[Freeipa-devel] [PATCH 0023] Do not display ports to open when password is incorrect during ipa-client-install

Martin Kosek mkosek at redhat.com
Tue Feb 18 15:40:15 UTC 2014


On 04/30/2013 04:33 PM, Petr Viktorin wrote:
> On 04/30/2013 04:03 PM, Ana Krivokapic wrote:
>> On 04/30/2013 10:42 AM, Petr Viktorin wrote:
>>> On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
>>>> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>>>>> Ana Krivokapic wrote:
>>>>>> Do not display ports to open when password is incorrect during
>>>>>> ipa-client-install
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3573
>>>>>>
>>>>>
>>>>> What happens if port 88 is not open so it can't connect to the KDC?
>>>>> I'm not sure what the best way to determine one vs. the other is; I don't
>>>>> think there are distinct return values.
>>>>>
>>>>> We could use the fact that Kerberos isn't translated to look for
>>>>> specific strings maybe, but that is hackish and could break.
>>>>>
>>>>> rob
>>>>
>>>> The return value from kinit is always 1 in case of failure. So the only
>>>> way to determine the reason for failure would be to look into the
>>>> message string. I agree this is hackish as Rob pointed out. Personally,
>>>> I am for leaving everything as it is now. In the case of incorrect
>>>> password, the user _does_ get the message that the password was
>>>> incorrect (kinit: Password incorrect while getting initial credentials).
>>>> So I don't think that displaying the message about ports, in addition to
>>>> this message, is confusing/misleading.
>>>
>>> I think displaying the error messages after the port information would
>>> make it clearer that this is the reason for failed installation.
>>>
>>
>> I think this is a good compromise. Updated patch attached.
> 
> So now we have, with bad password:
> 
> $ sudo ipa-client-install -p admin -w bad-password
> Discovery was successful!
> Hostname: vm-050.idm.lab.eng.brq.redhat.com
> Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
> DNS Domain: idm.lab.eng.brq.redhat.com
> IPA Server: vm-109.idm.lab.eng.brq.redhat.com
> BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> 
> Continue to configure the system with these values? [no]: y
> Synchronizing time with KDC...
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed
> kinit: Password incorrect while getting initial credentials
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> 
> 
> and with no connection:
> 
> $ sudo ipa-client-install -p admin -w good-password
> Discovery was successful!
> Hostname: vm-050.idm.lab.eng.brq.redhat.com
> Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
> DNS Domain: idm.lab.eng.brq.redhat.com
> IPA Server: vm-109.idm.lab.eng.brq.redhat.com
> BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> 
> Continue to configure the system with these values? [no]: y
> Synchronizing time with KDC...
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed
> kinit: Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM' while
> getting initial credentials
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> 
> Rob, is the behavior OK?
> 
> ACK for the implementation.
> 

Looks good to me.

Pushed to master: f67268db6855738350481491119b9be29ba1f22d

Martin
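The thread above turns on one fact: kinit exits with status 1 for every failure, so an installer that wants to tell "wrong password" from "KDC unreachable" has to look at the message text, which is the hackish part Rob and Ana flagged. The following Python is an added illustration written for this page; it is not FreeIPA code and not the patch that was pushed. It shows the string-matching approach done as safely as it can be done: kinit is run with LC_ALL=C so the untranslated English messages are stable, the classifier is a small table that can be extended per krb5 version, and the firewall hint is only printed for failures that look like connectivity problems. The two message fragments come from the kinit output quoted in the thread; the third ("Preauthentication failed") is MIT krb5's wording for a wrong password on other builds and is not from this page. The function and enum names, and the sample stderr strings in the `__main__` block, are constructed for the example.

```python
import enum
import os
import socket
import subprocess


class KinitResult(enum.Enum):
    SUCCESS = "success"
    BAD_PASSWORD = "bad_password"
    KDC_UNREACHABLE = "kdc_unreachable"
    UNKNOWN = "unknown"


# Fragments of kinit's (English, untranslated) stderr and what they mean.
# The first two are quoted verbatim in the thread above; the third is MIT
# krb5's message for KRB5KDC_ERR_PREAUTH_FAILED on builds that do not print
# "Password incorrect".  Order matters only for readability: the fragments
# do not overlap.
_KINIT_MESSAGES = (
    ("Password incorrect", KinitResult.BAD_PASSWORD),
    ("Preauthentication failed", KinitResult.BAD_PASSWORD),
    ("Cannot contact any KDC", KinitResult.KDC_UNREACHABLE),
)


def classify_kinit(returncode, stderr):
    """Map kinit's exit status and stderr to a KinitResult.

    kinit returns 1 for every failure, so the exit code only tells us
    success vs. failure; the reason has to come from the message text.
    """
    if returncode == 0:
        return KinitResult.SUCCESS
    for fragment, result in _KINIT_MESSAGES:
        if fragment in stderr:
            return result
    return KinitResult.UNKNOWN


def run_kinit(principal, password, kinit="/usr/bin/kinit"):
    """Run kinit for `principal`, feeding the password on stdin.

    LC_ALL=C pins kinit's messages to the untranslated strings the
    classifier knows about; without it a localized system would break
    the match and every failure would fall through to UNKNOWN.
    """
    env = dict(os.environ, LC_ALL="C", LANG="C")
    proc = subprocess.run(
        [kinit, principal],
        input=password + "\n",
        capture_output=True,
        text=True,
        env=env,
    )
    return classify_kinit(proc.returncode, proc.stderr), proc.stderr


def kdc_reachable(host, port=88, timeout=3.0):
    """True if a TCP connection to host:port succeeds within `timeout`.

    A cheap pre-check for the "is port 88 open?" case in the thread.  It
    only covers TCP; a KDC reachable over UDP 88 alone would still show
    False here, so treat False as a hint, not a verdict.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Text of the firewall hint, constructed for this example from the list
# printed by ipa-client-install in the quoted output above.
FIREWALL_HINT = (
    "Please make sure the following ports are opened in the firewall settings:\n"
    "     TCP: 80, 88, 389\n"
    "     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n"
)


def failure_report(result, stderr):
    """Build the message an installer would print for a kinit failure.

    The port list is shown only when the failure looks like a connectivity
    problem (or is unrecognised); a plain wrong password gets just the
    kinit message, which is the behaviour the original ticket asked for.
    """
    if result is KinitResult.SUCCESS:
        return ""
    lines = []
    if result in (KinitResult.KDC_UNREACHABLE, KinitResult.UNKNOWN):
        lines.append(FIREWALL_HINT.rstrip("\n"))
    lines.append("Kerberos authentication failed")
    lines.append(stderr.rstrip("\n"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples mirroring the two runs quoted in the thread.
    samples = [
        (1, "kinit: Password incorrect while getting initial credentials\n"),
        (1, "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while "
            "getting initial credentials\n"),
    ]
    for rc, err in samples:
        result = classify_kinit(rc, err)
        print(result.value)
        print(failure_report(result, err))
        print()
```

The caveat from the thread still stands: this depends on message text, so every krb5 upgrade is a chance for `_KINIT_MESSAGES` to go stale, and the safe failure mode is to fall through to `UNKNOWN` and keep printing the port list rather than to wrongly suppress it.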
