On 04/30/2013 04:33 PM, Petr Viktorin wrote:
> On 04/30/2013 04:03 PM, Ana Krivokapic wrote:
>> On 04/30/2013 10:42 AM, Petr Viktorin wrote:
>>> On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
>>>> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>>>>> Ana Krivokapic wrote:
>>>>>> Do not display ports to open when password is incorrect during
>>>>>> ipa-client-install
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3573
>>>>>>
>>>>>
>>>>> What happens if port 88 is not open so it can't connect to the KDC?
>>>>> I'm not sure how the best way to determine one vs the other, I don't
>>>>> think there are distinct return values.
>>>>>
>>>>> We could use the fact that Kerberos isn't translated to look for
>>>>> specific strings maybe, but that is hackish and could break.
>>>>>
>>>>> rob
>>>>
>>>> The return value from kinit is always 1 in case of failure. So the only
>>>> way to determine the reason for failure would be to look into the
>>>> message string. I agree this is hackish as Rob pointed out. Personally,
>>>> I am for leaving everything as it is now. In the case of incorrect
>>>> password, the user _does_ get the message that the password was
>>>> incorrect (kinit: Password incorrect while getting initial credentials).
>>>> So I don't think that displaying the message about ports, in addition to
>>>> this message, is confusing/misleading.
>>>
>>> I think displaying the error messages after the port information would
>>> make it clearer that this is the reason for failed installation.
>>>
>>
>> I think this is a good compromise. Updated patch attached.
>
> So now we have, with bad password:
>
> $ sudo ipa-client-install -p admin -w bad-password
> Discovery was successful!
> Hostname: vm-050.idm.lab.eng.brq.redhat.com
> Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
> DNS Domain: idm.lab.eng.brq.redhat.com
> IPA Server: vm-109.idm.lab.eng.brq.redhat.com
> BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>
> Continue to configure the system with these values? [no]: y
> Synchronizing time with KDC...
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed
> kinit: Password incorrect while getting initial credentials
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
>
> and with no connection:
>
> $ sudo ipa-client-install -p admin -w good-password
> Discovery was successful!
> Hostname: vm-050.idm.lab.eng.brq.redhat.com
> Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
> DNS Domain: idm.lab.eng.brq.redhat.com
> IPA Server: vm-109.idm.lab.eng.brq.redhat.com
> BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>
> Continue to configure the system with these values? [no]: y
> Synchronizing time with KDC...
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed
> kinit: Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM' while
> getting initial credentials
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Rob, is the behavior OK?
>
> ACK for the implementation.
>

Looks good to me.

Pushed to master: f67268db6855738350481491119b9be29ba1f22d

Martin
