[root@dhcp201-120 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: dhcp201-120.englab.pnq.redhat.com
Realm: ENGLAB.PNQ.REDHAT.COM
DNS Domain: englab.pnq.redhat.com
IPA Server: dhcp201-146.englab.pnq.redhat.com
BaseDN: dc=englab,dc=pnq,dc=redhat,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@ENGLAB.PNQ.REDHAT.COM:
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@dhcp201-120 ~]#
Should not display the ports to open when the installation failure is because of an incorrect Kerberos password.
Rename component.
Is there a way to reliably distinguish the situation when it was the password which was wrong in kinit (which assumes the ports are probably right and the message would not be needed) and when it was a different error? I'm afraid the kinit exit status will not help and parsing stderr output will break unless it also accounts for localized variants of those messages ...
Replying to [comment:6 adelton]:
You are right on both accounts - see the discussion in this thread on freeipa-devel: https://www.redhat.com/archives/freeipa-devel/2013-April/msg00324.html
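One way to act on the concern raised above, as an added example that is not FreeIPA code: run kinit with LC_ALL=C so its messages are untranslated, and suppress the firewall hint only when stderr positively matches a credential error. The function names and every message fragment other than "Password incorrect" (taken from the transcript) are assumptions.

```python
import os
import subprocess

# Untranslated message fragments. "Password incorrect" is from the transcript
# above; the others are assumed from MIT krb5's English messages.
CREDENTIAL_ERRORS = (
    "Password incorrect",
    "Preauthentication failed",
    "not found in Kerberos database",
)
NETWORK_ERRORS = (
    "Cannot contact any KDC",
    "Cannot find KDC for",
)


def classify_kinit_failure(stderr_text):
    """Return 'credentials', 'network' or 'unknown' for kinit stderr text."""
    if any(fragment in stderr_text for fragment in CREDENTIAL_ERRORS):
        return "credentials"
    if any(fragment in stderr_text for fragment in NETWORK_ERRORS):
        return "network"
    return "unknown"


def should_show_port_hint(stderr_text):
    """Hide the port list only on a positive credential-error match.

    Anything unrecognised (including a localized message that slipped
    through) keeps the hint, so a real firewall problem is never hidden.
    """
    return classify_kinit_failure(stderr_text) != "credentials"


def run_kinit(principal, password):
    """Run kinit with a forced C locale so stderr is not translated."""
    env = dict(os.environ, LC_ALL="C")  # C locale disables message translation
    proc = subprocess.run(
        ["kinit", principal],
        input=password + "\n",  # kinit reads the password from stdin when not on a tty
        env=env,
        capture_output=True,
        text=True,
    )
    return proc.returncode, proc.stderr
```
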
Moving the tickets back to free-to-take pool.
master:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1108230
Metadata Update from @shanks: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.0 - 2014/02