#4459 ipa-client-install breaks with non-zero minSSF on the server
Closed: Fixed None Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1122621

Changing min SSF (setting cn=config's nsslapd-minssf to "1") in FreeIPA master DS breaks subsequent client enrollments:

Check if naming context 'dc=example,dc=com' is for IPA
Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}

My initial investigation:

# ipa-client-install --debug
DNS record found: "EXAMPLE.COM"
Search DNS for SRV record of _kerberos._udp.example.com
DNS record found: 0 100 88 vm-086.example.com.
[LDAP server check]
Verifying that vm-086.example.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection to: vm-086.example.com
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Unhandled LDAPError: UNWILLING_TO_PERFORM: {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'}
Error checking LDAP: Server is unwilling to perform: Minimum SSF not met.
Skip vm-086.example.com: cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; server=None, domain=example.com, kdc=vm-086.example.com, basedn=None
Validated servers: 
will use discovered domain: example.com
IPA Server not found
DNS discovery failed to find the IPA Server
...

I see we already try to catch the case when MINSSF is set higher than what
ipa-client-install can offer, but it was only applied to the anonymous BIND
and not the actual LDAP search. This should be pretty easy to fix.

Reporter confirmed that the patch fixed the problem for them.

Patch freeipa-mkosek-480-do-not-crash-client-basedn-discovery-when-ssf-not-me.patch sent for review

master:

  • aa06392 Do not crash client basedn discovery when SSF not met

ipa-4-1:

  • aa06392 Do not crash client basedn discovery when SSF not met

ipa-4-0:

  • b104179 Do not crash client basedn discovery when SSF not met

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago
