Unattended ipa-client-install with an expired enrolment user error yields errors pointing to Kerberos rather than the expired password. Somehow, this seems to hit a condition where you get an LDAP error (as in #7945) instead of a Kerberos error. Perhaps a race condition in the client, or a race condition in the server where the first call succeeds but follow-up calls fail because the password has just expired during the install.
kinit: Cannot read password while getting initial credentials
ipa client fails with kerberos error
ipa client fails with password expired message
ipa-client-4.6.4-10.el7.centos.3.x86_64
2019-05-07T11:34:25Z DEBUG args=/usr/bin/kinit host_enrollment_user@ipa-server-domain.com -c /tmp/krbccnwzCrI/ccache
2019-05-07T11:34:25Z DEBUG Process finished, return code=1
2019-05-07T11:34:25Z DEBUG stdout=Password for host_enrollment_user@ipa-server-domain.com: Password expired.  You must change it now.
Enter new password:
2019-05-07T11:34:25Z DEBUG stderr=kinit: Cannot read password while getting initial credentials
2019-05-07T11:34:25Z INFO Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
2019-05-07T11:34:25Z ERROR Installation failed. Rolling back changes.
2019-05-07T11:34:27Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3632, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2353, in install
    _install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2507, in _install
    rval=CLIENT_INSTALL_ERROR)
2019-05-07T11:34:27Z DEBUG The ipa-client-install command failed, exception: ScriptError: Kerberos authentication failed: kinit: Cannot read password while getting initial credentials
2019-05-07T11:34:27Z ERROR Kerberos authentication failed: kinit: Cannot read password while getting initial credentials
2019-05-07T11:34:27Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
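The log above shows the real cause (kinit's stdout says "Password expired. You must change it now.") while the installer only surfaces kinit's stderr ("Cannot read password while getting initial credentials"). An operator running unattended enrolments can make the same distinction before calling ipa-client-install. The following pre-flight script is an added example, not FreeIPA code and not from this ticket: it runs kinit the way the installer log shows (password on stdin, throwaway credential cache) and classifies the outcome from kinit's stdout and stderr. The function names, the realm in the usage note and the "other" fall-through category are my own assumptions; the strings it matches are the ones in the log.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): tell an expired enrolment password
# apart from a generic "cannot read password" failure before running
# ipa-client-install unattended.

# classify_kinit_output STDOUT STDERR RC
# Prints one of: ok, expired, unreadable, other.
# Return status is 0 only for "ok", so it can be used in a condition.
classify_kinit_output() {
    out=$1
    err=$2
    rc=$3
    if [ "$rc" -eq 0 ]; then
        echo ok
        return 0
    fi
    # kinit reports an expired password on stdout, as in the installer log.
    case $out in
        *"Password expired"*)
            echo expired
            return 1
            ;;
    esac
    # Without a tty and with stdin exhausted, kinit fails on stderr with this text.
    case $err in
        *"Cannot read password"*)
            echo unreadable
            return 1
            ;;
    esac
    echo other
    return 1
}

# preflight_kinit PRINCIPAL
# Reads the password from stdin (so it never appears in argv or ps output),
# obtains a ticket into a throwaway cache, and reports a human-readable verdict.
preflight_kinit() {
    user=$1
    tmp=$(mktemp -d) || return 2
    # Same invocation shape as the installer: principal plus -c <cache>.
    out=$(kinit "$user" -c "$tmp/ccache" 2>"$tmp/err")
    rc=$?
    err=$(cat "$tmp/err")
    rm -rf "$tmp"
    verdict=$(classify_kinit_output "$out" "$err" "$rc")
    case $verdict in
        ok)
            echo "enrolment credentials for $user are usable" >&2
            ;;
        expired)
            echo "enrolment user $user has an expired password; reset it before running ipa-client-install" >&2
            ;;
        unreadable)
            echo "kinit could not read a password for $user (no tty / stdin exhausted); check the account state" >&2
            ;;
        *)
            echo "kinit failed for $user: $err" >&2
            ;;
    esac
    [ "$verdict" = ok ]
}

# Usage (assumed principal and password file):
#   preflight_kinit host_enrollment_user@EXAMPLE.TEST < /root/enrol.pw && ipa-client-install --unattended ...
```

The classifier is deliberately separate from the kinit call so it can be exercised with captured log text; the verdict drives both the exit status and a message that names the expired password instead of the stderr line the installer repeats.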
I'm not sure I follow. Because it is unattended, there is no user to enter the new password, so it fails. Are you suggesting the port information be suppressed? I'm not sure IPA is/can be aware when prompting for the password that it is expired.
Metadata Update from @pcech:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
The issue is that regardless of unattended or attended install an unusable account will cause the install command to fail with a red herring. On the API side of things it makes sense that it can't ask for a new password to be entered, but that doesn't help a user or admin to diagnose failing installs. What does help is a message at the end of the log stating why the install failed.
"Cannot read password while getting initial credentials" is technically correct, but functionally unhelpful.
Right, but just before that in the log there is a very clear explanation of what happened. When forking out to call other programs it isn't always possible or useful to display both stderr and stdout, but both are logged, so it is possible to discover the fuller error.