Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 922843
Description of problem:
unattended ipa-client-install fails when anonymous access to LDAP is disabled on IPA servers:

    /usr/sbin/ipa-client-install -p admin -w somepass --mkhomedir -dd -U
    /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
    missing options might be asked for interactively later
    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
    [IPA Discovery]
    Starting IPA discovery with domain=None, servers=None, hostname=31075-01.example.com
    Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
    Search DNS for SRV record of _ldap._tcp.example.com.
    DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa2.example.com.}
    DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa1.example.com.}
    [Kerberos realm search]
    Search DNS for TXT record of _kerberos.example.com.
    DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:TESTSITE.ATG.SE}
    Search DNS for SRV record of _kerberos._udp.example.com.
    DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
    DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
    [LDAP server check]
    Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
    Init LDAP connection with: ldap://ipa2.example.com:389
    Search LDAP server for IPA base DN
    Check if naming context 'dc=example,dc=com' is for IPA
    Naming context 'dc=example,dc=com' is a valid IPA context
    Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
    LDAP Error: Anonymous access not allowed
    Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
    Validated servers: ipa2.example.com
    will use discovered domain: example.com
    IPA Server not found
    Unable to find IPA Server to join
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-26.el6_4.2.x86_64

How reproducible:
Always

Steps to Reproduce:
1. disable anonymous access to ldap on IPA server

    # ldapmodify -x -D "cn=Directory Manager" -w <secret> -h localhost -p 389
    dn: cn=config
    changetype: modify
    replace: nsslapd-allow-anonymous-access
    nsslapd-allow-anonymous-access: rootdse

2. install ipa-client-3.0.0-26.el6_4.2.x86_64 on ipa client machine
3. Execute unattended ipa-client installation on ipa client machine

    # /usr/sbin/ipa-client-install -p admin -w somepass --mkhomedir -dd -U

Actual results:
ipa-client-install fails with:

    /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': 'admin', 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
    missing options might be asked for interactively later
    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
    [IPA Discovery]
    Starting IPA discovery with domain=None, servers=None, hostname=31075-01.example.com
    Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
    Search DNS for SRV record of _ldap._tcp.example.com.
    DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa2.example.com.}
    DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa1.example.com.}
    [Kerberos realm search]
    Search DNS for TXT record of _kerberos.example.com.
    DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:TESTSITE.ATG.SE}
    Search DNS for SRV record of _kerberos._udp.example.com.
    DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
    DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
    [LDAP server check]
    Verifying that ipa2.example.com (realm TESTSITE.ATG.SE) is an IPA server
    Init LDAP connection with: ldap://ipa2.example.com:389
    Search LDAP server for IPA base DN
    Check if naming context 'dc=example,dc=com' is for IPA
    Naming context 'dc=example,dc=com' is a valid IPA context
    Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
    LDAP Error: Anonymous access not allowed
    Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
    Validated servers: ipa2.example.com
    will use discovered domain: example.com
    IPA Server not found
    Unable to find IPA Server to join
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.

Expected results:
ipa-client-install should finish without prompting for information

Additional info:
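The -dd output in the report already contains everything needed to tell this failure mode apart from a genuinely missing server: DNS returned SRV records for both IPA hosts, the naming context was recognised as an IPA context, and only the anonymous search for krbRealmContainer was refused. The following is an added example, not part of this ticket and not FreeIPA's own discovery code; it parses those debug lines and classifies the outcome so an operator can see that the failure is a side effect of the nsslapd-allow-anonymous-access hardening rather than a broken deployment. The embedded log lines are constructed from the report above; the Discovery fields, the verdict strings and the suggested follow-up (pass --server/--domain explicitly, or verify with an authenticated bind) are this example's own assumptions.

```python
"""Triage ipa-client-install -dd output for the 'anonymous LDAP access
disabled' discovery failure.  Added example; not FreeIPA project code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the discovery-relevant lines from the ticket's log.
SAMPLE_LOG = """\
[IPA Discovery]
Search DNS for SRV record of _ldap._tcp.example.com.
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa2.example.com.}
DNS record found: DNSResult::name:_ldap._tcp.example.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa1.example.com.}
[Kerberos realm search]
DNS record found: DNSResult::name:_kerberos.example.com.,type:16,class:1,rdata={data:TESTSITE.ATG.SE}
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa1.example.com.}
DNS record found: DNSResult::name:_kerberos._udp.example.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa2.example.com.}
[LDAP server check]
Naming context 'dc=example,dc=com' is a valid IPA context
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=example.com, kdc=ipa1.example.com,ipa2.example.com, basedn=dc=example,dc=com
Validated servers: ipa2.example.com
IPA Server not found
"""

# Regexes match the DNSResult / result lines exactly as ipa-client-install prints them.
SRV_RE = re.compile(
    r"DNS record found: DNSResult::name:(?P<name>\S+?),type:33,class:1,"
    r"rdata=\{priority:(?P<prio>\d+),port:(?P<port>\d+),weight:(?P<weight>\d+),"
    r"server:(?P<server>[^}]+)\}")
TXT_RE = re.compile(
    r"DNS record found: DNSResult::name:(?P<name>\S+?),type:16,class:1,"
    r"rdata=\{data:(?P<data>[^}]+)\}")
LDAP_ERR_RE = re.compile(r"LDAP Error: (?P<msg>.+)$")
RESULT_RE = re.compile(
    r"Discovery result: (?P<code>[A-Z_]+); server=(?P<server>\S+?), "
    r"domain=(?P<domain>\S+?), kdc=(?P<kdc>\S+?), basedn=(?P<basedn>.+)$")


@dataclass
class Discovery:
    """What the client learned before it gave up (field names are this example's)."""
    ldap_srv: List[str] = field(default_factory=list)  # hosts from _ldap._tcp SRV
    kdc_srv: List[str] = field(default_factory=list)   # hosts from _kerberos._udp SRV
    realm: Optional[str] = None                        # from the _kerberos TXT record
    ldap_error: Optional[str] = None                   # last "LDAP Error:" message
    result: Optional[str] = None                       # e.g. NO_ACCESS_TO_LDAP
    server: Optional[str] = None
    domain: Optional[str] = None
    basedn: Optional[str] = None


def parse_discovery_log(text: str) -> Discovery:
    """Extract SRV/TXT answers, the LDAP error and the discovery result code."""
    d = Discovery()
    for line in text.splitlines():
        m = SRV_RE.search(line)
        if m:
            host = m.group("server").rstrip(".")  # drop the trailing root dot
            if m.group("name").startswith("_ldap._tcp."):
                d.ldap_srv.append(host)
            elif m.group("name").startswith("_kerberos._udp."):
                d.kdc_srv.append(host)
            continue
        m = TXT_RE.search(line)
        if m:
            d.realm = m.group("data")
            continue
        m = LDAP_ERR_RE.search(line)
        if m:
            d.ldap_error = m.group("msg")
            continue
        m = RESULT_RE.search(line)
        if m:
            d.result = m.group("code")
            d.server = None if m.group("server") == "None" else m.group("server")
            d.domain = m.group("domain")
            d.basedn = m.group("basedn")
    return d


def triage(d: Discovery) -> dict:
    """Classify the outcome.  Verdict strings and the recommended action are
    assumptions of this example, not ipa-client-install behaviour."""
    if d.result == "NO_ACCESS_TO_LDAP":
        # The directory answered but refused the anonymous krbRealmContainer
        # search: consistent with nsslapd-allow-anonymous-access set to
        # 'rootdse' or 'off' on purpose.  The DNS answers are still usable.
        return {"verdict": "anonymous_ldap_disabled",
                "candidate_servers": list(d.ldap_srv), "kdcs": list(d.kdc_srv),
                "realm": d.realm,
                "action": "pass --server/--domain explicitly or verify with an authenticated bind"}
    if d.ldap_srv and d.ldap_error is None:
        return {"verdict": "discovered",
                "candidate_servers": [d.server] if d.server else list(d.ldap_srv),
                "kdcs": list(d.kdc_srv), "realm": d.realm, "action": None}
    return {"verdict": "discovery_failed", "candidate_servers": list(d.ldap_srv),
            "kdcs": list(d.kdc_srv), "realm": d.realm,
            "action": "check DNS SRV records and LDAP reachability"}


if __name__ == "__main__":
    print(triage(parse_discovery_log(SAMPLE_LOG)))
```

Run against the sample, the verdict is anonymous_ldap_disabled with both SRV-advertised hosts listed as candidates, which is the distinction the installer's own "IPA Server not found" message hides: the server exists and is an IPA server, the client simply was not allowed to prove it anonymously.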
attachment freeipa-mkosek-390-ipa-client-discovery-with-anonymous-access-off.patch
Patch freeipa-mkosek-390-ipa-client-discovery-with-anonymous-access-off.patch sent for review
master: be54d1d ipa-client discovery with anonymous access off
ipa-3-1: dda3cd1 ipa-client discovery with anonymous access off
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=924100
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.2 - 2013/03