As an administrator, I want ipa-client-install to give a better error message when the given service account has expired so that I don't have to waste time trying to figure out the problem.
When I ran ipa-client-install today, I got this error message:
ipa-client-install
...
User authorized to enroll computers: service-account
Password for service-account@NETSKRT.IO:
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
An error message is printed that asks the user to check that the necessary ports are open in the firewall settings.
An error message is printed that says the service account's password has expired and needs to be rotated.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-client-4.7.0~pre1+git20180411-2ubuntu2.deb
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
Partial strace output of ipa-client-install:
13714 write(3, "2022-05-03T16:34:43Z DEBUG Process finished, return code=1\n", 59) = 59
13714 getpid() = 13714
13714 write(3, "2022-05-03T16:34:43Z DEBUG stdout=Password for service-account@NETSKRT.IO: \nPassword expired. You must change it now.\nEnter new password: \n\n", 141) = 141
13714 getpid() = 13714
13714 write(3, "2022-05-03T16:34:43Z DEBUG stderr=kinit: Cannot read password while getting initial credentials\n\n", 97) = 97
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
What is service-account? Is it a full IPA user or an LDAP system account? I don't know that it will make a difference but asking to be sure we're comparing apples to apples.
Using a normal IPA user it's pretty easy to see what's going on in the client install log:
2022-05-03T19:01:07Z DEBUG args=['/usr/bin/kinit', 'enroll@EXAMPLE.TEST', '-c', '/tmp/krbcc2l6a2cmp/ccache']
2022-05-03T19:01:07Z DEBUG Process finished, return code=1
2022-05-03T19:01:07Z DEBUG stdout=Password for enroll@EXAMPLE.TEST: 
Password expired. You must change it now.
Enter new password: 
2022-05-03T19:01:07Z DEBUG stderr=kinit: Cannot read password while getting initial credentials
I suppose we could capture stdout as well and include that in the message raised; it will just include some other stuff like prompting for the password change.
That would be awesome!
+1 for this. I also encountered this scenario today and wasted some time trying to figure out what was happening. Ideally we can explicitly report that the enrollment user account password is expired.
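As an added example (not FreeIPA's own code and not the fix discussed in this ticket), the Python wrapper below shows one way to act on the suggestion above: run kinit with the password on stdin, keep both stdout and stderr, and turn the "Password expired. You must change it now." prompt that kinit writes to stdout into an explicit error instead of surfacing only the stderr line "Cannot read password". The function names, the EnrollmentAuthError class and the /usr/bin/kinit path are assumptions; the two sample outputs are constructed from the log lines quoted in this ticket so the classifier can be exercised without a KDC.

```python
"""Wrap kinit so an expired enrollment password is reported explicitly.

Hypothetical helper written for this ticket; it is not FreeIPA's code.
It assumes the kinit(1) invocation seen in the client install log
(kinit PRINCIPAL -c CCACHE) with the password supplied on stdin.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Text kinit prints when the principal's password has expired (taken from
# the install log in this ticket).  The prompt goes to stdout and only the
# generic "Cannot read password" line goes to stderr, so both streams
# have to be captured to explain the failure.
EXPIRED_RE = re.compile(r"Password expired\. You must change it now\.")


class EnrollmentAuthError(Exception):
    """Raised when kinit fails during enrollment (hypothetical class)."""


@dataclass
class KinitResult:
    returncode: int
    stdout: str
    stderr: str


def explain_kinit_failure(result: KinitResult, principal: str) -> Optional[str]:
    """Return a human-readable cause for a failed kinit, or None on success."""
    if result.returncode == 0:
        return None
    if EXPIRED_RE.search(result.stdout):
        return (f"Kerberos authentication failed: the password for {principal} "
                "has expired and must be changed before it can be used to "
                "enroll clients.")
    # Fall back to kinit's own stderr, then stdout, so no prompt text is lost.
    detail = (result.stderr.strip() or result.stdout.strip()
              or f"kinit exited with status {result.returncode}")
    return f"Kerberos authentication failed: {detail}"


def kinit_with_password(principal: str, password: str, ccache: str,
                        kinit_path: str = "/usr/bin/kinit") -> KinitResult:
    """Run kinit non-interactively, feeding the password on stdin.

    Because stdin is a pipe, a "change your password now" prompt cannot be
    answered; kinit then exits non-zero with "Cannot read password", and
    the captured stdout is what reveals the real reason.
    """
    proc = subprocess.run(
        [kinit_path, principal, "-c", ccache],
        input=password + "\n",
        capture_output=True,
        text=True,
        check=False,
    )
    return KinitResult(proc.returncode, proc.stdout, proc.stderr)


def enroll_kinit(principal: str, password: str, ccache: str) -> KinitResult:
    """Obtain the enrollment TGT or raise EnrollmentAuthError with the cause."""
    result = kinit_with_password(principal, password, ccache)
    cause = explain_kinit_failure(result, principal)
    if cause is not None:
        raise EnrollmentAuthError(cause)
    return result


# Constructed sample outputs, copied from the strace/log excerpt in this
# ticket (expired password) and from a plain wrong-password attempt.
SAMPLE_EXPIRED = KinitResult(
    returncode=1,
    stdout=("Password for enroll@EXAMPLE.TEST: \n"
            "Password expired. You must change it now.\n"
            "Enter new password: \n"),
    stderr="kinit: Cannot read password while getting initial credentials\n",
)
SAMPLE_WRONG = KinitResult(
    returncode=1,
    stdout="Password for enroll@EXAMPLE.TEST: \n",
    stderr="kinit: Password incorrect while getting initial credentials\n",
)

if __name__ == "__main__":
    for sample in (SAMPLE_EXPIRED, SAMPLE_WRONG):
        print(explain_kinit_failure(sample, "enroll@EXAMPLE.TEST"))
```

Note that only the classification is tested offline; kinit_with_password needs a working krb5 client and reachable KDC, and whatever the installer finally raises should still carry kinit's stderr so that failures other than an expired password remain diagnosable.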