers from command line, disabling DNS discovery
will use provided server: 
will use discovered realm: 
The provided realm name [] does not match discovered one
[]
(: Assumed same as domain)
Installation failed. Rolling back changes
IPA client is not configured on this system.
###

Is it clearer? Sorry again for the confusion.

I use a realm which is different from the domain.

Best regards.

Bahan

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello !

I send you this mail because of the following topic.

I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
access for security reasons.

But now, I have a problem when I try to enroll a new host.

Here is the command I try :
###
ipa-client-install --domain= --realm= --server= --principal=admin --password=
--mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
--unattended
###

And here is the error message :
###
2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
an IPA server
2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
###

Is there a way with IPA 3.0.0.25 to enroll a host with the anonymous access
disabled?

Best regards.

Bahan

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 12:08 PM, bahan w wrote:
> Hello !
> 
> I send you this mail because of the following topic.
> 
> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> access for security reasons.
> 
> But now, I have a problem when I try to enroll a new host.
> 
> Here is the command I try :
> ###
> ipa-client-install --domain= --realm= --server= ipaserver> --principal=admin --password=
> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
> --unattended
> ###
> 
> And here is the error message :
> ###
> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
> an IPA server
> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
> ###
> 
> Is there a way with IPA 3.0.0.25 to enroll a host with the anonymous access
> disabled?
> 
> Best regards.
> 
> Bahan

Hello,

This looks like
https://bugzilla.redhat.com/show_bug.cgi?id=922843

It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and later).

HTH,
Martin



Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
Adding freeipa-users back, so that others can benefit from the answer.

Can you please attach a full ipaclient-install.log DEBUG log somewhere so that
we can get the full context of the bug? You may also want to open a RHEL-6
Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maintained
in RHEL-6.x.

Thanks,
Martin

On 01/20/2016 01:39 PM, bahan w wrote:
> Hello Martin !
> 
> Thanks for your answer, Martin !
> 
> I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately I
> still have the same error message.
> 
> # rpm -qa | grep ipa-client
> ipa-client-3.0.0-47.el6.x86_64
> 
> And in ipa-client-install.log :
> ###
> 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None) is
> an IPA server
> 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap:// server>:389
> 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> ###
> 
> Best regards.
> 
> Bahan
> 
> 
> On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek  wrote:
> 
>> On 01/20/2016 12:08 PM, bahan w wrote:
>>> Hello !
>>>
>>> I send you this mail because of the following topic.
>>>
>>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
>>> access for security reasons.
>>>
>>> But now, I have a problem when I try to enroll a new host.
>>>
>>> Here is the command I try :
>>> ###
>>> ipa-client-install --domain= --realm= --server=>> ipaserver> --principal=admin --password=
>>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
>>> --unattended
>>> ###
>>>
>>> And here is the error message :
>>> ###
>>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None)
>> is
>>> an IPA server
>>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://>> server>:389
>>> 2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
>>> ###
>>>
>>> Is there a way with IPA 3.0.0.25 to enroll a host with the anonymous access
>>> disabled?
>>>
>>> Best regards.
>>>
>>> Bahan
>>
>> Hello,
>>
>> This looks like
>> https://bugzilla.redhat.com/show_bug.cgi?id=922843
>>
>> It should be fixed in recent ipa-client versions (ipa-3.0.0-29.el6 and
>> later).
>>
>> HTH,
>> Martin
>>
>>
> 
