On 12/14/2016 01:08 PM, beeth beeth wrote:
Thanks David. I installed both the master and replica IPA servers with third-party certificates (Verisign), but I doubt that could be the issue, because I had no problem running the same ipa-client-install command on a RHEL7 machine (of course, the --hostname used a different hostname for that server). And I had no problem running the ipa-client-install command with --server=<master> on such a RHEL6 machine. So what could cause the LDAP communication to fail during the client enrollment with the replica? Is there a way I can troubleshoot this by running some commands? So far I did telnet to check the open ports, as well as running ldapsearch towards the replica. Thanks again!


On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <dku...@redhat.com> wrote:

    On 13/12/16 05:44, beeth beeth wrote:

        I have two IPA servers ipaprd1.example.com and ipaprd2.example.com, running ipa 4.4 on RHEL7. When I tried to install/configure the client on a RHEL6 system (called ipadev6), I had an issue when I tried to enroll it with the replica (ipaprd2), while there was no issue with the primary (ipaprd1):

        # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
        LDAP Error: Protocol error: unsupported extended operation
        Autodiscovery of servers for failover cannot work with this configuration.
        If you proceed with the installation, services will be configured to always
        access the discovered server for all operations and will not fail over to
        other servers in case of failure.
        Proceed with fixed values and no DNS discovery? [no]

        Then I tried to run ipa-client-install to enroll with the replica (ipaprd2) in debug mode, and I got this:

        # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
        /usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.example.com', 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
        missing options might be asked for interactively later
        Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
        Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
        [IPA Discovery]
        Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
        Server and domain forced
        [Kerberos realm search]
        Search DNS for TXT record of _kerberos.ipa.example.com.
        No DNS record found
        Search DNS for SRV record of _kerberos._udp.ipa.example.com.
        No DNS record found
        SRV record for KDC not found! Domain: ipa.example.com
        [LDAP server check]
        Verifying that ipaprd2.example.com (realm None) is an IPA server
        Init LDAP connection with: ldap://ipaprd2.example.com:389
        LDAP Error: Protocol error: unsupported extended operation
        Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
        Validated servers:
        will use discovered domain: ipa.example.com
        IPA Server not found
        [IPA Discovery]
        Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
        Server and domain forced
        [Kerberos realm search]
        Search DNS for TXT record of _kerberos.ipa.example.com.
        No DNS record found
        Search DNS for SRV record of _kerberos._udp.ipa.example.com.
        No DNS record found
        SRV record for KDC not found! Domain: ipa.example.com
        [LDAP server check]
        Verifying that ipaprd2.example.com (realm None) is an IPA server
        Init LDAP connection with: ldap://ipaprd2.example.com:389
        LDAP Error: Protocol error: unsupported extended operation
        Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
        Validated servers:
        Failed to verify that ipaprd2.example.com is an IPA Server.
        This may mean that the remote server is not up or is not reachable due to
        network or firewall settings.
        Please make sure the following ports are opened in the firewall settings:
             TCP: 80, 88, 389
             UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
        Also note that following ports are necessary for ipa-client working
        properly after enrollment:
             TCP: 464
             UDP: 464, 123 (if NTP enabled)
        (ipaprd2.example.com: Provided as option)
        Installation failed. Rolling back changes.
        IPA client is not configured on this system.


        I double checked the services running on the replica, and all looked well: the ports are listening, and I could telnet to the ports from the client (ipadev6). I could run the "ldapsearch" command to talk to the replica (ipaprd2) from this client (ipadev6) and pull out all the LDAP records.

        Also, I have another test box running RHEL7, and there is no issue at all running the exact same ipa-client-install command on that RHEL7 box. So could there be a bug in the ipa-client software on RHEL6 when talking to an IPA server running on RHEL7? Please advise. Thank you!

Hi Beeth,

you may want to check the access and errors logs of the Directory Server in /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the access log with the tag "EXT oid=...", but a failing operation related to an unsupported extended operation will probably log a "RESULT err=2".

So I would first check access log and look for such a failure. With the OID we will be able to understand which operation is failing and which part could be misconfigured.

HTH,
Flo.
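To act on the suggestion above, here is an added example (not from the thread or from FreeIPA/389-ds) that pairs each "EXT oid=..." line with its "RESULT" line on the same conn/op and lists the extended operations that came back with err=2 (LDAP protocolError, which is what an unsupported extended operation produces). The access-log lines, the failing OID and its name are constructed samples, not values from the thread.

```python
import re

# Constructed sample in 389-ds access-log format (not taken from the thread);
# the failing OID "1.2.3.4.5.6.7.8" and its name are placeholders.
SAMPLE_ACCESS_LOG = """\
[14/Dec/2016:13:08:01 -0500] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[14/Dec/2016:13:08:01 -0500] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Dec/2016:13:08:01 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Dec/2016:13:08:01 -0500] conn=12 op=1 EXT oid="1.2.3.4.5.6.7.8" name="placeholder-extop"
[14/Dec/2016:13:08:01 -0500] conn=12 op=1 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:08:02 -0500] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[14/Dec/2016:13:08:02 -0500] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Dec/2016:13:08:03 -0500] conn=12 op=2 UNBIND
"""

# Every operation line carries conn=N op=M; EXT and RESULT are matched on that pair.
OP_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
EXT_LINE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"(?: name="(?P<name>[^"]*)")?')
RESULT_LINE = re.compile(r"^RESULT err=(?P<err>\d+)")


def failed_extended_ops(log_text, err_codes=(2,)):
    """Return the extended operations whose RESULT carried one of err_codes.

    err=2 is LDAP protocolError, the code 389-ds returns for an
    extended operation it does not support.
    """
    pending = {}   # (conn, op) -> EXT details awaiting their RESULT line
    failures = []
    for line in log_text.splitlines():
        m = OP_LINE.match(line)
        if not m:
            continue            # connection open/close lines carry no op=
        key = (int(m["conn"]), int(m["op"]))
        ext = EXT_LINE.match(m["rest"])
        if ext:
            pending[key] = {"ts": m["ts"], "conn": key[0], "op": key[1],
                            "oid": ext["oid"], "name": ext["name"]}
            continue
        res = RESULT_LINE.match(m["rest"])
        if res and key in pending:
            entry = pending.pop(key)
            entry["err"] = int(res["err"])
            if entry["err"] in err_codes:
                failures.append(entry)
    return failures


if __name__ == "__main__":
    for f in failed_extended_ops(SAMPLE_ACCESS_LOG):
        print(f"conn={f['conn']} op={f['op']} oid={f['oid']} ({f['name']}) err={f['err']}")
```

Run it against the real file with `failed_extended_ops(open("/var/log/dirsrv/slapd-DOMAIN/access").read())`; the OID in each reported entry identifies the operation the client sent.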
        Best regards,
        Beeth



    Hello Beeth,
    I've tried to reproduce the problem you described with 7.3
    (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client
    3.0.0-51) on client and it worked for me as expected.
    I've done these steps:
    [master] # ipa-server-install -a Secret123 -p Secret123 --domain example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U
    [replica] # ipa-client-install -p admin -w Secret123 --domain example.test --server master.example.test -U
    [replica] # ipa-replica-install
    [client] # ipa-client-install -p admin -w Secret123 --domain example.test --server replica.example.test -U
    [client] # id admin

    Is there anything you've done differently?

    --
    David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project