#7317 ipa-client-automount does not respect --server option
Opened 2 years ago by jose256. Modified 2 years ago


when invoking ipa-client-automount with the --server option it starts out by talking to that server but then decides to talk to another replica. In this case the replica is broken, which is why I am trying to override it.

Steps to Reproduce

1.ipa-client-automount --debug --server=ipa.example.com

Actual behavior

[root@abbey /]# ipa-client-automount  --debug --server=ipa.example.com
Verifying that ipa.example.com is an IPA server
Init LDAP connection to: ldap://ipa.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
IPA server: ipa.example.com
Using fixed server ipa.example.com
Location: default
Using automount location default
Initializing principal host/abbey.example.com@EXAMPLE.COM using keytab /etc/krb5.keytab
using ccache /tmp/tmpTTyz3a/ccache
Attempt 1/1: success
Error retrieving cookie from the persistent storage: expected string or buffer
failed to find session_cookie in persistent storage for principal 'host/abbey.example.com@EXAMPLE.COM'
trying https://ipa-replica.example.com/ipa/json
New HTTP connection (ipa-replica.example.com)
HTTP connection destroyed (ipa-replica.example.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
    message=u"No valid Negotiate header in server response")
KerberosError: No valid Negotiate header in server response
Traceback (most recent call last):
  File "/sbin/ipa-client-automount", line 503, in <module>
  File "/sbin/ipa-client-automount", line 454, in main
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, in packages
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 537, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 385, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 397, in _fetch
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1034, in create_connection
    command([], {})
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response

Expected behavior

It should never talk to ipa-replica


$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
Centos 7.4

Seems that --server influence behavior only when --no-sssd option is used. Otherwise the client is configured always with autodiscovery. Except that one usage --server option is pretty much ignored in the code. API object doesn'T use it at all.

A workaround can to define the server in IPA's /etc/ipa/default.conf to force the client to talk to specific server. But it will break autodiscovery.

Man page says:

--server=SERVER Set the FQDN of the IPA server to connect to

but option in the tool says:

parser.add_option("--server", dest="server", help="FQDN of IPA server")

Seems that the tool help doesn't really say what is the use case. If the use case is what the man page says then this is a valid bug. API object should follow the option an override what is in default.conf

The intention was to mirror the behavior in ipa-client-install.

It may be possible to set this value when the API is bootstrapped. The API client should use the set master before falling back to any discovered servers.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: Ticket Backlog

2 years ago

Login to comment on this ticket.