When invoking ipa-client-automount with the --server option, it starts out by talking to that server but then decides to talk to another replica. In this case the replica is broken, which is why I am trying to override it.
1. ipa-client-automount --debug --server=ipa.example.com
```
[root@abbey /]# ipa-client-automount --debug --server=ipa.example.com
Verifying that ipa.example.com is an IPA server
Init LDAP connection to: ldap://ipa.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
IPA server: ipa.example.com
Using fixed server ipa.example.com
Location: default
Using automount location default
Initializing principal host/abbey.example.com@EXAMPLE.COM using keytab /etc/krb5.keytab
using ccache /tmp/tmpTTyz3a/ccache
Attempt 1/1: success
Error retrieving cookie from the persistent storage: expected string or buffer
failed to find session_cookie in persistent storage for principal 'host/abbey.example.com@EXAMPLE.COM'
trying https://ipa-replica.example.com/ipa/json
New HTTP connection (ipa-replica.example.com)
HTTP connection destroyed (ipa-replica.example.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
    message=u"No valid Negotiate header in server response")
KerberosError: No valid Negotiate header in server response
Traceback (most recent call last):
  File "/sbin/ipa-client-automount", line 503, in <module>
    sys.exit(main())
  File "/sbin/ipa-client-automount", line 454, in main
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 537, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 385, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 397, in _fetch
    client.connect(verbose=False)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1034, in create_connection
    command([], {})
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
```
It should never talk to ipa-replica
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-client-4.5.0-22.el7.centos.x86_64
```

CentOS 7.4
It seems that --server influences behavior only when the --no-sssd option is used. Otherwise the client is always configured with autodiscovery. Except for that one usage, the --server option is pretty much ignored in the code. The API object doesn't use it at all.
A workaround can be to define the server in IPA's /etc/ipa/default.conf to force the client to talk to a specific server. But it will break autodiscovery.
Man page says:
--server=SERVER Set the FQDN of the IPA server to connect to
but the option in the tool says:
parser.add_option("--server", dest="server", help="FQDN of IPA server")
It seems that the tool help doesn't really say what the use case is. If the use case is what the man page says, then this is a valid bug. The API object should follow the option and override what is in default.conf.
The intention was to mirror the behavior in ipa-client-install.
It may be possible to set this value when the API is bootstrapped. The API client should use the set master before falling back to any discovered servers.
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: Ticket Backlog
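A check for the behaviour reported in this ticket, as an added example that is not part of the ticket or of FreeIPA's code: it scans `--debug` output for every host the tool contacts and lists those that differ from the host on the `Using fixed server` line. The sample is an excerpt of the output quoted in the report; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the --debug output quoted in the report above.
SAMPLE_DEBUG_OUTPUT = """\
Verifying that ipa.example.com is an IPA server
Init LDAP connection to: ldap://ipa.example.com:389
IPA server: ipa.example.com
Using fixed server ipa.example.com
trying https://ipa-replica.example.com/ipa/json
New HTTP connection (ipa-replica.example.com)
HTTP connection destroyed (ipa-replica.example.com)
"""

FIXED_RE = re.compile(r"^Using fixed server (\S+)$")
URL_RE = re.compile(r"\b(?:https?|ldaps?)://[^\s'\"]+")
CONN_RE = re.compile(r"^New HTTP connection \(([^)]+)\)$")


def contacted_hosts(debug_output):
    """Return (fixed_server, hosts): the pinned server and every host contacted, in order."""
    fixed = None
    hosts = []
    for line in debug_output.splitlines():
        line = line.strip()
        m = FIXED_RE.match(line)
        if m:
            fixed = m.group(1).lower()
            continue
        # Hosts appear either inside a URL or in a "New HTTP connection (...)" line.
        found = [urlsplit(u).hostname for u in URL_RE.findall(line)]
        m = CONN_RE.match(line)
        if m:
            found.append(m.group(1))
        for host in found:
            if host and host.lower() not in hosts:
                hosts.append(host.lower())
    return fixed, hosts


def unexpected_hosts(debug_output):
    """Hosts contacted that are not the server given with --server."""
    fixed, hosts = contacted_hosts(debug_output)
    if fixed is None:
        raise ValueError("no 'Using fixed server' line: --server was not in effect")
    return [h for h in hosts if h != fixed]


if __name__ == "__main__":
    print(unexpected_hosts(SAMPLE_DEBUG_OUTPUT))
```

An empty result means every LDAP and HTTPS connection in the run went to the server passed with `--server`.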