#6584 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts
Closed: Fixed. Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1404750

Description of problem:

When record for IPA server is present on IPA-client-to-be in /etc/hosts and it
starts with non-FQDN name, and principal + password is used to enroll, the
command fails with

In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

This situation occurs for example when the IPA-client is run in container under
docker 1.12 because

# docker run --link freeipa-server-container:ipa --rm -ti centos:centos7 cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      ipa ipa.example.test freeipa-server-container
172.17.0.5      be237a05c86a

Version-Release number of selected component (if applicable):

ipa-client-4.4.0-14.el7_3.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have IPA server ipa.example.test, with IPA-managed DNS server on the same
machine.
2. On the client machine, point the nameserver record in /etc/resolv.conf to
the IP address of the IPA server.
3. On the client machine, put the IP address + short IPA server name + FQDN of
IPA server record to /etc/hosts, for example

10.11.12.13 ipa ipa.example.test

4. Run ipa-client-install -U -p admin -w Secret123

Actual results:

WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: ipa.example.test
BaseDN: dc=example,dc=test

Skipping synchronizing time with NTP server.
In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Expected results:

No error, the client IPA-enrolled.

Additional info:

The /var/log/ipaclient-install.log says

2016-12-14T14:34:52Z DEBUG Initializing principal admin@EXAMPLE.TEST using
password
2016-12-14T14:34:52Z DEBUG Starting external process
2016-12-14T14:34:52Z DEBUG args=/usr/bin/kinit admin@EXAMPLE.TEST -c
/tmp/krbccxKR8MT/ccache
2016-12-14T14:34:52Z DEBUG Process finished, return code=0
2016-12-14T14:34:52Z DEBUG stdout=Password for admin@EXAMPLE.TEST:

2016-12-14T14:34:52Z DEBUG stderr=
2016-12-14T14:34:52Z DEBUG trying to retrieve CA cert via LDAP from
ipa.example.test
2016-12-14T14:34:53Z DEBUG get_ca_certs_from_ldap() error: Insufficient access:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
may provide more information (Server ldap/ipa@EXAMPLE.TEST not found in
Kerberos database)
2016-12-14T14:34:53Z DEBUG Insufficient access: SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information
(Server ldap/ipa@EXAMPLE.TEST not found in Kerberos database)
2016-12-14T14:34:53Z ERROR In unattended mode without a One Time Password (OTP)
or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
2016-12-14T14:34:53Z ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
2016-12-14T14:34:53Z ERROR Installation failed. Rolling back changes.
2016-12-14T14:34:53Z ERROR IPA client is not configured on this system.

Note that the non-FQDN name of the IPA server machine is used as principal
(ldap/ipa@EXAMPLE.TEST).
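As an added illustration (not code from the ticket or from FreeIPA), the following models why the short name ends up in the principal: a resolver lookup that hits /etc/hosts treats the first name on the matching line as the canonical host name, so canonicalizing "ipa.example.test" yields "ipa" and the requested service principal becomes ldap/ipa@EXAMPLE.TEST. It also includes a small pre-flight check that flags hosts lines arranged this way; the hosts content, function names and the check are assumptions of this example.

```python
# Constructed /etc/hosts content, modelled on the docker --link layout
# quoted in the ticket (sample data, not a real system).
HOSTS_SAMPLE = """\
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
172.17.0.2      ipa ipa.example.test freeipa-server-container
172.17.0.5      be237a05c86a
"""


def parse_hosts(text):
    """Return a list of (address, [names]) tuples from /etc/hosts-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def canonical_name(hosts, name):
    """Model resolver canonicalization: a lookup of `name` that matches a
    hosts line returns the *first* name on that line as the canonical name."""
    for _addr, names in hosts:
        if name in names:
            return names[0]
    return name  # no hosts entry: a real resolver would fall through to DNS


def ldap_principal(hosts, server, realm, canonicalize):
    """Build the ldap/ service principal the client would ask the KDC for,
    with and without host-name canonicalization."""
    host = canonical_name(hosts, server) if canonicalize else server
    return f"ldap/{host}@{realm}"


def short_name_first(hosts):
    """Pre-flight check (assumed, not part of ipa-client-install): report hosts
    lines whose first name is a short name while a later name on the same line
    is an FQDN, the layout that triggers the failure described in the ticket."""
    flagged = []
    for addr, names in hosts:
        if "." not in names[0] and any("." in n for n in names[1:]):
            flagged.append((addr, names[0]))
    return flagged
```

With canonicalization off, the principal keeps the FQDN the server actually registered (ldap/ipa.example.test@EXAMPLE.TEST), which is what the fix in master achieves.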

master:

  • 566c86a disable hostname canonicalization by Kerberos library

Metadata Update from @pvoborni:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.5

7 years ago

So this is pretty late, I know, but - the fix for this actually breaks something else...

