#4444 ipa-client-install does not respect --realm option
Closed: Fixed. Opened 9 years ago by bnordgren.

Installing a new server in an environment with misconfigured DNS does not allow you to override DNS with a command line option. Same behavior in both 3.3.5 and 4.0.0 on Fedora 20.

Specifically, client installation at the end of the server installation fails. In my environment, my TXT DNS record is lowercase, and specifying --realm on the command line does not cause the install script to recognize that the realm is "forced".

...
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Sample zone file for bind has been created in /tmp/sample.zone.ChB2R_.db
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain usfs-i2.umt.edu --server ipa.usfs-i2.umt.edu --realm USFS-I2.UMT.EDU --hostname ipa.usfs-i2.umt.edu' returned non-zero exit status 1

Output in /etc/ipaclient-install.log:

2014-07-16T23:00:47Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T23:00:47Z DEBUG [IPA Discovery]
2014-07-16T23:00:47Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T23:00:47Z DEBUG Server and domain forced
2014-07-16T23:00:47Z DEBUG [Kerberos realm search]
2014-07-16T23:00:47Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T23:00:47Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T23:00:47Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T23:00:47Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T23:00:47Z DEBUG [LDAP server check]
2014-07-16T23:00:47Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
2014-07-16T23:00:47Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T23:00:47Z DEBUG Search LDAP server for IPA base DN
2014-07-16T23:00:47Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
2014-07-16T23:00:47Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
2014-07-16T23:00:47Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T23:00:47Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T23:00:47Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
2014-07-16T23:00:47Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
2014-07-16T23:00:47Z DEBUG Validated servers:
2014-07-16T23:00:47Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA Server.

The end result is that the KDC is configured correctly (because ipa-server-install works) but ipa commands fail:

[root@ipa ~]# kinit admin
Password for admin@USFS-I2.UMT.EDU:
[root@ipa ~]# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipa.usfs-i2.umt.edu,O=USFS-I2.UMT.EDU" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'https://ipa.usfs-i2.umt.edu/ipa/xml': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

We plan to fix this, ideally in 4.0.x. This is the part that does not respect --realm:

        # search for kerberos
        root_logger.debug("[Kerberos realm search]")
        krb_realm, kdc = self.ipadnssearchkrb(self.domain)
        if not servers and not krb_realm:
            return REALM_NOT_FOUND

        # The realm read from the _kerberos TXT record overwrites self.realm
        # unconditionally, so a realm given with --realm is discarded here.
        self.realm = krb_realm
        self.kdc = kdc
        self.realm_source = self.kdc_source = (
            'Discovered Kerberos DNS records from %s' % self.domain)
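The failure can be reproduced offline with the following reduced model of the discovery step. This is an added example, not FreeIPA's own code: `discover`, `dns_search_krb`, `ldap_has_realm` and the constructed DNS and LDAP answers are this example's stand-ins for what the log above shows, and the exact-match realm comparison is a simplification of the real LDAP server check. With the quoted behaviour the realm found in the lowercase `_kerberos` TXT record replaces the one given with --realm, the LDAP check then looks for a krbRealmContainer named `usfs-i2.umt.edu.` instead of `USFS-I2.UMT.EDU`, and discovery ends in REALM_NOT_FOUND; keeping the forced realm makes the same check pass.

```python
"""Reduced model of ipa-client-install realm discovery (added example, not
FreeIPA code). All DNS and LDAP answers below are constructed from the log
lines in this ticket; nothing is looked up on the network."""

REALM_NOT_FOUND = "REALM_NOT_FOUND"
SUCCESS = "SUCCESS"

# Constructed stand-ins for the DNS answers in /etc/ipaclient-install.log:
# the TXT record carries the realm lowercase and with a trailing dot.
DNS_TXT = {"_kerberos.usfs-i2.umt.edu": "usfs-i2.umt.edu."}
DNS_SRV = {"_kerberos._udp.usfs-i2.umt.edu": "ipa.usfs-i2.umt.edu"}
# Constructed stand-in for the krbRealmContainer entries the LDAP check found.
LDAP_REALMS = {"ipa.usfs-i2.umt.edu": ["USFS-I2.UMT.EDU"]}


def dns_search_krb(domain):
    """Stand-in for ipadnssearchkrb: (realm, kdc) from TXT/SRV, or (None, None)."""
    realm = DNS_TXT.get("_kerberos." + domain)
    kdc = DNS_SRV.get("_kerberos._udp." + domain)
    return realm, kdc


def ldap_has_realm(server, realm):
    """Stand-in for the LDAP server check: the server must hold a
    krbRealmContainer for exactly this realm. Kerberos realm names are
    case-sensitive, so no case folding is applied and the trailing dot
    from DNS is not stripped either."""
    return realm in LDAP_REALMS.get(server, [])


def discover(domain, servers, forced_realm=None, respect_forced_realm=False):
    """Return (result, realm, kdc, realm_source).

    respect_forced_realm=False reproduces the quoted code: the realm from DNS
    always overwrites the one given on the command line.
    respect_forced_realm=True keeps a realm passed with --realm and only
    falls back to DNS when none was forced.
    """
    realm = forced_realm
    realm_source = "Forced" if forced_realm else None

    krb_realm, kdc = dns_search_krb(domain)
    if not servers and not krb_realm:
        return REALM_NOT_FOUND, None, None, None

    if not (respect_forced_realm and forced_realm):
        realm = krb_realm
        realm_source = "Discovered Kerberos DNS records from %s" % domain

    for server in servers:
        if ldap_has_realm(server, realm):
            return SUCCESS, realm, kdc or server, realm_source
    return REALM_NOT_FOUND, realm, kdc, realm_source


if __name__ == "__main__":
    args = ("usfs-i2.umt.edu", ["ipa.usfs-i2.umt.edu"], "USFS-I2.UMT.EDU")
    print("quoted behaviour:", discover(*args))
    print("forced realm kept:", discover(*args, respect_forced_realm=True))
```

Two practical consequences follow from the model. Because realm names are case-sensitive, the DNS-side workaround is to publish the `_kerberos` TXT record spelled exactly as the KDC knows the realm (here USFS-I2.UMT.EDU), and to re-check it with `dig TXT _kerberos.<domain>` before running the installer; the code-side fix is to prefer a realm given on the command line over the one discovered from DNS, which is what the commits listed below do.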

FreeIPA 4.0.1 was released, moving to the next bugfixing release milestone.

master:

  • dc4bdd3 Allow user to force Kerberos realm during installation.

ipa-4-1:

  • a28d9b8 Allow user to force Kerberos realm during installation.

ipa-4-0:

  • 0e07731 Allow user to force Kerberos realm during installation.

Metadata Update from @bnordgren (7 years ago):
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.0.2
