Installing a new server in an environment with misconfigured DNS does not allow you to override DNS with a command line option. Same behavior in both 3.3.5 and 4.0.0 on Fedora 20.
Specifically, client installation at the end of the server installation fails. In my environment, my TXT DNS record is lowercase, and specifying the --realm on the command line does not cause the install script to recognize that the realm is "forced".
```
... Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Sample zone file for bind has been created in /tmp/sample.zone.ChB2R_.db
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain usfs-i2.umt.edu --server ipa.usfs-i2.umt.edu --realm USFS-I2.UMT.EDU --hostname ipa.usfs-i2.umt.edu' returned non-zero exit status 1
```
Output in /etc/ipaclient-install.log:
```
2014-07-16T23:00:47Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T23:00:47Z DEBUG [IPA Discovery]
2014-07-16T23:00:47Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T23:00:47Z DEBUG Server and domain forced
2014-07-16T23:00:47Z DEBUG [Kerberos realm search]
2014-07-16T23:00:47Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T23:00:47Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T23:00:47Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T23:00:47Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T23:00:47Z DEBUG [LDAP server check]
2014-07-16T23:00:47Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
2014-07-16T23:00:47Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T23:00:47Z DEBUG Search LDAP server for IPA base DN
2014-07-16T23:00:47Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
2014-07-16T23:00:47Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
2014-07-16T23:00:47Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T23:00:47Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T23:00:47Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
2014-07-16T23:00:47Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
2014-07-16T23:00:47Z DEBUG Validated servers:
2014-07-16T23:00:47Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA Server.
```
The end result is that the KDC is configured correctly (because ipa-server-install works) but ipa commands fail:
```
[root@ipa ~]# kinit admin
Password for admin@USFS-I2.UMT.EDU:
[root@ipa ~]# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipa.usfs-i2.umt.edu,O=USFS-I2.UMT.EDU" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'https://ipa.usfs-i2.umt.edu/ipa/xml': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
```
We plan to fix, ideally in 4.0.x. This is the part that does not respect --realm:
```python
# search for kerberos
root_logger.debug("[Kerberos realm search]")
krb_realm, kdc = self.ipadnssearchkrb(self.domain)
if not servers and not krb_realm:
    return REALM_NOT_FOUND
# self.realm is overwritten with the DNS value here even when --realm was passed
self.realm = krb_realm
self.kdc = kdc
self.realm_source = self.kdc_source = (
    'Discovered Kerberos DNS records from %s' % self.domain)
```
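As an added illustration (not FreeIPA's own code), the following model of the discovery step quoted above reproduces the failure from the log with constructed DNS and LDAP stand-ins, and shows the behaviour a respected --realm gives instead. It assumes the server check compares the krbRealmContainer cn against the realm discovery settled on, which is what the "Found ... / Skip ..." log lines suggest.

```python
# Added example, not FreeIPA's code: a model of the ipa-client-install discovery
# step quoted in this ticket. The DNS and LDAP lookups are constructed stand-ins.
REALM_NOT_FOUND = "REALM_NOT_FOUND"
SUCCESS = "SUCCESS"

# Constructed data mirroring the ticket: the _kerberos TXT record is lowercase and
# carries a trailing dot, while the realm container in LDAP is the real realm name.
FAKE_DNS_TXT = {"_kerberos.usfs-i2.umt.edu": "usfs-i2.umt.edu."}
FAKE_LDAP_REALMS = {"ipa.usfs-i2.umt.edu": "USFS-I2.UMT.EDU"}


def ipadnssearchkrb(domain):
    """Model of the TXT/SRV lookup: return (realm, kdc) or (None, None)."""
    realm = FAKE_DNS_TXT.get("_kerberos." + domain)
    return (realm, "ipa." + domain) if realm else (None, None)


def ldap_realm_of(server):
    """Model of the krbRealmContainer search on one candidate server."""
    return FAKE_LDAP_REALMS.get(server)


def discover(domain, servers, forced_realm=None, respect_forced_realm=True):
    """Return (result, realm). respect_forced_realm=False reproduces the quoted
    code path, where the DNS value replaces the realm given with --realm."""
    krb_realm, kdc = ipadnssearchkrb(domain)
    if not servers and not krb_realm:
        return REALM_NOT_FOUND, None
    if forced_realm and respect_forced_realm:
        realm = forced_realm   # fix: the realm the user forced wins over DNS
    else:
        realm = krb_realm      # bug: DNS value wins even though --realm was passed
    # Kerberos realm names are case-sensitive, so "usfs-i2.umt.edu." never matches
    # "USFS-I2.UMT.EDU" and no server validates (assumed comparison, see lead-in).
    validated = [s for s in servers if ldap_realm_of(s) == realm]
    if not validated:
        return REALM_NOT_FOUND, realm
    return SUCCESS, realm
```

A quick way to confirm the cause on a real host is to compare the TXT record (`dig +short TXT _kerberos.<domain>`) with the realm cn in LDAP, character for character.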
FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.
attachment freeipa-dkupka-0011-Allow-user-to-force-Kerberos-realm-during-installati.patch
attachment freeipa-dkupka-0011-2-Allow-user-to-force-Kerberos-realm-during-installati.patch
master:
ipa-4-1:
ipa-4-0:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1138794
Metadata Update from @bnordgren: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.0.2