[Freeipa-users] Auto discover of the IPA server failing with LDAP anonymous binds off

Martin Kosek mkosek at redhat.com
Mon Apr 8 09:10:34 UTC 2013


On 04/06/2013 07:38 PM, Sigbjorn Lie wrote:
> Hi,
> 
> I am trying to install the IPA client on a CentOS 6.4 host, however the auto
> discovery of the IPA server is failing, from what seems to be caused by my IPA
> servers having anonymous binds switched off.
> 
> Is this expected behaviour?
> 
> 
> # rpm -qa|grep ^ipa|sort
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> 
> 
> # ipa-client-install -U --domain=unix.nuexample.com --password='somepassword'
> --enable-dns-updates -d
> /usr/sbin/ipa-client-install was invoked with options: {'domain':
> 'unix.nuexample.com', 'force': False, 'krb5_offline_passwords': True,
> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
> 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None,
> 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': True,
> 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'realm_name': None,
> 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False,
> 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=unix.nuexample.com, servers=None,
> hostname=clienthost.unix.nuexample.com
> Search for LDAP SRV record in unix.nuexample.com
> Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
> 
> DNS record found:
> DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
> 
> DNS record found:
> DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
> 
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.unix.nuexample.com.
> DNS record found:
> DNSResult::name:_kerberos.unix.nuexample.com.,type:16,class:1,rdata={data:UNIX.NUEXAMPLE.COM}
> 
> Search DNS for SRV record of _kerberos._udp.unix.nuexample.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa02.unix.nuexample.com.}
> 
> DNS record found:
> DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:88,weight:100,server:ipa03.unix.nuexample.com.}
> 
> DNS record found:
> DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa01.unix.nuexample.com.}
> 
> [LDAP server check]
> Verifying that ipa01.unix.nuexample.com (realm UNIX.NUEXAMPLE.COM) is an IPA
> server
> Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=unix,dc=nuexample,dc=com' is for IPA
> Naming context 'dc=unix,dc=nuexample,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=unix,dc=nuexample,dc=com (sub)
> LDAP Error: Anonymous access not allowed
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=unix.nuexample.com,
> kdc=ipa02.unix.nuexample.com,ipa03.unix.nuexample.com,ipa01.unix.nuexample.com,
> basedn=dc=unix,dc=nuexample,dc=com
> Validated servers: ipa01.unix.nuexample.com
> will use discovered domain: unix.nuexample.com
> IPA Server not found
> Unable to find IPA Server to join
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Regards,
> Siggi
> 

Hello Sigbjorn,

This is caused by an unfortunate regression in the RHEL-6.4 client which emerges
when cn=config's nsslapd-allow-anonymous-access is set to "rootdse". This was
already fixed upstream (ticket 3519) and there is a bugzilla filed for RHEL-6.5:

https://bugzilla.redhat.com/show_bug.cgi?id=922843

If this is not satisfactory, you can contact your customer service and we will
look for alternative solutions for you.

Thanks,
Martin
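The failure mode above, as an added illustration written for this page (it is not code from ipa-client-install or 389-ds): a small model of the LDAP step of client discovery under the three values of cn=config's nsslapd-allow-anonymous-access. The setting names, the discovery result names and the "Anonymous access not allowed" text come from the thread; the FakeDirectoryServer, the hypothetical ipa_check_ldap/discover functions and the tolerate_no_access fallback (keep the server and take realm and base DN from DNS when LDAP refuses anonymous reads) are assumptions, not a description of the actual fix.

```python
"""Model of ipa-client-install's LDAP discovery step against a 389-ds
server whose nsslapd-allow-anonymous-access is "on", "rootdse" or "off".

Added illustration only: FakeDirectoryServer and the tolerate_no_access
fallback are assumptions, not the real client or server code.
"""

from dataclasses import dataclass

# Discovery outcomes, named after the ones in the client's debug output.
SUCCESS = "SUCCESS"
NO_ACCESS_TO_LDAP = "NO_ACCESS_TO_LDAP"


class AnonymousAccessDenied(Exception):
    """Stands in for the error an anonymous search gets back from the server."""


@dataclass
class FakeDirectoryServer:
    """Constructed stand-in for an IPA directory server (runs offline)."""
    name: str
    allow_anonymous: str  # value of cn=config nsslapd-allow-anonymous-access
    basedn: str = "dc=unix,dc=nuexample,dc=com"
    realm: str = "UNIX.NUEXAMPLE.COM"

    def anon_search(self, base: str, scope: str) -> dict:
        """Unauthenticated search; base == "" addresses the rootDSE."""
        if self.allow_anonymous == "off":
            raise AnonymousAccessDenied("Anonymous access not allowed")
        if base == "":
            return {"namingContexts": [self.basedn]}
        if self.allow_anonymous == "rootdse":
            # Only the rootDSE is readable anonymously under this setting.
            raise AnonymousAccessDenied("Anonymous access not allowed")
        if base == self.basedn and scope == "sub":
            # The (objectClass=krbRealmContainer) hit the client looks for.
            return {"objectClass": ["krbRealmContainer"], "cn": [self.realm]}
        return {}


def ipa_check_ldap(server: FakeDirectoryServer):
    """Per-server check: (result, realm_from_ldap, basedn_from_ldap)."""
    try:
        basedn = server.anon_search("", "base")["namingContexts"][0]
    except AnonymousAccessDenied:
        return NO_ACCESS_TO_LDAP, None, None       # nothing readable at all
    try:
        entry = server.anon_search(basedn, "sub")  # realm container search
    except AnonymousAccessDenied:
        return NO_ACCESS_TO_LDAP, None, basedn     # suffix known, realm not
    return SUCCESS, entry["cn"][0], basedn


def realm_to_suffix(realm: str) -> str:
    """UNIX.NUEXAMPLE.COM -> dc=unix,dc=nuexample,dc=com"""
    return ",".join("dc=" + part.lower() for part in realm.split("."))


def discover(server, domain, dns_realm, tolerate_no_access):
    """Decide whether `server` can be joined.

    dns_realm is the _kerberos TXT record value (None if absent).
    tolerate_no_access=False reproduces the RHEL 6.4 client in the thread;
    True is the assumed tolerant behaviour: a server that refuses
    anonymous reads is not rejected, realm and base DN come from DNS.
    """
    result, ldap_realm, ldap_basedn = ipa_check_ldap(server)
    if result == SUCCESS:
        return {"server": server.name, "realm": ldap_realm,
                "basedn": ldap_basedn}
    if result == NO_ACCESS_TO_LDAP and tolerate_no_access:
        realm = dns_realm or domain.upper()
        return {"server": server.name, "realm": realm,
                "basedn": ldap_basedn or realm_to_suffix(realm)}
    return None  # "IPA Server not found"


if __name__ == "__main__":
    for setting in ("on", "rootdse", "off"):
        srv = FakeDirectoryServer("ipa01.unix.nuexample.com", setting)
        print(setting, ipa_check_ldap(srv)[0],
              discover(srv, "unix.nuexample.com", "UNIX.NUEXAMPLE.COM", False),
              discover(srv, "unix.nuexample.com", "UNIX.NUEXAMPLE.COM", True))
```

With "rootdse" the model reproduces the thread's output: the rootDSE read yields the base DN, the realm search is refused, and a client that treats NO_ACCESS_TO_LDAP as "no server" rolls back even though DNS already supplied the realm and the KDCs.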