freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#3573 Should not display ports to open when password is incorrect during ipa-client-install.

Created 4 years ago by shanks
Modified 9 months ago

[root@dhcp201-120 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: dhcp201-120.englab.pnq.redhat.com
Realm: ENGLAB.PNQ.REDHAT.COM
DNS Domain: englab.pnq.redhat.com
IPA Server: dhcp201-146.englab.pnq.redhat.com
BaseDN: dc=englab,dc=pnq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@ENGLAB.PNQ.REDHAT.COM: 
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@dhcp201-120 ~]#

Should not display the ports to open when the installation failure is because of an incorrect Kerberos password.

Rename component.

Is there a way to reliably distinguish the situation where it was the password that was wrong in kinit (which assumes the ports are probably right and the message would not be needed) from the one where it was a different error? I'm afraid the kinit exit status will not help, and parsing stderr output will break unless it also accounts for localized variants of those messages ...

Replying to [comment:6 adelton]:

Is there a way to reliably distinguish the situation where it was the password that was wrong in kinit (which assumes the ports are probably right and the message would not be needed) from the one where it was a different error? I'm afraid the kinit exit status will not help, and parsing stderr output will break unless it also accounts for localized variants of those messages ...

You are right on both accounts - see the discussion in this thread on freeipa-devel:
https://www.redhat.com/archives/freeipa-devel/2013-April/msg00324.html

Moving the tickets back to free-to-take pool.
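As an added example of the approach the two comments above circle around (not the FreeIPA fix in commit f67268d and not project code): run kinit under a forced C locale so its stderr is not localized, then classify the failure and print the firewall port hint only when the cause could actually be a closed port. Only the "Password incorrect" fragment appears on this page; the other krb5 message fragments are assumptions to be checked against the installed krb5 version, and the sample stderr lines in the test are constructed.

```python
import os
import subprocess
from enum import Enum

class KinitResult(Enum):
    OK = "ok"
    BAD_PASSWORD = "bad_password"        # credential wrong; ports are fine
    KDC_UNREACHABLE = "kdc_unreachable"  # network, DNS or firewall problem
    OTHER = "other"

# C-locale krb5 message fragments. "Password incorrect" is from the ticket
# output above; the rest are assumed from krb5's English error table and
# must be verified against the krb5 version actually installed.
_BAD_PASSWORD = ("Password incorrect", "Preauthentication failed",
                 "Decrypt integrity check failed")
_UNREACHABLE = ("Cannot contact any KDC", "Cannot find KDC for realm",
                "Cannot resolve network address for KDC")

PORT_HINT = ("Please make sure the following ports are opened in the firewall "
             "settings:\n     TCP: 80, 88, 389\n     UDP: 88 (at least one of "
             "TCP/UDP ports 88 has to be open)")

def classify_kinit(returncode, stderr):
    """Map kinit's exit status plus its C-locale stderr to a failure class."""
    if returncode == 0:
        return KinitResult.OK
    if any(frag in stderr for frag in _BAD_PASSWORD):
        return KinitResult.BAD_PASSWORD
    if any(frag in stderr for frag in _UNREACHABLE):
        return KinitResult.KDC_UNREACHABLE
    return KinitResult.OTHER

def failure_message(result, stderr):
    """Return the operator-facing text; port advice only when it can apply."""
    if result is KinitResult.OK:
        return ""
    msg = "Kerberos authentication failed\n" + stderr.rstrip()
    if result is KinitResult.BAD_PASSWORD:
        return msg            # a wrong password says nothing about ports
    return msg + "\n\n" + PORT_HINT

def run_kinit(principal, password, kinit="/usr/bin/kinit"):
    """Run kinit with LC_ALL=C so the English fragments above match."""
    env = dict(os.environ, LC_ALL="C")
    proc = subprocess.run([kinit, principal], input=password + "\n",
                          capture_output=True, text=True, env=env)
    result = classify_kinit(proc.returncode, proc.stderr)
    return result, failure_message(result, proc.stderr)
```

The exit status is deliberately used only to detect success; kinit returns 1 for both a bad password and an unreachable KDC, so the classification has to come from the (locale-pinned) message text.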

master:

  • f67268d Improve error message on failed Kerberos authentication
9 months ago

Metadata Update from @shanks:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.0 - 2014/02


defect

Client

1

https://bugzilla.redhat.com/show_bug.cgi?id=1108230
